6 votes

IPSec/L2TP VPN connection fails

Could you delete the temporary secrets files that didn't get deleted : sudo rm -f /etc/ipsec.d/nm-l2tp-ipsec-*.secrets The NO_PROPOSAL_CHOSEN error indicates there is still something wrong with the ...
Douglas Kosovic
5 votes
Accepted

strongswan: What is the difference between left and leftid?

One defines the local IP address(es), left, which does not have to be specified unless it should be restricted. The other, leftid, the local identity used during authentication, which will default to ...
ecdsa
5 votes
Accepted

What's the "new" way of checking the established connections in strongswan

That's swanctl --list-sas, aka swanctl -l (with the lowercase L) for short: star6: #1, ESTABLISHED, IKEv2, c87e1f22cf7e22a6_i* d3f4680ff0337849_r local 'ember.nullroute.lt' @ 2001:778:e27f:0:9618:...
grawity
4 votes
Accepted

IPSec tunnel works until rekeying, then gets NO_PROPOSAL_CHOSEN

Furthermore, I did ask for different algorithms inside of my swanctl configuration file. You have only done so for IKE, not for ESP/IPsec. I am having trouble understanding why the proposals do not ...
ecdsa
4 votes

NAT outbound IPSEC packets using pf on FreeBSD 11 and StrongSwan x FortiGATE

After several days struggling I've been able to handle this doing the following steps and will post the solution here to help others. Get the unique ID of the desired SA you want to nat source to, ...
Tiago Sampaio
2 votes

IPsec VPN with strongSwan to FortiGate

I've blogged about that when I needed it last. The main trick is that Fortinet requires aggressive mode, so the configuration parameters need to match closely already in the beginning. For reference, ...
Simon Richter
2 votes
Accepted

using IPsec behind NAT in freebsd 7.3

You have already figured out that you need to patch your kernel sources as you have a very old version. Newer versions already have the option. And I think that -current (what will become 12) have ...
Claus Andersen
2 votes
Accepted

Install Linux Kernel modules

Linux xxx 2.6.32-042stab127.2 #1 SMP Thu Jan 4 16:41:44 MSK 2018 x86_64 GNU/Linux That is definitely not a standard Debian 9 kernel. For a vanilla Debian 9, you would expect a 4.9.x series kernel. ...
telcoM
2 votes
Accepted

Random SSH Agent Generates on Boot in tmp Directory Even with Networking Disabled

All of those things look completely normal. The SSH agent is started on login as part of your graphical desktop. Yes it doesn't care whether you have an Ethernet cable or not (nor should it). Yes it ...
grawity
2 votes

rekey ipsec using "ip xfrm"

Figured it out: ip xfrm state add ${DDIR} proto esp spi ${SPI2} reqid ${SPI} \ mode transport auth sha256 ${SHAKEY2} enc aes ${AESKEY2} On both nodes to allow receipt with the new SPI and ...
Bill
2 votes
Accepted

StrongSwan - ipsec pki command

In its default configuration pki's --gen command generates RSA keys using the random and gmp plugins. Since the random plugin reads from /dev/random this might take a while as that device blocks (i.e. ...
ecdsa
1 vote

Connect IPSEC VPN to network interface

It seems that the issue is related to the fact that the tun0 interface does not have a default route, and therefore, it does not know how to forward packets to the VPN server. To fix this, you can add ...
ZarTek Creole
1 vote
Accepted

Fix "unmanaged" network interface if it worked before

For some reason networking was disabled. So nmcli networking on fixed this issue. Maybe it's my oversight, but I think I've seen this flag unchecked before, so I assumed it was OK if it was off (I ...
woojiq
1 vote

ipsec pki error (plugin-openssl-failed-to-load-openssl-plugin-create-not found and no plugin file available)

The openssl plugin is shipped in the libstrongswan-standard-plugin package on Debian-based systems. Since the libstrongswan package only recommends that package it might not be installed ...
ecdsa
1 vote

Undoing full cone NAT using IPtables for IPsec

Seemingly I was following a red herring. In Android, the system I was using at that moment due to the lack of access to a desktop machine, the issue presented as a connection that attempts to connect, ...
Marcos Vives Del Sol
1 vote

IPsec PSK VPN with strongSwan to FortiGate with one-time-password(Fortitoken)

It is possible to connect to a FortiGate VPN using StrongSwan and a FortiToken one-time password (OTP). I haven't tried with a hardware token, but I expect it to work the same. The main trick is to ...
snwflk
1 vote

Redirect DNS traffic via tunnel interface, all other traffic to use kernel routing table

Thanks to @A.B The commands I used were the following (Note I made the table's id the same as DNS protocol number [53]): ip route add table 53 0.0.0.0/0 dev vti01 ip rule add iif lo ipproto udp dport ...
Dave
1 vote

Why does ipsec want me to disable redirects?

For send_redirects you can find an answer in the Libreswan FAQ: Let's say you have a VPN server in a cloud that you use with your phone. Your phone will setup an IPsec VPN and all its traffic is ...
Mathias Weidner
1 vote

FreeBSD 11.2: how to add the aesni plugin to strongswan?

Try compiling from /usr/ports/security/strongswan port with copying strongswan to strongswan_my_aesni_edition and editing the code to compile your very own one with additional option. --enable-aesni ...
Ajay
1 vote

How to fix csv string format

If there are no nested parentheses, as you didn't say that, then with sed: sed ':repeat s/\(([^,)]*\),\([^)]*)\)/\1;\2/;t repeat' infile
αғsнιη
1 vote
Accepted

How to fix csv string format

Based on the example you show, a quick hack would be not to replace , within (...) but to replace pkts, with pkts; giving : echo "sr_mesh_aws_21{24}: AES_CBC_256/HMAC_SHA1_96, 59189 bytes_i (...
Httqm
1 vote

StrongSwan IPSEC Policy

In this classic hub and spoke scenario, you need to negotiate IPsec policies (via left|rightsubnet) that include A's and C's subnet on the local side of these connections. So for B->A you'd have to ...
ecdsa
1 vote

Unable to connect to company VPN using L2TP over ipsec on Fedora 32

libreswan >= 3.30 isn't built with DH (modp1024) support by default anymore. I'm not sure why you aren't getting an algorithm 'modp1024' is not supported error with libreswan. See: https://github....
Douglas Kosovic
1 vote

How do I route traffic back over a VPN to other servers

OK, so I do not know how much you understand how routing works, so I'll try to explain and we'll see how much sense you can make out of my explanation. The explanation is not exactly correct because ...
Tomáš Pospíšek
1 vote
Accepted

strongswan get RANDOM dns

It was a not-patched bug in the strongswan rpm package: https://bugzilla.redhat.com/show_bug.cgi?id=1574939 Fixed in strongswan-5.6.2-6.fc28, issue solved with system upgrade: dnf clean all dnf ...
Tsumi
1 vote

Connecting to 'unix"//var/run/charon.ctl' failed: connection refused

By default only root is allowed to access that socket (and others created by strongSwan). There are options to change that. For instance, with charon.group in strongswan.conf users that are members of ...
ecdsa
1 vote
Accepted

enabling ipsec, ah and esp on CentOS with firewalld in place

The masquerade rule tells the system to enable nat on outgoing connections, which is typical of networks using private internal addressing. It's a routing rule not technically related to ipsec ...
mikebabcock
1 vote
Accepted

how overlapping subnet in 2 SA in strongswan determine which tunnel to go?

That's decided by the outbound IPsec policies and their priorities. You can see those with the ip xfrm policy command. When installing such policies, strongSwan uses higher priorities (lower numeric ...
ecdsa
1 vote

ipsec on linux, a simple and fast question

You can use the SAME ipsec.conf on both servers. Quoting from https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection (my emphasis), Connection descriptions are defined in terms of a left ...
Chris Davies