Re: [strongSwan] new to strongswan and couldn't establish a connection

2011-01-19 Thread Alok Thaker
Hi,

What you are trying to do is, I think, x2tp with IPsec. If your machine is
behind NAT you need to compile strongSwan with NAT support. Being very
addicted to VPN and a fan of strongSwan, I have also written an ebook on
implementing PPTP, L2TP, IPsec, SSL VPN and Mobile VPN at
http://www.ebooksyours.com/how_to_vpn.html .

Thanks,
Alok

On Wed, Jan 19, 2011 at 9:12 PM, Spacelee fjct...@gmail.com wrote:


 This is the first time I have tried strongSwan, and I couldn't establish a
 connection. Here is the configuration file:
 server : centos 5.5 64 bit
 strongswan : newest
 client : mac os

 ipsec.conf :
 config setup
     # crlcheckinterval=600
     # strictcrlpolicy=yes
     # cachecrls=yes
     nat_traversal=yes
     charonstart=yes
     plutostart=yes
 conn L2TP
     authby=psk
     pfs=no
     rekey=no
     type=tunnel
     left=192.168.1.97
     leftnexthop=%defaultroute
     leftprotoport=17/1701
     right=%any
     rightprotoport=17/%any
     rightsubnetwithin=0.0.0.0/0
     auto=add


 xl2tpd.conf
 [global]
 debug network = yes
 debug tunnel = yes
 [lns default]
 ip range = 10.0.0.200-10.0.0.254
 local ip = 10.0.0.1
 require chap = yes
 refuse pap = yes
 require authentication = yes
 name = NIELSPEEN.COM
 ppp debug = yes
 pppoptfile = /etc/ppp/options.xl2tpd
 length bit = yes


 options.xl2tpd
 ipcp-accept-local
 ipcp-accept-remote
 ms-dns 8.8.8.8
 noccp
 auth
 crtscts
 idle 1800
 mtu 1410
 mru 1410
 nodefaultroute
 debug
 lock
 proxyarp
 connect-delay 5000


 ipsec.secrets
 192.168.1.97 %any : PSK testpsk

 and the /var/log/secure

 Jan 19 23:31:18 localhost pluto[13051]: listening for IKE messages
 Jan 19 23:31:18 localhost pluto[13051]: adding interface eth0/eth0
 192.168.1.97:500
 Jan 19 23:31:18 localhost pluto[13051]: adding interface eth0/eth0
 192.168.1.97:4500
 Jan 19 23:31:18 localhost pluto[13051]: adding interface lo/lo
 127.0.0.1:500
 Jan 19 23:31:18 localhost pluto[13051]: adding interface lo/lo
 127.0.0.1:4500
 Jan 19 23:31:18 localhost pluto[13051]: adding interface lo/lo ::1:500
 Jan 19 23:31:18 localhost pluto[13051]: loading secrets from
 /etc/ipsec.secrets
 Jan 19 23:31:18 localhost pluto[13051]:   loaded PSK secret for
 192.168.1.97 %any
 Jan 19 23:31:18 localhost ipsec_starter[13050]: charon (13069) started
 after 20 ms
 Jan 19 23:31:18 localhost pluto[13051]: added connection description L2TP
 Jan 19 23:31:25 localhost pluto[13051]: packet from 192.168.1.102:500:
 received Vendor ID payload [RFC 3947]
 Jan 19 23:31:25 localhost pluto[13051]: packet from 192.168.1.102:500:
 ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
 Jan 19 23:31:25 localhost pluto[13051]: packet from 192.168.1.102:500:
 ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
 Jan 19 23:31:25 localhost pluto[13051]: packet from 192.168.1.102:500:
 ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
 Jan 19 23:31:25 localhost pluto[13051]: packet from 192.168.1.102:500:
 ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
 Jan 19 23:31:25 localhost pluto[13051]: packet from 192.168.1.102:500:
 ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
 Jan 19 23:31:25 localhost pluto[13051]: packet from 192.168.1.102:500:
 ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
 Jan 19 23:31:25 localhost pluto[13051]: packet from 192.168.1.102:500:
 ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
 Jan 19 23:31:25 localhost pluto[13051]: packet from 192.168.1.102:500:
 ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
 Jan 19 23:31:25 localhost pluto[13051]: packet from 192.168.1.102:500:
 ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
 Jan 19 23:31:25 localhost pluto[13051]: packet from 192.168.1.102:500:
 received Vendor ID payload [Dead Peer Detection]
 Jan 19 23:31:25 localhost pluto[13051]: packet from 192.168.1.102:500:
 initial Main Mode message received on 192.168.1.97:500 but no connection
 has been authorized with policy=PSK
 Jan 19 23:31:28 localhost pluto[13051]: packet from 192.168.1.102:500:
 received Vendor ID payload [RFC 3947]
 Jan 19 23:31:28 localhost pluto[13051]: packet from 192.168.1.102:500:
 ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
 Jan 19 23:31:28 localhost pluto[13051]: packet from 192.168.1.102:500:
 ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
 Jan 19 23:31:28 localhost pluto[13051]: packet from 192.168.1.102:500:
 ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
 Jan 19 23:31:28 localhost pluto[13051]: packet from 192.168.1.102:500:
 ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
 Jan 19 23:31:28 localhost pluto[13051]: packet from 192.168.1.102:500:
 ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
 Jan 19 23:31:28 localhost pluto[13051]: packet from 192.168.1.102:500:
 ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
 Jan 19 23:31:28 localhost 

Re: [strongSwan] strongswan ipsec XAUTH+PSK and iphone Problem !

2009-09-08 Thread Alok Thaker
Hi Techies,

I am in a severe problem. With the help of Andreas and my grey
cells we made the iPhone work for IPsec too, but the thing is I am not
able to browse when I connect to the IPsec VPN from the iPhone with XAUTH + PSK. I
have masquerading enabled and this rule works fine for L2TP + IPsec.

When I look on the iPhone and MacBook I don't get a DNS IP from strongSwan
IPsec. Is there any parameter to manually push the DNS from ipsec.conf?

Please help me ASAP, I am stuck due to this.

Thanks,
Alok

On Tue, Sep 8, 2009 at 8:36 PM, Alok Thaker alok.a...@gmail.com wrote:

 What could the possible resolutions be? I checked: the command comes from ipsec,
 which is from /usr/local/sbin/ipsec, and it reads the
 /usr/local/etc/ipsec.conf created by strongSwan. I am awaiting your
 answer for the DNS and internet browsing.

 And if strongswan-4.3.5 is introduced, how would we define it? It is
 very urgent for me to at least get the internet running.

 Thanks,
 Alok




 On Tue, Sep 8, 2009 at 11:01 AM, Andreas Steffen 
 andreas.stef...@strongswan.org wrote:

 Hi Alok,

 strongSwan doesn't have an ipsec verify command and does not
 enable opportunistic encryption by default. I think you
 got that from an earlier Openswan installation.

 Currently the IKEv1 pluto daemon does not support virtual
 IP pools yet. This feature will be introduced with the
 4.3.5 release in November. Currently you have to define
 one connection for each iphone client.

 Best regards

 Andreas

 Alok Thaker wrote:
  Hi Andreas,
 
  I fired the command ipsec verify; it shows opportunistic encryption
  checks on. Is that perhaps the reason for not allowing the client to browse
  the internet? And if I have kept rightsourceip=some ip it would be used for all
  iPhone clients simultaneously; can I give a range of IPs to it or not?
 
  Please help on this issue.
 
  Thanks,
  Alok
 
  On Tue, Sep 8, 2009 at 7:43 AM, Alok Thaker alok.a...@gmail.com
 wrote:
 
  Hi Andreas,
 
  No, still iPhone clients can connect to strongSwan but can't browse. I also
  added that rule but it isn't working.
 
  Thanks,
  Alok
 
 
  On Mon, Sep 7, 2009 at 8:39 AM, Alok Thaker alok.a...@gmail.com
 wrote:
 
  Would test and let you know, Andreas. At present there is an internet
  downtime at my office. I am sending this message from my BlackBerry.
 
  Would let you know if this works or not in some time.
 
  Thanks,
  Alok
 
 
  On Mon, Sep 7, 2009 at 8:23 AM, andi andreas.stef...@strongswan.org
 wrote:
 
  Could you try to exempt traffic to be tunneled from masquerading by
  inserting the following rule:
 
  iptables -t nat -I POSTROUTING 1 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
 
  Andreas
 
  On Mon, 7 Sep 2009 08:18:51 -0400, Alok Thaker alok.a...@gmail.com
  wrote:
  Here it is, Andreas.
 
  iptables -v -n -t nat -L POSTROUTING
  Chain POSTROUTING (policy ACCEPT 188 packets, 13511 bytes)
   pkts bytes target      prot opt in   out   source      destination
    122 15835 MASQUERADE  all  --  *    eth0  0.0.0.0/0   0.0.0.0/0
   113K 8162K MASQUERADE  all  --

 ==
 Andreas Steffen andreas.stef...@strongswan.org
 strongSwan - the Linux VPN Solution!                www.strongswan.org
 Institute for Internet Technologies and Applications
 University of Applied Sciences Rapperswil
 CH-8640 Rapperswil (Switzerland)
 ===[ITA-HSR]==



___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
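
An added example, not part of the original thread: the rule suggested above uses `-I POSTROUTING 1` because the first matching rule in a chain wins, so the IPsec exemption only helps if it sits ahead of the MASQUERADE rules. The check below reads `iptables -t nat -S POSTROUTING` style output on stdin; the function name and the three sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# check_nat_exempt: succeed only if an outbound IPsec policy-match ACCEPT
# rule appears before the first MASQUERADE rule in the POSTROUTING chain.
check_nat_exempt() {
    awk '
        $1 != "-A" || $2 != "POSTROUTING" { next }  # skip -P lines, other chains
        { n++ }                                      # rule position in the chain
        /-m policy/ && /--dir out/ && /--pol ipsec/ && /-j ACCEPT/ {
            if (!exempt) exempt = n
        }
        /-j MASQUERADE/ { if (!masq) masq = n }
        END {
            if (!masq) { print "ok: no MASQUERADE rule present"; exit 0 }
            if (!exempt) {
                printf "fail: MASQUERADE at rule %d, no IPsec exemption\n", masq
                exit 1
            }
            if (exempt < masq) {
                printf "ok: exemption at rule %d precedes MASQUERADE at rule %d\n", exempt, masq
                exit 0
            }
            printf "fail: exemption at rule %d is after MASQUERADE at rule %d\n", exempt, masq
            exit 1
        }'
}

# Constructed sample: masquerade only, as in the listing quoted in the thread.
BEFORE='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Constructed sample: exemption inserted at position 1 (-I POSTROUTING 1).
AFTER='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Constructed sample: exemption appended (-A), so MASQUERADE still matches first.
APPENDED='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT'

for ruleset in "$BEFORE" "$AFTER" "$APPENDED"; do
    printf '%s\n' "$ruleset" | check_nat_exempt || true
done
```

On a live gateway the same function can be fed with `iptables -t nat -S POSTROUTING | check_nat_exempt`.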


[strongSwan] I can ping to google but can't browse in iphone/macbook + strongswan !

2009-09-08 Thread Alok Thaker
Hi Techies,

I got ping running through IPsec, but the only thing is that
neither the MacBook nor the iPhone gets the DNS IP so that it can resolve. Can you let
me know how I can push our DNS IP to the IPsec clients which connect to our
strongSwan?

I also tried keeping in charon but strongSwan doesn't allow include
/usr/local/etc/strongswan.conf at line charon - Unexpected string. I have
also tried compiling --enable-charon=yes while make of strongSwan.

Please help, I am near to success. The only thing is, I suppose, it is not
getting the DNS IP pushed from the IPsec server to resolve the net.

Thanks,
Alok