I need to do a site-to-site VPN, however I have had no luck using the strongSwan VPN client. I researched online and read the manuals to no avail; any assistance would be appreciated. I turned off UFW just to confirm it is not the firewall.
- left IP: lll.lll.lll.lll
- right IP: rrr.rrr.rrr.rrr
- pre-shared key (PSK): pskpskpskpskpskpsk
`/etc/ipsec.secrets`:

```
lll.lll.lll.lll : PSK "pskpskpskpskpskpsk"
rrr.rrr.rrr.rrr : PSK "pskpskpskpskpskpsk"
```
`/etc/ipsec.conf`:

```
conn ikev2-vpn
    right=lll.lll.lll.lll
    rightid=rrr.rrr.rrr.rrr
    rightsubnet=0.0.0.0/0
    rightauth=secret
    leftid=lll.lll.lll.lll
    leftsubnet=0.0.0.0/0
    auto=start
```
Output of `tail -f /var/log/syslog`:

```
Jun 19 16:53:59 server-2 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-73-generic, x86_64)
Jun 19 16:53:59 server-2 charon: 00[LIB] providers loaded by OpenSSL: legacy default
Jun 19 16:53:59 server-2 charon: 00[NET] using forecast interface eth0
Jun 19 16:53:59 server-2 charon: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Jun 19 16:53:59 server-2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun 19 16:53:59 server-2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun 19 16:53:59 server-2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun 19 16:53:59 server-2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun 19 16:53:59 server-2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jun 19 16:53:59 server-2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 19 16:53:59 server-2 charon: 00[CFG] loaded IKE secret for lll.lll.lll.lll
Jun 19 16:53:59 server-2 charon: 00[CFG] loaded IKE secret for rrr.rrr.rrr.rrr
Jun 19 16:53:59 server-2 charon: 00[CFG] loaded 0 RADIUS server configurations
Jun 19 16:53:59 server-2 charon: 00[CFG] HA config misses local/remote address
Jun 19 16:53:59 server-2 charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Jun 19 16:53:59 server-2 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 19 16:53:59 server-2 charon: 00[JOB] spawning 16 worker threads
Jun 19 16:53:59 server-2 charon: 05[CFG] received stroke: add connection 'ikev2-vpn'
Jun 19 16:53:59 server-2 charon: 05[CFG] added configuration 'ikev2-vpn'
Jun 19 16:53:59 server-2 charon: 07[CFG] received stroke: initiate 'ikev2-vpn'
Jun 19 16:53:59 server-2 charon: 07[IKE] initiating IKE_SA ikev2-vpn[1] to lll.lll.lll.lll
Jun 19 16:53:59 server-2 charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 19 16:53:59 server-2 charon: 07[NET] sending packet: from rrr.rrr.rrr.rrr[500] to lll.lll.lll.lll[500] (904 bytes)
Jun 19 16:54:03 server-2 charon: 16[IKE] retransmit 1 of request with message ID 0
Jun 19 16:54:03 server-2 charon: 16[NET] sending packet: from rrr.rrr.rrr.rrr[500] to lll.lll.lll.lll[500] (904 bytes)
Jun 19 16:54:10 server-2 charon: 07[IKE] retransmit 2 of request with message ID 0
```
Below is information about the server:

```
crypto ikev2 policy 4
 encryption aes-256
 integrity sha256
 group 2
 lifetime seconds 86400
tunnel-group rrr.rrr.rrr.rrr type ipsec-l2l
tunnel-group rrr.rrr.rrr.rrr general-attributes
tunnel-group rrr.rrr.rrr.rrr ipsec-attributes
 ikev2 remote-authentication pre-shared-key pskpskpskpskpskpsk
 ikev2 local-authentication pre-shared-key pskpskpskpskpskpsk
access-list 166 extended permit ip host lll.lll.lll.lll host rrr.rrr.rrr.rrr
crypto ipsec ikev2 ipsec-proposal AES-256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map gtvpn-rules 166 set peer rrr.rrr.rrr.rrr
crypto map gtvpn-rules 166 match address 166
crypto map gtvpn-rules 166 set pfs group14
crypto map gtvpn-rules 166 set ikev2 ipsec-proposal AES-256
crypto map gtvpn-rules 166 set security-association lifetime seconds 3600
```
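For comparison, this is how the Linux-side `ipsec.conf` can be written so that the left/right roles, the authentication method and the IKE/ESP proposals line up with the peer configuration shown above. It is an added example, not the poster's configuration: it assumes the strongSwan host is rrr.rrr.rrr.rrr (the address charon sends from in the log) and the peer is lll.lll.lll.lll, the traffic selectors are host-to-host to match `access-list 166`, and the connection name `asa-s2s` is made up. In strongSwan, `left` is always the local side, so the addresses and IDs are the reverse of what the posted `conn` has, and `leftauth` must be set explicitly because it defaults to public-key authentication.

```ini
# /etc/ipsec.conf (added example, not the original post's file)
config setup
    # keep the daemon quiet about HA; charondebug is optional
    uniqueids=yes

conn asa-s2s
    keyexchange=ikev2
    # IKE proposal = "crypto ikev2 policy 4": aes-256, sha256, group 2 (modp1024)
    ike=aes256-sha256-modp1024!
    # Child SA = ipsec-proposal AES-256 with "set pfs group14" (modp2048)
    esp=aes256-sha256-modp2048!
    # lifetimes matching 86400 s (IKE) and 3600 s (IPsec SA) on the peer
    ikelifetime=24h
    lifetime=1h

    # left = this host (assumed rrr.rrr.rrr.rrr, the source address in the log)
    left=rrr.rrr.rrr.rrr
    leftid=rrr.rrr.rrr.rrr
    leftauth=psk
    leftsubnet=rrr.rrr.rrr.rrr/32

    # right = the remote peer (assumed lll.lll.lll.lll)
    right=lll.lll.lll.lll
    rightid=lll.lll.lll.lll
    rightauth=psk
    rightsubnet=lll.lll.lll.lll/32

    auto=start
```

The posted `/etc/ipsec.secrets` works unchanged with this, since a PSK line is selected when either peer identity matches. After editing, run `ipsec restart` (or `ipsec reload` followed by `ipsec up asa-s2s`) and inspect `ipsec statusall`. One caveat from the log itself: IKE_SA_INIT is being retransmitted with no answer at all, and a proposal or identity mismatch would normally come back as an error notify from the peer rather than silence, so it is also worth confirming with `tcpdump -ni eth0 udp port 500 or udp port 4500` that the request leaves the host and a reply arrives. `modp1024` is used above only because the peer policy is `group 2`; group 14 on both sides is the stronger choice if the peer policy can be changed.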