Re: [strongSwan] Cannot pass the traffic through the established tunnel.

2018-04-06 Thread Sujoy

Thanks Noel for the reply. There are two issues:
1) I cannot pass normal traffic through the VPN tunnel, and 2) I want
to redirect all HTTP traffic through the established tunnel.

Following is the current iptables status.


@cloud:~$ sudo iptables-save

[sudo] password for kencloud_mlx:
# Generated by iptables-save v1.6.0 on Fri Apr  6 15:36:00 2018
*filter
:INPUT ACCEPT [2373595:1217217340]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2358742:1592362700]
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
COMMIT
# Completed on Fri Apr  6 15:36:00 2018
# Generated by iptables-save v1.6.0 on Fri Apr  6 15:36:00 2018
*nat
:PREROUTING ACCEPT [343961:24571900]
:INPUT ACCEPT [53423:7217944]
:OUTPUT ACCEPT [12732:772316]
:POSTROUTING ACCEPT [12732:772316]
-A PREROUTING -p tcp -m tcp --dport 26 -j DNAT --to-destination 172.25.12.42:80

COMMIT
# Completed on Fri Apr  6 15:36:00 2018



Thanks
Sujoy
On Thursday 05 April 2018 10:15 PM, Noel Kuntze wrote:

Hello Sujoy,

Do you mean to block all traffic that uses TCP port 80 (0.0.0.0/0[tcp/80]), but 
the traffic that is protected in an established tunnel?
Or do you mean to block everything but what is protected?

Kind regards

Noel

On 04.04.2018 10:58, Sujoy wrote:





[strongSwan] Cannot pass the traffic through the established tunnel.

2018-04-04 Thread Sujoy

Hi list members,

 I am facing one issue with Strongswan for quite a long time. I want to
block all the traffic (http) and pass only the traffic of the connected
network. But after so many tries, I still cannot do so. Below is the
configuration status of the server, which has multiple connections.
It will be a big help if someone can provide any solution to this.
Thanks for the support provided till now by the members.




root@cloud:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
  uptime: 19 hours, since Apr 03 18:02:13 2018
  malloc: sbrk 2703360, mmap 0, used 570192, free 2133168
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 12
  loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  172.25.12.42
Connections:
  tunnel:  %any...%any  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: uses pre-shared key authentication
  tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (2 up, 0 connecting):
  tunnel[6]: ESTABLISHED 66 minutes ago, 172.25.12.42[X.X.X.X]...223.227.10.138[192.168.1.100]
  tunnel[6]: IKEv2 SPIs: 1e596ccc27d7939a_i c459f660671c3952_r*, pre-shared key reauthentication in 101 minutes
  tunnel[6]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  tunnel{16}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cc167350_i c722bb0f_o
  tunnel{16}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
  tunnel{16}:   X.X.X.X/32 === 192.168.10.1/32
  tunnel[5]: ESTABLISHED 76 minutes ago, 172.25.12.42[X.X.X.X]...27.59.17.206[192.168.2.100]
  tunnel[5]: IKEv2 SPIs: 6bac8f644b19cf85_i 07c5f9254cda6720_r*, pre-shared key reauthentication in 90 minutes
  tunnel[5]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  tunnel{17}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c3015f13_i ce6ea6b8_o
  tunnel{17}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 36 minutes
  tunnel{17}:   X.X.X.X/32 === 192.168.10.1/32
--

Thanks
Sujoy
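Two checks a defender can run against the `ipsec statusall` output in this post, as an added example that is not from the thread or from strongSwan: which installed CHILD_SAs have carried no bytes, and whether a given source/destination pair actually falls inside the negotiated traffic selectors (the `tunnel{N}:` lines, not the configured `0.0.0.0/0 === 0.0.0.0/0` policy). The status text is constructed from the output above with 203.0.113.5 standing in for the masked X.X.X.X, and the second CHILD_SA's counters and remote selector are altered so the checks have something to distinguish.

```shell
#!/bin/sh
# Added example, not from the thread or from strongSwan. The status text is
# constructed from Sujoy's Apr 4 output: 203.0.113.5 stands in for the masked
# X.X.X.X, and the second CHILD_SA's counters and remote selector are altered so
# the two checks below have something to distinguish.
SAMPLE_STATUS=$(cat <<'EOF'
Listening IP addresses:
  172.25.12.42
Connections:
  tunnel:  %any...%any  IKEv2, dpddelay=30s
  tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (2 up, 0 connecting):
  tunnel[6]: ESTABLISHED 66 minutes ago, 172.25.12.42[203.0.113.5]...223.227.10.138[192.168.1.100]
  tunnel{16}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cc167350_i c722bb0f_o
  tunnel{16}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
  tunnel{16}:   203.0.113.5/32 === 192.168.10.1/32
  tunnel[5]: ESTABLISHED 76 minutes ago, 172.25.12.42[203.0.113.5]...27.59.17.206[192.168.2.100]
  tunnel{17}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c3015f13_i ce6ea6b8_o
  tunnel{17}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying in 36 minutes
  tunnel{17}:   203.0.113.5/32 === 192.168.2.0/24
EOF
)

# idle_child_sas TEXT: names of installed CHILD_SAs with 0 bytes in both
# directions, space separated on one line (empty if none). A CHILD_SA that is
# INSTALLED but never carries a byte is the signature of traffic that does not
# match its selectors.
idle_child_sas() {
  printf '%s\n' "$1" | awk '
    /bytes_i,/ && $3 == 0 && $5 == 0 { n = $1; sub(/:$/, "", n); printf "%s%s", sep, n; sep = " " }
    END { print "" }'
}

# flow_covered TEXT SRC DST: 0 if some installed CHILD_SA has a local selector
# containing SRC and a remote selector containing DST. Only "tunnel{N}:" lines
# are read; the "child:" line under Connections is the configured policy
# (0.0.0.0/0 here), not what IKE actually negotiated.
flow_covered() {
  printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
    function ip2int(ip,  a) { split(ip, a, "."); return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4] }
    # prefix comparison by integer division: POSIX awk has no bitwise operators
    function contains(cidr, ip,  p, bits, block) {
      split(cidr, p, "/"); bits = (p[2] == "") ? 32 : p[2] + 0
      block = 2 ^ (32 - bits)
      return int(ip2int(p[1]) / block) == int(ip2int(ip) / block)
    }
    $3 == "===" && index($1, "{") > 0 { if (contains($2, src) && contains($4, dst)) found = 1 }
    END { exit (found ? 0 : 1) }'
}

echo "idle CHILD_SAs: $(idle_child_sas "$SAMPLE_STATUS")"
# The gateway listens on 172.25.12.42, yet only 203.0.113.5/32 was negotiated as
# the local selector, so traffic sourced from 172.25.12.42 is not IPsec-protected.
for src in 203.0.113.5 172.25.12.42; do
  if flow_covered "$SAMPLE_STATUS" "$src" 192.168.10.1; then
    echo "$src -> 192.168.10.1: covered by an installed CHILD_SA"
  else
    echo "$src -> 192.168.10.1: matches no installed CHILD_SA"
  fi
done
```

When the counters stay at 0 bytes, comparing the installed selectors with the addresses the traffic really uses is the first thing to check; in the sample a flow from the gateway's own 172.25.12.42 is outside the negotiated /32.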


[strongSwan] No CHILD_SA tunnel{2} established with nat public IP

2018-03-13 Thread Sujoy

Hi All,

  I am facing an issue while establishing a tunnel through the NATed public
IP. When I connect to the same Strongswan server from the LAN I get
"CHILD_SA tunnel{2} established with SPIs cb7bd615_i c3fb87d7_o and TS
172.25.12.38/32 == 172.25.1.23/32". But from the public network the IKE_SA
tunnel is established but "CHILD_SA tunnel" is not displayed. Even during
the public IP tunneling, "ip route list table 220" gives no output on the
server. Due to that, traffic is also not passing.
The configuration file is the same for both clients. It will be a big help
if someone can provide any solution.



root@Device_BD2009:~# ipsec up tunnel
no files found matching '/etc/strongswan.d/*.conf'
initiating IKE_SA tunnel[1] to X.X.X.X
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
sending packet: from 192.168.1.100[500] to X.X.X.X[500] (1080 bytes)
received packet: from X.X.X.X[500] to 192.168.1.100[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of '192.168.1.100' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.100[4500] to X.X.X.X[4500] (332 bytes)
received packet: from X.X.X.X[4500] to 192.168.1.100[4500] (220 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
authentication of 'X.X.X.X' with pre-shared key successful
IKE_SA tunnel[1] established between 192.168.1.100[192.168.1.100]...X.X.X.X[X.X.X.X]
scheduling reauthentication in 10015s
maximum IKE_SA lifetime 10555s
connection 'tunnel' established successfully


config setup

    charondebug="all"
    uniqueids=no
    strictcrlpolicy=no
conn %default
conn tunnel #
   left=192.168.1.100
   leftsubnet=192.168.1.100/32
   right=X.X.X.X
   rightsubnet=X.X.X.X/32
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=60m
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=clear
   authby=psk
   auto=route
   keyexchange=ikev2
   type=tunnel
   mobike=no
   fragmentation=yes

--
Thanks in advance.


Re: [strongSwan] Traffic blocked through the tunnel

2018-03-09 Thread Sujoy
Thanks a lot for the information Noel. I have updated sysctl.conf
according to points 1 and 2.


root@mlxvpn:~# sysctl -p
net.ipv4.conf.enp3s0.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_no_pmtu_disc = 1

  Point 3. Verified the tunnel is established by "ipsec statusall" on
both ends. I checked the connection from the other systems, which can
ping and ssh/http.
The host which establishes the tunnel is not able to communicate with the
VPN server.

 #Nmap -Pn IP shows
All 1000 scanned ports on static-IP-ISP.co.in (IP) are filtered
Point 4. "10.0.0.1" is a sample IP. As I need to connect multiple devices
whose IPs are not fixed, I have set left/rightsubnet to 0.0.0.0/0.


config setup

    charondebug="all"
    uniqueids=no
    strictcrlpolicy=no
conn %default
conn tunnel #
   left=%any
   leftsubnet=0.0.0.0/0
   right=%any
   rightid=%any
   rightsubnet=0.0.0.0/0
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=60m
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=clear
   authby=psk
   auto=route
   keyexchange=ikev2
   type=tunnel
   mobike=no
   leftfirewall=yes
   fragmentation=yes

Thanks

On Friday 09 March 2018 07:31 PM, Noel Kuntze wrote:

Hi,

1) Make sure that net.ipv4.ip_forward=1 is set in sysctl (or just run `sysctl -w net.ipv4.ip_forward=1`, then it is set)
2) Make sure forwarding for the interfaces that are involved is enabled (net.ipv4.conf.$INTERFACE.forwarding=1)
3) How do you test the tunnel?
4) Do you have a route to 10.0.0.1?
5) There is only a route in table 220 if it's needed and route installation is enabled in strongswan.conf/charon.conf (the default).

Kind regards

Noel

On 09.03.2018 14:52, Sujoy wrote:


[strongSwan] Traffic blocked through the tunnel

2018-03-09 Thread Sujoy


Thanks Noel. As you replied, this is a new thread. I followed the below
forwarding and split tunneling link but cannot pass traffic through the
Strongswan tunnel.


https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Strongswan configuration details.

root@mlxvpn:~# ifconfig
enp3s0    Link encap:Ethernet  HWaddr 00:25:ab:98:12:d5
  inet addr:172.25.1.23  Bcast:172.25.255.255 Mask:255.255.0.0
  inet6 addr: fe80::c4eb:7e0f:2470:c1d2/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:281997 errors:0 dropped:1 overruns:0 frame:0
  TX packets:22052 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:29640846 (29.6 MB)  TX bytes:3714848 (3.7 MB)

lo    Link encap:Local Loopback
  inet addr:127.0.0.1  Mask:255.0.0.0
  inet6 addr: ::1/128 Scope:Host
  UP LOOPBACK RUNNING  MTU:65536  Metric:1
  RX packets:225 errors:0 dropped:0 overruns:0 frame:0
  TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1
  RX bytes:16397 (16.3 KB)  TX bytes:16397 (16.3 KB)

root@mlxvpn:~#
root@mlxvpn:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
  uptime: 3 hours, since Mar 09 13:29:26 2018
  malloc: sbrk 2703360, mmap 0, used 553856, free 2149504
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  172.25.1.23
Connections:
  tunnel:  %any...%any  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: uses pre-shared key authentication
  tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
  tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
  tunnel[3]: IKEv2 SPIs: 50985f5c83600bca_i 15196cba95370f18_r*, pre-shared key reauthentication in 61 minutes
  tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
  tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
  tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
root@mlxvpn:~#
root@mlxvpn:~# iptables-save
# Generated by iptables-save v1.6.0 on Fri Mar  9 17:17:25 2018
*nat
:PREROUTING ACCEPT [41820:3021162]
:INPUT ACCEPT [6196:914229]
:OUTPUT ACCEPT [16:1536]
:POSTROUTING ACCEPT [16:1536]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Fri Mar  9 17:17:25 2018
# Generated by iptables-save v1.6.0 on Fri Mar  9 17:17:25 2018
*mangle
:PREROUTING ACCEPT [90325:7771073]
:INPUT ACCEPT [54531:5654040]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10356:1527995]
:POSTROUTING ACCEPT [10360:1528611]
-A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

COMMIT
# Completed on Fri Mar  9 17:17:25 2018
root@mlxvpn:~#
root@mlxvpn:~# ip route list table 220
root@mlxvpn:~#

Thanks for the help.


Re: [strongSwan] ssh and http through IPSec

2018-03-09 Thread Sujoy

Hi Noel,

 I do appreciate your view; I am not able to pass traffic over the tunnel
after following the Forwarding and Split Tunneling link. Tried by
enabling the kernel-libipsec plugin also. Struggling with this issue for more
than a month now.


https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling


Below are the iptables and strongswan configuration details. Thanks for 
the help.


root@mlxvpn:~# ifconfig
enp3s0    Link encap:Ethernet  HWaddr 00:25:ab:98:12:d5
  inet addr:172.25.1.23  Bcast:172.25.255.255 Mask:255.255.0.0
  inet6 addr: fe80::c4eb:7e0f:2470:c1d2/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:281997 errors:0 dropped:1 overruns:0 frame:0
  TX packets:22052 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:29640846 (29.6 MB)  TX bytes:3714848 (3.7 MB)

lo    Link encap:Local Loopback
  inet addr:127.0.0.1  Mask:255.0.0.0
  inet6 addr: ::1/128 Scope:Host
  UP LOOPBACK RUNNING  MTU:65536  Metric:1
  RX packets:225 errors:0 dropped:0 overruns:0 frame:0
  TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1
  RX bytes:16397 (16.3 KB)  TX bytes:16397 (16.3 KB)

root@mlxvpn:~#
root@mlxvpn:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
  uptime: 3 hours, since Mar 09 13:29:26 2018
  malloc: sbrk 2703360, mmap 0, used 553856, free 2149504
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  172.25.1.23
Connections:
  tunnel:  %any...%any  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: uses pre-shared key authentication
  tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
  tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
  tunnel[3]: IKEv2 SPIs: 50985f5c83600bca_i 15196cba95370f18_r*, pre-shared key reauthentication in 61 minutes
  tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
  tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
  tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
root@mlxvpn:~#
root@mlxvpn:~# iptables-save
# Generated by iptables-save v1.6.0 on Fri Mar  9 17:17:25 2018
*nat
:PREROUTING ACCEPT [41820:3021162]
:INPUT ACCEPT [6196:914229]
:OUTPUT ACCEPT [16:1536]
:POSTROUTING ACCEPT [16:1536]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Fri Mar  9 17:17:25 2018
# Generated by iptables-save v1.6.0 on Fri Mar  9 17:17:25 2018
*mangle
:PREROUTING ACCEPT [90325:7771073]
:INPUT ACCEPT [54531:5654040]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10356:1527995]
:POSTROUTING ACCEPT [10360:1528611]
-A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

COMMIT
# Completed on Fri Mar  9 17:17:25 2018
root@mlxvpn:~#
root@mlxvpn:~# ip route list table 220
root@mlxvpn:~#

Thanks

On Thursday 08 March 2018 04:07 PM, Noel Kuntze wrote:

Hi,

Don't answer existing threads if you want to talk about new things. Send a 
completely new mail to the list, otherwise you get shit like this with 
different topics under a single thread and that makes it unnecessarily 
difficult and ugly to handle in mail clients.
Take a look at the article about help requests[1]. I'm sure you can figure it 
out by yourself (hint: It's likely your rules in *nat).

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

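A defender's self-check for points 1 and 2 of Noel's list and for his hint about the rules in *nat, as an added example that is not from the thread, the strongSwan wiki or the project: it verifies forwarding in `sysctl` output, emits an iptables-restore ruleset built on the `-m policy` match Sujoy's own rules already use (forwarding and tcp/80 only for IPsec-protected packets), and lints the nat table so the IPsec exemption precedes any MASQUERADE. enp3s0 and the sysctl lines are taken from Sujoy's output; the MASQUERADE and conntrack rules are assumptions for a gateway that also NATs, and the other rulesets are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from strongSwan. Interface name and the
# sysctl lines come from Sujoy's output; MASQUERADE and conntrack rules are assumed
# for a gateway that also NATs. Feed the generated ruleset to iptables-restore yourself.

# check_forwarding TEXT IFACE: points 1 and 2 of Noel's list. TEXT is "key = value"
# output such as `sysctl -p` prints. Returns 0 only if ip_forward is 1 and
# forwarding is enabled on IFACE (or on "all").
check_forwarding() {
  local text="$1" iface="$2" rc=0
  printf '%s\n' "$text" | grep -qx 'net.ipv4.ip_forward = 1' \
    || { echo "point 1: net.ipv4.ip_forward is not 1"; rc=1; }
  printf '%s\n' "$text" | grep -qxE "net.ipv4.conf.($iface|all).forwarding = 1" \
    || { echo "point 2: forwarding is not enabled on $iface"; rc=1; }
  return $rc
}

# gateway_rules IFACE: iptables-restore ruleset built on the -m policy match.
# Plain-text forwarding is refused (FORWARD policy DROP), tcp/80 is accepted only
# when it arrived inside an IPsec SA, and the IPsec exemption in *nat sits before
# MASQUERADE; otherwise NAT rewrites the source address and the packet no longer
# matches the negotiated traffic selector.
gateway_rules() {
  local iface="$1"
  cat <<EOF
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o $iface -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p tcp --dport 80 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p tcp --dport 80 -j DROP
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
EOF
}

# nat_exemption_first < RULESET: 0 if, inside *nat, the "--pol ipsec -j ACCEPT"
# exemption comes before the first MASQUERADE/SNAT rule (or there is no NAT rule).
nat_exemption_first() {
  awk '
    /^\*/                                             { table = $1 }
    table == "*nat" && /--pol ipsec -j ACCEPT/ && !p  { p = NR }
    table == "*nat" && /-j (MASQUERADE|SNAT)/ && !m   { m = NR }
    END { exit !(m == 0 || (p && p < m)) }'
}

# Sujoy's `sysctl -p` output, and a constructed variant with forwarding off.
SYSCTL_OK='net.ipv4.conf.enp3s0.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_no_pmtu_disc = 1'
SYSCTL_BAD='net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0'
# Constructed *nat table with the exemption in the wrong place (after MASQUERADE).
BAD_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp3s0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

check_forwarding "$SYSCTL_OK" enp3s0 && echo "sysctl: forwarding ok"
check_forwarding "$SYSCTL_BAD" enp3s0 || echo "sysctl: fix forwarding before touching iptables"
gateway_rules enp3s0 | nat_exemption_first && echo "generated ruleset: IPsec exemption precedes NAT"
printf '%s\n' "$BAD_NAT" | nat_exemption_first || echo "BAD_NAT: MASQUERADE runs before the IPsec exemption"
```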

Re: [strongSwan] ssh and http through IPSec

2018-03-07 Thread Sujoy

Hi Jafar,

I am not getting any output from "ip route list table 220" while the
tunnel is established. And it is not allowing any type of traffic. Any
idea what the issue could be?



[root@VPNTEST ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.0-693.11.6.el7.x86_64, x86_64):
  uptime: 8 minutes, since Mar 07 17:00:51 2018
  malloc: sbrk 2568192, mmap 0, used 403312, free 2164880
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  172.25.1.23
Connections:
  tunnel:  %any...%any  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: uses pre-shared key authentication
  tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  tunnel[2]: ESTABLISHED 27 seconds ago, 172.25.1.23[X.X.X.X]...106.216.163.71[192.168.10.40]
  tunnel[2]: IKEv2 SPIs: f8417e08c414c0ee_i a8648d0d206c_r*, rekeying disabled
  tunnel[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  tunnel{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c06d3ac1_i cd4c518b_o
  tunnel{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
  tunnel{3}:   X.X.X.X/32 === 192.168.10.40/32
[root@VPNTEST ~]#
[root@VPNTEST ~]# ip route list table 220
[root@VPNTEST ~]#


[root@VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination
ACCEPT udp  --  anywhere anywhere udp dpt:isakmp
ACCEPT udp  --  anywhere anywhere udp dpt:ipsec-nat-t
ACCEPT esp  --  anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination
[root@VPNTEST ~]#



Thanks

On Tuesday 06 March 2018 10:46 AM, Sujoy wrote:


Re: [strongSwan] ssh and http through IPSec

2018-03-05 Thread Sujoy

Hi Jafar,

  Thanks for the information. The ping stops as soon as the tunnel
is established to the right IP of the client. I cannot
ping/ssh/http (wget/curl) to the IPsec VPN server. It is the same IP
address where the tunnel terminates.



Server configuration

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no
conn %default
conn tunnel #
   left=%any
   leftsubnet=0.0.0.0/0
   right=%any
   rightsubnet=0.0.0.0/0
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=20
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=restart
   authby=psk
   auto=start
   keyexchange=ikev2
   type=tunnel
   mobike=no

Client output

root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
  uptime: 25 seconds, since Mar 06 13:00:41 2018
  malloc: sbrk 196608, mmap 0, used 163488, free 33120
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 17
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fd70:5f2:3744::1
Connections:
  tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
  tunnel:   child:  dynamic === X.X.X.X/X TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  tunnel[1]: ESTABLISHED 23 seconds ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
  tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i* 485e938bf49b2110_r, pre-shared key reauthentication in 2 hours
  tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c25c0775_i c559455b_o
  tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying active
  tunnel{21}:   192.168.20.100/32 === X.X.X.X/32


Thanks

On Monday 05 March 2018 09:58 PM, Jafar Al-Gharaibeh wrote:

Hi Sujoy,

  Can you ping the server's IP address that you want to ssh to?
  Is that the same IP address where the tunnel terminates: the "right"
address on the client side?


--Jafar


On 3/5/2018 12:31 AM, Sujoy wrote:


Re: [strongSwan] ssh and http through IPSec

2018-03-04 Thread Sujoy

Hi Christopher,


 Thanks for the response. I want to access the CentOS IPSec server,
which has tunneling enabled, from another system through SSH.
In the meantime the other OpenWRT client should also be able to curl/wget
through the tunnel. Both SSH and HTTP fail while the tunnel is established.



Tried with the following but it doesn't work.
https://wiki.strongswan.org/issues/2351
https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan


Thanks
Sujoy


On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:

Hi Sujoy,

Do you route all traffic through the ipsec tunnel at the moment?

Or is your goal to access the CentOS sever through ipsec?

Cheers,

Christopher

On Mar 5, 2018 07:05, Sujoy <sujo...@mindlogicx.com> wrote:

Hi Jafar,

 I have successfully established a connection with tunneling between an
OpenWRT client and CentOS as the StrongSwan server. Now I am facing
one issue: how to enable SSH and HTTP through the IPSec tunnel in
StrongSwan.



Thanks
Sujoy

On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:

Sujoy,

You have to send me the logs from both ends. It is hard to
know what is the problem with no logs.

--Jafar

On 2/21/2018 8:58 AM, Sujoy wrote:

Thanks Jafar, for giving this information. Please let me
know if anything else is required. The client OS is
Openwrt, so no logs are available.


*Server Config*

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no
conn %default
conn tunnel #
   left=%any
   right=%any
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=20
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=restart
   authby=psk
   auto=start
   keyexchange=ikev2
   type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXX"



[host@VPNTEST ~]# firewall-cmd --list-all
FirewallD is not running
[host@VPNTEST ~]# sestatus
SELinux status: disabled
[host@VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



*Client config and status*

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no
conn %default
conn tunnel #
   left=%any
   #right=192.168.10.40
   right=182.156.253.59
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=20
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=restart
   authby=psk
   auto=start
   keyexchange=ikev2
   type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXX"


root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
  uptime: 22 minutes, since Feb 21 14:31:43 2018
  malloc: sbrk 196608, mmap 0, used 157560, free 39048
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fd70:5f2:3744::1
Connections:
  tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
  tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (1

[strongSwan] ssh and http through IPSec

2018-03-04 Thread Sujoy

Hi Jafar,

 I have successfully establish connection with tunneling between 
OpenWRT client and CentOS as StrongSwan server. Now I am facing one 
issue. How to enable ssh and http through IPSec tunnel in StrongSwan.




Thanks
Sujoy

On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:

Sujoy,

You have to send me the logs from both ends. It is hard to know what 
is the problem with no logs.


--Jafar

On 2/21/2018 8:58 AM, Sujoy wrote:


Thanks Jafar, for giving this information. Please let me know if 
anything else is required. The client OS is Openwrt, so no logs are 
available.



*Server Config*

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no
conn %default
conn tunnel #
   left=%any
   right=%any
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=20
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=restart
   authby=psk
   auto=start
   keyexchange=ikev2
   type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXX"



[host@VPNTEST ~]# firewall-cmd --list-all
FirewallD is not running
[host@VPNTEST ~]# sestatus
SELinux status: disabled
[host@VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination



*Client config and status*

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no
conn %default
conn tunnel #
   left=%any
   #right=192.168.10.40
   right=182.156.253.59
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=20
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=restart
   authby=psk
   auto=start
   keyexchange=ikev2
   type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXX"


root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
  uptime: 22 minutes, since Feb 21 14:31:43 2018
  malloc: sbrk 196608, mmap 0, used 157560, free 39048
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 5
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey 
sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr 
kernel-netlink resolve socket-default stroke updown eap-identity 
eap-md5 xauth-generic

Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fd70:5f2:3744::1
Connections:
  tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
  tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  tunnel[1]: ESTABLISHED 22 minutes ago, 
192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
  tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, 
pre-shared key reauthentication in 2 hours
  tunnel[1]: IKE proposal: 
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048




On Tuesday 20 February 2018 09:20 PM, Jafar Al-Gharaibeh wrote:

Sujoy,

   It is really hard to help you if you don't give us full information 
and only send us one picture at a time. Please use text files; they 
are easier to navigate than screenshots. Your last question below 
is a repeat of a question that I answered before. If you want a 
proper diagnosis of the problem, please send the configuration 
files, logs, and routing tables at both ends. See 8 at:


https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

Make sure to increase the debug level in your ipsec.conf files at 
both ends, something like:


config setup
   charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"



Regards,
Jafar


On 2/20/2018 8:00 AM, Sujoy wrote:

Hi Jafar,

I am able to establish the tunnel when I try to connect from the LAN IP. 
But with the same configuration (firewall settings) and the same OS version 
it failed to establish the tunnel with the *NATed public IP*.


What does "failed to establish CHILD_SA, keeping IKE_SA" mean? 
Please let me know if you have any idea regarding this issue.










Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-08 Thread Sujoy

Hi Jafar/Noel,

What does "received TS_UNACCEPTABLE notify, no CHILD_SA built [IKE] 
failed to establish CHILD_SA, keeping IKE_SA" mean? The same error comes in the 
newly installed Linux also.



root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]

sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (464 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) N(MULT_AUTH) ]

remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr 
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) 
N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]

sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (368 bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] (160 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) 
N(TS_UNACCEPT) ]

authentication of '192.168.10.40' with pre-shared key successful
IKE_SA tunnel[1] established between 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]

scheduling rekeying in 2642s
maximum IKE_SA lifetime 3182s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
peer supports MOBIKE
establishing connection 'tunnel' failed



Feb  9 11:55:44 localhost charon: 14[NET] sending packet: from 
192.168.10.38[4500] to 192.168.10.40[4500] (368 bytes)
Feb  9 11:55:44 localhost charon: 16[NET] received packet: from 
192.168.10.40[4500] to 192.168.10.38[4500] (160 bytes)
Feb  9 11:55:44 localhost charon: 16[ENC] parsed IKE_AUTH response 1 [ 
IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
Feb  9 11:55:44 localhost charon: 16[IKE] authentication of 
'192.168.10.40' with pre-shared key successful
Feb  9 11:55:44 localhost charon: 16[IKE] IKE_SA tunnel[1] established 
between 192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]

Feb  9 11:55:44 localhost charon: 16[IKE] scheduling rekeying in 2642s
Feb  9 11:55:44 localhost charon: 16[IKE] maximum IKE_SA lifetime 3182s
Feb  9 11:55:44 localhost charon: 16[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
Feb  9 11:55:44 localhost charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA

Feb  9 11:55:44 localhost charon: 16[IKE] peer supports MOBIKE


Thanks
On Friday 09 February 2018 11:21 AM, Sujoy wrote:


Thanks Jafar, for the update. But after setting up without subnet and 
"type=tunnel or transport" it shows the same error "failed to 
establish CHILD_SA, keeping IKE_SA". What could the issue be?



Thanks

On Friday 09 February 2018 01:53 AM, Jafar Al-Gharaibeh wrote:

Sujoy,

  Just to make sure everything is working OK. Try setting:

    left=192.168.10.40
    right=192.168.10.38

and

    left=192.168.10.38
    right=192.168.10.40

Comment out left/rightsubnet configs. They should default to the same 
IP addresses as left/right.


--Jafar


On 2/8/2018 12:26 AM, Sujoy wrote:
Hi Jafar,

The peer is also using strongswan 5.3.3. Following is the 
configuration. We need a tunnel because once it is connected in the LAN we 
want to implement it over the WAN/Internet. Output of 192.168.10.40 is 
below.


config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.38
    rightsubnet=192.168.10.38/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=psk
    auto=route
    keyexchange=ikev2
    type=tunnel

root@server:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 
4.4.0-112-generic, x86_64):

  uptime: 114 minutes, since Feb 08 09:58:49 2018
  malloc: sbrk 2703360, mmap 0, used 513168, free 2190192
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
scheduled: 5
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 
pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac 
curl attr kernel-netlink resolve socket-default stroke updown 
xauth-generic

Listening IP addresses:
  192.168.10.40
  10.8.0.1
Connections:
  tunnel:  %any...192.168.10.38  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [192.168.10.38] uses pre-shared key 
authentication
  tunnel:   child:  dynamic === 192.168.10.0/24 TUNNEL, 
dpdaction=restart

Securi

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-08 Thread Sujoy
Thanks Jafar, for the update. But after setting up without subnet and 
"type=tunnel or transport" it shows the same error "failed to establish 
CHILD_SA, keeping IKE_SA". What could the issue be?



Thanks

On Friday 09 February 2018 01:53 AM, Jafar Al-Gharaibeh wrote:

Sujoy,

  Just to make sure everything is working OK. Try setting:

    left=192.168.10.40
    right=192.168.10.38

and

    left=192.168.10.38
    right=192.168.10.40

Comment out left/rightsubnet configs. They should default to the same 
IP addresses as left/right.


--Jafar


On 2/8/2018 12:26 AM, Sujoy wrote:
Hi Jafar,

The peer is also using strongswan 5.3.3. Following is the 
configuration. We need a tunnel because once it is connected in the LAN we 
want to implement it over the WAN/Internet. Output of 192.168.10.40 is 
below.


config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.38
    rightsubnet=192.168.10.38/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=psk
    auto=route
    keyexchange=ikev2
    type=tunnel

root@server:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 
4.4.0-112-generic, x86_64):

  uptime: 114 minutes, since Feb 08 09:58:49 2018
  malloc: sbrk 2703360, mmap 0, used 513168, free 2190192
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
scheduled: 5
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 
pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl 
attr kernel-netlink resolve socket-default stroke updown xauth-generic

Listening IP addresses:
  192.168.10.40
  10.8.0.1
Connections:
  tunnel:  %any...192.168.10.38  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [192.168.10.38] uses pre-shared key 
authentication
  tunnel:   child:  dynamic === 192.168.10.0/24 TUNNEL, 
dpdaction=restart

Security Associations (1 up, 0 connecting):
  tunnel[3]: ESTABLISHED 25 minutes ago, 
192.168.10.40[192.168.10.40]...192.168.10.38[192.168.10.38]
  tunnel[3]: IKEv2 SPIs: c1a42433ade9fa28_i a52cfea6d767c397_r*, 
pre-shared key reauthentication in 24 minutes
  tunnel[3]: IKE proposal: 
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048




Thanks

On Wednesday 07 February 2018 09:06 PM, Jafar Al-Gharaibeh wrote:



On 2/7/2018 9:22 AM, Sujoy wrote:


Thanks Jafar, for the reply. But after removing the subnet from the 
config, tunneling still failed. Is there any issue with the version 
of strongswan 5.3.3? What does "TS_UNACCEPTABLE notify, no 
CHILD_SA built" mean?


"TS_UNACCEPTABLE notify" means the peer didn't like the proposed 
traffic selector. The log shows that your IKE SA is up, so you 
don't have a problem there. I can't tell you what your rightsubnet 
should be unless you tell us more about the setup you have. What is 
your peer running? Is it also strongSwan?


If you only want to encrypt traffic from 192.168.10.38 to 
192.168.10.40 and you don't have other subnets/hosts, you can switch 
the connection type to transport mode ("type=transport"). Both sides 
must agree on this. Transport mode doesn't require left/rightsubnets.


--Jafar



config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=route
    keyexchange=ikev2
    type=tunnel


root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) 
N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (448 
bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (456 
bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) N(MULT_AUTH) ]

remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi 
TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] 
(348 bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] 
(156 bytes)
parsed IKE_AUTH response 1 

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-07 Thread Sujoy
Hi Jafar,

The peer is also using strongswan 5.3.3. Following is the 
configuration. We need a tunnel because once it is connected in the LAN we 
want to implement it over the WAN/Internet. Output of 192.168.10.40 is below.


config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.38
    rightsubnet=192.168.10.38/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=psk
    auto=route
    keyexchange=ikev2
    type=tunnel

root@server:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 4.4.0-112-generic, 
x86_64):

  uptime: 114 minutes, since Feb 08 09:58:49 2018
  malloc: sbrk 2703360, mmap 0, used 513168, free 2190192
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
scheduled: 5
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 
pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr 
kernel-netlink resolve socket-default stroke updown xauth-generic

Listening IP addresses:
  192.168.10.40
  10.8.0.1
Connections:
  tunnel:  %any...192.168.10.38  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [192.168.10.38] uses pre-shared key authentication
  tunnel:   child:  dynamic === 192.168.10.0/24 TUNNEL, 
dpdaction=restart

Security Associations (1 up, 0 connecting):
  tunnel[3]: ESTABLISHED 25 minutes ago, 
192.168.10.40[192.168.10.40]...192.168.10.38[192.168.10.38]
  tunnel[3]: IKEv2 SPIs: c1a42433ade9fa28_i a52cfea6d767c397_r*, 
pre-shared key reauthentication in 24 minutes
  tunnel[3]: IKE proposal: 
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048




Thanks

On Wednesday 07 February 2018 09:06 PM, Jafar Al-Gharaibeh wrote:



On 2/7/2018 9:22 AM, Sujoy wrote:


Thanks Jafar, for the reply. But after removing the subnet from the 
config, tunneling still failed. Is there any issue with the version of 
strongswan 5.3.3? What does "TS_UNACCEPTABLE notify, no CHILD_SA built" mean?


"TS_UNACCEPTABLE notify" means the peer didn't like the proposed 
traffic selector. The log shows that your IKE SA is up, so you don't 
have a problem there. I can't tell you what your rightsubnet should be 
unless you tell us more about the setup you have. What is your peer 
running? Is it also strongSwan?


If you only want to encrypt traffic from 192.168.10.38 to 
192.168.10.40 and you don't have other subnets/hosts, you can switch 
the connection type to transport mode ("type=transport"). Both sides 
must agree on this. Transport mode doesn't require left/rightsubnets.


--Jafar



config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=route
    keyexchange=ikev2
    type=tunnel


root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) ]

sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (448 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (456 
bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) N(MULT_AUTH) ]

remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi 
TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (348 
bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] (156 
bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) 
N(ADD_4_ADDR) N(TS_UNACCEPT) ]

authentication of '192.168.10.40' with pre-shared key successful
IKE_SA tunnel[1] established between 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]

scheduling reauthentication in 2819s
maximum IKE_SA lifetime 3359s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
received AUTH_LIFETIME of 2637s, scheduling reauthentication in 2097s
peer supports MOBIKE
establishing connection 'tunnel' failed


root@client:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3

Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

2018-02-07 Thread Sujoy
Thanks Jafar, for the reply. But after removing the subnet from the config, 
tunneling still failed. Is there any issue with the version of strongswan 
5.3.3? What does "TS_UNACCEPTABLE notify, no CHILD_SA built" mean?



config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=route
    keyexchange=ikev2
    type=tunnel


root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) ]

sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (448 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
N(HASH_ALG) N(MULT_AUTH) ]

remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr 
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) 
N(EAP_ONLY) ]

sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (348 bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] (156 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) 
N(ADD_4_ADDR) N(TS_UNACCEPT) ]

authentication of '192.168.10.40' with pre-shared key successful
IKE_SA tunnel[1] established between 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]

scheduling reauthentication in 2819s
maximum IKE_SA lifetime 3359s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
received AUTH_LIFETIME of 2637s, scheduling reauthentication in 2097s
peer supports MOBIKE
establishing connection 'tunnel' failed


root@client:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 4.4.0-112-generic, x86_64):

  uptime: 2 minutes, since Feb 07 20:44:23 2018
  malloc: sbrk 2703360, mmap 0, used 519600, free 2183760
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
scheduled: 4
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 
pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr 
kernel-netlink resolve socket-default stroke updown xauth-generic

Listening IP addresses:
  192.168.10.38
  192.168.3.107

Connections:
  tunnel:  %any...192.168.10.40  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [192.168.10.40] uses pre-shared key authentication
  tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  tunnel[1]: ESTABLISHED 2 minutes ago, 
192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]
  tunnel[1]: IKEv2 SPIs: 175dcf9cdcf11b38_i* 9cc05896738a5e45_r, 
pre-shared key reauthentication in 32 minutes
  tunnel[1]: IKE proposal: 
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048


Thanks

On Wednesday 07 February 2018 08:31 PM, Jafar Al-Gharaibeh wrote:

Sujoy,

  Are you sure about

   rightsubnet=192.168.10.0/32

 This subnet gets you nothing unless you know that it has a special 
meaning in the config that I'm not aware of. You can have the least 
significant octet set to zero with a 32-bit netmask. What is the 
rightsubnet that you are trying to protect? Is it all 192.168.10.0/24? 
Or just one host like 192.168.10.100?


--Jafar



On 2/7/2018 12:44 AM, Sujoy wrote:


Hi Noel,

Still cannot establish the tunnel. The logs don't show anything. Can 
someone help to solve this?


Client configuration

config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    rightsubnet=192.168.10.0/32
    ike=aes128-md5-modp1536
    esp=aes128-sha1
    keyingtries=%forever
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    #dpdaction=restart
    authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel
    mobike=no
    #pfs=no
    reauth=no

Server setup

config setup

    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn %default
conn tunnel #
    left=%any
    right=192.168.10.40
    rightsubnet=192.168.10.0/32
    ike=aes128-md5-modp1536
    esp=aes128-sha1
    keyingtries=%forever
    ikelifetime

[strongSwan] Tunneling failed with AES_CBC_256 algorithm

2018-01-30 Thread Sujoy

Hi Noel/Team,

Need help to resolve the following issue with tunneling. The connection is 
established but tunneling failed.



root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
  uptime: 5 hours, since Jan 30 12:40:15 2018
  malloc: sbrk 184320, mmap 0, used 161168, free 23152
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
scheduled: 4
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 
pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-libipsec 
kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 
xauth-generic

Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fde6:8bab:cfa4::1
Connections:
  tunnel:  %any...192.168.10.38  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [192.168.10.38] uses pre-shared key authentication
  tunnel:   child:  dynamic === 192.168.10.0/24 TUNNEL, 
dpdaction=restart

Security Associations (1 up, 0 connecting):
  tunnel[3]: ESTABLISHED 48 seconds ago, 
192.168.10.1[192.168.10.1]...192.168.10.38[192.168.10.38]
  tunnel[3]: IKEv2 SPIs: 60459905871e3dee_i* 36a77bd6f87a1841_r, 
pre-shared key reauthentication in 38 minutes
  tunnel[3]: IKE proposal: 
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

root@Device_BD2009:~#

root@Device_BD2009:~# ipsec up tunnel
no files found matching '/etc/strongswan.d/*.conf'
establishing CHILD_SA tunnel
generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
sending packet: from 192.168.10.1[4500] to 192.168.10.38[4500] (188 bytes)
received packet: from 192.168.10.38[4500] to 192.168.10.1[4500] (188 bytes)
parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
failed to create ESP context: unsupported integrity algorithm UNDEFINED
failed to create SAD entry
failed to create ESP context: unsupported integrity algorithm UNDEFINED
failed to create SAD entry
unable to install inbound and outbound IPsec SA (SAD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
sending DELETE for ESP CHILD_SA with SPI c9c86396
generating INFORMATIONAL request 4 [ D ]
sending packet: from 192.168.10.1[4500] to 192.168.10.38[4500] (76 bytes)
received packet: from 192.168.10.38[4500] to 192.168.10.1[4500] (76 bytes)
parsed INFORMATIONAL response 4 [ D ]
establishing connection 'tunnel' failed
root@Device_BD2009:~#


Thanks & Regards
Sujoy

On Tuesday 16 January 2018 11:23 PM, Noel Kuntze wrote:

Hi,

Check the logs of the remote side.
It means the remote peer did not like the proposed traffic selector. It was 
probably outside of the network range that its own configuration allows, 
meaning narrowing failed.

Kind regards

Noel


On 16.01.2018 07:25, Sujoy wrote:

Hi Noel,

The same strongswan 5.3.3 configuration is working from my VM (client) to the desktop server. 
But it is not working from my OpenWRT to the NATed Linux server on a global IP. Can you 
help me to solve this?

What does "received TS_UNACCEPTABLE notify, no CHILD_SA built" mean?

Server config file.




Thanks & Regards

Sujoy

On Thursday 04 January 2018 03:38 AM, Noel Kuntze wrote:

Hi,

Only on the responder.
If you use dpd and enforce UDP encapsulation, you do not need to open any ports 
on the initiator side.
Refer to the UsableExamples wiki page[1] for example configurations that are 
usable in the real world.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

On 28.12.2017 08:51, Sujoy wrote:

Hi All,


We want to implement StrongSwan with IPsec in OpenWRT. The IPSec server will be 
running in CentOS and the OpenWRT router will connect to it using VPN. I have 
configured the server part and am struggling to configure the client part. Do we need 
to open port 4500 for this first?

Can anyone suggest a solution for this?
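As an added illustration of the TS_UNACCEPTABLE condition Noel and Jafar explain in this thread (not code from the thread or from strongSwan), the following Python models how an IKEv2 responder narrows the traffic selectors an initiator proposes against its own policy, using the two addresses quoted above; the rightsubnet=192.168.10.0/32 setting Jafar questioned appears as a selector that can never overlap the initiator. The scenario names and policy tables are constructed, and ports and protocols are left out.

```python
"""Simplified IKEv2 traffic-selector (TS) narrowing, RFC 7296 section 2.9.

Added illustration, not strongSwan's own code. A responder compares the
selectors an initiator proposes (TSi = initiator side, TSr = responder
side) with its configured policy. Each selector is narrowed to its overlap
with the policy; if either overlap is empty the responder answers
TS_UNACCEPTABLE, no CHILD_SA is built and the IKE_SA stays up, which is
the log line this thread is about. Only address ranges are modelled.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network
from typing import Dict, Optional, Tuple, Union

TS_UNACCEPTABLE = "TS_UNACCEPTABLE"


@dataclass(frozen=True)
class AddrRange:
    """One TS_IPV4_ADDR_RANGE: inclusive start..end."""
    start: IPv4Address
    end: IPv4Address

    @classmethod
    def from_cidr(cls, cidr: str) -> "AddrRange":
        # strict=False masks host bits, so 192.168.10.38/24 (as written in
        # the thread) is treated as 192.168.10.0/24.
        net = ip_network(cidr, strict=False)
        return cls(net.network_address, net.broadcast_address)

    def intersect(self, other: "AddrRange") -> Optional["AddrRange"]:
        lo, hi = max(self.start, other.start), min(self.end, other.end)
        return AddrRange(lo, hi) if lo <= hi else None

    def __str__(self) -> str:
        return f"{self.start}" if self.start == self.end else f"{self.start}-{self.end}"


def selector(addr: str, subnet: Optional[str]) -> AddrRange:
    """ipsec.conf semantics: with no left/rightsubnet the selector is
    'dynamic', i.e. that peer's own address as a /32."""
    return AddrRange.from_cidr(subnet if subnet else f"{addr}/32")


def responder_narrow(tsi: AddrRange, tsr: AddrRange, policy_remote: AddrRange,
                     policy_local: AddrRange) -> Union[Tuple[AddrRange, AddrRange], str]:
    """Responder view: TSi must overlap our remote policy, TSr our local one."""
    n_tsi = tsi.intersect(policy_remote)
    n_tsr = tsr.intersect(policy_local)
    if n_tsi is None or n_tsr is None:
        return TS_UNACCEPTABLE
    return (n_tsi, n_tsr)


def negotiate(initiator: Dict[str, str], responder: Dict[str, str]) -> Union[Tuple[str, str], str]:
    """Each config uses ipsec.conf keys from its own point of view
    (left = self, right = peer). Returns (TSi, TSr) as strings or TS_UNACCEPTABLE."""
    tsi = selector(initiator["left"], initiator.get("leftsubnet"))
    tsr = selector(initiator["right"], initiator.get("rightsubnet"))
    local = selector(responder["left"], responder.get("leftsubnet"))
    remote = selector(responder["right"], responder.get("rightsubnet"))
    result = responder_narrow(tsi, tsr, remote, local)
    if result == TS_UNACCEPTABLE:
        return TS_UNACCEPTABLE
    return str(result[0]), str(result[1])


CLIENT = "192.168.10.38"   # initiator address quoted in the thread
SERVER = "192.168.10.40"   # responder address quoted in the thread


# Case 1: host-to-host with no subnets (Jafar's suggestion). Both sides use
# the peer addresses as /32, so nothing needs narrowing.
def case_host_to_host():
    return negotiate({"left": CLIENT, "right": SERVER},
                     {"left": SERVER, "right": CLIENT})


# Case 2: the responder's rightsubnet=192.168.10.0/32 covers only the single
# host 192.168.10.0, not the /24, so the initiator at .38 never overlaps it.
def case_zero_host_slash32():
    return negotiate({"left": CLIENT, "right": SERVER},
                     {"left": SERVER, "right": CLIENT, "rightsubnet": "192.168.10.0/32"})


# Case 3: the responder allows the whole /24 (written with host bits set, as
# in the thread); the proposed /32 lies inside it and comes back unchanged.
def case_subnet_superset():
    return negotiate({"left": CLIENT, "right": SERVER},
                     {"left": SERVER, "right": CLIENT, "rightsubnet": "192.168.10.38/24"})


# Case 4: the initiator asks for the whole /24 behind the server while the
# responder only protects its own address, so TSr is narrowed to one host.
def case_initiator_too_wide():
    return negotiate({"left": CLIENT, "right": SERVER, "rightsubnet": "192.168.10.0/24"},
                     {"left": SERVER, "right": CLIENT})


if __name__ == "__main__":
    for fn in (case_host_to_host, case_zero_host_slash32,
               case_subnet_superset, case_initiator_too_wide):
        print(f"{fn.__name__:26s} -> {fn()}")
```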




Re: [strongSwan] OpenWRT. IPSec server

2018-01-10 Thread Sujoy

Hi Noel,

When I run "ipsec up tunnel", I get the message below.

scheduling reauthentication in 2905s
maximum IKE_SA lifetime 3445s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'tunnel' failed


Following is my client config file

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn %default
conn tunnel #
    left=192.168.10.1
    right=X.X.X.X
    ike=aes256-sha1-modp2048
    #ike=aes256-sha384-prfsha384-ecp384!
    esp=aes256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=1h
    dpdaction=restart
    authby=psk
    auto=start

Thanks
Sujoy





On Thursday 04 January 2018 03:38 AM, Noel Kuntze wrote:

Hi,

Only on the responder.
If you use dpd and enforce UDP encapsulation, you do not need to open any ports 
on the initiator side.
Refer to the UsableExamples wiki page[1] for example configurations that are 
usable in the real world.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

On 28.12.2017 08:51, Sujoy wrote:

Hi All,


We want to implement StrongSwan with IPsec in OpenWRT. The IPSec server will be 
running in CentOS and the OpenWRT router will connect to it using VPN. I have 
configured the server part and am struggling to configure the client part. Do we need 
to open port 4500 for this first?

Can anyone suggest a solution for this?




[strongSwan] OpenWRT. IPSec server

2017-12-28 Thread Sujoy

Hi All,


We want to implement StrongSwan with IPsec in OpenWRT. The IPSec server will 
be running in CentOS and the OpenWRT router will connect to it using 
VPN. I have configured the server part and am struggling to configure the 
client part. Do we need to open port 4500 for this first?


Can anyone suggest a solution for this?
--

Thanks & Regards
Sujoy