strongswan interview questions
Top strongswan frequently asked interview questions
I've been trying to configure an IKEv2 VPN using Strongswan. I've been using cert authentication so I can ultimately configure an on-demand VPN on iOS 9 devices.
When I try to connect, the logs on the VPN server side show that keep-alives fail. The client side (iOS or OS X) logs just show a stack trace and crash in the network process.
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn ios
keyexchange=ikev2
ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! # Win7 is aes256, sha-1, modp1024; iOS is aes256, sha-256, modp1024; OS X is 3DES, sha-1, modp1024
esp=aes256-sha256,aes256-sha1,3des-sha1! # Win 7 is aes256-sha1, iOS is aes256-sha256, OS X is 3des-sha1
leftid="@badvpn.cuddeford.com"
left=%defaultroute
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftsendcert=always
leftcert=serverCert.pem
right=%any
rightauth=eap-tls
rightsendcert=never
eap_identity=%any
rightsourceip=10.0.0.0/24
rightid="badvpn"
auto=add
leftauth=pubkey
N.B. I downgraded the IKE protocols, as this is the best that OS X 10.11 will care to propose.
VPN server logs on connect
Mar 21 20:03:07 ip-172-31-40-0 charon: 16[NET] received packet: from 70.197.1.132[8586] to 172.31.40.0[500] (388 bytes)
Mar 21 20:03:07 ip-172-31-40-0 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
Mar 21 20:03:07 ip-172-31-40-0 charon: 16[IKE] 70.197.1.132 is initiating an IKE_SA
Mar 21 20:03:07 ip-172-31-40-0 charon: 16[IKE] local host is behind NAT, sending keep alives
Mar 21 20:03:07 ip-172-31-40-0 charon: 16[IKE] remote host is behind NAT
Mar 21 20:03:07 ip-172-31-40-0 charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar 21 20:03:07 ip-172-31-40-0 charon: 16[NET] sending packet: from 172.31.40.0[500] to 70.197.1.132[8586] (312 bytes)
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[NET] received packet: from 70.197.1.132[8594] to 172.31.40.0[4500] (428 bytes)
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[CFG] looking for peer configs matching 172.31.40.0[badvpn.cuddeford.com]...70.197.1.132[badvpn]
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[CFG] selected peer config 'ios'
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[IKE] peer supports MOBIKE
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[IKE] authentication of 'badvpn.cuddeford.com' (myself) with RSA signature successful
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[IKE] sending end entity cert "C=CH, O=Justinhe, CN=badvpn.cuddeford.com"
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[NET] sending packet: from 172.31.40.0[4500] to 70.197.1.132[8594] (1260 bytes)
Device logs from the iPhone show:
Mar 21 13:04:12 iPhone neagent[761] <Error>: Failed to receive IKE Auth packet
Mar 21 13:04:12 iPhone neagent[761] <Notice>: BUG in libdispatch client: kevent[EVFILT_READ] delete: "Bad file descriptor" - 0x9
Mar 21 13:04:12 iPhone nesessionmanager[697] <Notice>: NESMIKEv2VPNSession[Badvpn.cuddeford.com:FEF33D52-C062-4D68-A9B9-7CA32CCCCD26]: status changed to disconnecting
Mar 21 13:04:12 iPhone symptomsd[116] <Error>: -[FlowAnalyticsEngine _newFlowData:] netanalyticsdebug: (2) no head-end for flow badvpn.cuddeford.com, discarding all its records
I have followed a lot of tutorials on cert generation and have the client cert, root CA and server key all installed on the iOS device. I'm running 9.2.1. Does anyone know what I can do to debug further?
Source: (StackOverflow)
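"Failed to receive IKE Auth packet" on the phone means the client never saw the server's reply, so the first thing to establish from the server log is what was sent last, to which address and port, and how large it was. The following Python parser is an added example, not part of the original question: it rebuilds the exchange timeline from the charon lines above (embedded as a constructed sample) and reports the last outbound message that got no answer.

```python
import re

# Constructed sample: the charon lines quoted in the question above (only the NET/ENC lines matter here).
CHARON_LOG = """\
Mar 21 20:03:07 ip-172-31-40-0 charon: 16[NET] received packet: from 70.197.1.132[8586] to 172.31.40.0[500] (388 bytes)
Mar 21 20:03:07 ip-172-31-40-0 charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
Mar 21 20:03:07 ip-172-31-40-0 charon: 16[IKE] 70.197.1.132 is initiating an IKE_SA
Mar 21 20:03:07 ip-172-31-40-0 charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar 21 20:03:07 ip-172-31-40-0 charon: 16[NET] sending packet: from 172.31.40.0[500] to 70.197.1.132[8586] (312 bytes)
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[NET] received packet: from 70.197.1.132[8594] to 172.31.40.0[4500] (428 bytes)
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[IKE] sending end entity cert "C=CH, O=Justinhe, CN=badvpn.cuddeford.com"
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 21 20:03:07 ip-172-31-40-0 charon: 06[NET] sending packet: from 172.31.40.0[4500] to 70.197.1.132[8594] (1260 bytes)
"""

PKT_RE = re.compile(r"\[NET\] (received|sending) packet: from (\S+) to (\S+) \((\d+) bytes\)")
MSG_RE = re.compile(r"\[ENC\] (parsed|generating) (\w+) (request|response) (\d+) \[(.*)\]")


def parse_exchanges(log_text):
    """Pair every NET packet line with the ENC line naming the IKE message it carried.

    charon logs an inbound packet before parsing it, but generates an outbound
    message before logging the send, so the two directions pair differently.
    """
    timeline, pending = [], None
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            direction, src, dst, size = m.groups()
            entry = {"dir": "in" if direction == "received" else "out", "src": src,
                     "dst": dst, "bytes": int(size), "message": None, "payloads": []}
            if entry["dir"] == "out" and pending is not None:
                entry["message"], entry["payloads"] = pending
                pending = None
            timeline.append(entry)
            continue
        m = MSG_RE.search(line)
        if m:
            stage, exchange, kind, mid, payloads = m.groups()
            message = (f"{exchange} {kind} {mid}", payloads.split())
            if stage == "parsed" and timeline and timeline[-1]["dir"] == "in":
                timeline[-1]["message"], timeline[-1]["payloads"] = message
            else:
                pending = message
    return timeline


def unanswered_outbound(timeline):
    """If the log ends with a packet we sent, describe it: that is the message the peer never answered."""
    if not timeline or timeline[-1]["dir"] != "out":
        return None
    last = timeline[-1]
    return {"message": last["message"], "bytes": last["bytes"], "to": last["dst"],
            "carries_cert": "CERT" in last["payloads"]}


if __name__ == "__main__":
    events = parse_exchanges(CHARON_LOG)
    for e in events:
        print(f"{e['dir']:>3} {e['bytes']:>5} B  {e['message']}")
    print("unanswered:", unanswered_outbound(events))
```

On this log the unanswered message is the 1260-byte IKE_AUTH response carrying the server certificate; a packet capture on the client side then shows whether it arrived at all.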
I'm trying to wrap my head around IPsec tunnels for a project at work, and am having trouble getting a site-to-site tunnel to work with overlapping subnets; hopefully someone can figure out the last mile for me. I apologize in advance for the length of this, but I want to try to provide all the details.
First, I'm trying to replicate this in my home lab on ESXi. The end result will be an IPsec tunnel between a customer network and a VPC in AWS, but I need to model it first in VMware so that engineering can code this into our product.
The following diagram shows how I currently have it working:
AWS side ipsec.conf
conn net-net
authby=secret
auto=start
## phase 1 ##
keyexchange=ikev2
## phase 2 ##
esp=3des-md5
type=tunnel
left=192.168.1.210
leftsourceip=10.1.0.32
leftsubnet=10.1.0.0/24
leftfirewall=yes
leftid=@awslan
right=192.168.1.220
rightsubnet=10.0.0.0/24
rightid=@custlan
mobike=no
AWS ipsec.secrets:
@awslan @custlan : PSK "123"
Customer side ipsec.conf
conn net-net
authby=secret
auto=start
## phase 1 ##
keyexchange=ikev2
## phase 2 ##
esp=3des-md5
type=tunnel
left=%defaultroute
leftsourceip=10.0.0.13
leftsubnet=10.0.0.0/24
leftfirewall=yes
leftid=@custlan
right=192.168.1.210
rightsourceip=10.1.0.32
rightsubnet=10.1.0.0/24
rightid=@awslan
mobike=no
Customer side ipsec.secrets
@custlan %any : PSK "123"
In the failed-over VM (10.1.0.30), I've added a route statement to allow packets to come back across the VPN:
ip route add 10.0.0.0/24 via 10.1.0.32 dev eth0
We need to be able to support multiple failed-over machines, so alternate IPs need to be added on the customer side:
ifconfig eth0:1 10.0.0.14 netmask 255.255.255.0 up
ifconfig eth0:2 10.0.0.15 netmask 255.255.255.0 up
With the above layout, I can successfully ping forwards and backwards across the tunnel.
The implementation we need, however, is to have the same subnet on either side, and then translate over the tunnel. Again, this is the first time I've ever messed with IPsec, so the following is likely wrong.
Not working layout
AWS ipsec.conf
conn net-net
authby=secret
auto=start
## phase 1 ##
keyexchange=ikev2
## phase 2 ##
esp=3des-md5
type=tunnel
left=%defaultroute
leftsourceip=192.168.1.205
leftsubnet=10.20.0.0/24
leftfirewall=yes
leftid=@awslan
right=192.168.1.220
rightsubnet=10.10.0.0/24
rightid=@custlan
mobike=no
Customer LAN ipsec.conf
conn net-net
authby=secret
auto=start
## phase 1 ##
keyexchange=ikev2
## phase 2 ##
esp=3des-md5
type=tunnel
left=%defaultroute
leftsourceip=10.10.0.1
leftsubnet=10.10.0.0/24
leftfirewall=yes
leftid=@custlan
right=192.168.1.205
rightsubnet=10.20.0.0/24
rightid=@awslan
mobike=no
I haven't even been able to get to the iptables NETMAP tasks to allow for same-subnet routing because I can't get the tunnel to come up. The above seems to establish a half-tunnel for a short time, as seen by ipsec status:
It seems to be missing the actual tunnel, as seen in this screenshot:
In a paragraph, here's what I am trying to accomplish:
Take a customer subnet, say 10.0.0.0/24, and bring this up in another network (ultimately AWS). So both sides are now 10.0.0.0/24. Between these, set up an IPsec tunnel that bridges the two, using an IP range outside the customer's network (10.50.x.x -> 10.60.x.x, etc.). Then use iptables PREROUTING/POSTROUTING to translate the source IPs into the tunnel range and then back on the other side, so that when a customer tries to access, say, 10.0.0.30 on one side, they ping 10.0.0.30 on the other side. Multiple IPs will be set up on the internal-facing interface so that any machines we bring up virtually in the cloud will be pingable/reachable from the customer's network... could be 1, could be 10.
Again, the diagrams shown are how I'm trying to reproduce this in ESXi 6 on my home lab network, running on a Supermicro 8-core Atom box with 2 of 4 NICs connected to my home network.
Thanks in advance for any help anyone might have.
Source: (StackOverflow)
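The same-subnet layout works when the tunnel never sees the real 10.0.0.0/24 at all: each gateway gets an alias range, the IPsec traffic selectors are the two alias ranges, and iptables NETMAP rewrites addresses on the way in and out of the tunnel. Hosts reach the far side through its alias (a customer host pings 10.60.0.30 to reach the cloud's 10.0.0.30) and need a route for that alias range pointing at their gateway. The generator below is an added example, not from the question; the gateway IPs, IDs and alias ranges are constructed from the layout described above, ipsec.secrets stays as posted, and strongSwan's default proposals are used in place of the post's 3des-md5.

```python
import ipaddress

# Constructed values for the layout described above: both LANs are 10.0.0.0/24,
# the customer side is mapped to 10.50.0.0/24 and the cloud side to 10.60.0.0/24.
REAL_NET = "10.0.0.0/24"
CUST_ALIAS, CLOUD_ALIAS = "10.50.0.0/24", "10.60.0.0/24"


def netmap_rules(real_net, local_alias, remote_alias):
    """iptables NETMAP rules for one gateway.

    Outbound (POSTROUTING): a local host talking to the far side's alias range
    has its source rewritten into our alias range, so the packet matches the
    IPsec policy whose selectors are the two alias ranges.
    Inbound (PREROUTING): decrypted traffic addressed to our alias range has its
    destination rewritten back to the real subnet. conntrack reverses both
    translations for the reply packets.
    """
    real, loc, rem = (ipaddress.ip_network(n) for n in (real_net, local_alias, remote_alias))
    if not (real.prefixlen == loc.prefixlen == rem.prefixlen):
        raise ValueError("NETMAP is a 1:1 mapping: all three prefixes must have the same length")
    if real.overlaps(loc) or real.overlaps(rem) or loc.overlaps(rem):
        raise ValueError("alias ranges must not overlap the real subnet or each other")
    return [
        f"iptables -t nat -A POSTROUTING -s {real} -d {rem} -j NETMAP --to {loc}",
        f"iptables -t nat -A PREROUTING -d {loc} -j NETMAP --to {real}",
    ]


def conn_block(name, local_ip, local_id, local_alias, remote_ip, remote_id, remote_alias):
    """ipsec.conf conn whose traffic selectors are the alias ranges, never the real subnet."""
    return "\n".join([
        f"conn {name}",
        "    keyexchange=ikev2",
        "    authby=secret",
        "    type=tunnel",
        "    auto=start",
        f"    left={local_ip}",
        f"    leftid=@{local_id}",
        f"    leftsubnet={local_alias}",
        "    leftfirewall=yes",  # updown script opens FORWARD for exactly these selectors
        f"    right={remote_ip}",
        f"    rightid=@{remote_id}",
        f"    rightsubnet={remote_alias}",
    ])


def gateway_plan(side):
    """Return (ipsec.conf conn, iptables rules) for the 'customer' or 'cloud' gateway."""
    if side == "customer":
        conn = conn_block("net-net", "192.168.1.220", "custlan", CUST_ALIAS,
                          "192.168.1.205", "awslan", CLOUD_ALIAS)
        return conn, netmap_rules(REAL_NET, CUST_ALIAS, CLOUD_ALIAS)
    conn = conn_block("net-net", "192.168.1.205", "awslan", CLOUD_ALIAS,
                      "192.168.1.220", "custlan", CUST_ALIAS)
    return conn, netmap_rules(REAL_NET, CLOUD_ALIAS, CUST_ALIAS)


if __name__ == "__main__":
    for side in ("customer", "cloud"):
        conn, rules = gateway_plan(side)
        print(f"# {side} gateway\n{conn}\n" + "\n".join(rules) + "\n")
```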
I have an IPsec VPN server that I set up with Ubuntu 14.04/Strongswan.
And now I have a CentOS 6 laptop which has openswan installed. So the question is: is it possible to use openswan as a VPN client and get connected to the Strongswan server? How should the openswan client be configured to support IKEv2 to get connected with the Strongswan server?
Source: (StackOverflow)
I'm trying to create an alternative to DDNS to remotely access a mini PC.
I've set up a server hosted as an Azure VM with Ubuntu Server 14.04 and installed StrongSwan.
I also set up the client to connect to my server. The client is using a 3G card (Telkomsel). The client can connect to the server.
I cannot ping the client IP from the server.
Server info:
config
config setup
uniqueids=never
#charondebug="cfg 2, dmn 2, ike 2, net 2"
charonstart=yes
plutostart=no
conn %default
keyexchange=ikev2
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftsubnet=aes.iot.co.id/32
leftid=aes.iot.co.id
leftcert=vpnHostCert.der
right=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=172.16.16.0/24
conn IPSec-IKEv2
keyexchange=ikev2
auto=add
conn IPSec-IKEv2-EAP
also="IPSec-IKEv2"
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
conn CiscoIPSec
keyexchange=ikev1
rightauth=pubkey
rightauth2=xauth
auto=add
ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.19.0-47-generic, x86_64):
uptime: 40 hours, since Jun 22 15:58:23 2016
malloc: sbrk 2568192, mmap 0, used 428576, free 2139616
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Virtual IP pools (size/online/offline):
172.16.16.0/24: 254/1/0
Listening IP addresses:
10.1.0.4
Connections:
IPSec-IKEv2: %any...%any IKEv2, dpddelay=300s
IPSec-IKEv2: local: [aes.iot.co.id] uses public key authentication
IPSec-IKEv2: cert: "C=TW, O=Adlink Technology Inc., CN=aes.iot.co.id"
IPSec-IKEv2: remote: uses public key authentication
IPSec-IKEv2: child: === dynamic TUNNEL, dpdaction=clear
IPSec-IKEv2-EAP: %any...%any IKEv2, dpddelay=300s
IPSec-IKEv2-EAP: local: [aes.iot.co.id] uses public key authentication
IPSec-IKEv2-EAP: cert: "C=TW, O=Adlink Technology Inc., CN=aes.iot.co.id"
IPSec-IKEv2-EAP: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
IPSec-IKEv2-EAP: child: === dynamic TUNNEL, dpdaction=clear
CiscoIPSec: %any...%any IKEv1, dpddelay=300s
CiscoIPSec: local: [aes.iot.co.id] uses public key authentication
CiscoIPSec: cert: "C=TW, O=Adlink Technology Inc., CN=aes.iot.co.id"
CiscoIPSec: remote: uses public key authentication
CiscoIPSec: remote: uses XAuth authentication: any
CiscoIPSec: child: === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
IPSec-IKEv2[3]: ESTABLISHED 3 minutes ago, 10.1.0.4[aes.iot.co.id]...114.121.135.168[vpnclient@adlinktech.com]
IPSec-IKEv2[3]: IKEv2 SPIs: e1d6acc34e286fae_i edbda3a9ca9c740e_r*, rekeying disabled
IPSec-IKEv2[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Client info:
config
config setup
#charondebug="ike 2, knl 2, cfg 2, mgr 2, chd 2, net 2"
charonstart=yes
plutostart=no
conn %default
keyexchange=ikev2
ike=aes256-sha256-modp1024!
esp=aes256-sha256!
rekey=no
conn vpnserver
left=%any
leftsourceip=%config
leftid=vpnclient@adlinktech.com
leftcert=vpnClientCert.der
leftfirewall=yes
right=aes.iot.co.id
rightid=aes.iot.co.id
rightsubnet=aes.iot.co.id/32
auto=start
ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.6.3):
uptime: 19 minutes, since Jun 24 01:55:38 2016
malloc: sbrk 262432, mmap 0, used 113360, free 149072
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: curl aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
192.168.2.120
172.31.255.1
192.168.0.1
10.138.115.245
Connections:
vpnserver: %any...aes.iot.co.id
vpnserver: local: [vpnclient@adlinktech.com] uses public key authentication
vpnserver: cert: "C=TW, O=Adlink Technology Inc., CN=vpnclient@adlinktech.com"
vpnserver: remote: [aes.iot.co.id] uses any authentication
vpnserver: child: dynamic === TUNNEL
Security Associations (1 up, 0 connecting):
vpnserver[1]: ESTABLISHED 19 minutes ago, 10.138.115.245[vpnclient@adlinktech.com]...13.67.51.3[aes.iot.co.id]
vpnserver[1]: IKE SPIs: e1d6acc34e286fae_i* edbda3a9ca9c740e_r, rekeying disabled
vpnserver[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Is there anything wrong or missed?
Source: (StackOverflow)
I have to set up a VPN tunnel based on IPsec and a pre-shared key on a headless Ubuntu.
I don't have any knowledge of setting up such a connection. My requirements are:
IKE Phase 1 – IPsec parameters
- Main mode
- AES 256
- SHA
- Diffie-Hellman Group 2 (1024 bits)
- pre-shared secret >> "a pre shared key"
- Default: SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
IKE Phase 2 – IPsec parameters
- AES 256
- SHA
- ESP tunnel mode
- Diffie-Hellman Group 2 (1024 bits)
- (PFS on) Perfect forward secrecy for rekeying
- Default: SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
The IP address of the VPN gateway is provided, as well as a proxy IP.
Please advise how to proceed. Please let me know if any other info is needed. I have absolutely no idea how to do the setup.
I have googled and found a few instructions on setting up openswan/strongswan etc., but I could not get it working.
Source: (StackOverflow)
I want to use strongSwan to connect to many remote sites, which may have the same private subnets. So how can I configure this? The topology is shown like this:
Source: (StackOverflow)
How do I configure a Raspberry Pi as a VPN client?
I tried to use OpenVPN/openswan/strongswan but failed every time.
Can you recommend a SIMPLE method to do that?
My server is a FortiGate FW.
Thanks!
Tom.zabari
Source: (StackOverflow)
I have a strongswan VPN server and a FreeIPA LDAP server.
I want to authorize VPN access using LDAP users; how can I do it?
Source: (StackOverflow)
I'm trying to establish a connection between two AWS EC2 instances in different regions (us-east and sa-east). The connection establishes successfully, and the tunnel goes up, but I can't access hosts other than the instances that are making the tunnel.
We have another IPSec VPN with our office established on moon, on a Fortigate firewall, with similar configs, and it works perfectly.
Below are the ipsec configs (IPs redacted for security):
Moon - ipsec.conf
conn aws-sp
dpdaction=restart
type=tunnel
authby=psk
auto=start
# Moon
leftid=@moon.domain.com
left=%defaultroute
leftsubnet=10.113.128.0/20
leftfirewall=yes
# Sun
right=<sun's public ip>
rightid=@sun.domain.com
rightsubnet=10.113.0.0/21
# Phase 01
ike=aes256-sha256-modp1024
ikelifetime=86400s
# Phase 02
esp=aes128-sha1-modp1024
keylife=3600s
Moon - ipsec statusall
Listening IP addresses:
10.113.128.8
Connections:
aws-sp: %any...<sun's public ip> IKEv1/2, dpddelay=30s
aws-sp: local: [moon.domain.com] uses pre-shared key authentication
aws-sp: remote: [sun.domain.com] uses pre-shared key authentication
aws-sp: child: 10.113.128.0/20 === 10.113.0.0/21 TUNNEL, dpdaction=restart
Security Associations (3 up, 0 connecting):
aws-sp[17]: ESTABLISHED 16 hours ago, 10.113.128.8[moon.domain.com]...<sun's public ip>[sun.domain.com]
aws-sp[17]: IKEv2 SPIs: 374692beb28c03b0_i e8caa617c44b7af4_r*, pre-shared key reauthentication in 7 hours
aws-sp[17]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
aws-sp{12}: INSTALLED, TUNNEL, ESP in UDP SPIs: cfaa91a1_i cc130943_o
aws-sp{12}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 119 seconds
aws-sp{12}: 10.113.128.0/20 === 10.113.0.0/21
Moon - iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- ip-192-168-1-0.ec2.internal/24 ip-10-113-128-0.ec2.internal/20 policy match dir in pol ipsec reqid 13 proto esp
ACCEPT all -- ip-10-113-128-0.ec2.internal/20 ip-192-168-1-0.ec2.internal/24 policy match dir out pol ipsec reqid 13 proto esp
ACCEPT all -- ip-10-113-0-0.ec2.internal/21 ip-10-113-128-0.ec2.internal/20 policy match dir in pol ipsec reqid 12 proto esp
ACCEPT all -- ip-10-113-128-0.ec2.internal/20 ip-10-113-0-0.ec2.internal/21 policy match dir out pol ipsec reqid 12 proto esp
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Sun - ipsec.conf
conn aws
dpdaction=restart
type=tunnel
authby=psk
auto=start
# Sun
leftid=@sun.domain.com
left=%defaultroute
leftsubnet=10.113.0.0/21
leftfirewall=yes
# Moon
right=<moon's public ip>
rightid=@moon.domain.com
rightsubnet=10.113.128.0/20
# Phase 01
ike=aes256-sha256-modp1024
ikelifetime=86400s
# Phase 02
esp=aes128-sha1-modp1024
keylife=3600s
Sun - ipsec statusall
Listening IP addresses:
10.113.0.5
Connections:
aws: %any...<moon's public ip> IKEv1/2, dpddelay=30s
aws: local: [sun.domain.com] uses pre-shared key authentication
aws: remote: [moon.domain.com] uses pre-shared key authentication
aws: child: 10.113.0.0/21 === 10.113.128.0/20 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
aws[2]: ESTABLISHED 16 hours ago, 10.113.0.5[sun.domain.com]...<moon's public ip>[moon.domain.com]
aws[2]: IKEv2 SPIs: 374692beb28c03b0_i* e8caa617c44b7af4_r, pre-shared key reauthentication in 6 hours
aws[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
aws{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: c62d4aa9_i c336b724_o
aws{2}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 44 minutes
aws{2}: 10.113.0.0/21 === 10.113.128.0/20
Sun - iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- ip-192-168-70-0.sa-east-1.compute.internal/23 ip-10-113-0-0.sa-east-1.compute.internal/21 policy match dir in pol ipsec reqid 3 proto esp
ACCEPT all -- ip-10-113-0-0.sa-east-1.compute.internal/21 ip-192-168-70-0.sa-east-1.compute.internal/23 policy match dir out pol ipsec reqid 3 proto esp
ACCEPT all -- ip-10-113-128-0.sa-east-1.compute.internal/20 ip-10-113-0-0.sa-east-1.compute.internal/21 policy match dir in pol ipsec reqid 2 proto esp
ACCEPT all -- ip-10-113-0-0.sa-east-1.compute.internal/21 ip-10-113-128-0.sa-east-1.compute.internal/20 policy match dir out pol ipsec reqid 2 proto esp
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Source: (StackOverflow)
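Two of the ipsec statusall dumps on this page tell different stories: the Azure server's (under "Server info" above) shows an IKE_SA that is ESTABLISHED with no CHILD_SA line at all, while Moon's shows a CHILD_SA that is INSTALLED with 0 bytes in both directions. The following is an added Python example, not from either question: it parses the "Security Associations" section of ipsec statusall (both sections are embedded verbatim as the sample) and reports those two conditions, plus legacy algorithms such as MODP_1024 in the negotiated proposals.

```python
import re

# Constructed sample: the "Security Associations" sections of the two ipsec statusall
# outputs quoted above (the Azure server and the Moon gateway), verbatim.
STATUSALL_SAMPLE = """\
Security Associations (1 up, 0 connecting):
IPSec-IKEv2[3]: ESTABLISHED 3 minutes ago, 10.1.0.4[aes.iot.co.id]...114.121.135.168[vpnclient@adlinktech.com]
IPSec-IKEv2[3]: IKEv2 SPIs: e1d6acc34e286fae_i edbda3a9ca9c740e_r*, rekeying disabled
IPSec-IKEv2[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Security Associations (3 up, 0 connecting):
aws-sp[17]: ESTABLISHED 16 hours ago, 10.113.128.8[moon.domain.com]...<sun's public ip>[sun.domain.com]
aws-sp[17]: IKEv2 SPIs: 374692beb28c03b0_i e8caa617c44b7af4_r*, pre-shared key reauthentication in 7 hours
aws-sp[17]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
aws-sp{12}: INSTALLED, TUNNEL, ESP in UDP SPIs: cfaa91a1_i cc130943_o
aws-sp{12}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 119 seconds
aws-sp{12}: 10.113.128.0/20 === 10.113.0.0/21
"""

IKE_RE = re.compile(r"^(\S+)\[(\d+)\]: ESTABLISHED")
PROP_RE = re.compile(r"^(\S+)\[(\d+)\]: IKE proposal: (\S+)")
CHILD_RE = re.compile(r"^(\S+)\{(\d+)\}: (.*)$")
BYTES_RE = re.compile(r"^(\S+), (\d+) bytes_i(?: \([^)]*\))?, (\d+) bytes_o")
SEL_RE = re.compile(r"^(\S+) === (\S+)$")
WEAK = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "MODP_768", "MODP_1024"}


def parse_statusall(text):
    """Group each CHILD_SA under the most recent IKE_SA of the same connection name."""
    sas, latest = {}, {}
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            key = f"{m[1]}[{m[2]}]"
            sas[key] = {"proposal": None, "children": []}
            latest[m[1]] = key
        elif (m := PROP_RE.match(line)) and f"{m[1]}[{m[2]}]" in sas:
            sas[f"{m[1]}[{m[2]}]"]["proposal"] = m[3]
        elif (m := CHILD_RE.match(line)) and m[1] in latest:
            children = sas[latest[m[1]]]["children"]
            child = next((c for c in children if c["id"] == m[2]), None)
            if child is None:
                child = {"id": m[2], "installed": False, "proposal": None,
                         "bytes_i": None, "bytes_o": None, "selectors": None}
                children.append(child)
            rest = m[3]
            if rest.startswith("INSTALLED"):
                child["installed"] = True
            elif b := BYTES_RE.match(rest):
                child["proposal"], child["bytes_i"], child["bytes_o"] = b[1], int(b[2]), int(b[3])
            elif s := SEL_RE.match(rest):
                child["selectors"] = (s[1], s[2])
    return sas


def diagnose(sas):
    """Findings to check before touching routing or firewall rules."""
    findings = []
    for key, sa in sas.items():
        if not sa["children"]:
            findings.append(f"{key}: IKE_SA is up but no CHILD_SA is installed, so no traffic can flow")
        for c in sa["children"]:
            if c["installed"] and c["bytes_i"] == 0 and c["bytes_o"] == 0:
                findings.append(f"{key}{{{c['id']}}}: CHILD_SA installed but nothing has matched "
                                f"its selectors {c['selectors']} in either direction")
            for alg in (c["proposal"] or "").split("/"):
                if alg in WEAK:
                    findings.append(f"{key}{{{c['id']}}}: weak ESP algorithm {alg}")
        for alg in (sa["proposal"] or "").split("/"):
            if alg in WEAK:
                findings.append(f"{key}: weak IKE algorithm {alg}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_statusall(STATUSALL_SAMPLE)):
        print(finding)
```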
Host-to-host tunnel between Ubuntu Strongswan and Windows 7
I have a simple configuration for host-to-host tunnel creation between IPsec on Ubuntu (strongSwan 4.5.2) and Windows 7.
Below is my configuration in Ubuntu:
1) ipsec.conf
conn windows
type=transport
authby=secret
left=15.213.139.215
right=15.213.122.91
keyexchange=ikev1
ike=3des-sha1,3des-sha1-modp1024!
esp=3des-sha1,3des-sha1-modp1024!
compress=no
auto=start
2) ipsec.secrets
15.213.139.215 15.213.122.91 : PSK "my_ubuntu_windows_key"
3) No changes in strongswan.conf
Below is the configuration in Windows 7:
Preshared Key => my_ubuntu_windows_key
IPSec setting Main mode:
Integrity: SHA1
Encryption: 3DES
DH Group: 2
key lifetime: 28800 secs
IPSec setting Quick mode:
protocol: ESP
Integrity: SHA1
Encryption: 3DES
Key lifetime: 3600 secs
Problem: Main Mode passes (output is below), but quick mode negotiation is failing. The error logged on Windows says "Policy match error". Below is the terminal output from the command "ipsec statusall":
000 "windows": 15.213.139.215[15.213.139.215]...15.213.122.91[15.213.122.91]; unrouted; eroute owner: #0
000 "windows": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "windows": policy: PSK+ENCRYPT+PFS+UP; prio: 32,32; interface: eth0;
000 "windows": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "windows": IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
000
000 #2: "windows" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 16s
000 #1: "windows" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 9793s; newest ISAKMP
Can anyone please help? Have I done something wrong in the configuration? Why is the quick mode negotiation failing?
Below are the key timeouts on both peers:
Ubuntu: ike_life: 10800s; ipsec_life: 3600s;
Windows: ike_life: 28800s; ipsec_life: 3600s;
Source: (StackOverflow)
Hi, I am having issues where the VPN connection will force all traffic over the VPN connection.
I am using StrongSwan 5.1.2 with IKEv1.
This is my ipsec.conf for Strongswan.
config setup
uniqueids = no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=3
right=%any
left=VPN_SERVER_IP
leftid=@VPN_Server_NAME
leftsubnet=0.0.0.0/0
rightsourceip=192.168.200.0/24
mobike=yes
reauth=no
conn iMacs-AndroidNative
keyexchange=ikev1
leftauth=psk
authby=xauthpsk
xauth=server
rightauth=psk
rightauth2=xauth
auto=add
The Apache server is also installed on the same server as the VPN server. When accessing the websites while connected to the VPN, the Apache logs show the actual IP of the user, and not the VPN IP.
This is creating a few issues with the website.
The iptables rules added to the firewall:
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 192.168.200.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.200.0/24 ! -d 192.168.200.0/24 -o eth1 -j MASQUERADE
iptables -I FORWARD -o tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -L -n
I am not sure what I have set wrong, so that Apache does not pick up the VPN IP.
If it helps, I have disabled WebRTC for the Chrome browser I am using to access the website, so only the VPN IP is shown. Still no luck.
Let me know if you would need more information.
Source: (StackOverflow)
I tried to add uniqueids=never into ipsec.conf on my Strongswan server (5.3.2), but when I restart, it gives the error:
unsupported keyword 'uniqueids' in conn 'ios'
Do I need to apply an additional patch in order to have this option? Many thanks.
J.
Source: (StackOverflow)
My version is running on CentOS 6.
I use username/password/PSK to authenticate (without requiring a certificate):
config setup
plutostart=yes
nat_traversal=yes
uniqueids=never
conn ios
keyexchange=ikev1
authby=xauthpsk
xauth=server
left=%defaultroute
leftsubnet=0.0.0.0/0
leftfirewall=yes
right=%any
rightsubnet=10.8.0.0/24
rightsourceip=10.8.0.1/24
pfs=no
dpdaction=clear
auto=add
rightdns=8.8.8.8,8.8.4.4
I also added the following rules to make sure it will route:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
/sbin/iptables -A INPUT -p esp -j ACCEPT
/sbin/iptables -A INPUT -p 50 -j ACCEPT
/sbin/iptables -A INPUT -p 51 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 4500 -j ACCEPT
Whenever I start StrongSwan, it gives:
no netkey IPsec stack detected
sh: modprobe: command not found
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
Is it related?
Now I can connect, but I cannot browse any websites. The strange thing is that I used the same configuration and it is working perfectly on Linode but not on Jelastic.
Can you please advise which part I should look at? Thanks.
Source: (StackOverflow)