Hello Stephen,

Your original configuration looks like l2tp/IPsec. Your configuration was correct for that purpose. Where this is going right now is a general roadwarrior configuration for IKEv1. Please check what is actually configured on the IOS device, so we can solve this quickly.

Kind regards/Regards,
Noel Kuntze

Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 20.04.2015 at 11:01, Stephen Feyrer wrote:
> Hi Miroslav,
>
> Thank you.
>
> We've made progress. I haven't included any of the log file as it is
> very verbose (24488 lines - for ipsec up, statusall, down). Please let me
> know which sections to look at and I'll grab those.
>
> As you can see below, the transaction request seems to be very laboured
> but does result in a success statement. Following that I have tried to test
> with openl2tp to create the l2tp ppp tunnel. Openl2tp seems to create this
> tunnel but ifconfig does not show any ppp interfaces.
>
> The lines in the conn left/rightprotoport do not seem to affect the outcome
> whether included or not. The charondebug line when uncommented prevents any
> output and I suspect that the syntax is wrong there.
>
> code:
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>     # strictcrlpolicy=yes
>     # uniqueids = no
>     # charondebug="ike 3, cfg 3, app 3, chd 3, dmn 3, net 3"
>
> conn VPN-OFFICE-COM
>     keyexchange=ikev1
>     type=tunnel
>     authby=secret
>     ike=3des-sha1-modp1024
>     rekey=no
>     left=%any
>     leftsourceip=%config
>     # leftprotoport=udp/l2tp
>     right=vpn.office.com
>     # rightprotoport=udp/l2tp
>     rightid=17.11.7.5
>     rightsubnet=0.0.0.0/0
>     auto=add
>
>
> # ipsec up VPN-OFFICE-COM
> initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
> received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
> parsed ID_PROT response 0 [ SA V V ]
> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> received FRAGMENTATION vendor ID
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
> received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> received Cisco Unity vendor ID
> received XAuth vendor ID
> received unknown vendor ID: [HIDDEN]
> received unknown vendor ID: [HIDDEN]
> local host is behind NAT, sending keep alives
> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> parsed ID_PROT response 0 [ ID HASH V ]
> received DPD vendor ID
> IKE_SA VPN-OFFICE-COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
> generating TRANSACTION request [HIDDEN] [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> sending retransmit 1 of request message ID [HIDDEN], seq 4
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> sending retransmit 2 of request message ID [HIDDEN], seq 4
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> sending retransmit 3 of request message ID [HIDDEN], seq 4
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH N(DPD) ]
> sending keep alive to 17.11.7.5[4500]
> sending retransmit 4 of request message ID [HIDDEN], seq 4
> sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH D ]
> received DELETE for IKE_SA VPN-OFFICE-COM[1]
> deleting IKE_SA VPN-OFFICE-COM[1] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
> initiating Main Mode IKE_SA VPN-OFFICE-COM[2] to 17.11.7.5
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
> connection 'VPN-OFFICE-COM' established successfully
>
>
> # ipsec statusall
> Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.16.5-gentoo, x86_64):
>   uptime: 112 seconds, since Apr 20 09:23:17 2015
>   malloc: sbrk [HIDDEN], mmap 0, used [HIDDEN], free [HIDDEN]
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
>   loaded plugins: charon ldap mysql sqlite aes des rc2 sha1 sha2 md4 md5 random
>   nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
>   sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac curl attr
>   kernel-netlink resolve socket-default socket-dynamic farp stroke vici updown
>   eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym
>   eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls
>   xauth-generic xauth-eap xauth-pam dhcp lookip led unity
> Listening IP addresses:
>   1.2.3.4
> Connections:
> VPN-OFFICE-COM:  %any...vpn.office.com  IKEv1
> VPN-OFFICE-COM:   local:  [1.2.3.4] uses pre-shared key authentication
> VPN-OFFICE-COM:   remote: [17.11.7.5] uses pre-shared key authentication
> VPN-OFFICE-COM:   child:  dynamic[udp/l2tp] === 172.18.7.0/24[udp/l2tp] TUNNEL
> Security Associations (1 up, 0 connecting):
> VPN-OFFICE-COM[2]: ESTABLISHED 40 seconds ago, 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
> VPN-OFFICE-COM[2]: IKEv1 SPIs: [HIDDEN]_i* [HIDDEN]_r, rekeying disabled
> VPN-OFFICE-COM[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> VPN-OFFICE-COM[2]: Tasks queued: QUICK_MODE ISAKMP_DPD ISAKMP_DPD ISAKMP_DPD
> VPN-OFFICE-COM[2]: Tasks active: MODE_CONFIG
>
>
> # ipsec down VPN-OFFICE-COM
> received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> parsed INFORMATIONAL_V1 request [HIDDEN] [ HASH D ]
> received DELETE for IKE_SA VPN-OFFICE-COM[2]
> deleting IKE_SA VPN-OFFICE-COM[2] between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
> initiating Main Mode IKE_SA VPN-OFFICE-COM[3] to 17.11.7.5
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
> IKE_SA [2] closed successfully
>
>
> --
> Kind regards
>
> Stephen Feyrer
>
>
> On Mon, 20 Apr 2015 00:57:42 +0100, Miroslav Svoboda <goodmi...@goodmirek.cz> wrote:
>
> > Hi Stephen,
> >
> > Please delete type=transport or change it to type=tunnel.
> > Also delete rightprotoport and leftprotoport.
> >
> > If this did not help, please provide again ipsec statusall + enable
> > logging at a higher level as described here
> > <https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration>
> > and provide the logfile.
> >
> > Regards,
> > Miroslav
> >
> > On Monday, April 20, 2015 at 1:47:48 AM UTC+2, Stephen Feyrer wrote:
> >
> > > Hi Miroslav,
> > >
> > > You are correct, the syntax error is gone. Sadly, there is not much
> > > which I can tell you about my office network topology. All that I do know is
> > > that we pass through a Windows Firewall before being able to connect our work
> > > stations.
> > >
> > > code:
> > >
> > > # ipsec.conf - strongSwan IPsec configuration file
> > >
> > > # basic configuration
> > >
> > > config setup
> > >     # strictcrlpolicy=yes
> > >     # uniqueids = no
> > >
> > > conn VPN-OFFICE-COM
> > >     keyexchange=ikev1
> > >     type=transport
> > >     authby=secret
> > >     ike=3des-sha1-modp1024
> > >     rekey=no
> > >     left=%any
> > >     leftsourceip=%config
> > >     leftprotoport=udp/l2tp
> > >     right=vpn.office.com
> > >     rightprotoport=udp/l2tp
> > >     rightid=17.11.7.5
> > >     rightsubnet=0.0.0.0/0
> > >     auto=add
> > >
> > >
> > > # ipsec up VPN-OFFICE-COM
> > > initiating Main Mode IKE_SA VPN-OFFICE-COM[14] to 17.11.7.5
> > > generating ID_PROT request 0 [ SA V V V V ]
> > > sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
> > > received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
> > > parsed ID_PROT response 0 [ SA V V ]
> > > received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> > > received FRAGMENTATION vendor ID
> > > generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> > > sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
> > > received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
> > > parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> > > received Cisco Unity vendor ID
> > > received XAuth vendor ID
> > > received unknown vendor ID: [HIDDEN]
> > > received unknown vendor ID: [HIDDEN]
> > > local host is behind NAT, sending keep alives
> > > generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> > > sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> > > received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> > > parsed ID_PROT response 0 [ ID HASH V ]
> > > received DPD vendor ID
> > > IKE_SA VPN-OFFICE-COM[14] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
> > > generating QUICK_MODE request [HIDDEN] [ HASH SA No ID ID NAT-OA NAT-OA ]
> > > sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
> > > received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
> > > parsed QUICK_MODE response [HIDDEN] [ HASH SA No ID ID N(([HIDDEN])) NAT-OA ]
> > > received 28800s lifetime, configured 0s
> > > no acceptable traffic selectors found
> > > establishing connection 'VPN-OFFICE-COM' failed
> > >
> > >
> > > # ipsec statusall
> > > Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.16.5-gentoo, x86_64):
> > >   uptime: 3 hours, since Apr 19 20:50:15 2015
> > >   malloc: sbrk [HIDDEN], mmap 0, used [HIDDEN], free [HIDDEN]
> > >   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
> > >   loaded plugins: charon ldap mysql sqlite aes des rc2 sha1 sha2 md4 md5 random
> > >   nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
> > >   sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac curl attr
> > >   kernel-netlink resolve socket-default socket-dynamic farp stroke vici updown
> > >   eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym
> > >   eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls
> > >   xauth-generic xauth-eap xauth-pam dhcp lookip led unity
> > > Listening IP addresses:
> > >   1.2.3.4
> > > Connections:
> > > VPN-OFFICE-COM:  %any...vpn.office.com  IKEv1
> > > VPN-OFFICE-COM:   local:  [1.2.3.4] uses pre-shared key authentication
> > > VPN-OFFICE-COM:   remote: [17.11.7.5] uses pre-shared key authentication
> > > VPN-OFFICE-COM:   child:  dynamic[udp/l2tp] === dynamic[udp/l2tp] TRANSPORT
> > > Security Associations (1 up, 0 connecting):
> > > VPN-OFFICE-COM[14]: ESTABLISHED 6 seconds ago, 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
> > > VPN-OFFICE-COM[14]: IKEv1 SPIs: [HIDDEN]_i* [HIDDEN]_r, rekeying disabled
> > > VPN-OFFICE-COM[14]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> > >
> > >
> > > Thank you for your help. I hope this tells you more than it does me.
> > >
> > >
> > > --
> > > Kind regards
> > >
> > > Stephen Feyrer.
> > >
> > >
> > > On Sun, 19 Apr 2015 09:11:04 +0100, Miroslav Svoboda <good...@goodmirek.cz> wrote:
> > >
> > > > Hi Stephen,
> > > >
> > > > So I assume there is no longer any syntax error reported.
> > > >
> > > > From the logfile I see there is no acceptable traffic selector. I
> > > > assume that you have a home PC (Ubuntu) with strongSwan which you want to
> > > > connect to the office VPN concentrator with IP 17.11.7.5 running Windows. I
> > > > suppose the VPN concentrator in the office is not configured to route any traffic
> > > > towards your home PC's IP address, thus you will need a virtual IP address
> > > > assigned to your home PC by the VPN concentrator. Also I suppose you want to
> > > > route all traffic via that VPN once connected.
> > > > Then, please try to modify "left=%defaultroute" to "left=%any"
> > > > and add "rightsubnet=0.0.0.0/0" and "leftsourceip=%config". You should not
> > > > specify "leftsubnet", it has the same effect as "leftsubnet=%dynamic".
> > > > According to the documentation at the wiki
> > > > <https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection>
> > > > the configuration directive "left=%defaultroute" was used prior to version 5.0.0,
> > > > superseded by "left=%any".
> > > > leftsubnet=%dynamic (or omitting leftsubnet at all) and
> > > > rightsubnet=0.0.0.0/0 will create your traffic selector. It says that anything
> > > > (0.0.0.0/0) from your side will be routed to the remote host and that the remote
> > > > host will route towards your PC (left==local) traffic which would fit your
> > > > dynamically assigned IP. Should you want to route towards the office network only
> > > > office-related traffic then change "rightsubnet=<subnet_used_in_Stephen's_office>".
> > > >
> > > > If that didn't help please can you provide the output of 'ipsec
> > > > statusall' and also more details about the network topology?
> > > >
> > > > Regards,
> > > > Miroslav
> > > >
> > > > On Saturday, April 18, 2015 at 5:28:12 PM UTC+2, Stephen Feyrer wrote:
> > > >
> > > > > Hi Miroslav,
> > > > >
> > > > > Thank you. The conn section as presented below was copied
> > > > > and pasted from the web page for convenience (this stripped the leading white
> > > > > space from the conn section). For the moment the white spaces are in the form
> > > > > of TAB characters. I will test with space characters and complete this email.
> > > > >
> > > > > I apologise for the lack of white spaces in the conn section
> > > > > of the email below. I have now tested with both spaces and tabs, each producing
> > > > > the same error as below.
> > > > >
> > > > >
> > > > > --
> > > > > Kind regards
> > > > >
> > > > > Stephen Feyrer.
> > > > >
> > > > >
> > > > > On Sat, 18 Apr 2015 13:25:20 +0100, Miroslav Svoboda <good...@goodmirek.cz> wrote:
> > > > >
> > > > > > Hi Stephen,
> > > > > >
> > > > > > I believe the issue might be caused as the "conn" section
> > > > > > is not compliant with the prescribed format. There should be at least one
> > > > > > whitespace at the beginning of each line within the section. Only sections
> > > > > > can and shall start at the first character of the line.
> > > > > >
> > > > > > Supposed correction:
> > > > > >
> > > > > > conn VPN-OFFICE-COM
> > > > > >     keyexchange=ikev1
> > > > > >     type=transport
> > > > > >     authby=secret
> > > > > >     ike=3des-sha1-modp1024
> > > > > >     rekey=no
> > > > > >     left=%defaultroute
> > > > > >     leftprotoport=udp/l2tp
> > > > > >     right=vpn.office.com
> > > > > >     rightprotoport=udp/l2tp
> > > > > >     rightid=17.11.7.5
> > > > > >     auto=add
> > > > > >
> > > > > > Regards,
> > > > > > Miroslav
> > > > > >
> > > > > > > Message: 3
> > > > > > > Date: Fri, 17 Apr 2015 14:08:57 +0100
> > > > > > > From: "Stephen Feyrer" <stephen...@btinternet.com>
> > > > > > > To: us...@lists.strongswan.org
> > > > > > > Subject: Re: [strongSwan] /etc/strongswan.d/VPN.conf:1: syntax error,
> > > > > > >     unexpected NAME, expecting NEWLINE or '{' or '=' [vpn]
> > > > > > > Message-ID: <op.xw8ms...@sveta.home.org>
> > > > > > > Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
> > > > > > >
> > > > > > > Hi Noel,
> > > > > > >
> > > > > > > Thank you. I have removed the file /etc/strongswan.d/VPN.conf
> > > > > > >
> > > > > > > In /etc/ipsec.conf I have the same configuration. At least there is
> > > > > > > progress, unfortunately I am still baffled. This is the previously
> > > > > > > working configuration.
> > > > > > >
> > > > > > > code:
> > > > > > >
> > > > > > > # ipsec.conf - strongSwan IPsec configuration file
> > > > > > >
> > > > > > > # basic configuration
> > > > > > >
> > > > > > > config setup
> > > > > > >     # strictcrlpolicy=yes
> > > > > > >     # uniqueids = no
> > > > > > >
> > > > > > > conn VPN-OFFICE-COM
> > > > > > >     keyexchange=ikev1
> > > > > > >     type=transport
> > > > > > >     authby=secret
> > > > > > >     ike=3des-sha1-modp1024
> > > > > > >     rekey=no
> > > > > > >     left=%defaultroute
> > > > > > >     leftprotoport=udp/l2tp
> > > > > > >     right=vpn.office.com
> > > > > > >     rightprotoport=udp/l2tp
> > > > > > >     rightid=17.11.7.5
> > > > > > >     auto=add
> > > > > > >
> > > > > > >
> > > > > > > Having restarted ipsec, I get the following result
> > > > > > >
> > > > > > > code:
> > > > > > >
> > > > > > > # ipsec up VPN-OFFICE-COM
> > > > > > > initiating Main Mode IKE_SA VPN-OFFICE-COM[1] to 17.11.7.5
> > > > > > > generating ID_PROT request 0 [ SA V V V V ]
> > > > > > > sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (212 bytes)
> > > > > > > received packet: from 17.11.7.5[500] to 1.2.3.4[500] (116 bytes)
> > > > > > > parsed ID_PROT response 0 [ SA V V ]
> > > > > > > received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> > > > > > > received FRAGMENTATION vendor ID
> > > > > > > generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> > > > > > > sending packet: from 1.2.3.4[500] to 17.11.7.5[500] (244 bytes)
> > > > > > > received packet: from 17.11.7.5[500] to 1.2.3.4[500] (304 bytes)
> > > > > > > parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> > > > > > > received Cisco Unity vendor ID
> > > > > > > received XAuth vendor ID
> > > > > > > received unknown vendor ID: [Available On Request]
> > > > > > > received unknown vendor ID: [Available On Request]
> > > > > > > local host is behind NAT, sending keep alives
> > > > > > > generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> > > > > > > sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (84 bytes)
> > > > > > > received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (84 bytes)
> > > > > > > parsed ID_PROT response 0 [ ID HASH V ]
> > > > > > > received DPD vendor ID
> > > > > > > IKE_SA VPN-OFFICE-COM[1] established between 1.2.3.4[1.2.3.4]...17.11.7.5[17.11.7.5]
> > > > > > > generating QUICK_MODE request [Available On Request] [ HASH SA No ID ID NAT-OA NAT-OA ]
> > > > > > > sending packet: from 1.2.3.4[4500] to 17.11.7.5[4500] (220 bytes)
> > > > > > > received packet: from 17.11.7.5[4500] to 1.2.3.4[4500] (180 bytes)
> > > > > > > parsed QUICK_MODE response [Available On Request] [ HASH SA No ID ID N((24576)) NAT-OA ]
> > > > > > > received 28800s lifetime, configured 0s
> > > > > > > no acceptable traffic selectors found
> > > > > > > establishing connection 'VPN-OFFICE-COM' failed
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Kind regards
> > > > > > >
> > > > > > > Stephen Feyrer
> > > > >
> > > > >
> > > > > --
> > > > > Kind regards
> > > > >
> > > > > Stephen Feyrer
> > >
> > >
> > > --
> > > Kind regards
> > >
> > > Stephen Feyrer
>
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
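As an added example (not code from the thread or the strongSwan project), a small Python checker for the two ipsec.conf issues the thread turns on: body lines inside a section must start with whitespace, and an L2TP/IPsec conn (type=transport, udp/l2tp protoports) should not be mixed with IKEv1 roadwarrior keywords (leftsourceip=%config, rightsubnet=0.0.0.0/0). The profile labels, the function names and the two sample files are assumptions.

```python
# Added example, not from the thread or the strongSwan project.
L2TP_KEYS = ("leftprotoport", "rightprotoport")
ROADWARRIOR_KEYS = ("leftsourceip", "rightsubnet")

def parse_ipsec_conf(text):
    """Return {"conn NAME": {key: value}}; raise SyntaxError on a malformed line."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        # Column 1 is reserved for section headers; body lines need leading whitespace.
        if line[0] not in " \t":
            parts = line.split()
            if len(parts) != 2 or parts[0] not in ("config", "conn", "ca"):
                raise SyntaxError(f"line {lineno}: unexpected NAME, expected a section header")
            current = f"{parts[0]} {parts[1]}"
            sections[current] = {}
            continue
        key, sep, value = line.strip().partition("=")
        if current is None or not sep:
            raise SyntaxError(f"line {lineno}: expected key=value inside a section")
        sections[current][key.strip()] = value.strip()
    return sections

def classify_conn(opts):
    """Return (profile, stray_keys): the profile a conn follows and the keywords
    in it that belong to the other profile."""
    transport = opts.get("type", "tunnel") == "transport"
    l2tp = any(opts.get(k) == "udp/l2tp" for k in L2TP_KEYS)
    if transport and l2tp:
        return "l2tp/ipsec", [k for k in ROADWARRIOR_KEYS if k in opts]
    if not transport and any(k in opts for k in ROADWARRIOR_KEYS):
        return "roadwarrior", [k for k in L2TP_KEYS if k in opts]
    return "unknown", []

def check(text):
    """Map every conn section to its (profile, stray_keys) verdict."""
    return {name: classify_conn(opts)
            for name, opts in parse_ipsec_conf(text).items() if name.startswith("conn ")}

# Constructed sample (not the poster's file): transport mode plus roadwarrior
# keywords, the mix the thread's second configuration shows.
MIXED = """config setup
conn VPN-OFFICE-COM
    keyexchange=ikev1
    type=transport
    leftsourceip=%config
    leftprotoport=udp/l2tp
    rightsubnet=0.0.0.0/0
    rightprotoport=udp/l2tp
"""
# Constructed sample with the body unindented, which the parser must reject.
UNINDENTED = "conn VPN-OFFICE-COM\nkeyexchange=ikev1\ntype=transport\n"
```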