Hi, I'm trying to get a strongSwan-based VPN running. My Linux-based strongSwan client is configured to act as a roadwarrior to connect to a LANCOM VPN router. Authentication is done with certs and most of the stuff is also running. But my strongSwan client isn't able to get an IP via IKE config mode.
Log on my strongSwan client:

Jul 27 14:47:45 box1 pluto[7087]: "VPN" #3: initiating Main Mode
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload [RFC3947]
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: ignoring Vendor ID payload [eeefa37809e32ad4de4f6b010c26a640]
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload [XAUTH]
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: received Vendor ID payload [Dead Peer Detection]
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: enabling possible NAT-traversal with method 3
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: NAT-Traversal: Result using RFC 3947: both are NATed
Jul 27 14:47:46 box1 pluto[7087]: "VPN" #3: we have a cert and are sending it upon request
Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=N, L=O, O=N, OU=T, CN=GW, [email protected]'
Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: crl not found
Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: certificate status unknown
Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: ISAKMP SA established
Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: sending ModeCfg request
Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: parsing ModeCfg reply
Jul 27 14:47:47 box1 pluto[7087]: "VPN" #3: received ModeCfg reply, established

Log on the LANCOM VPN server:

root@GW:/ >
[VPN-Status] 2011/07/27 14:47:49,420
IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports draft-ietf-ipsec-isakmp-xauth
IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id negotiated rfc-3706-dead-peer-detection
IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports NAT-T in mode rfc
IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports NAT-T in mode rfc
IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports NAT-T in mode rfc
IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports NAT-T in mode rfc
IKE info: The remote server 109.44.202.224:4500 (UDP) peer def-main-peer id supports NAT-T in mode rfc
[VPN-Status] 2011/07/27 14:47:49,420
IKE info: phase-1 proposal failed: remote No 1 authentication method = rsa signature local No 1 authentication method = PRE_SHARED
IKE info: Phase-1 remote proposal 1 for peer def-main-peer matched with local proposal 2
[VPN-Status] 2011/07/27 14:47:49,940
IKE info: Set local ID to </C=DE/ST=N/L=O/O=N/OU=T/CN=GW/[email protected]>
[VPN-Status] 2011/07/27 14:47:50,170
IKE info: Phase-1 [responder] for peer def-main-peer between initiator id [email protected],CN=Box1,OU=T,O=N,L=O,ST=N,C=DE, responder id [email protected],CN=GW,OU=T,O=N,L=O,ST=N,C=DE done
IKE info: NAT-T enabled in mode rfc, we are behind a nat, the remote side is behind a nat
IKE info: SA ISAKMP for peer def-main-peer encryption aes-cbc authentication md5
IKE info: life time ( 3600 sec/ 0 kb)
[VPN-Status] 2011/07/27 14:47:50,170
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer def-main-peer set to 3240 seconds (Responder)
[VPN-Status] 2011/07/27 14:47:50,170
IKE info: Phase-1 SA Timeout (Hard-Event) for peer def-main-peer set to 3600 seconds (Responder)
[VPN-Status] 2011/07/27 14:47:50,420
IKE info: IKE-CFG: Received REQUEST message with id 0 from peer def-main-peer
IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 0 value (none) received
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NETMASK len 4 value 255.255.255.255 received
[VPN-Status] 2011/07/27 14:47:50,420
IKE info: IKE-CFG: Creating REPLY message with id 0 for peer def-main-peer
IKE info: IKE-CFG: Attribute INTERNAL_IP4_NETMASK len 0 skipped
IKE info: IKE-CFG: Attribute INTERNAL_IP4_ADDRESS len 0 skipped
IKE info: IKE-CFG: Sending message

ipsec statusall:

000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.2.4.1:4500
000 interface eth0/eth0 10.2.4.1:500
000 interface eth1/eth1 192.168.200.109:4500
000 interface eth1/eth1 192.168.200.109:500
000 interface wlan0/wlan0 10.2.3.100:4500
000 interface wlan0/wlan0 10.2.3.100:500
000 %myid = (none)
000 loaded plugins: curl ldap random pubkey openssl hmac gmp
000 debug options: none
000
000 "VPN": %modecfg===10.2.3.100:4500[C=DE, ST=N, L=O, O=N, OU=T, CN=Box1, [email protected]]---10.2.3.1...85.17.130.131:4500[C=DE, ST=N, L=O, O=N, OU=T, CN=GW, [email protected]]===192.168.1.0/24; unrouted; eroute owner: #0
000 "VPN": CAs: 'C=DE, ST=N, L=O, O=N, OU=T, CN=LinuxVPNCA, [email protected]'...'%any'
000 "VPN": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "VPN": policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 24,32; interface: wlan0;
000 "VPN": newest ISAKMP SA: #3; newest IPsec SA: #0;
000 "VPN": IKE proposal: AES_CBC_128/HMAC_MD5/MODP_1024
000
000 #3: "VPN" STATE_MODE_CFG_I2 (received ModeCfg reply, established); EVENT_SA_REPLACE in 3225s; newest ISAKMP
000 #3: pending Phase 2 for "VPN" replacing #0
000

In the logfiles, I can see that my roadwarrior tries to get an IP, but why doesn't my VPN router give him one? Anyone tried to get such a combination running?

Best regards
Andre

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
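The IKE-CFG lines in the LANCOM log describe the ModeCfg exchange at the attribute level: the client sends INTERNAL_IP4_ADDRESS with length 0 (asking for one) and the gateway replies with the attribute "skipped". As an added example, not the poster's code or strongSwan's, here is a small Python encoder/decoder for ISAKMP Mode Config attributes in the RFC 2408 data-attribute format, which builds the request as logged and checks whether a reply actually assigns an address; the reply bytes and the 192.168.1.50 pool address are constructed values.

```python
import struct

# ISAKMP Mode Config attribute types from the LANCOM IKE-CFG log
# (draft-ietf-ipsec-isakmp-mode-cfg); encoding per RFC 2408 section 3.3.
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_NETMASK = 2

def encode_attr(atype, value=b""):
    """Encode one attribute in TLV form (AF bit = 0): type, length, value."""
    return struct.pack("!HH", atype & 0x7FFF, len(value)) + value

def decode_attrs(data):
    """Decode an attribute list into (type, value) pairs, TV and TLV forms."""
    attrs, pos = [], 0
    while pos + 4 <= len(data):
        hdr, lv = struct.unpack_from("!HH", data, pos)
        atype, af = hdr & 0x7FFF, hdr >> 15
        pos += 4
        if af:  # TV form: the 16-bit field is the value itself
            attrs.append((atype, struct.pack("!H", lv)))
        else:   # TLV form: lv is the length of the value that follows
            if pos + lv > len(data):
                raise ValueError("attribute length exceeds payload")
            attrs.append((atype, data[pos:pos + lv]))
            pos += lv
    if pos != len(data):
        raise ValueError("trailing bytes in attribute list")
    return attrs

def assigned_address(reply):
    """IPv4 address assigned by a ModeCfg REPLY, or None (a zero-length
    INTERNAL_IP4_ADDRESS, the 'skipped' in the LANCOM log, assigns nothing)."""
    for atype, value in decode_attrs(reply):
        if atype == INTERNAL_IP4_ADDRESS and len(value) == 4:
            return ".".join(str(b) for b in value)
    return None

# Constructed bytes mirroring the posted log: the client asks for an address (len 0)
# and offers netmask 255.255.255.255; the gateway answers with both attributes empty.
CLIENT_REQUEST = (encode_attr(INTERNAL_IP4_ADDRESS)
                  + encode_attr(INTERNAL_IP4_NETMASK, bytes([255, 255, 255, 255])))
EMPTY_REPLY = encode_attr(INTERNAL_IP4_NETMASK) + encode_attr(INTERNAL_IP4_ADDRESS)
# Constructed reply from a gateway that does hand out a pool address (example value).
GOOD_REPLY = (encode_attr(INTERNAL_IP4_ADDRESS, bytes([192, 168, 1, 50]))
              + encode_attr(INTERNAL_IP4_NETMASK, bytes([255, 255, 255, 255])))

if __name__ == "__main__":
    print("empty reply assigns:", assigned_address(EMPTY_REPLY))  # None
    print("good reply assigns:", assigned_address(GOOD_REPLY))    # 192.168.1.50
```

A reply that omits INTERNAL_IP4_ADDRESS entirely and one that carries it with length 0 both leave the client without a virtual IP, which is what pluto's "received ModeCfg reply, established" line hides.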
