Okay now i tried the following configs and something happen.
ipsec.conf:
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
nat_traversal=yes
virtual_private=%v4:192.168.179.0./24,%v4:192.168.177.0./24
oe=off
# Enable this if you see "failed to find any available worker"
# nhelpers=
conn Site-to-Site
authby=secret
auto=add
type=tunnel
aggrmode=yes
left= PUBLIC IP ADRESS OF NSSERVER
leftid= FQDN OF NSSERVER
leftnexthop=%defaultroute
leftsourceip=192.168.177.21
leftsubnet=192.168.177.0/24
right=%any
rightsubnet=192.168.179.0/24
rightid= FQDN OF FRITZBOX
ike=aes256-sha1;modp2048
phase2=esp
phase2alg=aes256-sha1;modp2048
Fritzbox config:
vpncfg {
connections {
enabled = yes;
conn_type = conntype_lan;
name = "ANYNAME";
always_renew = yes;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = PUBLIC IP OF NSSERVER;
remote_virtualip = 0.0.0.0;
localid {
fqdn = "FQDN OF FRITZBOX";
}
remoteid {
ipaddr = "PUBLIC IP ADRESS OF NSSERVER";
}
mode = phase1_mode_aggressive;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "SECRET KEY";
cert_do_server_auth = no;
use_nat_t = yes;
use_xauth = no;
use_cfgmode = no;
phase2localid {
ipnet {
ipaddr = 192.168.179.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipnet {
ipaddr = 192.168.177.0;
mask = 255.255.255.0;
}
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";
accesslist = "permit ip any 192.168.177.0 255.255.255.0";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
And the ipsec.log shows this on and on:
Sep 24 11:20:09 NET01 pluto[6327]: packet from 79.235.2.199:500: initial Aggressive Mode message from 79.235.2.199 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 24 11:20:17 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [XAUTH]
Sep 24 11:20:17 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [Dead Peer Detection]
Sep 24 11:20:17 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [RFC 3947]
Sep 24 11:20:17 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 24 11:20:17 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 24 11:20:17 NET01 pluto[6327]: packet from 79.235.2.199:500: initial Aggressive Mode message from 79.235.2.199 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 24 11:20:37 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [XAUTH]
Sep 24 11:20:37 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [Dead Peer Detection]
Sep 24 11:20:37 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [RFC 3947]
Sep 24 11:20:37 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 24 11:20:37 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 24 11:20:37 NET01 pluto[6327]: packet from 79.235.2.199:500: initial Aggressive Mode message from 79.235.2.199 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 24 11:20:39 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [XAUTH]
Sep 24 11:20:39 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [Dead Peer Detection]
Sep 24 11:20:39 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [RFC 3947]
Sep 24 11:20:39 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 24 11:20:39 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 24 11:20:39 NET01 pluto[6327]: packet from 79.235.2.199:500: initial Aggressive Mode message from 79.235.2.199 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 24 11:20:43 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [XAUTH]
Sep 24 11:20:43 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [Dead Peer Detection]
Sep 24 11:20:43 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [RFC 3947]
Sep 24 11:20:43 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 24 11:20:43 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 24 11:20:43 NET01 pluto[6327]: packet from 79.235.2.199:500: initial Aggressive Mode message from 79.235.2.199 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 24 11:20:51 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [XAUTH]
Sep 24 11:20:51 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [Dead Peer Detection]
Sep 24 11:20:51 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [RFC 3947]
Sep 24 11:20:51 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 24 11:20:51 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 24 11:20:51 NET01 pluto[6327]: packet from 79.235.2.199:500: initial Aggressive Mode message from 79.235.2.199 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Disabling aggressive mode on both sides gives this:
Sep 24 11:45:48 NET01 pluto[8193]: packet from 79.235.30.110:500: initial Main Mode message received on 192.168.177.6:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Sep 24 11:45:52 NET01 pluto[8193]: packet from 79.235.30.110:500: received Vendor ID payload [XAUTH]
Sep 24 11:45:52 NET01 pluto[8193]: packet from 79.235.30.110:500: received Vendor ID payload [Dead Peer Detection]
Sep 24 11:45:52 NET01 pluto[8193]: packet from 79.235.30.110:500: received Vendor ID payload [RFC 3947]
Sep 24 11:45:52 NET01 pluto[8193]: packet from 79.235.30.110:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 24 11:45:52 NET01 pluto[8193]: packet from 79.235.30.110:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 24 11:45:52 NET01 pluto[8193]: packet from 79.235.30.110:500: initial Main Mode message received on 192.168.177.6:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Sep 24 11:46:00 NET01 pluto[8193]: packet from 79.235.30.110:500: received Vendor ID payload [XAUTH]
Sep 24 11:46:00 NET01 pluto[8193]: packet from 79.235.30.110:500: received Vendor ID payload [Dead Peer Detection]
Sep 24 11:46:00 NET01 pluto[8193]: packet from 79.235.30.110:500: received Vendor ID payload [RFC 3947]
Sep 24 11:46:00 NET01 pluto[8193]: packet from 79.235.30.110:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 24 11:46:00 NET01 pluto[8193]: packet from 79.235.30.110:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 24 11:46:00 NET01 pluto[8193]: packet from 79.235.30.110:500: initial Main Mode message received on 192.168.177.6:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Whats wrong?