Hi Noel,

Thanks, I changed the rightid and it is going somewhere.

However, I am stuck on another error.

Jun 10 11:02:19 uatvpngateway charon[20200]: 11[IKE] retransmit 3 of request with message ID 0
Jun 10 11:02:19 uatvpngateway charon[20200]: 11[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[CFG] looking for an IKEv2 config for 10.15.66.10...1.2.3.4
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (36 bytes)
Jun 10 11:02:43 uatvpngateway charon[20200]: 14[IKE] retransmit 4 of request with message ID 0
Jun 10 11:02:43 uatvpngateway charon[20200]: 14[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)

You see, the client has their VPN set up such that we MUST connect to them from IP 192.168.40.34. Our network IP is 10.15.66.0/24. This is the reason why we had to use strongSwan and NAT to do this.

Because we are using a cloud server, our IP is 10.15.66.10 on eth0, and I created an alias eth0:0 192.168.40.34 for this server.

So now I have changed the config a bit, as below. Not sure what the problem is now. I have also enabled debug-cfg 2.

conn net-net
#        left=10.15.66.10
        left=192.168.40.34
#        leftsubnet=10.15.66.0/24
        leftsubnet=192.168.40.32/30 (also tried 0.0.0.0/0)
        leftid=@rh
        leftfirewall=yes
        right=1.2.3.4
        rightsubnet=192.168.118.0/24
        rightid=1.2.3.4
        ike=aes256-sha2_256-modp2048!
        esp=aes256-sha2_256-modp2048!
        auto=start


ike should be correct, as requested from the client's side:

IKE Group       Group 14
IKE Encryption          AES-256
IKE Authentication      SHA2-256

Thanks

On 9/6/2020 6:30 pm, Noel Kuntze wrote:
Hi Liong,

Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
rightid=1.2.3.4

Kind regards

Noel

On 09.06.20 at 11:27, Liong Kok Foo wrote:
Hi,

I am new to strongSwan and have not had much experience setting up VPN connections.

I need to set up a new VPN connection to a client but just cannot seem to get it working.

Here is the information provided by the client:

IKEv2 (Phase 1) Proposal
  Available for ping (Yes/No)         No
  IKE Mode (Aggressive/Main)          Main
  IKE Authentication method           Pre-shared key
  IKE Pre-shared key                  xxxxxx
  IKE Group                           Group 14
  IKE Encryption                      AES-256
  IKE Authentication                  SHA2-256
  IKE Lifetime (seconds)              86400
  Life Time (KB)                      86400

IPsec (Phase 2) Proposal
  IPsec Group                         Group 14
  IPsec Protocol                      ESP
  IPsec Encryption                    AES-256
  IPsec Authentication                SHA2-256
  IPsec Lifetime (seconds)            3600
  Life Time (KB)                      28800
  Enable Perfect Forward Secrecy      Yes
  PFS / DH-group                      Yes/Gp-14
  Encapsulation Mode                  Tunnel
  IP addresses carried in tunnel (Private IP address, IP range assigned by client)   Crypto ACL
  Source (Encryption Domain)          192.168.40.33/30 (DR)
                                      192.168.40.34/30 (UAT)
  Port                                Any
  VPN DPD always enabled              Enabled
  To disable monitoring ICMP echo requests (or pings) -> by right to determine if a VPN tunnel is up, however for this case it's dropping the VPN connections.   Disabled
  To disable a proxy-ID negotiation, it is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations.   Disabled
  NAT traversal (TCP4500)             Disabled


Here is my configuration file:

IPsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

conn %default
         ikelifetime=1440m
         keylife=60m
         rekeymargin=3m
         keyingtries=1
         authby=secret
         keyexchange=ikev2
         mobike=no

conn net-net
         left=10.15.66.10
         leftsubnet=10.15.66.0/24
         leftid=@me
         leftfirewall=yes
         right=1.2.3.4 (client public IP changed)
         rightsubnet=192.168.118.0/24
         rightid=@client
         ike=aes256-sha2_256-modp2048!
         esp=aes256-sha2_256-modp2048!
         auto=start


ipsec.secrets:

# ipsec.secrets - strongSwan IPsec secrets file
@me @client : PSK "xxxxxx"


Here is a part of the message log:

Jun  9 17:14:32 uatvpngateway charon: 06[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
Jun  9 17:14:32 uatvpngateway charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
Jun  9 17:14:32 uatvpngateway charon: 06[IKE] 1.2.3.4 is initiating an IKE_SA
Jun  9 17:14:32 uatvpngateway charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun  9 17:14:32 uatvpngateway charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(MULT_AUTH) ]
Jun  9 17:14:32 uatvpngateway charon: 06[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (392 bytes)
Jun  9 17:14:32 uatvpngateway charon: 07[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (448 bytes)
Jun  9 17:14:32 uatvpngateway charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
Jun  9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found
Jun  9 17:14:32 uatvpngateway charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun  9 17:14:32 uatvpngateway charon: 07[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (80 bytes)

I would appreciate it if anyone could help provide guidance on getting this working.

Thanks
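The two failures in this thread are both config-lookup misses that charon reports in its [CFG] lines: the first message fails the peer config lookup on identity ("looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]" against rightid=@client), and the follow-up fails the IKE config lookup on the local address ("no IKE config found for 10.15.66.10...1.2.3.4" against left=192.168.40.34). The script below is an added example, not code from the thread or from the strongSwan project: it parses the conn sections of an ipsec.conf-style text, scans charon log lines for both kinds of lookup, and names which configured field (left or rightid) disagrees with what the log observed. The log lines and the conn fragment are constructed for the example, modelled on the ones quoted above.

```python
import re

# Constructed charon log lines, modelled on the two failures shown in the thread:
# an IKE config lookup (by address) and a peer config lookup (by identity).
SAMPLE_LOG = """\
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[CFG] looking for an IKEv2 config for 10.15.66.10...1.2.3.4
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
Jun  9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found
"""

# Constructed ipsec.conf fragment combining the addresses and ids from the thread.
SAMPLE_CONF = """\
conn %default
        keyexchange=ikev2

conn net-net
#       left=10.15.66.10
        left=192.168.40.34
        leftsubnet=192.168.40.32/30
        leftid=@rh
        right=1.2.3.4
        rightsubnet=192.168.118.0/24
        rightid=@client
        auto=start
"""

# Address lookup: "looking for an IKEv2 config for <local>...<remote>"
IKE_CFG_RE = re.compile(r"looking for an IKEv2 config for (\S+)\.\.\.(\S+)$")
# Identity lookup: "looking for peer configs matching <local>[<id>]...<remote>[<id>]"
PEER_CFG_RE = re.compile(
    r"looking for peer configs matching (\S+)\[([^\]]*)\]\.\.\.(\S+)\[([^\]]*)\]$")


def parse_conns(conf_text):
    """Parse the 'conn' sections of an ipsec.conf-style text into {name: {key: value}}."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment (a commented-out setting is ignored)
        if raw.startswith("conn "):
            current = raw.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in raw:
            key, value = raw.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def _addr_matches(configured, observed):
    # strongSwan's %any wildcard, or an unset value, matches any address.
    return configured in (None, "%any", observed)


def explain_lookups(log_text, conns):
    """Return one finding per lookup log line that the parsed conns cannot satisfy."""
    findings = []
    candidates = {n: c for n, c in conns.items() if n != "%default"}
    for line in log_text.splitlines():
        m = IKE_CFG_RE.search(line)
        if m:
            me, peer = m.groups()
            for name, c in candidates.items():
                if _addr_matches(c.get("right"), peer) and not _addr_matches(c.get("left"), me):
                    findings.append({"conn": name, "stage": "ike_config", "field": "left",
                                     "expected": c["left"], "observed": me})
            continue
        m = PEER_CFG_RE.search(line)
        if m:
            me, _my_id, peer, peer_id = m.groups()
            for name, c in candidates.items():
                rightid = c.get("rightid")
                # Plain string comparison: a simplification of strongSwan's identity matching.
                if _addr_matches(c.get("right"), peer) and rightid and rightid != peer_id:
                    findings.append({"conn": name, "stage": "peer_config", "field": "rightid",
                                     "expected": rightid, "observed": peer_id})
    return findings


if __name__ == "__main__":
    for f in explain_lookups(SAMPLE_LOG, parse_conns(SAMPLE_CONF)):
        print(f"{f['conn']}: {f['stage']} lookup failed on {f['field']}: "
              f"configured {f['expected']}, log shows {f['observed']}")
```

Run against the constructed input it reports two findings: the address lookup fails because the peer's packet arrived at 10.15.66.10 (the eth0 address, as the "received packet" lines show) while the conn says left=192.168.40.34, and the identity lookup fails because the peer presents the ID 1.2.3.4 while the conn says rightid=@client. The script only treats %any (strongSwan's wildcard) or an unset value as matching any address, and compares identities as plain strings, so it is a diagnostic aid for reading these [CFG] lines, not a reimplementation of charon's matching rules.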