Hi

Thanks for your input.

I would love to use IKEv2, but it is sadly not an option. Your changes to
auto=start make sense, but dns1 is still the only connection that
establishes an SA (STATE_MAIN_I4 ISAKMP SA ESTABLISHED). The other ones
seem stuck in QUICK_INIT_I1. The connection should be using main mode
only. If I run setkey -DP it only seems to add the UDP connections, if it
adds anything at all.

In the meantime I have configured racoon and setkey.conf (with 8 spdadd
rules) and it does work for both lookups and zone transfers, so I know
the other end is correctly set up. After shutting down racoon I can't
establish the connections again (timing out), so I guess I have to wait
for the connections to time out (dpd is perhaps not used on both ends),
so perhaps strongswan is working after your changes too? I will try
again after a couple of hours when the connections hopefully have died
on all ends.

Questions:

- Is QUICK_INIT in statusall related to aggressive mode, and if so, is it
  possible to force MAIN (I thought strongswan didn't support aggressive
  at all)?
- Don't I need 8 conn definitions in ipsec.conf too? I seem to be missing
  half the connections from the other end with my config compared to
  ACL/setkey.conf. Should I add a duplicate set of conns with a reversed
  "pair" of left and right IPs, or is this not necessary, as strongswan
  decides what left and right is for itself and therefore does this
  automatically?

Regards,
Hans-Kristian Bakke

On Mon, May 30, 2011 at 09:17, Andreas Steffen <[email protected]> wrote:
> Hello Hans-Kristian,
>
> first I recommend to use IKEv2 which is much faster
> and more robust:
>
> config setup
>         charonstart=yes
>         plutostart=no
>
> conn %default
>         keyexchange=ikev2
>         ikelifetime=28800
>         keylife=3600
>         auth=esp
>         authby=psk
>         type=transport
>         ike=aes128-sha1-modp1024!
>         esp=aes128-sha1-modp1024!
>         dpdaction=restart
>         dpddelay=60
>         dpdtimeout=500
>
> You can still log to a file using strongswan.conf:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>
> Do not put auto=start into the "conn %default" section since
> "conn dns_SRV" will also be started, allowing all protocols.
>
> Rather define:
>
> conn dns1
>         also=dns_SRV
>         leftprotoport=tcp
>         rightprotoport=tcp/53
>         auto=start
>
> conn dns2
>         also=dns_SRV
>         leftprotoport=udp
>         rightprotoport=udp/53
>         auto=start
>
> conn dns3
>         also=dns_SRV
>         leftprotoport=udp/53
>         rightprotoport=udp
>         auto=start
>
> conn dns4
>         also=dns_SRV
>         leftprotoport=tcp/53
>         rightprotoport=tcp
>         auto=start
>
> conn dns_SRV
>         left=10.17.0.11
>         right=10.27.64.11
>
> Best regards
>
> Andreas
>
> On 05/30/2011 08:27 AM, Hans-Kristian Bakke wrote:
>>
>> Hi
>>
>> I need to set up an ipsec connection (in transport mode) directly
>> between two DNS servers (host to host). The point is that only
>> DNS-server traffic should use the tunnel.
>> This is normally easy using Cisco equipment as an ACL can do this easily.
>> However I am really struggling to find a way to do this with
>> strongSwan. Using leftprotoport and rightprotoport and separate
>> connections doesn't seem to work correctly.
>>
>> The ACL I need to replicate on my end is this one (I have no influence
>> on the other end):
>> permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
>> permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
>> permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
>> permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
>> permit udp host 10.27.64.11 host 10.17.0.11 eq 53
>> permit udp host 10.17.0.11 eq 53 host 10.27.64.11
>> permit udp host 10.27.64.11 eq 53 host 10.17.0.11
>> permit udp host 10.17.0.11 host 10.27.64.11 eq 53
>>
>> This is my ipsec.conf so far. I can't get rid of the feeling that
>> something is missing:
>> (using v4.2.4-5+lenny3 on Debian Lenny)
>> --
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>>         charonstart=no
>>         plutostart=yes
>>         plutodebug=control
>>         nat_traversal=no
>>         plutostderrlog=/var/log/pluto.log
>>
>> conn %default
>>         keyexchange=ikev1
>>         ikelifetime=28800
>>         keylife=3600
>>         auth=esp
>>         authby=psk
>>         auto=start
>>         type=transport
>>         ike=aes128-sha1-modp1024
>>         esp=aes128-sha1-modp1024
>>         dpdaction=restart
>>         dpddelay=60
>>         dpdtimeout=500
>>
>> conn dns1
>>         leftprotoport=tcp
>>         rightprotoport=tcp/53
>>         also=dns_SRV
>>
>> conn dns2
>>         leftprotoport=udp
>>         rightprotoport=udp/53
>>         also=dns_SRV
>>
>> conn dns3
>>         leftprotoport=udp/53
>>         rightprotoport=udp
>>         also=dns_SRV
>>
>> conn dns4
>>         leftprotoport=tcp/53
>>         rightprotoport=tcp
>>         also=dns_SRV
>>
>> conn dns_SRV
>>         left=10.17.0.11
>>         right=10.27.64.11
>> ---
>>
>> When I run ipsec statusall, dns1 gets to STATE_MAIN_I4 (ISAKMP SA
>> ESTABLISHED) but the other ones don't seem to do anything.
>> The DNS traffic still goes out unencrypted.
>>
>> How can I replicate the ACL perfectly with strongswan?
>>
>> Mvh
>>
>> Hans-Kristian Bakke
>> Mob: 91 76 17 38
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
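The second question in the thread (whether 8 ACL lines need 8 conn definitions) comes down to the fact that a Cisco ACE is one-directional while a strongSwan conn's left/right selector pair is bidirectional: one conn installs both an inbound and an outbound policy, so a pair of mirrored ACEs collapses into one conn, and the 8-line ACL quoted above becomes Andreas' 4 conns. The script below is an added example and is not part of the thread or of strongSwan; it assumes only the `permit <proto> host <a> [eq <port>] host <b> [eq <port>]` grammar used in the post, takes the local address as the `left` side, dedupes the reversed direction of each flow into a single conn, and also renders the directional setkey `spdadd` rules the poster said he wrote by hand, so the 8-versus-4 difference is visible side by side.

```python
"""Collapse a directional Cisco-style ACL into strongSwan conn definitions.

Added example, not code from the thread or from the strongSwan project.
Assumes the ACE grammar used in the post and that a strongSwan conn's
left/right selectors cover both traffic directions, which is why each
mirrored pair of ACEs maps to exactly one conn.
"""
import re
from collections import OrderedDict

# Constructed input: the ACL quoted in the original post, verbatim.
ACL = """\
permit tcp host 10.27.64.11 host 10.17.0.11 eq 53
permit tcp host 10.17.0.11 eq 53 host 10.27.64.11
permit tcp host 10.27.64.11 eq 53 host 10.17.0.11
permit tcp host 10.17.0.11 host 10.27.64.11 eq 53
permit udp host 10.27.64.11 host 10.17.0.11 eq 53
permit udp host 10.17.0.11 eq 53 host 10.27.64.11
permit udp host 10.27.64.11 eq 53 host 10.17.0.11
permit udp host 10.17.0.11 host 10.27.64.11 eq 53
"""

ACE_RE = re.compile(
    r"^permit\s+(?P<proto>tcp|udp)\s+"
    r"host\s+(?P<src>\S+)(?:\s+eq\s+(?P<sport>\d+))?\s+"
    r"host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<dport>\d+))?\s*$"
)


def parse_acl(text):
    """Yield (proto, src, sport, dst, dport) per ACE; a port of None means any."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unsupported ACE: " + line)
        aces.append((m["proto"], m["src"], m["sport"], m["dst"], m["dport"]))
    return aces


def flows_to_conns(aces, local, remote):
    """Orient every ACE as (proto, local_port, remote_port) and count how many
    ACEs share that selector. Mirrored ACEs land on the same key, so the
    result has one entry per bidirectional strongSwan conn."""
    conns = OrderedDict()
    for proto, src, sport, dst, dport in aces:
        if src == local and dst == remote:
            key = (proto, sport, dport)
        elif src == remote and dst == local:
            key = (proto, dport, sport)
        else:
            raise ValueError("ACE is not between %s and %s" % (local, remote))
        conns[key] = conns.get(key, 0) + 1
    return conns


def protoport(proto, port):
    """ipsec.conf protoport syntax: 'tcp' for any port, 'tcp/53' for one port."""
    return proto if port is None else "%s/%s" % (proto, port)


def render_ipsec_conf(conns, local, remote, base="dns_SRV"):
    """One conn per deduped selector, sharing a base conn for left/right."""
    out = []
    for i, (proto, lport, rport) in enumerate(conns, 1):
        out += ["conn dns%d" % i,
                "\talso=%s" % base,
                "\tleftprotoport=%s" % protoport(proto, lport),
                "\trightprotoport=%s" % protoport(proto, rport),
                "\tauto=start", ""]
    out += ["conn %s" % base, "\tleft=%s" % local, "\tright=%s" % remote]
    return "\n".join(out)


def render_setkey(aces, local):
    """setkey spdadd rules are directional, so there is one per ACE."""
    rules = []
    for proto, src, sport, dst, dport in aces:
        direction = "out" if src == local else "in"
        rules.append("spdadd %s[%s] %s[%s] %s -P %s ipsec esp/transport//require;"
                     % (src, sport or "any", dst, dport or "any", proto, direction))
    return "\n".join(rules)


if __name__ == "__main__":
    aces = parse_acl(ACL)
    conns = flows_to_conns(aces, "10.17.0.11", "10.27.64.11")
    print(render_ipsec_conf(conns, "10.17.0.11", "10.27.64.11"))
    print()
    print(render_setkey(aces, "10.17.0.11"))
```

Running it against the ACL from the post prints four conn blocks matching Andreas' dns1..dns4 (in ACL order) followed by eight spdadd lines; each conn key is hit exactly twice, once per direction, which is the check to run on any other ACL before deciding it needs more conns than half its line count. Which conn ends up named dns1 depends only on ACL order, not on anything strongSwan cares about.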
