Hi,

I am using strongSwan to connect to a supplier's VPN, but am having trouble understanding the IP network ranges required.

The server I'm connecting from is a Debian server with strongSwan 5.5.1. It has one public IP in a /29, so it has one interface (bond0 using eth0/eth1). There are iptables rules for incoming traffic, nothing for outgoing. I ended up adding an interface for 10.100.15.1, as that is what appears to be required.

The 3rd party has supplied details for a Fortigate VPN. I have an AWS VPN endpoint IP along with the usual encryption details, using a PSK. It wants AES256 + SHA256 + DH Group 5.

It lists two 'encryption domain' IP ranges for their side. It also provides an encryption domain for our side. Here's the ipsec.conf, anonymised:

config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

conn server-to-aws
        authby=secret
        type=tunnel
        auto=start
        compress=no

        leftid=server
# I tried these first
#       left=x.x.x.x            (public IP of our server)
#       leftsubnet=x.x.x.x/29
        left=10.100.15.1
# encryption domain for our side, mandated by 3rd party
        leftsubnet=10.100.15.0/24
        leftfirewall=no

# public VPN endpoint of 3rd party
        right=y.y.y.y
        rightid=aws
# encryption domain of 3rd party
        rightsubnet=172.21.0.0/16,172.22.0.0/16
        keyexchange=ikev1
        ike=aes256-sha256-modp1536
        esp=aes256-sha256-modp1536
        ikelifetime=24h
        lifetime=24h
        dpddelay=15
        dpdtimeout=30

Here's the log, anonymised with the same IPs:

Mar 25 14:03:55  charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-11-amd64, x86_64)
Mar 25 14:03:55  charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 25 14:03:55  charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 25 14:03:55  charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 25 14:03:55  charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 25 14:03:55  charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 25 14:03:55  charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 25 14:03:55  charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Mar 25 14:03:55  charon: 00[CFG]   loaded IKE secret for 10.100.15.1 y.y.y.y
Mar 25 14:03:55  charon: 00[CFG]   loaded IKE secret for x.x.x.x y.y.y.y
Mar 25 14:03:55  charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default ck stroke updown
Mar 25 14:03:55  charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 25 14:03:55  charon: 00[JOB] spawning 16 worker threads
Mar 25 14:03:55  charon: 16[CFG] received stroke: add connection 'server-to-aws'
Mar 25 14:03:55  charon: 16[CFG] added configuration 'server-to-aws'
Mar 25 14:03:55  charon: 07[CFG] received stroke: initiate 'server-to-aws'
Mar 25 14:03:55  charon: 07[IKE] initiating Main Mode IKE_SA server-to-aws[1] to y.y.y.y
Mar 25 14:03:55  charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Mar 25 14:03:55  charon: 07[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:03:59  charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
Mar 25 14:03:59  charon: 12[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:04:06  charon: 11[IKE] sending retransmit 2 of request message ID 0, seq 1
Mar 25 14:04:06  charon: 11[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:04:15  charon: 07[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
Mar 25 14:04:15  charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
Mar 25 14:04:15  charon: 07[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Mar 25 14:04:15  charon: 07[ENC] generating INFORMATIONAL_V1 request 852369688 [ N(NO_PROP) ]
Mar 25 14:04:15  charon: 07[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Mar 25 14:04:16  snmpd[1797]: error on subcontainer 'ia_addr' insert (-1)
Mar 25 14:04:18  charon: 10[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
Mar 25 14:04:18  charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
Mar 25 14:04:18  charon: 10[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Mar 25 14:04:18  charon: 10[ENC] generating INFORMATIONAL_V1 request 699850337 [ N(NO_PROP) ]
Mar 25 14:04:18  charon: 10[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Mar 25 14:04:19  charon: 14[IKE] sending retransmit 3 of request message ID 0, seq 1
Mar 25 14:04:19  charon: 14[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:04:24  charon: 00[DMN] signal of type SIGINT received. Shutting down
Mar 25 14:04:24  charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification


thanks
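As an added example (not part of the original post), a small Python checker that reads charon `[NET]`/`[IKE]` lines like the ones above and reports when the peer's replies arrive at a local address no conn covers. That is what `no IKE config found for x.x.x.x...y.y.y.y` means here: charon sent from the configured `left=10.100.15.1`, but the peer answered to the public address x.x.x.x, for which no conn exists. The sample log is constructed from the anonymised lines in the post.

```python
import re

# Constructed sample, modelled on the anonymised charon log in the post
# (x.x.x.x = our public IP, y.y.y.y = the peer, 10.100.15.1 = the configured left=).
SAMPLE_LOG = """\
Mar 25 14:03:55  charon: 07[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:03:59  charon: 12[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:04:15  charon: 07[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
Mar 25 14:04:15  charon: 07[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Mar 25 14:04:15  charon: 07[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
"""

# "[NET] sending packet: from A[500] to B[500]" and the matching "received" form
NET_RE = re.compile(r"\[NET\] (sending|received) packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
# "no IKE config found for LOCAL...REMOTE,"
NOCFG_RE = re.compile(r"no IKE config found for (\S+?)\.\.\.(\S+?),")


def analyse(log_text, peer):
    """Collect which local addresses charon sent to `peer` from, which local
    addresses `peer` answered to, and which local addresses had no matching conn."""
    sent_from, answered_to, unconfigured = set(), set(), set()
    for line in log_text.splitlines():
        m = NET_RE.search(line)
        if m:
            direction, src, dst = m.groups()
            if direction == "sending" and dst == peer:
                sent_from.add(src)
            elif direction == "received" and src == peer:
                answered_to.add(dst)
        m = NOCFG_RE.search(line)
        if m and m.group(2) == peer:
            unconfigured.add(m.group(1))
    return {"sent_from": sent_from, "answered_to": answered_to,
            "unconfigured": unconfigured}


def findings(report, peer):
    """Turn the collected addresses into plain-language findings."""
    out = []
    for local in sorted(report["answered_to"] & report["unconfigured"]):
        others = sorted(report["sent_from"] - {local})
        out.append(f"{peer} answers to {local}, but no conn has left={local}; "
                   f"charon initiated from {others}")
    if not report["answered_to"]:
        out.append(f"no packets received from {peer}: check UDP/500 filtering")
    return out


if __name__ == "__main__":
    for f in findings(analyse(SAMPLE_LOG, "y.y.y.y"), "y.y.y.y"):
        print(f)
```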