windows – Strongswan does not have ip

Here is the situation:
– Configuration of a server (CentOS 7) with strongSwan (5.7.2) to accept IPsec/IKEv2 connections from Windows clients (roadwarrior mode)
– at this point, certificate authentication only

The connection between the client and the responder is established, but no communication is possible.
The Windows client gets an IP address, but no gateway: in the Windows IP settings there is no gateway.


# ipsec.conf - strongSwan IPsec configuration file
# (addresses were stripped from the post; the empty values below are those gaps)

conn IKEv2
    esp=aes256-sha384-modp1024
    ike=aes256-sha384-modp1024
    left=
    leftsourceip=
    leftcert=gwCert.pem
    leftauth=pubkey
    leftsubnet=/0
    right=%any
    rightsourceip=/24
    rightauth=eap-tls
    rightsendcert=never
    eap_identity=%any
    keyexchange=ikev2
    auto=add

ip route show table 220 on the gateway is empty.

What is the problem in my configuration?

StrongSwan – double password Windows

I needed to use a single virtual IP pool per peer config (identity). Clients would connect using the default Windows VPN client, and each connected client should get a virtual IP address from a different pool. Multiple clients can use the same credentials to obtain a virtual IP address from the pool configured in that peer configuration, but clients using different credentials will get IPs from different virtual pools.

For Windows, identity-based matching of peer configs (connections) does not work, so I followed the approach indicated in the link below (see the answer):

Strongswan client access rights

Although the solution works well, the challenge is that using rightgroups in the configuration causes an additional password prompt on Windows (using the default VPN client). I think this happens because of the switch away from the dummy connection that occurs due to rightid=%none (eap-init).

Is there a way to solve the problem of double password prompt?

vpn – Strongswan with Cisco AnyConnect "NO_PROPOSAL_CHOSEN" problem

I want to connect to an IPsec VPN server on Linux. I've retrieved the configuration of a Cisco AnyConnect client that uses the IKEv2 protocol with EAP-MSCHAPv2 authentication.
I created an ipsec.conf file accordingly, but on login I get the error "received NO_PROPOSAL_CHOSEN notify error".

I'm trying to figure out what other protocol or configuration the server is waiting for.
Is the Cisco AnyConnect client the only one that can connect to this server? Thank you for your help.

Here are the configuration files:


conn VPN
    leftauth=eap-mschapv2
    leftsourceip=%config
    leftauth=eap
    rightauth=pubkey
    right=
    rightsubnet=/0
    keyexchange=ikev2
    eap_identity="user"
    auto=add

# ipsec.secrets
user : EAP "P@ssw0rd"

Here is the Cisco AnyConnect client content (which is currently working):

[Cisco AnyConnect Profile.xml]
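An added example, not part of any post above and not strongSwan code: a small linter for the ipsec.conf format used in these posts. It parses sections and indented key=value settings the way the file is laid out, then flags slips of the kind visible above: a key given twice in one conn (the AnyConnect conn sets leftauth twice, and only one value can take effect), a value that is not valid for auto, and whitespace inside a %-token. The sample file is constructed for this example.

```python
"""Lint ipsec.conf 'conn' sections for duplicate keys and malformed values.

Added example; not strongSwan's parser. The sample below is constructed.
"""
import re

VALID_AUTO = {"ignore", "add", "route", "start"}

# Constructed sample: a conn similar to the AnyConnect one above, plus two
# deliberate slips (a spaced %-token and an invalid auto= value).
SAMPLE = """\
# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="ike 1"

conn VPN
    leftauth=eap-mschapv2
    leftsourceip=%config
    leftauth=eap
    rightauth=pubkey
    right =% any
    rightsubnet=0.0.0.0/0
    keyexchange=ikev2
    auto=up
"""


def parse_ipsec_conf(text):
    """Return {section: [(key, value), ...]} keeping order and duplicates.

    Unindented lines open a section ('conn NAME', 'config setup', ...),
    indented lines are settings; comments and blank lines are skipped.
    Spaces around '=' are tolerated, as strongSwan's own parser tolerates them.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            current = line.strip()
            sections[current] = []
            continue
        if current is None or "=" not in line:
            raise ValueError("setting outside a section or without '=': %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].append((key, value))
    return sections


def lint_conn(settings):
    """Return a list of findings for one conn's [(key, value), ...] list."""
    findings = []
    seen = {}
    for key, value in settings:
        if key in seen:
            findings.append("duplicate %s: %r overrides earlier %r"
                            % (key, value, seen[key]))
        seen[key] = value
        if key == "auto" and value not in VALID_AUTO:
            findings.append("auto=%s is not one of %s" % (value, sorted(VALID_AUTO)))
        # '% any' or '%  config' is a typo for a single %-token
        if re.search(r"%\s+\w", value):
            findings.append("%s=%r: whitespace inside a %%-token" % (key, value))
    return findings


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE)
    for section, settings in conf.items():
        if section.startswith("conn "):
            for finding in lint_conn(settings):
                print("%s: %s" % (section, finding))
```

Running it prints three findings for the constructed conn: the duplicate leftauth, the invalid auto value, and the spaced right=% any. The parser is deliberately strict about sections so that a setting typed without indentation shows up as an error rather than silently becoming a section name.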


network – Strongswan has connected but cannot do anything

I've received this data from a company to establish a s2s connection:

Gateway VPN of the company: 195.x.37.168
IKE: Ikev1 AES256-SHA1 group 2 1440min
IPSEC: group 2 AES128-SHA1 3600 sec (60 min)
VPN gateway on the left: 185.x.192.227
Left network: 172.x.74.200 / 29
Company Network:,,,,
Test host (ping):

So I created this /etc/ipsec.conf

conn comp
    left=185.x.192.227
    leftsubnet=172.x.74.200/29
    leftfirewall=yes
    right=195.x.37.168
    # the five company subnets were stripped from the post
    rightsubnet=/24,/24,/24,/24,/24
    rightfirewall=yes
    rightsourceip=%config
    authby=secret
    keyexchange=ikev1
    keylife=60m
    auto=route
    esp=aes128-sha1
    ike=aes256-sha1-modp1024
    ikelifetime=1440m
    lefthostaccess=yes
    type=tunnel

The connection seems to be OK:

sudo ipsec up comp
generating QUICK_MODE request 2398914035 [ HASH SA No ID ID ]
sending packet: from 217.x.73.231[500] to 195.x.37.168[500] (204 bytes)
received packet: from 195.x.37.168[500] to 217.x.73.231[500] (172 bytes)
parsed QUICK_MODE response 2398914035 [ HASH SA No ID ID ]
CHILD_SA comp{123} established with SPIs c776f6f6_i a38bf565_o and TS 172.x.74.200/29 === 10.x.7.0/24
connection 'comp' established successfully

sudo ipsec status

Routed Connections:
         lpp{122}:  ROUTED, TUNNEL, reqid 4
         lpp{122}:   172.x.74.200/29 ===

But I cannot reach anything on the company network.

linux – How to configure the StrongSwan VPN server as a router

I have a strongSwan VPN server running Ubuntu 16.04.5 LTS. Its public IP is 51.x.x.x. The site-to-site configuration between my strongSwan VPN server and the other VPN server, a Cisco ASA firewall with a public IP, is working properly.

Once the tunnel is up, I can ping and telnet to the private server behind the Cisco ASA firewall. That server is not reachable from the open Internet, only through the VPN tunnel. Note that its IP address is a public IP address.

I've configured this strongSwan VPN server to act as a bridge between my private network and the Cisco ASA firewall (my strongSwan VPN server's private IP is ). That is, I want to be able to ping or telnet from , via the strongSwan VPN server acting as a router.

My VPN server has two NICs: ens18, which carries the public IP address, and ens19, which has the private IP address.

I've defined two zones on my VPN server: public and internal. I've assigned the public interface to the public zone and the private interface to the internal zone.

I managed to run this command for packet forwarding, but I do not see its effect:

sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o ens18 -j MASQUERADE -s -d

When I try to ping, it fails: 100% packet loss.

Here are my configurations on the Strongswan VPN server:

sore@ubuntu-vpnserver:~$ sudo firewall-cmd --list-all --zone=public
[sudo] password for sore:
public (default, active)
  interfaces: ens18
  sources:
  services: dhcpv6-client ssh ipsec
  ports: 4500/udp 500/udp
  protocols:
  masquerade: yes
  forward-ports: port=4500:proto=udp:toport=443:toaddr=
        port=500:proto=udp:toport=443:toaddr=
        port=4500:proto=udp:toport=443:toaddr=
        port=500:proto=udp:toport=443:toaddr=
  icmp-blocks:
  rich rules:
        rule protocol value="ah" accept
        rule protocol value="esp" accept

Here is my /etc/network/interfaces file:

auto ens18
iface ens18 inet static
    address
    netmask
    broadcast
    post-up route add 54.36.12x.x dev ens18
    post-up route add default gw 54.36.12x.x
    pre-down route del 54.36.12x.x dev ens18
    pre-down route del default gw 56.36.12x.x
    dns-nameservers 213.186.xx

auto ens19
iface ens19 inet static
    address
    netmask
    gateway


This is my first post here, and I'd like to thank you for your help right off the bat. I'm developing a custom DMVPN solution for Unix. For this I use OpenNHRP and strongSwan. To test it I use a Cisco router and a Unix box. Currently I cannot establish the IPsec connection between the two machines: no proposal chosen. The very simple strongSwan configuration is:

connections {
    conn12233 {
        local_addrs =
        remote_addrs =
        proposals = default
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            conn12233 {
                #esp_proposals = default
                esp_proposals = aes256-sha256-3des, default
                rekey_time = 10m
                mode = transport
            }
        }
        version = 2
        mobike = no
    }
}

secrets {
    ike-conn12233 {
        secret = secret
    }
}

And my Cisco configuration:


! addresses and pre-shared keys were stripped from the post
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256 aes-cbc-128 aes-cbc-192
 integrity sha256 sha512
 group 14 2
crypto ikev2 policy IKEPOLICYLOCAL
 match fvrf any
 match address local
 proposal ikev2-proposal
crypto ikev2 keyring keyring
 peer everything
  pre-shared-key
  pre-shared-key
crypto ikev2 profile IKEPROFILE
 match identity remote address
 authentication remote pre-share
 authentication local pre-share
 keyring local keyring
crypto isakmp policy 1
 encr 3des
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key secret address
crypto ipsec transform-set transform-gre esp-3des esp-sha256-hmac
 mode transport
crypto ipsec transform-set transform-gre-transport esp-3des esp-sha256-hmac
 mode transport
crypto ipsec transform-set TS esp-3des esp-sha256-hmac
 mode transport
crypto ipsec profile IPSECPROFILE
 set transform-set TS
 set ikev2-profile IKEPROFILE
crypto ipsec profile dmvpn-protect3
 set transform-set transform-gre-transport
interface Tunnel0
 ip address
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip ospf network broadcast
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSECPROFILE
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
interface GigabitEthernet0/0
 ip address dhcp
 shutdown
 duplex auto
 speed auto
interface GigabitEthernet0/1
 ip address
 duplex auto
 speed auto

The result of swanctl --initiate --child conn12233 is:

[IKE] initiating IKE_SA 192_168_200_2-to-192_168_200_1_MAIN[423]
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from [500] to [500] (794 bytes)
[NET] received packet: from [500] to [500] (38 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
[IKE] initiating IKE_SA 192_168_200_2-to-192_168_200_1_MAIN[423]
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from [500] to [500] (986 bytes)
[NET] received packet: from [500] to [500] (464 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]
[IKE] received Cisco Delete Reason vendor ID
[ENC] received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '' (myself) with pre-shared key
[IKE] establishing CHILD_SA 192_168_200_2-to-192_168_200_1{6196}
[NET] sending packet: from [4500] to [4500] (288 bytes)
[NET] received packet: from [4500] to [4500] (160 bytes)
[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
[IKE] authentication of '' with pre-shared key successful
[IKE] IKE_SA 192_168_200_2-to-192_168_200_1_MAIN[423] established between []...[]
[IKE] scheduling reauthentication in 13195s
[IKE] maximum IKE_SA lifetime 14635s
[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
[IKE] failed to establish CHILD_SA, keeping IKE_SA
initiate failed: establishing CHILD_SA '192_168_200_2-to-192_168_200_1' failed

What puzzles me is the Cisco debug output:

What is the problem here? I searched for the answer, but everything I found was very confusing.
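An added example that serves the three proposal-mismatch posts above (the AnyConnect NO_PROPOSAL_CHOSEN question, the s2s post with ike=/esp= strings, and the DMVPN post whose log shows INVAL_KE followed by NO_PROPOSAL_CHOSEN); it is not code from strongSwan or Cisco. It parses strongSwan ike=/esp= proposal strings and a few Cisco IOS proposal lines into one vocabulary (strongSwan keyword names) and reports which proposal, if any, both sides share, naming the transform type that has no overlap. The Cisco name table is a hand-written assumption limited to the algorithms that appear in the posts, the sample inputs are constructed from them, and the sample log line uses strongSwan's own INVAL_KE wording.

```python
"""Proposal-overlap check for strongSwan versus Cisco IOS proposals.

Added example; not strongSwan or Cisco code. Tables and samples are assumptions.
"""
import re

# strongSwan keywords grouped by transform type (subset sufficient here).
TYPES = {
    "encr":  {"aes128", "aes192", "aes256", "3des"},
    "integ": {"sha1", "sha256", "sha384", "sha512"},
    "dh":    {"modp768", "modp1024", "modp1536", "modp2048", "modp3072",
              "ecp256", "ecp384"},
}
# Cisco IOS spellings -> strongSwan keywords (assumed, incomplete table);
# DH group numbers follow the IANA IKEv2 transform registry.
CISCO_ALG = {
    "aes-cbc-128": "aes128", "aes-cbc-192": "aes192", "aes-cbc-256": "aes256",
    "3des": "3des", "esp-3des": "3des", "esp-aes": "aes128",
    "sha1": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512",
    "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256",
    "esp-sha384-hmac": "sha384", "esp-sha512-hmac": "sha512",
}
CISCO_GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
               "15": "modp3072", "19": "ecp256", "20": "ecp384"}

# Constructed log excerpt, in strongSwan's wording, for an INVAL_KE reply.
SAMPLE_LOG = [
    "[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]",
    "[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048",
]
DH_REQUESTED = re.compile(r"peer didn't accept DH group (\w+), it requested (\w+)")


def type_of(keyword):
    """Return the transform type of a strongSwan keyword; reject unknown ones."""
    for ttype, names in TYPES.items():
        if keyword in names:
            return ttype
    raise ValueError("unknown or unsupported keyword: %r" % keyword)


def parse_strongswan(spec):
    """Parse 'aes256-sha256-modp2048,aes128-sha1!' into [{type: {algs}}, ...].

    Several algorithms of one type inside a proposal are alternatives, as in
    strongSwan. 'default' is refused because its expansion is version specific.
    """
    proposals = []
    for item in spec.replace(" ", "").rstrip("!").split(","):
        if item == "default":
            raise ValueError("'default' proposal depends on the strongSwan version")
        prop = {}
        for keyword in item.split("-"):
            prop.setdefault(type_of(keyword), set()).add(keyword)
        proposals.append(prop)
    return proposals


def parse_cisco(lines):
    """Parse IOS 'encryption ...', 'integrity ...', 'group ...' lines or a
    transform-set algorithm list into one {type: {algs}} dict."""
    prop = {}
    for line in lines:
        tokens = line.split()
        if tokens[0] == "group":
            prop.setdefault("dh", set()).update(CISCO_GROUP[g] for g in tokens[1:])
            continue
        algs = tokens[1:] if tokens[0] in ("encryption", "integrity") else tokens
        for alg in algs:
            keyword = CISCO_ALG[alg]
            prop.setdefault(type_of(keyword), set()).add(keyword)
    return prop


def choose(sw_proposals, cisco):
    """Return (index, shared algorithms) for the first strongSwan proposal the
    Cisco side could accept, or (None, reasons) saying which type has no overlap.
    A DH group present on one side only (PFS on/off) is also a mismatch."""
    reasons = []
    for i, prop in enumerate(sw_proposals):
        common, missing = {}, []
        for ttype in sorted(set(prop) | set(cisco)):
            both = prop.get(ttype, set()) & cisco.get(ttype, set())
            if both:
                common[ttype] = both
            else:
                missing.append("%s: %s vs %s" % (ttype, sorted(prop.get(ttype, ())),
                                                   sorted(cisco.get(ttype, ()))))
        if not missing:
            return i, common
        reasons.append("proposal %d: no common %s" % (i, "; ".join(missing)))
    return None, reasons


def dh_mismatch(log_lines):
    """Return (offered, requested) DH groups from an INVAL_KE log line, or None."""
    for line in log_lines:
        match = DH_REQUESTED.search(line)
        if match:
            return match.group(1), match.group(2)
    return None


if __name__ == "__main__":
    cisco_ike = parse_cisco(["encryption aes-cbc-256 aes-cbc-128 aes-cbc-192",
                             "integrity sha256 sha512", "group 14 2"])
    for spec in ("aes256-sha384-modp1024", "aes256-sha256-modp2048"):
        print(spec, "->", choose(parse_strongswan(spec), cisco_ike))
    print("esp ->", choose(parse_strongswan("aes256-sha256-3des"),
                           parse_cisco(["esp-3des esp-sha256-hmac"])))
    print("pfs ->", choose(parse_strongswan("aes128-sha1"),
                           parse_cisco(["esp-aes esp-sha-hmac", "group 2"])))
    print("log ->", dh_mismatch(SAMPLE_LOG))
```

The INVAL_KE case is handled by the log reader rather than the overlap check: the Cisco proposal lists group 14 before 2, and the log line names the group the peer wants, so the first thing to compare after such a line is the DH set on each side. The PFS sample shows the other common cause of a CHILD_SA refusal that is not an algorithm-name mismatch: one side insists on a DH group for the child SA and the other proposes none.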