[strongSwan] Resolved: iOS connection only working over IPv6
RESOLVED

I have managed to fix this. The cause was that I was using the same left subnet IP address as the one I connect into by hostname, creating two routes. I noticed this by running a ping from the IPsec adapter to the server and it worked. When I changed the left subnet side, I was able to telnet to the ports the server provides on that left subnet.

On 04/07/2022 15:01, Lewis Robson wrote:

Hello all,

I am having issues under certain conditions with iOS devices not correctly connecting into my IPsec solution. My full set up consists of two parts:

An Android connection using the strongSwan application, which works as expected: the device connects and the server / client can ping each other. The device can fully access the server's listening ports and the solution works.

An iPhone connection which connects and works on mobile data that is only provided an IPv6 address; however, it does not work on IPv4 addresses, including the same network that the Android solution works on. iPhone 11, software version: 15.5

In addition to this, and worth a mention in case it's related: when attempting connection from a MacBook (Monterey 12.3.1), the device connects and gets assigned an IP, the server can then ping the device and receive a response; however, the device can't ping the server directly or connect to any of the ports. We don't require the Mac to be a part of the final solution currently, so this isn't an issue, however maybe this is a clue?

I believe it is likely I am missing a policy rule in one of the strongSwan config files, because the Android device works without issue and the iPhone works over mobile data with only an IPv6 address (the provider using NAT64 to translate to IPv4).

The ipsec.conf is as follows:

    config setup
        charondebug="all"
        uniqueids=no

    conn android
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=@cerberus.conscious.co.uk
        leftcert=cerberus.conscious.co.uk.crt
        leftsendcert=always
        leftsubnet=156.67.0.0/16
        right=%any
        rightid=%any
        rightauth=pubkey
        rightsourceip=10.10.10.0/16
        rightdns=10.1.0.50,8.8.8.8,8.8.4.4
        rightsendcert=never
        eap_identity=%identity
        ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
        esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

    conn apple
        inactivity=6000
        dpdtimeout=6000s
        dpddelay=30
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=@cerberus.conscious.co.uk
        leftcert=cerberus.conscious.co.uk.crt
        leftsendcert=always
        leftsubnet=156.67.0.0/16
        right=%any
        rightid=%any
        # pubkey didn't work so using eap-tls
        rightauth=eap-tls
        rightsourceip=10.10.10.0/24
        # the post had "10,1,0,50" here, assumed to be a typo for 10.1.0.50 (as in conn android)
        rightdns=10.1.0.50,8.8.8.8,8.8.4.4
        rightsendcert=never
        eap_identity=%identity
        ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
        esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!

Here are the last few lines from the logs when connection is attempted from the iPhone over wifi / with an IPv4 address.

    Jul 4 14:22:43 cerberus charon[3945804]: 05[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TLS ]
    Jul 4 14:22:43 cerberus charon[3945804]: 05[IKE] EAP method EAP_TLS succeeded, MSK established
    Jul 4 14:22:43 cerberus charon[3945804]: 05[ENC] generating IKE_AUTH response 9 [ EAP/SUCC ]
    Jul 4 14:22:43 cerberus charon[3945804]: 05[NET] sending packet: from external-ip[4500] to clients-ip[4500] (76 bytes)
    Jul 4 14:22:43 cerberus charon[3945804]: 07[NET] received packet: from clien
    xternal-ip[cerberus.conscious.co.uk]...clients-ip[u...@conscious.co.uk]
    Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] peer requested virtual IP %any
    Jul 4 14:22:43 cerberus charon[3945804]: 07[CFG] reassigning offline lease to 'u...@conscious.co.uk'
    Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] assigning virtual IP 10.10.10.1 to peer 'u...@conscious.co.uk'
    Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] peer requested virtual IP %any6
    Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] no virtual IP found for %any6 requested by 'u...@conscious.co.uk'
    Jul 4 14:22:43 cerberus charon[3945804]: 07[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
    Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] CHILD_SA apple{2} established with SPIs c1c88d8d_i 0e330f25_o and TS external-ip/32 === 10.10.10.1/32
    Jul 4 14:22:43 cerberus charon[3945804]: 07[ENC] generating IKE_AUTH response 10 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
    Jul 4 14:22:43 cerberus charon[3945804]: 07[NET] sending packet: from external-ip[4500] to clients-ip[4500] (252 bytes)
    Jul 4 14:22:43 cerberus charon[3945804]: 07[ENC] generating IKE_AUTH response 10 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
    Jul 4 14:22:43 cerberus charon[3945804]: 07[NET] sending packet: from external-ip[4500] to clients-ip[4500] (252 bytes)
    Jul 4 14:23:29 cerberus charon[3945804]: 01[NET] received packet: from clients-ip[4500] to external-ip[4500] (76 bytes)
    Jul 4 14:23:29 cerberus charon[3945804]: 01[ENC] parsed INFORMATIONAL request 11 [ D ]
    Jul 4 14:23:29 cerberus charon[3945804]: 01[IKE] received DELETE for IKE_SA apple[4]
    Jul 4 14:23:29 cerberus charon[3945804]: 01[IKE] deleting IKE_SA apple[4] between external-ip[cerberus.conscious.co.uk]...clients-ip[a...@conscious.co.uk]
    Jul 4 14:23:29 cerberus charon[3945804]: 01[IKE] IKE_SA deleted
    Jul 4 14:23:29 cerberus charon[3945804]: 01[ENC] generating INFORMATIONAL response 11 [ ]
    Jul 4 14:23:29 cerberus charon[3945804]: 01[NET] sending packet: from external-ip[4500] to clients-ip[4500] (76 bytes)
    Jul 4 14:23:29 cerberus charon[3945804]: 01[CFG] lease 10.10.10.1 by 'u...@conscious.co.uk' went offline

    ==> /var/log/secure <==
    Jul 4 14:22:43 cerberus charon[3945804]: 15[IKE] clients-ip is initiating an IKE_SA
    Jul 4 14:22:43 cerberus charon[3945804]: 06[IKE] clients-ip is initiating an IKE_SA
    Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] IKE_SA apple[4] established between external-ip[cerberus.conscious.co.uk]...clients-ip[u...@conscious.co.uk]
    Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] CHILD_SA apple{2} established with SPIs c1c88d8d_i 0e330f25_o and TS external-ip/32 === 10.10.10.1/32

Does anyone have any thoughts and / or suggestions as to what I could be missing, or guidance on where to look to fix this?

Thank you

--
Lewis Robson
Systems Administrator
Conscious Solutions Limited
Tel: 0117 325 0200
Web: https://www.conscious.co.uk
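The check behind the fix above, as an added example that is not code from the thread or from strongSwan: a POSIX shell script that reads an ipsec.conf and reports any leftsubnet value that covers the address clients use to reach the gateway (the overlap that produced the two routes). The sample ipsec.conf, the extra conns and the gateway address 156.67.200.1 are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports any leftsubnet in an
# ipsec.conf that covers the address clients use to reach the VPN gateway.
# In the resolved case above, leftsubnet=156.67.0.0/16 covered the server's
# own address; the fix was a leftsubnet that no longer includes it.

# ip4_to_int ADDR: print a dotted quad as a 32-bit integer, fail on bad input
ip4_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains CIDR ADDR: succeed if ADDR lies inside CIDR; a bare address
# is treated as a /32, as ipsec.conf does; returns 2 on malformed input
cidr_contains() {
    case $1 in
        */*) net=${1%/*}; bits=${1#*/} ;;
        *)   net=$1;      bits=32 ;;
    esac
    case $bits in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$bits" -le 32 ] || return 2
    n=$(ip4_to_int "$net") || return 2
    a=$(ip4_to_int "$2") || return 2
    # mask of $bits leading ones, trimmed to 32 bits on 64-bit shells
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( n & mask )) -eq $(( a & mask )) ]
}

# check_leftsubnets GATEWAY_ADDR < ipsec.conf: one line per leftsubnet value
# (comma-separated lists are split); returns 1 if any value other than a
# full-tunnel 0.0.0.0/0 covers the gateway address
check_leftsubnets() {
    gateway=$1; status=0
    for cidr in $(sed -n 's/^[[:space:]]*leftsubnet[[:space:]]*=[[:space:]]*//p' | tr ',' ' '); do
        if [ "$cidr" = "0.0.0.0/0" ]; then
            echo "full-tunnel leftsubnet=$cidr (client must route the gateway outside the tunnel)"
        elif cidr_contains "$cidr" "$gateway"; then
            echo "CONFLICT leftsubnet=$cidr covers gateway address $gateway"
            status=1
        else
            echo "ok leftsubnet=$cidr"
        fi
    done
    return $status
}

# Constructed sample modelled on the thread's conn apple; the second and
# third conns and the gateway address 156.67.200.1 are invented
sample_conf() {
    cat <<'EOF'
conn apple
    leftid=@cerberus.conscious.co.uk
    leftsubnet=156.67.0.0/16
    rightsourceip=10.10.10.0/24

conn apple-lan-only
    leftsubnet=10.1.0.0/16,192.168.50.0/24

conn apple-full
    leftsubnet=0.0.0.0/0
EOF
}

# Usage on a real host: check_leftsubnets GATEWAY_IP < /etc/ipsec.conf
sample_conf | check_leftsubnets 156.67.200.1 || echo "at least one conflicting leftsubnet"
```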
Re: [strongSwan] problem with iOS / iPhone, Android works okay, please help :)
That worked, thank you :)

On 08/10/2021 16:47, Lewis Robson wrote:

Hi Tobias,

No, it isn't a subjectAltName in the certificate. We will look to add this in and check back, thanks :)

On 08/10/2021 16:11, Tobias Brunner wrote:

Is "user" a subjectAltName in the client certificate?

--
Lewis Robson
Systems Administrator
Conscious Solutions Limited
Tel: 0117 325 0200
Web: https://www.conscious.co.uk
[strongSwan] problem with iOS / iPhone, Android works okay, please help :)
Hello all,

We are having some problems connecting an iPhone user to the strongSwan solution. Android works okay through the strongSwan app; however, Apple doesn't seem to work and doesn't have a strongSwan app. The certificates are signed by our external CA, the user certs were generated the same way, and as mentioned the Android config (a different config to the one below) works fine (and iOS doesn't work with our Android config).

The error we are seeing when trying to connect the iPhone is:

    received TLS peer certificate
    Oct 7 15:27:19 charon[21758]: 12[TLS] received TLS intermediate certificate CN=our CA, E=ca@company'
    Oct 7 15:27:19 charon[21758]: 12[TLS] no trusted certificate found for 'user' to verify TLS peer
    Oct 7 15:27:19 charon[21758]: 12[TLS] sending fatal TLS alert 'certificate unknown'

The user has the CA as well as the key(s) on the phone.

The config ipsec.conf we are using:

    conn ikev2-vpn
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=@cerberus.conscious.co.uk
        leftcert=theservercertificate
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightauth=eap-tls
        rightsourceip=10.10.10.0/24
        rightdns=8.8.8.8,8.8.4.4
        rightsendcert=never
        eap_identity=%identity
        ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
        esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!

Any help much appreciated, thank you
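An added example, not code from the thread or from strongSwan, for the identity check behind the "no trusted certificate found for 'user'" error above and Tobias Brunner's subjectAltName question in the reply: a POSIX shell script that takes the text form of a client certificate (as printed by `openssl x509 -noout -text`) and reports whether the identity the client presents appears as a subjectAltName rather than only in the subject CN. The sample certificate text and the example.com identities are constructed; check_client_cert runs openssl on a real PEM file and is not exercised by the sample.

```shell
#!/bin/sh
# Added example, not code from the thread. strongSwan looks up the client's
# certificate by the identity the client presents (the thread's 'user');
# that identity has to be carried as a subjectAltName, a CN alone is not
# enough. Input is the text form printed by `openssl x509 -noout -text`.

# san_entries < cert-text: print each subjectAltName entry on its own line,
# e.g. "email:user@example.com" or "DNS:phone1.example.com"
san_entries() {
    awk '
        found {
            sub(/^[ \t]+/, "")
            n = split($0, parts, /, */)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
            exit
        }
        /X509v3 Subject Alternative Name/ { found = 1 }
    '
}

# identity_in_san IDENTITY < cert-text: succeed if IDENTITY equals the value
# of some SAN entry (type prefix such as "email:" or "DNS:" stripped)
identity_in_san() {
    san_entries | awk -v id="$1" '
        { v = $0; sub(/^[^:]*:/, "", v); if (v == id) ok = 1 }
        END { exit (ok ? 0 : 1) }
    '
}

# check_client_cert CERT_FILE IDENTITY: the same check against a PEM file
# (needs openssl on PATH; not exercised by the constructed sample below)
check_client_cert() {
    openssl x509 -in "$1" -noout -text | identity_in_san "$2"
}

# Constructed sample of openssl's text output for a client certificate whose
# SAN holds user@example.com but not the bare identity "user" from the CN,
# which is the shape of the failing case in the thread
sample_cert_text() {
    cat <<'EOF'
Certificate:
    Data:
        Subject: C = GB, O = Example Ltd, CN = user
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                email:user@example.com, DNS:phone1.example.com
            X509v3 Basic Constraints:
                CA:FALSE
EOF
}

# Usage on a real certificate: check_client_cert client.pem user@example.com
sample_cert_text | identity_in_san user || echo "'user' is only the CN, not a SAN"
```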
Re: [strongSwan] Fwd: problem with setup for Android connecting in
All,

Got this sorted in the end. It turned out that even though we were using iptables, the firewalld daemon was running in the background and was interfering :)

On 27/09/2021 11:54, Lewis Robson wrote:

Hello all,

Still having the same problem with this one. This morning I set up another site to site from another external node to make sure that the server I'm working on can talk out; the connection set up and worked fine.

Back to the drawing board. Using the below config or playing about with other ones, I can't get users in via an Android device even using just EAP authentication. I've just tried the config from https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Roadwarrior-scenario and had no luck.

Has anyone got any links, configs, advice etc. on setting up so that my mobile client can connect in properly?

Thank you

Forwarded Message
Subject: [strongSwan] problem with setup for android connecting in
Date: Fri, 24 Sep 2021 16:43:14 +0100
From: Lewis Robson
To: users@lists.strongswan.org

Hi all,

Trying to re-create our strongSwan setup on a new server. We had a working proof of concept but the old server was scrapped. We had some files copied for the config that unfortunately aren't working for some reason now. Also, with charon debug we are not receiving logs for some reason; nothing in journalctl to help either?

The scenario:

Server with an external facing IP hosting strongSwan (no firewall currently for testing setup).
Clients connecting in via mobile strongSwan with certificate and EAP so that they can be on the network. The plan is to have it so that any phone traffic routes through here and any other traffic doesn't.

We have done the local server as the CA for testing, and copied the CA cert to the phone; however it won't connect. As there are no logs server side this doesn't help (but a tcpdump when trying to connect shows:

    isakmp: isakmp: parent_sa ikev2_init[I] admin prohibited filter, length 556

Phone logs show:

    unable to terminate ike_sa, peer not responding

Here is the config file that I named "android working" from the old server that isn't working now. (There are duplicate entries of rightsendcert, should this be never? Also for the rightauth, what should I be expecting my .secrets file to look like?)

    config setup
        charondebug="ike 1, knl 1, cfg 0"
        uniqueids=no

    conn ikev2-vpn
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=my-servers-external-ip
        leftcert=the-server-cert
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightsendcert=always
        rightauth=pubkey
        authby=pubkey
        #rightauth=eap-mschapv2
        rightsourceip=10.10.10.0/24
        rightdns=8.8.8.8,8.8.4.4
        rightsendcert=never
        eap_identity=%identity
        ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!

Any help much appreciated, thank you kindly

--
Lewis Robson
Systems Administrator
Conscious Solutions Limited
Tel: 0117 325 0200
Web: https://www.conscious.co.uk
Re: [strongSwan] transport mode Android problems
Thank you kindly :)

On 22/07/2021 19:46, Noel Kuntze wrote:

Hello Lewis,

That is because the Android app can only reasonably support tunnel mode with virtual IPs. See the wiki article [1] for it, please.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient

On 22.07.21 at 15:31, Lewis Robson wrote:

Hi all,

I am having trouble connecting an Android device to strongSwan in transport mode.

Android works with tunnel mode and certificates.
Android doesn't work with transport mode and certificates.

Here is my current config I am using for testing transport mode (working tunnel mode conf below):

    conn host
        left=myexternalip
        leftcert=mycert
        leftsendcert=always
        leftauth=pubkey
        right=%any
        rightid=%any
        type=transport
        auto=add
        rightauth=pubkey
        authby=pubkey

Error I'm seeing from the server end:

    peer requested virtual IP %any
    no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
    Jul 22 14:25:50 cerberus charon: 16[IKE] configuration payload negotiation failed, no CHILD_SA built
    Jul 22 14:25:50 cerberus charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA

From the Android end:

    received internal address failure notify, no child sa built
    closing ike sa due child sa setup failure

Config that works with the Android device in tunnel mode and X.509 certificates is below (removing left subnet, changing type and removing right source ip breaks the connection and I can't get in):

    conn phones-on
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=externalip
        leftcert=mycert
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightsendcert=always
        rightauth=pubkey
        authby=pubkey
        #rightauth=eap-mschapv2
        rightsourceip=10.10.10.0/24
        rightdns=8.8.8.8,8.8.4.4
        rightsendcert=never
        eap_identity=%identity
        ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!

Any ideas?

Thank you :)

--
Lewis Robson
Systems Administrator
Conscious Solutions Limited
Tel: 0117 325 0200
Web: https://www.conscious.co.uk
Re: [strongSwan] help setting up connection for 1 type of traffic
Third one! I've figured it, I think: removing the subnet line seems to be doing the job, I think?

On 14/07/2021 11:42, Lewis Robson wrote:

Just a follow up, it's the auto line that stops connection, not the type.

Thanks

On 14/07/2021 11:30, Lewis Robson wrote:

Hello all.

I've been stuck on this one for many, many hours now! I am trying to set up a connection (split routing?) that will allow 1 type of traffic, and the rest will be normally routed through the user's device as per their usual connection. E.g. if they hit x IP address with y service, it will be allowed through; otherwise, if they went to Google and did a "what's my IP", their current IP will show and not the IPsec IP.

With my current set up, IPsec is working but users get the IPsec IP. If I set to transport mode, I can still connect to the VPN; however it stops me being able to SSH on until I stop the strongSwan service.

Here is my config:

    conn into-ext-vpn
        auto=route
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=servers external ip
        leftcert=server-cert.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightsourceip=10.0.3.0/24
        rightdns=8.8.8.8,8.8.4.4
        rightsendcert=never
        eap_identity=%identity
        ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
        esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

Please can someone advise on how to go about setting it up so that I can have users connect in when they request 1 specific service, otherwise they continue to use their current network?

Thank you

--
Lewis Robson
Systems Administrator
Conscious Solutions Limited
Tel: 0117 325 0200
Web: https://www.conscious.co.uk