Netgate Discussion Forum

    Is there any working site-to-site ipesec config?

    19 Posts 3 Posters 6.3k Views
    • Derelict (LAYER 8 Netgate)

      Aug 24 10:04:49    charon      08[NET] <con1|5>sending packet: from 172.31.xxx.xxx[4500] to 213.200.xxx.xxx[4500] (256 bytes)
      Aug 24 10:04:49    charon      08[NET] <con1|5>received packet: from 213.200.xxx.xxx[4500] to 172.31.xxx.xxx[4500] (80 bytes)

      You can't send packets directly between an RFC1918 address and a public address. Either something else is in the middle you're not telling me about or you have the configuration screwed up. Slow down, be careful, do it right, and it'll work.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • bchristopeit

        Okay I will delete it and start again.

        • Derelict (LAYER 8 Netgate)

          If one side is behind another NAT device, you probably need to set "My identifier" on that side to be the actual public IP address - the one you see from there when you go to http://ifconfig.io/ for example.

          My identifier: IP address: Actual public IP address

          Like I said, every situation is different. There is no "universal walk through" to setting up a VPN.


          • bchristopeit
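As an added illustration (not part of the thread, and not pfSense or strongSwan code), a small Go program that applies Derelict's RFC1918 check to charon "sending packet" lines of the shape quoted above and reports the NAT-in-path condition that the "My identifier" change fixes. The log lines and addresses are constructed samples; DetectNAT and NATHint are names chosen here.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// Constructed charon lines in the shape quoted above; the addresses are
// RFC1918 and TEST-NET samples, not the poster's masked ones.
var sampleLog = []string{
	"Aug 24 10:04:49 charon 08[NET] <con1|5> sending packet: from 172.31.10.5[4500] to 203.0.113.7[4500] (256 bytes)",
	"Aug 24 10:04:49 charon 08[NET] <con1|5> received packet: from 203.0.113.7[4500] to 172.31.10.5[4500] (80 bytes)",
}

var pktRe = regexp.MustCompile(`(sending|received) packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]`)

// NATHint says why the local endpoint is probably behind another NAT device.
type NATHint struct {
	LocalAddr, PeerAddr string
	NATT                bool // both ends on UDP/4500: NAT traversal already negotiated
}

// DetectNAT scans "sending packet" lines. If the address strongSwan sends from
// is RFC1918 while the peer is public, a NAT device sits in the path, so the
// default IKE identifier (the interface IP) will not be what the peer sees.
func DetectNAT(lines []string) *NATHint {
	for _, l := range lines {
		m := pktRe.FindStringSubmatch(l)
		if m == nil || m[1] != "sending" {
			continue
		}
		local, peer := net.ParseIP(m[2]), net.ParseIP(m[4])
		if local == nil || peer == nil {
			continue
		}
		if local.IsPrivate() && !peer.IsPrivate() {
			return &NATHint{LocalAddr: m[2], PeerAddr: m[4], NATT: m[3] == "4500" && m[5] == "4500"}
		}
	}
	return nil
}

func main() {
	if h := DetectNAT(sampleLog); h != nil {
		fmt.Printf("%s is RFC1918 but peer %s is public: NAT in path (NAT-T: %v)\n", h.LocalAddr, h.PeerAddr, h.NATT)
		fmt.Println("Set 'My identifier' to the public IP the peer sees (e.g. from ifconfig.io).")
	}
}
```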

            WOHOOOOOO YOU ARE MY HERO!!!!! After I changed my identifier to the public IP, the VPN is working. Now I have to set up mobile devices with Greenbow. Could I use the same?

            • Derelict (LAYER 8 Netgate)

              I hope you take my advice and use IKEv2, AES-GCM, etc.

              No idea about the remote access. Completely different thread required.


              • bchristopeit

                Thank you so much. I did it like your example :). Will create a new thread for IPsec mobile.

                • timboau

                  THANKS!
                  I was about to post this question (I might add it here for some additional keywords relating to this).
                  ----------------
                  I've been reading about the 'issues' that might present in strongSwan for the authentication of identifiers that could be causing me problems (possibly adding pre-shared keys?). I've been trying all sorts but just can't seem to hit a working configuration.
                  I have approx. 25 remote PPPoE sites connecting to each other and to a static IP address, great. I recently added a new site using Australian NBN (the customer IP is assigned via DHCP).
                  I can't get the new DHCP site to connect to the static IP server; it connects fine to other PPPoE servers.

                  I'm running an APU box and virtual pfSense routers.

                  Do you consider this VPN config the best all rounder settings?
                  What was key to this config allowing the DHCP to Static IP connections to work successfully?

                  • Derelict (LAYER 8 Netgate)

                    Connecting to a static IP address doesn't generally require anything special. Are you connecting from behind another NAT device?


                    • timboau

                      Both IPs are fully public IPs; one being allocated by DHCP rather than PPPoE was the only difference I could discern - the other was always static.

                      Anyway - working a treat now :)

                      Do you consider using those specs as a basis for all tunnels to be the most efficient, CPU-wise, vs. no massive need for crazy security vs. stability etc.?

                      I was previously using IKEv2, DH2, P1 AES256/SHA1, P2 AES128 with hash SHA1.

                      • Derelict (LAYER 8 Netgate)

                        AES-GCM in a child SA provides authenticated encryption and therefore does not require a separate authentication/hash step (like SHA1/SHA256), so it will perform better, especially with AES-NI enabled.

                        I personally believe that AES-128 is perfectly acceptable in almost all circumstances but you will not likely notice a difference between AES-128 and AES-256 so why not…

                        So, yes, I like the settings I used in this example. That's why I used them. :)

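An added example (not from the thread, pfSense or strongSwan) showing the property Derelict describes: the tag AES-GCM appends catches a single flipped ciphertext bit, while an unauthenticated mode such as AES-CTR decrypts the tampered data silently, which is the gap a separate SHA1/SHA256 step has to close in the older proposals. The key, nonce and payload are constructed constants, not values from any real tunnel.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed key and nonce so the run is deterministic; in ESP both come from
// the IKE exchange and a GCM nonce is never reused under one key.
var (
	key   = []byte("0123456789abcdef") // AES-128
	nonce = []byte("unique-nonce")     // 12 bytes, GCM's standard size
)

// GCMRejectsTampering encrypts with AES-128-GCM, flips one ciphertext bit and
// reports whether Open refused it. The tag Seal appends is the integrity check,
// which is why no separate hash step is configured alongside GCM.
func GCMRejectsTampering(plain []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	ct := aead.Seal(nil, nonce, plain, nil)
	ct[0] ^= 0x01 // one flipped bit in transit
	_, err = aead.Open(nil, nonce, ct, nil)
	return err != nil, nil
}

// CTRAcceptsTampering does the same with AES-CTR, which carries no tag: the
// flipped bit lands silently in the plaintext and nothing flags it.
func CTRAcceptsTampering(plain []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	iv := make([]byte, aes.BlockSize) // fixed IV purely for the demo
	ct := make([]byte, len(plain))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plain)
	ct[0] ^= 0x01
	out := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(out, ct)
	return out[0] == plain[0]^0x01 && bytes.Equal(out[1:], plain[1:]), nil
}
func main() {
	g, _ := GCMRejectsTampering([]byte("ESP payload"))
	c, _ := CTRAcceptsTampering([]byte("ESP payload"))
	fmt.Println("GCM caught the forgery:", g, "| CTR let it through:", c)
}
```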