Jianjun,

I see at least one issue, "left" config is wrong, instead of
left=0.0.0.0 you want left=%any

Regards,
Jafar

On 9/2/19 5:03 PM, Jianjun Shen Shen wrote:
> Hello,
>
> I am using strongswan (U5.3.5/K4.4.0-87-generic) on Ubuntu (16.04.3 LTS).
>
> Running "/usr/lib/ipsec/charon --debug-cfg 4 --debug-ike 4" got the
> following log messages:
> 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux
> 4.4.0-87-generic, x86_64)
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG] loaded IKE secret for 0.0.0.0 10.162.19.54
> 00[CFG] secret: 73:77:6f:72:64:66:69:73:68
> 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5
> random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
> pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr
> kernel-netlink resolve socket-default stroke updown
> 00[LIB] dropped capabilities, running as uid 0, gid 0
> 00[JOB] spawning 16 worker threads
> 05[NET] received packet: from 10.162.19.54[500] to 10.162.19.55[500]
> (660 bytes)
> 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) N(HASH_ALG) ]
> 05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54
> 05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending
> NO_PROPOSAL_CHOSEN
> 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> 05[NET] sending packet: from 10.162.19.55[500] to 10.162.19.54[500]
> (36 bytes)
> 05[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
>
> And my ipsec.conf is quite simple:
> config setup
>     uniqueids=yes
>
> conn %default
>     keyingtries=%forever
>     type=transport
>     keyexchange=ikev2
>     auto=route
>     ike=aes256gcm16-sha256-modp2048
>     esp=aes256gcm16-modp2048
>
> conn host54
>     left=0.0.0.0
>     right=10.162.19.54
>     authby=psk
>     leftprotoport=gre
>     rightprotoport=gre
>
> "ipsec statusall" shows the following:
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-87-generic,
> x86_64):
>   uptime: 3 seconds, since Sep 02 22:00:24 2019
>   malloc: sbrk 1216512, mmap 0, used 251808, free 964704
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>   scheduled: 0
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
>   nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
>   dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve
>   socket-default stroke updown
> Listening IP addresses:
>   10.162.19.55
>   fd01:0:101:2616:20c:29ff:fe2f:26c4
>   172.17.0.1
>   192.168.0.55
> Connections:
>   host54: 0.0.0.0...10.162.19.54 IKEv2
>   host54: local: uses pre-shared key authentication
>   host54: remote: [10.162.19.54] uses pre-shared key authentication
>   host54: child: dynamic[gre] === dynamic[gre] TRANSPORT
> Routed Connections:
>   host54 {1}: ROUTED, TRANSPORT, reqid 1
>   host54 {1}: 10.162.19.55/32[gre]
>   === 10.162.19.54/32[gre]
> Security Associations (0 up, 0 connecting):
>   none
>
> So, I could not see anything wrong. Could you please help?
>
> Regards,
> Jianjun
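A triage helper for the situation in this thread, added here as an example; it is not code from either poster or from strongSwan. It pairs each "no IKE config found" log event with the conn sections that name that peer and applies the one rule suggested in the reply (flag left=0.0.0.0). The function names and the shortened sample inputs are constructed for illustration, and `conn %default` inheritance is not modelled.

```python
import re

# Constructed sample inputs, shortened from the config and log quoted in the thread.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2

conn host54
    left=0.0.0.0
    right=10.162.19.54
    authby=psk
"""
SAMPLE_LOG = """\
05[CFG] looking for an ike config for 10.162.19.55...10.162.19.54
05[IKE] no IKE config found for 10.162.19.55...10.162.19.54, sending NO_PROPOSAL_CHOSEN
"""
NO_CFG = re.compile(r"\[IKE\] no IKE config found for (\S+)\.\.\.(\S+),")


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = None  # "config setup" keys are not conn options
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def explain_rejections(conf_text, log_text):
    """One finding per rejected IKE_SA_INIT and conn whose right= is that peer."""
    findings = []
    conns = parse_conns(conf_text)
    for local, remote in NO_CFG.findall(log_text):
        for name, opts in conns.items():
            if opts.get("right") != remote:
                continue
            left = opts.get("left", "(unset)")
            if left == "0.0.0.0":
                # Rule taken from the reply in this thread.
                hint = "use left=%any instead of left=0.0.0.0"
            else:
                hint = "left is not 0.0.0.0; check the other settings"
            findings.append((name, local, remote, left, hint))
    return findings
```
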