Hi Miroslav,
Thank you.
We've made progress. I haven't included any of the log file as it is
very verbose (24488 lines - for ipsec up, statusall, down). Please let me
know which sections to look at and I'll grab those.
As you can see below, the transaction request seems to be very
laboured but does result in a success statement. Following that I have
tried to test with openl2tp to create the l2tp ppp tunnel. Openl2tp seems
to create this tunnel but ifconfig does not show any ppp interfaces.
The lines in the conn left/rightprotoport do not seem to affect the
outcome whether included or not. The charondebug line when uncommented
prevents any output and I suspect that the syntax is wrong there.
code:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    # charondebug="ike 3, cfg 3, app 3, chd 3, dmn 3, net 3"
conn VPN-OFFICE-COM
    keyexchange=ikev1
    type=tunnel
    authby=secret
    ike=3des-sha1-modp1024
    rekey=no
    left=%any
    leftsourceip=%config
    # leftprotoport=udp/l2tp
    right=vpn.office.com
    # rightprotoport=udp/l2tp
    rightid=17.11.7.5
    rightsubnet=0.0.0.0/0
    auto=add
# ipsec up VPN-OFFICE-COM
initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [HIDDEN]
received unknown vendor ID: [HIDDEN]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN-OFFICE-COM[1] established between
1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating TRANSACTION request [HIDDEN] [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
sending retransmit 1 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
sending retransmit 2 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
sending retransmit 3 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
sending keep alive to 17.11.7.5[4500]
sending retransmit 4 of request message ID [HIDDEN], seq 4
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH D ]
received DELETE for IKE_SA VPN-OFFICE-COM[1]
deleting IKE_SA VPN-OFFICE-COM[1] between
1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
initiating Main Mode IKE_SA VPN-OFFICE-COM[2] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
connection 'VPN-OFFICE-COM' established successfully
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.16.5-gentoo, x86_64):
uptime: 112 seconds, since Apr 20 09:23:17 2015
malloc: sbrk [HIDDEN], mmap 0, used [HIDDEN], free [HIDDEN]
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon ldap mysql sqlite aes des rc2 sha1 sha2 md4 md5
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12
pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac curl attr
kernel-netlink resolve socket-default socket-dynamic farp stroke vici
updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym
eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls
xauth-generic xauth-eap xauth-pam dhcp lookip led unity
Listening IP addresses:
1.2.3.4
Connections:
VPN-OFFICE-COM: %any...vpn.office.com IKEv1
VPN-OFFICE-COM: local: [1.2.3.4] uses pre-shared key authentication
VPN-OFFICE-COM: remote: [17.11.7.5] uses pre-shared key authentication
VPN-OFFICE-COM: child: dynamic[udp/l2tp] === 172.18.7.0/24[udp/l2tp] TUNNEL
Security Associations (1 up, 0 connecting):
VPN-OFFICE-COM[2]: ESTABLISHED 40 seconds ago,
1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
VPN-OFFICE-COM[2]: IKEv1 SPIs: [HIDDEN]_i* [HIDDEN]_r, rekeying disabled
VPN-OFFICE-COM[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
VPN-OFFICE-COM[2]: Tasks queued: QUICK_MODE ISAKMP_DPD ISAKMP_DPD ISAKMP_DPD
VPN-OFFICE-COM[2]: Tasks active: MODE_CONFIG
# ipsec down VPN-OFFICE-COM
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH D ]
received DELETE for IKE_SA VPN-OFFICE-COM[2]
deleting IKE_SA VPN-OFFICE-COM[2] between
1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
initiating Main Mode IKE_SA VPN-OFFICE-COM[3] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
IKE_SA [2] closed successfully
--
Kind regards
Stephen Feyrer
On Mon, 20 Apr 2015 00:57:42 +0100, Miroslav Svoboda
<goodmi...@goodmirek.cz> wrote:
Hi Stephen,
Please delete type=transport or change it to type=tunnel.
Also delete rightprotoport and leftprotoport.
If this did not help, please provide again ipsec statusall + enable
logging at higher level as described here and provide logfile.
Regards,
Miroslav
On Monday, April 20, 2015 at 1:47:48 AM UTC+2, Stephen Feyrer wrote:
Hi Miroslav,
You are correct, the syntax error is gone. Sadly, there is not much
which I can tell you about my office network topology. All that I do
know is that we pass through a Windows Firewall before being able to
connect our workstations.
code:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
conn VPN-OFFICE-COM
    keyexchange=ikev1
    type=transport
    authby=secret
    ike=3des-sha1-modp1024
    rekey=no
    left=%any
    leftsourceip=%config
    leftprotoport=udp/l2tp
    right=vpn.office.com
    rightprotoport=udp/l2tp
    rightid=17.11.7.5
    rightsubnet=0.0.0.0/0
    auto=add
# ipsec up VPN-OFFICE-COM
initiating Main Mode IKE_SA VPN-OFFICE-COM[14] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [HIDDEN]
received unknown vendor ID: [HIDDEN]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN-OFFICE-COM[14] established between
1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N(([HIDDEN])) NAT-OA ]
received 28800s lifetime, configured 0s
no acceptable traffic selectors found
establishing connection 'VPN-OFFICE-COM' failed
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.16.5-gentoo, x86_64):
uptime: 3 hours, since Apr 19 20:50:15 2015
malloc: sbrk [HIDDEN], mmap 0, used [HIDDEN], free [HIDDEN]
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon ldap mysql sqlite aes des rc2 sha1 sha2 md4 md5
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12
pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac curl attr
kernel-netlink resolve socket-default socket-dynamic farp stroke vici
updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym
eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls
xauth-generic xauth-eap xauth-pam dhcp lookip led unity
Listening IP addresses:
1.2.3.4
Connections:
VPN-OFFICE-COM: %any...vpn.office.com IKEv1
VPN-OFFICE-COM: local: [1.2.3.4] uses pre-shared key authentication
VPN-OFFICE-COM: remote: [17.11.7.5] uses pre-shared key authentication
VPN-OFFICE-COM: child: dynamic[udp/l2tp] === dynamic[udp/l2tp] TRANSPORT
Security Associations (1 up, 0 connecting):
VPN-OFFICE-COM[14]: ESTABLISHED 6 seconds ago,
1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
VPN-OFFICE-COM[14]: IKEv1 SPIs: [HIDDEN]_i* [HIDDEN]_r, rekeying disabled
VPN-OFFICE-COM[14]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Thank you for your help. I hope this tells you more than it does me.
--
Kind regards
Stephen Feyrer.
On Sun, 19 Apr 2015 09:11:04 +0100, Miroslav Svoboda
<good...@goodmirek.cz> wrote:
Hi Stephen,
So I assume there is no longer any syntax error reported.
From the logfile I see there is no acceptable traffic selector. I assume
that you have a home PC (Ubuntu) with Strongswan which you want to
connect to the office VPN concentrator with IP 17.11.7.5 running
Windows. I suppose the VPN concentrator in the office is not configured
to route any traffic towards your home PC's IP address, thus you
will need a virtual IP address assigned to your home PC by the VPN
concentrator. Also I suppose you want to route all traffic via that
VPN once connected.
Then, please try to modify "left=%defaultroute" to "left=%any" and add
"rightsubnet=0.0.0.0/0" and "leftsourceip=%config". You should not
specify "leftsubnet"; it has the same effect as "leftsubnet=%dynamic".
According to the documentation at the wiki, the configuration directive
"left=defaultroute%" was used prior to version 5.0.0, superseded by
"left=%any".
leftsubnet=%dynamic (or omitting leftsubnet altogether) and
rightsubnet=0.0.0.0/0 will create your traffic selector. It says
that anything (0.0.0.0/0) from your side will be routed to the remote host
and that the remote host will route towards your PC (left==local)
traffic which would fit your dynamically assigned IP. Should you want
to route towards the office network only office-related traffic then
change "rightsubnet=<subnet_used_in_Stephen's_office>".
If that didn't help, please can you provide the output of 'ipsec statusall'
and also more details about network topology?
Regards,
Miroslav
On Saturday, April 18, 2015 at 5:28:12 PM UTC+2, Stephen Feyrer wrote:
Hi Miroslav,
Thank you. The conn section as presented below was copied and pasted
from a web page for convenience (this stripped the leading white
space from the conn section). For the moment the white spaces are
in the form of TAB characters. I will test with space characters and
complete this email.
I apologise for the lack of white spaces in the conn section of the
email below. I have now tested with both spaces and tabs, each
producing the same error as below.
--
Kind regards
Stephen Feyrer.
On Sat, 18 Apr 2015 13:25:20 +0100, Miroslav Svoboda
<good...@goodmirek.cz> wrote:
Hi Stephen,
I believe the issue might be caused as the "conn" section is not
compliant with the prescribed format. There should be at least one
whitespace at the beginning of each line within the section. Only
sections can and shall start at the first character of the line.
Supposed correction:
conn VPN-OFFICE-COM
    keyexchange=ikev1
    type=transport
    authby=secret
    ike=3des-sha1-modp1024
    rekey=no
    left=%defaultroute
    leftprotoport=udp/l2tp
    right=vpn.office.com
    rightprotoport=udp/l2tp
    rightid=17.11.7.5
    auto=add
Regards,
Miroslav
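The layout rule Miroslav describes above (section headers at column 0, every key inside a section indented) and the leftsubnet/rightsubnet defaults from his earlier reply, as an added Python example that is not from this thread and not strongSwan's own parser: a minimal ipsec.conf reader that rejects an unindented key and summarises the child traffic selectors in the `local[proto/port] === remote[proto/port] MODE` shape that `ipsec statusall` prints. The two sample configurations and the helper names are constructed for the example; the defaults it applies (omitted leftsubnet means %dynamic, omitted rightsubnet means the right peer's address) are strongSwan's documented behaviour.

```python
"""Minimal ipsec.conf section parser plus a child-selector summary.

Added example, not strongSwan's code. It enforces the ipsec.conf layout
rule from the thread: 'config setup' / 'conn NAME' headers start at
column 0, and every key=value line inside a section is indented.
"""
import re

SECTION_RE = re.compile(r'^(config|conn|ca)\s+(\S+)$')


class IpsecConfError(ValueError):
    """Raised for lines that violate the section/key layout rule."""


def parse_ipsec_conf(text):
    """Return {'conn NAME': {key: value}, ...} for the given ipsec.conf text.

    Comment lines ('#') and blank lines are ignored. A non-indented line
    must be a section header; an indented line must be key=value and
    belongs to the most recently opened section.
    """
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indented = line[0] in ' \t'
        body = line.strip()
        if not indented:
            m = SECTION_RE.match(body)
            if not m:
                raise IpsecConfError(
                    f"line {lineno}: expected a section header at column 0, "
                    f"got {body!r} (keys must be indented)")
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
        else:
            if current is None:
                raise IpsecConfError(f"line {lineno}: key outside any section")
            if '=' not in body:
                raise IpsecConfError(f"line {lineno}: expected key=value")
            key, value = (s.strip() for s in body.split('=', 1))
            sections[current][key] = value
    return sections


def layout_error(text):
    """Return the layout error message for text, or None if it parses."""
    try:
        parse_ipsec_conf(text)
    except IpsecConfError as exc:
        return str(exc)
    return None


def child_selectors(conn):
    """Summarise one conn's child SA the way 'ipsec statusall' prints it.

    leftsubnet omitted -> %dynamic (the host's own or virtual address);
    rightsubnet omitted -> the right peer itself (printed here as given,
    charon would print the resolved address).
    """
    mode = conn.get('type', 'tunnel').upper()
    local = conn.get('leftsubnet', '%dynamic').lstrip('%')
    remote = conn.get('rightsubnet', conn.get('right', '%any')).lstrip('%')

    def protoport(side):
        value = conn.get(f'{side}protoport')
        return f"[{value}]" if value else ""

    return f"{local}{protoport('left')} === {remote}{protoport('right')} {mode}"


# Constructed sample: keys pasted at column 0, as in the mailing-list post.
BROKEN_CONF = """conn VPN-OFFICE-COM
keyexchange=ikev1
type=transport
"""

# Constructed sample with the indentation restored and the tunnel/virtual-IP
# settings suggested later in the thread.
FIXED_CONF = """config setup
    # uniqueids = no
conn VPN-OFFICE-COM
    keyexchange=ikev1
    type=tunnel
    authby=secret
    left=%any
    leftsourceip=%config
    leftprotoport=udp/l2tp
    right=vpn.office.com
    rightprotoport=udp/l2tp
    rightid=17.11.7.5
    rightsubnet=0.0.0.0/0
    auto=add
"""

if __name__ == "__main__":
    print("broken:", layout_error(BROKEN_CONF))
    conn = parse_ipsec_conf(FIXED_CONF)["conn VPN-OFFICE-COM"]
    print("child:", child_selectors(conn))
```

Running it reports the unindented `keyexchange=ikev1` line as the layout error and prints `dynamic[udp/l2tp] === 0.0.0.0/0[udp/l2tp] TUNNEL` for the corrected section, which matches the `child:` line shown by `ipsec statusall` earlier in the thread.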
Message: 3
Date: Fri, 17 Apr 2015 14:08:57 +0100
From: "Stephen Feyrer" <stephen...@btinternet.com>
To: us...@lists.strongswan.org
Subject: Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error,
unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
Message-ID: <op.xw8ms...@sveta.home.org>
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
Hi Neol,
Thank you. I have removed the file /etc/strongswan.d/VPN.conf
In /etc/ipsec.conf I have the same configuration. At least there is
progress, unfortunately I am still baffled. This is the previously
working configuration.
code:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
conn VPN-OFFICE-COM
    keyexchange=ikev1
    type=transport
    authby=secret
    ike=3des-sha1-modp1024
    rekey=no
    left=%defaultroute
    leftprotoport=udp/l2tp
    right=vpn.office.com
    rightprotoport=udp/l2tp
    rightid=17.11.7.5
    auto=add
Having restarted ipsec, I get the following result:
code:
# ipsec up VPN-OFFICE-COM
initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: [Available On Request]
received unknown vendor ID: [Available On Request]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA VPN-OFFICE-COM[1] established between
1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID N((24576)) NAT-OA ]
received 28800s lifetime, configured 0s
no acceptable traffic selectors found
establishing connection 'VPN-OFFICE-COM' failed
--
Kind regards
Stephen Feyrer
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users