Re: [strongSwan] Site-to-site VPN configuration help
> Wed, 2020-03-25 15:08 14[CFG] <3> looking for pre-shared key peer configs matching x.x.x.x...y.y.y.y[172.20.0.10]
> Wed, 2020-03-25 15:08 14[IKE] <3> no peer config found

> rightid=aws

Wrong id. The remote peer sends 172.20.0.10 as its own id, not 'aws'.

On 25.03.20 at 16:13, Dafydd Tomos wrote:
> On 25/03/2020 14:50, Noel Kuntze wrote:
>>> server-to-aws: 10.100.15.1...y.y.y.y IKEv1, dpddelay=15s
>>> I ended up adding an interface for 10.100.15.1 as that what appears to be required.
>> The conn is configured for x.x.x.x, not 10.100.15.1. strongSwan doesn't need such an address.
>> Set left=x.x.x.x.
>>
> Ah thanks. That's what I did originally in fact. The log now shows it looping around those proposing traffic selectors. Before this change it was trying to connect. Now it says 0 connecting.
>
> Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-11-amd64, x86_64):
>   uptime: 5 seconds, since Mar 25 15:07:42 2020
>   malloc: sbrk 2297856, mmap 0, used 418656, free 1879200
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
> Listening IP addresses:
>   x.x.x.x
>   10.100.15.1
> Connections:
> server-to-aws:  x.x.x.x...y.y.y.y  IKEv1, dpddelay=15s
> server-to-aws:   local:  [server] uses pre-shared key authentication
> server-to-aws:   remote: [aws] uses pre-shared key authentication
> server-to-aws:   child:  10.100.15.0/24 === 172.21.0.0/16 172.22.0.0/16 TUNNEL, dpdaction=restart
> Security Associations (0 up, 0 connecting):
>   none
>
> Wed, 2020-03-25 15:08 13[IKE] <3> y.y.y.y is initiating a Main Mode IKE_SA
> Wed, 2020-03-25 15:08 13[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
> Wed, 2020-03-25 15:08 13[CFG] <3> selecting proposal:
> Wed, 2020-03-25 15:08 13[CFG] <3>   proposal matches
> Wed, 2020-03-25 15:08 13[CFG] <3> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
> Wed, 2020-03-25 15:08 13[CFG] <3> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_MD5_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
> Wed, 2020-03-25 15:08 13[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
> Wed, 2020-03-25 15:08 13[IKE] <3> sending XAuth vendor ID
> Wed, 2020-03-25 15:08 13[IKE] <3> sending DPD vendor ID
> Wed, 2020-03-25 15:08 13[IKE] <3> sending FRAGMENTATION vendor ID
> Wed, 2020-03-25 15:08 13[IKE] <3> sending NAT-T (RFC 3947) vendor ID
> Wed, 2020-03-25 15:08 13[ENC] <3> generating ID_PROT response 0 [ SA V V V V ]
> Wed, 2020-03-25 15:08 13[NET] <3> sending packet: from x.x.x.x[500] to y.y.y.y[500] (164 bytes)
> Wed, 2020-03-25 15:08 10[NET] <3> received packet: from y.y.y.y[500] to x.x.x.x[500] (316 bytes)
> Wed, 2020-03-25 15:08 10[ENC] <3> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> Wed, 2020-03-25 15:08 10[LIB] <3> size of DH secret exponent: 1535 bits
> Wed, 2020-03-25 15:08 10[IKE] <3> remote host is behind NAT
> Wed, 2020-03-25 15:08 10[ENC] <3> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
> Wed, 2020-03-25 15:08 10[NET] <3> sending packet: from x.x.x.x[500] to y.y.y.y[500] (332 bytes)
> Wed, 2020-03-25 15:08 14[NET] <3> received packet: from y.y.y.y[4500] to x.x.x.x[4500] (108 bytes)
> Wed, 2020-03-25 15:08 14[ENC] <3> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> Wed, 2020-03-25 15:08 14[CFG] <3> looking for pre-shared key peer configs matching x.x.x.x...y.y.y.y[172.20.0.10]
> Wed, 2020-03-25 15:08 14[IKE] <3> no peer config found
> Wed, 2020-03-25 15:08 14[IKE] <3> queueing INFORMATIONAL task
> Wed, 2020-03-25 15:08 14[IKE] <3> activating new tasks
> Wed, 2020-03-25 15:08 14[IKE] <3> activating INFORMATIONAL task
> Wed, 2020-03-25 15:08 1
Re: [strongSwan] Site-to-site VPN configuration help
On 25/03/2020 14:50, Noel Kuntze wrote:
>> server-to-aws: 10.100.15.1...y.y.y.y IKEv1, dpddelay=15s
>> I ended up adding an interface for 10.100.15.1 as that what appears to be required.
> The conn is configured for x.x.x.x, not 10.100.15.1. strongSwan doesn't need such an address.
> Set left=x.x.x.x.
>

Ah thanks. That's what I did originally in fact. The log now shows it looping around those proposing traffic selectors. Before this change it was trying to connect. Now it says 0 connecting.

Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-11-amd64, x86_64):
  uptime: 5 seconds, since Mar 25 15:07:42 2020
  malloc: sbrk 2297856, mmap 0, used 418656, free 1879200
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  x.x.x.x
  10.100.15.1
Connections:
server-to-aws:  x.x.x.x...y.y.y.y  IKEv1, dpddelay=15s
server-to-aws:   local:  [server] uses pre-shared key authentication
server-to-aws:   remote: [aws] uses pre-shared key authentication
server-to-aws:   child:  10.100.15.0/24 === 172.21.0.0/16 172.22.0.0/16 TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
  none

Wed, 2020-03-25 15:08 13[IKE] <3> y.y.y.y is initiating a Main Mode IKE_SA
Wed, 2020-03-25 15:08 13[IKE] <3> IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
Wed, 2020-03-25 15:08 13[CFG] <3> selecting proposal:
Wed, 2020-03-25 15:08 13[CFG] <3>   proposal matches
Wed, 2020-03-25 15:08 13[CFG] <3> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Wed, 2020-03-25 15:08 13[CFG] <3> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_MD5_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
Wed, 2020-03-25 15:08 13[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Wed, 2020-03-25 15:08 13[IKE] <3> sending XAuth vendor ID
Wed, 2020-03-25 15:08 13[IKE] <3> sending DPD vendor ID
Wed, 2020-03-25 15:08 13[IKE] <3> sending FRAGMENTATION vendor ID
Wed, 2020-03-25 15:08 13[IKE] <3> sending NAT-T (RFC 3947) vendor ID
Wed, 2020-03-25 15:08 13[ENC] <3> generating ID_PROT response 0 [ SA V V V V ]
Wed, 2020-03-25 15:08 13[NET] <3> sending packet: from x.x.x.x[500] to y.y.y.y[500] (164 bytes)
Wed, 2020-03-25 15:08 10[NET] <3> received packet: from y.y.y.y[500] to x.x.x.x[500] (316 bytes)
Wed, 2020-03-25 15:08 10[ENC] <3> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Wed, 2020-03-25 15:08 10[LIB] <3> size of DH secret exponent: 1535 bits
Wed, 2020-03-25 15:08 10[IKE] <3> remote host is behind NAT
Wed, 2020-03-25 15:08 10[ENC] <3> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Wed, 2020-03-25 15:08 10[NET] <3> sending packet: from x.x.x.x[500] to y.y.y.y[500] (332 bytes)
Wed, 2020-03-25 15:08 14[NET] <3> received packet: from y.y.y.y[4500] to x.x.x.x[4500] (108 bytes)
Wed, 2020-03-25 15:08 14[ENC] <3> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Wed, 2020-03-25 15:08 14[CFG] <3> looking for pre-shared key peer configs matching x.x.x.x...y.y.y.y[172.20.0.10]
Wed, 2020-03-25 15:08 14[IKE] <3> no peer config found
Wed, 2020-03-25 15:08 14[IKE] <3> queueing INFORMATIONAL task
Wed, 2020-03-25 15:08 14[IKE] <3> activating new tasks
Wed, 2020-03-25 15:08 14[IKE] <3> activating INFORMATIONAL task
Wed, 2020-03-25 15:08 14[ENC] <3> generating INFORMATIONAL_V1 request 266312254 [ HASH N(AUTH_FAILED) ]
Wed, 2020-03-25 15:08 14[NET] <3> sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (108 bytes)
Wed, 2020-03-25 15:08 14[IKE] <3> IKE_SA (unnamed)[3] state change: CONNECTING => DESTROYING
Wed, 2020-03-25 15:08 03[CFG] proposing traffic selectors for us:
Wed, 2020-03-25 15:08 03[CFG]  10.100.15.0/24
Wed, 2020-03-25 15:08 03[CFG] proposing traffic selectors for other:
Wed, 2020-0
Re: [strongSwan] Site-to-site VPN configuration help
> server-to-aws: 10.100.15.1...y.y.y.y IKEv1, dpddelay=15s

> I ended up adding an interface for 10.100.15.1 as that what appears to be required.

The conn is configured for x.x.x.x, not 10.100.15.1. strongSwan doesn't need such an address.
Set left=x.x.x.x.

On 25.03.20 at 15:47, Dafydd Tomos wrote:
> Status output and debug below (anonymised, but consistent)
>
> Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-11-amd64, x86_64):
>   uptime: 4 seconds, since Mar 25 14:45:06 2020
>   malloc: sbrk 1892352, mmap 0, used 417440, free 1474912
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
>   loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
> Listening IP addresses:
>   x.x.x.x
>   10.100.15.1
> Connections:
> server-to-aws:  10.100.15.1...y.y.y.y  IKEv1, dpddelay=15s
> server-to-aws:   local:  [server] uses pre-shared key authentication
> server-to-aws:   remote: [aws] uses pre-shared key authentication
> server-to-aws:   child:  10.100.15.0/24 === 172.21.0.0/16 172.22.0.0/16 TUNNEL, dpdaction=restart
> Security Associations (0 up, 1 connecting):
> server-to-aws[1]: CONNECTING, 10.100.15.1[%any]...y.y.y.y[%any]
> server-to-aws[1]: IKEv1 SPIs: f8ad92b2d16ea9a4_i* _r
> server-to-aws[1]: Tasks queued: QUICK_MODE
> server-to-aws[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
>
> Wed, 2020-03-25 14:41 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-11-amd64, x86_64)
> Wed, 2020-03-25 14:41 00[LIB] plugin 'aesni': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'aes': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'rc2': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'sha2': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'sha1': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'md5': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'random': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'nonce': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'x509': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'revocation': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'constraints': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'pubkey': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs1': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs7': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs8': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs12': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'pgp': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'dnskey': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'sshkey': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'pem': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'openssl': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'fips-prf': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'gmp': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'agent': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'xcbc': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'hmac': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'gcm': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'attr': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'kernel-netlink': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'resolve': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'socket-default': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'connmark': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'stroke': loaded successfully
> Wed, 2020-03-25 14:41 00[LIB] plugin 'updown': loaded successfully
> Wed, 2020-03-25 14:41 00[KNL] known interfaces and IP addresses:
> Wed, 2020-03-25 14:41 00[KNL]   lo
> Wed, 2020-03-25 14:41 00[KNL]     127.0.0.1
> Wed, 2020-03-25 14:41 00[KNL]     ::1
> Wed, 2020-03-25 14:41 00[KNL]   eth0
> Wed, 2020-03-25 14:41 00[KNL]   eth1
> Wed, 2020-03-25 14:41 00[KNL]   bond0
> Wed, 2020-03-25 14:41 00[KNL]     x.x.x.x
> Wed, 2020-03-25 14:41 00[KNL]     10.100.15.1
> Wed, 2020-03-25 14:41 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
> Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
> Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
> Wed, 2020-03-25 14:41 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
> Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1
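Noel's two diagnoses in this thread (the conn is configured for x.x.x.x, not 10.100.15.1; and the peer identifies itself as 172.20.0.10, not 'aws') can both be read straight out of the charon log. The script below is an added example, not code from the thread or from strongSwan: it parses a conn out of ipsec.conf with a small purpose-built parser, scans charon log lines for "no IKE config found for A...B" and for "looking for ... peer configs matching A...B[ID]" followed by "no peer config found", and reports where left and rightid disagree with what the peer actually used. The embedded config and log lines are constructed from the thread's anonymised values; parse_ipsec_conf, check_conn and suggested_settings are the script's own names.

```python
"""Cross-check a strongSwan ipsec.conf conn against charon log lines.

Added example for this thread; not code from the thread or from strongSwan.
"""
import re

# Constructed sample: the poster's conn reduced to what this checker reads
# (x.x.x.x / y.y.y.y are the thread's own anonymisation placeholders).
SAMPLE_CONF = """\
config setup
    charondebug="all"
    uniqueids=yes

conn server-to-aws
    authby=secret
    type=tunnel
    auto=start
    leftid=server
    # poster's value; the log shows the peer reaching us on x.x.x.x
    left=10.100.15.1
    leftsubnet=10.100.15.0/24
    right=y.y.y.y
    # poster's value; the log shows the peer sending 172.20.0.10
    rightid=aws
    rightsubnet=172.21.0.0/16,172.22.0.0/16
    keyexchange=ikev1
    ike=aes256-sha256-modp1536
    esp=aes256-sha256-modp1536
"""

# Constructed sample log lines in the shape of the thread's charon output
# (timestamps dropped).
SAMPLE_LOG = """\
07[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
14[ENC] <3> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
14[CFG] <3> looking for pre-shared key peer configs matching x.x.x.x...y.y.y.y[172.20.0.10]
14[IKE] <3> no peer config found
"""

SECTION_RE = re.compile(r'^(conn|config)\s+(\S+)')
NO_IKE_CFG_RE = re.compile(r'no IKE config found for (\S+?)\.\.\.(\S+?),')
PEER_CFG_RE = re.compile(
    r'looking for .*? peer configs matching (\S+?)\.\.\.(\S+?)\[([^\]]+)\]')
NO_PEER_CFG_RE = re.compile(r'no peer config found')


def parse_ipsec_conf(text):
    """Return {name: {key: value}} for every 'conn' section of an ipsec.conf.

    Section headers sit at column 0, settings are indented, '#' starts a
    comment: the classic ipsec.conf layout.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            m = SECTION_RE.match(line)
            current = conns.setdefault(m.group(2), {}) if m and m.group(1) == 'conn' else None
            continue
        if current is not None and '=' in line:
            key, value = line.strip().split('=', 1)
            current[key.strip()] = value.strip()
    return conns


def check_conn(conn, log_lines):
    """Return mismatches as (setting, configured, observed) triples.

    'left' is reported when charon received IKE on an address other than the
    configured left; 'rightid' when the peer's ID payload carried an identity
    other than the configured rightid (to strongSwan a bare word such as 'aws'
    is an FQDN identity, so it never matches an IPv4 identity from the peer).
    """
    findings = []

    def note(setting, configured, observed):
        triple = (setting, configured, observed)
        if triple not in findings:
            findings.append(triple)

    pending = None  # (me, other, peer_id) from the last 'looking for' line
    for line in log_lines:
        m = NO_IKE_CFG_RE.search(line)
        if m:
            me = m.group(1)
            if conn.get('left') not in (None, '%any', me):
                note('left', conn['left'], me)
            continue
        m = PEER_CFG_RE.search(line)
        if m:
            pending = m.groups()
            continue
        if NO_PEER_CFG_RE.search(line) and pending is not None:
            me, _other, peer_id = pending
            if conn.get('left') not in (None, '%any', me):
                note('left', conn['left'], me)
            if conn.get('rightid') not in (None, '%any', peer_id):
                note('rightid', conn['rightid'], peer_id)
            pending = None
    return findings


def suggested_settings(findings):
    """Map each mismatched setting to the value the log shows the peer using."""
    return {setting: observed for setting, _configured, observed in findings}


if __name__ == '__main__':
    conn = parse_ipsec_conf(SAMPLE_CONF)['server-to-aws']
    found = check_conn(conn, SAMPLE_LOG.splitlines())
    for setting, configured, observed in found:
        print(f'{setting}={configured} in ipsec.conf, but the log shows {observed}')
    print('suggested:', suggested_settings(found))
```

Run as-is it reports the two mismatches from the thread (left should be x.x.x.x, rightid should be 172.20.0.10). The rightid rule rests on strongSwan's identity parsing: a bare word is an FQDN identity, an IPv4 address is an IP identity, and the two never match, which is why the responder logs "no peer config found" and answers with N(AUTH_FAILED) instead of completing Main Mode.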
Re: [strongSwan] Site-to-site VPN configuration help
Status output and debug below (anonymised, but consistent)

Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-11-amd64, x86_64):
  uptime: 4 seconds, since Mar 25 14:45:06 2020
  malloc: sbrk 1892352, mmap 0, used 417440, free 1474912
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  x.x.x.x
  10.100.15.1
Connections:
server-to-aws:  10.100.15.1...y.y.y.y  IKEv1, dpddelay=15s
server-to-aws:   local:  [server] uses pre-shared key authentication
server-to-aws:   remote: [aws] uses pre-shared key authentication
server-to-aws:   child:  10.100.15.0/24 === 172.21.0.0/16 172.22.0.0/16 TUNNEL, dpdaction=restart
Security Associations (0 up, 1 connecting):
server-to-aws[1]: CONNECTING, 10.100.15.1[%any]...y.y.y.y[%any]
server-to-aws[1]: IKEv1 SPIs: f8ad92b2d16ea9a4_i* _r
server-to-aws[1]: Tasks queued: QUICK_MODE
server-to-aws[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD

Wed, 2020-03-25 14:41 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-11-amd64, x86_64)
Wed, 2020-03-25 14:41 00[LIB] plugin 'aesni': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'aes': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'rc2': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'sha2': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'sha1': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'md5': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'random': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'nonce': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'x509': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'revocation': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'constraints': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'pubkey': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs1': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs7': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs8': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs12': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'pgp': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'dnskey': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'sshkey': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'pem': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'openssl': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'fips-prf': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'gmp': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'agent': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'xcbc': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'hmac': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'gcm': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'attr': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'kernel-netlink': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'resolve': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'socket-default': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'connmark': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'stroke': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'updown': loaded successfully
Wed, 2020-03-25 14:41 00[KNL] known interfaces and IP addresses:
Wed, 2020-03-25 14:41 00[KNL]   lo
Wed, 2020-03-25 14:41 00[KNL]     127.0.0.1
Wed, 2020-03-25 14:41 00[KNL]     ::1
Wed, 2020-03-25 14:41 00[KNL]   eth0
Wed, 2020-03-25 14:41 00[KNL]   eth1
Wed, 2020-03-25 14:41 00[KNL]   bond0
Wed, 2020-03-25 14:41 00[KNL]     x.x.x.x
Wed, 2020-03-25 14:41 00[KNL]     10.100.15.1
Wed, 2020-03-25 14:41 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
Wed, 2020-03-25 14:41 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_
Re: [strongSwan] Site-to-site VPN configuration help
Hi,

Configure debug logging as shown on the HelpRequests[1] page and post it.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 25.03.20 at 15:13, Dafydd Tomos wrote:
> Hi,
>
> I am using strongSwan to connect to a supplier's VPN, but am having trouble understanding the IP network ranges required.
>
> The server I'm connecting from is a Debian server with strongswan 5.5.1. It has one public IP in a /29 so has one interface (bond0 using eth0/eth1). There are iptables rules for incoming traffic, nothing for outgoing. I ended up adding an interface for 10.100.15.1 as that what appears to be required.
>
> The 3rd party has supplied details for a Fortigate VPN. I have an AWS VPN endpoint IP along with the usual encryption details, using a PSK. It wants AES256 + SHA256 + DH Group 5
>
> It lists two 'encryption domain' IP ranges for their side. It also provides an encryption domain for our side. Here's the ipsec.conf, anonymised
>
> config setup
>     # strictcrlpolicy=yes
>     # uniqueids = no
>     charondebug="all"
>     uniqueids=yes
>     strictcrlpolicy=no
>
> conn server-to-aws
>     authby=secret
>     type=tunnel
>     auto=start
>     compress=no
>
>     leftid=server
>     # I tried these first
>     # left=x.x.x.x (public IP of our server)
>     # leftsubnet=x.x.x.x/29
>     left=10.100.15.1
>     leftsubnet=10.100.15.0/24 (encryption domain for our side, mandated by 3rd party)
>     leftfirewall=no
>
>     right=y.y.y.y (public VPN endpoint of 3rd party)
>     rightid=aws
>     rightsubnet=172.21.0.0/16, 172.22.0.0/16 (encryption domain of 3rd party)
>     keyexchange=ikev1
>     ike=aes256-sha256-modp1536
>     esp=aes256-sha256-modp1536
>     ikelifetime=24h
>     lifetime=24h
>     dpddelay=15
>     dpdtimeout=30
>
> Here's the log, anonymised with the same IPs
>
> Mar 25 14:03:55 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-11-amd64, x86_64)
> Mar 25 14:03:55 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Mar 25 14:03:55 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Mar 25 14:03:55 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Mar 25 14:03:55 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Mar 25 14:03:55 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Mar 25 14:03:55 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Mar 25 14:03:55 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
> Mar 25 14:03:55 charon: 00[CFG]   loaded IKE secret for 10.100.15.1 y.y.y.y
> Mar 25 14:03:55 charon: 00[CFG]   loaded IKE secret for x.x.x.x y.y.y.y
> Mar 25 14:03:55 charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default ck stroke updown
> Mar 25 14:03:55 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Mar 25 14:03:55 charon: 00[JOB] spawning 16 worker threads
> Mar 25 14:03:55 charon: 16[CFG] received stroke: add connection 'server-to-aws'
> Mar 25 14:03:55 charon: 16[CFG] added configuration 'server-to-aws'
> Mar 25 14:03:55 charon: 07[CFG] received stroke: initiate 'server-to-aws'
> Mar 25 14:03:55 charon: 07[IKE] initiating Main Mode IKE_SA server-to-aws[1] to y.y.y.y
> Mar 25 14:03:55 charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
> Mar 25 14:03:55 charon: 07[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
> Mar 25 14:03:59 charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
> Mar 25 14:03:59 charon: 12[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
> Mar 25 14:04:06 charon: 11[IKE] sending retransmit 2 of request message ID 0, seq 1
> Mar 25 14:04:06 charon: 11[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
> Mar 25 14:04:15 charon: 07[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
> Mar 25 14:04:15 charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
> Mar 25 14:04:15 charon: 07[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
> Mar 25 14:04:15 charon: 07[ENC] generating INFORMATIONAL_V1 request 852369688 [ N(NO_PROP) ]
> Mar 25 14:04:15 charon: 07[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
> Mar 25 14:04:16 snmpd[1797]: error on subcontainer 'ia_addr' insert (-1)
> Mar 25 14:04:18 charon: 10[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
> Mar 25 14:04:18 charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
> Mar 25 14:04
[strongSwan] Site-to-site VPN configuration help
Hi,

I am using strongSwan to connect to a supplier's VPN, but am having trouble understanding the IP network ranges required.

The server I'm connecting from is a Debian server with strongswan 5.5.1. It has one public IP in a /29 so has one interface (bond0 using eth0/eth1). There are iptables rules for incoming traffic, nothing for outgoing. I ended up adding an interface for 10.100.15.1 as that what appears to be required.

The 3rd party has supplied details for a Fortigate VPN. I have an AWS VPN endpoint IP along with the usual encryption details, using a PSK. It wants AES256 + SHA256 + DH Group 5

It lists two 'encryption domain' IP ranges for their side. It also provides an encryption domain for our side. Here's the ipsec.conf, anonymised

config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn server-to-aws
    authby=secret
    type=tunnel
    auto=start
    compress=no

    leftid=server
    # I tried these first
    # left=x.x.x.x (public IP of our server)
    # leftsubnet=x.x.x.x/29
    left=10.100.15.1
    leftsubnet=10.100.15.0/24 (encryption domain for our side, mandated by 3rd party)
    leftfirewall=no

    right=y.y.y.y (public VPN endpoint of 3rd party)
    rightid=aws
    rightsubnet=172.21.0.0/16, 172.22.0.0/16 (encryption domain of 3rd party)
    keyexchange=ikev1
    ike=aes256-sha256-modp1536
    esp=aes256-sha256-modp1536
    ikelifetime=24h
    lifetime=24h
    dpddelay=15
    dpdtimeout=30

Here's the log, anonymised with the same IPs

Mar 25 14:03:55 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-11-amd64, x86_64)
Mar 25 14:03:55 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 25 14:03:55 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 25 14:03:55 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 25 14:03:55 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 25 14:03:55 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 25 14:03:55 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 25 14:03:55 charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Mar 25 14:03:55 charon: 00[CFG]   loaded IKE secret for 10.100.15.1 y.y.y.y
Mar 25 14:03:55 charon: 00[CFG]   loaded IKE secret for x.x.x.x y.y.y.y
Mar 25 14:03:55 charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default ck stroke updown
Mar 25 14:03:55 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 25 14:03:55 charon: 00[JOB] spawning 16 worker threads
Mar 25 14:03:55 charon: 16[CFG] received stroke: add connection 'server-to-aws'
Mar 25 14:03:55 charon: 16[CFG] added configuration 'server-to-aws'
Mar 25 14:03:55 charon: 07[CFG] received stroke: initiate 'server-to-aws'
Mar 25 14:03:55 charon: 07[IKE] initiating Main Mode IKE_SA server-to-aws[1] to y.y.y.y
Mar 25 14:03:55 charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Mar 25 14:03:55 charon: 07[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:03:59 charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
Mar 25 14:03:59 charon: 12[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:04:06 charon: 11[IKE] sending retransmit 2 of request message ID 0, seq 1
Mar 25 14:04:06 charon: 11[NET] sending packet: from 10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Mar 25 14:04:15 charon: 07[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
Mar 25 14:04:15 charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
Mar 25 14:04:15 charon: 07[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Mar 25 14:04:15 charon: 07[ENC] generating INFORMATIONAL_V1 request 852369688 [ N(NO_PROP) ]
Mar 25 14:04:15 charon: 07[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Mar 25 14:04:16 snmpd[1797]: error on subcontainer 'ia_addr' insert (-1)
Mar 25 14:04:18 charon: 10[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (292 bytes)
Mar 25 14:04:18 charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
Mar 25 14:04:18 charon: 10[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Mar 25 14:04:18 charon: 10[ENC] generating INFORMATIONAL_V1 request 699850337 [ N(NO_PROP) ]
Mar 25 14:04:18 charon: 10[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Mar 25 14:04:19 charon: 14[IKE] sending retransmit 3 of request message ID 0, seq 1
Mar 25 14:04:19 charon: 14[NET] sending packet: