
List:       strongswan-users
Subject:    [strongSwan] Re: how to config multiple specific virtual
From:       <ioiioi () live ! cn>
Date:       2016-01-14 7:08:07
Message-ID: SG2PR0601MB13924C24907DCCC4B8DC77EFCFCC0 () SG2PR0601MB1392 ! apcprd06 ! prod ! outlook ! com

wow, what an elegant solution!
thanks andreas.

I am still struggling with migrating from ipsec.conf to swanctl.conf; when I initiate a
child_sa from the client, it fails:

[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN notify error
initiate failed: establishing CHILD_SA 'gw1-jklab-chd' failed

here is my config and error log:

gateway swanctl.conf

-------------8<-----------------
connections {
   rw-ssTester {
      local_addrs  = 192.168.111.93
      pools = ssTester

      local {
         auth = pubkey
         certs = gw1.jklab.cert.pem
         id = gateway1.jklab.qmcc
      }
      remote {
         auth = pubkey
         id = ssTester@jklab.qmcc
      }
      children {
         rw-ssTester {
            local_ts = 192.168.33.0/24, 192.168.66.0/24

            start_action = none
            updown = /opt/strongswan/libexec/ipsec/_updown iptables
            rekey_time = 10m
            esp_proposals = aes128gcm128-modp2048
         }
      }
      version = 2
      reauth_time = 60m
      rekey_time =  20m
      proposals = aes128-sha256-modp2048
   }
}
pools {
   ssTester {
      addrs = 192.168.8.10/32
   }
}
-------------8<-----------------

client swanctl.conf

-------------8<-----------------
when I initiate the child_sa from the client:
connections {
   gw1-jklab {
      local_addrs  = 10.10.0.17
      remote_addrs = 221.182.254.189
      vips = 0.0.0.0
      version = 2
      reauth_time = 60m
      rekey_time =  20m
#      proposals = aes128-sha256-modp2048

      local {
         auth = pubkey
         certs = ssTester.cert.pem
         id = ssTester@jklab.qmcc
      }
      remote {
         auth = pubkey
         id = gateway1.jklab.qmcc
      }
      children {
         gw1-jklab-chd {
            remote_ts = 192.168.33.0/24, 192.168.66.0/24

            start_action = none
            updown = /opt/strongswan/libexec/ipsec/_updown iptables
            rekey_time = 10m
#            esp_proposals = aes128gcm128-modp2048
         }
      }
   }
}
# no matter whether I enable or disable the client's esp_proposals/proposals,
# I get the same result.
-------------8<-----------------

# swanctl -i -c gw1-jklab-chd
[IKE] initiating IKE_SA gw1-jklab[20] to xx.xx.254.189
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
[NET] sending packet: from 10.10.0.17[500] to xx.xx.254.189[500] (1064 bytes)
[NET] received packet: from xx.xx.254.189[500] to 10.10.0.17[500] (36 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN notify error
initiate failed: establishing CHILD_SA 'gw1-jklab-chd' failed


and the gateway's charon-systemd log:
Jan 14 00:22:29 d8-64-gw-1 charon-systemd[5213]: received packet: from xx.xx.236.34[9863] to 192.168.33.93[500] (1064 bytes)
Jan 14 00:22:29 d8-64-gw-1 charon-systemd[5213]: parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Jan 14 00:22:29 d8-64-gw-1 charon-systemd[5213]: no IKE config found for 192.168.33.93...xx.xx.236.34, sending NO_PROPOSAL_CHOSEN
Jan 14 00:22:29 d8-64-gw-1 charon-systemd[5213]: generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jan 14 00:22:29 d8-64-gw-1 charon-systemd[5213]: sending packet: from 192.168.33.93[500] to xx.xx.236.34[9863] (36 bytes)

what is the problem?

________________________________________
From: Andreas Steffen <andreas.steffen@strongswan.org>
Sent: 14 January 2016 1:23
To: 陈锐; users@lists.strongswan.org
Subject: Re: [strongSwan] how to config multiple specific virtual ips per road warrior on swanctl.conf?

Hi,

if you want to explicitly assign a specific virtual IP to each client
then you could use an include statement in swanctl.conf which includes
the common parameters for each connection definition and define a
specific single-address pool for each roadwarrior as in the following
example I did for you:

  https://www.strongswan.org/testing/config-payload/swanctl/config-payload/

The common parameters are defined in /etc/swanctl/swanctl_base.conf:

      local_addrs  = 192.168.0.1

      local {
         auth = pubkey
         certs = moonCert.pem
         id = moon.strongswan.org
      }
      children {
         net {
            local_ts  = 10.1.0.0/16

            updown = /usr/local/libexec/ipsec/_updown iptables
            esp_proposals = aes128gcm128-modp3072
         }
      }
      version = 2
      proposals = aes128-sha256-modp3072

Best regards

Andreas

On 01/13/2016 09:31 AM, 陈锐 wrote:
> hello,
> 
> 
> I have multiple road warriors that log on and get a specific virtual IP from
> strongSwan. I have successfully got it working with charon/ipsec.conf.
> Unfortunately, Debian 8 has moved to systemd, so I have to change
> from ipsec.conf to swanctl.conf because of charon-systemd. The following
> is my ipsec.conf on the strongSwan gateway:
> 
> 
> 
> config setup
> #    uniqueids=never
> 
> #############################################
> # ikev2 road warriors pubkey template
> #############################################
> conn ikev2-rw-pub-template
> keyexchange=ikev2
> left=%defaultroute
> leftauth=pubkey
> #leftfirewall=yes
> leftsubnet=0.0.0.0/0
> leftcert=gw1.jklab.cert.pem
> leftid=gateway1.jklab.qmcc
> right=%any
> rightauth=pubkey
> auto=add
> 
> # ikev2 road warriors pubkey linux client
> conn ikev2-rw-pub-linux-ssTester
> also=ikev2-rw-pub-template
> #rightdns=192.168.5.12
> rightsourceip=192.168.8.10
> rightid="ssTester@jklab.qmcc"
> 
> # ikev2 road warriors pubkey windows7+ client
> conn ikev2-rw-pub-win7-chenrui
> also=ikev2-rw-pub-template
> ike=aes256-sha1-modp1024!
> rekey=no
> rightsourceip=192.168.8.2
> rightid="OU=syharman, CN=chenrui@syharman.qmcc"
> 
> how to translate it to swanctl.conf?
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
> 

--
======================================================================
Andreas Steffen                         andreas.steffen@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
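As an added worked example (not code from this thread or from the strongSwan test scenario Andreas links), here is the ipsec.conf quoted in the original question translated into the include-based swanctl.conf layout he describes: the parameters shared by every road warrior live in /etc/swanctl/swanctl_base.conf, and each road warrior gets its own connection block with its own remote id and a one-address pool. The `rw-` connection names, the pool names and the decision to put the address the gateway actually receives IKE on into local_addrs are my choices; the ids, certificate file, subnets, addresses and proposals are the ones posted on this page.

```conf
# /etc/swanctl/swanctl_base.conf
# Common parameters, pulled into every road-warrior connection below.
# This is the swanctl equivalent of "conn ikev2-rw-pub-template".
local_addrs  = 192.168.33.93          # address the gateway receives IKE_SA_INIT on (assumed; see note)
version      = 2                      # keyexchange=ikev2
reauth_time  = 60m
rekey_time   = 20m
proposals    = aes128-sha256-modp2048

local {
   auth  = pubkey                     # leftauth=pubkey
   certs = gw1.jklab.cert.pem         # leftcert=...
   id    = gateway1.jklab.qmcc        # leftid=...
}
children {
   net {
      local_ts      = 0.0.0.0/0       # leftsubnet=0.0.0.0/0
      start_action  = none            # auto=add (load only, never initiate)
      updown        = /opt/strongswan/libexec/ipsec/_updown iptables
      rekey_time    = 10m
      esp_proposals = aes128gcm128-modp2048
   }
}

# /etc/swanctl/swanctl.conf
connections {
   # conn ikev2-rw-pub-linux-ssTester
   rw-ssTester {
      include swanctl_base.conf       # relative path: resolved against this file's directory
      remote {
         auth = pubkey
         id   = ssTester@jklab.qmcc   # rightid="ssTester@jklab.qmcc"
      }
      pools = ssTester                # rightsourceip=192.168.8.10 (via the pool below)
   }

   # conn ikev2-rw-pub-win7-chenrui
   rw-chenrui {
      include swanctl_base.conf
      # Keys set after the include replace the included value, so the
      # per-client deviations from the template go here.
      proposals   = aes256-sha1-modp1024   # ike=aes256-sha1-modp1024! (kept as posted)
      rekey_time  = 0                      # rekey=no: this side never rekeys ...
      reauth_time = 0                      # ... or reauthenticates the IKE_SA
      remote {
         auth = pubkey
         id   = "OU=syharman, CN=chenrui@syharman.qmcc"
      }
      pools = chenrui                 # rightsourceip=192.168.8.2
   }
}

# One single-address pool per road warrior; the connection's "pools" key
# selects it, and the matching remote id selects the connection.
pools {
   ssTester {
      addrs = 192.168.8.10
   }
   chenrui {
      addrs = 192.168.8.2
   }
}
```

Two things worth checking after `swanctl --load-all`: first, that both connections and both pools are listed, since a typo in the include path silently produces a connection with no local section; second, the address in local_addrs. charon picks the connection for an incoming IKE_SA_INIT from the packet's local and remote addresses before it compares a single proposal, so a request that arrives on an address not covered by local_addrs is answered with NO_PROPOSAL_CHOSEN no matter what the proposals say. The gateway log earlier in this thread reports "no IKE config found for 192.168.33.93...", while the posted gateway config sets local_addrs = 192.168.111.93; using the address the gateway really listens on, or leaving local_addrs at its default of %any, avoids that lookup failure, and the proposal lists only come into play once the lookup succeeds.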


