
I am having trouble configuring a connection to an Android device using a Fedora 17 Linux machine and strongSwan v5.0.1dr2. I have made some progress, but when I try adding the configuration to support XAuth authentication I receive an error when I try to reload the configuration file. I get a similar error for the value ikev1 for the keyexchange setting, and whenever I try to set a value for rightauth. Has anyone else had this problem? The man page for ipsec.conf and the documentation on the strongSwan wiki both indicated that these settings and values should be fine in 5.0.x.x. I could try setting authby, but that is deprecated according to the documentation I read, and the xauthpsk value isn't working. Any help is much appreciated, thanks.

    can not load config '/etc/ipsec.conf': /etc/ipsec.conf:25: syntax error, unexpected STRING [leftauth]

    # /etc/ipsec.conf - Openswan IPsec configuration file
    #
    # Manual:     ipsec.conf.5
    #
    # Please place your own config files in /etc/ipsec.d/ ending in .conf

    version 2.0     # conforms to second version of ipsec.conf specification

    # basic configuration
    config setup
            # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
            protostack=netkey
            # Enable this if you see "failed to find any available worker"
            # nhelpers=0
            plutodebug=all
    conn %default
            ikelifetime=240m
            #keylifetime=20m
            keyingtries=3
            ikev2=no


    conn android
            left=10.1.12.212
            right=10.1.12.140
            leftxauthserver=yes
            leftauth=psk
            rightauth=xauth
            keyexchange=ikev1
            type=tunnel
            pfs=no
            rekey=no
            auto=start
            ike=aes256-md5;modp1024
            phase2=esp
            ikev2=no
    #You may put your configuration (.conf) file in the "/etc/ipsec.d/"
    #include /etc/ipsec.d/*.conf
dudebrobro

1 Answer


To configure XAuth PSK with strongSwan 5.0.x (as responder) you have to use:

    leftauth=psk
    rightauth=psk
    rightauth2=xauth

Although deprecated, authby=xauthpsk would actually still work as an alias for the above (with xauth=server also added).

> can not load config '/etc/ipsec.conf': /etc/ipsec.conf:25: syntax error, unexpected STRING [leftauth]

This error and the fact that several options used here are not valid strongSwan options (e.g. phase2 and leftxauthserver; the semicolon in the value for ike is also invalid) lead me to believe that you actually don't use strongSwan but Openswan instead (leftauth is an invalid option there).

As you probably built the developer release directly from the tarball, the reason could be that you did not provide the proper ./configure options (e.g. --prefix and --sysconfdir) to replace the ipsec script provided by the default Fedora Openswan package. To avoid conflicts you might want to remove that package anyway; if not, you could also use the --with-ipsec-script=strongswan option to rename strongSwan's ipsec script to strongswan.

ecdsa
  • Thanks for the help. I removed the default Openswan package and now things are working and making much more sense – dudebrobro Sep 13 '12 at 14:07
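
A small checker for the mix-up diagnosed in the answer, added here as an example (it is not from the original posts and not strongSwan or Openswan code): it flags settings in an ipsec.conf that belong to only one of the two dialects. The classification uses only what the answer states; treating rightauth and rightauth2 like leftauth is an assumption, and the function names and sample text are constructed.

```python
import re

# Classification taken from the answer above; nothing beyond what it states.
OPENSWAN_ONLY = {"phase2", "leftxauthserver"}   # not valid strongSwan options
# leftauth is rejected by Openswan; rightauth/rightauth2 are assumed to
# belong to the same family of strongSwan settings.
STRONGSWAN_ONLY = {"leftauth", "rightauth", "rightauth2"}

# Constructed sample: the asker's "conn android" section, trimmed.
SAMPLE = """\
# /etc/ipsec.conf - Openswan IPsec configuration file
conn android
        left=10.1.12.212
        leftxauthserver=yes
        leftauth=psk
        rightauth=xauth
        keyexchange=ikev1
        ike=aes256-md5;modp1024
        phase2=esp
"""

def lint(text):
    """Return (line_no, dialect, message) for each dialect-specific setting."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if not m:
            continue                                 # section header or blank
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in OPENSWAN_ONLY:
            findings.append((no, "openswan", f"{key} is not a strongSwan option"))
        elif key in STRONGSWAN_ONLY:
            findings.append((no, "strongswan", f"{key} is not an Openswan option"))
        elif key == "ike" and ";" in value:
            findings.append((no, "openswan", "';' in ike= is invalid for strongSwan"))
    return findings

def is_mixed(findings):
    """True when the file combines settings from both dialects."""
    return {dialect for _, dialect, _ in findings} == {"openswan", "strongswan"}

if __name__ == "__main__":
    for no, dialect, msg in lint(SAMPLE):
        print(f"line {no}: [{dialect}-style] {msg}")
    print("mixed dialects:", is_mixed(lint(SAMPLE)))
```

A file that reports mixed dialects will fail to load under either daemon, which is the symptom in the question: the parser that rejects leftauth is the one installed by the Openswan package.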