Hi Tobias,

I was looking yesterday at a lot of articles on wiki.strongswan.org to no 
avail. Here is my complete config / ip route + some logging. For me, everything 
looks ok... Still, when connected via VPN, I can't access my network internals 
and my data is still not routed through (ipaddress.com still shows I'm not 
going through my private infrastructure).

config setup
  # crlcheckinterval=600
  # strictcrlpolicy=yes
  # cachecrls=yes
  nat_traversal=yes
  charondebug="ike 2, knl 2, cfg 1, enc -1, lib -1"
  charonstart=yes
  plutostart=no

conn %default
  keyexchange=ikev2
  dpdaction=clear
  
  ike=aes128-sha1-modp1024,aes128-sha1-modp2048,aes256-sha1-modp1024,aes128-sha256-ecp256,aes256-sha384-ecp384
  esp=aes128-sha1,aes256-sha1,aes128gcm128-ecp256,aes256gcm128-ecp384
  dpddelay=300s
  rekey=no

conn winCert
  left=%defaultroute
  # left=%any
  leftcert=vpn.server.cert.pem
  leftauth=pubkey
  leftsubnet=0.0.0.0/0
  leftfirewall=yes
  # forceencaps=yes
  right=%any
  rightauth=eap-tls
  eap_identity=%identity
  rightsendcert=never
  rightsourceip=172.20.1.0/24
  rightsubnet=172.20.1.0/24
  keyexchange=ikev2
  #type=passthrough
  auto=add
  
  
$ ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN group default
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether c0:b0:a6:c0:fd:21 brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.3/24 brd 192.168.0.255 scope global eth0
        inet6 fe80::c2b0:a6ff:fec0:fd21/64 scope link
           valid_lft forever preferred_lft forever
    3: tunl0: <NOARP> mtu 1480 qdisc noop state DOWN group default
        link/ipip 0.0.0.0 brd 0.0.0.0

$ ip route
    default via 192.168.0.1 dev eth0
    192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.3

# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  172.20.1.1           anywhere             policy match dir in pol ipsec reqid 2 proto esp
    ACCEPT     all  --  anywhere             172.20.1.1           policy match dir out pol ipsec reqid 2 proto esp
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

charon.log
May  6 09:09:54 11[CFG] <winCert|1> selecting traffic selectors for us:
May  6 09:09:54 11[CFG] <winCert|1>  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
May  6 09:09:54 11[CFG] <winCert|1> selecting traffic selectors for other:
May  6 09:09:54 11[CFG] <winCert|1>  config: 172.20.1.0/24, received: 0.0.0.0/0 => match: 172.20.1.0/24
May  6 09:09:54 11[KNL] <winCert|1> adding SAD entry with SPI cda74c88 and reqid {1}
May  6 09:09:54 11[KNL] <winCert|1>   using encryption algorithm AES_CBC with key size 128
May  6 09:09:54 11[KNL] <winCert|1>   using integrity algorithm HMAC_SHA1_96 with key size 160
May  6 09:09:54 11[KNL] <winCert|1> adding SAD entry with SPI 6e551312 and reqid {1}
May  6 09:09:54 11[KNL] <winCert|1>   using encryption algorithm AES_CBC with key size 128
May  6 09:09:54 11[KNL] <winCert|1>   using integrity algorithm HMAC_SHA1_96 with key size 160
May  6 09:09:54 11[KNL] <winCert|1> adding policy 0.0.0.0/0 === 172.20.1.0/24 out
May  6 09:09:54 11[KNL] <winCert|1> adding policy 172.20.1.0/24 === 0.0.0.0/0 in
May  6 09:09:54 11[KNL] <winCert|1> adding policy 172.20.1.0/24 === 0.0.0.0/0 fwd
May  6 09:09:54 11[KNL] <winCert|1> getting a local address in traffic selector 0.0.0.0/0
May  6 09:09:54 11[KNL] <winCert|1> using host %any
May  6 09:09:54 11[KNL] <winCert|1> getting address to reach XXX.XXX.210.187
May  6 09:09:54 11[KNL] <winCert|1> getting interface name for 192.168.0.3
May  6 09:09:54 11[KNL] <winCert|1> 192.168.0.3 is on interface eth0
May  6 09:09:54 11[KNL] <winCert|1> installing route: 172.20.1.0/24 via 192.168.0.1 src %any dev eth0
May  6 09:09:54 11[KNL] <winCert|1> getting iface index for eth0
May  6 09:09:54 11[IKE] <winCert|1> CHILD_SA winCert{1} established with SPIs cda74c88_i 6e551312_o and TS 0.0.0.0/0 === 172.20.1.0/24


Thanks,
Arne




----------------------------------------
> Subject: Re: [strongSwan] Win7 and Window10Mobile: IKE authentication 
> credentials are unacceptable
> To: [email protected]; [email protected]
> From: [email protected]
> Date: Wed, 4 May 2016 16:42:37 +0200
>
> Hi Arne,
>
>> With TLS_RSA_WITH_AES_256_CBC_SHA256 the authentication works.
>
> OK, strange. I currently don't have access to a Win10 Mobile device but
> would be interesting to do some experiments to find out what's wrong
> with the other suite.
>
>> I'm not able to reach any devices inside my network and the traffic is not 
>> routed over the vpn (whatismyip.com still shows my real IP instead of that 
>> of the vpn) - but I'll tackle that one next.
>
> If your config is still the same as in your original mail the problem is
> probably leftsubnet=0.0.0.0/24. To tunnel everything you have to use
> leftsubnet=0.0.0.0/0. And please also have a look at [1].
>
> Regards,
> Tobias
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
>
>
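A small added check, not code from this thread or from strongSwan, for the forwarding prerequisites that the ForwardingAndSplitTunneling page linked above covers and that a posted config and "iptables -L" like the ones in this mail cannot show: the kernel's net.ipv4.ip_forward sysctl and a nat/POSTROUTING MASQUERADE rule for the virtual-IP pool with the policy-match exception in front of it. It takes the sysctl value and an iptables-save dump as text so it can be run against a captured dump offline; the function name and the dumps below are constructed (the first mirrors the FORWARD rules leftfirewall=yes installed in this thread).

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the thread or from strongSwan).
# check_vpn_forwarding <ip_forward value> <iptables-save text> <pool cidr>
# Prints one line per missing prerequisite; returns non-zero if any was found.
check_vpn_forwarding() {
    fwd="$1"; rules="$2"; pool="$3"; rc=0
    if [ "$fwd" != "1" ]; then
        echo "MISSING: net.ipv4.ip_forward=1 (kernel will not route packets between client and LAN)"
        rc=1
    fi
    # leftfirewall=yes installs the policy-match ACCEPT rules in FORWARD, but
    # nothing NATs pool addresses that the LAN and the Internet cannot route back.
    if ! printf '%s\n' "$rules" | grep -q -- "-A POSTROUTING -s $pool .*-j MASQUERADE"; then
        echo "MISSING: nat/POSTROUTING MASQUERADE for $pool"
        rc=1
    fi
    # The wiki puts "-m policy --dir out --pol ipsec -j ACCEPT" in front of the
    # MASQUERADE rule so traffic from one client to another tunnel is not NATed.
    if printf '%s\n' "$rules" | grep -q -- "-A POSTROUTING .*-j MASQUERADE" &&
       ! printf '%s\n' "$rules" | grep -q -- "-A POSTROUTING .*-m policy --dir out --pol ipsec -j ACCEPT"; then
        echo "WARN: MASQUERADE without a policy-match exception in nat/POSTROUTING"
        rc=1
    fi
    return $rc
}

# Constructed dump mirroring the posted "iptables -L": FORWARD rules only, no nat table.
BROKEN_RULES='*filter
-A FORWARD -s 172.20.1.1/32 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT
-A FORWARD -d 172.20.1.1/32 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT
COMMIT'
# Same dump plus the two nat rules from the wiki page, with this thread's pool and interface.
FIXED_RULES="$BROKEN_RULES
*nat
-A POSTROUTING -s 172.20.1.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.20.1.0/24 -o eth0 -j MASQUERADE
COMMIT"

if [ "${1:-}" = "demo" ]; then
    check_vpn_forwarding 0 "$BROKEN_RULES" 172.20.1.0/24 || echo "--> forwarding not set up"
    check_vpn_forwarding 1 "$FIXED_RULES" 172.20.1.0/24 && echo "--> forwarding prerequisites present"
fi
```

On a live gateway the two inputs are `sysctl -n net.ipv4.ip_forward` and `iptables-save`; run the script with `demo` to see the constructed cases.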
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
