[strongSwan] Help with setup

Michael Deignan michael.p.deignan at gmail.com
Mon Jan 31 19:03:55 CET 2022


I am attempting to set up a strongswan connection between my home's redhat
linux router and my work's redhat linux router. Both are running Redhat 8
and have the strongswan binaries installed from
https://pkgs.org/download/strongswan.

The connection appears to be successful but I cannot talk to anything on
either side of the connection, e.g. I cannot ping either router or any
machines on either side of the connection. I have set up the iptables
postrouting rules per the wiki.

Might someone give me a clue figuring out where else I should look to get
it working?

Thank you.


WorkRouter swanctl.conf:

connections {
 homenet {
  version=2
  local_addrs=WORK.PUBLIC.IP.ADDRESS
  proposals=aes256-sha1-modp1024
  remote_addrs=HOME.PUBLIC.IP.ADDRESS
  children {
   homenet {
    esp_proposals=aes256-sha1
    remote_ts=192.168.127.0/24
    local_ts=192.168.126.0/24
   }
  }
 }
}

HomeRouter swanctl.conf:

worknet {
 version=2
 local_addrs=HOME.PUBLIC.IP.ADDRESS
 proposals=aes256-sha1-modp1024
 remote_addrs=WORK.PUBLIC.IP.ADDRESS
 children {
  worknet {
   esp_proposals=aes256-sha1
   local_ts=192.168.127.0/24
   remote_ts=192.168.126.0/24
  }
 }
}

HomeRouter initiating connection:

swanctl --initiate --ike worknet --child worknet

[IKE] initiating IKE_SA worknet[4] to WORK.PUBLIC.IP.ADDRESS
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from HOME.PUBLIC.IP.ADDRESS[500] to
WORK.PUBLIC.IP.ADDRESS[500] (336 bytes)
[NET] received packet: from WORK.PUBLIC.IP.ADDRESS[500] to
HOME.PUBLIC.IP.ADDRESS[500] (344 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of 'HOME.PUBLIC.IP.ADDRESS' (myself) with pre-shared
key
[IKE] establishing CHILD_SA worknet{1}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP)
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR)
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY)
N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from HOME.PUBLIC.IP.ADDRESS[4500] to
WORK.PUBLIC.IP.ADDRESS[4500] (348 bytes)
[NET] received packet: from WORK.PUBLIC.IP.ADDRESS[4500] to
HOME.PUBLIC.IP.ADDRESS[4500] (236 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP)
N(ADD_4_ADDR) N(ADD_4_ADDR) ]
[IKE] authentication of 'WORK.PUBLIC.IP.ADDRESS' with pre-shared key
successful
[IKE] IKE_SA worknet[4] established between
HOME.PUBLIC.IP.ADDRESS[HOME.PUBLIC.IP.ADDRESS]...WORK.PUBLIC.IP.ADDRESS[WORK.PUBLIC.IP.ADDRESS]
[IKE] scheduling rekeying in 13339s
[IKE] maximum IKE_SA lifetime 14779s
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
[IKE] CHILD_SA worknet{1} established with SPIs cfd5d0fa_i c4358b01_o and
TS 192.168.127.0/24 === 192.168.126.0/24
[IKE] peer supports MOBIKE
initiate completed successfully


HomeRouter ip xfrm state:

src HOME.PUBLIC.IP.ADDRESS dst WORK.PUBLIC.IP.ADDRESS
        proto esp spi 0xc4358b01 reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        auth-trunc hmac(sha1) 0x8d6abe2f321b228663e9c88799dc3d9c78e891a7 96
        enc cbc(aes)
0xb3820a34e1bf3f4cb4cb634a4ba9aeeaca17519bd7e323f35ff4726cc09c1c54
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS
        proto esp spi 0xcfd5d0fa reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x844dfdb29f581e317dad43b0c4a893669b1fa38a 96
        enc cbc(aes)
0x130f8dc4bb5b4fd7eec13a595a45883a4b3c7d38b2a2fd0a0db635e9202e8aba
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

HomeRouter ip xfrm policy:

src 192.168.127.0/24 dst 192.168.126.0/24
        dir out priority 375423 ptype main
        tmpl src HOME.PUBLIC.IP.ADDRESS dst WORK.PUBLIC.IP.ADDRESS
                proto esp spi 0xc4358b01 reqid 1 mode tunnel
src 192.168.126.0/24 dst 192.168.127.0/24
        dir fwd priority 375423 ptype main
        tmpl src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS
                proto esp reqid 1 mode tunnel
src 192.168.126.0/24 dst 192.168.127.0/24
        dir in priority 375423 ptype main
        tmpl src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS
                proto esp reqid 1 mode tunnel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20220131/221ef51f/attachment-0001.html>


More information about the Users mailing list