[prev in list] [next in list] [prev in thread] [next in thread]
List: strongswan-users
Subject: Re: [strongSwan] Mixed ikev1/ikev2 rw setup
From: Russ Cox <russ.cox () e-dba ! net>
Date: 2010-02-26 11:27:27
Message-ID: 4B87B01F.4070204 () e-dba ! net
[Download RAW message or body]
You are a lovely lovely man - that change plus a few easier to debug
problems has ikev1 working for me from my offsite linux box - now to get
XP and OS X working
Thanks so much for the quick reply ;D
R
ps - In case it's of any use to someone else - below is my current
gateway config for a dual ikev1 and ikev2 nat rw setup
=================# ipsec.conf - strongSwan IPsec configuration file
config setup
crlcheckinterval0
strictcrlpolicy=no
nat_traversal=yes
charonstart=yes
plutostart=yes
plutodebug=control
# Add connections here.
conn %default
ikelifetime`m
keylife m
rekeymargin=3m
keyingtries=1
leftcert=vpngw.mydomain.net-cert.pem
leftid=@vpngw.mydomain.net
leftfirewall=yes
conn rw-nat-ikev2
left=%any
leftsubnet=0.0.0.0/0
right=%any
keyexchange=ikev2
rightsourceip2.168.5.0/24
autod
conn rw-nat-ikev1
left=%defaultroute
pfs=no
leftsubnet=0.0.0.0/0
right=%any
rightsourceip2.168.5.0/24
keyexchange=ikev1
autod
===============
On 25/02/10 17:50, Andreas Steffen wrote:
> Hi Russ,
>
> I think the problem is that the Pluto IKEv1 daemon does not support
> left=%any, i.e. multi-homing where the source IP is determined
> automatically based on the route to right. So please set left either
> to %defaultroute or to a static IP address for the IKEv1 case.
> left=%any is ok with IKEv2.
>
> Best regards
>
> Andreas
>
> Russ Cox wrote:
>
> > Hi all - I've managed to get a roadwarrior setup working using ikev2 and
> > x509 certs, which is great for Linux and Windows 7 rw's but I need ikev1
> > working alongside for XP, Vista and OS X rw's - so far not having much
> > joy and google isn't throwing up much.
> >
> > If I change the roadwarrior ipsec.conf 'keyexchange=ikev1" to ikev2 - it
> > works fine.
> >
> > Any help would be fantastic, I would love to just get this out the way -
> > it's been dragging on now ;D
> >
> > My setup
> >
> > Strongswan gw
> >
> > vpngw===nat/router==tinternet===nat/router===rw machine
> > 192.168.0.18 y.y.y.y
> >
> >
> > Config is below;
> >
> > RW machine;
> >
> > ===============>> ted:/etc/ipsec.d# ipsec up nat
> > 002 "nat" #1: initiating Main Mode
> > 104 "nat" #1: STATE_MAIN_I1: initiate
> > 010 "nat" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
> > 010 "nat" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
> > 031 "nat" #1: max number of retransmissions (2) reached STATE_MAIN_I1.
> > No response (or no acceptable response) to our first IKE message
> > ================>>
> > /var/log/auth.log on VPN GW
> >
> > ========>> Feb 25 12:34:02 lister pluto[16253]: | next event EVENT_REINIT_SECRET \
> > in 2400 seconds
> > Feb 25 12:34:12 lister pluto[16253]: |
> > Feb 25 12:34:12 lister pluto[16253]: | *received 288 bytes from [RW NAT
> > IP]:500 on eth0
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > ignoring Vendor ID payload [strongSwan 4.3.2]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > ignoring Vendor ID payload [Cisco-Unity]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > received Vendor ID payload [XAUTH]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > received Vendor ID payload [Dead Peer Detection]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > received Vendor ID payload [RFC 3947]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> > Feb 25 12:34:12 lister pluto[16253]: | preparse_isakmp_policy: peer
> > requests PUBKEY authentication
> > Feb 25 12:34:12 lister pluto[16253]: packet from [RW NAT IP]:500:
> > initial Main Mode message received on 192.168.0.18:500 but no connection
> > has been authorized with policy=PUBKEY
> > Feb 25 12:34:12 lister pluto[16253]: | next event EVENT_REINIT_SECRET in
> > 2390 seconds
> > Feb 25 12:34:32 lister pluto[16253]: |
> > ========>>
> >
> > VPN GW machine- strongswan 4.3.5 - ipsec.conf
> >
> > ====START====>> config setup
> > crlcheckinterval0
> > strictcrlpolicy=no
> > nat_traversal=yes
> > charonstart=yes
> > plutostart=yes
> > plutodebug=control
> >
> > # Add connections here.
> >
> > conn %default
> > ikelifetime`m
> > keylife m
> > rekeymargin=3m
> > keyingtries=1
> > left=%any
> > leftcert=vpngw.mydomain.net-cert.pem
> > leftid=@vpngw.mydomain.net
> > leftfirewall=yes
> >
> > conn nat-ikev2
> > leftsubnet=0.0.0.0/0
> > right=%any
> > keyexchange=ikev2
> > rightsourceip2.168.5.0/24
> > autod
> >
> > conn nat-ikev1
> > pfs=no
> > leftsubnet=0.0.0.0/0
> > right=%any
> > rightsourceip2.168.6.0/24
> > keyexchange=ikev1
> > autod
> > ======END =====>>
> >
> >
> > Test roadwarrior machine - debian 4 with strongswan 4.3.2
> > ipsec.conf
> >
> > ====START===>>
> > config setup
> > crlcheckinterval0
> > strictcrlpolicy=no
> > charonstart=no
> > plutodebug=control
> > nat_traversal=yes
> >
> > conn %default
> > ikelifetime`m
> > keylife m
> > rekeymargin=3m
> > keyingtries=1
> > keyexchange=ikev1
> >
> > conn nat
> > left=%defaultroute
> > forceencaps=yes
> > compress=yes
> > leftsourceip=%config
> > leftcert=russ.mydomain.net-cert.pem
> > leftid=russ.cox@mydomain.net
> > leftauth=pubkey
> > right=vpngw.mydomain.net
> > rightid=@vpngw.mydomain.net
> > rightsubnet=0.0.0.0/24
> > autod
> >
> > ====END===>>
> =====================================================================> Andreas \
> Steffen andreas.steffen@strongswan.org strongSwan - the \
> Linux VPN Solution! www.strongswan.org Institute for Internet \
> Technologies and Applications University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]=>
--
Russ Cox
Systems Engineer
e-DBA Ltd.
48A Old Steine,
Brighton, East Sussex,
BN1 1NH
Main: +44 (0) 870 366 7800
Direct: +44 (0) 127 322 4704
email: russ.cox@e-dba.net
Msn: russ.cox@e-dba.net
Skype: russc0x
Company No: 365969
Oracle Partner of the Year
General Business Technology
UKOUG Partner of the year
(4 categories)
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic