Re: [strongSwan] Connecting but not connected [Resolved]

2019-08-19 Thread Stephen Feyrer
Hi Tobias,

That is awesome!

Thank you so very much.


--
Stephen Feyrer
DevOps Engineer
Greensill Capital
stephen.fey...@greensill.com
http://www.greensill.com

-Original Message-
From: Tobias Brunner 
Sent: 19 August 2019 12:55
To: Stephen Feyrer ; strongSwan Users-Mailinglist 

Subject: Re: [strongSwan] Connecting but not connected

This message was sent from outside of Greensill Capital. Please do not open 
attachments or click on links unless you recognise the source of this email and 
are certain the content is safe.

Hi Stephen,

> This looks to me like it has worked but I may be wrong.  Is there a
> quick test to prove success?
>
> For example should 'ip address' offer a 'PPP' interface or something
> like that?

No, there is no separate interface.  The virtual IP address is added to a local 
interface (the outbound interface, by default).  A special route is installed 
in routing table 220 (ip route list table 220).  And IPsec is handled by the 
kernel (can be listed via ip xfrm policy|state).

Status/log look good and with the established connection all traffic should be 
tunneled via VPN server.

Regards,
Tobias
This message is for the designated recipient only and may contain privileged, 
proprietary or otherwise confidential information. If you have received this in 
error, please contact the sender immediately and delete the original. Any other 
use of this e-mail by you is prohibited. If we collect and use your personal 
data we will use it in accordance with our privacy 
policy<http://www.greensill.com/privacy/>. Greensill Capital (UK) Limited. 
Registered in England and Wales. Registered Number: 8126173. Registered Office: 
One Southampton Street, Covent Garden, London, WC2R 0LR, United Kingdom. 
Greensill Capital Pty Limited. Australian Company Number: 154 088 132. 
Registered Office: 62 –66 Woondooma Street, Bundaberg, Queensland 4670, 
Australia.

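Tobias's checklist above (virtual IP on the local interface, a route in table 220, policies and SAs visible through `ip xfrm`) can be turned into an automated check. The following is an added example, not code from the strongSwan project or from anyone in the thread. It cross-checks the `CHILD_SA ... established` line of the charon log against the output of `ip xfrm state`, `ip xfrm policy` and `ip route list table 220`. The four sample inputs are constructed for the example from the SPIs, traffic selectors and addresses that appear in the thread; the layout of the `ip xfrm` records is the iproute2 one (an unindented `src X dst Y` header followed by indented attribute lines), and SA keys are left out of the constructed state output.

```python
"""Cross-check what charon logged against what the kernel actually installed.

Added example, not code from strongSwan or from the thread. Samples are
constructed from the SPIs, selectors and addresses in the thread; SA keys
and the fwd policy are omitted from the constructed `ip xfrm` output.
"""
import re

CHARON_LOG = """\
Mon, 2019-08-19 11:47 05[KNL]  installing route: 0.0.0.0/0 via 10.0.0.1 src 196.198.128.13 dev wlp2s0
Mon, 2019-08-19 11:47 05[IKE]  CHILD_SA officeVPN{1} established with SPIs c6b3f079_i 9e604960_o and TS 196.198.128.13/32 === 0.0.0.0/0
"""
XFRM_STATE = """\
src 10.0.0.3 dst 50.45.0.51
\tproto esp spi 0x9e604960 reqid 1 mode tunnel
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 50.45.0.51 dst 10.0.0.3
\tproto esp spi 0xc6b3f079 reqid 1 mode tunnel
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""
XFRM_POLICY = """\
src 196.198.128.13/32 dst 0.0.0.0/0
\tdir out priority 375423 ptype main
\ttmpl src 10.0.0.3 dst 50.45.0.51
\t\tproto esp spi 0x9e604960 reqid 1 mode tunnel
src 0.0.0.0/0 dst 196.198.128.13/32
\tdir in priority 375423 ptype main
\ttmpl src 50.45.0.51 dst 10.0.0.3
\t\tproto esp reqid 1 mode tunnel
"""
ROUTE_220 = "default via 10.0.0.1 dev wlp2s0 proto static src 196.198.128.13\n"

CHILD_RE = re.compile(r"CHILD_SA \S+ established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o and TS (\S+) === (\S+)")

def parse_child_sa(log):
    """(spi_in, spi_out, local_ts, remote_ts) from the last CHILD_SA line, or None."""
    hits = CHILD_RE.findall(log)
    return hits[-1] if hits else None

def _records(text):
    """Yield (src, dst, [attribute lines]) for each 'src X dst Y' record of ip xfrm output."""
    head, body = None, []
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line)   # unindented: a new record starts
        if m:
            if head:
                yield head + (body,)
            head, body = m.groups(), []
        elif head:
            body.append(line.strip())
    if head:
        yield head + (body,)

def parse_xfrm_state(text):
    """{spi: (src, dst, mode)} for every ESP SA in `ip xfrm state` output."""
    sas = {}
    for src, dst, body in _records(text):
        for line in body:
            m = re.match(r"proto esp spi 0x([0-9a-f]+) reqid \d+ mode (\w+)", line)
            if m:
                sas[m.group(1)] = (src, dst, m.group(2))
    return sas

def parse_xfrm_policy(text):
    """{(src, dst, direction)} for every policy in `ip xfrm policy` output."""
    return {(src, dst, line.split()[1]) for src, dst, body in _records(text)
            for line in body if line.startswith("dir ")}

def parse_route_220(text):
    """{(dst, src)} for the routes charon installed; 'default' becomes 0.0.0.0/0."""
    routes = set()
    for line in text.splitlines():
        m = re.match(r"(\S+) via \S+ dev \S+ .*\bsrc (\S+)", line)
        if m:
            routes.add(("0.0.0.0/0" if m.group(1) == "default" else m.group(1), m.group(2)))
    return routes

def check_tunnel(log, state, policy, routes):
    """Return the list of mismatches; an empty list means daemon and kernel agree."""
    child = parse_child_sa(log)
    if child is None:
        return ["no 'CHILD_SA ... established' line in the log"]
    spi_in, spi_out, local_ts, remote_ts = child
    problems, sas = [], parse_xfrm_state(state)
    for spi, label in ((spi_in, "inbound"), (spi_out, "outbound")):
        if spi not in sas:
            problems.append(f"{label} SPI {spi} from the log is missing in ip xfrm state")
        elif sas[spi][2] != "tunnel":
            problems.append(f"{label} SA {spi} is in {sas[spi][2]} mode, expected tunnel")
    pols = parse_xfrm_policy(policy)
    if (local_ts, remote_ts, "out") not in pols:
        problems.append(f"no outbound policy {local_ts} -> {remote_ts}")
    if (remote_ts, local_ts, "in") not in pols:
        problems.append(f"no inbound policy {remote_ts} -> {local_ts}")
    vip = local_ts.split("/")[0]          # the virtual IP charon added to the interface
    if (remote_ts, vip) not in parse_route_220(routes):
        problems.append(f"table 220 has no route to {remote_ts} with src {vip}")
    return problems
```

On a real client, pass `check_tunnel()` the charon log text and the captured output of the three `ip` commands instead of the constructed samples; an empty list is the "it really is tunnelled" answer Stephen asked for, and each entry otherwise names the half of the picture (daemon or kernel) that is missing. Note that, as root, `ip xfrm state` prints the SA keys in hex, so redact that output before attaching it to a ticket or a mailing-list post.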


Re: [strongSwan] Connecting but not connected

2019-08-19 Thread Stephen Feyrer
47 05[KNL]  using 10.0.0.1 as nexthop and 
wlp2s0 as dev to reach 50.45.0.51/32
Mon, 2019-08-19 11:47 05[KNL]  installing route: 0.0.0.0/0 via 
10.0.0.1 src 196.198.128.13 dev wlp2s0
Mon, 2019-08-19 11:47 05[KNL]  getting iface index for wlp2s0
Mon, 2019-08-19 11:47 05[IKE]  CHILD_SA officeVPN{1} established 
with SPIs c6b3f079_i 9e604960_o and TS 196.198.128.13/32 === 0.0.0.0/0
Mon, 2019-08-19 11:47 05[CHD]  CHILD_SA officeVPN{1} state change: 
INSTALLING => INSTALLED
Mon, 2019-08-19 11:47 05[IKE]  reinitiating already active tasks
Mon, 2019-08-19 11:47 05[IKE]QUICK_MODE task
Mon, 2019-08-19 11:47 05[ENC]  generating QUICK_MODE request 
2371115108 [ HASH ]
Mon, 2019-08-19 11:47 05[NET]  sending packet: from 10.0.0.3[4500] 
to 50.45.0.51[4500] (60 bytes)
Mon, 2019-08-19 11:47 05[IKE]  activating new tasks
Mon, 2019-08-19 11:47 05[IKE]  nothing to initiate
Mon, 2019-08-19 11:49 07[NET]  received packet: from 
50.45.0.51[4500] to 10.0.0.3[4500] (92 bytes)
Mon, 2019-08-19 11:49 07[ENC]  parsed INFORMATIONAL_V1 request 
3449164663 [ HASH N(DPD) ]
Mon, 2019-08-19 11:49 07[IKE]  queueing ISAKMP_DPD task
Mon, 2019-08-19 11:49 07[IKE]  activating new tasks
Mon, 2019-08-19 11:49 07[IKE]activating ISAKMP_DPD task
Mon, 2019-08-19 11:49 07[ENC]  generating INFORMATIONAL_V1 request 
1814674566 [ HASH N(DPD_ACK) ]
Mon, 2019-08-19 11:49 07[NET]  sending packet: from 10.0.0.3[4500] 
to 50.45.0.51[4500] (92 bytes)
Mon, 2019-08-19 11:49 07[IKE]  activating new tasks
Mon, 2019-08-19 11:49 07[IKE]  nothing to initiate
Mon, 2019-08-19 11:50 09[NET]  received packet: from 
50.45.0.51[4500] to 10.0.0.3[4500] (92 bytes)
Mon, 2019-08-19 11:50 09[ENC]  parsed INFORMATIONAL_V1 request 
1546570273 [ HASH N(DPD) ]
Mon, 2019-08-19 11:50 09[IKE]  queueing ISAKMP_DPD task
Mon, 2019-08-19 11:50 09[IKE]  activating new tasks
Mon, 2019-08-19 11:50 09[IKE]activating ISAKMP_DPD task
Mon, 2019-08-19 11:50 09[ENC]  generating INFORMATIONAL_V1 request 
4044055820 [ HASH N(DPD_ACK) ]
Mon, 2019-08-19 11:50 09[NET]  sending packet: from 10.0.0.3[4500] 
to 50.45.0.51[4500] (92 bytes)
Mon, 2019-08-19 11:50 09[IKE]  activating new tasks


--
Kind regards

Stephen Feyrer


From: Tobias Brunner 
Sent: 19 August 2019 11:16
To: Stephen Feyrer ; strongSwan Users-Mailinglist 

Subject: Re: [strongSwan] Connecting but not connected


Hi Stephen,

> I
> will send updates for push and pull separately.  Sorry for all the emails...

Don't bother with `push`, it's definitely not the way to go.

The problem now is your ESP algorithm proposals and/or the traffic
selectors (`left|rightsubnet`).  Start with
`rightsubnet=0.0.0.0/0` as that's what's usually used for roadwarriors
(if L2TP should be used you can experiment with restricting the
ports/protocols too).  If you still get a NO_PROPOSAL_CHOSEN notify try
adding `esp=aes128-sha1-modp2048` (that matches the IKE proposal,
however, if you actually have more specific information regarding the
ESP/IPsec proposal from your admin, use that).

Regards,
Tobias


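Tobias's advice above on NO_PROPOSAL_CHOSEN (start with `rightsubnet=0.0.0.0/0`, then pin the ESP proposal, and prefer whatever the admin actually configured on the FortiGate) is easier to reason about with a matcher in hand. The following is an added example, not strongSwan code and not part of the thread: a simplified model of how a responder selects a Quick Mode proposal. It parses proposal strings in the format charon prints after `configured proposals:` and returns the first configured proposal for which every transform type that either side lists has an algorithm in common. In this model a DH group listed by one side only counts as a mismatch, which is the behaviour of a peer that requires PFS; it is the example's simplification, not a statement about the FortiGate. The peer proposal list is constructed from the Windows client summary Stephen posted (AES128/AES256 with SHA1, DH group 5); the thread contains no FortiGate output and does not say which `esp=` line finally worked, so treat the results as an illustration of the matching rule only.

```python
"""A simplified model of IKEv1 Quick Mode proposal selection.

Added example, not strongSwan code. The peer proposals are constructed
from the Windows client summary in the thread (AES128/AES256 with SHA1,
DH group 5), not from any FortiGate output.
"""
ENCR = ["AES_CBC_128", "AES_CBC_192", "AES_CBC_256", "3DES_CBC"]
INTEG = ["HMAC_SHA1_96", "HMAC_SHA2_256_128", "HMAC_SHA2_384_192",
         "HMAC_SHA2_512_256", "AES_XCBC_96"]
DH = ["MODP_1024", "MODP_1536", "MODP_2048", "MODP_3072", "MODP_4096"]
ESN = ["NO_EXT_SEQ", "EXT_SEQ"]
TRANSFORM_TYPES = {"ENCR": ENCR, "INTEG": INTEG, "DH": DH, "ESN": ESN}

# The default ESP proposal charon logged in the thread when no esp= line was set.
DEFAULT_ESP = ("ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/"
               "HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ")
# What esp=aes128-sha1-modp2048 and esp=aes128-sha1-modp1536 (DH group 5) expand to.
ESP_MODP2048 = "ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ"
ESP_MODP1536 = "ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ"
# Constructed peer side: AES128 or AES256 with SHA1 and PFS group 5 (MODP_1536).
PEER_PFS5 = ("ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, "
             "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ")

def parse_proposals(text):
    """'ESP:A/B, ESP:C/D' -> [{'proto': 'ESP', 'ENCR': [...], 'INTEG': [...], ...}, ...]"""
    proposals = []
    for chunk in text.split(","):
        proto, _, algs = chunk.strip().partition(":")
        prop = {"proto": proto}
        for alg in algs.split("/"):
            for ttype, known in TRANSFORM_TYPES.items():
                if alg in known:
                    prop.setdefault(ttype, []).append(alg)
                    break
            else:
                raise ValueError(f"unknown algorithm {alg!r}")
        proposals.append(prop)
    return proposals

def select_proposal(configured, received):
    """First configured proposal the peer accepts, as (index, {type: algorithm}), else None."""
    for i, mine in enumerate(parse_proposals(configured)):
        for theirs in parse_proposals(received):
            if mine["proto"] != theirs["proto"]:
                continue
            chosen = {}
            for ttype in TRANSFORM_TYPES:
                ours, peers = mine.get(ttype, []), theirs.get(ttype, [])
                if not ours and not peers:
                    continue                  # neither side uses this type (e.g. no PFS)
                common = [a for a in ours if a in peers]
                if not common:
                    break                     # one side insists on what the other lacks
                chosen[ttype] = common[0]     # keep the configured side's preference order
            else:
                return i, chosen
    return None
```

Run against the constructed peer, the default proposal (no DH group at all) and the `modp2048` proposal both come back as `None`, while `modp1536` matches, which is exactly the situation Tobias's caveat covers: when the peer's Phase 2 parameters are known, match those rather than copying the IKE proposal. To check a real failure, paste the `configured proposals:` line from the charon log as `configured` and the peer's documented Phase 2 settings, converted to the same notation, as `received`.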


Re: [strongSwan] Connecting but not connected

2019-08-19 Thread Stephen Feyrer
_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Fri, 2019-08-16 16:12 01[KNL]  got SPI c1a6f32b
Fri, 2019-08-16 16:12 01[CFG]  configured proposals: 
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Fri, 2019-08-16 16:12 01[CFG]  proposing traffic selectors for us:
Fri, 2019-08-16 16:12 01[CFG]   192.168.50.13/32
Fri, 2019-08-16 16:12 01[CFG]  proposing traffic selectors for 
other:
Fri, 2019-08-16 16:12 01[CFG]   50.45.0.51/32
Fri, 2019-08-16 16:12 01[ENC]  generating QUICK_MODE request 
3055767202 [ HASH SA No ID ID ]
Fri, 2019-08-16 16:12 01[NET]  sending packet: from 10.0.0.3[4500] 
to 50.45.0.51[4500] (172 bytes)
Fri, 2019-08-16 16:12 06[NET]  received packet: from 
50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
Fri, 2019-08-16 16:12 06[ENC]  parsed INFORMATIONAL_V1 request 
3215514754 [ HASH N(NO_PROP) ]
Fri, 2019-08-16 16:12 06[IKE]  received NO_PROPOSAL_CHOSEN error 
notify
Fri, 2019-08-16 16:12 06[CHD]  CHILD_SA officeVPN{1} state change: 
CREATED => DESTROYING
Fri, 2019-08-16 16:12 06[KNL]  deleting SAD entry with SPI c1a6f32b
Fri, 2019-08-16 16:12 06[KNL]  deleted SAD entry with SPI c1a6f32b

Thank you.


--
Kind regards

Stephen Feyrer

From: Tobias Brunner 
Sent: 19 August 2019 10:17
To: Stephen Feyrer ; strongSwan Users-Mailinglist 

Subject: Re: [strongSwan] Connecting but not connected


Hi Stephen,

> Part Pull

The log/status doesn't seem to match that.  There is no mode config
exchange in the log and the queued task is given as QUICK_MODE.  With
`pull` (that's actually the default) the client should send a mode
config request after XAuth.

Regards,
Tobias




Re: [strongSwan] Connecting but not connected

2019-08-16 Thread Stephen Feyrer
 12[IKE]  IKE_SA officeVPN[1] established 
between 10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
Fri, 2019-08-16 16:14 12[IKE]  IKE_SA officeVPN[1] state change: 
CONNECTING => ESTABLISHED
Fri, 2019-08-16 16:14 12[IKE]  scheduling reauthentication in 9852s
Fri, 2019-08-16 16:14 12[IKE]  maximum IKE_SA lifetime 10392s
Fri, 2019-08-16 16:14 12[ENC]  generating TRANSACTION response 
3349886284 [ HASH CPA(X_STATUS) ]
Fri, 2019-08-16 16:14 12[NET]  sending packet: from 10.0.0.3[4500] 
to 50.45.0.51[4500] (76 bytes)
Fri, 2019-08-16 16:14 12[IKE]  activating new tasks
Fri, 2019-08-16 16:14 12[IKE]  nothing to initiate
Fri, 2019-08-16 16:15 04[NET]  received packet: from 
50.45.0.51[4500] to 10.0.0.3[4500] (92 bytes)
Fri, 2019-08-16 16:15 04[ENC]  parsed INFORMATIONAL_V1 request 
1714123051 [ HASH N(DPD) ]
Fri, 2019-08-16 16:15 04[IKE]  queueing ISAKMP_DPD task
Fri, 2019-08-16 16:15 04[IKE]  activating new tasks
Fri, 2019-08-16 16:15 04[IKE]activating ISAKMP_DPD task
Fri, 2019-08-16 16:15 04[ENC]  generating INFORMATIONAL_V1 request 
3290006026 [ HASH N(DPD_ACK) ]
Fri, 2019-08-16 16:15 04[NET]  sending packet: from 10.0.0.3[4500] 
to 50.45.0.51[4500] (92 bytes)
Fri, 2019-08-16 16:15 04[IKE]  activating new tasks
Fri, 2019-08-16 16:15 04[IKE]  nothing to initiate
Fri, 2019-08-16 16:16 11[NET]  received packet: from 
50.45.0.51[4500] to 10.0.0.3[4500] (92 bytes)
Fri, 2019-08-16 16:16 11[ENC]  parsed INFORMATIONAL_V1 request 
2545931713 [ HASH N(DPD) ]
Fri, 2019-08-16 16:16 11[IKE]  queueing ISAKMP_DPD task
Fri, 2019-08-16 16:16 11[IKE]  activating new tasks
Fri, 2019-08-16 16:16 11[IKE]activating ISAKMP_DPD task
Fri, 2019-08-16 16:16 11[ENC]  generating INFORMATIONAL_V1 request 
3138418696 [ HASH N(DPD_ACK) ]
Fri, 2019-08-16 16:16 11[NET]  sending packet: from 10.0.0.3[4500] 
to 50.45.0.51[4500] (92 bytes)
Fri, 2019-08-16 16:16 11[IKE]  activating new tasks
Fri, 2019-08-16 16:16 11[IKE]  nothing to initiate
Fri, 2019-08-16 16:17 14[CFG] proposing traffic selectors for us:
Fri, 2019-08-16 16:17 14[CFG]  dynamic
Fri, 2019-08-16 16:17 14[CFG] proposing traffic selectors for other:
Fri, 2019-08-16 16:17 14[CFG]  dynamic
Fri, 2019-08-16 16:17 05[NET]  received packet: from 
50.45.0.51[4500] to 10.0.0.3[4500] (92 bytes)
Fri, 2019-08-16 16:17 05[ENC]  parsed INFORMATIONAL_V1 request 
4173293943 [ HASH N(DPD) ]
Fri, 2019-08-16 16:17 05[IKE]  queueing ISAKMP_DPD task
Fri, 2019-08-16 16:17 05[IKE]  activating new tasks
Fri, 2019-08-16 16:17 05[IKE]activating ISAKMP_DPD task
Fri, 2019-08-16 16:17 05[ENC]  generating INFORMATIONAL_V1 request 
529988676 [ HASH N(DPD_ACK) ]
Fri, 2019-08-16 16:17 05[NET]  sending packet: from 10.0.0.3[4500] 
to 50.45.0.51[4500] (92 bytes)
Fri, 2019-08-16 16:17 05[IKE]  activating new tasks
Fri, 2019-08-16 16:17 05[IKE]  nothing to initiate


Thank you


--
Kind regards

Stephen Feyrer

From: Tobias Brunner 
Sent: 16 August 2019 15:48
To: Stephen Feyrer ; strongSwan Users-Mailinglist 

Subject: Re: [strongSwan] Connecting but not connected


Hi Stephen,

> I have already advised the team that Aggressive
> mode with psk is unsafe.

If you are at it, they shouldn't use IKEv1 or L2TP (if they actually do)
anymore either.

Looks like you might now have to add leftsourceip=%config again (the
peer is apparently not ready yet to accept Quick Mode requests, so it
might be waiting for Mode Config).

Regards,
Tobias




Re: [strongSwan] Connecting but not connected

2019-08-16 Thread Stephen Feyrer
_SHA1_96/NO_EXT_SEQ, 
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Fri, 2019-08-16 14:48 11[KNL]  got SPI cddb140c
Fri, 2019-08-16 14:48 11[CFG]  configured proposals: 
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, 
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Fri, 2019-08-16 14:48 11[CFG]  proposing traffic selectors for us:
Fri, 2019-08-16 14:48 11[CFG]   10.0.0.3/32[udp/l2f]
Fri, 2019-08-16 14:48 11[CFG]  proposing traffic selectors for 
other:
Fri, 2019-08-16 14:48 11[CFG]   192.168.50.0/24[udp/l2f]
Fri, 2019-08-16 14:48 11[ENC]  generating QUICK_MODE request 
4038947095 [ HASH SA No ID ID ]
Fri, 2019-08-16 14:48 11[NET]  sending packet: from 10.0.0.3[4500] 
to 50.45.0.51[4500] (204 bytes)
Fri, 2019-08-16 14:48 04[IKE]  sending retransmit 1 of request 
message ID 4038947095, seq 3
Fri, 2019-08-16 14:48 04[NET]  sending packet: from 10.0.0.3[4500] 
to 50.45.0.51[4500] (204 bytes)
Fri, 2019-08-16 14:48 14[IKE]  sending retransmit 2 of request 
message ID 4038947095, seq 3
Fri, 2019-08-16 14:48 14[NET]  sending packet: from 10.0.0.3[4500] 
to 50.45.0.51[4500] (204 bytes)
Fri, 2019-08-16 14:48 15[CFG] proposing traffic selectors for us:
Fri, 2019-08-16 14:48 15[CFG]  dynamic[udp/l2f]
Fri, 2019-08-16 14:48 15[CFG] proposing traffic selectors for other:
Fri, 2019-08-16 14:48 15[CFG]  192.168.50.0/24[udp/l2f]

Thank you.


--
Kind regards

Stephen Feyrer

From: Tobias Brunner 
Sent: 16 August 2019 14:42
To: Stephen Feyrer ; strongSwan Users-Mailinglist 

Subject: Re: [strongSwan] Connecting but not connected


Hi Stephen,

> Here are the details in full:

That first log you posted is useless.  It's not the daemon's log (you
configured logging to a separate file yourself in strongswan.conf).

Your problem now is the `authby` setting.  Since the peer wants to do
XAuth you have to set it to `xauthpsk` (which is very unsafe with
aggressive mode [1]).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Aggressive-Mode




Re: [strongSwan] Connecting but not connected

2019-08-16 Thread Stephen Feyrer
l


conn officeVPN
    aggressive=yes
    keyexchange=ikev1
    type=tunnel
    authby=secret
    ike=aes128-sha1-modp2048
    left=%defaultroute
    leftprotoport=udp/l2tp
    right=50.45.0.51
    rightsubnet=192.168.50.0/24
    rightprotoport=udp/l2tp
    rightid=196.198.128.64
    rightfirewall=yes
    auto=add
    xauth_identity=user


I have been provided some details from the Windows client that may be relevant:

Phase 1,
IKE version 1, Aggressive, Mode Config, Dead Peer Detection, NAT Traversal
IKE Proposal AES128 SHA1
 AES256 SHA256

Phase 2,
Enable Replay Detection
IKE Proposal AES128 SHA1
 AES256 SHA1

DH Group 5

The responder is a FortiGate NVA appliance.

Thank you.

From: Tobias Brunner 
Sent: 16 August 2019 14:00
To: Stephen Feyrer ; strongSwan Users-Mailinglist 

Subject: Re: [strongSwan] Connecting but not connected


Hi Stephen,

> I have tried with:
>
> #leftsourceip=%config
> modeconfig=pull

Leave both enabled to use a virtual IP.  Comment both (as you tried) to
not use one.

> These both result with:

Please post the full logs.

Regards,
Tobias




Re: [strongSwan] Connecting but not connected

2019-08-16 Thread Stephen Feyrer
Hi Tobias,

Apologies, I misunderstood.

I have tried with:

#leftsourceip=%config
modeconfig=pull

and

#leftsourceip=%config
#modeconfig=pull

These both result with:

sending retransmit 1 of request message ID 204552098, seq 3
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (76 bytes)
received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
ignoring TRANSACTION request, queue full

Thank you


From: Tobias Brunner 
Sent: 16 August 2019 10:08
To: Stephen Feyrer ; strongSwan Users-Mailinglist 

Subject: Re: [strongSwan] Connecting but not connected


Hi Stephen,

> Thank you for your helpful response.
>
> Unfortunately this has resulted in a similar outcome:

As I said, `leftsourceip=%config` might not be applicable if the goal is
to use L2TP.

Regards,
Tobias




[strongSwan] Connecting but not connected

2019-08-15 Thread Stephen Feyrer
save
# Generated by iptables-save v1.6.1 on Thu Aug 15 12:11:29 2019
*nat
:PREROUTING ACCEPT [114:18309]
:INPUT ACCEPT [71:7900]
:OUTPUT ACCEPT [734:82033]
:POSTROUTING ACCEPT [734:82033]
-A POSTROUTING -o enp4s0 -j MASQUERADE
-A POSTROUTING -o enp4s0 ! -p esp -j SNAT --to-source 50.45.0.51
COMMIT
# Completed on Thu Aug 15 12:11:29 2019
# Generated by iptables-save v1.6.1 on Thu Aug 15 12:11:29 2019
*filter
:INPUT ACCEPT [1033:70520]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [485:53012]
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
-A INPUT -p udp -m udp -m udp --dport 1701 -j REJECT --reject-with 
icmp-port-unreachable
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --dport 1701 -j ACCEPT
-A OUTPUT -p udp -m udp -m udp --dport 1701 -j REJECT --reject-with 
icmp-port-unreachable
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
COMMIT
# Completed on Thu Aug 15 12:11:29 2019

sudo ip6tables-save
# Generated by ip6tables-save v1.6.1 on Thu Aug 15 17:18:10 2019
*filter
:INPUT ACCEPT [61:9719]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [107:13371]
COMMIT
# Completed on Thu Aug 15 17:18:10 2019


$ ip route show table all
default via 10.0.0.1 dev wlp2s0 proto dhcp metric 600
169.254.0.0/16 dev wlp2s0 scope link metric 1000
10.0.0.0/28 dev wlp2s0 proto kernel scope link src 10.0.0.3 metric 600
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 
127.0.0.1
broadcast 10.0.0.0 dev wlp2s0 table local proto kernel scope link src 10.0.0.3
local 10.0.0.3 dev wlp2s0 table local proto kernel scope host src 10.0.0.3
broadcast 10.0.0.15 dev wlp2s0 table local proto kernel scope link src 10.0.0.3
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 256 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 600 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local  dev wlp2s0 table local proto kernel metric 0 pref medium
ff00::/8 dev wlp2s0 table local metric 256 pref medium


ip address
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group 
default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
2: enp4s0:  mtu 1500 qdisc fq_codel state 
DOWN group default qlen 1000
link/ether  brd ff:ff:ff:ff:ff:ff
3: wlp2s0:  mtu 1500 qdisc mq state UP group 
default qlen 1000
link/ether  brd ff:ff:ff:ff:ff:ff
inet 10.0.0.3/28 brd 10.0.0.15 scope global dynamic noprefixroute wlp2s0
   valid_lft 83281sec preferred_lft 83281sec
inet6 /64 scope link noprefixroute
   valid_lft forever preferred_lft forever


sudo ipsec up officeVPN
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.45.0.51
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 10.0.0.3[500] to 50.45.0.51[500] (548 bytes)
received packet: from 50.45.0.51[500] to 10.0.0.3[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 
10.0.0.3[10.0.0.3]...50.45.0.51[196.198.128.64]
scheduling reauthentication in 9883s
maximum IKE_SA lifetime 10423s
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (108 bytes)
received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
parsed TRANSACTION request 2194615948 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 2194615948 [ HASH CP ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (76 bytes)
received packet: from 50.45.0.51[4500] to 10.0.0.3[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 3863129339 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 608732088 [ HASH N(DPD_ACK) ]
sending packet: from 10.0.0.3[4500] to 50.45.0.51[4500] (92 bytes)


Please help, thank you.


--
Kind regards

Stephen Feyrer


Re: [strongSwan] local host is behind NAT, sending keep alives

2019-08-14 Thread Stephen Feyrer
Hi Team,

An update.

ipsec.conf
conn officeVPN
    aggressive=yes
    type=transport
    authby=secret
    keyexchange=ikev1
    ike=aes128-sha1-modp2048,aes256-sha1-modp2048!
    left=%defaultroute
    leftsourceip=%config
    modeconfig=push
    leftprotoport=udp/l2tp
    right=50.45.0.51
    rightprotoport=udp/l2tp
    rightid=10.0.0.254
    auto=add

ipsec.secrets:
50.45.0.51 %any : PSK "StrongKey-Honest!"

strongswan.conf
keep_alive=0
i_dont_care_about_security_and_use_aggressive_mode_psk=yes

$ sudo ipsec up officeVPN
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
generating AGGRESSIVE request 0  [ SA KE No ID V V V V V ]
sending packet:from 1.0.0.127[500] to 50.54.0.51[500] (548 bytes)
received packet:from 50.54.0.51[500] to 1.0.0.127[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 00:00:00:00:00:00:00:00:00:08:00:00:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 1.0.0.127[1.0.0.127]... 
50.54.0.51[10.0.0.254]
scheduling reauthentication in 9761s
maximum IKE_SA lifetime 10301s
generating AGGRESSIVE request 0 [ HASH NAT-D ]
sending packet:from 1.0.0.127[4500] to 50.54.0.51[4500] (140 bytes)
received packet:from 50.54.0.51[4500] to 1.0.0.127[4500] (92 bytes)
generating TRANSACTION response 890044400 [ HASH CP ]
sending packet:from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet:from 50.54.0.51[500] to 1.0.0.127[500] (108 bytes)
parsed INFORMATIONAL_V1 request 4321098765 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 0987654321 [ HASH N(DPD_ACK) ]
sending packet:from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet:from 50.54.0.51[500] to 1.0.0.127[500] (108 bytes)
parsed INFORMATIONAL_V1 request 7654321098 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 2109876543 [ HASH N(DPD_ACK) ]
sending packet:from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet:from 50.54.0.51[500] to 1.0.0.127[500] (108 bytes)
parsed INFORMATIONAL_V1 request 3210987654 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 6543210987 [ HASH N(DPD_ACK) ]

Please help, thanks.


--
Stephen Feyrer
DevOps Engineer
Greensill Capital
stephen.fey...@greensill.com
http://www.greensill.com


[strongSwan] local host is behind NAT, sending keep alives

2019-08-13 Thread Stephen Feyrer
Hey everyone,

I have a laptop tethered via my phone, Ubuntu 18.4.  I am unable to establish a 
connection and none of my research has thus far revealed anything helpful.  
Please review the below and advise.  Other proprietary clients are able to 
connect without issue.

I have an ipsec.conf file which looks like:

conn officeVPN
  aggressive=yes
  type=tunnel
  authby=secret
  keyexchange=ikev1
  ike=aes128-sha1-modp2048
  esp=aes256-sha256-modp2048
  mobike=no
  left=%defaultroute
  leftsourceip=%config
  modeconfig=push
  leftprotoport=udp/l2tp
  right=50.45.0.51
  rightprotoport=udp/l2tp
  rightid=10.0.0.254
  auto=add
  xauth_identity=user

An ipsec.secrets that looks like:

50.45.0.51 %any : PSK "StrongKey-Honest!"
user %any : XAUTH "password"

An /etc/strongswan.conf that has the following line:

i_dont_care_about_security_and_use_aggressive_mode_psk=yes


Then the ipsec up officeVPN command is run:

$ sudo ipsec up officeVPN
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
generating AGGRESSIVE request 0  [ SA KE No ID V V V V V ]
sending packet:from 1.0.0.127[500] to 50.54.0.51[500] (548 bytes)
received packet:from 50.54.0.51[500] to 1.0.0.127[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 00:00:00:00:00:00:00:00:00:08:00:00:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 1.0.0.127[1.0.0.127]...50.54.0.51[10.0.0.254]
scheduling reauthentication in 9761s
maximum IKE_SA lifetime 10301s
generating AGGRESSIVE request 0 [ HASH NAT-D ]
sending packet:from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet:from 50.54.0.51[4500] to 1.0.0.127[4500] (76 bytes)
generating TRANSACTION response 890044400 [ HASH CP ]
sending packet:from 1.0.0.127[4500] to 50.54.0.51[4500] (76 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
received packet:from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 4321098765 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 0987654321 [ HASH N(DPD_ACK) ]
sending packet:from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
received packet:from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 7654321098 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 2109876543 [ HASH N(DPD_ACK) ]
sending packet:from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
received packet:from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 3210987654 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 6543210987 [ HASH N(DPD_ACK) ]
sending packet:from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
deleting IKE_SA officeVPN[1] between 1.0.0.127[1.0.0.127]...50.54.0.51[10.0.0.254]
sending DELETE for IKE_SA officeVPN[1]
parsed INFORMATIONAL_V1 request 5432109876 [ HASH D ]
sending packet:from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
establishing connection 'officeVPN' failed

Thank you.


--
Stephen Feyrer
DevOps Engineer
Greensill Capital
stephen.fey...@greensill.com
http://www.greensill.com





Re: [strongSwan] peer not responding [Resolved]

2019-08-13 Thread Stephen Feyrer
Hey,

Please consider the specific issue below resolved.

Added the line "ike=aes128-sha1-modp2048"

Thank you.


--
Stephen Feyrer
DevOps Engineer
Greensill Capital
stephen.fey...@greensill.com
http://www.greensill.com


Re: [strongSwan] peer not responding

2019-08-12 Thread Stephen Feyrer
Hi there,

A short update.  Most of the below remains true.

I now have permission to test from a Laptop running Ubuntu which is tethered to 
my phone.

Some additional information from $ sudo ike-scan -v -M -m -1 -y 1 -A 50.45.0.51
DEBUG :pkt len=356 bytes, bandwidth=56000 bps, int=54857 us
Startng ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan)
---Pass 1 of 3 completed
---Pass 2 of 3 completed
---Pass 3 of 3 completed

Ending ike-scan 1.9.4: 1 hosts scanned in 2.451 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify

The VPN provider is a Fortigate.


--
Stephen Feyrer
DevOps Engineer
Greensill Capital
stephen.fey...@greensill.com
http://www.greensill.com


[strongSwan] peer not responding

2019-08-08 Thread Stephen Feyrer
Hi there,

My situation is an odd one.  I have on my desktop a Linux virtual machine 
(Debian) running in VirtualBox, on which I need to set up an IPsec/L2TP VPN 
client so as to be able to provide guidance to external users to set up their 
connections.

In VirtualBox I have set rules to forward the ports 50, 51, 500 and 4500 to the 
VM.

I have an officeVPN.conf file which looks like:

conn officeVPN
  aggressive=yes
  type=tunnel
  authby=psk
  keyexchange=ikev1
  left=%defaultroute
  leftprotoport=udp/l2tp
  right=50.45.0.51
  rightprotoport=udp/l2tp
  auto=add

An officeVPN.secrets that looks like:

: PSK "StrongKey-Honest!"

An /etc/strongswan.conf that has the following line:

i_dont_care_about_security_and_use_aggressive_mode_psk=yes


Then the ipsec up officeVPN command is run:

# ipsec up officeVPN
Initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
Generating AGGRESSIVE request 0  [ SA KE No ID V V V V V ]
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 4 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 5 of request message ID 0, seq 1
giving up after 5 retransmits
peer not responding, trying again (2/3)
Initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
Generating AGGRESSIVE request 0  [ SA KE No ID V V V V V ]
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 4 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 5 of request message ID 0, seq 1
giving up after 5 retransmits
peer not responding, trying again (3/3)
Initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
Generating AGGRESSIVE request 0  [ SA KE No ID V V V V V ]
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.5.0.51[500] (320 bytes)
sending retransmit 4 of request message ID 0, seq 1
sending packet: from a.b.c.d [500] to 50.45.0.51[500] (320 bytes)
sending retransmit 5 of request message ID 0, seq 1
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
establishing connection 'officeVPN' failed.


From the logs I get lines like:

Starting strongSwan 5.7.2 IPsec [starter]...
Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-5-amd64, x86-64)
loading ca certificates from '/etc/ipsec.d/cacerts'
loading aa certificates from '/etc/ipsec.d/aacerts'
loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
loading attribute certificates from '/etc/ipsec.d/acerts'
loading crls from '/etc/ipsec.d/crls'
loading secrets from '/etc/ipsec.d/officeVPN.sercrets'
loading IKE secret for officeVPN 50.45.0.51
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation...
dropped capabilities, running as uid 0, gid 0
spawning 16 worker threads
charon (1499) started after 20 ms
received stroke: add connection 'officeVPN'
added configuration 'officeVPN'
received stroke: initiate 'officeVPN'


Where a.b.c.d is the local IP of the host and 50.54.0.51 is the VPN server.

Nothing that I have tried has had a positive effect.  Thank you for your 
patience.  I may be going about this wholly the wrong way, so any suggestions 
would be gratefully received.

Thank you.


--
Stephen Feyrer
DevOps Engineer
Greensill Capital
stephen.fey...@greensill.com
http://www.greensill.com
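The `ipsec up` transcripts in this thread end in different ways: no answer from the peer at all, an IKE_SA that is established and then deleted before any CHILD_SA appears, and (in the 2015 thread further down) a traffic-selector rejection after phase 1. The following classifier is an added example, not code from the thread or from the strongSwan project; the sample transcripts inside it are constructed from lines quoted on this page, with placeholder message IDs.

```python
"""Triage `ipsec up` output from strongSwan's charon (IKEv1).

Added example, not code from this thread or from the strongSwan project.
It walks one `ipsec up` transcript and reports how far the handshake got,
separating the failure shapes quoted in this thread: no reply on UDP 500,
an ISAKMP SA deleted before any CHILD_SA comes up, or a QUICK_MODE
traffic-selector mismatch. The sample transcripts below are constructed.
"""
import re
from dataclasses import dataclass, field

# Verdict codes returned by Triage.verdict(); the second element is advice.
NO_REPLY, IKE_SA_ONLY, UNKNOWN = "NO_REPLY", "IKE_SA_ONLY", "UNKNOWN"
SELECTOR_MISMATCH, ESTABLISHED = "SELECTOR_MISMATCH", "ESTABLISHED"


@dataclass
class Triage:
    ike_sa_established: bool = False      # phase 1 (ISAKMP SA) completed
    connection_established: bool = False  # CHILD_SA negotiated
    delete_seen: bool = False             # IKE DELETE sent or received
    retransmits: int = 0
    dpd_requests: int = 0
    errors: list = field(default_factory=list)

    def verdict(self):
        """Return (code, advice) for the run summarised in this object."""
        if self.connection_established:
            return ESTABLISHED, ("CHILD_SA up; confirm on the client with "
                                 "`ip xfrm state` and `ip route list table 220`")
        if not self.ike_sa_established and self.retransmits:
            return NO_REPLY, ("no answer on UDP 500 after %d retransmits: check the "
                              "peer address and filtering on the path" % self.retransmits)
        if self.ike_sa_established:
            if any("traffic selectors" in e for e in self.errors):
                return SELECTOR_MISMATCH, ("phase 1 ok but QUICK_MODE selectors were "
                                           "rejected: compare type=, subnets and "
                                           "protoport with the peer's phase 2 policy")
            if self.delete_seen or self.errors:
                return IKE_SA_ONLY, ("ISAKMP SA established but no CHILD_SA before "
                                     "DELETE: check mode config/XAuth and the phase 2 "
                                     "proposals against the peer's log")
            return IKE_SA_ONLY, "ISAKMP SA established; no CHILD_SA reported yet"
        return UNKNOWN, "no recognisable outcome in the log"


# (regex, attribute): the attribute is set to True when the regex matches a line.
_FLAGS = [
    (re.compile(r"^IKE_SA \S+ established between"), "ike_sa_established"),
    (re.compile(r"^connection '.+' established successfully"), "connection_established"),
    (re.compile(r"DELETE for IKE_SA|\[ HASH D \]"), "delete_seen"),
]
_RETRANSMIT = re.compile(r"^sending retransmit \d+ of request")
_DPD = re.compile(r"N\(DPD\)")
_ERROR = re.compile(r"^(establishing .* failed|no acceptable traffic selectors found"
                    r"|giving up after \d+ retransmits)")


def triage(log_text):
    """Parse one `ipsec up` transcript (a string) into a Triage summary."""
    t = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        for pattern, attr in _FLAGS:
            if pattern.search(line):
                setattr(t, attr, True)
        if _RETRANSMIT.match(line):
            t.retransmits += 1
        if _DPD.search(line):
            t.dpd_requests += 1
        if _ERROR.match(line):
            t.errors.append(line)
    return t


# Constructed transcripts, abridged from the thread; message IDs are placeholders.
LOG_NO_REPLY = """\
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
sending packet: from a.b.c.d[500] to 50.54.0.51[500] (320 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending retransmit 2 of request message ID 0, seq 1
giving up after 2 retransmits
establishing IKE_SA failed, peer not responding
establishing connection 'officeVPN' failed
"""
LOG_IKE_SA_ONLY = """\
IKE_SA officeVPN[1] established between 1.0.0.127[1.0.0.127]...50.54.0.51[10.0.0.254]
generating TRANSACTION response 1 [ HASH CP ]
parsed INFORMATIONAL_V1 request 2 [ HASH N(DPD) ]
sending keep alive to 50.54.0.51[4500]
sending DELETE for IKE_SA officeVPN[1]
establishing connection 'officeVPN' failed
"""
LOG_SELECTORS = """\
IKE_SA VPN-OFFICE-COM[14] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
no acceptable traffic selectors found
establishing connection 'VPN-OFFICE-COM' failed
"""
LOG_OK = "IKE_SA v[2] established between a[a]...b[b]\nconnection 'v' established successfully\n"
```

Feed it the text of a real run (for example `ipsec up officeVPN 2>&1`) via `triage(text).verdict()`; a verdict of ESTABLISHED means a CHILD_SA came up, IKE_SA_ONLY means phase 1 alone succeeded.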



Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]

2015-04-22 Thread Stephen Feyrer

Hi,

I would just like to say thank you to everyone.  On point irony, I learned  
yesterday that today the office network is being upgraded and the current  
VPN will no longer work.


Thank you for your help, I'm sorry I can report back a solution.  I wish  
you all the best.



--
Kind regards

Stephen Feyrer.





On Mon, 20 Apr 2015 12:02:36 +0100, Noel Kuntze wrote:




Hello Stephen,

Your original configuration looks like l2tp/IPsec.
Your configuration was correct for that purpose.
Where this is going right now, is a general roadwarrior configuration  
for IKEv1.

Please check what is actually configured on the IOS device, so
we can solve this quickly.

Kind regards,
Noel Kuntze

Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 20.04.2015 at 11:01, Stephen Feyrer wrote:

Hi Miroslav,

Thank you.

We've made progress.  I haven't included any of the log file as it is very  
verbose (24488 lines - for ipsec up, statusall, down).  Please let me know  
which sections to look at and I'll grab those.


As you can see below, the transaction request seems to be very laboured but  
does result in a success statement.  Following that I have tried to test with  
openl2tp to create the l2tp ppp tunnel.  Openl2tp seems to create this tunnel  
but ifconfig does not show any ppp interfaces.


The lines in the conn left/rightprotoport do not seem to affect the  
outcome whether included or not.  The charondebug line when uncommented  
prevents any output and I suspect that the syntax is wrong there.




code:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
  # strictcrlpolicy=yes
  # uniqueids = no
  #charondebug="ike 3, cfg 3, app 3, chd 3, dmn 3, net 3"

conn VPN-OFFICE-COM
  keyexchange=ikev1
  type=tunnel
  authby=secret
  ike=3des-sha1-modp1024
  rekey=no
  left=%any
  leftsourceip=%config
  #leftprotoport=udp/l2tp
  right=vpn.office.com
  #rightprotoport=udp/l2tp
  rightid=17.11.7.5
  rightsubnet=0.0.0.0/0
  auto=add


# ipsec up VPN-OFFICE-COM
initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [HIDDEN]
received unknown vendor ID: [HIDDEN]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN-OFFICE-COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating TRANSACTION request [HIDDEN] [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
sending retransmit 1 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
sending retransmit 2 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
sending retransmit 3 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
sending keep alive to 17.11.7.5[4500]
sending retransmit 4 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH D ]
received DELETE for IKE_SA VPN-OFFICE-COM[1]
deleting IKE_SA VPN-OFFICE-COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
initiating Main Mode IKE_SA VPN-OFFICE-COM[2] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
connection 'VPN-OFFICE-COM' established successfully


# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.16.5-gentoo, x86_64):
uptime: 112 seconds,

Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]

2015-04-20 Thread Stephen Feyrer
uthentication
VPN-OFFICE-COM: child: dynamic[udp/l2tp] === 172.18.7.0/24[udp/l2tp] TUNNEL
Security Associations (1 up, 0 connecting):
VPN-OFFICE-COM[2]: ESTABLISHED 40 seconds ago, 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
VPN-OFFICE-COM[2]: IKEv1 SPIs: [HIDDEN]_i* [HIDDEN]_r, rekeying disabled
VPN-OFFICE-COM[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
VPN-OFFICE-COM[2]: Tasks queued: QUICK_MODE ISAKMP_DPD ISAKMP_DPD ISAKMP_DPD
VPN-OFFICE-COM[2]: Tasks active: MODE_CONFIG


# ipsec down VPN-OFFICE-COM
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH D ]
received DELETE for IKE_SA VPN-OFFICE-COM[2]
deleting IKE_SA VPN-OFFICE-COM[2] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
initiating Main Mode IKE_SA VPN-OFFICE-COM[3] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
IKE_SA [2] closed successfully




--
Kind regards

Stephen Feyrer



On Mon, 20 Apr 2015 00:57:42 +0100, Miroslav Svoboda wrote:



Hi Stephen,

Please delete type=transport or change it to type=tunnel.
Also delete rightprotoport and leftprotoport.

If this did not help, please provide again ipsec statusall + enable  
logging at higher level as described here and provide logfile.


Regards,
Miroslav

On Monday, April 20, 2015 at 1:47:48 AM UTC+2, Stephen Feyrer wrote:

Hi Miroslav,

You are correct, the syntax error is gone.  Sadly, there is not much  
which I can tell you about my office Network topology.  All that I do  
know is that we pass through a Windows Firewall before being able to  
connect our work stations.



code:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
   # strictcrlpolicy=yes
   # uniqueids = no

conn VPN-OFFICE-COM
   keyexchange=ikev1
   type=transport
   authby=secret
   ike=3des-sha1-modp1024
   rekey=no
   left=%any
   leftsourceip=%config
   leftprotoport=udp/l2tp
   right=vpn.office.com
   rightprotoport=udp/l2tp
   rightid=17.11.7.5
   rightsubnet=0.0.0.0/0
   auto=add



# ipsec up VPN-OFFICE-COM
initiating Main Mode IKE_SA VPN-OFFICE-COM[14] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [HIDDEN]
received unknown vendor ID: [HIDDEN]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN-OFFICE-COM[14] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N(([HIDDEN])) NAT-OA ]
received 28800s lifetime, configured 0s
no acceptable traffic selectors found
establishing connection 'VPN-OFFICE-COM' failed


# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.16.5-gentoo, x86_64):
uptime: 3 hours, since Apr 19 20:50:15 2015
malloc: sbrk [HIDDEN], mmap 0, used [HIDDEN], free [HIDDEN]
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon ldap mysql sqlite aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default socket-dynamic farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap xauth-pam dhcp lookip led unity

Listening IP addresses:
1.2.3.4
Connections:
VPN-OFFICE-COM: %any...vpn.office.com IKEv1
VPN-OFFICE-COM: local: [1.2.3.4] uses pre-shared key authentication
VPN-OFFICE-COM: remote: [17.11.7.5] uses pre-shared key authentication
VPN-OFFICE-COM: child: dynamic[udp/l2tp] === dynamic[udp/l2tp] TRANSPORT
Security Associations (1 up, 0 connecting):
VPN-OFFICE-COM[14]: ESTABLISHED 6 seconds ago, 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.

Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]

2015-04-18 Thread Stephen Feyrer

Hi Miroslav,

Thank you.  The conn section as presented below was copied and pasted from a web page for convenience (this stripped the leading white space from the conn section).  For the moment the white spaces are in the form of TAB characters.  I will test with space characters and complete this email.


I apologise for the lack of white space in the conn section of the email below.  I have now tested with both spaces and tabs, each producing the same error as below.



--
Kind regards

Stephen Feyrer.


On Sat, 18 Apr 2015 13:25:20 +0100, Miroslav Svoboda wrote:



Hi Stephen,

I believe the issue might be caused as the "conn" section is not compliant with the prescribed format. There should be at least one whitespace at the beginning of each line within the section. Only sections can and shall start at the first character of the line.


Supposed correction:
conn VPN-OFFICE-COM
  keyexchange=ikev1
  type=transport
  authby=secret
  ike=3des-sha1-modp1024
  rekey=no
  left=%defaultroute
  leftprotoport=udp/l2tp
  right=vpn.office.com
  rightprotoport=udp/l2tp
  rightid=17.11.7.5
  auto=add

Regards,
Miroslav

Message: 3
Date: Fri, 17 Apr 2015 14:08:57 +0100
From: "Stephen Feyrer" 
To: users@lists.strongswan.org
Subject: Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error,
   unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
Message-ID: 
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes

Hi Neol,

Thank you.  I have removed the file /etc/strongswan.d/VPN.conf

In /etc/ipsec.conf I have the same configuration.  At least there is
progress, unfortunately I am still baffled.  This is the previously
working configuration.

code:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
# strictcrlpolicy=yes
# uniqueids = no

conn VPN-OFFICE-COM
keyexchange=ikev1
type=transport
authby=secret
ike=3des-sha1-modp1024
rekey=no
left=%defaultroute
leftprotoport=udp/l2tp
right=vpn.office.com
rightprotoport=udp/l2tp
rightid=17.11.7.5
auto=add


Having restarted ipsec, I get the following result

code:

# ipsec up VPN-OFFICE-COM
initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN-OFFICE-COM[1] established between
1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID
NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID
N((24576)) NAT-OA ]
received 28800s lifetime, configured 0s
no acceptable traffic selectors found
establishing connection 'VPN-OFFICE-COM' failed



--
Kind regards


Stephen Feyrer
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]

2015-04-17 Thread Stephen Feyrer


Apologies!!!


Thank you, Noel!



--
Kind regards

Stephen Feyrer.


On Fri, 17 Apr 2015 14:08:57 +0100, Stephen Feyrer wrote:



Hi Neol,

Thank you.  I have removed the file /etc/strongswan.d/VPN.conf

In /etc/ipsec.conf I have the same configuration.  At least there is  
progress, unfortunately I am still baffled.  This is the previously  
working configuration.


code:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
 # strictcrlpolicy=yes
 # uniqueids = no

conn VPN-OFFICE-COM
keyexchange=ikev1
type=transport
authby=secret
ike=3des-sha1-modp1024
rekey=no
left=%defaultroute
leftprotoport=udp/l2tp
right=vpn.office.com
rightprotoport=udp/l2tp
rightid=17.11.7.5
auto=add


Having restarted ipsec, I get the following result

code:

# ipsec up VPN-OFFICE-COM
initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN-OFFICE-COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID NAT-OA NAT-OA ]

sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID N((24576)) NAT-OA ]

received 28800s lifetime, configured 0s
no acceptable traffic selectors found
establishing connection 'VPN-OFFICE-COM' failed






--
Kind regards


Stephen Feyrer


Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]

2015-04-17 Thread Stephen Feyrer

Hi Neol,

Thank you.  I have removed the file /etc/strongswan.d/VPN.conf

In /etc/ipsec.conf I have the same configuration.  At least there is  
progress, unfortunately I am still baffled.  This is the previously  
working configuration.


code:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
# strictcrlpolicy=yes
# uniqueids = no

conn VPN-OFFICE-COM
keyexchange=ikev1
type=transport
authby=secret
ike=3des-sha1-modp1024
rekey=no
left=%defaultroute
leftprotoport=udp/l2tp
right=vpn.office.com
rightprotoport=udp/l2tp
rightid=17.11.7.5
auto=add


Having restarted ipsec, I get the following result

code:

# ipsec up VPN-OFFICE-COM
initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN-OFFICE-COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID NAT-OA NAT-OA ]

sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID N((24576)) NAT-OA ]

received 28800s lifetime, configured 0s
no acceptable traffic selectors found
establishing connection 'VPN-OFFICE-COM' failed



--
Kind regards


Stephen Feyrer




On Fri, 17 Apr 2015 11:49:04 +0100, Noel Kuntze wrote:





Hello Stephen,

The configuration for the conns goes into /etc/ipsec.conf, not /etc/strongswan.d or /etc/strongswan.conf.
Only the plugin and logger configurations go into /etc/strongswan.d/ or /etc/strongswan.conf.


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 17.04.2015 um 12:27 schrieb Stephen Feyrer:

Hi,

I am hoping someone can help me.  At first this looks like a simple error but I don't think it is.


To put this into some context (you can ignore this paragraph if you're not interested):


A few months ago, I got my home PC (Gentoo Linux) set up to VPN into the office, which is a Windows environment.  Shortly after, I moved house and my phone line.  Only at that time my ISP had a fault on the phone line at my new house, so no internet connection.  Once the internet was resolved, the first thing I did was update my PC.  Next I found that my VPN was no longer working.  I was careful to look for messages that required configuration updates; I saw none for StrongSwan.





Code:

* Starting ...
/etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]

invalid config file '/etc/strongswan.conf'
Starting strongSwan 5.2.2 IPsec [starter]...



Code:

# ipsec up vpn.office.com
/etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]

invalid config file '/etc/strongswan.conf'
initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed
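As an added example (not code from this thread or from the strongSwan project), a small Python lint that separates the two config dialects the thread mixes up: Miroslav's point that ipsec.conf section bodies must be indented, and Noel's point that conn sections belong in /etc/ipsec.conf while /etc/strongswan.d/*.conf only accepts the strongswan.conf `key = value` / `name { }` syntax, which is why charon reports "unexpected NAME" on the first line of a conn file placed there. The sample configs are constructed, and the checks approximate the real parsers rather than reproduce them.

```python
import re

# Constructed samples modelled on the files quoted in the thread (not the real ones).
BAD_IPSEC_CONF = ("config setup\n# uniqueids = no\n\nconn VPN-OFFICE-COM\n"
                  "keyexchange=ikev1\ntype=transport\nauto=add\n")
GOOD_IPSEC_CONF = "conn VPN-OFFICE-COM\n  keyexchange=ikev1\n  type=transport\n"
MISPLACED_CONN = "conn VPN-OFFICE-COM\n  keyexchange=ikev1\n"  # as strongswan.d/VPN.conf
STRONGSWAN_CONF = ("charon {\n  load_modular = yes\n  plugins {\n"
                   "    include strongswan.d/charon/*.conf\n  }\n}\n"
                   "include strongswan.d/*.conf\n")

IPSEC_SECTION = re.compile(r"^(config|conn|ca)\s+\S+$")   # column-0 section header
SWAN_OPEN = re.compile(r"^\s*[\w.-]+\s*\{$")               # name {
SWAN_KEYVAL = re.compile(r"^\s*[\w.-]+\s*=")               # key = value
INCLUDE = re.compile(r"^\s*include\s+\S+$")
PARSER_MSG = "syntax error, unexpected NAME, expecting NEWLINE or '{' or '='"

def _code(raw):
    """Drop a trailing comment and trailing blanks; keep leading indentation."""
    return raw.split("#", 1)[0].rstrip()

def lint_ipsec_conf(text):
    """ipsec.conf dialect: headers start in column 0, body lines are indented.
    Returns a list of (line number, message)."""
    problems, in_section = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = _code(raw)
        if not line.strip() or INCLUDE.match(line):
            continue
        if IPSEC_SECTION.match(line):
            in_section = True
        elif not line[0].isspace():
            problems.append((n, "section body line must be indented"
                             if in_section else "unexpected unindented line"))
    return problems

def lint_strongswan_conf(text):
    """strongswan.conf dialect (also /etc/strongswan.d/*.conf): only 'name {',
    'key = value', '}' and include lines parse; anything else is the thread's error."""
    problems, depth = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = _code(raw)
        if not line.strip() or SWAN_KEYVAL.match(line) or INCLUDE.match(line):
            continue
        if SWAN_OPEN.match(line):
            depth += 1
        elif line.strip() == "}":
            depth -= 1
        else:
            problems.append((n, PARSER_MSG))
    if depth != 0:
        problems.append((0, "unbalanced braces"))
    return problems
```

Running `lint_ipsec_conf(BAD_IPSEC_CONF)` flags the three unindented body lines, and `lint_strongswan_conf(MISPLACED_CONN)` reports the same "unexpected NAME" complaint on line 1 that the starter printed for VPN.conf.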

[strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]

2015-04-17 Thread Stephen Feyrer

Hi,

I am hoping someone can help me.  At first this looks like a simple error but I don't think it is.


To put this into some context (you can ignore this paragraph if you're not interested):


A few months ago, I got my home PC (Gentoo Linux) set up to VPN into the office, which is a Windows environment.  Shortly after, I moved house and my phone line.  Only at that time my ISP had a fault on the phone line at my new house, so no internet connection.  Once the internet was resolved, the first thing I did was update my PC.  Next I found that my VPN was no longer working.  I was careful to look for messages that required configuration updates; I saw none for StrongSwan.





Code:

* Starting ...
/etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]

invalid config file '/etc/strongswan.conf'
Starting strongSwan 5.2.2 IPsec [starter]...



Code:

# ipsec up vpn.office.com
/etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]

invalid config file '/etc/strongswan.conf'
initiating Main Mode IKE_SA vpn.office.com[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA vpn.office.com[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID NAT-OA NAT-OA ]

sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID N(([Available On Request])) NAT-OA ]

received 28800s lifetime, configured 0s
no acceptable traffic selectors found
establishing connection 'vpn.office.com' failed



The only other issue of note is that the behaviour of NetworkManager appears to have changed during boot.  Previously, there was a 1 second wait; now that is gone.  I have searched the web for similar issues and found none.


The details of how my VPN came to be set up as it is are available here:
https://forums.gentoo.org/viewtopic-t-998042-postdays-0-postorder-asc-start-0.html


code:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
}

include strongswan.d/*.conf



code:

# strongswan.d/VPN.conf

conn VPN-OFFICE-COM
keyexchange=ikev1
type=transport
authby=secret
ike=3des-sha1-modp1024
rekey=no
left=%defaultroute
leftprotoport=udp/l2tp
right=vpn.office.com
rightprotoport=udp/l2tp
rightid=17.11.7.5
auto=add


At the time of writing I have just tried commenting out the whole of VPN.conf and then going line by line uncommenting, but now even with all the lines uncommented, I get this message.


code:

# ipsec up VPN-OFFICE-COM
/etc/strongswan.d/Xerox.conf:15: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [VPN-OFFICE-COM]

invalid config file '/etc/strongswan.conf'
no config named 'VPN-OFFICE-COM'


Please help!



--
Kind regards


Stephen Feyrer