Hi Noel, thanks for your help. I've set up a Debian 9 PC, so I am now using Strongswan 5.5.1-4 as you suggested. I cannot get 5.5.3 since it is not available under Debian. As a bonus, now my Linux kernel is 4.9.0-3.
These are my ipsec.conf (I followed your hints and simplified whatever I could) and charon_debug.log:

=== ipsec.conf ======================
config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn home
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        #
        leftcert=my_crt.pem
        leftsourceip=192.168.145.128 # CP-known client IP
        leftfirewall=yes
        #
        right=CP_FW_IP
        rightid=CP_FW_IP
        rightsubnet= 192.168.2.0/24, 192.168.3.0/24
        rightcert=cp_fw_crt.pem
        #
        auto=start

=== charon_debug.log ======================
Mon, 2017-08-07 15:57 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-3-amd64, x86_64)
Mon, 2017-08-07 15:57 00[LIB] plugin 'test-vectors': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'ldap': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs11': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'aesni': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'aes': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'rc2': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'sha2': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'sha1': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'md5': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'rdrand': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] detected RDRAND support, enabled
Mon, 2017-08-07 15:57 00[LIB] plugin 'random': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'nonce': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'x509': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'revocation': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'constraints': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'pubkey': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs1': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs7': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs8': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'pkcs12': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'pgp': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'dnskey': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'sshkey': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'pem': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'openssl': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'gcrypt': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'af-alg': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'fips-prf': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'gmp': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'agent': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'xcbc': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'cmac': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'hmac': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'ctr': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'ccm': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'gcm': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'curl': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'attr': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'kernel-netlink': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'resolve': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'socket-default': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'connmark': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'farp': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'stroke': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'updown': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-identity': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-aka': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-md5': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-gtc': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-mschapv2': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-radius': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-tls': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-ttls': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'eap-tnc': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'xauth-generic': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'xauth-eap': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'xauth-pam': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'tnc-tnccs': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'dhcp': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'ha': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'lookip': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'error-notify': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'certexpire': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'led': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'addrblock': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] plugin 'unity': loaded successfully
Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
Mon, 2017-08-07 15:57 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
Mon, 2017-08-07 15:57 00[LIB] feature PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_224
Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_256
Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_384
Mon, 2017-08-07 15:57 00[LIB] feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet dependency: HASHER:HASH_SHA3_512
Mon, 2017-08-07 15:57 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mon, 2017-08-07 15:57 00[CFG] loaded ca certificate "O=my_ca" from '/etc/ipsec.d/cacerts/ca_crt.pem'
Mon, 2017-08-07 15:57 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mon, 2017-08-07 15:57 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mon, 2017-08-07 15:57 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mon, 2017-08-07 15:57 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mon, 2017-08-07 15:57 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mon, 2017-08-07 15:57 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/my_key.der'
Mon, 2017-08-07 15:57 00[CFG] loaded 0 RADIUS server configurations
Mon, 2017-08-07 15:57 00[CFG] HA config misses local/remote address
Mon, 2017-08-07 15:57 00[LIB] feature CUSTOM:ha in plugin 'ha' failed to load
Mon, 2017-08-07 15:57 00[LIB] unloading plugin 'ha' without loaded features
Mon, 2017-08-07 15:57 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Mon, 2017-08-07 15:57 00[LIB] unable to load 13 plugin features (12 due to unmet dependencies)
Mon, 2017-08-07 15:57 00[LIB] dropped capabilities, running as uid 0, gid 0
Mon, 2017-08-07 15:57 00[JOB] spawning 16 worker threads
Mon, 2017-08-07 15:57 01[LIB] created thread 01 [2935]
Mon, 2017-08-07 15:57 02[LIB] created thread 02 [2936]
Mon, 2017-08-07 15:57 03[LIB] created thread 03 [2937]
Mon, 2017-08-07 15:57 04[LIB] created thread 04 [2938]
Mon, 2017-08-07 15:57 05[LIB] created thread 05 [2939]
Mon, 2017-08-07 15:57 06[LIB] created thread 06 [2940]
Mon, 2017-08-07 15:57 07[LIB] created thread 07 [2941]
Mon, 2017-08-07 15:57 08[LIB] created thread 08 [2942]
Mon, 2017-08-07 15:57 09[LIB] created thread 09 [2943]
Mon, 2017-08-07 15:57 10[LIB] created thread 10 [2944]
Mon, 2017-08-07 15:57 11[LIB] created thread 11 [2945]
Mon, 2017-08-07 15:57 12[LIB] created thread 12 [2946]
Mon, 2017-08-07 15:57 13[LIB] created thread 13 [2947]
Mon, 2017-08-07 15:57 14[LIB] created thread 14 [2948]
Mon, 2017-08-07 15:57 15[LIB] created thread 15 [2949]
Mon, 2017-08-07 15:57 16[LIB] created thread 16 [2950]
Mon, 2017-08-07 15:57 07[CFG] received stroke: add connection 'home'
Mon, 2017-08-07 15:57 07[CFG] conn home
Mon, 2017-08-07 15:57 07[CFG]   left=%any
Mon, 2017-08-07 15:57 07[CFG]   leftsourceip=192.168.145.128
Mon, 2017-08-07 15:57 07[CFG]   leftcert=my_crt.pem
Mon, 2017-08-07 15:57 07[CFG]   leftupdown=ipsec _updown iptables
Mon, 2017-08-07 15:57 07[CFG]   right=CP_FW_IP
Mon, 2017-08-07 15:57 07[CFG]   rightsubnet=192.168.2.0/24, 192.168.3.0/24
Mon, 2017-08-07 15:57 07[CFG]   rightid=CP_FW_IP
Mon, 2017-08-07 15:57 07[CFG]   rightcert=cp_fw_crt.pem
Mon, 2017-08-07 15:57 07[CFG]   ike=aes128-sha256-modp3072
Mon, 2017-08-07 15:57 07[CFG]   esp=aes128-sha256
Mon, 2017-08-07 15:57 07[CFG]   dpddelay=30
Mon, 2017-08-07 15:57 07[CFG]   dpdtimeout=150
Mon, 2017-08-07 15:57 07[CFG]   mediation=no
Mon, 2017-08-07 15:57 07[CFG]   keyexchange=ikev1
Mon, 2017-08-07 15:57 07[CFG] loaded certificate "O=my_ca, OU=users, CN=my_name" from 'my_crt.pem'
Mon, 2017-08-07 15:57 07[CFG] id '%any' not confirmed by certificate, defaulting to 'O=my_ca, OU=users, CN=my_name'
Mon, 2017-08-07 15:57 07[CFG] loaded certificate "O=my_ca, OU=users, CN=cp_fw_cert" from 'cp_fw_crt.pem'
Mon, 2017-08-07 15:57 07[CFG] added configuration 'home'
Mon, 2017-08-07 15:57 08[CFG] received stroke: initiate 'home'
Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_VENDOR task
Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_CERT_PRE task
Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing MAIN_MODE task
Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_CERT_POST task
Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing ISAKMP_NATD task
Mon, 2017-08-07 15:57 08[IKE] <home|1> queueing QUICK_MODE task
Mon, 2017-08-07 15:57 08[IKE] <home|1> activating new tasks
Mon, 2017-08-07 15:57 08[IKE] <home|1> activating ISAKMP_VENDOR task
Mon, 2017-08-07 15:57 08[IKE] <home|1> activating ISAKMP_CERT_PRE task
Mon, 2017-08-07 15:57 08[IKE] <home|1> activating MAIN_MODE task
Mon, 2017-08-07 15:57 08[IKE] <home|1> activating ISAKMP_CERT_POST task
Mon, 2017-08-07 15:57 08[IKE] <home|1> activating ISAKMP_NATD task
Mon, 2017-08-07 15:57 08[IKE] <home|1> sending XAuth vendor ID
Mon, 2017-08-07 15:57 08[IKE] <home|1> sending DPD vendor ID
Mon, 2017-08-07 15:57 08[IKE] <home|1> sending FRAGMENTATION vendor ID
Mon, 2017-08-07 15:57 08[IKE] <home|1> sending NAT-T (RFC 3947) vendor ID
Mon, 2017-08-07 15:57 08[IKE] <home|1> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mon, 2017-08-07 15:57 08[IKE] <home|1> initiating Main Mode IKE_SA home[1] to CP_FW_IP
Mon, 2017-08-07 15:57 08[IKE] <home|1> IKE_SA home[1] state change: CREATED => CONNECTING
Mon, 2017-08-07 15:57 08[CFG] <home|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_MD5_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
Mon, 2017-08-07 15:57 08[ENC] <home|1> generating ID_PROT request 0 [ SA V V V V V ]
Mon, 2017-08-07 15:57 08[NET] <home|1> sending packet: from 192.168.1.122[500] to CP_FW_IP[500] (240 bytes)
Mon, 2017-08-07 15:57 10[NET] <home|1> received packet: from CP_FW_IP[500] to 192.168.1.122[500] (40 bytes)
Mon, 2017-08-07 15:57 10[ENC] <home|1> parsed INFORMATIONAL_V1 request 111406742 [ N(NO_PROP) ]
Mon, 2017-08-07 15:57 10[IKE] <home|1> received NO_PROPOSAL_CHOSEN error notify
Mon, 2017-08-07 15:57 10[IKE] <home|1> IKE_SA home[1] state change: CONNECTING => DESTROYING
=======================================

So now the problem seems to be that no proposal is chosen... any hint?
Thanks,
larzeni

On Sat, Aug 5, 2017 at 11:20 AM, Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:
> Hi,
>
> On 05.08.2017 02:27, Luca Arzeni wrote:
> > [...]
> > I'm on a debian jessie 8.0, openswan 2.6.37 and I need to migrate to StrongSWAN 5.2.1
> You better get 5.5.3 right away. 5.2.1 is already pretty old.
> >
> > [...]
> > ==============================================================
> >
> > Now I'm trying to use StrongSWAN to setup a connection, but I'm not able to connect.
> > This is my StrongSWAN ipsec.conf:
> >
> > ==============================================================
> >
> > # ipsec.conf - strongSwan IPsec configuration file
> >
> > config setup
> >         # strictcrlpolicy=yes
> >         # uniqueids = no
> >         charondebug = dmn 2, mgr 2, ike 2, chd 2, job 0, cfg 2, knl 2, net 2, asn 0, enc 0, lib 0, esp 2, tls 2, tnc 2, imc 2, imv 2, pts 2
> Remove that. Use the logger configuration from the HelpRequests[1] page instead and pastebin us that, after you made the following changes.
> >
> > conn home
> >         ikelifetime=60m
> >         keylife=20m
> >         rekeymargin=3m
> >         keyingtries=1
> >         keyexchange=ikev1
> >         #
> >         left=%any
> Remove left. It is unnecessary.
> >         leftcert=my_cert.pem
> >         leftrsasigkey=%cert
> >         leftid="my certificate subject"
> leftrsasigkey and leftid are unnecessary, if not counterproductive.
> >         #leftauth=pubkey
> >         leftfirewall=yes
> >         #
> >         leftsourceip=A.B.C.D # CP-known client IP (not necessarily my ip), I need to set it because I'm using also a "rightsubnets" list
> >         leftsubnet=A.B.C.D/32 # CP-known client IP (not necessarily my ip), I need to set it because I'm using also a "rightsubnets" list
> Remove leftsubnet.
> >         #
> >         rightcert=fwncest_2012-11-07_cert.pem
> >         rightrsasigkey=%cert
> Remove rightrsasigkey.
> >         right=X.Y.Z.W (FW1_IP_ADDESS)
> >         rightid=X.Y.Z.W (I cannot use FW cert or other values, I MUST use the firewall public IP)
> >         rightsubnet= 192.168.1.0/24, 192.168.2.0/24, etc...
> >         rightcert=firewall_cert.pem
> >         rightrsasigkey=%cert
> Duplicate settings. Pick one of the certs, remove rightrsasigkey anyway.
> >         #
> >         auto=start
> Careful: Charon does not try to reestablish IKE_SAs or CHILD_SAs if the remote peer deletes them. This behaves differently than openswan.
> >
> >         # after establishing the vpn, run these scripts to allow routes from my client to server behind the firewall
> >         #
> >         # /sbin/iptables -t nat -I POSTROUTING -d 192.168.1.0/24 -j SNAT --to my_ip
> >         # /sbin/iptables -t nat -I POSTROUTING -d 192.168.2.0/24 -j SNAT --to my_ip
> >
> > include /var/lib/strongswan/ipsec.conf.inc
> Remove the include.
> >
> > =============================================================================
> >
> > But this setup is not working.
>
> Provide all the information from the HelpRequests[1] page, please.
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

--
Luca Arzeni
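A small log-triage helper, added here as an example and not code from this thread or from strongSwan: it parses charon's "configured proposals" line into encryption, integrity, PRF and DH transforms and records whether the peer's NO_PROPOSAL_CHOSEN arrived before or after the IKE_SA was established, which tells you whether the ike= (phase 1) or the esp= (phase 2) settings are the ones to compare with the peer's. The sample log is constructed from the excerpt above; the second, shorter proposal and the transform classification rules are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the charon_debug.log excerpt in this thread
# (same timestamps and the CP_FW_IP placeholder); the second proposal is made up.
SAMPLE_LOG = """\
Mon, 2017-08-07 15:57 08[IKE] <home|1> initiating Main Mode IKE_SA home[1] to CP_FW_IP
Mon, 2017-08-07 15:57 08[CFG] <home|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mon, 2017-08-07 15:57 08[ENC] <home|1> generating ID_PROT request 0 [ SA V V V V V ]
Mon, 2017-08-07 15:57 10[ENC] <home|1> parsed INFORMATIONAL_V1 request 111406742 [ N(NO_PROP) ]
Mon, 2017-08-07 15:57 10[IKE] <home|1> received NO_PROPOSAL_CHOSEN error notify
Mon, 2017-08-07 15:57 10[IKE] <home|1> IKE_SA home[1] state change: CONNECTING => DESTROYING
"""

def classify(transform: str) -> str:
    """Map a strongSwan transform name to its IKE transform type (assumed naming rules)."""
    if transform.startswith("PRF_"):
        return "prf"
    if transform.startswith(("MODP_", "ECP_")):
        return "dh"
    if transform.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "encr"  # AES_CBC/CTR/GCM/CCM, CAMELLIA_*, 3DES_CBC

def parse_proposals(line: str) -> List[Dict[str, List[str]]]:
    """Split 'configured proposals: IKE:a/b/c, IKE:d/e' into one dict per proposal."""
    m = re.search(r"configured proposals: (.*)$", line)
    if not m:
        return []
    result = []
    for prop in m.group(1).split(", "):
        grouped: Dict[str, List[str]] = {"encr": [], "integ": [], "prf": [], "dh": []}
        for t in prop.split(":", 1)[-1].split("/"):   # drop the 'IKE:' / 'ESP:' prefix
            grouped[classify(t)].append(t)
        result.append(grouped)
    return result

def diagnose(log: str) -> Dict[str, object]:
    """Find the offered proposals and which phase the peer's NO_PROPOSAL_CHOSEN hit."""
    report: Dict[str, object] = {"proposals": [], "ike_sa_established": False,
                                 "rejected_phase": None}
    for line in log.splitlines():
        if "configured proposals:" in line:
            report["proposals"] = parse_proposals(line)
        elif "IKE_SA" in line and "established" in line:
            report["ike_sa_established"] = True
        elif "received NO_PROPOSAL_CHOSEN" in line:
            # before the IKE_SA exists it is phase 1 (ike=), afterwards phase 2 (esp=)
            report["rejected_phase"] = 2 if report["ike_sa_established"] else 1
    return report
```

Feed it the real charon_debug.log and the report shows exactly which cipher, integrity, PRF and DH group combinations were offered in the first Main Mode message, so the peer's IKE phase 1 settings can be checked against them one by one.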