[strongSwan] Help with setup
Michael Deignan
michael.p.deignan at gmail.com
Mon Jan 31 19:03:55 CET 2022
I am attempting to set up a strongSwan connection between my home's Red Hat
Linux router and my work's Red Hat Linux router. Both are running Red Hat 8
and have the strongSwan binaries installed from
https://pkgs.org/download/strongswan.
The connection appears to be successful, but I cannot talk to anything on
either side of the connection, e.g. I cannot ping either router or any
machines on either side of the connection. I have set up the iptables
POSTROUTING rules per the wiki.
Might someone give me a clue about where else I should look to get
it working?
Thank you.
WorkRouter swanctl.conf:

connections {
    homenet {
        version=2
        local_addrs=WORK.PUBLIC.IP.ADDRESS
        proposals=aes256-sha1-modp1024
        remote_addrs=HOME.PUBLIC.IP.ADDRESS
        children {
            homenet {
                esp_proposals=aes256-sha1
                remote_ts=192.168.127.0/24
                local_ts=192.168.126.0/24
            }
        }
    }
}
HomeRouter swanctl.conf (the enclosing connections block was missing from the pasted snippet; swanctl requires it):

connections {
    worknet {
        version=2
        local_addrs=HOME.PUBLIC.IP.ADDRESS
        proposals=aes256-sha1-modp1024
        remote_addrs=WORK.PUBLIC.IP.ADDRESS
        children {
            worknet {
                esp_proposals=aes256-sha1
                local_ts=192.168.127.0/24
                remote_ts=192.168.126.0/24
            }
        }
    }
}
HomeRouter initiating connection:

swanctl --initiate --ike worknet --child worknet
[IKE] initiating IKE_SA worknet[4] to WORK.PUBLIC.IP.ADDRESS
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from HOME.PUBLIC.IP.ADDRESS[500] to WORK.PUBLIC.IP.ADDRESS[500] (336 bytes)
[NET] received packet: from WORK.PUBLIC.IP.ADDRESS[500] to HOME.PUBLIC.IP.ADDRESS[500] (344 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of 'HOME.PUBLIC.IP.ADDRESS' (myself) with pre-shared key
[IKE] establishing CHILD_SA worknet{1}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from HOME.PUBLIC.IP.ADDRESS[4500] to WORK.PUBLIC.IP.ADDRESS[4500] (348 bytes)
[NET] received packet: from WORK.PUBLIC.IP.ADDRESS[4500] to HOME.PUBLIC.IP.ADDRESS[4500] (236 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
[IKE] authentication of 'WORK.PUBLIC.IP.ADDRESS' with pre-shared key successful
[IKE] IKE_SA worknet[4] established between HOME.PUBLIC.IP.ADDRESS[HOME.PUBLIC.IP.ADDRESS]...WORK.PUBLIC.IP.ADDRESS[WORK.PUBLIC.IP.ADDRESS]
[IKE] scheduling rekeying in 13339s
[IKE] maximum IKE_SA lifetime 14779s
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
[IKE] CHILD_SA worknet{1} established with SPIs cfd5d0fa_i c4358b01_o and TS 192.168.127.0/24 === 192.168.126.0/24
[IKE] peer supports MOBIKE
initiate completed successfully
HomeRouter ip xfrm state:

src HOME.PUBLIC.IP.ADDRESS dst WORK.PUBLIC.IP.ADDRESS
    proto esp spi 0xc4358b01 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    auth-trunc hmac(sha1) 0x8d6abe2f321b228663e9c88799dc3d9c78e891a7 96
    enc cbc(aes) 0xb3820a34e1bf3f4cb4cb634a4ba9aeeaca17519bd7e323f35ff4726cc09c1c54
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS
    proto esp spi 0xcfd5d0fa reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x844dfdb29f581e317dad43b0c4a893669b1fa38a 96
    enc cbc(aes) 0x130f8dc4bb5b4fd7eec13a595a45883a4b3c7d38b2a2fd0a0db635e9202e8aba
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
HomeRouter ip xfrm policy:

src 192.168.127.0/24 dst 192.168.126.0/24
    dir out priority 375423 ptype main
    tmpl src HOME.PUBLIC.IP.ADDRESS dst WORK.PUBLIC.IP.ADDRESS
        proto esp spi 0xc4358b01 reqid 1 mode tunnel
src 192.168.126.0/24 dst 192.168.127.0/24
    dir fwd priority 375423 ptype main
    tmpl src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS
        proto esp reqid 1 mode tunnel
src 192.168.126.0/24 dst 192.168.127.0/24
    dir in priority 375423 ptype main
    tmpl src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS
        proto esp reqid 1 mode tunnel
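The xfrm dump above is the most useful evidence in the post: the CHILD_SA and all three policies (out, fwd, in) are installed, yet both SAs show "seq 0x0, oseq 0x0", i.e. the kernel has neither sent nor received a single ESP packet, which points at routing or firewall handling on the plaintext side rather than at IKE. The following script is an added example (not code from the post or from the strongSwan project) that parses "ip xfrm state" and "ip xfrm policy" output, confirms the expected policy triple for a traffic-selector pair, and flags SAs whose counters never moved. The sample dumps are constructed to mirror the post's format with documentation-range addresses and placeholder key material; the function names are the example's own.

```python
import re
import subprocess
import sys

# Constructed sample shaped like the post's "ip xfrm state" dump; key bytes are placeholders.
SAMPLE_STATE = """\
src 198.51.100.1 dst 203.0.113.1
    proto esp spi 0xc4358b01 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    auth-trunc hmac(sha1) 0xPLACEHOLDER 96
    enc cbc(aes) 0xPLACEHOLDER
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 203.0.113.1 dst 198.51.100.1
    proto esp spi 0xcfd5d0fa reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0xPLACEHOLDER 96
    enc cbc(aes) 0xPLACEHOLDER
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
"""

# Constructed sample shaped like the post's "ip xfrm policy" dump.
SAMPLE_POLICY = """\
src 192.168.127.0/24 dst 192.168.126.0/24
    dir out priority 375423 ptype main
    tmpl src 198.51.100.1 dst 203.0.113.1
        proto esp spi 0xc4358b01 reqid 1 mode tunnel
src 192.168.126.0/24 dst 192.168.127.0/24
    dir fwd priority 375423 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
src 192.168.126.0/24 dst 192.168.127.0/24
    dir in priority 375423 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.1
        proto esp reqid 1 mode tunnel
"""


def _blocks(text):
    """Split a dump into records; each record starts with an unindented 'src ' line."""
    return [b for b in re.split(r"(?m)^(?=src )", text) if b.strip()]


def parse_xfrm_state(text):
    """Return one dict per SA: tunnel endpoints, SPI and the anti-replay counters.
    For an inbound SA 'seq' is the highest sequence number received; for an
    outbound SA 'oseq' is the number of packets sent. Both at zero means idle."""
    sas = []
    for block in _blocks(text):
        ends = re.match(r"src (\S+) dst (\S+)", block)
        spi = re.search(r"spi (0x[0-9a-fA-F]+)", block)
        ctr = re.search(r"seq (0x[0-9a-fA-F]+), oseq (0x[0-9a-fA-F]+)", block)
        sas.append({
            "src": ends.group(1), "dst": ends.group(2),
            "spi": spi.group(1) if spi else None,
            "seq": int(ctr.group(1), 16) if ctr else 0,
            "oseq": int(ctr.group(2), 16) if ctr else 0,
        })
    return sas


def parse_xfrm_policy(text):
    """Return one dict per policy: selector src/dst and direction (in/out/fwd)."""
    pols = []
    for block in _blocks(text):
        ends = re.match(r"src (\S+) dst (\S+)", block)
        direction = re.search(r"\bdir (\w+)", block)
        pols.append({"src": ends.group(1), "dst": ends.group(2),
                     "dir": direction.group(1) if direction else None})
    return pols


def check_tunnel(states, policies, local_ts, remote_ts):
    """Report missing policy directions and SAs that have carried no traffic."""
    findings = []
    present = {(p["src"], p["dst"], p["dir"]) for p in policies}
    expected = [(local_ts, remote_ts, "out"),
                (remote_ts, local_ts, "in"),
                (remote_ts, local_ts, "fwd")]
    for src, dst, d in expected:
        if (src, dst, d) not in present:
            findings.append(f"missing {d} policy {src} -> {dst}")
    if not states:
        findings.append("no ESP SAs installed")
    for s in states:
        if s["seq"] == 0 and s["oseq"] == 0:
            findings.append(f"SA spi {s['spi']} ({s['src']} -> {s['dst']}) "
                            "has carried no packets: check routing/forwarding, not IKE")
    return findings


def load_live():
    """Read the running kernel's SAD/SPD (needs root; real 'ip xfrm' commands)."""
    state = subprocess.run(["ip", "xfrm", "state"], capture_output=True, text=True, check=True)
    policy = subprocess.run(["ip", "xfrm", "policy"], capture_output=True, text=True, check=True)
    return state.stdout, policy.stdout


if __name__ == "__main__":
    state_txt, policy_txt = load_live() if "--live" in sys.argv else (SAMPLE_STATE, SAMPLE_POLICY)
    # Traffic selectors as seen from the home router in the post.
    for line in check_tunnel(parse_xfrm_state(state_txt), parse_xfrm_policy(policy_txt),
                             "192.168.127.0/24", "192.168.126.0/24"):
        print(line)
```

Run it without arguments to see the two "no packets" findings produced by the constructed sample; with --live it reads the real kernel tables on the router. If the counters stay at zero while you ping across the tunnel, the packets are not reaching the xfrm layer at all, so the next things to look at are the route for the remote subnet, net.ipv4.ip_forward, and whether the iptables NAT rules are exempting tunnel traffic from masquerading, rather than the IKE exchange.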