Hi,

Some things:

1) Your tunnel only protects traffic between exactly two IP addresses
(XXX.XXX.166.2/32 and 10.10.10.1/32), which is probably not what you want.
Looks like the remote peer narrows the TS to the IP addresses instead of the
networks you want. Did you configure the exact networks you require?

2) The iptables/nftables rules also pertain to the function of the VPN.

Please provide all data as shown on the HelpRequests[1] page.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 30.03.20 at 11:42, jl.bous...@laposte.net wrote:
> Hello
> I need to configure a VPN server for road warrior devices.
> The RW establishes the tunnel and then a local process of the server hosting
> strongSwan must access the RW device.
> The RW config is preset, I can only change the VPN server IP address to reach.
> My VPN server is behind my internet access router with NAT and port forwarding
> of ports 500/4500.
> I must be making a stupid error, but I cannot make it run.
> I looked at samples, I tried both ipsec.conf and swanctl.conf.
> With ipsec.conf, I always fail with "no matching peer config found".
> With swanctl, I found a way to establish the tunnel, keep-alives are
> exchanged but the tunnel seems not to be well configured
> (for that I must add my public IP in the local_ts:
> local_ts = 192.168.1.55,XXX.XXX.166.2).
> I would appreciate your help.
>
> Peer1 - AccessRouter1wNAT ============== MyAccessRouterwithNAT =================== ServerStrongSwan
> @PUB1                                    My@Pub
>                                          192.168.1.1 (Defgwy)                    192.168.1.55
>
> Port Forward (500,4500) =========================>
> <=========================================== HTTPS over Tunnel ===================
>
> ------------------------------------------------------------------------------------------------
> # ipsec.conf - strongSwan IPsec configuration file
> config setup
>     charondebug="all"
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     authby=secret
>
> conn Peervpn
>     right=%any
>     rightsubnet=10.10.10.0/28
>
>     #My@PUB=XXX.XXX.166.2 # don't know what to do with my @ Pub
>
>     left=192.168.1.55
>     leftfirewall=yes
>     leftsubnet=192.168.1.0/24
>
>     ah=aes256-sha256-modp2048
>     esp=aes256-sha256-modp2048
>     ike=aes256-sha256-modp2048
>     auto=add
> ------------------------------------------------------------------------------------------------
> ipsec.secrets:
> # This file holds shared secrets or RSA private keys for authentication.
> 10.10.10.1 : PSK myterriblesecretwithpeer1
> myPeer1 : PSK myterriblesecretwithpeer1
> ------------------------------------------------------------------------------------------------
> sudo ipsec statusall
> Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.19.66-v7+, armv7l):
>   uptime: 6 seconds, since Mar 30 09:45:02 2020
>   malloc: sbrk 1216512, mmap 0, used 215368, free 1001144
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown
> Listening IP addresses:
>   192.168.1.55
>   2a01:cb10:593:cf00:137:62f2:f7e8:274c
>   10.6.0.1
> Connections:
>      Peervpn:  192.168.1.55...%any  IKEv2
>      Peervpn:   local:  [192.168.1.55] uses pre-shared key authentication
>      Peervpn:   remote: uses pre-shared key authentication
>      Peervpn:   child:  192.168.1.0/24 === 10.10.10.0/28 TUNNEL
> Security Associations (0 up, 0 connecting):
>   none
> ------------------------------------------------------------------------------------------------
> sudo swanctl --log
> 10[NET] received packet: from 80.14.87.221[58694] to 192.168.1.55[500] (464 bytes)
> 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> 10[IKE] 80.14.87.221 is initiating an IKE_SA
> 10[IKE] local host is behind NAT, sending keep alives
> 10[IKE] remote host is behind NAT
> 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> 10[NET] sending packet: from 192.168.1.55[500] to 80.14.87.221[58694] (464 bytes)
> 14[NET] received packet: from 80.14.87.221[58698] to 192.168.1.55[4500] (304 bytes)
> 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> 14[CFG] looking for peer configs matching 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1]
> 14[CFG] no matching peer config found
> 14[IKE] peer supports MOBIKE
> 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 14[NET] sending packet: from 192.168.1.55[4500] to 80.14.87.221[58698] (80 bytes)
>
> ------------------------------------------------------------------------------------------------
> ------------------------------------------------------------------------------------------------
> Don't waste your time with this second syntax based on swanctl if you found
> how to set the ipsec.conf one.
>
> When using swanctl.conf with my PUB IP in local_ts, the tunnel seems to be
> established but not the routing.
> Should I make it by hand in place of the _updown script, or is this tunnel badly
> set?
>
> XXX.XXX.166.2 {
>     RemotePeers {
>         version = 2
>         proposals = aes256-sha256-modp2048
>         local_addrs = 192.168.1.55
>         pools = rw_pool
>         local {  # don't know why auth for local...
>             auth = psk
>         }
>         remote {
>             auth = psk
>         }
>         children {
>             RemotePeersVPN {
>                 local_ts = 192.168.1.55,XXX.XXX.166.2
>                 #local_ts = 192.168.1.55
>
>                 # Don't know why I cannot find it in /usr/local/libexec but found it in /usr/lib
>                 # updown = /usr/local/libexec/ipsec/_updown iptables
>                 updown = /usr/lib/ipsec/_updown iptables
>             }
>         }
>     }
> }
> pools {
>     rw_pool {
>         addrs = 10.10.10.0/28
>     }
> }
> secrets {
>     ike-remote-Peer1 {
>         id = myPeer1
>         secret = myterriblesecretwithpeer1
>     }
> }
> ------------------------------------------------------------------------------------------------
> sudo ipsec statusall
> XXX.XXX.166.2:
>   RemotePeers:  192.168.1.55...%any  IKEv2
>   RemotePeers:   local:  uses pre-shared key authentication
>   RemotePeers:   remote: uses pre-shared key authentication
>   RemotePeersVPN:   child:  192.168.1.55/32 XXX.XXX.166.2/32 === dynamic TUNNEL
> Security Associations (0 up, 0 connecting):
>   none
> ------------------------------------------------------------------------------------------------
> sudo swanctl --log
> 12[NET] received packet: from 80.14.87.221[58736] to 192.168.1.55[500] (464 bytes)
> 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> 12[IKE] 80.14.87.221 is initiating an IKE_SA
> 12[IKE] local host is behind NAT, sending keep alives
> 12[IKE] remote host is behind NAT
> 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> 12[NET] sending packet: from 192.168.1.55[500] to 80.14.87.221[58736] (464 bytes)
> 10[NET] received packet: from 80.14.87.221[58737] to 192.168.1.55[4500] (304 bytes)
> 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> 10[CFG] looking for peer configs matching 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1]
> 10[CFG] selected peer config 'RemotePeers'
> 10[IKE] authentication of 'myPeer1' with pre-shared key successful
> 10[IKE] peer supports MOBIKE
> 10[IKE] authentication of 'XXX.XXX.166.2' (myself) with pre-shared key
> 10[IKE] IKE_SA RemotePeers[1] established between 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1]
> 10[IKE] scheduling rekeying in 13593s
> 10[IKE] maximum IKE_SA lifetime 15033s
> 10[IKE] peer requested virtual IP %any
> 10[CFG] assigning new lease to 'myPeer1'
> 10[IKE] assigning virtual IP 10.10.10.1 to peer 'myPeer1'
> 10[IKE] CHILD_SA RemotePeersVPN{1} established with SPIs ca64039c_i c33dcf71_o and TS XXX.XXX.166.2/32 === 10.10.10.1/32
> 10[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
> 10[NET] sending packet: from 192.168.1.55[4500] to 80.14.87.221[58737] (288 bytes)
> 05[IKE] sending keep alive to 80.14.87.221[58737]
> 08[NET] received packet: from 80.14.87.221[58737] to 192.168.1.55[4500] (128 bytes)
> 08[ENC] parsed INFORMATIONAL request 2 [ N(NATD_S_IP) N(NATD_D_IP) ]
> 08[ENC] generating INFORMATIONAL response 2 [ N(NATD_S_IP) N(NATD_D_IP) ]
> 08[NET] sending packet: from 192.168.1.55[4500] to 80.14.87.221[58737] (128 bytes)
> ----------
> Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.19.66-v7+, armv7l):
> XXX.XXX.166.2:
>   RemotePeers:  192.168.1.55...%any  IKEv2
>   RemotePeers:   local:  uses pre-shared key authentication
>   RemotePeers:   remote: uses pre-shared key authentication
>   RemotePeersVPN:   child:  192.168.1.55/32 XXX.XXX.166.2/32 === dynamic TUNNEL
> Security Associations (1 up, 0 connecting):
>   RemotePeers[1]: ESTABLISHED 7 minutes ago, 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1]
>   RemotePeers[1]: IKEv2 SPIs: 51aac4f5007e70b6_i 88876b56d5d9029d_r*, rekeying in 3 hours
>   RemotePeers[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>   RemotePeersVPN{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca64039c_i c33dcf71_o
>   RemotePeersVPN{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes
>   RemotePeersVPN{1}:   XXX.XXX.166.2/32 === 10.10.10.1/32
>
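To make point 1) above concrete, here is an added Python example (not part of the thread and not strongSwan code) that reproduces the IKEv2 responder-side traffic-selector narrowing which turned the configured selectors into XXX.XXX.166.2/32 === 10.10.10.1/32. It assumes the road warrior proposed only the gateway's public address as TSr and 0.0.0.0/0 as TSi, and uses 203.0.113.2 as a stand-in for the redacted public address.

```python
"""IKEv2 traffic-selector narrowing (RFC 7296, section 2.9), IPv4 only.

The responder installs only the intersection of its configured selectors
(local_ts / remote_ts) and the selectors the initiator proposed (TSr / TSi).
An empty intersection means no CHILD_SA for that proposal."""
from ipaddress import IPv4Address, ip_network, summarize_address_range

# The mail redacts the gateway's public address as XXX.XXX.166.2; the
# TEST-NET-3 address 203.0.113.2 stands in for it (constructed value).
PUBLIC_IP = "203.0.113.2/32"

def to_range(net):
    """CIDR string -> (first, last) address as integers."""
    n = ip_network(net, strict=False)
    return int(n.network_address), int(n.broadcast_address)

def narrow(configured, proposed):
    """Intersect every configured selector with every proposed one and
    return the surviving address space as a sorted list of CIDR strings."""
    result = set()
    for c in configured:
        c_lo, c_hi = to_range(c)
        for p in proposed:
            p_lo, p_hi = to_range(p)
            lo, hi = max(c_lo, p_lo), min(c_hi, p_hi)
            if lo <= hi:  # the two ranges overlap
                for net in summarize_address_range(IPv4Address(lo), IPv4Address(hi)):
                    result.add(str(net))
    return sorted(result, key=ip_network)

def server_side_ts():
    """The mail's local_ts (LAN host plus public address) against a road
    warrior that, as assumed here, proposes only the public address as TSr."""
    return narrow(["192.168.1.55/32", PUBLIC_IP], [PUBLIC_IP])  # ['203.0.113.2/32']

def client_side_ts():
    """remote_ts = dynamic resolves to the leased virtual IP 10.10.10.1; a
    road warrior proposing 0.0.0.0/0 as TSi is narrowed down to it."""
    return narrow(["10.10.10.1/32"], ["0.0.0.0/0"])  # ['10.10.10.1/32']

def lan_only_ts():
    """Offer only the LAN while the peer still proposes just the public
    address: nothing overlaps, so no CHILD_SA (TS_UNACCEPTABLE)."""
    return narrow(["192.168.1.0/24"], [PUBLIC_IP])  # []

if __name__ == "__main__":
    for fn in (server_side_ts, client_side_ts, lan_only_ts):
        print(f"{fn.__name__}: {fn()}")
```

The last case is the defender's check to run before blaming routing or the _updown script: if the selectors you configure and the ones the preset road-warrior config proposes do not overlap on the networks the server process actually uses as source, no policy for that traffic will ever be installed.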