I'm currently using a VPN connection to the office here through a virtual Windows machine with the Lancom Advanced VPN Client.
But the actual plan is to establish the IPsec connection directly under Manjaro KDE. Now I found a brief "guide" here (https://gist.github.com/kralo/8afd817bc ... 76365ca3ab) on how to create the two files for strongSwan from the Lancom ini file.
My (hopefully properly anonymised) files:
===============================
buero.ini
-------------------------------
[PROFILE1]
Name=lcbuero-WIN
ConnMedia=21
ConnMode=0
SeamRoaming=1
PriVoIP=1
Gateway=aaa.bbb.ccc.ddd
PFS=14
UseComp=0
IkeIdType=3
IkeIdStr=geheime-Daten
Secret=ganz-geheime-Daten
UseXAUTH=0
IpAddrAssign=0
IkeDhGroup=2
ExchMode=4
IKE-Policy=WIZ-PSK-AES-SHA
IPSEC-Policy=WIZ-ESP-AES-SHA
[IKEPOLICY1]
IkeName=WIZ-PSK-AES-SHA
IkeAuth=1
IkeCrypt=6
IkeHash=2
[IKEPOLICY2]
IkeName=WIZ-PSK-AES-SHA
IkeAuth=1
IkeCrypt=4
IkeHash=2
[IPSECPOLICY1]
IPSecName=WIZ-ESP-AES-SHA
IpsecCrypt=6
IpsecAuth=2
[IPSECPOLICY2]
IPSecName=WIZ-ESP-AES-SHA
IpsecCrypt=4
IpsecAuth=2
===============================
ipsec.conf
-------------------------------
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
conn buero
    keyexchange=ikev2
    auto=add
    authby=secret
    left=%defaultroute
    leftid=geheime-Daten
    leftauth=secret
    leftsourceip=%config4, %config6
    right=aaa.bbb.ccc.ddd
    rightsubnet=192.168.254.0/24
    rightid=geheime-Daten
    rightauth=secret
===============================
ipsec.secrets
-------------------------------
geheime-Daten : PSK "ganz-geheime-Daten"
sudo ipsec start
Starting strongSwan 5.9.5 IPsec [starter]...
sudo ipsec up buero
initiating IKE_SA buero[1] to aaa.bbb.ccc.ddd
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.128.128[500] to aaa.bbb.ccc.ddd[500] (968 bytes)
received packet: from aaa.bbb.ccc.ddd[500] to 192.168.128.128[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group CURVE_25519, it requested MODP_2048
initiating IKE_SA buero[1] to aaa.bbb.ccc.ddd
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.128.128[500] to aaa.bbb.ccc.ddd[500] (1192 bytes)
received packet: from aaa.bbb.ccc.ddd[500] to 192.168.128.128[500] (505 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(FRAG_SUP) CERTREQ V ]
received unknown vendor ID: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:1c:66:d1:42
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
received 1 cert requests for an unknown ca
authentication of 'lcbuero-WIN' (myself) with pre-shared key
establishing CHILD_SA buero{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.128.128[4500] to aaa.bbb.ccc.ddd[4500] (464 bytes)
received packet: from aaa.bbb.ccc.ddd[4500] to 192.168.128.128[4500] (80 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'buero' failed
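As an added example, not part of this post or of the linked gist: a Python script that pulls the fields the two strongSwan files are built from out of a Lancom profile .ini in the layout shown above and writes them out in the same shape as the ipsec.conf and ipsec.secrets in the post. The conn name, rightsubnet and keyexchange=ikev2 are assumptions carried over from the post, the embedded sample profile is constructed with the post's anonymised placeholder values, and the script assumes a plain-text profile like the one posted.

```python
import configparser

# Constructed sample in the layout of the Lancom profile above
# (anonymised placeholder values, only the keys the script needs).
LANCOM_INI = """\
[PROFILE1]
Name=lcbuero-WIN
Gateway=aaa.bbb.ccc.ddd
IkeIdType=3
IkeIdStr=geheime-Daten
Secret=ganz-geheime-Daten
ExchMode=4
"""

def parse_lancom_profile(ini_text, section="PROFILE1"):
    """Return the keys of one profile section as a dict, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    cp.optionxform = str  # keep "IkeIdStr" etc. instead of lower-casing
    cp.read_string(ini_text)
    return dict(cp[section])

def strongswan_files(ini_text, conn="buero", rightsubnet="192.168.254.0/24"):
    """Build (ipsec.conf text, ipsec.secrets text) in the shape used in the post."""
    p = parse_lancom_profile(ini_text)
    ident, psk, gateway = p["IkeIdStr"], p["Secret"], p["Gateway"]
    if '"' in psk:
        # a double quote cannot be escaped inside a quoted PSK in ipsec.secrets
        raise ValueError("PSK contains a double quote; use the 0x hex form instead")
    conf = "\n".join([
        "config setup",
        f"conn {conn}",
        # carried over verbatim so the profile's values stay visible next to the conn
        f"    # Lancom profile: ExchMode={p.get('ExchMode', '?')} IkeIdType={p.get('IkeIdType', '?')}",
        "    keyexchange=ikev2",
        "    auto=add",
        "    authby=secret",
        "    left=%defaultroute",
        f"    leftid={ident}",
        "    leftsourceip=%config4,%config6",
        f"    right={gateway}",
        f"    rightsubnet={rightsubnet}",
        f"    rightid={ident}",
    ]) + "\n"
    # strongSwan picks the PSK by the ID(s) left of the colon; with leftid == rightid
    # one selector is enough, exactly as in the posted ipsec.secrets
    secrets = f'{ident} : PSK "{psk}"\n'
    return conf, secrets
```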