Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
Hi Stephen,
I believe the issue might be caused as the conn section is not compliant
with prescribed format. There should be at least one whitespace at the
beginning of each line within the section. Only sections can and shall
start at the first character of the line.
Supposed correction:
*conn VPN-OFFICE-COM*
* keyexchange=ikev1*
*type=transport*
*authby=secret*
*ike=3des-sha1-modp1024*
*rekey=no*
*left=%defaultroute*
*leftprotoport=udp/l2tp*
*right=vpn.office.com http://vpn.office.com*
*rightprotoport=udp/l2tp*
*rightid=17.11.7.5*
*auto=add*
Regards,
Miroslav
Message: 3
Date: Fri, 17 Apr 2015 14:08:57 +0100
From: Stephen Feyrer stephen.fey...@btinternet.com
To: users@lists.strongswan.org
Subject: Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error,
unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
Message-ID: op.xw8ms7kfx77...@sveta.home.org
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
Hi Neol,
Thank you. I have removed the file /etc/strongswan.d/VPN.conf
In /etc/ipsec.conf I have the same configuration. At least there is
progress, unfortunately I am still baffled. This is the previously
working configuration.
code:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
conn VPN-OFFICE-COM
keyexchange=ikev1
type=transport
authby=secret
ike=3des-sha1-modp1024
rekey=no
left=%defaultroute
leftprotoport=udp/l2tp
right=vpn.office.com
rightprotoport=udp/l2tp
rightid=17.11.7.5
auto=add
Having restarted ipsec, I get the following result
code:
# ipsec up VPN-OFFICE-COM
initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN-OFFICE-COM[1] established between
1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID
NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID
N((24576)) NAT-OA ]
received 28800s lifetime, configured 0s
no acceptable traffic selectors found
establishing connection 'VPN-OFFICE-COM' failed
--
Kind regards
Stephen Feyrer
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] Incorrect Phase II for Cisco IOS Transport VPN
I'm trying to build a gre tunnel / transport based IPSec VPN between a Cisco IOS router and a device running strongswan on openwrt. I successfully negotiate phase 1 but then fail to negotiate phase 2. The Cisco device indicates proxy identities are not supported, which would suggest that the IPSec session is being negotiated with the wrong IP addresses. Here are the log messages from the Cisco device: .Apr 18 08:26:03.870: ISAKMP:(13414):Checking IPSec proposal 0 .Apr 18 08:26:03.870: ISAKMP: transform 1, ESP_AES .Apr 18 08:26:03.870: ISAKMP: attributes in transform: .Apr 18 08:26:03.870: ISAKMP: key length is 128 .Apr 18 08:26:03.870: ISAKMP: authenticator is HMAC-SHA512 .Apr 18 08:26:03.870: ISAKMP: encaps is 2 (Transport) .Apr 18 08:26:03.870: ISAKMP: SA life type in seconds .Apr 18 08:26:03.870: ISAKMP: SA life duration (basic) of 3600 .Apr 18 08:26:03.870: ISAKMP:(13414):atts are acceptable. .Apr 18 08:26:03.870: IPSEC(ipsec_process_proposal): proxy identities not supported .Apr 18 08:26:03.870: ISAKMP:(13414): IPSec policy invalidated proposal with error 32 .Apr 18 08:26:03.870: ISAKMP:(13414): phase 2 SA policy not acceptable! (local x.x.x.x remote 10.2.0.29) And here is the configuration for strongswan. I had originally omitted the subnet definitions but I added them to ensure that the correct subnets were specified. conn host-host left=10.2.0.29 leftid=10.2.0.29 leftsubnet=10.2.0.29/32 right=x.x.x.x rightid=x.x.x.x rightsubnet=x.x.x.x/32 type=transport auto=start keyexchange=ikev1 ike=aes128-sha256-modp4096! esp=aes128-sha512! authby=secret I am running strongswan 5.2.2 on Openwrt. The Cisco router is running a dev special release of 15.3(3)M3.2. Thank you in advance for your help, -JohnF ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
Hi Miroslav,
Thank you. The conn section as presented below was copied and pasted from
web page for convenience (this stripped the leading white spaced from the
conn section). For the moment the white spaces are in form of TAB
characters. I will test with space characters and complete this email.
I Apologise for the lack of white spaces in the conn section of below
email. I have now tested with both spaces and tabs, each producing the
same error as below.
--
Kind regards
Stephen Feyrer.
On Sat, 18 Apr 2015 13:25:20 +0100, Miroslav Svoboda
goodmi...@goodmirek.cz wrote:
Hi Stephen,
I believe the issue might be caused as the conn section is not
compliant with prescribed format. There should be at least one
whitespace at the beginning of each line within the section. Only
sections can and shall start at the first character of the line.
Supposed correction:
conn VPN-OFFICE-COM
keyexchange=ikev1
type=transport
authby=secret
ike=3des-sha1-modp1024
rekey=no
left=%defaultroute
leftprotoport=udp/l2tp
right=vpn.office.com
rightprotoport=udp/l2tp
rightid=17.11.7.5
auto=add
Regards,
Miroslav
Message: 3
Date: Fri, 17 Apr 2015 14:08:57 +0100
From: Stephen Feyrer stephen.fey...@btinternet.com
To: users@lists.strongswan.org
Subject: Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error,
unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
Message-ID: op.xw8ms7kfx77...@sveta.home.org
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
Hi Neol,
Thank you. I have removed the file /etc/strongswan.d/VPN.conf
In /etc/ipsec.conf I have the same configuration. At least there is
progress, unfortunately I am still baffled. This is the previously
working configuration.
code:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
conn VPN-OFFICE-COM
keyexchange=ikev1
type=transport
authby=secret
ike=3des-sha1-modp1024
rekey=no
left=%defaultroute
leftprotoport=udp/l2tp
right=vpn.office.com
rightprotoport=udp/l2tp
rightid=17.11.7.5
auto=add
Having restarted ipsec, I get the following result
code:
# ipsec up VPN-OFFICE-COM
initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN-OFFICE-COM[1] established between
1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID
NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID
N((24576)) NAT-OA ]
received 28800s lifetime, configured 0s
no acceptable traffic selectors found
establishing connection 'VPN-OFFICE-COM' failed
--
Kind regards
Stephen Feyrer___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] How to tunnel traffic towards the public IP of the remote gateway?
Cheers. It worked beautifully. Tiago On 17-04-2015 08:27, Martin Willi wrote: Hi, Does %dynamic work in net2net? Or only in road-warrior scenarios? If any has been negotiated, %dynamic resolves to the virtual IP for that endpoint. If not, it resolves to the IKE endpoint address. It can be used in either scenario, but has a slightly different behavior. Regards Martin ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
