IPSec VPN Host to Host on Ubuntu 14.04 with strongSwan

After spending a crazy amount of time trying to find something up to date regarding network security and host to host VPN I decided to write something which will hopefully be useful to other people in the same situation.

Setting up a host to host IPSec connection between two or more hosts running Ubuntu isn’t always a simple process. We want encryption to protect all communication between the two hosts, and for this tutorial we will be using what I feel is the simplest method: authentication with pre-shared keys (PSK).

Remember that we’re creating a transport mode IPSec VPN and not a network to network VPN: we only want two or more hosts having encrypted conversations between them.

Why would you want to have a VPN running inside your network? Well possible use cases include:

  • You want to prevent the use of packet sniffing to discover network traffic
  • There are governance reasons why you must make two hosts communicate securely
  • You want to make sure that two or more hosts are having TCP and UDP communications which aren’t being tampered with

For this tutorial I will assume the following:

  • You have at least two Ubuntu 14.04 devices which you want to encrypt communications between (named Red and Blue in these examples)
  • These devices can access each other without any NAT in the way (NAT adds an additional layer of complexity for VPNs like this)
  • You want a comparatively quick and easy IPSec configuration so you want to use pre-shared keys (PSK) for authentication
  • We want some assurance that things will be secure so we’ll be using Suite B assured cryptography for IPSec

In my example the servers I’m connecting together look like the below. They don’t have to be on the same subnet, but as I mentioned above this method will not work with NAT.

Red Server IP 192.168.100.100/24
Blue Server IP 192.168.100.200/24

Instructions – Red Server

Firstly SSH onto your first server as normal and install the following dependencies:

apt-get install ipsec-tools strongswan-starter

Now we need to create the actual crypto maps which we’ll be using, so edit the IPSec configuration file on the Red:

nano /etc/ipsec.conf

And fill in the following with the details pertinent to your network at the end of that file, e.g. IP address:

conn red-to-blue
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.100.100
    right=192.168.100.200
    type=transport
    esp=aes128gcm16!

Now create the file which holds the PSKs:

nano /etc/ipsec.secrets

Populate it like the following with your IP details (warning: each field in this file must be separated by a space, NOT a tab):

192.168.100.100 192.168.100.200 : PSK "Your password here!"

Let’s restart IPsec:

ipsec restart

Then you should have something like the following:

Stopping strongSwan IPsec…
Starting strongSwan 5.1.2 IPsec [starter]…

If you type in:

ipsec statusall

You should see something like the following which means we’re looking healthy and ready to go.

Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64):
uptime: 98 seconds, since Jun 05 19:34:12 2015
malloc: sbrk 1486848, mmap 0, used 318864, free 1167984
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Listening IP addresses:
192.168.100.100
Connections:
red-to-blue: 192.168.100.100…192.168.100.200 IKEv1/2
red-to-blue: local: [192.168.100.100] uses pre-shared key authentication
red-to-blue: remote: [192.168.100.200] uses pre-shared key authentication
red-to-blue: child: dynamic === dynamic TRANSPORT
Routed Connections:
red-to-blue{1}: ROUTED, TRANSPORT
red-to-blue{1}: 192.168.100.100/32 === 192.168.100.200/32
Security Associations (0 up, 0 connecting):
none

Instructions – Blue Server

SSH onto this server as usual and repeat what we did on the Red server. Other than the IP addresses, the configuration is identical.

Make sure the necessary packages are installed:

apt-get install ipsec-tools strongswan-starter

Edit the ipsec.conf again:

nano /etc/ipsec.conf

And populate it like the following. Again, bear in mind your IP addresses may differ from mine, and the left and right sides of the tunnel must be swapped relative to the Red server:

conn blue-to-red
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.100.200
    right=192.168.100.100
    type=transport
    esp=aes128gcm16!

Now create the file which holds the PSKs:

nano /etc/ipsec.secrets

Populate it like the following with your IP details (warning: each field in this file must be separated by a space, NOT a tab):

192.168.100.100 192.168.100.200 : PSK "Your password here!"

Let’s restart IPsec:

ipsec restart
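Before running ipsec restart on either host it is worth checking both files for exactly the mistakes this post warns about. The checker below is an added example, not code from the post or from strongSwan; the file contents it tests against are constructed from the Red and Blue configurations above, and its regular expressions assume the simple conn / key=value layout used here rather than the full ipsec.conf grammar.

```python
"""Pre-flight checks for the Red/Blue PSK config before running `ipsec restart`.
Added example, not part of the original post. It catches the mistakes the post
and its comments ran into: un-indented settings under a `conn` block (strongSwan
reports "syntax error, unexpected STRING [authby]"), tabs in ipsec.secrets (the
post warns: spaces, not tabs), left/right not mirrored between the two hosts,
and esp= proposals that differ. All file contents below are constructed."""
import re

RED_CONF = """conn red-to-blue
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.100.100
    right=192.168.100.200
    type=transport
    esp=aes128gcm16!
"""
# The Blue conn as it stood before the 17 July 2015 indentation fix.
BLUE_CONF_BROKEN = """conn blue-to-red
authby=secret
auto=route
keyexchange=ike
left=192.168.100.200
right=192.168.100.100
type=transport
esp=aes128gcm16!
"""
SECRETS_OK = '192.168.100.100 192.168.100.200 : PSK "Your password here!"\n'
SECRETS_TABBED = SECRETS_OK.replace(" ", "\t", 1)  # tab between the two IDs

def parse_conns(conf_text):
    """Return ({conn_name: {key: value}}, [problems]) for an ipsec.conf fragment."""
    conns, problems, current = {}, [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        section = re.match(r"^(conn|config|ca)\s+(\S+)\s*$", line)
        if section:  # an unindented section header starts a new block
            current = section.group(2) if section.group(1) == "conn" else None
            if current is not None:
                conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        if not line[0].isspace():
            # strongSwan only attaches indented lines to the section above them
            problems.append(f"ipsec.conf line {lineno}: '{line.strip()}' must be indented under conn {current}")
        key, _, value = line.strip().partition("=")
        conns[current][key.strip()] = value.strip()
    return conns, problems

SECRET_LINE = re.compile(r'^\S+ \S+ : PSK "[^"]+"$')

def check_secrets(secrets_text):
    """Flag tabs and malformed entries in ipsec.secrets."""
    problems = []
    for lineno, line in enumerate(secrets_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if "\t" in line:
            problems.append(f"ipsec.secrets line {lineno}: contains a tab; fields must be space-separated")
        elif not SECRET_LINE.match(line):
            problems.append(f"ipsec.secrets line {lineno}: expected '<left-id> <right-id> : PSK \"...\"'")
    return problems

def check_pair(red_conf, blue_conf, secrets_text):
    """Run every check over both hosts' conn blocks and the shared secrets file."""
    red, problems = parse_conns(red_conf)
    blue, more = parse_conns(blue_conf)
    problems += more + check_secrets(secrets_text)
    for a in red.values():
        for b in blue.values():
            if (a.get("left"), a.get("right")) != (b.get("right"), b.get("left")):
                problems.append("left/right are not mirrored between the two hosts")
            if a.get("esp") != b.get("esp"):
                problems.append("esp= differs between the hosts; both ends must offer the same transform")
            if a.get("type") != "transport" or b.get("type") != "transport":
                problems.append("type=transport missing; this is a host to host transport SA")
    return problems
```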

Testing our Tunnel

On the red server do the following and leave it running:

ping -s 4048 192.168.100.200

On the blue server run the following:

watch ipsec statusall

The number of packets and the number of bytes shown should increase while the ping is running, which shows things are working the way they should.

Or you could run the following to show the ESP packets hitting the interfaces:

tcpdump esp
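What you are looking for under watch ipsec statusall, as an added example rather than something from the post: parse two status snapshots and confirm there is an INSTALLED transport SA whose byte counters grow in both directions. The snapshots are constructed in the strongSwan 5.x statusall layout (the SPIs, timings and counters are invented), so the regular expressions assume that layout.

```python
"""Read `ipsec statusall` snapshots and decide whether the transport SA is
actually carrying traffic, which is what the post has you watch for under
`watch ipsec statusall`. Added example, not from the original post; the
snapshots below are constructed in the strongSwan 5.x status format (the
counters, SPIs and timings are invented), not captured from the post's hosts."""
import re

# Before any traffic: the post's own "none" case, nothing negotiated yet.
STATUS_IDLE = """Routed Connections:
 red-to-blue{1}:  ROUTED, TRANSPORT
 red-to-blue{1}:   192.168.100.100/32 === 192.168.100.200/32
Security Associations (0 up, 0 connecting):
  none
"""
# Two snapshots taken while `ping -s 4048` runs (constructed).
STATUS_T1 = """Security Associations (1 up, 0 connecting):
 red-to-blue[1]: ESTABLISHED 12 seconds ago, 192.168.100.100[192.168.100.100]...192.168.100.200[192.168.100.200]
 red-to-blue[1]: IKEv2 SPIs: 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r, pre-shared key reauthentication in 2 hours
 red-to-blue{2}:  INSTALLED, TRANSPORT, ESP SPIs: c9d4f2a1_i c0ffee01_o
 red-to-blue{2}:  AES_GCM_16_128, 4120 bytes_i (1 pkt, 3s ago), 4120 bytes_o (1 pkt, 3s ago), rekeying in 45 minutes
 red-to-blue{2}:   192.168.100.100/32 === 192.168.100.200/32
"""
STATUS_T2 = STATUS_T1.replace("4120 bytes", "12360 bytes").replace("1 pkt", "3 pkts")

CHILD_STATE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\w+),\s+(TRANSPORT|TUNNEL)")
CHILD_BYTES = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+([A-Z0-9_/]+),\s+(\d+) bytes_i.*?(\d+) bytes_o")

def parse_child_sas(status_text):
    """Return {(conn, id): {state, mode, cipher, bytes_i, bytes_o}} for the
    CHILD_SAs listed under 'Security Associations' (routed-only entries are ignored)."""
    sas, in_sa_section = {}, False
    for line in status_text.splitlines():
        if not line.startswith((" ", "\t")):
            # Unindented lines are section headers in statusall output.
            in_sa_section = line.startswith("Security Associations")
            continue
        if not in_sa_section:
            continue
        m = CHILD_STATE.match(line)
        if m:
            sas[(m.group(1), int(m.group(2)))] = {
                "state": m.group(3), "mode": m.group(4),
                "cipher": None, "bytes_i": 0, "bytes_o": 0}
            continue
        m = CHILD_BYTES.match(line)
        if m:
            sa = sas.setdefault((m.group(1), int(m.group(2))), {"state": "?", "mode": "?"})
            sa.update(cipher=m.group(3), bytes_i=int(m.group(4)), bytes_o=int(m.group(5)))
    return sas

def traffic_flowing(before, after, conn):
    """True when `conn` has an INSTALLED CHILD_SA whose byte counters grew in
    both directions between two snapshots: echo requests and replies are both
    going through ESP, rather than one direction travelling in the clear."""
    prev = parse_child_sas(before)
    for key, sa in parse_child_sas(after).items():
        if key[0] != conn or sa["state"] != "INSTALLED":
            continue
        old = prev.get(key, {"bytes_i": 0, "bytes_o": 0})
        if sa["bytes_i"] > old["bytes_i"] and sa["bytes_o"] > old["bytes_o"]:
            return True
    return False
```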

Congratulations, you now have a host to host VPN up and working on Ubuntu!

Update 17 July 2015 – Fixed the indentations on the ipsec.conf examples.

25 Comments on "IPSec VPN Host to Host on Ubuntu 14.04 with strongSwan"

  1. Sarat says:

    Hi thanks for this article! I am trying to configure a host2host VPN, and tried to follow your steps. In the first step, after editing the ipsec.conf and ipsec.secrets and restarting I get this message:
    Stopping strongSwan IPsec…
    Starting strongSwan 5.3.2 IPsec [starter]…
    /etc/ipsec.conf:9: syntax error, unexpected STRING [authby]
    invalid config file ‘/etc/ipsec.conf’
    unable to start strongSwan — fatal errors in config

    Can you please help me out. Thanks!

    • gyp says:

      Hi Sharat,

      Happy to help how I can, and I must apologise, the code snippets on this post are not correct. The syntax in the ipsec.conf file should be indented for everything under the “conn” section.

      When I copied and pasted from the original post I got the same errors as yourself, but it looks like it’s working great now.

      I’ve updated the main post if you could test again for me? But thanks for commenting!

      Gyp

      • Sarat says:

        Yeah I figured that out, but now I have a new problem: for some reason the ipsec statusall command on the red server doesn’t work. The version of strongSwan I am using is Linux strongSwan U5.1.2/K3.13.0-32-lowlatency.

        • gyp says:

          Thinking out loud, could it be possible you’ve not “ipsec restart”? The other thing I’d try is something like “ipsec route blue-to-red” or whichever name you’ve given it. Although I dare say a reboot could help too 🙂

        • Sarat says:

          Reinstalling Strongswan worked. Doing ipsec statusall on the RED works, but doesn’t show any connections. Connections are shown on BLUE.

          • Sarat says:

            Okay, finally succeeded. 😀
            Problem was there were two different ipsec.conf files on the RED server. They were located in different locations:
            /usr/etc/ipec.conf
            /etc/ipsec.conf
            I was accessing the second file and the changes were not taking effect. I changed the first file and voila, ipsec statusall was displaying the connections!

            Ping worked too, but I was able to test the connection only once… the other BLUE server was unreachable later and I wasn’t able to ssh into it. Any thoughts on this? Did the VPN affect it in any way? THANKS!!!!!

          • gyp says:

            Hi Sarat,

            Glad you managed to get it working!

            That’s really quite strange, what version of Ubuntu are you using and are you logged on as root? The handful of times I’ve done this I’ve never seen the ipsec.conf file be anywhere else other than in etc, so I’m a little confused too 🙂

            But again glad you got it working and thanks for the help tidying up the configs on the post.

            Gyp

  2. Sarat says:

    Okay I was able to run the blue server, but on the red server the ipsec statusall command outputs nothing…
    I donno what the problem is…

  3. Sarat says:

    Thanks for your article. It is so much simpler than the other articles on host2host configuration. Now I am trying to implement certificate based authentication. Can you post another article dealing with certificates in strongSwan? It would be great! 😀

  4. Hardik Gohil says:

    Hello, I have followed the steps.
    I connected both sides using ipsec start and it connected successfully,
    but ESP packets are not seen in the tcpdump -f esp output, nor in watch ipsec statusall.

    [email protected]:/sbin ipsec statusall
    Status of IKE charon daemon (strongSwan 5.0.2, Linux 3.2.0-PD13.1.2, armv7l):
    uptime: 8 minutes, since Jan 01 00:41:38 1970
    malloc: sbrk 405504, mmap 0, used 94048, free 311456
    worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
    loaded plugins: charon curl aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
    Listening IP addresses:
    192.168.82.99
    192.168.4.11
    Connections:
    host-host: 192.168.82.99…192.168.82.111 IKEv1/2
    host-host: local: [192.168.82.99] uses pre-shared key authentication
    host-host: remote: [192.168.82.111] uses pre-shared key authentication
    host-host: child: dynamic === dynamic TRANSPORT
    Security Associations (0 up, 0 connecting):
    none

    • gyp says:

      Hello Hardik,

      Can you try:
      ipsec up [name of tunnel]
      ping 192.168.4.11

      And if it still doesn’t come up:
      ipsec restart

      And then:
      ipsec listall

      And we shall see what we can sort out 🙂

      Gyp

  5. Hardik Gohil says:

    Doesn’t work still

    CPU7501#~ipsec up host-host
    initiating IKE_SA host-host[3] to 192.168.100.111
    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    sending packet: from 192.168.100.99[500] to 192.168.100.111[500] (708 bytes)
    retransmit 1 of request with message ID 0
    sending packet: from 192.168.100.99[500] to 192.168.100.111[500] (708 bytes)
    retransmit 2 of request with message ID 0
    sending packet: from 192.168.100.99[500] to 192.168.100.111[500] (708 bytes)
    retransmit 3 of request with message ID 0
    sending packet: from 192.168.100.99[500] to 192.168.100.111[500] (708 bytes)
    retransmit 4 of request with message ID 0
    sending packet: from 192.168.100.99[500] to 192.168.100.111[500] (708 bytes)
    retransmit 5 of request with message ID 0
    sending packet: from 192.168.100.99[500] to 192.168.100.111[500] (708 bytes)
    giving up after 5 retransmits
    peer not responding, trying again (2/3)

    CPU6501#ipsec listall

    List of registered IKEv2 Algorithms:

    encryption: AES_CBC[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des]
    integrity: AES_XCBC_96[xcbc] AES_CMAC_96[cmac] HMAC_SHA1_96[hmac] HMAC_SHA1_128[hmac] HMAC_SHA1_160[hmac]
    HMAC_MD5_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA2_256_128[hmac] HMAC_SHA2_256_256[hmac]
    HMAC_SHA2_384_192[hmac] HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_256[hmac]
    aead:
    hasher: HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD5[md5]
    prf: PRF_KEYED_SHA1[sha1] PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc] PRF_AES128_CMAC[cmac]
    PRF_HMAC_SHA1[hmac] PRF_HMAC_MD5[hmac] PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac]
    PRF_HMAC_SHA2_512[hmac]
    dh-group: MODP_2048[gmp] MODP_2048_224[gmp] MODP_2048_256[gmp] MODP_1536[gmp] MODP_3072[gmp] MODP_4096[gmp]
    MODP_6144[gmp] MODP_8192[gmp] MODP_1024[gmp] MODP_1024_160[gmp] MODP_768[gmp] MODP_CUSTOM[gmp]
    random-gen: RNG_STRONG[random] RNG_TRUE[random]
    nonce-gen: [nonce]


    • gyp says:

      Hi Hardik,

      In your original post you had:
      host-host: 192.168.82.99…192.168.82.111 IKEv1/2

      And
      Listening IP addresses:
      192.168.82.99
      192.168.4.11

      But in what you’ve posted above you’ve got listed:
      192.168.100.99[500] to 192.168.100.111[500]

      The error message above looks like the communication just isn’t getting through, I’d be checking:
      – Make sure the IP addresses are correct both on your system and in your ipsec.conf
      – Make sure that the two hosts can communicate with each other without any NAT
      – Make sure IPtables isn’t blocking anything by running “iptables -L”
      – Turn off ipsec by running “ipsec stop” and trying pinging between the hosts

      Gyp

  6. Hardik Gohil says:

    Sorry, IP addresses were the problem. Also I need to disable the esp parameter.

  7. Vibha says:

    Excellent and well explained post. I had a small doubt. What if I wanted tunnel mode instead of transport mode? Would just changing type=tunnel in the ipsec.conf do the task?

    • gyp says:

      Hi Vibha,

      Thanks for dropping by and thanks for the comments.

      If you have host to host on the same network why would you want to use Tunnel Mode? But if you change the ipsec.conf with the details and give it a reload you should see some information in the logs. I suppose if you had two hosts which had internal IP ranges then yes this should work, and you would see the backend IPs in the logs on each device.

      Gyp

  8. Mohammed Abbas says:

    Hello,

    In the client configuration, where should I put the server’s public IP in order to connect?

  9. shahriar says:

    Hi,

    Just wanted to thank you for the article.
    I never leave comments but your article REALLY helped me and saved lot of time.

    Thanks man.

Trackbacks for this post

  1. IPSec VPN Host to Host on Windows 2012 R2 and Ubuntu 14.04 | Gyp the Cat dot Com
  2. Configuring Suite B, VPN-A and VPN-B in IPSec with Strongswan | Gyp the Cat dot Com
