Hi Gordon,

Use the configuration examples from the UsableExamples[1] page. If you continue having trouble, provide the complete information that is listed on the HelpRequests[2] page, please.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
[2] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 08.11.2017 01:48, Gordon Johnstone wrote:
> I've installed strongswan on a new CentOS 7 server following
> https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html
>
> Connections from Windows 10 and Android are fine. My understanding of all
> things VPN is very basic.
>
> Getting the backup CentOS 6 libreswan connected has stumped me, I'm unable to
> get past "no IKE config found for 10.240.0.2 ...<client_public_ip>"
>
> I can see entries relating to the client and server certificates looking at
> "ipsec status" so I think certificates are ok. Experimenting with specific
> ike and phasealg entries on client hasn't got me anywhere.
>
> There are no ikev2 mentions in the logs which seems wrong, so many Google
> results.
>
> Could someone please point me in the right direction.
>
> Gordon.
>
> ------------- server messages
>
> Nov 8 10:46:17 buddyi charon: 03[NET] received packet: from <client_public_ip>[500] to 10.240.0.2[500]
> Nov 8 10:46:17 buddyi charon: 03[NET] waiting for data on sockets
> Nov 8 10:46:17 buddyi charon: 05[MGR] checkout IKEv1 SA by message with SPIs a30b15eb151113bc_i 0000000000000000_r
> Nov 8 10:46:17 buddyi strongswan: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
> Nov 8 10:46:17 buddyi strongswan: 14[CFG] looking for an ike config for 10.240.0.2...<client_public_ip>
> Nov 8 10:46:17 buddyi strongswan: 14[IKE] no IKE config found for 10.240.0.2...<client_public_ip>, sending NO_PROPOSAL_CHOSEN
> Nov 8 10:46:17 buddyi strongswan: 14[ENC] generating INFORMATIONAL_V1 request 1476202834 [ N(NO_PROP) ]
>
> ------------ client:/etc/ipsec.conf
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>   # interfaces="ipsec0=eth1"
>   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.100.64/27
>   # Debug-logging controls: "none" for (almost) none, "all" for lots.
>   klipsdebug=none
>   # klipsdebug=all
>   # plutodebug="control parsing"
>   # plutodebug=all
>   # plutostderrlog=/var/log/pluto.log
>   # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>   protostack=netkey
>   nat_traversal=yes
>   virtual_private=
>   oe=off
>
> # trying to connect libreswan here to strongswan on buddy
>
> conn buddy
>   ikelifetime=60m
>   keylife=20m
>   rekeymargin=3m
>   keyingtries=1
>   authby=rsasig
>   leftcert="gj's VPN Certificate"
>   leftsendcert=always
>   leftid=%fromcert
>   left=%defaultroute
>   leftsubnet=10.0.100.0/24
>   leftprotoport=17/1701
>   # Replace IP address with your VPN server's IP
>   right=<server_public_ip>
>   rightprotoport=17/1701
>   auto=add
>
> #include /etc/ipsec.d/*.conf
>
> ---------- server ipsec.conf
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>   # strictcrlpolicy=yes
>   # uniqueids = no
>
> # Add connections here.
>
> # Sample VPN connections
>
> #conn sample-self-signed
> #  leftsubnet=10.1.0.0/16
> #  leftcert=selfCert.der
> #  leftsendcert=never
> #  right=192.168.0.2
> #  rightsubnet=10.2.0.0/16
> #  rightcert=peerCert.der
> #  auto=start
>
> #conn sample-with-ca-cert
> #  leftsubnet=10.1.0.0/16
> #  leftcert=myCert.pem
> #  right=192.168.0.2
> #  rightsubnet=10.2.0.0/16
> #  rightid="C=CH, O=Linux strongSwan CN=peer name"
> #  auto=start
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>   charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
>
> conn %default
>   keyexchange=ikev2
>   ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
>   esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
>   dpdaction=clear
>   dpddelay=300s
>   rekey=no
>
>   #Server side
>   left=%any
>   # left=10.240.0.2
>   leftsubnet=0.0.0.0/0
>   leftcert=vpnHostCert.der
>   # leftfirewall=yes
>
>   #Client side
>   right=%any
>   rightdns=8.8.8.8,8.8.4.4
>   rightsourceip=10.42.42.0/24
>
> conn IPSec-IKEv2
>   keyexchange=ikev2
>   auto=add
>
> conn IPSec-IKEv2-EAP
>   also="IPSec-IKEv2"
>   rightauth=eap-mschapv2
>   rightauthby2=pubkey
>   rightsendcert=never
>   eap_identity=%any
>
> #conn CiscoIPSec
> #  keyexchange=ikev1
> #  forceencaps=yes
> #  authby=xauthrsasig
> #  xauth=server
> #  auto=add
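Added triage helper (my own code, not from the thread or the strongSwan project) that parses charon log lines of the kind quoted above and reports, per peer, which IKE version the request used and whether charon found a config for it. The log sample is constructed with documentation addresses in place of `<client_public_ip>`; the exchange-name sets and the regexes are my assumptions about charon's message wording, and the thread-id correlation assumes one message per worker thread at a time.

```python
import re

# Constructed sample, modelled on the charon lines quoted above (documentation IPs stand in for <client_public_ip>).
SAMPLE_LOG = """\
Nov 8 10:46:17 buddyi charon: 03[NET] received packet: from 203.0.113.7[500] to 10.240.0.2[500]
Nov 8 10:46:17 buddyi charon: 05[MGR] checkout IKEv1 SA by message with SPIs a30b15eb151113bc_i 0000000000000000_r
Nov 8 10:46:17 buddyi strongswan: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V V ]
Nov 8 10:46:17 buddyi strongswan: 14[CFG] looking for an ike config for 10.240.0.2...203.0.113.7
Nov 8 10:46:17 buddyi strongswan: 14[IKE] no IKE config found for 10.240.0.2...203.0.113.7, sending NO_PROPOSAL_CHOSEN
Nov 8 10:47:02 buddyi charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 8 10:47:02 buddyi charon: 07[CFG] looking for an ike config for 10.240.0.2...198.51.100.9
Nov 8 10:47:02 buddyi charon: 07[CFG] found matching ike config: %any...%any with prio 28
"""

# Exchange names charon prints for each protocol version (assumed set; ID_PROT is IKEv1 main mode).
IKEV1 = {"ID_PROT", "AGGRESSIVE", "QUICK_MODE", "INFORMATIONAL_V1", "TRANSACTION"}
IKEV2 = {"IKE_SA_INIT", "IKE_AUTH", "CREATE_CHILD_SA", "INFORMATIONAL"}
PARSED = re.compile(r" (\d+)\[ENC\] parsed (\S+) request")
LOOKUP = re.compile(r" (\d+)\[CFG\] looking for an ike config for \S+\.\.\.(\S+)")
NOCFG = re.compile(r" (\d+)\[IKE\] no IKE config found for \S+\.\.\.(\S+),")
FOUND = re.compile(r" (\d+)\[CFG\] found matching ike config")

def triage(log_text):
    """Map peer -> {"version": IKEv1/IKEv2/unknown, "config_found": True/False/None}.
    Lines are correlated via the worker-thread id (NN in NN[ENC]), which handles one message at a time."""
    version, peer_of, report = {}, {}, {}
    for line in log_text.splitlines():
        if m := PARSED.search(line):
            name = m.group(2)
            version[m.group(1)] = "IKEv1" if name in IKEV1 else "IKEv2" if name in IKEV2 else "unknown"
        elif m := LOOKUP.search(line):
            tid, peer = m.groups()
            peer_of[tid] = peer
            report[peer] = {"version": version.get(tid, "unknown"), "config_found": None}
        elif m := NOCFG.search(line):
            report.setdefault(m.group(2), {"version": "unknown"})["config_found"] = False
        elif m := FOUND.search(line):
            if (peer := peer_of.get(m.group(1))) in report:
                report[peer]["config_found"] = True
    return report

def version_mismatches(report, configured):
    """Peers refused with no config while speaking a version absent from `configured`,
    e.g. configured={"IKEv2"} for a server whose conns all set keyexchange=ikev2."""
    return sorted(p for p, r in report.items()
                  if r["config_found"] is False and r["version"] not in configured)
```

On the quoted log the first peer shows up as an ID_PROT (IKEv1) request refused with NO_PROPOSAL_CHOSEN, while the server's `conn %default` above sets `keyexchange=ikev2`; `version_mismatches(report, {"IKEv2"})` is the check that surfaces that kind of gap.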