Hello,

Apologies in advance for the rather long message but I'm new to strongSwan and want to include as much information as I think is relevant to my problem.

I'm having some problems using strongSwan-5.2.2 to establish a connection to a host on the subnet 10.180.0.0/16 which is behind the gateway 213.163.70.4. The IP address of my machine is 192.168.42.162 and I'm using NAT to access the internet. My public IP address is: 83.161.66.130.

I don't control the 213.163.70.4 gateway and I have been told it uses the following settings:

  Target address: 213.163.70.4
  Source address: 83.161.66.130

  IKE SA: Phase 1
    Encryption: AES-128 with SHA-1
    Diffie-Hellman: Group 2
    SA lifetime: 86400 seconds
    IKE negotiation mode: Main (non aggressive)
    Pre-shared key: XXXX (censored)

  IPsec proposal: Phase 2
    Encryption: AES-128 with SHA-1
    IPsec type: ESP
    IPsec tunnel lifetime: 3600 seconds

I set my ipsec.secrets (censored) to:

  213.163.70.4 %any : PSK 0xXXXX

ipsec.conf:

  conn data-display
    aggressive=no
    authby=secret
    auto=add
    esp=aes128-sha1
    fragmentation=yes
    ike=des-sha1-modp1024
    ikelifetime=24h
    keyexchange=ikev1
    left=%any
    leftfirewall=yes
    leftid=83.161.66.130
    lifetime=1h
    right=213.163.70.4
    rightsubnet=10.180.0.0/16

I noticed from the strongSwan logs that the gateway is a Cisco Unity device so I configured strongSwan with --enable-unity. I'm not sure that is required.

When I start strongSwan using "sudo systemctl start strongswan" I get the following log (I'm using logging level 2):

  http://pastebin.com/pC1WYegL

I'm a bit confused why I get the "no netkey IPsec stack detected" warning since all required[1] kernel options are enabled (either built in or as modules). In particular:

  cat /proc/config.gz | gunzip | grep CONFIG_NET_KEY=
  CONFIG_NET_KEY=m

Since it's a warning I ignore it for a moment and try to start up the "data-display" connection using "sudo ipsec up data-display". I get the following output:

  initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
  generating ID_PROT request 0 [ SA V V V V V ]
  sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (220 bytes)
  received packet: from 213.163.70.4[500] to 192.168.42.162[500] (128 bytes)
  parsed ID_PROT response 0 [ SA V V ]
  received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
  received FRAGMENTATION vendor ID
  generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
  sending packet: from 192.168.42.162[500] to 213.163.70.4[500] (244 bytes)
  received packet: from 213.163.70.4[500] to 192.168.42.162[500] (304 bytes)
  parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
  received Cisco Unity vendor ID
  received XAuth vendor ID
  received unknown vendor ID: c5:dd:ab:2d:d0:7e:27:16:a3:59:1d:ba:91:49:75:8d
  received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
  local host is behind NAT, sending keep alives
  generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
  sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (84 bytes)
  received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
  parsed ID_PROT response 0 [ ID HASH V ]
  received DPD vendor ID
  IKE_SA data-display[1] established between 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
  scheduling reauthentication in 85593s
  maximum IKE_SA lifetime 86133s
  generating QUICK_MODE request 3299461263 [ HASH SA No ID ID ]
  sending packet: from 192.168.42.162[4500] to 213.163.70.4[4500] (204 bytes)
  received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
  parsed INFORMATIONAL_V1 request 1571124148 [ HASH N(NO_PROP) ]
  received NO_PROPOSAL_CHOSEN error notify
  received packet: from 213.163.70.4[4500] to 192.168.42.162[4500] (84 bytes)
  parsed INFORMATIONAL_V1 request 3331205321 [ HASH D ]
  received DELETE for IKE_SA data-display[1]
  deleting IKE_SA data-display[1] between 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
  establishing connection 'data-display' failed

The following is posted to syslog:

  http://pastebin.com/1Vj1rXaq

So I can see that an IKE_SA is established between me and the gateway. However, after that something goes wrong. Can somebody explain what is going wrong and point me in the right direction?

Also note that I'm using NixOS running in VirtualBox. My virtual NIC is bridged to my physical NIC.

Let me know if any more information is desired.

Cheers,

Bas

[1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
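A small triage helper for charon transcripts like the one in this post (an added example, not code from the post or from the strongSwan project): it reports whether the IKE_SA (phase 1) completed and which proposal-carrying exchange was in flight when the first error notify arrived, which separates a phase 1 proposal mismatch from a phase 2 rejection of the ESP proposal or traffic selectors. The sample transcript below is constructed in the shape of charon's "ipsec up" output.

```python
import re

# Constructed sample transcript in the shape of charon's "ipsec up" output:
# Main Mode completes, then Quick Mode is answered with NO_PROPOSAL_CHOSEN.
SAMPLE_LOG = """\
initiating Main Mode IKE_SA data-display[1] to 213.163.70.4
generating ID_PROT request 0 [ SA V V V V V ]
parsed ID_PROT response 0 [ SA V V ]
local host is behind NAT, sending keep alives
IKE_SA data-display[1] established between 192.168.42.162[83.161.66.130]...213.163.70.4[213.163.70.4]
generating QUICK_MODE request 3299461263 [ HASH SA No ID ID ]
parsed INFORMATIONAL_V1 request 1571124148 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
received DELETE for IKE_SA data-display[1]
establishing connection 'data-display' failed
"""

# Only exchanges that carry a proposal are tracked; INFORMATIONAL_V1 just transports notifies.
EXCHANGE_RE = re.compile(r"(?:generating|parsed) (ID_PROT|AGGRESSIVE|QUICK_MODE) ")
NOTIFY_RE = re.compile(r"received ([A-Z_]+) error notify")

HINTS = {
    "QUICK_MODE": "peer rejected phase 2: compare esp=, lifetime= and the "
                  "left/rightsubnet traffic selectors with the peer's policy",
    "ID_PROT": "peer rejected phase 1: compare ike=, ikelifetime= and the "
               "identities (leftid/rightid) with the peer's policy",
    "AGGRESSIVE": "peer rejected phase 1 (aggressive mode): compare ike= and identities",
}

def triage(log_text):
    """Return what completed and which exchange was in flight at the first error notify."""
    phase1_done = False
    nat = False
    exchange = None
    for line in log_text.splitlines():
        m = EXCHANGE_RE.search(line)
        if m:
            exchange = m.group(1)
        if "IKE_SA" in line and "established between" in line:
            phase1_done = True
        if "behind NAT" in line:
            nat = True
        n = NOTIFY_RE.search(line)
        if n:
            return {"phase1_established": phase1_done, "nat_traversal": nat,
                    "failed_in": exchange, "notify": n.group(1),
                    "hint": HINTS.get(exchange, "error before any proposal was sent")}
    return {"phase1_established": phase1_done, "nat_traversal": nat,
            "failed_in": None, "notify": None, "hint": "no error notify seen"}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```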
