Hello Tomek,

Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is very slow.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 19.07.2015 at 13:34, tomek_byd wrote:
> I don't know how to write the correct config file for the connection. My
> config is a conglomeration of many examples from the Internet. So far I
> haven't had contact with IPsec. I'm under the control of TL-ER6120 and OpenWRT
> so I can make changes on both devices. I see the error "IDr payload missing"
> but parameter "leftid" is set in the config file.
>
> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <-> OpenWRT
> with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
>
> TL-ER6120 configuration:
> IKE Proposal: MD5, 3DES, DH2
> IKE Policy:
>   Exchange Mode: main,
>   Local ID Type: FQDN,
>   Local ID: A.A.A.A
>   Remote ID Type: FQDN
>   Remote ID: B.B.B.B
>   Pre-shared Key: XXXXXX
>   SA Lifetime: 28800
>   DPD: Disable
> IPsec Proposal: ESP, MD5, 3DES
> IPsec Policy:
>   Mode: LAN-to-LAN
>   Local Subnet: 192.168.1.0/24
>   Remote Subnet: 192.168.2.0/24
>   WAN: WAN1
>   Remote Gateway: B.B.B.B
>   Policy Mode: IKE
>   PFS: DH2
>   SA Lifetime: 28800
>
> OpenWRT configuration:
> /etc/ipsec.conf:
> config setup
>     # strictcrlpolicy = no
>     # uniqueids = no
> conn somename
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     type=tunnel
>     authby=secret
>     ike=3des-md5-modp1024!
>     esp=3des-md5!
>     rekey=no
>     left=B.B.B.B
>     leftid=B.B.B.B
>     leftsubnet=192.168.2.0/24
>     leftauth=psk
>     right=A.A.A.A
>     rightid=A.A.A.A
>     rightsubnet=192.168.1.0/24
>     rightauth=psk
>     dpdaction=none
>     auto=add
>     mobike=no
> /etc/ipsec.secrets
> A.A.A.A : PSK "XXXXXX"
> B.B.B.B : PSK "XXXXXX"
>
> Output:
> root@SomeWRT:~# ipsec up somename
> no files found matching '/etc/strongswan.d/*.conf'
> initiating IKE_SA somename[1] to A.A.A.A
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(HASH_ALG) ]
> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
> local host is behind NAT, sending keep alives
> remote host is behind NAT
> authentication of 'B.B.B.B' (myself) with pre-shared key
> establishing CHILD_SA somename
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
> N(EAP_ONLY) ]
> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
> IDr payload missing
> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
> establishing connection 'somename' failed
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
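
An added example, not part of either message and not strongSwan code: a small Python check that compares the posted conn section with the TL-ER6120 settings listed in the thread and reports IKE version and proposal mismatches. The function names and the LEGACY list are assumptions made for this illustration.

```python
# Constructed sample: the conn section from the quoted message, abridged.
SAMPLE_CONF = """\
config setup
    # uniqueids = no
conn somename
    keyexchange=ikev2
    ike=3des-md5-modp1024!
    esp=3des-md5!
"""
# Peer settings transcribed from the TL-ER6120 listing (DH2 = modp1024);
# the esp set is the IPsec proposal plus the PFS group.
PEER = {"exchange_mode": "main", "ike": {"3des", "md5", "modp1024"},
        "esp": {"3des", "md5", "modp1024"}}
LEGACY = {"des", "3des", "md5", "modp768", "modp1024"}  # assumption: local policy

def parse_conns(text):
    """Return {conn name: {key: value}} for each conn section of ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line starts a new section
            words = line.split()
            is_conn = words[0] == "conn" and len(words) == 2
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def proposal_algs(value):
    """Split 'a-b-c!' (comma-separated proposals allowed) into algorithm names."""
    return {a for p in value.rstrip("!").split(",") for a in p.strip().split("-") if a}

def lint(conn, peer):
    """List mismatches between one conn section and the peer's settings."""
    findings = []
    kex = conn.get("keyexchange", "ike")  # "ike" is the strongSwan default
    if peer["exchange_mode"] in ("main", "aggressive") and kex != "ikev1":
        findings.append(f"keyexchange={kex}, but {peer['exchange_mode']} mode is IKEv1")
    for key in ("ike", "esp"):
        algs = proposal_algs(conn.get(key, ""))
        if algs != peer[key]:
            findings.append(f"{key} differs from peer: {', '.join(sorted(algs ^ peer[key]))}")
        if algs & LEGACY:
            findings.append(f"{key} uses legacy algorithms: {', '.join(sorted(algs & LEGACY))}")
    return findings

if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        print(name, *lint(conn, PEER), sep="\n  ")
```

On the posted configuration it reports the IKEv2 versus main mode mismatch, the PFS group missing from `esp=`, and the 3DES/MD5/modp1024 proposals on both sides.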
