Hello,
 
I'm trying to get to grips with strongSwan, specifically creating a site-to-site 
VPN between strongSwan and a Cisco router or firewall. Although my background 
is networking, I've not much experience with VPNs.
 
I'm using GNS3 to play with these things in a virtual environment and have been 
able to create a connection between two Linux boxes running strongSwan - it 
works perfectly. However, when I try to create a connection from strongSwan to 
the router or the firewall I run into problems. For some reason strongSwan 
seems to be changing the traffic selector for both these connections, as below. 
I read something about the unity plugin and it seemed to describe something 
similar to my issue, but enabling it doesn't appear to have helped.
 
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for us:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.1.0.0/24
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for other:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.2.0.0/24
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] changing proposed traffic selectors for other:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  0.0.0.0/0

I've pasted my config below and attached a screenshot of my topology. If anyone 
could offer any advice on where to start, I'd be very grateful. Apologies if 
this is a bit of a newbie issue. I really hope it's not something silly.
 
conn strongswan-router
            ikelifetime=60m
            keylife=20m
            rekeymargin=3m
            keyingtries=1
            keyexchange=ikev1
            ike=aes128-sha1-modp1536!
            authby=secret
            left=192.168.0.1
            leftsubnet=10.1.0.0/24
            leftid=192.168.0.1
            leftfirewall=yes
            right=192.168.1.1
            rightsubnet=10.2.0.0/24
            rightid=192.168.1.1
            auto=start
 
R2#sh run
version 12.4
!
!
<omitted several lines>
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key cisco12 address 192.168.0.1
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set myset
 match address 100
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 speed 100
 full-duplex
 crypto map mymap
!
interface FastEthernet0/1
 ip address 10.2.0.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 192.168.0.0 255.255.255.0 192.168.1.2
!
<omitted several lines>
!
access-list 100 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
<omitted several lines>
!
R2#
 
A0089-Mint1 etc # ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64):
  uptime: 2 minutes, since Aug 07 12:06:02 2014
  malloc: sbrk 1867776, mmap 532480, used 701088, free 1166688
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors curl soup unbound ldap sqlite pkcs11 aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm ntru attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led duplicheck radattr addrblock unity
Listening IP addresses:
  192.168.0.1
  10.1.0.1
Connections:
strongswan-router:  192.168.0.1...192.168.1.1  IKEv1
strongswan-router:   local:  [192.168.0.1] uses pre-shared key authentication
strongswan-router:   remote: [192.168.1.1] uses pre-shared key authentication
strongswan-router:   child:  10.1.0.0/24 === 10.2.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
strongswan-router[1]: ESTABLISHED 2 minutes ago, 192.168.0.1[192.168.0.1]...192.168.1.1[192.168.1.1]
strongswan-router[1]: IKEv1 SPIs: d2072b8b790bcf8a_i* 0172409d7563a91c_r, pre-shared key reauthentication in 53 minutes
strongswan-router[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
 
R2#debug crypto ipsec
Crypto IPSEC debugging is on
R2#
*Mar  1 15:46:58.504: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.0.1,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
*Mar  1 15:46:58.516: Crypto mapdb : proxy_match
            src addr     : 0.0.0.0
            dst addr     : 10.1.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
*Mar  1 15:46:58.520: Crypto mapdb : proxy_match
            src addr     : 0.0.0.0
            dst addr     : 10.1.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
*Mar  1 15:46:58.528: map_db_find_best did not find matching map
*Mar  1 15:46:58.528: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 192.168.1.1
*Mar  1 15:46:58.528: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.0.1,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar  1 15:46:58.532: Crypto mapdb : proxy_match
            src addr     : 0.0.0.0
            dst addr     : 10.1.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
*Mar  1 15:46:58.532: Crypto mapdb : proxy_match
            src addr     : 0.0.0.0
            dst addr     : 10.1.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
*Mar  1 15:46:58.532: map_db_find_best did not find matching map
*Mar  1 15:46:58.532: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 192.168.1.1
*Mar  1 15:46:58.532: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.0.1,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
*Mar  1 15:46:58.532: Crypto mapdb : proxy_match
            src addr     : 0.0.0.0
            dst addr     : 10.1.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
*Mar  1 15:46:58.532: Crypto mapdb : proxy_match
            src addr     : 0.0.0.0
            dst addr     : 10.1.0.0
            protocol     : 0
            src port     : 0
            dst port     : 0
*Mar  1 15:46:58.532: map_db_find_best did not find matching map
*Mar  1 15:46:58.532: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 192.168.1.1
*Mar  1 15:46:58.540: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.0.1
R2#
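The two captures above disagree in two places that are easy to miss by eye. The Cisco debug rejects the proposal because strongSwan's narrowed selector 0.0.0.0/0 arrives as `local_proxy= 0.0.0.0/0.0.0.0` and `map_db_find_best` finds no crypto map ACL that matches it. Separately, `access-list 100` uses the wildcard `0.0.255.255`, which is a /16 (Cisco wildcards are inverted netmasks), so even before the narrowing the router's view of the tunnel is 10.2.0.0/16 <-> 10.1.0.0/16 while `leftsubnet`/`rightsubnet` are /24s. The checker below is an added example written for this page, not code from the poster or from the strongSwan project; it parses the `conn` block, converts the Cisco ACL wildcards to CIDR, mirrors the two sides (the router's ACL source is strongSwan's `rightsubnet`), and scans the charon log for selectors that were changed away from what was configured. The sample inputs are constructed from the excerpts in the post; the conn name and the ACL grammar handled (only `permit ip A W B W`) are assumptions.

```python
import ipaddress
import re

# Constructed sample input, copied from the post's own configuration and
# log excerpts so the checker runs offline.
IPSEC_CONF = """\
conn strongswan-router
            keyexchange=ikev1
            left=192.168.0.1
            leftsubnet=10.1.0.0/24
            right=192.168.1.1
            rightsubnet=10.2.0.0/24
            auto=start
"""

CISCO_RUN = """\
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.0.1
 match address 100
!
access-list 100 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
"""

CHARON_LOG = """\
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for us:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.1.0.0/24
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for other:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.2.0.0/24
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] changing proposed traffic selectors for other:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  0.0.0.0/0
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for each 'conn' block in ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco 'address wildcard' pair to an ip_network.

    Wildcards are inverted netmasks: 0.0.0.255 is /24, 0.0.255.255 is /16.
    A non-contiguous wildcard has no CIDR equivalent and is rejected.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # the set bits must be one contiguous run at the bottom
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - w.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


# Only the 'permit ip A W B W' form used in the post is handled (assumption);
# 'host' and 'any' keywords would need extra cases.
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
MAP_RE = re.compile(r"^\s*match address\s+(\d+)")


def parse_cisco(text):
    """Return (acl_number, router_local_net, router_remote_net) for the crypto map's ACL."""
    acl_number, acls = None, {}
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            acl_number = m.group(1)
        m = ACL_RE.match(line.strip())
        if m:
            num, src, src_w, dst, dst_w = m.groups()
            acls[num] = (wildcard_to_network(src, src_w), wildcard_to_network(dst, dst_w))
    local, remote = acls[acl_number]
    return acl_number, local, remote


def narrowed_selectors(log_text):
    """Return the selectors charon reports having changed to, e.g. ['0.0.0.0/0']."""
    lines = log_text.splitlines()
    found = []
    for i, line in enumerate(lines):
        if "changing proposed traffic selectors" in line and i + 1 < len(lines):
            found.append(lines[i + 1].rsplit(None, 1)[-1])
    return found


def check_site_to_site(conf_text, cisco_text, log_text, conn="strongswan-router"):
    """Cross-check strongSwan subnets, the Cisco crypto map ACL and the charon log."""
    c = parse_ipsec_conf(conf_text)[conn]
    left = ipaddress.ip_network(c["leftsubnet"])
    right = ipaddress.ip_network(c["rightsubnet"])
    acl, cisco_local, cisco_remote = parse_cisco(cisco_text)
    findings = []
    # The router's ACL source is its own LAN, i.e. strongSwan's rightsubnet.
    if cisco_local != right:
        findings.append(f"acl {acl} source {cisco_local} != rightsubnet {right}")
    if cisco_remote != left:
        findings.append(f"acl {acl} destination {cisco_remote} != leftsubnet {left}")
    for ts in narrowed_selectors(log_text):
        if ipaddress.ip_network(ts) != right:
            findings.append(f"charon replaced remote selector {right} with {ts}")
    return findings


if __name__ == "__main__":
    for finding in check_site_to_site(IPSEC_CONF, CISCO_RUN, CHARON_LOG):
        print("MISMATCH:", finding)
```

Run against the post's excerpts it reports three mismatches: the ACL source and destination are /16s rather than the configured /24s, and charon replaced the remote selector 10.2.0.0/24 with 0.0.0.0/0. The ACL wildcard is fixed by using `0.0.0.255` on both addresses; the charon line comes from a narrow hook in a loaded plugin, and since `ipsec statusall` shows `unity` loaded, that plugin is the first thing to check when the peer is a Cisco device.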
 


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
