Hi Stephen, Please delete type=transport or change it to type=tunnel. Also delete rightprotoport and leftprotoport.
If this did not help, please provide again ipsec statusall + enable logging at higher level as described here <https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration> and provide logfile. Regards, Miroslav On Monday, April 20, 2015 at 1:47:48 AM UTC+2, Stephen Feyrer wrote: > > Hi Miroslav, > > You are correct, the syntax error is gone. Sadly, there is not much which > I can tell you about my office Network topology. All that I do know is > that we pass through a Windows Firewall before being able to connect our > work stations. > > > code: > > # ipsec.conf - strongSwan IPsec configuration file > > # basic configuration > > config setup > # strictcrlpolicy=yes > # uniqueids = no > > conn VPN-OFFICE-COM > keyexchange=ikev1 > type=transport > authby=secret > ike=3des-sha1-modp1024 > rekey=no > left=%any > leftsourceip=%config > leftprotoport=udp/l2tp > right=vpn.office.com > rightprotoport=udp/l2tp > rightid=17.11.7.5 > rightsubnet=0.0.0.0/0 > auto=add > > > > # ipsec up VPN-OFFICE-COM > initiating Main Mode IKE_SA VPN-OFFICE-COM[14] to 17.11.7.5 > generating ID_PROT request 0 [ SA V V V V ] > sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes) > received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes) > parsed ID_PROT response 0 [ SA V V ] > received draft-ietf-ipsec-nat-t-ike-02\n vendor ID > received FRAGMENTATION vendor ID > generating ID_PROT request 0 [ KE No NAT-D NAT-D ] > sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes) > received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes) > parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ] > received Cisco Unity vendor ID > received XAuth vendor ID > received unknown vendor ID: [HIDDEN] > received unknown vendor ID: [HIDDEN] > local host is behind NAT, sending keep alives > generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ] > sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes) > received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes) > parsed ID_PROT response 0 [ ID HASH V ] > received DPD vendor ID > IKE_SA VPN-OFFICE-COM[14] established between > 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5] > generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ] > sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes) > received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes) > parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N(([HIDDEN])) > NAT-OA ] > received 28800s lifetime, configured 0s > no acceptable traffic selectors found > establishing connection 'VPN-OFFICE-COM' failed > > > # ipsec statusall > Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.16.5-gentoo, > x86_64): > uptime: 3 hours, since Apr 19 20:50:15 2015 > malloc: sbrk [HIDDEN], mmap 0, used [HIDDEN], free [HIDDEN] > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, > scheduled: 1 > loaded plugins: charon ldap mysql sqlite aes des rc2 sha1 sha2 md4 md5 > random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 > pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac curl attr > kernel-netlink resolve socket-default socket-dynamic farp stroke vici > updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym > eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls > xauth-generic xauth-eap xauth-pam dhcp lookip led unity > Listening IP addresses: > 1.2.3.4 > Connections: > VPN-OFFICE-COM: %any...vpn.office.com IKEv1 > VPN-OFFICE-COM: local: [1.2.3.4] uses pre-shared key authentication > VPN-OFFICE-COM: remote: [17.11.7.5] uses pre-shared key authentication > VPN-OFFICE-COM: child: dynamic[udp/l2tp] === dynamic[udp/l2tp] TRANSPORT > Security Associations (1 up, 0 connecting): > VPN-OFFICE-COM[14]: ESTABLISHED 6 seconds ago, > 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5] > VPN-OFFICE-COM[14]: IKEv1 SPIs: [HIDDEN]_i* [HIDDEN]_r, rekeying disabled > VPN-OFFICE-COM[14]: IKE proposal: > 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 > > > Thank you for your help. I hope this tells you more than it does me. > > > -- > Kind regards > > Stephen Feyrer. > > > > On Sun, 19 Apr 2015 09:11:04 +0100, Miroslav Svoboda <[email protected] > <javascript:>> wrote: > > Hi Stephen, > > So I assume there is no longer any syntax error reported. > > From logfile I see there is no acceptable traffic selector. I assume that > you have a home PC (Ubuntu) with Strongswan which you want to connect to > the office VPN concentrator with IP 17.11.7.5 running Windows. I suppose > VPN concentrator in the office is not configured to route any traffic > towards you home PC's IP address, thus you will need a virtual IP address > assigned to your home PC by the VPN concentrator. Also I suppose you want > to route all traffic via that VPN once connected. > Then, please try to modify "left=%defaultroute" to "left=%any" and add > "rightsubnet=0.0.0.0/0" and "leftsourceip=%config". You should not > specify "leftsubnet", it has same effect as "leftsubnet=%dynamic". > According to documentation at wiki > <https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection> > configuration > directive "left=defaultroute%" was used prior to version 5.0.0, superseded > by "left=%any". > leftsubnet=%dynamic (or omitting leftsubnet at all) and rightsubnet= > 0.0.0.0/0 will create your traffic selector. It says that anything ( > 0.0.0.0/0) from your side will be routed to remote host and that the > remote host will route towards your PC (left==local) a traffic which would > fit your dynamically assigned IP. Should you want to route towards office > network only office-related traffic then change > "rightsubnet=<subnet_used_in_Stephen's_office>". > > If that didn't help please can you provide output of 'ipsec statusall' and > also more details about network topology? > > Regards, > Miroslav > > On Saturday, April 18, 2015 at 5:28:12 PM UTC+2, Stephen Feyrer wrote: >> >> Hi Miroslav, >> >> Thank you. The conn section as presented below was copied and pasted >> from web page for convenience (this stripped the leading white spaced from >> the conn section). For the moment the white spaces are in form of TAB >> characters. I will test with space characters and complete this email. >> >> I Apologise for the lack of white spaces in the conn section of below >> email. I have now tested with both spaces and tabs, each producing the >> same error as below. >> >> >> -- >> Kind regards >> >> Stephen Feyrer. >> >> >> On Sat, 18 Apr 2015 13:25:20 +0100, Miroslav Svoboda < >> [email protected]> wrote: >> >> Hi Stephen, >> >> I believe the issue might be caused as the "conn" section is not >> compliant with prescribed format. There should be at least one whitespace >> at the beginning of each line within the section. Only sections can and >> shall start at the first character of the line. >> >> Supposed correction: >> *conn VPN-OFFICE-COM* >> * keyexchange=ikev1* >> *type=transport* >> *authby=secret* >> *ike=3des-sha1-modp1024* >> *rekey=no* >> *left=%defaultroute* >> *leftprotoport=udp/l2tp* >> *right=vpn.office.com <http://vpn.office.com>* >> *rightprotoport=udp/l2tp* >> *rightid=17.11.7.5* >> *auto=add* >> >> Regards, >> Miroslav >> >> Message: 3 >> Date: Fri, 17 Apr 2015 14:08:57 +0100 >> From: "Stephen Feyrer" <[email protected]> >> To: [email protected] >> Subject: Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error, >> unexpected NAME, expecting NEWLINE or '{' or '=' [vpn] >> Message-ID: <[email protected]> >> Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes >> >> Hi Neol, >> >> Thank you. I have removed the file /etc/strongswan.d/VPN.conf >> >> In /etc/ipsec.conf I have the same configuration. At least there is >> progress, unfortunately I am still baffled. This is the previously >> working configuration. >> >> code: >> >> # ipsec.conf - strongSwan IPsec configuration file >> >> # basic configuration >> >> config setup >> # strictcrlpolicy=yes >> # uniqueids = no >> >> conn VPN-OFFICE-COM >> keyexchange=ikev1 >> type=transport >> authby=secret >> ike=3des-sha1-modp1024 >> rekey=no >> left=%defaultroute >> leftprotoport=udp/l2tp >> right=vpn.office.com >> rightprotoport=udp/l2tp >> rightid=17.11.7.5 >> auto=add >> >> >> Having restarted ipsec, I get the following result >> >> code: >> >> # ipsec up VPN-OFFICE-COM >> initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5 >> generating ID_PROT request 0 [ SA V V V V ] >> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes) >> received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes) >> parsed ID_PROT response 0 [ SA V V ] >> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID >> received FRAGMENTATION vendor ID >> generating ID_PROT request 0 [ KE No NAT-D NAT-D ] >> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes) >> received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes) >> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ] >> received Cisco Unity vendor ID >> received XAuth vendor ID >> received unknown vendor ID: [Available On Request] >> received unknown vendor ID: [Available On Request] >> local host is behind NAT, sending keep alives >> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ] >> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes) >> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes) >> parsed ID_PROT response 0 [ ID HASH V ] >> received DPD vendor ID >> IKE_SA VPN-OFFICE-COM[1] established between >> 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5] >> generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID >> NAT-OA NAT-OA ] >> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes) >> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes) >> parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID >> N((24576)) NAT-OA ] >> received 28800s lifetime, configured 0s >> no acceptable traffic selectors found >> establishing connection 'VPN-OFFICE-COM' failed >> >> >> >> -- >> Kind regards >> >> >> Stephen Feyrer >> >> > > > -- > Kind regards > > > Stephen Feyrer >
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
