On Thu, 4 Oct 2018, Johannes C. Schulz wrote:
> Hello LibreSwan community! It was a long way to get my libreswan connecting to a
> vpn-server (which is actually a DSL router from bintec). The server accepts
> IPsec IKEv1 connection with PSK. I can connect, but there is no traffic through
> the tunnel. The problem must be on the roadwarrior side, because I can connect
> and transfer data through the tunnel if I connect with a windows machine to the
> vpn-server (using ShrewSoft).
>
> I wrote this config:
>
> config setup
>     protostack = netkey
>
> conn Office1
>     authby = secret
>     right = some.domain.tld
>     rightid = @Office_admin
>     rightnexthop = %defaultroute
>     left = 192.168.42.91
>     leftsubnet = 192.168.92.0/24
>     leftvti = 192.168.92.234/24
>     leftid = @Office
>     keyexchange = ike
>     ike = aes256-sha2;modp2048
>     esp = aes256-sha2;modp2048
>     ikelifetime = 4h
>     keylife = 8h
>     auto = add
>     aggrmode = yes
>     vti-interface = vti0
>     vti-routing = yes
>     mark = 5/0xffffffff
Try adding sha2_truncbug=yes and see if that fixes your issue. The
router might be doing "broken linux compatibility" mode by default.
> netstat -r -n
> Kernel-IP-Routentabelle
> Ziel            Router          Genmask         Flags MSS Fenster irtt Iface
> 0.0.0.0         192.168.42.129  0.0.0.0         UG      0 0       0 enp0s12u2
> xx.yyy.zzz.vv   0.0.0.0         255.255.255.255 UH      0 0       0 vti0
> 169.254.0.0     0.0.0.0         255.255.0.0     U       0 0       0 enp0s12u2
> 192.168.42.0    0.0.0.0         255.255.255.0   U       0 0       0 enp0s12u2
> 192.168.92.0    0.0.0.0         255.255.255.0   U       0 0       0 vti0
What does "ip route" say? It is important to see if you got the proper
route into the VTI interface. I assume xx.yyy.zzz.vv is some.domain.tld's IP?
> ping 192.168.92.10
> PING 192.168.92.10 (192.168.92.10) 56(84) bytes of data.
> From 192.168.92.234 icmp_seq=1 Destination Host Unreachable
Is this on the remote end? Because you defined that to be on your end?
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
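The three things Paul asks about (is there a route into the VTI, is the ping target really on the remote side or inside the subnet the conn declares as local, and would sha2_truncbug=yes help against a peer in "broken linux compatibility" mode) can be checked mechanically. The script below is an added example written for this thread, not code from libreswan or from either poster. It parses a conn block in ipsec.conf syntax and a sample of `ip route` output; both inputs are constructed here from the config and the netstat table quoted above (the peer address 203.0.113.7 is a documentation placeholder standing in for xx.yyy.zzz.vv), and the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the conn block from the thread, in ipsec.conf syntax.
SAMPLE_CONF = """
config setup
    protostack = netkey

conn Office1
    authby = secret
    right = some.domain.tld
    rightid = @Office_admin
    rightnexthop = %defaultroute
    left = 192.168.42.91
    leftsubnet = 192.168.92.0/24
    leftvti = 192.168.92.234/24
    leftid = @Office
    keyexchange = ike
    ike = aes256-sha2;modp2048
    esp = aes256-sha2;modp2048
    ikelifetime = 4h
    keylife = 8h
    auto = add
    aggrmode = yes
    vti-interface = vti0
    vti-routing = yes
    mark = 5/0xffffffff
"""

# Constructed sample of `ip route` output, modelled on the netstat table in the
# thread; 203.0.113.7 is a placeholder for the peer's public address.
SAMPLE_ROUTES = """
default via 192.168.42.129 dev enp0s12u2
203.0.113.7 dev vti0 scope link
169.254.0.0/16 dev enp0s12u2 scope link
192.168.42.0/24 dev enp0s12u2 proto kernel scope link src 192.168.42.91
192.168.92.0/24 dev vti0 proto kernel scope link src 192.168.92.234
"""


def parse_conn(text, name):
    """Return the key/value settings of one 'conn <name>' section as a dict."""
    conn, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(conn|config)\s+(\S+)", line)
        if m:
            current = m.group(2) if m.group(1) == "conn" else None
            continue
        if current == name and "=" in line:
            k, v = line.split("=", 1)
            conn[k.strip()] = v.strip()
    return conn


def route_dev(routes_text, dst):
    """Longest-prefix match of dst against `ip route` lines; returns the egress device."""
    dst, best = ipaddress.ip_address(dst), None
    for line in routes_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            dev = parts[parts.index("dev") + 1] if "dev" in parts else None
            best = (net, dev)
    return best[1] if best else None


def diagnose(conn, routes_text, target):
    """Apply the checks raised in the thread to a conn, a route table and a ping target."""
    findings = []
    vti = conn.get("vti-interface")
    dev = route_dev(routes_text, target)
    if vti and dev != vti:
        findings.append(f"no route for {target} via {vti}; it would leave via {dev}")
    left_subnet = conn.get("leftsubnet")
    if left_subnet and ipaddress.ip_address(target) in ipaddress.ip_network(left_subnet, strict=False):
        findings.append(f"{target} lies inside leftsubnet {left_subnet}, "
                        "which this conn declares as the LOCAL side of the tunnel")
    if "rightsubnet" not in conn:
        # Without rightsubnet, libreswan's policy covers only the peer host itself.
        findings.append("rightsubnet not set: the IPsec policy covers only the peer host, "
                        "not a network behind it")
    if "sha2" in conn.get("esp", "") and conn.get("sha2_truncbug", "no") != "yes":
        # Older Linux kernels truncated SHA2-256 ICVs to 96 bits instead of RFC 4868's 128;
        # sha2_truncbug=yes makes libreswan match a peer that still does so.
        findings.append("esp uses sha2 without sha2_truncbug=yes; try it if the peer "
                        "emulates the old Linux 96-bit truncation")
    return findings


if __name__ == "__main__":
    office = parse_conn(SAMPLE_CONF, "Office1")
    for finding in diagnose(office, SAMPLE_ROUTES, "192.168.92.10"):
        print("-", finding)
```

Run against the quoted config, the route check passes (192.168.92.0/24 does point at vti0, as in the netstat table), and the remaining findings are exactly Paul's three questions: the ping target sits in the subnet the conn calls local, there is no rightsubnet to carry traffic to a remote network, and sha2_truncbug is unset. On a live host the same checks can be fed the real `ip route` output and the real ipsec.conf.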