Hello Noel
On 25.04.2017 12:50, Noel Kuntze wrote:
Thank you very much for answering!
> "left=%config" doesn't make sense. %config is neither a known keyword nor a
> valid resolvable hostname.
> If your routing table is sane and specifies the source IPs for the routes,
> you don't need to set this at all.
Thanks again. This is ok now.
Routing is as follows:
# ip route show table 220
10.4.30.0/24 via xxx.137.25.195 dev ppp0 proto static src 10.4.48.1
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
10.4.48.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
And as already said:
>> # net.ipv4.ip_forward = 1
>> # iptables -t nat -A POSTROUTING -o ppp0 -j ACCEPT
>> # iptables -A FORWARD -i eth0 -j ACCEPT
> Make sure you use the right IKE version.
Ok. Switch uses "IKEv2 only mode" and I use "keyexchange=ikev2".
> Check if the packets arrive at the switch.
My partner (at the remote site) can do this tomorrow.
But when I look at the log on my site together with
"tcpdump -i ppp0", I have the impression that ikev2_auth
is sent (once).
----------------------------------------------------------------------
Apr 25 16:32:28 daemon.info syslog: 05[IKE] establishing CHILD_SA home{1}
Apr 25 16:32:28 authpriv.info syslog: 05[IKE] establishing CHILD_SA home{1}
Apr 25 16:32:28 daemon.info syslog: 05[ENC] generating IKE_AUTH request 1 [ IDi
CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)
N(EAP_ONLY) ]
Apr 25 16:32:28 daemon.info syslog: 05[NET] sending packet: from
10.64.33.100[4500] to xxx.137.25.195[4500] (1120 bytes)
16:32:32.802620 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap:
isakmp: child_sa ikev2_auth[I]
Apr 25 16:32:32 daemon.info syslog: 03[IKE] retransmit 1 of request with
message ID 1
Apr 25 16:32:32 daemon.info syslog: 03[NET] sending packet: from
10.64.33.100[4500] to xxx.137.25.195[4500] (1120 bytes)
16:32:33.888422 IP xxx.137.25.195.4500 > 10.64.33.100.4500: NONESP-encap:
isakmp: parent_sa inf2
16:32:33.898140 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap:
isakmp: parent_sa inf2[IR]
Apr 25 16:32:33 daemon.info syslog: 02[NET] received packet: from
xxx.137.25.195[4500] to 10.64.33.100[4500] (80 bytes)
Apr 25 16:32:33 daemon.info syslog: 02[ENC] parsed INFORMATIONAL request 0 [ ]
Apr 25 16:32:33 daemon.info syslog: 02[ENC] generating INFORMATIONAL response 0
[ ]
Apr 25 16:32:33 daemon.info syslog: 02[NET] sending packet: from
10.64.33.100[4500] to xxx.137.25.195[4500] (80 bytes)
16:32:38.947424 IP xxx.137.25.195.4500 > 10.64.33.100.4500: NONESP-encap:
isakmp: child_sa inf2
16:32:38.964954 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap:
isakmp: child_sa inf2[IR]
----------------------------------------------------------------------
NB: Any idea why I have seen your answer only on the mail-archive website?
Kind regards
René
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
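To make the pattern in the log above easier to spot (IKE_AUTH request 1 is sent, retransmitted, and only INFORMATIONAL traffic comes back), here is an added Python snippet, not part of the thread or of strongSwan, that pairs charon's "generating ... request N" lines with "parsed ... response N" lines and reports which of our own exchanges never got an answer. The log lines embedded in it are constructed in the format shown in the post, with an IKE_SA_INIT exchange added as the answered case.

```python
import re

# Constructed sample in strongSwan charon log format (addresses anonymised
# the same way the post does). Message ID 0 is answered, message ID 1 is not.
SAMPLE_LOG = """\
Apr 25 16:32:27 daemon.info syslog: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 25 16:32:27 daemon.info syslog: 05[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 25 16:32:28 daemon.info syslog: 05[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr ]
Apr 25 16:32:28 daemon.info syslog: 05[NET] sending packet: from 10.64.33.100[4500] to xxx.137.25.195[4500] (1120 bytes)
Apr 25 16:32:32 daemon.info syslog: 03[IKE] retransmit 1 of request with message ID 1
Apr 25 16:32:32 daemon.info syslog: 03[NET] sending packet: from 10.64.33.100[4500] to xxx.137.25.195[4500] (1120 bytes)
Apr 25 16:32:33 daemon.info syslog: 02[NET] received packet: from xxx.137.25.195[4500] to 10.64.33.100[4500] (80 bytes)
Apr 25 16:32:33 daemon.info syslog: 02[ENC] parsed INFORMATIONAL request 0 [ ]
Apr 25 16:32:33 daemon.info syslog: 02[ENC] generating INFORMATIONAL response 0 [ ]
"""

# Only requests *we* generate and responses *we* parse are tracked; the peer's
# own INFORMATIONAL request lives in its own message-ID space and is ignored.
GEN_RE = re.compile(r"\[ENC\] generating (\w+) request (\d+)")
RESP_RE = re.compile(r"\[ENC\] parsed (\w+) response (\d+)")
RETRANS_RE = re.compile(r"\[IKE\] retransmit (\d+) of request with message ID (\d+)")


def exchange_status(log_text):
    """Map each message ID we initiated to its exchange type, how many times
    it was retransmitted, and whether a matching response was ever parsed."""
    status = {}
    for line in log_text.splitlines():
        m = GEN_RE.search(line)
        if m:
            status[int(m.group(2))] = {"exchange": m.group(1), "retransmits": 0, "answered": False}
            continue
        m = RETRANS_RE.search(line)
        if m and int(m.group(2)) in status:
            status[int(m.group(2))]["retransmits"] = int(m.group(1))
            continue
        m = RESP_RE.search(line)
        if m and int(m.group(2)) in status:
            status[int(m.group(2))]["answered"] = True
    return status


def unanswered(log_text):
    """Message IDs of our requests that never received a response."""
    return sorted(mid for mid, s in exchange_status(log_text).items() if not s["answered"])


if __name__ == "__main__":
    for mid, s in sorted(exchange_status(SAMPLE_LOG).items()):
        print(f"msg {mid} {s['exchange']}: retransmits={s['retransmits']} answered={s['answered']}")
```

On the sample this flags message ID 1 (IKE_AUTH) as unanswered after one retransmit, which is the point to check on the switch side.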