Hello Tomek,

Read the introduction to strongSwan and the article about forwarding and split tunneling on the wiki.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 20.07.2015 at 16:13, [email protected] wrote:
> Hello!
>
> I have made a lot of progress. The IPsec connection is set up properly.
> Unfortunately ping does not work between the networks. In OpenVPN I had
> tunnels in interfaces with their own addresses. I set up routing
> between them. Now I don't see the ends of the IPsec tunnel in
> interfaces and don't know how to set up routing.
>
> root@SomeWRT:~# ipsec statusall
> no files found matching '/etc/strongswan.d/*.conf'
> Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.10.49, mips):
>   uptime: 11 seconds, since Jul 20 15:58:34 2015
>   malloc: sbrk 122880, mmap 0, used 116464, free 6416
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
> Listening IP addresses:
>   192.168.2.1
> Connections:
>     somename:  B.B.B.B...A.A.A.A  IKEv1
>     somename:   local:  [B.B.B.B] uses pre-shared key authentication
>     somename:   remote: [A.A.A.A] uses pre-shared key authentication
>     somename:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL
> Security Associations (1 up, 0 connecting):
>     somename[2]: ESTABLISHED 10 seconds ago, B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
>     somename[2]: IKEv1 SPIs: xxxxxxxxxxxxxxxx_i xxxxxxxxxxxxxxxx_r*, rekeying disabled
>     somename[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>     somename{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: xxxxxxxx_i xxxxxxxx_o
>     somename{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
>     somename{1}:   192.168.2.0/24 === 192.168.1.0/24
>
> 2015-07-20 14:19 GMT+02:00 Noel Kuntze <[email protected]>:
>> Hello Tomek,
>>
>> I can tell from "Exchange Mode: Main" that it uses IKEv1.
>> Append an @ to the IDs on the strongSwan side
>> to force charon to send the ID as type FQDN,
>> which the other side expects (you set ID type to FQDN).
>> Use AES-128 instead of 3DES. You should also
>> use SHA1, not MD5. Furthermore, you enabled PFS in
>> the configuration on the TP-Link, but not in strongSwan.
>> Append the correct DH group to your ESP cipher settings.
>>
>> Look at the logs in the web interface to find out what the TP-Link
>> side doesn't like.
>>
>> Kind regards,
>> Noel Kuntze
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 20.07.2015 at 13:58, [email protected] wrote:
>>> Hello!
>>>
>>> After the change from IKEv1 to IKEv2 I have errors as shown below. In
>>> the TP-Link settings I don't see the possibility to change IKEv1/v2. I
>>> don't know what is even set in the TP-Link. A sample panel is visible on
>>> http://www.tp-link.com.pl/resources/simulator/TL-ER6120(UN)/userRpm/Index.htm.
>>> What is best to change 3DES to?
>>>
>>> root@SomeWRT:~# ipsec up somename
>>> no files found matching '/etc/strongswan.d/*.conf'
>>> initiating Main Mode IKE_SA somename[1] to A.A.A.A
>>> generating ID_PROT request 0 [ SA V V V V ]
>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (152 bytes)
>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (56 bytes)
>>> parsed INFORMATIONAL_V1 request 1324794912 [ N(NO_PROP) ]
>>> received NO_PROPOSAL_CHOSEN error notify
>>> establishing connection 'somename' failed
>>>
>>> 2015-07-19 22:32 GMT+02:00 Noel Kuntze <[email protected]>:
>>>> Hello Tomek,
>>>>
>>>> Try using IKEv1, not IKEv2. And use a different cipher than 3DES. It is
>>>> very slow.
>>>>
>>>> Kind regards,
>>>> Noel Kuntze
>>>>
>>>> GPG Key ID: 0x63EC6658
>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>
>>>> On 19.07.2015 at 13:34, tomek_byd wrote:
>>>>> I don't know how to write the correct config file for the connection.
>>>>> My config is a conglomeration of many examples from the Internet. So
>>>>> far I haven't had contact with IPsec. I'm under the control of
>>>>> TL-ER6120 and OpenWRT so I can make changes on both devices. I see the
>>>>> error "IDr payload missing" but parameter "leftid" is set in the
>>>>> config file.
>>>>>
>>>>> LAN A (192.168.1.0/24) <-> TL-ER6120 (IP: A.A.A.A) <-> INTERNET <->
>>>>> OpenWRT with strongSwan (IP: B.B.B.B) <-> LAN B (192.168.2.0/24)
>>>>>
>>>>> TL-ER6120 configuration:
>>>>> IKE Proposal: MD5, 3DES, DH2
>>>>> IKE Policy:
>>>>>   Exchange Mode: main,
>>>>>   Local ID Type: FQDN,
>>>>>   Local ID: A.A.A.A
>>>>>   Remote ID Type: FQDN
>>>>>   Remote ID: B.B.B.B
>>>>>   Pre-shared Key: XXXXXX
>>>>>   SA Lifetime: 28800
>>>>>   DPD: Disable
>>>>> IPsec Proposal: ESP, MD5, 3DES
>>>>> IPsec Policy:
>>>>>   Mode: LAN-to-LAN
>>>>>   Local Subnet: 192.168.1.0/24
>>>>>   Remote Subnet: 192.168.2.0/24
>>>>>   WAN: WAN1
>>>>>   Remote Gateway: B.B.B.B
>>>>>   Policy Mode: IKE
>>>>>   PFS: DH2
>>>>>   SA Lifetime: 28800
>>>>>
>>>>> OpenWRT configuration:
>>>>> /etc/ipsec.conf:
>>>>> config setup
>>>>>     # strictcrlpolicy = no
>>>>>     # uniqueids = no
>>>>>
>>>>> conn somename
>>>>>     ikelifetime=60m
>>>>>     keylife=20m
>>>>>     rekeymargin=3m
>>>>>     keyingtries=1
>>>>>     keyexchange=ikev2
>>>>>     type=tunnel
>>>>>     authby=secret
>>>>>     ike=3des-md5-modp1024!
>>>>>     esp=3des-md5!
>>>>>     rekey=no
>>>>>     left=B.B.B.B
>>>>>     leftid=B.B.B.B
>>>>>     leftsubnet=192.168.2.0/24
>>>>>     leftauth=psk
>>>>>     right=A.A.A.A
>>>>>     rightid=A.A.A.A
>>>>>     rightsubnet=192.168.1.0/24
>>>>>     rightauth=psk
>>>>>     dpdaction=none
>>>>>     auto=add
>>>>>     mobike=no
>>>>>
>>>>> /etc/ipsec.secrets:
>>>>> A.A.A.A : PSK "XXXXXX"
>>>>> B.B.B.B : PSK "XXXXXX"
>>>>>
>>>>> Output:
>>>>> root@SomeWRT:~# ipsec up somename
>>>>> no files found matching '/etc/strongswan.d/*.conf'
>>>>> initiating IKE_SA somename[1] to A.A.A.A
>>>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
>>>>> sending packet: from B.B.B.B[500] to A.A.A.A[500] (316 bytes)
>>>>> received packet: from A.A.A.A[500] to B.B.B.B[500] (332 bytes)
>>>>> parsed IKE_SA_INIT response 0 [ N(NATD_S_IP) N(NATD_D_IP) SA KE No ]
>>>>> local host is behind NAT, sending keep alives
>>>>> remote host is behind NAT
>>>>> authentication of 'B.B.B.B' (myself) with pre-shared key
>>>>> establishing CHILD_SA somename
>>>>> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (212 bytes)
>>>>> received packet: from A.A.A.A[4500] to B.B.B.B[4500] (68 bytes)
>>>>> parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) ]
>>>>> IDr payload missing
>>>>> generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>>>>> sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (68 bytes)
>>>>> establishing connection 'somename' failed
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> [email protected]
>>>>> https://lists.strongswan.org/mailman/listinfo/users
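The thread never shows the corrected OpenWrt side or the forwarding setup that the wiki article covers. The following script is an added example, not code from the thread, from Noel Kuntze or from the strongSwan project: it stages an ipsec.conf that applies the advice given in the replies (IKEv1 main mode, `@`-prefixed FQDN IDs, AES-128/SHA1, the DH group on the ESP proposal, lifetimes matching the router's 28800 s), lints a config for the settings that broke the quoted attempt, and prints the iptables rules the strongSwan wiki article on forwarding and split tunneling gives for policy-based tunnels. A.A.A.A and B.B.B.B are the thread's placeholders; the staging directory, the `run` argument and the placeholder PSK are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): stage a corrected ipsec.conf for the
# OpenWrt side, lint a config for the interop problems seen in the thread,
# and print the forwarding rules for a policy-based (interface-less) tunnel.
set -eu

OUT="${OUT:-./staging}"            # assumption: staged files, not /etc
LOCAL_IP="${LOCAL_IP:-B.B.B.B}"    # OpenWrt WAN address (thread placeholder)
REMOTE_IP="${REMOTE_IP:-A.A.A.A}"  # TL-ER6120 WAN address (thread placeholder)
LOCAL_NET="192.168.2.0/24"         # LAN B behind OpenWrt
REMOTE_NET="192.168.1.0/24"        # LAN A behind the TL-ER6120

# Write ipsec.conf and ipsec.secrets into $OUT.
write_conf() {
    mkdir -p "$OUT"
    cat > "$OUT/ipsec.conf" <<EOF
config setup

conn somename
    # The router only offers "Exchange Mode: main", i.e. IKEv1; the IKEv2
    # attempt ended in "IDr payload missing" / TS_UNACCEPT.
    keyexchange=ikev1
    type=tunnel
    authby=secret
    # A leading '@' makes charon send the ID as ID_FQDN, which the router's
    # "Local/Remote ID Type: FQDN" expects; a bare address is sent as
    # ID_IPV4_ADDR and the identities no longer match.
    left=$LOCAL_IP
    leftid=@$LOCAL_IP
    leftsubnet=$LOCAL_NET
    right=$REMOTE_IP
    rightid=@$REMOTE_IP
    rightsubnet=$REMOTE_NET
    # AES-128/SHA1 instead of 3DES/MD5; DH2 on the router is modp1024.
    ike=aes128-sha1-modp1024!
    # PFS is set to DH2 on the router, so the ESP proposal needs the group
    # too, otherwise the quick mode proposals do not match.
    esp=aes128-sha1-modp1024!
    # Match the 28800 s SA lifetimes configured on the router.
    ikelifetime=8h
    lifetime=8h
    dpdaction=none
    auto=start
EOF
    cat > "$OUT/ipsec.secrets" <<EOF
# PSK selectable by address and by the FQDN identities (placeholder key)
$LOCAL_IP $REMOTE_IP @$LOCAL_IP @$REMOTE_IP : PSK "XXXXXX"
EOF
}

# Report settings that will not interoperate with the router as configured
# in the thread; returns 1 if any are found, 0 if the file is clean.
lint_conf() {
    f="$1"; bad=0
    if grep -q '^[[:space:]]*keyexchange=ikev2' "$f"; then
        echo "keyexchange=ikev2: the router runs IKEv1 main mode"; bad=1
    fi
    if grep -E '^[[:space:]]*(left|right)id=' "$f" | grep -qv '=@'; then
        echo "leftid/rightid without '@': sent as ID_IPV4_ADDR, router expects FQDN"; bad=1
    fi
    if grep -E '^[[:space:]]*(ike|esp)=' "$f" | grep -qiE '3des|md5'; then
        echo "3DES/MD5 in ike=/esp=: slow and weak, use aes128-sha1"; bad=1
    fi
    if grep -E '^[[:space:]]*esp=' "$f" | grep -qv 'modp'; then
        echo "esp= has no DH group but the router has PFS set to DH2"; bad=1
    fi
    return $bad
}

# Policy-based IPsec has no tunnel interface: the kernel matches forwarded
# packets against XFRM policies after routing. Two things commonly break
# LAN-to-LAN pings on OpenWrt: forwarding is off, or the WAN MASQUERADE rule
# rewrites the source to the WAN address before the
# 192.168.2.0/24 === 192.168.1.0/24 policy can match. These are the rules
# from the strongSwan wiki article; they are printed here, not applied.
print_fw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# exempt traffic that will be IPsec-encapsulated from NAT (before MASQUERADE)
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
# accept forwarded traffic arriving through / leaving through the tunnel
iptables -I FORWARD -m policy --pol ipsec --dir in  --proto esp -s $REMOTE_NET -j ACCEPT
iptables -I FORWARD -m policy --pol ipsec --dir out --proto esp -d $REMOTE_NET -j ACCEPT
# verify: "ip xfrm policy" lists both subnets, and bytes_i/bytes_o in
# "ipsec statusall" stop reading 0 once packets match the policy
EOF
}

if [ "${1:-}" = "run" ]; then
    write_conf
    lint_conf "$OUT/ipsec.conf" && echo "staged $OUT/ipsec.conf is consistent with the router"
    print_fw_rules
fi
```

Run it as `sh stage_ipsec.sh run` to stage the files under `./staging` and print the firewall rules; `lint_conf /etc/ipsec.conf` on its own reports which of the thread's problems an existing config still has. The `0 bytes_i, 0 bytes_o` counters in the quoted `ipsec statusall` output are the symptom the NAT exemption addresses: the IKE and CHILD SAs are up, but no forwarded packet has matched the policy yet.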
