IPsec site-to-site using strongSwan on Ubuntu

Hello,

I am trying to set up a site-to-site IPsec connection from an Ubuntu server using strongSwan. I tried both "Respond Only" mode and "Initiate Connection" mode, but it doesn't work. My strongSwan config is as follows:

# Add connections here.
conn sophosZT
        ikelifetime=60m
        keylife=8h
        rekeymargin=3m
        keyingtries=5
        mobike=no
        # This server
        left=88.121.253.82
        leftid=@vyas.freeboxos.fr
        # The network behind this server
        leftsourceip=192.168.0.40
        leftsubnet=192.168.0.0/24
        # The remote Sophos
        right=77.157.207.143
        rightid=77.157.207.143
        # The network behind the remote Sophos
        rightsubnet=172.16.2.0/24
        # Connection parameters
        keyexchange=ikev2
        authby=psk
        ike=aes256-sha1-modp2048!
        esp=aes256-sha1-modp2048!
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start

and the logs that I have on Sophos in "Initiate Connection" mode are as follows:

2018-11-03 19:28:03 - swanctl --initiate --timeout 15 --child Addytestsetup-1
initiate failed: establishing CHILD_SA 'Addytestsetup-1' failed
[IKE] initiating IKE_SA Addytestsetup-1[100] to 88.121.253.82
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.1.254[500] to 88.121.253.82[500] (958 bytes)
[NET] received packet: from 88.121.253.82[500] to 192.168.1.254[500] (36 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN notify error
[DMN]
[IKE] IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER
[IKE] IKE_SA has_condition COND_START_OVER retry initiate in 60 sec
kill -9 8982 > /dev/null 2>&1
2018-11-03 19:28:03 - Operation fails status: 1

On the Ubuntu server, once I run ipsec statusall it gives:

root@ubuntu:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-1017-raspi2, armv7l):
  uptime: 8 minutes, since Nov 03 19:19:26 2018
  malloc: sbrk 1216512, mmap 0, used 289624, free 926888
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  192.168.0.40
Connections:
    sophosZT:  88.121.253.82...77.157.207.143  IKEv2, dpddelay=30s
    sophosZT:   local:  [vyas.freeboxos.fr] uses pre-shared key authentication
    sophosZT:   remote: [77.157.207.143] uses pre-shared key authentication
    sophosZT:   child:  192.168.0.0/24 === 172.16.2.0/24 TUNNEL, dpdaction=restart
Security Associations (0 up, 1 connecting):
    sophosZT[1]: CONNECTING, 88.121.253.82[%any]...77.157.207.143[%any]
    sophosZT[1]: IKEv2 SPIs: 5820e3fb237323c3_i* 0000000000000000_r
    sophosZT[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME

Please help.
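The NO_PROPOSAL_CHOSEN reply in the Sophos log means the responder found no IKE (or ESP) proposal in common with the initiator, so the first thing to diff is the two peers' proposal lists. The helper below is an added example, not code from this thread or from strongSwan: it parses ipsec.conf-style proposal strings such as the post's aes256-sha1-modp2048! and reports which proposals both sides would accept; the Sophos-side strings you pass in are whatever that appliance is actually configured with, and the transform-name prefixes are an assumed subset of strongSwan's keyword list.

```python
from dataclasses import dataclass

# Transform-name prefixes used in strongSwan proposal strings (assumed subset).
# Integrity prefixes are tested before encryption ones so that "aesxcbc"
# is not misread as an AES cipher.
ENC_PREFIXES = ("aes", "3des", "camellia", "chacha20", "null")
INT_PREFIXES = ("sha", "md5", "aesxcbc", "aescmac")
DH_PREFIXES = ("modp", "ecp", "curve25519", "x25519")


@dataclass(frozen=True)
class Proposal:
    encryption: str
    integrity: str  # "" for AEAD ciphers such as aes256gcm16
    dh_group: str   # "" when no DH group is listed (for ESP: no PFS)


def _classify(token: str) -> str:
    if token.startswith(DH_PREFIXES):
        return "dh"
    if token.startswith(INT_PREFIXES):
        return "int"
    if token.startswith(ENC_PREFIXES):
        return "enc"
    raise ValueError(f"unknown transform token: {token!r}")


def parse_proposals(spec: str) -> tuple[set[Proposal], bool]:
    """Parse an ike=/esp= value like 'aes256-sha1-modp2048!' into a set of
    proposals plus the strict flag ('!' = offer/accept only these; without it
    strongSwan also adds its built-in defaults, which this checker ignores)."""
    strict = spec.endswith("!")
    proposals = set()
    for item in spec.rstrip("!").split(","):
        fields = {"enc": "", "int": "", "dh": ""}
        for token in item.strip().split("-"):
            fields[_classify(token)] = token
        if not fields["enc"]:
            raise ValueError(f"proposal without a cipher: {item!r}")
        proposals.add(Proposal(fields["enc"], fields["int"], fields["dh"]))
    return proposals, strict


def common_proposals(local_spec: str, peer_spec: str) -> set[Proposal]:
    """Proposals both peers accept; an empty set is what produces
    NO_PROPOSAL_CHOSEN on the wire."""
    local, _ = parse_proposals(local_spec)
    peer, _ = parse_proposals(peer_spec)
    return local & peer
```

Run common_proposals() once with both sides' ike= values and once with both esp= values; a PFS mismatch (one side lists modp2048 on ESP, the other lists no DH group) shows up as an empty ESP result even when the IKE proposals agree.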