
Strongswan ikev2 client 22.04

lb

I need to do a site-to-site VPN, but I have had no luck using the strongSwan VPN client. I researched online and read the manuals to no avail; any assistance would be appreciated. I turned off UFW just to confirm it is not the firewall.

  • left ip: lll.lll.lll.lll
  • right ip: rrr.rrr.rrr.rrr
  • pre shared key(psk): pskpskpskpskpskpsk

/etc/ipsec.secrets

lll.lll.lll.lll : PSK "pskpskpskpskpskpsk"
rrr.rrr.rrr.rrr : PSK "pskpskpskpskpskpsk"

/etc/ipsec.conf

conn ikev2-vpn
    right=lll.lll.lll.lll
    rightid=rrr.rrr.rrr.rrr
    rightsubnet=0.0.0.0/0
    rightauth=secret
    leftid=lll.lll.lll.lll
    leftsubnet=0.0.0.0/0
    auto=start

tail -f /var/log/syslog

Jun 19 16:53:59 server-2 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-73-generic, x86_64)
Jun 19 16:53:59 server-2 charon: 00[LIB] providers loaded by OpenSSL: legacy default
Jun 19 16:53:59 server-2 charon: 00[NET] using forecast interface eth0
Jun 19 16:53:59 server-2 charon: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Jun 19 16:53:59 server-2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun 19 16:53:59 server-2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun 19 16:53:59 server-2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun 19 16:53:59 server-2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun 19 16:53:59 server-2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jun 19 16:53:59 server-2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 19 16:53:59 server-2 charon: 00[CFG]   loaded IKE secret for lll.lll.lll.lll
Jun 19 16:53:59 server-2 charon: 00[CFG]   loaded IKE secret for rrr.rrr.rrr.rrr
Jun 19 16:53:59 server-2 charon: 00[CFG] loaded 0 RADIUS server configurations
Jun 19 16:53:59 server-2 charon: 00[CFG] HA config misses local/remote address
Jun 19 16:53:59 server-2 charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Jun 19 16:53:59 server-2 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 19 16:53:59 server-2 charon: 00[JOB] spawning 16 worker threads
Jun 19 16:53:59 server-2 charon: 05[CFG] received stroke: add connection 'ikev2-vpn'
Jun 19 16:53:59 server-2 charon: 05[CFG] added configuration 'ikev2-vpn'
Jun 19 16:53:59 server-2 charon: 07[CFG] received stroke: initiate 'ikev2-vpn'
Jun 19 16:53:59 server-2 charon: 07[IKE] initiating IKE_SA ikev2-vpn[1] to lll.lll.lll.lll
Jun 19 16:53:59 server-2 charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 19 16:53:59 server-2 charon: 07[NET] sending packet: from rrr.rrr.rrr.rrr[500] to lll.lll.lll.lll[500] (904 bytes)
Jun 19 16:54:03 server-2 charon: 16[IKE] retransmit 1 of request with message ID 0
Jun 19 16:54:03 server-2 charon: 16[NET] sending packet: from rrr.rrr.rrr.rrr[500] to lll.lll.lll.lll[500] (904 bytes)
Jun 19 16:54:10 server-2 charon: 07[IKE] retransmit 2 of request with message ID 0

Below is information about the server:

crypto ikev2 policy 4
 encryption aes-256
 integrity sha256
 group 2
 lifetime seconds 86400

tunnel-group rrr.rrr.rrr.rrr type ipsec-l2l
tunnel-group rrr.rrr.rrr.rrr general-attributes
tunnel-group rrr.rrr.rrr.rrr ipsec-attributes
    ikev2 remote-authentication pre-shared-key pskpskpskpskpskpsk
    ikev2 local-authentication pre-shared-key pskpskpskpskpskpsk

access-list 166 extended permit ip host lll.lll.lll.lll host rrr.rrr.rrr.rrr
 
crypto ipsec ikev2 ipsec-proposal AES-256
  protocol esp encryption aes-256
  protocol esp integrity sha-256

crypto map gtvpn-rules 166 set peer rrr.rrr.rrr.rrr
crypto map gtvpn-rules 166 match address 166
crypto map gtvpn-rules 166 set pfs group14
crypto map gtvpn-rules 166 set ikev2 ipsec-proposal AES-256
crypto map gtvpn-rules 166 set security-association lifetime seconds 3600
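A small checker, added here and not part of the question or of strongSwan, that runs the two diagnostics a reviewer would apply to the post above: whether the peer ever answered the IKE_SA_INIT request (the log shows only retransmits, so the ASA is not replying on UDP 500 at all) and whether leftid/rightid agree with the addresses charon is actually sending from and to. The log and conn excerpts are constructed copies of the question's data.

```python
import re

# Constructed sample modelled on the charon log and ipsec.conf in the question;
# only the lines the checks need are reproduced here.
LOG = """\
Jun 19 16:53:59 server-2 charon: 07[IKE] initiating IKE_SA ikev2-vpn[1] to lll.lll.lll.lll
Jun 19 16:53:59 server-2 charon: 07[NET] sending packet: from rrr.rrr.rrr.rrr[500] to lll.lll.lll.lll[500] (904 bytes)
Jun 19 16:54:03 server-2 charon: 16[IKE] retransmit 1 of request with message ID 0
Jun 19 16:54:03 server-2 charon: 16[NET] sending packet: from rrr.rrr.rrr.rrr[500] to lll.lll.lll.lll[500] (904 bytes)
Jun 19 16:54:10 server-2 charon: 07[IKE] retransmit 2 of request with message ID 0
"""
CONF = """\
conn ikev2-vpn
    right=lll.lll.lll.lll
    rightid=rrr.rrr.rrr.rrr
    leftid=lll.lll.lll.lll
"""

SEND_RE = re.compile(r"\[NET\] sending packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
RECV_RE = re.compile(r"\[NET\] received packet: from (\S+)\[\d+\]")
RETRANS_RE = re.compile(r"\[IKE\] retransmit (\d+) of request")

def analyse_log(text):
    """Count IKE packets sent/received and retransmits; a silent peer never answers."""
    info = {"local": None, "remote": None, "sent": 0, "received": 0, "retransmits": 0}
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            info["local"], info["remote"] = m.group(1), m.group(2)
            info["sent"] += 1
        elif RECV_RE.search(line):
            info["received"] += 1
        elif RETRANS_RE.search(line):
            info["retransmits"] += 1
    info["peer_silent"] = info["sent"] > 0 and info["received"] == 0
    return info

def parse_conn(text):
    """Read the key=value lines of a single conn section into a dict."""
    return dict(kv.strip().split("=", 1) for kv in text.splitlines() if "=" in kv)

def check_ids(conn, local, remote):
    """leftid must name the local address, right/rightid the remote peer (unset keys are not flagged)."""
    findings = []
    if conn.get("leftid", local) != local:
        findings.append(f"leftid={conn['leftid']} but packets leave from {local}")
    for key in ("right", "rightid"):
        if conn.get(key, remote) != remote:
            findings.append(f"{key}={conn[key]} but the peer being contacted is {remote}")
    return findings

if __name__ == "__main__":
    info = analyse_log(LOG)
    print(info)
    for finding in check_ids(parse_conn(CONF), info["local"], info["remote"]):
        print("config:", finding)
```

On the question's data this reports a silent peer after two retransmits and flags both leftid and rightid as swapped relative to the addresses in the NET lines.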