> IPSEC configuration issue. I previously posted Strongswan config files
> for my working DNAT setup.
>
> -Tom
True, and I'm basing my endpoint (IPSEC gateway) config on that:
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2

conn ipv4
    left=192.168.111.16
    leftid=@quantum-equities.com
    leftsubnet=192.168.111.0/24,10.1.1.0/24
    leftcert=carl-ipseccert.pem
    right=%any
    rightsourceip=192.168.111.0/24
    rightdns=192.168.111.10
    auto=add
The StrongSwan app doesn't allow much flexibility in what can be set, so I
think that's right:
Server: quantum-equities.com
VPN Type: IKEv2 Certificate
User Cert: carl-ipsec's VPN cert
User ID: c.a.c...@quantum-equities.com
CA Cert: Select automatically
Profile Name: quantum-equities.com
... no Advanced Settings.
The error has only changed once, when I added hosts and tunnels, and that
change was only in the source daemon (it went from strongswan to charon). I'm
putting my ipsec.conf file in /etc/strongswan/ipsec.d, which should be picked up
by the daemon, and seems to be, judging from systemctl status strongswan:
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-12-24 11:09:50 PST; 3s ago
 Main PID: 47590 (starter)
   CGroup: /system.slice/strongswan.service
           ├─47590 /usr/libexec/strongswan/starter --daemon charon --nofork
           └─47599 /usr/libexec/strongswan/charon

Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/carl-ipseckey.pem'
Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[LIB] loaded plugins: charon random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
Dec 24 11:09:50 zeta.darkmatter.org charon[47599]: 00[JOB] spawning 16 worker threads
Dec 24 11:09:50 zeta.darkmatter.org ipsec_starter[47590]: charon (47599) started after 20 ms
Dec 24 11:09:50 zeta.darkmatter.org strongswan[47590]: charon (47599) started after 20 ms
For some reason the endpoint sees me trying to authenticate from 172.58.40.177
rather than from 29.124.236.116, my phone's actual IP.
I must be consistently doing something fundamentally wrong, which few other
people out there have done, judging from searches. Two weeks full-time, trying
to learn and fix this, and I am out of ideas. It seems hopeless.
Dec 24 11:15:17 zeta charon: 05[NET] received packet: from 172.58.40.177[23037] to 192.168.111.16[500] (704 bytes)
Dec 24 11:15:17 zeta charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 24 11:15:17 zeta charon: 05[IKE] no IKE config found for 192.168.111.16...172.58.40.177, sending NO_PROPOSAL_CHOSEN
Dec 24 11:15:17 zeta charon: 05[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Dec 24 11:15:17 zeta charon: 05[NET] sending packet: from 192.168.111.16[500] to 172.58.40.177[23037] (36 bytes)
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
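The charon line "no IKE config found for A...B, sending NO_PROPOSAL_CHOSEN" is logged during IKE_SA_INIT when no loaded conn has a left address matching A and a right matching B (or %any); the N(NATD_S_IP)/N(NATD_D_IP) payloads in the same request are only NAT detection and do not affect conn selection. The Python script below is an added example, not part of the post or of strongSwan: it parses an ipsec.conf text, merges the %default section into each conn, reports which conns would match the two addresses from such a log line, flags any parameter given twice within one section (easy to miss by eye), and flags a rightsourceip pool that overlaps a leftsubnet (strongSwan can only usefully hand out virtual IPs from the local subnet when the gateway answers ARP for them, i.e. with the farp plugin). The embedded conf and log line are constructed samples copied from the post, with the leftid line deliberately kept twice to exercise the duplicate-key check; the function names are my own.

```python
"""Cross-check a charon 'no IKE config found for A...B' line against ipsec.conf.

Added example (not strongSwan code). Only the address dimension of charon's
conn selection is mirrored here; identities and certificates are not checked.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: the gateway section from the post, leftid given twice.
SAMPLE_CONF = """\
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2

conn ipv4
    left=192.168.111.16
    leftid=quantum-equities.com
    leftsubnet=192.168.111.0/24,10.1.1.0/24
    leftcert=carl-ipseccert.pem
    leftid=@quantum-equities.com
    right=%any
    rightsourceip=192.168.111.0/24
    rightdns=192.168.111.10
    auto=add
"""

# Constructed sample log line in charon's format.
SAMPLE_LOG = ("Dec 24 11:15:17 zeta charon: 05[IKE] no IKE config found for "
              "192.168.111.16...172.58.40.177, sending NO_PROPOSAL_CHOSEN")

NO_CFG_RE = re.compile(r"no IKE config found for (\S+?)\.\.\.(\S+?),")


def parse_ipsec_conf(text):
    """Return (conns, dup_keys).

    conns:    {name: params} with the %default section merged into each conn.
    dup_keys: {name: [parameters that appeared more than once in that section]}.
    ipsec.conf rules: section headers start at column 0, parameters are indented.
    """
    sections, counts, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else None
            if current is not None:
                sections[current] = {}
                counts[current] = Counter()
            continue
        if current is None:                       # e.g. inside 'config setup'
            continue
        key, _, val = line.strip().partition("=")
        key, val = key.strip(), val.strip()
        counts[current][key] += 1
        sections[current][key] = val              # last value wins in this parser
    default = sections.pop("%default", {})
    counts.pop("%default", None)
    conns = {name: {**default, **params} for name, params in sections.items()}
    dup_keys = {name: sorted(k for k, n in counts[name].items() if n > 1)
                for name in conns}
    return conns, dup_keys


def matching_conns(conns, local_ip, peer_ip):
    """Conns whose left/right would match the addresses of an IKE_SA_INIT."""
    names = []
    for name, p in conns.items():
        if p.get("auto", "ignore") == "ignore":   # never loaded by starter
            continue
        left, right = p.get("left", "%any"), p.get("right", "%any")
        left_ok = left in ("%any", "%defaultroute") or left == local_ip
        right_ok = right == "%any" or right == peer_ip
        if left_ok and right_ok:
            names.append(name)
    return names


def pool_overlaps_local_subnet(params):
    """True if the rightsourceip pool overlaps any leftsubnet prefix."""
    pool = params.get("rightsourceip", "")
    if not pool or pool.startswith("%") or "-" in pool:  # %dhcp, ranges: skipped
        return False
    try:
        pool_net = ipaddress.ip_network(pool, strict=False)
    except ValueError:                            # named pool, not a prefix
        return False
    for sub in params.get("leftsubnet", "").split(","):
        sub = sub.strip()
        if sub and pool_net.overlaps(ipaddress.ip_network(sub, strict=False)):
            return True
    return False


def diagnose(conf_text, log_line):
    """Return a summary dict for a 'no IKE config found' line, else None."""
    m = NO_CFG_RE.search(log_line)
    if not m:
        return None
    local_ip, peer_ip = m.groups()
    conns, dup_keys = parse_ipsec_conf(conf_text)
    return {
        "local": local_ip,
        "peer": peer_ip,
        "matching": matching_conns(conns, local_ip, peer_ip),
        "duplicate_keys": {n: k for n, k in dup_keys.items() if k},
        "pool_overlap": [n for n, p in conns.items() if pool_overlaps_local_subnet(p)],
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF, SAMPLE_LOG))
```

For the sample, the script reports that conn "ipv4" matches 192.168.111.16 and 172.58.40.177 on address, that leftid is duplicated, and that the virtual IP pool overlaps the local subnet. When a conn matches on paper but charon still logs the line, the running daemon does not have that conn loaded; `ipsec statusall` lists the connections charon actually holds, which is the first thing to compare against the file.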