List: strongswan-users
Subject: Re: [strongSwan] local host is behind NAT, sending keep alives
From: Stephen Feyrer <stephen.feyrer () greensill ! com>
Date: 2019-08-14 14:16:52
Message-ID: VI1PR0501MB23361AE25B0225F65F03177394AD0 () VI1PR0501MB2336 ! eurprd05 ! prod ! outlook ! com
Hi Team,
An update.
ipsec.conf
    conn officeVPN
        aggressive=yes
        type=transport
        authby=secret
        keyexchange=ikev1
        ike=aes128-sha1-modp2048,aes256-sha1-modp2048!
        left=%defaultroute
        leftsourceip=%config
        modeconfig=push
        leftprotoport=udp/l2tp
        right=50.45.0.51
        rightprotoport=udp/l2tp
        rightid=10.0.0.254
        auto=add
ipsec.secrets:
    50.45.0.51 %any : PSK "StrongKey-Honest!"
strongswan.conf
    charon {
        keep_alive = 0
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    }
$ sudo ipsec up officeVPN
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 1.0.0.127[500] to 50.54.0.51[500] (548 bytes)
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 00:00:00:00:00:00:00:00:00:08:00:00:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 1.0.0.127[1.0.0.127]...50.54.0.51[10.0.0.254]
scheduling reauthentication in 9761s
maximum IKE_SA lifetime 10301s
generating AGGRESSIVE request 0 [ HASH NAT-D ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (140 bytes)
received packet: from 50.54.0.51[4500] to 1.0.0.127[4500] (92 bytes)
generating TRANSACTION response 890044400 [ HASH CP ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (108 bytes)
parsed INFORMATIONAL_V1 request 4321098765 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 0987654321 [ HASH N(DPD_ACK) ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (108 bytes)
parsed INFORMATIONAL_V1 request 7654321098 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 2109876543 [ HASH N(DPD_ACK) ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (108 bytes)
parsed INFORMATIONAL_V1 request 3210987654 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 6543210987 [ HASH N(DPD_ACK) ]
Please help, thanks.
--
Stephen Feyrer
DevOps Engineer
Greensill Capital
stephen.feyrer@greensill.com
http://www.greensill.com
From: Stephen Feyrer
Sent: 13 August 2019 13:11
To: users@lists.strongswan.org
Subject: local host is behind NAT, sending keep alives
Hey everyone,
I have a laptop tethered via my phone, Ubuntu 18.4. I am unable to establish a connection and none of my research has thus far revealed anything helpful. Please review the below and advise. Other proprietary clients are able to connect without issue.
I have an ipsec.conf file which looks like:
    conn officeVPN
        aggressive=yes
        type=tunnel
        authby=secret
        keyexchange=ikev1
        ike=aes128-sha1-modp2048
        esp=aes256-sha256-modp2048
        mobike=no
        left=%defaultroute
        leftsourceip=%config
        modeconfig=push
        leftprotoport=udp/l2tp
        right=50.45.0.51
        rightprotoport=udp/l2tp
        rightid=10.0.0.254
        auto=add
        xauth_identity=user
An ipsec.secrets that looks like:
    50.45.0.51 %any : PSK "StrongKey-Honest!"
    user %any : XAUTH "password"
An /etc/strongswan.conf that has the following line (in the charon section):
    charon {
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    }
Then the ipsec up officeVPN command is run:
$ sudo ipsec up officeVPN
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 1.0.0.127[500] to 50.54.0.51[500] (548 bytes)
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 00:00:00:00:00:00:00:00:00:08:00:00:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 1.0.0.127[1.0.0.127]...50.54.0.51[10.0.0.254]
scheduling reauthentication in 9761s
maximum IKE_SA lifetime 10301s
generating AGGRESSIVE request 0 [ HASH NAT-D ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet: from 50.54.0.51[4500] to 1.0.0.127[4500] (76 bytes)
generating TRANSACTION response 890044400 [ HASH CP ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (76 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 4321098765 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 0987654321 [ HASH N(DPD_ACK) ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 7654321098 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 2109876543 [ HASH N(DPD_ACK) ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 3210987654 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 6543210987 [ HASH N(DPD_ACK) ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
deleting IKE_SA officeVPN[1] between 1.0.0.127[1.0.0.127]... 50.54.0.51[10.0.0.254]
sending DELETE for IKE_SA officeVPN[1]
parsed INFORMATIONAL_V1 request 5432109876 [ HASH D ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
establishing connection 'officeVPN' failed
Thank you.
--
Stephen Feyrer
DevOps Engineer
Greensill Capital
stephen.feyrer@greensill.com
http://www.greensill.com
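Added example for this archive page, not code from the thread or from the strongSwan project: a small Python script that reads charon output of the kind posted above and summarises how far the negotiation got. The embedded log excerpt is copied (trimmed) from the original message; the names SAMPLE_LOG, analyse and findings are mine, and the patterns only match the message formats visible in the posted log. It makes no diagnosis of its own; it just turns the long log into the handful of facts a reviewer would check first (both sides behind NAT, exchange moved to UDP/4500, mode config pushed, no QUICK_MODE exchange, peer packets still arriving on UDP/500, IKE_SA deleted).

```python
import re

# Constructed sample: charon output copied (trimmed) from the message above. The
# addresses are the poster's own obfuscated values, not real hosts.
SAMPLE_LOG = """\
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 1.0.0.127[500] to 50.54.0.51[500] (548 bytes)
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 1.0.0.127[1.0.0.127]...50.54.0.51[10.0.0.254]
generating AGGRESSIVE request 0 [ HASH NAT-D ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet: from 50.54.0.51[4500] to 1.0.0.127[4500] (76 bytes)
generating TRANSACTION response 890044400 [ HASH CP ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (76 bytes)
sending keep alive to 50.54.0.51[4500]
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 4321098765 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 0987654321 [ HASH N(DPD_ACK) ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
deleting IKE_SA officeVPN[1] between 1.0.0.127[1.0.0.127]...50.54.0.51[10.0.0.254]
sending DELETE for IKE_SA officeVPN[1]
establishing connection 'officeVPN' failed
"""

# "sending/received packet: from A[port] to B[port] (N bytes)"
PKT = re.compile(r"^(sending|received) packet: from ([\d.]+)\[(\d+)\] to ([\d.]+)\[(\d+)\] \((\d+) bytes\)$")
# "generating/parsed EXCHANGE request|response MSGID [ payloads ]"
EXCH = re.compile(r"^(generating|parsed) (\S+) (request|response) \d+ \[ (.*?) \]$")


def analyse(log_text):
    # nat_t_floated: we began sending on UDP/4500 after the NAT-D exchange.
    # modeconfig_seen: a TRANSACTION exchange carried a CP (config) payload.
    # quick_mode_seen: IKEv1 phase 2, the exchange that sets up the ESP SA.
    s = {"aggressive_mode": False, "local_behind_nat": False, "remote_behind_nat": False,
         "nat_t_floated": False, "ike_sa_established": False, "modeconfig_seen": False,
         "quick_mode_seen": False, "dpd_requests": 0, "keepalives": 0,
         "ike_sa_deleted": False, "failed": False, "port_anomalies": []}
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("initiating Aggressive Mode"):
            s["aggressive_mode"] = True
        elif line.startswith("local host is behind NAT"):
            s["local_behind_nat"] = True
        elif line.startswith("remote host is behind NAT"):
            s["remote_behind_nat"] = True
        elif " established between " in line:
            s["ike_sa_established"] = True
        elif line.startswith("sending keep alive"):
            s["keepalives"] += 1
        elif line.startswith("deleting IKE_SA"):
            s["ike_sa_deleted"] = True
        elif line.endswith(" failed"):
            s["failed"] = True
        m = PKT.match(line)
        if m:
            direction, _src, sport, _dst, dport, _size = m.groups()
            if direction == "sending" and sport == "4500":
                s["nat_t_floated"] = True
            elif direction == "received" and s["nat_t_floated"] and dport != "4500":
                # After the float every packet should use 4500; a peer packet on 500 is worth a look.
                s["port_anomalies"].append(line)
            continue
        m = EXCH.match(line)
        if m:
            _, exchange, _, payloads = m.groups()
            payloads = payloads.split()
            if exchange == "TRANSACTION" and "CP" in payloads:
                s["modeconfig_seen"] = True
            elif exchange == "QUICK_MODE":
                s["quick_mode_seen"] = True
            elif exchange == "INFORMATIONAL_V1" and "N(DPD)" in payloads:
                s["dpd_requests"] += 1
    return s


def findings(s):
    # The observations a reviewer would raise from the summary, in log order.
    notes = []
    if s["aggressive_mode"]:
        notes.append("IKEv1 aggressive mode with a PSK sends the PSK-derived hash unencrypted, which is why strongSwan requires an explicit opt-in for it")
    if s["ike_sa_established"] and s["modeconfig_seen"] and not s["quick_mode_seen"]:
        notes.append("phase 1 completed and mode config was pushed, but no QUICK_MODE exchange appears: the ESP SA for udp/l2tp was never negotiated")
    if s["port_anomalies"]:
        notes.append("%d peer packet(s) arrived on UDP/500 after NAT-T moved the exchange to UDP/4500; check how the NAT and firewall treat both ports" % len(s["port_anomalies"]))
    if s["ike_sa_deleted"] and s["failed"]:
        notes.append("charon gave up and deleted the IKE_SA; compare with the responder's log to see where phase 2 stalled")
    return notes


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key:20} {value}")
    for note in findings(summary):
        print("-", note)
```

Run it as-is to see the summary for the posted log, or feed it the output of ipsec up on another host via analyse(open(path).read()). Lines charon prints in formats other than the ones above are simply ignored, so the counts only reflect messages the script knows about.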