Netgate Discussion Forum

    IPSec Tunnel no IKE config found for …

    2.2 Snapshot Feedback and Problems - RETIRED
    22 Posts 4 Posters 36.9k Views
      karl23

      I must not be communicating something.

      I have an IKEv1 site-to-site tunnel which needs to connect to 4 different subnets on the other end. My config is below.

      Whenever I try to bring this config up, I am only able to contact the first subnet in the rightsubnet list.

      The problem is stated in the strongSwan documentation here (https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection); scroll down to the rightsubnet description:

      "IKEv2 supports multiple subnets separated by commas, IKEv1 only interprets the first subnet of such a definition,
      unless the Cisco Unity extension plugin is enabled (available since 5.0.1)."

      Hence my request for the Cisco Unity plugin to be installed.

      I have my config below. Please take a look and let me know if I am missing something, or if it is possible to add the Cisco Unity plugin.

      conn con1
              aggressive = no
              fragmentation = yes
              keyexchange = ikev1
              reauth = yes
              rekey = yes
              reqid = 1
              installpolicy = yes
              type = tunnel
              dpdaction = restart
              dpddelay = 10s
              dpdtimeout = 60s
              auto = route
              left = x.x.x.x
              right = y.y.y.y
              leftid = x.x.x.x
              ikelifetime = 86400s
              lifetime = 28800s
              rightsubnet = 10.43.12.0/24,10.43.22.0/24,10.43.32.0/24,10.43.42.0/24
              leftsubnet = 192.168.1.0/24
              ike = 3des-sha1-modp1024!
              esp = 3des-sha1,3des-sha1!
              leftauth = psk
              rightauth = psk
              rightid = y.y.y.y

        karl23

        Any update on getting a build with the unity plugin? Are you just using the package release instead of building from source? I've tried building this on a separate FreeBSD box and copying all the binaries over, but could not get the pfSense box to recognize the new binaries. Let me know how to proceed.

        Thanks,

        -Karl

          valnar

          I have the exact same problem.

            eri--

            Unity plugin has been enabled; please test with the latest snapshot.

              charliem

              @ermal:

              Unity plugin has been enabled; please test with the latest snapshot.

              Unity still does not show up as a plugin:

              [2.2-BETA][root@pfsense.localdomain]/var/etc/ipsec: uname -a
              FreeBSD pfsense.localdomain 10.1-RC3 FreeBSD 10.1-RC3 #40 927f39f(releng/10.1)-dirty: Sun Oct 26 06:27:12 CDT 2014     root@pf22-amd64-snap:/usr/obj.amd64/usr/pfSensesrc/src/sys/pfSense_SMP.10  amd64
              [2.2-BETA][root@pfsense.localdomain]/var/etc/ipsec: ipsec statusall | grep -i unity
              [2.2-BETA][root@pfsense.localdomain]/var/etc/ipsec:

              It does show as a module in the strongSwan unit tests here (http://www.strongswan.org/uml/testresults/ikev1/rw-cert-unity/moon.daemon.log):

              Oct 19 09:10:39 moon charon: 00[LIB] loaded plugins: charon test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default attr unity

              There are some unity-related patches in 5.2.1 (just released), and also some changes that may address IKEv1 re-keying issues I've seen (but haven't posted here yet, sorry; your ipsec plate seems full at the moment).

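An added check (my own code, not from this thread, pfSense or strongSwan) for the two things discussed above: it parses the conn sections of an ipsec.conf and flags IKEv1 conns whose comma-separated subnet list would be reduced to the first entry without unity, and it inspects a charon "loaded plugins:" line (as printed by `ipsec statusall` or in the daemon log) for the unity plugin. The sample config and log line are constructed from this thread; `split_per_subnet` shows the usual workaround of one conn per subnet, which is my suggestion and is not discussed in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the conn from the first post, reduced to the relevant keys.
SAMPLE_CONF = """\
conn con1
        keyexchange = ikev1
        left = x.x.x.x
        right = y.y.y.y
        rightsubnet = 10.43.12.0/24,10.43.22.0/24,10.43.32.0/24,10.43.42.0/24
        leftsubnet = 192.168.1.0/24
"""

# Constructed charon log line modelled on the strongSwan test output quoted above.
SAMPLE_LOG = ("Oct 19 09:10:39 moon charon: 00[LIB] loaded plugins: charon aes des "
              "sha1 stroke kernel-netlink socket-default attr unity")


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the 'conn NAME' sections of an ipsec.conf into {name: {key: value}}."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace() and line.startswith("conn "):
            current = line.split(None, 1)[1].strip()  # new section header
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            conns[current][key] = value
    return conns


def unity_loaded(log: str) -> bool:
    """True if a charon 'loaded plugins:' line lists the unity plugin."""
    m = re.search(r"loaded plugins: (.*)$", log, re.M)
    return bool(m) and "unity" in m.group(1).split()


def find_ikev1_multi_subnet(conns: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (conn, key, subnets) for explicit IKEv1 conns with more than one subnet."""
    hits = []
    for name, opts in conns.items():
        if opts.get("keyexchange", "").lower() != "ikev1":
            continue
        for key in ("leftsubnet", "rightsubnet"):
            subnets = [s.strip() for s in opts.get(key, "").split(",") if s.strip()]
            if len(subnets) > 1:                      # only subnets[0] is used without unity
                hits.append((name, key, subnets))
    return hits


def split_per_subnet(name: str, opts: Dict[str, str], key: str) -> Dict[str, Dict[str, str]]:
    """Suggested workaround (mine, not from the thread): one conn per subnet."""
    subnets = [s.strip() for s in opts[key].split(",")]
    return {f"{name}-{i}": {**opts, key: s} for i, s in enumerate(subnets)}
```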
                eri--

                Unity plugin is now included; the plugin was missing.

                strongSwan is on version 5.2.1.

                  charliem

                  @ermal:

                  Unity plugin is now included; the plugin was missing.

                  strongSwan is on version 5.2.1.

                  Good news is yes, unity plugin is now included, and we're on 5.2.1.

                  Bad news is that it was built without support for IKEv1 (similar to this: https://forum.pfsense.org/index.php?topic=78431.0). Can you fix that before the next snapshot?

                  Oct 30 09:11:05 pfsense charon: 07[ENC] generating INFORMATIONAL response 0 [ N(INVAL_MAJOR) ]
                  Oct 30 09:11:05 pfsense charon: 07[NET] sending packet: from 24.74.47xx.xx[500] to 173.15.yy.yy[500] (36 bytes)
                  Oct 30 09:11:05 pfsense charon: 07[NET] received unsupported IKE version 1.0 from 173.15.yy.yy, sending INVALID_MAJOR_VERSION
                  [2.2-BETA][root@pfsense.localdomain]/var/log: uname -a
                  FreeBSD pfsense.localdomain 10.1-RC3 FreeBSD 10.1-RC3 #47 72c1d40(releng/10.1)-dirty: Wed Oct 29 23:32:18 CDT 2014    root@pf22-amd64-snap:/usr/obj.amd64/usr/pfSensesrc/src/sys/pfSense_SMP.10  amd64

                    eri--

                    It's rebuilding, sorry about the occurrence.

                      karl23

                      Has the rebuild shown up in the latest snapshot yet?

                        charliem

                        Yes, since at least 31-Oct, but I have not been in a position to test it.
