Re: [strongSwan] Cannot pass the traffic through the established tunnel.
Thanks Noel for the reply,

There are two issues:
1) I cannot pass the normal traffic through the VPN tunnel, and
2) I want to redirect all HTTP traffic through the established tunnel.

Following is the current iptables status.

@cloud:~$ sudo iptables-save
[sudo] password for kencloud_mlx:
# Generated by iptables-save v1.6.0 on Fri Apr 6 15:36:00 2018
*filter
:INPUT ACCEPT [2373595:1217217340]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2358742:1592362700]
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
COMMIT
# Completed on Fri Apr 6 15:36:00 2018
# Generated by iptables-save v1.6.0 on Fri Apr 6 15:36:00 2018
*nat
:PREROUTING ACCEPT [343961:24571900]
:INPUT ACCEPT [53423:7217944]
:OUTPUT ACCEPT [12732:772316]
:POSTROUTING ACCEPT [12732:772316]
-A PREROUTING -p tcp -m tcp --dport 26 -j DNAT --to-destination 172.25.12.42:80
COMMIT
# Completed on Fri Apr 6 15:36:00 2018

Thanks
Sujoy

On Thursday 05 April 2018 10:15 PM, Noel Kuntze wrote:
> Hello Sujoy,
>
> Do you mean to block all traffic that uses TCP port 80 (0.0.0.0/0[tcp/80]), but the traffic that is protected in an established tunnel? Or do you mean to block everything but what is protected?
>
> Kind regards
> Noel
>
> On 04.04.2018 10:58, Sujoy wrote:
>> Hi list members,
>>
>> I have been facing one issue with strongSwan for quite a long time. I want to block all the traffic (http) and pass only the traffic of the connected network. But after so many tries, I still cannot do so. Below is the configuration status of the server, which has multiple connections. It will be a big help if someone can provide any solution to this. Thanks for the support provided till now by the members.
>>
>> root@cloud:~# ipsec statusall
>> Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
>>   uptime: 19 hours, since Apr 03 18:02:13 2018
>>   malloc: sbrk 2703360, mmap 0, used 570192, free 2133168
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 12
>>   loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
>> Listening IP addresses:
>>   172.25.12.42
>> Connections:
>>       tunnel:  %any...%any  IKEv2, dpddelay=30s
>>       tunnel:   local:  uses pre-shared key authentication
>>       tunnel:   remote: uses pre-shared key authentication
>>       tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
>> Security Associations (2 up, 0 connecting):
>>       tunnel[6]: ESTABLISHED 66 minutes ago, 172.25.12.42[X.X.X.X]...223.227.10.138[192.168.1.100]
>>       tunnel[6]: IKEv2 SPIs: 1e596ccc27d7939a_i c459f660671c3952_r*, pre-shared key reauthentication in 101 minutes
>>       tunnel[6]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>       tunnel{16}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cc167350_i c722bb0f_o
>>       tunnel{16}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
>>       tunnel{16}:   X.X.X.X/32 === 192.168.10.1/32
>>       tunnel[5]: ESTABLISHED 76 minutes ago, 172.25.12.42[X.X.X.X]...27.59.17.206[192.168.2.100]
>>       tunnel[5]: IKEv2 SPIs: 6bac8f644b19cf85_i 07c5f9254cda6720_r*, pre-shared key reauthentication in 90 minutes
>>       tunnel[5]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>       tunnel{17}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c3015f13_i ce6ea6b8_o
>>       tunnel{17}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 36 minutes
>>       tunnel{17}:   X.X.X.X/32 === 192.168.10.1/32
[strongSwan] Cannot pass the traffic through the established tunnel.
Hi list members,

I have been facing one issue with strongSwan for quite a long time. I want to block all the traffic (http) and pass only the traffic of the connected network. But after so many tries, I still cannot do so. Below is the configuration status of the server, which has multiple connections. It will be a big help if someone can provide any solution to this. Thanks for the support provided till now by the members.

root@cloud:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
  uptime: 19 hours, since Apr 03 18:02:13 2018
  malloc: sbrk 2703360, mmap 0, used 570192, free 2133168
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 12
  loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  172.25.12.42
Connections:
      tunnel:  %any...%any  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: uses pre-shared key authentication
      tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (2 up, 0 connecting):
      tunnel[6]: ESTABLISHED 66 minutes ago, 172.25.12.42[X.X.X.X]...223.227.10.138[192.168.1.100]
      tunnel[6]: IKEv2 SPIs: 1e596ccc27d7939a_i c459f660671c3952_r*, pre-shared key reauthentication in 101 minutes
      tunnel[6]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{16}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cc167350_i c722bb0f_o
      tunnel{16}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
      tunnel{16}:   X.X.X.X/32 === 192.168.10.1/32
      tunnel[5]: ESTABLISHED 76 minutes ago, 172.25.12.42[X.X.X.X]...27.59.17.206[192.168.2.100]
      tunnel[5]: IKEv2 SPIs: 6bac8f644b19cf85_i 07c5f9254cda6720_r*, pre-shared key reauthentication in 90 minutes
      tunnel[5]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{17}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c3015f13_i ce6ea6b8_o
      tunnel{17}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 36 minutes
      tunnel{17}:   X.X.X.X/32 === 192.168.10.1/32

--
Thanks
Sujoy
[strongSwan] No CHILD_SA tunnel{2} established with nat public IP
Hi All,

I am facing an issue while establishing a tunnel through the NATed public IP. When I connect to the same strongSwan server from the LAN I get "CHILD_SA tunnel{2} established with SPIs cb7bd615_i c3fb87d7_o and TS 172.25.12.38/32 == 172.25.1.23/32". But from the public network, "IKE_SA tunnel is established" is shown and "CHILD_SA tunnel" is not displayed. Even during the public IP tunneling, "ip route list table 220" gives no output on the server. Due to that, traffic is also not passing. The configuration file is the same on both clients. It will be a big help if someone can provide any solution.

root@Device_BD2009:~# ipsec up tunnel
no files found matching '/etc/strongswan.d/*.conf'
initiating IKE_SA tunnel[1] to X.X.X.X
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
sending packet: from 192.168.1.100[500] to X.X.X.X[500] (1080 bytes)
received packet: from X.X.X.X[500] to 192.168.1.100[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of '192.168.1.100' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.100[4500] to X.X.X.X[4500] (332 bytes)
received packet: from X.X.X.X[4500] to 192.168.1.100[4500] (220 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
authentication of 'X.X.X.X' with pre-shared key successful
IKE_SA tunnel[1] established between 192.168.1.100[192.168.1.100]...X.X.X.X[X.X.X.X]
scheduling reauthentication in 10015s
maximum IKE_SA lifetime 10555s
connection 'tunnel' established successfully

config setup
    charondebug="all"
    uniqueids=no
    strictcrlpolicy=no

conn %default

conn tunnel
    # left=192.168.1.100
    leftsubnet=192.168.1.100/32
    right=X.X.X.X
    rightsubnet=X.X.X.X/32
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    keyingtries=1
    keylife=60m
    dpddelay=30s
    dpdtimeout=150s
    dpdaction=clear
    authby=psk
    auto=route
    keyexchange=ikev2
    type=tunnel
    mobike=no
    fragmentation=yes

--
Thanks in advance.
Re: [strongSwan] Traffic blocked through the tunnel
Thanks a lot for the information Noel,

I have updated sysctl.conf according to points 1 and 2.

root@mlxvpn:~# sysctl -p
net.ipv4.conf.enp3s0.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_no_pmtu_disc = 1

Point 3. Verified the tunnel is established by "ipsec statusall" at both ends. I checked the connection from the other systems, which can ping and ssh/http. The host which establishes the tunnel is not able to communicate with the VPN server.

# nmap -Pn IP shows
All 1000 scanned ports on static-IP-ISP.co.in (IP) are filtered

Point 4. "10.0.0.1" is a sample IP. As I need to connect multiple devices whose IPs are not fixed, I have set the left/rightsubnet as 0.0.0.0/0.

config setup
    charondebug="all"
    uniqueids=no
    strictcrlpolicy=no

conn %default

conn tunnel
    # left=%any
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightsubnet=0.0.0.0/0
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    keyingtries=1
    keylife=60m
    dpddelay=30s
    dpdtimeout=150s
    dpdaction=clear
    authby=psk
    auto=route
    keyexchange=ikev2
    type=tunnel
    mobike=no
    leftfirewall=yes
    fragmentation=yes

Thanks

On Friday 09 March 2018 07:31 PM, Noel Kuntze wrote:
> Hi,
>
> 1) Make sure that net.ipv4.ip_forward=1 is set in sysctl (or just run `sysctl -w net.ipv4.ip_forward=1`, then it is set)
> 2) Make sure forwarding for the interfaces that are involved is enabled (net.ipv4.conf.$INTERFACE.forwarding=1)
> 3) How do you test the tunnel?
> 4) Do you have a route to 10.0.0.1?
> 5) There is only a route in table 220 if it's needed and route installation is enabled in strongswan.conf/charon.conf (the default).
>
> Kind regards
> Noel
>
> On 09.03.2018 14:52, Sujoy wrote:
>> Thanks Noel,
>>
>> As you replied, this is a new thread. I followed the forwarding and split tunneling link below but cannot pass traffic through the strongSwan tunnel.
>>
>> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>>
>> strongSwan configuration details.
>>
>> root@mlxvpn:~# ifconfig
>> enp3s0    Link encap:Ethernet  HWaddr 00:25:ab:98:12:d5
>>           inet addr:172.25.1.23  Bcast:172.25.255.255  Mask:255.255.0.0
>>           inet6 addr: fe80::c4eb:7e0f:2470:c1d2/64 Scope:Link
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:281997 errors:0 dropped:1 overruns:0 frame:0
>>           TX packets:22052 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:29640846 (29.6 MB)  TX bytes:3714848 (3.7 MB)
>>
>> lo        Link encap:Local Loopback
>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>           inet6 addr: ::1/128 Scope:Host
>>           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>>           RX packets:225 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1
>>           RX bytes:16397 (16.3 KB)  TX bytes:16397 (16.3 KB)
>> root@mlxvpn:~#
>>
>> root@mlxvpn:~# ipsec statusall
>> Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
>>   uptime: 3 hours, since Mar 09 13:29:26 2018
>>   malloc: sbrk 2703360, mmap 0, used 553856, free 2149504
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
>>   loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
>> Listening IP addresses:
>>   172.25.1.23
>> Connections:
>>       tunnel:  %any...%any  IKEv2, dpddelay=30s
>>       tunnel:   local:  uses pre-shared key authentication
>>       tunnel:   remote: uses pre-shared key authentication
>>       tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
>> Security Associations (1 up, 0 connecting):
>>       tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
>>       tunnel[3]: IKEv2 SPIs: 50985f5c83600bca_i 15196cba95370f18_r*, pre-shared key reauthentication in 61 minutes
>>       tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>       tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
>>       tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
>>       tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
>> root@mlxvpn:~#
>>
>> root@mlxvpn:~# iptables-save
>> # Generated by iptables-save v1.6.0 on Fri Mar 9 17:17:25 2018
>> *nat
>> :PREROUTING ACCEPT [41820:3021162]
>> :INPUT ACCEPT [6196:914229]
>> :OUTPUT ACCEPT [16:1536]
>> :POSTROUTING ACCEPT [16:1536]
>> -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
>> COMMIT
>> # Completed on Fri Mar 9 17:17:25 2018
>> # Generated by iptables-save v1.6.0 on Fri Mar 9 17:
[strongSwan] Traffic blocked through the tunnel
Thanks Noel,

As you replied, this is a new thread. I followed the forwarding and split tunneling link below but cannot pass traffic through the strongSwan tunnel.

https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

strongSwan configuration details.

root@mlxvpn:~# ifconfig
enp3s0    Link encap:Ethernet  HWaddr 00:25:ab:98:12:d5
          inet addr:172.25.1.23  Bcast:172.25.255.255  Mask:255.255.0.0
          inet6 addr: fe80::c4eb:7e0f:2470:c1d2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:281997 errors:0 dropped:1 overruns:0 frame:0
          TX packets:22052 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:29640846 (29.6 MB)  TX bytes:3714848 (3.7 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:225 errors:0 dropped:0 overruns:0 frame:0
          TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:16397 (16.3 KB)  TX bytes:16397 (16.3 KB)
root@mlxvpn:~#

root@mlxvpn:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
  uptime: 3 hours, since Mar 09 13:29:26 2018
  malloc: sbrk 2703360, mmap 0, used 553856, free 2149504
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  172.25.1.23
Connections:
      tunnel:  %any...%any  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: uses pre-shared key authentication
      tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
      tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
      tunnel[3]: IKEv2 SPIs: 50985f5c83600bca_i 15196cba95370f18_r*, pre-shared key reauthentication in 61 minutes
      tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
      tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
      tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
root@mlxvpn:~#

root@mlxvpn:~# iptables-save
# Generated by iptables-save v1.6.0 on Fri Mar 9 17:17:25 2018
*nat
:PREROUTING ACCEPT [41820:3021162]
:INPUT ACCEPT [6196:914229]
:OUTPUT ACCEPT [16:1536]
:POSTROUTING ACCEPT [16:1536]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Fri Mar 9 17:17:25 2018
# Generated by iptables-save v1.6.0 on Fri Mar 9 17:17:25 2018
*mangle
:PREROUTING ACCEPT [90325:7771073]
:INPUT ACCEPT [54531:5654040]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10356:1527995]
:POSTROUTING ACCEPT [10360:1528611]
-A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Fri Mar 9 17:17:25 2018
root@mlxvpn:~#

root@mlxvpn:~# ip route list table 220
root@mlxvpn:~#

Thanks for the help.
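Two things in this thread can be checked mechanically rather than by eye: Noel's points 1 and 2 (global and per-interface forwarding in the sysctl output) and the ordering of the nat POSTROUTING table, where the `-m policy --dir out --pol ipsec -j ACCEPT` exemption shown in the post above only helps if it precedes any MASQUERADE/SNAT rule. The script below is an added example and is not code from the thread or from the strongSwan project. It audits constructed `iptables-save` dumps for a missing or misplaced ipsec exemption and for a FORWARD chain that drops ipsec-policy traffic, and checks constructed `sysctl -p` style output for the two forwarding keys. The interface name enp3s0 comes from the thread; the function names and all sample dumps are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the strongSwan project): audit
# iptables-save and sysctl output for the usual reasons an IPsec tunnel is
# ESTABLISHED yet shows 0 bytes_i / 0 bytes_o.

# Constructed dump: ipsec exemption before MASQUERADE, FORWARD accepts
# ipsec-policy traffic explicitly although its default policy is DROP.
GOOD_DUMP='# constructed sample, not a real iptables-save capture
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o enp3s0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# Constructed dump: MASQUERADE with no exemption, FORWARD drops everything.
BAD_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp3s0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT'

# Constructed dump: exemption present but listed after the MASQUERADE rule,
# so it is never reached for tunnel-bound packets.
WRONG_ORDER_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp3s0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# audit_ipsec_rules DUMP
# Prints one WARN line per finding, or OK when the nat and filter tables
# contain neither mistake. Other tables (mangle, raw) are ignored.
audit_ipsec_rules() {
    printf '%s\n' "$1" | awk '
    /^\*/ { table = substr($0, 2); next }            # "*nat" -> table = "nat"
    table == "nat" && /^-A POSTROUTING / {
        n++                                          # rule position in the chain
        if ($0 ~ /-j (MASQUERADE|SNAT)/ && !masq) masq = n
        if ($0 ~ /--pol ipsec/ && $0 ~ /--dir out/ && $0 ~ /-j ACCEPT/ && !exempt) exempt = n
    }
    table == "filter" && /^:FORWARD / { fwd_policy = $2 }
    table == "filter" && /^-A FORWARD / && /--pol ipsec/ && /-j ACCEPT/ { fwd_ipsec = 1 }
    END {
        if (masq && !exempt) {
            print "WARN: nat POSTROUTING has MASQUERADE/SNAT but no ipsec policy exemption"; w++
        } else if (masq && exempt > masq) {
            print "WARN: ipsec policy exemption is listed after the MASQUERADE/SNAT rule; move it first"; w++
        }
        if (fwd_policy != "" && fwd_policy != "ACCEPT" && !fwd_ipsec) {
            print "WARN: filter FORWARD policy is " fwd_policy " and no rule accepts ipsec-policy traffic"; w++
        }
        if (!w) print "OK"
    }'
}

# Constructed sysctl output in the "key = value" form printed by sysctl -p.
SYSCTL_OK='net.ipv4.conf.enp3s0.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1'
SYSCTL_BAD='net.ipv4.ip_forward = 0'

# check_forwarding IFACE SYSCTL_TEXT
# Both net.ipv4.ip_forward and net.ipv4.conf.IFACE.forwarding must be 1.
check_forwarding() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
    BEGIN { key = "net.ipv4.conf." ifc ".forwarding" }
    $1 == "net.ipv4.ip_forward" { global = $3 }
    $1 == key { per_if = $3 }
    END {
        if (global != "1") { print "WARN: net.ipv4.ip_forward is not 1"; w++ }
        if (per_if != "1") { print "WARN: " key " is not 1"; w++ }
        if (!w) print "OK"
    }'
}

# Run the checks against the constructed samples.
echo "good dump:  $(audit_ipsec_rules "$GOOD_DUMP")"
echo "bad dump:"; audit_ipsec_rules "$BAD_DUMP"
echo "wrong order:"; audit_ipsec_rules "$WRONG_ORDER_DUMP"
echo "sysctl ok:  $(check_forwarding enp3s0 "$SYSCTL_OK")"
echo "sysctl bad:"; check_forwarding enp3s0 "$SYSCTL_BAD"
```

To use it on a live host, feed `audit_ipsec_rules "$(iptables-save)"` and `check_forwarding enp3s0 "$(sysctl -a 2>/dev/null)"`; the audit only reads text, so it can also be run against dumps pasted into a list post. A clean OK from both does not prove traffic will flow (routing, the table 220 entries Noel mentions, and the SA selectors still matter), but it rules out the two rule-set mistakes above.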
Re: [strongSwan] ssh and http through IPSec
Hi Noel,

I do appreciate your view, but I am not able to pass traffic over the tunnel after following the Forwarding and Split Tunneling links. Tried by enabling the kernel-libipsec plugin also. Struggling with this issue for more than a month now.

https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Below are the iptables and strongSwan configuration details. Thanks for the help.

root@mlxvpn:~# ifconfig
enp3s0    Link encap:Ethernet  HWaddr 00:25:ab:98:12:d5
          inet addr:172.25.1.23  Bcast:172.25.255.255  Mask:255.255.0.0
          inet6 addr: fe80::c4eb:7e0f:2470:c1d2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:281997 errors:0 dropped:1 overruns:0 frame:0
          TX packets:22052 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:29640846 (29.6 MB)  TX bytes:3714848 (3.7 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:225 errors:0 dropped:0 overruns:0 frame:0
          TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:16397 (16.3 KB)  TX bytes:16397 (16.3 KB)
root@mlxvpn:~#

root@mlxvpn:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
  uptime: 3 hours, since Mar 09 13:29:26 2018
  malloc: sbrk 2703360, mmap 0, used 553856, free 2149504
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  172.25.1.23
Connections:
      tunnel:  %any...%any  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: uses pre-shared key authentication
      tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
      tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
      tunnel[3]: IKEv2 SPIs: 50985f5c83600bca_i 15196cba95370f18_r*, pre-shared key reauthentication in 61 minutes
      tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
      tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
      tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
root@mlxvpn:~#

root@mlxvpn:~# iptables-save
# Generated by iptables-save v1.6.0 on Fri Mar 9 17:17:25 2018
*nat
:PREROUTING ACCEPT [41820:3021162]
:INPUT ACCEPT [6196:914229]
:OUTPUT ACCEPT [16:1536]
:POSTROUTING ACCEPT [16:1536]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Fri Mar 9 17:17:25 2018
# Generated by iptables-save v1.6.0 on Fri Mar 9 17:17:25 2018
*mangle
:PREROUTING ACCEPT [90325:7771073]
:INPUT ACCEPT [54531:5654040]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10356:1527995]
:POSTROUTING ACCEPT [10360:1528611]
-A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Fri Mar 9 17:17:25 2018
root@mlxvpn:~#

root@mlxvpn:~# ip route list table 220
root@mlxvpn:~#

Thanks

On Thursday 08 March 2018 04:07 PM, Noel Kuntze wrote:
> Hi,
>
> Don't answer existing threads if you want to talk about new things. Send a completely new mail to the list, otherwise you get shit like this with different topics under a single thread and that makes it unnecessarily difficult and ugly to handle in mail clients. Take a look at the article about help requests[1].
>
> I'm sure you can figure it out by yourself (hint: It's likely your rules in *nat).
>
> Kind regards
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>
> On 07.03.2018 12:50, Sujoy wrote:
>> Hi Jafar,
>>
>> I am not getting any output from "ip route list table 220" while the tunnel is established. And it is not allowing any type of traffic. Any idea what the issue could be?
>>
>> [root@VPNTEST ~]# ipsec statusall
>> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.0-693.11.6.el7.x86_64, x86_64):
>>   uptime: 8 minutes, since Mar 07 17:00:51 2018
>>   malloc: sbrk 2568192, mmap 0, used 403312, free 2164880
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
>>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem op
Re: [strongSwan] ssh and http through IPSec
Hi Jafar,

I am not getting any output from "ip route list table 220" while the tunnel is established. And it is not allowing any type of traffic. Any idea what the issue could be?

[root@VPNTEST ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.0-693.11.6.el7.x86_64, x86_64):
  uptime: 8 minutes, since Mar 07 17:00:51 2018
  malloc: sbrk 2568192, mmap 0, used 403312, free 2164880
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  172.25.1.23
Connections:
      tunnel:  %any...%any  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: uses pre-shared key authentication
      tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[2]: ESTABLISHED 27 seconds ago, 172.25.1.23[X.X.X.X]...106.216.163.71[192.168.10.40]
      tunnel[2]: IKEv2 SPIs: f8417e08c414c0ee_i a8648d0d206c_r*, rekeying disabled
      tunnel[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c06d3ac1_i cd4c518b_o
      tunnel{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
      tunnel{3}:   X.X.X.X/32 === 192.168.10.40/32
[root@VPNTEST ~]#
[root@VPNTEST ~]#
[root@VPNTEST ~]# ip route list table 220
[root@VPNTEST ~]#
[root@VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
ACCEPT     esp  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@VPNTEST ~]#

Thanks

On Tuesday 06 March 2018 10:46 AM, Sujoy wrote:
> Hi Jafar,
>
> Thanks for the information. The ping stops as soon as the tunnel is established to the right IP of the client. I cannot ping/ssh/http (wget/curl) to the IPsec VPN server. It is the same IP address where the tunnel terminates.
>
> Server configuration
>
> config setup
>     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>     strictcrlpolicy=no
>     uniqueids=no
>
> conn %default
>
> conn tunnel
>     # left=%any
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightsubnet=0.0.0.0/0
>     ike=aes256-sha1-modp2048
>     esp=aes256-sha1
>     keyingtries=1
>     keylife=20
>     dpddelay=30s
>     dpdtimeout=150s
>     dpdaction=restart
>     authby=psk
>     auto=start
>     keyexchange=ikev2
>     type=tunnel
>     mobike=no
>
> Client output
>
> root@Device_BD2009:~# ipsec statusall
> no files found matching '/etc/strongswan.d/*.conf'
> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
>   uptime: 25 seconds, since Mar 06 13:00:41 2018
>   malloc: sbrk 196608, mmap 0, used 163488, free 33120
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 17
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
> Listening IP addresses:
>   192.168.20.100
>   192.168.10.1
>   fd70:5f2:3744::1
> Connections:
>       tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
>       tunnel:   local:  uses pre-shared key authentication
>       tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
>       tunnel:   child:  dynamic === X.X.X.X/X TUNNEL, dpdaction=restart
> Security Associations (1 up, 0 connecting):
>       tunnel[1]: ESTABLISHED 23 seconds ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
>       tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i* 485e938bf49b2110_r, pre-shared key reauthentication in 2 hours
>       tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>       tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c25c0775_i c559455b_o
>       tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying active
>       tunnel{21}:   192.168.20.100/32 === X.X.X.X/32
>
> Thanks
>
> On Monday 05 March 2018 09:58 PM, Jafar Al-Gharaibeh wrote:
>> Hi Sujoy,
>>
>> Can you ping the server's IP address that you want to ssh to? Is that the same IP address where the tunnel terminates: the "right" address on the client side?
>>
>> --Jafar
>>
>> On 3/5/2018 12:31 AM, Sujoy wrote:
>>> Hi Christopher,
>>>
>>> Thanks for the response. I want to access
Re: [strongSwan] ssh and http through IPSec
Hi Jafar,

Thanks for the information. The ping stops as soon as the tunnel is established to the right IP of the client. I cannot ping/ssh/http (wget/curl) to the IPsec VPN server. It is the same IP address where the tunnel terminates.

Server configuration

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no

conn %default

conn tunnel
    # left=%any
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnet=0.0.0.0/0
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    keyingtries=1
    keylife=20
    dpddelay=30s
    dpdtimeout=150s
    dpdaction=restart
    authby=psk
    auto=start
    keyexchange=ikev2
    type=tunnel
    mobike=no

Client output

root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
  uptime: 25 seconds, since Mar 06 13:00:41 2018
  malloc: sbrk 196608, mmap 0, used 163488, free 33120
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 17
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fd70:5f2:3744::1
Connections:
      tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
      tunnel:   child:  dynamic === X.X.X.X/X TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 23 seconds ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
      tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i* 485e938bf49b2110_r, pre-shared key reauthentication in 2 hours
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c25c0775_i c559455b_o
      tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying active
      tunnel{21}:   192.168.20.100/32 === X.X.X.X/32

Thanks

On Monday 05 March 2018 09:58 PM, Jafar Al-Gharaibeh wrote:
> Hi Sujoy,
>
> Can you ping the server's IP address that you want to ssh to? Is that the same IP address where the tunnel terminates: the "right" address on the client side?
>
> --Jafar
>
> On 3/5/2018 12:31 AM, Sujoy wrote:
>> Hi Christopher,
>>
>> Thanks for the response. I want to access the CentOS IPsec server, which has tunneling enabled, from another system through SSH. In the meantime the other OpenWRT client should also be able to curl/wget through the tunnel. Both SSH and http fail while the tunnel is established. Tried the following, but it doesn't work.
>>
>> https://wiki.strongswan.org/issues/2351
>> https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan
>>
>> Thanks
>> Sujoy
>>
>> On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:
>>> Hi Sujoy,
>>>
>>> Do you route all traffic through the ipsec tunnel at the moment? Or is your goal to access the CentOS server through ipsec?
>>>
>>> Cheers,
>>> Christopher
>>>
>>> On Mar 5, 2018 07:05, Sujoy <sujo...@mindlogicx.com> wrote:
>>>> Hi Jafar,
>>>>
>>>> I have successfully established a connection with tunneling between an OpenWRT client and CentOS as the strongSwan server. Now I am facing one issue: how to enable ssh and http through the IPsec tunnel in strongSwan.
>>>>
>>>> Thanks
>>>> Sujoy
>>>>
>>>> On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:
>>>>> Sujoy,
>>>>>
>>>>> You have to send me the logs from both ends. It is hard to know what is the problem with no logs.
>>>>>
>>>>> --Jafar
>>>>>
>>>>> On 2/21/2018 8:58 AM, Sujoy wrote:
>>>>>> Thanks Jafar, for giving this information. Please let me know if anything else is required. The client OS is OpenWrt, so no logs are available.
>>>>>>
>>>>>> *Server Config*
>>>>>>
>>>>>> config setup
>>>>>>     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>>>>     strictcrlpolicy=no
>>>>>>     uniqueids=no
>>>>>>
>>>>>> conn %default
>>>>>>
>>>>>> conn tunnel
>>>>>>     # left=%any
>>>>>>     right=%any
>>>>>>     ike=aes256-sha1-modp2048
>>>>>>     esp=aes256-sha1
>>>>>>     keyingtries=1
>>>>>>     keylife=20
>>>>>>     dpddelay=30s
>>>>>>     dpdtimeout=150s
>>>>>>     dpdaction=restart
>>>>>>     authby=psk
>>>>>>     auto=start
>>>>>>     keyexchange=ikev2
>>>>>>     type=tunnel
>>>>>>
>>>>>> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>>>>> : PSK "XXX"
Re: [strongSwan] ssh and http through IPSec
Hi Christopher,

Thanks for the response. I want to access the CentOS IPsec server, which has tunneling enabled, from another system through SSH. In the meantime the other OpenWRT client should also be able to curl/wget through the tunnel. Both SSH and http fail while the tunnel is established. Tried the following, but it doesn't work.

https://wiki.strongswan.org/issues/2351
https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan

Thanks
Sujoy

On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:
> Hi Sujoy,
>
> Do you route all traffic through the ipsec tunnel at the moment? Or is your goal to access the CentOS server through ipsec?
>
> Cheers,
> Christopher
>
> On Mar 5, 2018 07:05, Sujoy <sujo...@mindlogicx.com> wrote:
>> Hi Jafar,
>>
>> I have successfully established a connection with tunneling between an OpenWRT client and CentOS as the strongSwan server. Now I am facing one issue: how to enable ssh and http through the IPsec tunnel in strongSwan.
>>
>> Thanks
>> Sujoy
>>
>> On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:
>>> Sujoy,
>>>
>>> You have to send me the logs from both ends. It is hard to know what is the problem with no logs.
>>>
>>> --Jafar
>>>
>>> On 2/21/2018 8:58 AM, Sujoy wrote:
>>>> Thanks Jafar, for giving this information. Please let me know if anything else is required. The client OS is OpenWrt, so no logs are available.
>>>>
>>>> *Server Config*
>>>>
>>>> config setup
>>>>     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>>     strictcrlpolicy=no
>>>>     uniqueids=no
>>>>
>>>> conn %default
>>>>
>>>> conn tunnel
>>>>     # left=%any
>>>>     right=%any
>>>>     ike=aes256-sha1-modp2048
>>>>     esp=aes256-sha1
>>>>     keyingtries=1
>>>>     keylife=20
>>>>     dpddelay=30s
>>>>     dpdtimeout=150s
>>>>     dpdaction=restart
>>>>     authby=psk
>>>>     auto=start
>>>>     keyexchange=ikev2
>>>>     type=tunnel
>>>>
>>>> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>>> : PSK "XXX"
>>>>
>>>> [host@VPNTEST ~]# firewall-cmd --list-all
>>>> FirewallD is not running
>>>> [host@VPNTEST ~]# sestatus
>>>> SELinux status:                 disabled
>>>> [host@VPNTEST ~]# iptables -L
>>>> Chain INPUT (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>
>>>> Chain FORWARD (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>
>>>> Chain OUTPUT (policy ACCEPT)
>>>> target     prot opt source               destination
>>>>
>>>> *Client config and status*
>>>>
>>>> config setup
>>>>     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>>     strictcrlpolicy=no
>>>>     uniqueids=no
>>>>
>>>> conn %default
>>>>
>>>> conn tunnel
>>>>     # left=%any
>>>>     #right=192.168.10.40
>>>>     right=182.156.253.59
>>>>     ike=aes256-sha1-modp2048
>>>>     esp=aes256-sha1
>>>>     keyingtries=1
>>>>     keylife=20
>>>>     dpddelay=30s
>>>>     dpdtimeout=150s
>>>>     dpdaction=restart
>>>>     authby=psk
>>>>     auto=start
>>>>     keyexchange=ikev2
>>>>     type=tunnel
>>>>
>>>> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>>> : PSK "XXX"
>>>>
>>>> root@Device_BD2009:~# ipsec statusall
>>>> no files found matching '/etc/strongswan.d/*.conf'
>>>> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
>>>>   uptime: 22 minutes, since Feb 21 14:31:43 2018
>>>>   malloc: sbrk 196608, mmap 0, used 157560, free 39048
>>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
>>>>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
>>>> Listening IP addresses:
>>>>   192.168.20.100
>>>>   192.168.10.1
>>>>   fd70:5f2:3744::1
>>>> Connections:
>>>>       tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
>>>>       tunnel:   local:  uses pre-shared key authentication
>>>>       tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
>>>>       tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
>>>> Security Associations (1
[strongSwan] ssh and http through IPSec

Hi Jafar,

I have successfully established a connection with tunneling between an OpenWRT client and CentOS as the StrongSwan server. Now I am facing one issue: how to enable ssh and http through the IPSec tunnel in StrongSwan?

Thanks
Sujoy

On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:
Sujoy,
You have to send me the logs from both ends. It is hard to know what the problem is with no logs.
--Jafar

On 2/21/2018 8:58 AM, Sujoy wrote:
Thanks Jafar, for giving this information. Please let me know if anything else is required. The client OS is OpenWrt, so no logs are available.

*Server Config*

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no

conn %default

conn tunnel
    #
    left=%any
    right=%any
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    keyingtries=1
    keylife=20
    dpddelay=30s
    dpdtimeout=150s
    dpdaction=restart
    authby=psk
    auto=start
    keyexchange=ikev2
    type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXX"

[host@VPNTEST ~]# firewall-cmd --list-all
FirewallD is not running
[host@VPNTEST ~]# sestatus
SELinux status:                 disabled
[host@VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

*Client config and status*

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no

conn %default

conn tunnel
    #
    left=%any
    #right=192.168.10.40
    right=182.156.253.59
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    keyingtries=1
    keylife=20
    dpddelay=30s
    dpdtimeout=150s
    dpdaction=restart
    authby=psk
    auto=start
    keyexchange=ikev2
    type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXX"

root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
  uptime: 22 minutes, since Feb 21 14:31:43 2018
  malloc: sbrk 196608, mmap 0, used 157560, free 39048
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fd70:5f2:3744::1
Connections:
      tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
      tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
      tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

On Tuesday 20 February 2018 09:20 PM, Jafar Al-Gharaibeh wrote:
Sujoy,
It is really hard to help you if you don't give us full information, only sending us one picture at a time. Please use text files, they are easier to navigate than screen shots. Your last question below is a repeat of a question that I answered before. If you want a proper diagnosis of the problem please send the configuration files, logs, and routing table at both ends. See 8 at:
https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
Make sure to increase the debug level in your ipsec.conf files at both ends, something like:

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"

Regards,
Jafar

On 2/20/2018 8:00 AM, Sujoy wrote:
Hi Jafar,
I am able to establish a tunnel when I try to connect from a LAN IP. But with the same configuration (firewall setting) and the same OS version it failed to establish a tunnel with a *NATed public IP*.
What does "failed to establish CHILD_SA, keeping IKE_SA" mean? Please let me know if you have any idea regarding this issue.
Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

Hi Jafar/Noel,

What does "received TS_UNACCEPTABLE notify, no CHILD_SA built [IKE] failed to establish CHILD_SA, keeping IKE_SA" mean? The same error comes on the newly installed Linux also.

root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (464 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (368 bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] (160 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
authentication of '192.168.10.40' with pre-shared key successful
IKE_SA tunnel[1] established between 192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]
scheduling rekeying in 2642s
maximum IKE_SA lifetime 3182s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
peer supports MOBIKE
establishing connection 'tunnel' failed

Feb  9 11:55:44 localhost charon: 14[NET] sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (368 bytes)
Feb  9 11:55:44 localhost charon: 16[NET] received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] (160 bytes)
Feb  9 11:55:44 localhost charon: 16[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
Feb  9 11:55:44 localhost charon: 16[IKE] authentication of '192.168.10.40' with pre-shared key successful
Feb  9 11:55:44 localhost charon: 16[IKE] IKE_SA tunnel[1] established between 192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]
Feb  9 11:55:44 localhost charon: 16[IKE] scheduling rekeying in 2642s
Feb  9 11:55:44 localhost charon: 16[IKE] maximum IKE_SA lifetime 3182s
*Feb  9 11:55:44 localhost charon: 16[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built*
*Feb  9 11:55:44 localhost charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA*
Feb  9 11:55:44 localhost charon: 16[IKE] peer supports MOBIKE

Thanks

On Friday 09 February 2018 11:21 AM, Sujoy wrote:
Thanks Jafar, for the update. But after setting it up without a subnet and with "type=tunnel or transport" it shows the same error "failed to establish CHILD_SA, keeping IKE_SA". What should the issue be?
Thanks

On Friday 09 February 2018 01:53 AM, Jafar Al-Gharaibeh wrote:
Sujoy,
Just to make sure everything is working OK. Try setting:

    left=192.168.10.40
    right=192.168.10.38

and

    left=192.168.10.38
    right=192.168.10.40

Comment out the left/rightsubnet configs. They should default to the same IP addresses as left/right.
--Jafar

On 2/8/2018 12:26 AM, Sujoy wrote:
Hi Jafar,
The peer is also using strongswan 5.3.3. Following is the configuration. We need tunnel mode because once it is connected on the LAN we want to implement it on the WAN/Internet. Output of 192.168.10.40 is below.

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes

conn %default

conn tunnel
    #
    left=%any
    right=192.168.10.38
    rightsubnet=192.168.10.38/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=psk
    auto=route
    keyexchange=ikev2
    type=tunnel

root@server:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 4.4.0-112-generic, x86_64):
  uptime: 114 minutes, since Feb 08 09:58:49 2018
  malloc: sbrk 2703360, mmap 0, used 513168, free 2190192
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.10.40
  10.8.0.1
Connections:
      tunnel:  %any...192.168.10.38  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: [192.168.10.38] uses pre-shared key authentication
      tunnel:   child:  dynamic === 192.168.10.0/24 TUNNEL, dpdaction=restart
Securi
Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

Thanks Jafar, for the update. But after setting it up without a subnet and with "type=tunnel or transport" it shows the same error "failed to establish CHILD_SA, keeping IKE_SA". What should the issue be?

Thanks

On Friday 09 February 2018 01:53 AM, Jafar Al-Gharaibeh wrote:
Sujoy,
Just to make sure everything is working OK. Try setting:

    left=192.168.10.40
    right=192.168.10.38

and

    left=192.168.10.38
    right=192.168.10.40

Comment out the left/rightsubnet configs. They should default to the same IP addresses as left/right.
--Jafar

On 2/8/2018 12:26 AM, Sujoy wrote:
Hi Jafar,
The peer is also using strongswan 5.3.3. Following is the configuration. We need tunnel mode because once it is connected on the LAN we want to implement it on the WAN/Internet. Output of 192.168.10.40 is below.

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes

conn %default

conn tunnel
    #
    left=%any
    right=192.168.10.38
    rightsubnet=192.168.10.38/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=psk
    auto=route
    keyexchange=ikev2
    type=tunnel

root@server:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 4.4.0-112-generic, x86_64):
  uptime: 114 minutes, since Feb 08 09:58:49 2018
  malloc: sbrk 2703360, mmap 0, used 513168, free 2190192
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.10.40
  10.8.0.1
Connections:
      tunnel:  %any...192.168.10.38  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: [192.168.10.38] uses pre-shared key authentication
      tunnel:   child:  dynamic === 192.168.10.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[3]: ESTABLISHED 25 minutes ago, 192.168.10.40[192.168.10.40]...192.168.10.38[192.168.10.38]
      tunnel[3]: IKEv2 SPIs: c1a42433ade9fa28_i a52cfea6d767c397_r*, pre-shared key reauthentication in 24 minutes
      tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

Thanks

On Wednesday 07 February 2018 09:06 PM, Jafar Al-Gharaibeh wrote:
On 2/7/2018 9:22 AM, Sujoy wrote:
Thanks Jafar, for the reply. But after removing the subnet from the config the tunneling also failed. Is there any issue with the version of strongswan 5.3.3? What does "TS_UNACCEPTABLE notify, no CHILD_SA built" mean?

"TS_UNACCEPTABLE notify" means the peer didn't like the proposed traffic selector. The log shows that your IKE SA is up, so you don't have a problem there. I can't tell you what your rightsubnet should be unless you tell us more about the setup you have. What is your peer running? Is it also strongSwan? If you only want to encrypt traffic from 192.168.10.38 to 192.168.10.40 and you don't have other subnets/hosts, you can switch the connection type to transport mode ("type=transport"). Both sides must agree on this. Transport doesn't require left/rightsubnets.
--Jafar

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes

conn %default

conn tunnel
    #
    left=%any
    right=192.168.10.40
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=route
    keyexchange=ikev2
    type=tunnel

root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (448 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (348 bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] (156 bytes)
parsed IKE_AUTH response 1
Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

Hi Jafar,

The peer is also using strongswan 5.3.3. Following is the configuration. We need tunnel mode because once it is connected on the LAN we want to implement it on the WAN/Internet. Output of 192.168.10.40 is below.

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes

conn %default

conn tunnel
    #
    left=%any
    right=192.168.10.38
    rightsubnet=192.168.10.38/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=psk
    auto=route
    keyexchange=ikev2
    type=tunnel

root@server:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 4.4.0-112-generic, x86_64):
  uptime: 114 minutes, since Feb 08 09:58:49 2018
  malloc: sbrk 2703360, mmap 0, used 513168, free 2190192
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.10.40
  10.8.0.1
Connections:
      tunnel:  %any...192.168.10.38  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: [192.168.10.38] uses pre-shared key authentication
      tunnel:   child:  dynamic === 192.168.10.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[3]: ESTABLISHED 25 minutes ago, 192.168.10.40[192.168.10.40]...192.168.10.38[192.168.10.38]
      tunnel[3]: IKEv2 SPIs: c1a42433ade9fa28_i a52cfea6d767c397_r*, pre-shared key reauthentication in 24 minutes
      tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

Thanks

On Wednesday 07 February 2018 09:06 PM, Jafar Al-Gharaibeh wrote:
On 2/7/2018 9:22 AM, Sujoy wrote:
Thanks Jafar, for the reply. But after removing the subnet from the config the tunneling also failed. Is there any issue with the version of strongswan 5.3.3? What does "TS_UNACCEPTABLE notify, no CHILD_SA built" mean?

"TS_UNACCEPTABLE notify" means the peer didn't like the proposed traffic selector. The log shows that your IKE SA is up, so you don't have a problem there. I can't tell you what your rightsubnet should be unless you tell us more about the setup you have. What is your peer running? Is it also strongSwan? If you only want to encrypt traffic from 192.168.10.38 to 192.168.10.40 and you don't have other subnets/hosts, you can switch the connection type to transport mode ("type=transport"). Both sides must agree on this. Transport doesn't require left/rightsubnets.
--Jafar

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes

conn %default

conn tunnel
    #
    left=%any
    right=192.168.10.40
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=route
    keyexchange=ikev2
    type=tunnel

root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (448 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (348 bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] (156 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
authentication of '192.168.10.40' with pre-shared key successful
IKE_SA tunnel[1] established between 192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]
scheduling reauthentication in 2819s
maximum IKE_SA lifetime 3359s
*received TS_UNACCEPTABLE notify, no CHILD_SA built*
*failed to establish CHILD_SA, keeping IKE_SA*
received AUTH_LIFETIME of 2637s, scheduling reauthentication in 2097s
peer supports MOBIKE
establishing connection 'tunnel' failed

root@client:~# ipsec statusall
Status of IKE charon daemon *(strongSwan 5.3.3
Re: [strongSwan] received TS_UNACCEPTABLE notify, no CHILD_SA built

Thanks Jafar, for the reply. But after removing the subnet from the config the tunneling also failed. Is there any issue with the version of strongswan 5.3.3? What does "TS_UNACCEPTABLE notify, no CHILD_SA built" mean?

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=yes

conn %default

conn tunnel
    #
    left=%any
    right=192.168.10.40
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    keyingtries=1
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=route
    keyexchange=ikev2
    type=tunnel

root@client:~# ipsec up tunnel
initiating IKE_SA tunnel[1] to 192.168.10.40
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.10.38[500] to 192.168.10.40[500] (448 bytes)
received packet: from 192.168.10.40[500] to 192.168.10.38[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '192.168.10.38' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.10.38[4500] to 192.168.10.40[4500] (348 bytes)
received packet: from 192.168.10.40[4500] to 192.168.10.38[4500] (156 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
authentication of '192.168.10.40' with pre-shared key successful
IKE_SA tunnel[1] established between 192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]
scheduling reauthentication in 2819s
maximum IKE_SA lifetime 3359s
*received TS_UNACCEPTABLE notify, no CHILD_SA built*
*failed to establish CHILD_SA, keeping IKE_SA*
received AUTH_LIFETIME of 2637s, scheduling reauthentication in 2097s
peer supports MOBIKE
establishing connection 'tunnel' failed

root@client:~# ipsec statusall
Status of IKE charon daemon *(strongSwan 5.3.3, Linux 4.4.0-112-generic, x86_64)*:
  uptime: 2 minutes, since Feb 07 20:44:23 2018
  malloc: sbrk 2703360, mmap 0, used 519600, free 2183760
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes kernel-libipsec des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.10.38
  192.168.3.107
Connections:
      tunnel:  %any...192.168.10.40  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: [192.168.10.40] uses pre-shared key authentication
      tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 2 minutes ago, 192.168.10.38[192.168.10.38]...192.168.10.40[192.168.10.40]
      tunnel[1]: IKEv2 SPIs: 175dcf9cdcf11b38_i* 9cc05896738a5e45_r, pre-shared key reauthentication in 32 minutes
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

Thanks

On Wednesday 07 February 2018 08:31 PM, Jafar Al-Gharaibeh wrote:
Sujoy,
Are you sure about rightsubnet=192.168.10.0/32? This subnet gets you nothing unless you know that it has a special meaning in the config that I'm not aware of. You can have the least significant octet set to zero with a 32-bit netmask. What is the rightsubnet that you are trying to protect? Is it all of 192.168.10.0/24? Or just one host like 192.168.10.100?
--Jafar

On 2/7/2018 12:44 AM, Sujoy wrote:
Hi Noel,
Still cannot establish the tunnel. The logs don't show anything. Can someone help to solve this?

Client configuration

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel
    #
    left=%any
    right=192.168.10.40
    rightsubnet=192.168.10.0/32
    ike=aes128-md5-modp1536
    esp=aes128-sha1
    keyingtries=%forever
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    #dpdtimeout=120
    #dpdaction=restart
    authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel
    mobike=no
    #pfs=no
    reauth=no

Server setup

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel
    #conn %default
    conn tunnel
    #
    left=%any
    right=192.168.10.40
    rightsubnet=192.168.10.0/32
    ike=aes128-md5-modp1536
    esp=aes128-sha1
    keyingtries=%forever
    ikelifetime
[strongSwan] Tunneling failed with AES_CBC_256 algorithm

Hi Noel/Team,

Need help to resolve the following issue in tunneling. The connection is established but tunneling failed.

root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
  uptime: 5 hours, since Jan 30 12:40:15 2018
  malloc: sbrk 184320, mmap 0, used 161168, free 23152
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-libipsec kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fde6:8bab:cfa4::1
Connections:
      tunnel:  %any...192.168.10.38  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: [192.168.10.38] uses pre-shared key authentication
      tunnel:   child:  dynamic === 192.168.10.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[3]: ESTABLISHED 48 seconds ago, 192.168.10.1[192.168.10.1]...192.168.10.38[192.168.10.38]
      tunnel[3]: IKEv2 SPIs: 60459905871e3dee_i* 36a77bd6f87a1841_r, pre-shared key reauthentication in 38 minutes
      tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
root@Device_BD2009:~#

root@Device_BD2009:~# ipsec up tunnel
no files found matching '/etc/strongswan.d/*.conf'
establishing CHILD_SA tunnel
generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
sending packet: from 192.168.10.1[4500] to 192.168.10.38[4500] (188 bytes)
received packet: from 192.168.10.38[4500] to 192.168.10.1[4500] (188 bytes)
parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
failed to create ESP context: unsupported integrity algorithm UNDEFINED
failed to create SAD entry
failed to create ESP context: unsupported integrity algorithm UNDEFINED
failed to create SAD entry
unable to install inbound and outbound IPsec SA (SAD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
sending DELETE for ESP CHILD_SA with SPI c9c86396
generating INFORMATIONAL request 4 [ D ]
sending packet: from 192.168.10.1[4500] to 192.168.10.38[4500] (76 bytes)
received packet: from 192.168.10.38[4500] to 192.168.10.1[4500] (76 bytes)
parsed INFORMATIONAL response 4 [ D ]
establishing connection 'tunnel' failed
root@Device_BD2009:~#

Thanks & Regards
Sujoy

On Tuesday 16 January 2018 11:23 PM, Noel Kuntze wrote:
Hi,
Check the logs of the remote side. It means the remote peer did not like the proposed traffic selector. It was probably outside of the network range that its own configuration allows, meaning narrowing failed.
Kind regards
Noel

On 16.01.2018 07:25, Sujoy wrote:
Hi Noel,
The same strongswan 5.3.3 configuration is working from my VM (client) to the desktop server. But it is not working from my OpenWRT to the Linux server behind a NATed global IP. Can you help me to solve this? What does "received TS_UNACCEPTABLE notify, no CHILD_SA built" mean?
Server config file.
Thanks & Regards
Sujoy

On Thursday 04 January 2018 03:38 AM, Noel Kuntze wrote:
Hi,
Only on the responder. If you use dpd and enforce UDP encapsulation, you do not need to open any ports on the initiator side. Refer to the UsableExamples wiki page[1] for example configurations that are usable in the real world.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

On 28.12.2017 08:51, Sujoy wrote:
Hi All,
We want to implement StrongSwan with IPsec in OpenWRT. The IPSec server will be running in CentOS and the OpenWRT router will connect to it using VPN. I have configured the server part, and am struggling to configure the client part. Do we need to open port 4500 for this first? Can anyone suggest a solution for this?
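Several messages in this thread end in "received TS_UNACCEPTABLE notify, no CHILD_SA built", and Noel's and Jafar's replies say the same thing in different words: the responder intersects the traffic selectors the initiator proposed (TSi/TSr) with its own left/right and left/rightsubnet configuration, and sends TS_UNACCEPTABLE when nothing survives the intersection. The example below is added by the editor and is not strongSwan's code; it models the narrowing rule of RFC 7296 section 2.9 for IPv4 address ranges, protocol and ports, and runs it against the two responder configurations quoted in this thread, rightsubnet=192.168.10.0/32 and rightsubnet=192.168.10.38/24, with the initiator 192.168.10.38 proposing host-to-host selectors (the "dynamic === dynamic" child shown in its statusall output). The class and function names are ours; the addresses are the thread's.

```python
"""IKEv2 traffic-selector narrowing (RFC 7296 sect. 2.9), editor's example.

Not strongSwan's implementation: a small model of what the responder does
with the TSi/TSr payloads before it either installs a CHILD_SA or answers
TS_UNACCEPTABLE. Addresses are taken from the mailing-list thread; the
selector type and helper names are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TrafficSelector:
    """One TS_IPV4_ADDR_RANGE: address range, IP protocol and port range."""
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    proto: int = 0          # 0 = any protocol, as in the IKEv2 payload
    port_lo: int = 0
    port_hi: int = 65535

    @classmethod
    def from_cidr(cls, cidr: str, proto: int = 0,
                  port_lo: int = 0, port_hi: int = 65535) -> "TrafficSelector":
        # strict=False: "192.168.10.38/24" is read as 192.168.10.0/24, which is
        # how a rightsubnet=192.168.10.38/24 line is interpreted.
        net = ipaddress.IPv4Network(cidr, strict=False)
        return cls(net.network_address, net.broadcast_address,
                   proto, port_lo, port_hi)

    def __str__(self) -> str:
        return (f"{self.start}-{self.end}/proto {self.proto}"
                f"/ports {self.port_lo}-{self.port_hi}")


def intersect(a: TrafficSelector, b: TrafficSelector) -> Optional[TrafficSelector]:
    """Common subset of two selectors, or None when they are disjoint."""
    if a.proto and b.proto and a.proto != b.proto:
        return None
    start, end = max(a.start, b.start), min(a.end, b.end)
    if start > end:
        return None
    lo, hi = max(a.port_lo, b.port_lo), min(a.port_hi, b.port_hi)
    if lo > hi:
        return None
    return TrafficSelector(start, end, a.proto or b.proto, lo, hi)


def narrow(proposed: List[TrafficSelector],
           configured: List[TrafficSelector]) -> List[TrafficSelector]:
    """Responder-side narrowing: keep every non-empty intersection of a
    proposed selector with a configured one. An empty result means the
    responder can accept nothing, which it reports as TS_UNACCEPTABLE."""
    out: List[TrafficSelector] = []
    for p in proposed:
        for c in configured:
            ts = intersect(p, c)
            if ts is not None and ts not in out:
                out.append(ts)
    return out


def child_sa_result(tsi: List[TrafficSelector], tsr: List[TrafficSelector],
                    local_cfg: List[TrafficSelector],
                    remote_cfg: List[TrafficSelector]) -> str:
    """Evaluate a proposal from the responder's point of view. TSi describes
    the initiator, so it is matched against the responder's *remote* config
    (right/rightsubnet); TSr against its *local* config (left/leftsubnet)."""
    i_ok = narrow(tsi, remote_cfg)
    r_ok = narrow(tsr, local_cfg)
    if not i_ok or not r_ok:
        return "TS_UNACCEPTABLE"
    return ("CHILD_SA " + ", ".join(map(str, i_ok))
            + " === " + ", ".join(map(str, r_ok)))


# Initiator 192.168.10.38 with no left/rightsubnet: host-to-host selectors.
TSI = [TrafficSelector.from_cidr("192.168.10.38/32")]
TSR = [TrafficSelector.from_cidr("192.168.10.40/32")]

# Responder 192.168.10.40, the two configurations quoted in this thread.
LOCAL = [TrafficSelector.from_cidr("192.168.10.40/32")]          # left=%any -> own address
REMOTE_SLASH32 = [TrafficSelector.from_cidr("192.168.10.0/32")]   # rightsubnet=192.168.10.0/32
REMOTE_SLASH24 = [TrafficSelector.from_cidr("192.168.10.38/24")]  # rightsubnet=192.168.10.38/24

if __name__ == "__main__":
    print(child_sa_result(TSI, TSR, LOCAL, REMOTE_SLASH32))
    print(child_sa_result(TSI, TSR, LOCAL, REMOTE_SLASH24))
```

The /32 with a zero host octet covers exactly one address, 192.168.10.0, so the initiator's 192.168.10.38/32 has no overlap with it and the responder can only answer TS_UNACCEPTABLE; the /24 narrows to 192.168.10.38/32 === 192.168.10.40/32 and a CHILD_SA can be built. The same intersection applies to protocol and port ranges, which is what a selector restricted to TCP/22 or TCP/80 would need to match on both ends.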
Re: [strongSwan] OpenWRT. IPSec server

Hi Noel,

When I run "ipsec up tunnel" I get the below message.

scheduling reauthentication in 2905s
maximum IKE_SA lifetime 3445s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'tunnel' failed

Following is my client config file:

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel
    #
    left=192.168.10.1
    right=X.X.X.X
    ike=aes256-sha1-modp2048
    #ike=aes256-sha384-prfsha384-ecp384!
    esp=aes256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=1h
    dpdaction=restart
    authby=psk
    auto=start

Thanks
Sujoy

On Thursday 04 January 2018 03:38 AM, Noel Kuntze wrote:
Hi,
Only on the responder. If you use dpd and enforce UDP encapsulation, you do not need to open any ports on the initiator side. Refer to the UsableExamples wiki page[1] for example configurations that are usable in the real world.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples

On 28.12.2017 08:51, Sujoy wrote:
Hi All,
We want to implement StrongSwan with IPsec in OpenWRT. The IPSec server will be running in CentOS and the OpenWRT router will connect to it using VPN. I have configured the server part, and am struggling to configure the client part. Do we need to open port 4500 for this first? Can anyone suggest a solution for this?
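The client configuration in this message proposes `esp=aes256!`, a cipher with no integrity algorithm, and the later "Tunneling failed with AES_CBC_256 algorithm" message in this thread shows the client's ESP layer refusing a negotiated SA with "unsupported integrity algorithm UNDEFINED". AES-CBC is not an AEAD cipher, so an ESP proposal that names only the cipher leaves the SA without any integrity protection unless the peer adds one. The lint below is an editor's example, not strongSwan's proposal parser: it reads `esp=` values in the ipsec.conf notation used throughout this thread (comma-separated proposals, hyphen-separated algorithms, trailing `!` for a strict list) and reports proposals that pair a non-AEAD cipher with no MAC, redundant MACs on AEAD ciphers, legacy MACs, and a missing strict marker. The algorithm tables are our assumed subset of the keywords, sufficient for the strings on this page, not the complete strongSwan list.

```python
"""Lint for strongSwan ipsec.conf esp= proposal strings (editor's example).

Not strongSwan's own parser. It models only the notation used in this thread:
proposals separated by ',', algorithms inside a proposal separated by '-',
and a trailing '!' meaning only the listed proposals are offered. The
keyword tables are an assumed subset, enough for the strings on this page.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Ciphers that only encrypt; ESP must pair them with a separate integrity algorithm.
CIPHERS_NON_AEAD = {"aes128", "aes192", "aes256", "3des", "null"}
# AEAD ciphers carry their own authentication tag; no separate MAC is negotiated.
AEAD_RE = re.compile(r"^aes(128|192|256)(gcm|ccm)(8|12|16|64|96|128)$|^chacha20poly1305$")
INTEGRITY = {"md5", "sha1", "sha256", "sha384", "sha512", "aesxcbc"}
LEGACY_INTEGRITY = {"md5", "sha1"}          # avoid for new deployments
DH_RE = re.compile(r"^(modp\d+|ecp\d+|curve25519)$")


@dataclass
class Proposal:
    text: str
    ciphers: List[str] = field(default_factory=list)
    integrity: List[str] = field(default_factory=list)
    dh: List[str] = field(default_factory=list)
    unknown: List[str] = field(default_factory=list)

    @property
    def aead_only(self) -> bool:
        return bool(self.ciphers) and all(AEAD_RE.match(c) for c in self.ciphers)


def parse_proposals(value: str) -> Tuple[bool, List[Proposal]]:
    """Split an esp= value into (strict, [Proposal, ...])."""
    strict = value.endswith("!")
    proposals = []
    for chunk in value.rstrip("!").split(","):
        p = Proposal(chunk)
        for alg in chunk.split("-"):
            if alg in CIPHERS_NON_AEAD or AEAD_RE.match(alg):
                p.ciphers.append(alg)
            elif alg in INTEGRITY:
                p.integrity.append(alg)
            elif DH_RE.match(alg):
                p.dh.append(alg)        # DH group in esp= means PFS on rekey
            else:
                p.unknown.append(alg)
        proposals.append(p)
    return strict, proposals


def lint_esp(value: str) -> List[str]:
    """Return findings for one esp= value; an empty list means nothing to report."""
    findings = []
    strict, proposals = parse_proposals(value)
    for p in proposals:
        if p.unknown:
            findings.append(f"{p.text}: unknown token(s) {p.unknown}")
        if not p.ciphers:
            findings.append(f"{p.text}: no encryption algorithm")
        elif not p.aead_only and not p.integrity:
            findings.append(f"{p.text}: non-AEAD cipher without an integrity algorithm; "
                            "the ESP SA would carry no integrity protection")
        elif p.aead_only and p.integrity:
            findings.append(f"{p.text}: integrity algorithm is redundant with an AEAD cipher")
        for mac in p.integrity:
            if mac in LEGACY_INTEGRITY:
                findings.append(f"{p.text}: {mac} is a legacy integrity algorithm")
    if not strict:
        findings.append(f"{value}: no trailing '!', the built-in default proposals are offered as well")
    return findings


if __name__ == "__main__":
    # esp= values quoted in this thread, plus one AEAD proposal for contrast.
    for value in ("aes256!", "aes256-sha1", "aes256-sha1-modp2048!", "aes128-sha1", "aes256gcm16!"):
        print(f"esp={value}")
        for finding in lint_esp(value) or ["  ok"]:
            print("  " + finding if not finding.startswith("  ") else finding)
```

Running it over the values from this thread reports `aes256!` as a non-AEAD cipher with no integrity algorithm, flags sha1 on the other proposals as legacy, and passes `aes256gcm16!` clean. Whatever caused the specific failure on the OpenWRT device, an ESP proposal that reaches the kernel with integrity UNDEFINED is exactly the state this check is meant to catch before the tunnel is brought up.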
[strongSwan] OpenWRT. IPSec server

Hi All,

We want to implement StrongSwan with IPsec in OpenWRT. The IPSec server will be running in CentOS and the OpenWRT router will connect to it using VPN. I have configured the server part, and am struggling to configure the client part. Do we need to open port 4500 for this first? Can anyone suggest a solution for this?

--
Thanks & Regards
Sujoy