
List:       strongswan-users
Subject:    Re: [strongSwan] Mixed ikev1/ikev2 rw setup
From:       Russ Cox <russ.cox () e-dba ! net>
Date:       2010-02-26 11:27:27
Message-ID: 4B87B01F.4070204 () e-dba ! net

You are a lovely lovely man - that change plus a few easier-to-debug
problems has IKEv1 working for me from my offsite Linux box - now to get
XP and OS X working.

Thanks so much for the quick reply ;D

R

PS - In case it's of any use to someone else, below is my current
gateway config for a dual IKEv1 and IKEv2 NAT rw setup:

=================
# ipsec.conf - strongSwan IPsec configuration file

config setup
         crlcheckinterval=10
         strictcrlpolicy=no
         nat_traversal=yes
         charonstart=yes
         plutostart=yes
         plutodebug=control


# Add connections here.

conn %default
         ikelifetime=60m
         keylife=20m
         rekeymargin=3m
         keyingtries=1
         leftcert=vpngw.mydomain.net-cert.pem
         leftid=@vpngw.mydomain.net
         leftfirewall=yes

conn rw-nat-ikev2
         left=%any
         leftsubnet=0.0.0.0/0
         right=%any
         keyexchange=ikev2
         rightsourceip=192.168.5.0/24
         auto=add

conn rw-nat-ikev1
         left=%defaultroute
         pfs=no
         leftsubnet=0.0.0.0/0
         right=%any
         rightsourceip=192.168.5.0/24
         keyexchange=ikev1
         auto=add
===============
On 25/02/10 17:50, Andreas Steffen wrote:
> Hi Russ,
> 
> I think the problem is that the Pluto IKEv1 daemon does not support
> left=%any, i.e. multi-homing where the source IP is determined
> automatically based on the route to right. So please set left either
> to %defaultroute or to a static IP address for the IKEv1 case.
> left=%any is ok with IKEv2.
> 
> Best regards
> 
> Andreas
> 
> Russ Cox wrote:
> 
> > Hi all - I've managed to get a roadwarrior setup working using ikev2 and
> > x509 certs, which is great for Linux and Windows 7 rw's but I need ikev1
> > working alongside for XP, Vista and OS X rw's - so far not having much
> > joy and google isn't throwing up much.
> > 
> > If I change the roadwarrior ipsec.conf 'keyexchange=ikev1' to ikev2 - it
> > works fine.
> > 
> > Any help would be fantastic, I would love to just get this out the way -
> > it's been dragging on now ;D
> > 
> > My setup
> > 
> > Strongswan gw
> > 
> > vpngw===nat/router==tinternet===nat/router===rw machine
> > 192.168.0.18                                          y.y.y.y
> > 
> > 
> > Config is below;
> > 
> > RW machine;
> > 
> > ===============>>
> > ted:/etc/ipsec.d# ipsec up nat
> > 002 "nat" #1: initiating Main Mode
> > 104 "nat" #1: STATE_MAIN_I1: initiate
> > 010 "nat" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
> > 010 "nat" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
> > 031 "nat" #1: max number of retransmissions (2) reached STATE_MAIN_I1.
> > No response (or no acceptable response) to our first IKE message
> > ================>>
> > /var/log/auth.log on VPN GW
> > 
> > ========>>
> > Feb 25 12:34:02 lister pluto[16253]: | next event EVENT_REINIT_SECRET in
> > 2400 seconds
> > Feb 25 12:34:12 lister pluto[16253]: |
> > Feb 25 12:34:12 lister pluto[16253]: | *received 288 bytes from [RW NAT
> > IP]:500 on eth0
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > ignoring Vendor ID payload [strongSwan 4.3.2]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > ignoring Vendor ID payload [Cisco-Unity]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > received Vendor ID payload [XAUTH]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > received Vendor ID payload [Dead Peer Detection]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > received Vendor ID payload [RFC 3947]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> > Feb 25 12:34:12 lister pluto[16253]: | preparse_isakmp_policy: peer
> > requests PUBKEY authentication
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > initial Main Mode message received on 192.168.0.18:500 but no connection
> > has been authorized with policy=PUBKEY
> > Feb 25 12:34:12 lister pluto[16253]: | next event EVENT_REINIT_SECRET in
> > 2390 seconds
> > Feb 25 12:34:32 lister pluto[16253]: |
> > ========>>
> > 
> > VPN GW machine- strongswan 4.3.5 - ipsec.conf
> > 
> > ====START====>>
> > config setup
> > crlcheckinterval=10
> > strictcrlpolicy=no
> > nat_traversal=yes
> > charonstart=yes
> > plutostart=yes
> > plutodebug=control
> > 
> > # Add connections here.
> > 
> > conn %default
> > ikelifetime=60m
> > keylife=20m
> > rekeymargin=3m
> > keyingtries=1
> > left=%any
> > leftcert=vpngw.mydomain.net-cert.pem
> > leftid=@vpngw.mydomain.net
> > leftfirewall=yes
> > 
> > conn nat-ikev2
> > leftsubnet=0.0.0.0/0
> > right=%any
> > keyexchange=ikev2
> > rightsourceip=192.168.5.0/24
> > auto=add
> > 
> > conn nat-ikev1
> > pfs=no
> > leftsubnet=0.0.0.0/0
> > right=%any
> > rightsourceip=192.168.6.0/24
> > keyexchange=ikev1
> > auto=add
> > ======END=====>>
> > 
> > 
> > Test roadwarrior machine - debian 4 with strongswan 4.3.2
> > ipsec.conf
> > 
> > ====START===>>
> > config setup
> > crlcheckinterval=10
> > strictcrlpolicy=no
> > charonstart=no
> > plutodebug=control
> > nat_traversal=yes
> > 
> > conn %default
> > ikelifetime=60m
> > keylife=20m
> > rekeymargin=3m
> > keyingtries=1
> > keyexchange=ikev1
> > 
> > conn nat
> > left=%defaultroute
> > forceencaps=yes
> > compress=yes
> > leftsourceip=%config
> > leftcert=russ.mydomain.net-cert.pem
> > leftid=russ.cox@mydomain.net
> > leftauth=pubkey
> > right=vpngw.mydomain.net
> > rightid=@vpngw.mydomain.net
> > rightsubnet=0.0.0.0/24
> > auto=add
> > 
> > ====END===>>
> ======================================================================
> Andreas Steffen                         andreas.steffen@strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

--

Russ Cox
Systems Engineer

e-DBA Ltd.
48A Old Steine,
Brighton, East Sussex,
BN1 1NH

Main:      +44 (0) 870 366 7800
Direct:    +44 (0) 127 322 4704
email:     russ.cox@e-dba.net
Msn:	   russ.cox@e-dba.net
Skype:     russc0x

Company No: 365969

Oracle Partner of the Year
General Business Technology

UKOUG Partner of the year
(4 categories)

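The mismatch Andreas points at in this thread (an IKEv1 conn that picks up left=%any, which pluto does not support, here inherited from conn %default) is easy to miss by eye and easy to lint for. The script below is an added example written for this archive page; it is not strongSwan's own code and not something either poster ran. It parses an ipsec.conf in the 4.x layout posted above, merges conn %default into every other conn, and reports IKEv1 conns whose effective left is %any. A second check reports conns whose daemon is explicitly switched off in config setup (the roadwarrior config above has charonstart=no, which only works while all of its conns stay IKEv1). Assumptions, stated in the code as well: 4.x semantics, where keyexchange defaults to ikev1 when unset (releases before 4.5), IKEv1 conns are served by pluto and IKEv2 conns by charon, and both daemons start unless plutostart=no or charonstart=no is given. The two sample configs are constructed from the decoded gateway configs in this thread.

```python
"""Lint a strongSwan 4.x ipsec.conf for two mixed IKEv1/IKEv2 pitfalls.

Added example for this thread; not strongSwan's own code.  Assumes 4.x
semantics: "conn %default" applies to every other conn, keyexchange
defaults to ikev1 when unset (pre-4.5), IKEv1 conns are served by pluto and
IKEv2 conns by charon, and both daemons start unless told ...start=no.
"""
import re

# A section header sits in column 0: "config setup" or "conn <name>".
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return (conns, setup): conns maps conn name -> {key: value}."""
    conns, setup = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)                 # anchored, so column 0 only
        if m:
            kind, name = m.groups()
            current = setup if kind == "config" else conns.setdefault(name, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("not a key=value setting: %r" % raw)
        key, value = (s.strip() for s in line.split("=", 1))
        current[key] = value
    return conns, setup


def effective(conns, name):
    """Settings of a conn with "conn %default" merged in (explicit wins)."""
    merged = dict(conns.get("%default", {}))
    merged.update(conns[name])
    return merged


def find_pluto_any_left(text):
    """Names of IKEv1 conns whose effective left is %any (pluto rejects it)."""
    conns, _ = parse_ipsec_conf(text)
    bad = []
    for name in conns:
        if name == "%default":
            continue
        eff = effective(conns, name)
        if (eff.get("keyexchange", "ikev1") == "ikev1"
                and eff.get("left", "").lower() == "%any"):
            bad.append(name)
    return bad


def missing_daemons(text):
    """Conns whose daemon is explicitly switched off in config setup."""
    conns, setup = parse_ipsec_conf(text)
    daemon_opt = {"ikev1": "plutostart", "ikev2": "charonstart"}
    warnings = []
    for name in conns:
        if name == "%default":
            continue
        kx = effective(conns, name).get("keyexchange", "ikev1")
        opt = daemon_opt.get(kx)
        if opt and setup.get(opt, "yes") == "no":
            warnings.append("%s is %s but %s=no" % (name, kx, opt))
    return warnings


# Constructed sample: the gateway config from the first mail in the thread,
# where the IKEv1 conn inherits left=%any from %default.
GATEWAY_BEFORE = """\
config setup
        nat_traversal=yes
        charonstart=yes
        plutostart=yes

conn %default
        ikelifetime=60m
        keylife=20m
        keyingtries=1
        left=%any
        leftcert=vpngw.mydomain.net-cert.pem
        leftid=@vpngw.mydomain.net

conn nat-ikev2
        leftsubnet=0.0.0.0/0
        right=%any
        keyexchange=ikev2
        rightsourceip=192.168.5.0/24
        auto=add

conn nat-ikev1
        pfs=no
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=192.168.6.0/24
        keyexchange=ikev1
        auto=add
"""

# Constructed sample: the working config, with left set per conn instead.
GATEWAY_AFTER = GATEWAY_BEFORE.replace("        left=%any\n", "").replace(
    "conn nat-ikev2\n", "conn nat-ikev2\n        left=%any\n").replace(
    "conn nat-ikev1\n", "conn nat-ikev1\n        left=%defaultroute\n")

if __name__ == "__main__":
    for label, cfg in (("before", GATEWAY_BEFORE), ("after", GATEWAY_AFTER)):
        print(label, find_pluto_any_left(cfg), missing_daemons(cfg))
```

Run it as-is and the "before" config reports nat-ikev1 while the "after" config reports nothing; point it at a real ipsec.conf by reading the file into a string and passing it to the two check functions. The parser accepts only the simple key=value layout used in this thread, which is all the lint needs.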
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

