Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
Hi Stephen,

I believe the issue might be caused by the conn section not being compliant with the prescribed format. There should be at least one whitespace at the beginning of each line within the section. Only sections can and shall start at the first character of the line.

Supposed correction:

conn VPN-OFFICE-COM
    keyexchange=ikev1
    type=transport
    authby=secret
    ike=3des-sha1-modp1024
    rekey=no
    left=%defaultroute
    leftprotoport=udp/l2tp
    right=vpn.office.com
    rightprotoport=udp/l2tp
    rightid=17.11.7.5
    auto=add

Regards,
Miroslav

Message: 3
Date: Fri, 17 Apr 2015 14:08:57 +0100
From: Stephen Feyrer stephen.fey...@btinternet.com
To: users@lists.strongswan.org
Subject: Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
Message-ID: op.xw8ms7kfx77...@sveta.home.org
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes

Hi Neol,

Thank you. I have removed the file /etc/strongswan.d/VPN.conf. In /etc/ipsec.conf I have the same configuration. At least there is progress; unfortunately I am still baffled.

This is the previously working configuration.
code:

    # ipsec.conf - strongSwan IPsec configuration file

    # basic configuration
    config setup
        # strictcrlpolicy=yes
        # uniqueids = no

    conn VPN-OFFICE-COM
        keyexchange=ikev1
        type=transport
        authby=secret
        ike=3des-sha1-modp1024
        rekey=no
        left=%defaultroute
        leftprotoport=udp/l2tp
        right=vpn.office.com
        rightprotoport=udp/l2tp
        rightid=17.11.7.5
        auto=add

Having restarted ipsec, I get the following result

code:

    # ipsec up VPN-OFFICE-COM
    initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
    generating ID_PROT request 0 [ SA V V V V ]
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
    received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
    parsed ID_PROT response 0 [ SA V V ]
    received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
    received FRAGMENTATION vendor ID
    generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
    received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
    parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
    received Cisco Unity vendor ID
    received XAuth vendor ID
    received unknown vendor ID: [Available On Request]
    received unknown vendor ID: [Available On Request]
    local host is behind NAT, sending keep alives
    generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
    received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
    parsed ID_PROT response 0 [ ID HASH V ]
    received DPD vendor ID
    IKE_SA VPN-OFFICE-COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
    generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID NAT-OA NAT-OA ]
    sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
    received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
    parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID N((24576)) NAT-OA ]
    received 28800s lifetime, configured 0s
    no acceptable traffic selectors found
    establishing connection 'VPN-OFFICE-COM' failed

--
Kind regards
Stephen Feyrer

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] Incorrect Phase II for Cisco IOS Transport VPN
I'm trying to build a gre tunnel / transport based IPSec VPN between a Cisco IOS router and a device running strongswan on openwrt. I successfully negotiate phase 1 but then fail to negotiate phase 2. The Cisco device indicates proxy identities are not supported, which would suggest that the IPSec session is being negotiated with the wrong IP addresses.

Here are the log messages from the Cisco device:

    .Apr 18 08:26:03.870: ISAKMP:(13414):Checking IPSec proposal 0
    .Apr 18 08:26:03.870: ISAKMP: transform 1, ESP_AES
    .Apr 18 08:26:03.870: ISAKMP: attributes in transform:
    .Apr 18 08:26:03.870: ISAKMP: key length is 128
    .Apr 18 08:26:03.870: ISAKMP: authenticator is HMAC-SHA512
    .Apr 18 08:26:03.870: ISAKMP: encaps is 2 (Transport)
    .Apr 18 08:26:03.870: ISAKMP: SA life type in seconds
    .Apr 18 08:26:03.870: ISAKMP: SA life duration (basic) of 3600
    .Apr 18 08:26:03.870: ISAKMP:(13414):atts are acceptable.
    .Apr 18 08:26:03.870: IPSEC(ipsec_process_proposal): proxy identities not supported
    .Apr 18 08:26:03.870: ISAKMP:(13414): IPSec policy invalidated proposal with error 32
    .Apr 18 08:26:03.870: ISAKMP:(13414): phase 2 SA policy not acceptable! (local x.x.x.x remote 10.2.0.29)

And here is the configuration for strongswan. I had originally omitted the subnet definitions but I added them to ensure that the correct subnets were specified.

    conn host-host
        left=10.2.0.29
        leftid=10.2.0.29
        leftsubnet=10.2.0.29/32
        right=x.x.x.x
        rightid=x.x.x.x
        rightsubnet=x.x.x.x/32
        type=transport
        auto=start
        keyexchange=ikev1
        ike=aes128-sha256-modp4096!
        esp=aes128-sha512!
        authby=secret

I am running strongswan 5.2.2 on Openwrt. The Cisco router is running a dev special release of 15.3(3)M3.2.

Thank you in advance for your help,

-JohnF
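Two things in this digest lend themselves to a small tool: Miroslav's layout rule for ipsec.conf (section headers in column 0, every parameter indented), and the Phase 2 question in the thread above, where the Cisco router rejects the "proxy identities" (its name for the traffic selectors strongSwan derives from left/leftsubnet/leftprotoport and their right-side counterparts). The Python below is an added example written for this page, not strongSwan's code and not something either poster ran: it lints an ipsec.conf-style text and reports the line number of any unindented parameter, then prints the selectors each conn would propose. The selector model is a deliberate simplification (transport mode or no subnet yields the host address, otherwise the subnet; %defaultroute and hostnames are not resolved), the two conn texts are constructed, trimmed copies of the configurations in this digest with one line of Stephen's left unindented on purpose, and the protoport=gre variant is an assumption added only to show how protoport changes the proposed selector, not a statement about what John's router expects.

```python
"""Lint ipsec.conf-style text and model the IKEv1 Quick Mode selectors a conn
proposes.  Added example for this thread, not strongSwan's own code; the
selector model is a deliberate simplification (see traffic_selector)."""
import ipaddress
import re

SECTION_RE = re.compile(r"^\s*(conn|ca|config)\s+(\S+)\s*$")
PROTO_NAMES = {"udp": 17, "tcp": 6, "gre": 47, "icmp": 1}  # subset, for the example
PORT_NAMES = {"l2tp": 1701, "isakmp": 500}

def lint_ipsec_conf(text):
    """Parse into {section: {key: value, "_type": kind}} and collect layout
    problems as (line_number, message): headers in column 0, parameters indented."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        indented = raw[0] in " \t"
        m = SECTION_RE.match(line)
        if m:
            if indented:
                problems.append((lineno, "section header must start in column 0"))
            current = sections.setdefault(m.group(2), {"_type": m.group(1)})
            continue
        if "=" not in line or current is None:
            problems.append((lineno, "expected 'key=value' inside a section"))
            continue
        if not indented:  # the layout mistake discussed in the thread
            problems.append((lineno, "parameter must be indented inside its section"))
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections, problems

def _num(token, names):
    """Numeric protocol/port, accepting a number or one of the known names."""
    return int(token) if token.isdigit() else names[token.lower()]

def parse_protoport(spec):
    """'udp/l2tp', '17/1701', 'gre' or '' -> (protocol, port); 0 means any."""
    if not spec or spec == "%any":
        return 0, 0
    proto, _, port = spec.partition("/")
    return _num(proto, PROTO_NAMES), (0 if port in ("", "%any") else _num(port, PORT_NAMES))

def traffic_selector(conn, side):
    """Selector one side ('left'/'right') proposes: (network, protocol, port).
    Simplified: transport mode or no subnet -> the host address itself, else the
    configured subnet; %defaultroute and hostnames stay as unresolved strings."""
    subnet = conn.get(side + "subnet")
    use_host = conn.get("type", "tunnel") == "transport" or not subnet
    spec = conn.get(side, "") if use_host else subnet
    try:
        network = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        network = spec
    proto, port = parse_protoport(conn.get(side + "protoport", ""))
    return network, proto, port

def describe_selectors(conn):
    """'addr proto/port <-> addr proto/port': the pair to hold against what the
    peer logs as its proxy identities / traffic selectors."""
    return " <-> ".join("%s %d/%d" % traffic_selector(conn, side) for side in ("left", "right"))

# Constructed, trimmed copy of Stephen's conn; the last parameter is deliberately
# left in column 0 so the layout check has something to report (line 9).
STEPHEN_CONF = """\
conn VPN-OFFICE-COM
\tkeyexchange=ikev1
\ttype=transport
\tleft=%defaultroute
\tleftprotoport=udp/l2tp
\tright=vpn.office.com
\trightprotoport=udp/l2tp
\trightid=17.11.7.5
auto=add
"""

# Constructed, trimmed copy of John's conn (x.x.x.x is his own placeholder).
JOHN_CONF = """\
conn host-host
    left=10.2.0.29
    leftsubnet=10.2.0.29/32
    right=x.x.x.x
    rightsubnet=x.x.x.x/32
    type=transport
    keyexchange=ikev1
    authby=secret
"""

if __name__ == "__main__":
    for who, text in (("Stephen", STEPHEN_CONF), ("John", JOHN_CONF)):
        sections, problems = lint_ipsec_conf(text)
        for lineno, msg in problems:
            print("%s: line %d: %s" % (who, lineno, msg))
        for name, conn in sections.items():
            print("%s: conn %s proposes %s" % (who, name, describe_selectors(conn)))
    # Assumed variant for comparison only: protoport=gre on both sides.
    john = lint_ipsec_conf(JOHN_CONF)[0]["host-host"]
    gre = dict(john, leftprotoport="gre", rightprotoport="gre")
    print("John: with protoport=gre it would propose %s" % describe_selectors(gre))
```

Run as a script it flags line 9 of the constructed Stephen conn, prints "%defaultroute 17/1701 <-> vpn.office.com 17/1701" for it, and "10.2.0.29/32 0/0 <-> x.x.x.x 0/0" for John's conn (any protocol, host to host), which is the pair to set beside the "local x.x.x.x remote 10.2.0.29" the router logs; the gre variant shows the same hosts with protocol 47.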
Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
Hi Miroslav,

Thank you. The conn section as presented below was copied and pasted from a web page for convenience (this stripped the leading white space from the conn section). For the moment the white spaces are in the form of TAB characters. I will test with space characters and complete this email.

I apologise for the lack of white spaces in the conn section of the email below.

I have now tested with both spaces and tabs, each producing the same error as below.

--
Kind regards
Stephen Feyrer.

On Sat, 18 Apr 2015 13:25:20 +0100, Miroslav Svoboda goodmi...@goodmirek.cz wrote:

> Hi Stephen,
>
> I believe the issue might be caused by the conn section not being compliant with the prescribed format. There should be at least one whitespace at the beginning of each line within the section. Only sections can and shall start at the first character of the line.
>
> Supposed correction:
>
> conn VPN-OFFICE-COM
>     keyexchange=ikev1
>     type=transport
>     authby=secret
>     ike=3des-sha1-modp1024
>     rekey=no
>     left=%defaultroute
>     leftprotoport=udp/l2tp
>     right=vpn.office.com
>     rightprotoport=udp/l2tp
>     rightid=17.11.7.5
>     auto=add
>
> Regards,
> Miroslav
>
>> Message: 3
>> Date: Fri, 17 Apr 2015 14:08:57 +0100
>> From: Stephen Feyrer stephen.fey...@btinternet.com
>> To: users@lists.strongswan.org
>> Subject: Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
>> Message-ID: op.xw8ms7kfx77...@sveta.home.org
>> Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
>>
>> Hi Neol,
>>
>> Thank you. I have removed the file /etc/strongswan.d/VPN.conf. In /etc/ipsec.conf I have the same configuration. At least there is progress; unfortunately I am still baffled.
>>
>> This is the previously working configuration.
Re: [strongSwan] How to tunnel traffic towards the public IP of the remote gateway?
Cheers. It worked beautifully.

Tiago

On 17-04-2015 08:27, Martin Willi wrote:

> Hi,
>
>> Does %dynamic work in net2net? Or only in road-warrior scenarios?
>
> If any has been negotiated, %dynamic resolves to the virtual IP for that endpoint. If not, it resolves to the IKE endpoint address. It can be used in either scenario, but has a slightly different behavior.
>
> Regards
> Martin