Can you post your log file? The difference in configurations is the wiki has authby=secret in the default connection whereas you have it in the individual connection.

Regards,
Randy

On Fri, Jun 5, 2015 at 10:39 AM, Alexandre DEPREZ <[email protected]> wrote:

> yes, true, they are for openswan, my bad.
>
> I do not have a hand on the other side. Can't tell
>
> On Fri, Jun 5, 2015 at 7:35 PM, Noel Kuntze <[email protected]> wrote:
>
>> Hello Alexandre,
>>
>> These options don't exist:
>> leftxauthclient=no
>> rightxauthserver=no
>> You described using those in one of your last emails.
>> What is the config on the other side?
>>
>> Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 05.06.2015 at 19:29, Alexandre DEPREZ wrote:
>> > Randy,
>> >
>> > I'll change if there are no other possibilities.
>> >
>> > As for the link you gave me, thank you for it. I did a lot of digging in the documentation I could read. So far, nothing seems to work.
>> >
>> >
>> > Noel,
>> >
>> > version 2.0
>> >
>> > config setup
>> >     charonstart=no
>> >     interfaces="%none"
>> >     nat_traversal=no
>> >
>> > conn clear
>> >     auto=ignore
>> >
>> > conn clear-or-private
>> >     auto=ignore
>> >
>> > conn private-or-clear
>> >     auto=ignore
>> >
>> > conn private
>> >     auto=ignore
>> >
>> > conn block
>> >     auto=ignore
>> >
>> > conn packetdefault
>> >     auto=ignore
>> >
>> > conn %default
>> >     keyexchange=ikev1
>> >
>> > conn tunnel-1
>> >     left=a.a.a.a
>> >     right=b.b.b.b
>> >     leftsubnet=10.252.243.128/28
>> >     rightsubnet=172.23.149.0/24
>> >     leftsourceip=a.a.a.a
>> >     ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>> >     ikelifetime=86400s
>> >     dpddelay=15s
>> >     dpdtimeout=30s
>> >     dpdaction=restart
>> >     esp=aes256-sha1!
>> >     keylife=3600s
>> >     rekeymargin=540s
>> >     type=tunnel
>> >     authby=secret
>> >     pfs=no
>> >     compress=no
>> >     auto=start
>> >     keyingtries=%forever
>> >
>> >
>> > Also, I didn't get the imaginary configuration option part?
>> >
>> > Thanks
>> >
>> >
>> > On Fri, Jun 5, 2015 at 7:20 PM, Noel Kuntze <[email protected]> wrote:
>> >
>> > Hello Alexandre,
>> >
>> > Please stop trying to use some imaginary configuration options and stick to those
>> > on the man page of ipsec.conf.
>> >
>> > What is your complete ipsec.conf? Pay attention to conn %default, if you have that,
>> > as it will bequeath its own options to _all_ other conns.
>> >
>> > Kind Regards,
>> > Noel Kuntze
>> >
>> > GPG Key ID: 0x63EC6658
>> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> >
>> > On 05.06.2015 at 19:07, Alexandre DEPREZ wrote:
>> > > Hi Randy,
>> > >
>> > > I forgot to mention, I'm using this version:
>> > >
>> > > Linux strongSwan U4.5.2/K3.2.0-4-amd64
>> > >
>> > > Here it is:
>> > >
>> > > conn tunnel-1
>> > >     left=a.a.a.a
>> > >     right=b.b.b.b
>> > >     leftsubnet=10.252.243.128/28
>> > >     rightsubnet=172.23.149.0/24
>> > >     leftsourceip=a.a.a.a
>> > >     ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>> > >     ikelifetime=86400s
>> > >     dpddelay=15s
>> > >     dpdtimeout=30s
>> > >     dpdaction=restart
>> > >     esp=aes256-sha1!
>> > >     keylife=3600s
>> > >     rekeymargin=540s
>> > >     type=tunnel
>> > >     authby=secret
>> > >     pfs=no
>> > >     compress=no
>> > >     auto=start
>> > >     keyingtries=%forever
>> > >
>> > > I also tried to use
>> > >
>> > > leftxauthclient=no
>> > > rightxauthserver=no
>> > >
>> > > No changes.
>> > >
>> > > Thanks
>> > >
>> > >
>> > > On Fri, Jun 5, 2015 at 7:02 PM, Randy Wyatt <[email protected]> wrote:
>> > >
>> > > Please send a sanitized version of your configuration. xauth should only be sent if you configured it to be sent.
>> > >
>> > > On Fri, Jun 5, 2015 at 9:09 AM, Alexandre DEPREZ <[email protected]> wrote:
>> > >
>> > > Hi,
>> > >
>> > > I'm using strongswan only for L2L VPN.
>> > >
>> > > It's been some time now, I can not be the initiator of the VPN because strongswan is always sending an XAUTH option in the phase 1 establishment.
>> > >
>> > > When the other side is not configured to receive remote user, it's working but when it is, I'm receiving L2TP/IPsec or some other remote access vpn protocols.
>> > >
>> > > I can not wait for the other side to send me traffic in order to be the responder. I tried to recompile strongswan removing xauth, but it's not working.
>> > >
>> > > Is there any configuration command I can use to force strongswan not to send XAUTH?
>> > >
>> > > Thanks
>> > >
>> > > Alex
>> > >
>> > > _______________________________________________
>> > > Users mailing list
>> > > [email protected]
>> > > https://lists.strongswan.org/mailman/listinfo/users
>> > >
>> > > --
>> > > Randy W. Wyatt
>> > > [email protected]
>> > > Home: 858-309-5303
>> > > Cell: 858-598-4421
>> > > Fax: 858-408-7554
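The `conn %default` inheritance and the two rejected keywords discussed in this thread, as an added example that is not part of any message above: it resolves the settings each conn effectively ends up with and flags the keywords the thread identifies as Openswan-only. The sample configuration is constructed, and the function names and the simplified parsing (no `also=` or `include` handling) are assumptions of this example.

```python
# Added example (not from the thread): effective per-conn settings in ipsec.conf.
# Keywords the thread identifies as Openswan options that strongSwan lacks.
OPENSWAN_ONLY = {"leftxauthclient", "rightxauthserver"}

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE = """\
version 2.0

config setup
    charonstart=no

conn %default
    keyexchange=ikev1

conn tunnel-1
    authby=secret
    leftxauthclient=no
    rightxauthserver=no
    auto=start
"""

def parse_sections(text):
    """Return {(type, name): {key: value}} for config/conn/ca sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Headers start in column 0; other top-level lines (version 2.0) end the section.
            parts = line.split()
            known = len(parts) == 2 and parts[0] in ("config", "conn", "ca")
            current = sections.setdefault((parts[0], parts[1]), {}) if known else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def effective_conns(text):
    """Merge conn %default into every other conn (assumed order-independent); own value wins."""
    sections = parse_sections(text)
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **opts} for (kind, name), opts in sections.items()
            if kind == "conn" and name != "%default"}

def audit(text):
    """Return sorted (conn, keyword) pairs that use an Openswan-only keyword."""
    return sorted((name, key) for name, opts in effective_conns(text).items()
                  for key in opts if key in OPENSWAN_ONLY)
```

Under this merge rule, `authby=secret` resolves to the same effective value for `tunnel-1` whether it is written in `conn %default` or in the conn itself.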
