Re: [strongSwan] Connecting but not connected
This message was sent from outside of Greensill Capital. Please do not open
attachments or click on links unless you recognise the source of this email and
are certain the content is safe.
Hi Stephen,
> This looks to me like it has worked but I may be wrong. Is there a
> quick test to prove success?
>
> For example should 'ip address' offer a 'PPP' interface or something
> like that?
No, there is no separate interface. The virtual IP address is added to
a local interface (the ou
to 50.45.0.51[4500] (92 bytes)
Mon, 2019-08-19 11:49 07[IKE] activating new tasks
Mon, 2019-08-19 11:49 07[IKE] nothing to initiate
Mon, 2019-08-19 11:50 09[NET] received packet: from
50.45.0.51[4500] to 10.0.0.3[4500] (92 bytes)
Mon, 2019-08-19 11:50 09[ENC] parsed INFORMATIONAL_V1 request
154
Hi Stephen,
> I
> will send updates for push and pull separately. Sorry for all the emails...
Don't bother with `push`, it's definitely not the way to go.
The problem now is either your ESP algorithm proposals and/or the
traffic selectors (`left|rightsubnet`). Start with
`rightsubnet=0.0.
172 bytes)
Fri, 2019-08-16 16:12 06[NET] received packet: from
50.45.0.51[4500] to 10.0.0.3[4500] (76 bytes)
Fri, 2019-08-16 16:12 06[ENC] parsed INFORMATIONAL_V1 request
3215514754 [ HASH N(NO_PROP) ]
Fri, 2019-08-16 16:12 06[IKE] received NO_PROPOSAL_CHOSEN error
notify
Fri, 2019-08-16 16:1
Hi Stephen,
> Part Pull
The log/status doesn't seem to match that. There is no mode config
exchange in the log and the queued task given as QUICK_MODE. With
`pull` (that's actually the default) the client should send a mode
config request after XAuth.
Regards,
Tobias
19-08-16 16:17 05[NET] received packet: from
50.45.0.51[4500] to 10.0.0.3[4500] (92 bytes)
Fri, 2019-08-16 16:17 05[ENC] parsed INFORMATIONAL_V1 request
4173293943 [ HASH N(DPD) ]
Fri, 2019-08-16 16:17 05[IKE] queueing ISAKMP_DPD task
Fri, 2019-08-16 16:17 05[IKE] activating new tasks
Fri, 2019-08-16 16:17 05[IKE]activating I
Hi Stephen,
> I have already advised the team that Aggressive
> mode with psk is unsafe.
If you are at it, they shouldn't use IKEv1 or L2TP (if they actually do)
anymore either.
Looks like you might now have to add leftsourceip=%config again (the
peer is apparently not ready yet to accept Quick
] sending packet: from 10.0.0.3[4500]
to 50.45.0.51[4500] (204 bytes)
Fri, 2019-08-16 14:48 14[IKE] sending retransmit 2 of request
message ID 4038947095, seq 3
Fri, 2019-08-16 14:48 14[NET] sending packet: from 10.0.0.3[4500]
to 50.45.0.51[4500] (204 bytes)
Fri, 2019-08-16 14:48 15[CFG] proposing traff
Hi Stephen,
> Here are the details in full:
That first log you posted is useless. It's not the daemon's log (you
configured logging to a separate file yourself in strongswan.conf).
Your problem now is the `authby` setting. Since the peer wants to do
XAuth you have to set it to `xauthpsk` (which
be relevant:
Phase 1,
IKE version 1, Aggressive, Mode Config, Dead Peer Detection, NAT Traversal
IKE Proposal AES128 SHA1
AES256 SHA256
Phase 2,
Enable Replay Detection
IKE Proposal AES128 SHA1
AES256 SHA1
DH Group 5
The responder is a FortiGate NVA applianc
Hi Stephen,
> I have tried with:
>
> # leftsourceip=%config
> modeconfig=pull
Leave both enabled to use a virtual IP. Comment both (as you tried) to
not use one.
> These both result with:
Please post the full logs.
Regards,
Tobias
Hi Stephen,
> Thank you for your helpful response.
>
> Unfortunately this has resulted in a similar outcome:
As I said, `leftsourceip=%config` might not be applicable if the goal is
to use L2TP.
Regards,
Tobias
Hi Stephen,
> modeconfig=push
You probably want to use `pull` here (at least if you actually want to
use a virtual IP and `leftsourceip=%config` is there on purpose - with
L2TP, which `left|rightprotoport` and your previous messages seem to
indicate, no virtual IPs are usually used).
Regards
Hi there,
I have found this informative page:
wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
I am unable to establish a connection, connecting but not connected. Please
help.
Thus please find the required details below:
Logs
Aug 15 17:13:30 Ubuntu-18 sudo[1932]: user : TTY=pts/0