Start strongSwan and check the connection (Fedora/RHEL/CentOS client)
How to start strongSwan and check the IPsec RA VPN connection, after you have installed and configured it.
- Enable and start strongSwan.
$ systemctl enable strongswan
$ systemctl start strongswan
$ swanctl -c
- Instruct the IPsec client to initiate a tunnel connection to the server.
$ swanctl -i --ike devcloud --child tunnel-1
[IKE] initiating IKE_SA devcloud[4] to 10.10.2.3
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 172.16.0.1[500] to 10.10.2.3[500] (264 bytes)
[NET] received packet: from 10.10.2.3[500] to 172.16.0.1[500] (289 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
[IKE] local host is behind NAT, sending keep alives
[IKE] received cert request for "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test Root CA"
[IKE] sending cert request for "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test Root CA"
[IKE] authentication of 'C=UK, O=RAVPNWhitePaper, CN=devcloud1' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] sending end entity cert "C=UK, O=RAVPNWhitePaper, CN=devcloud1"
[IKE] establishing CHILD_SA tunnel-1{4}
[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[ENC] splitting IKE message with length of 1661 bytes into 2 fragments
[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
[NET] sending packet: from 172.16.0.1[4500] to 10.10.2.3[4500] (1248 bytes)
[NET] sending packet: from 172.16.0.1[4500] to 10.10.2.3[4500] (478 bytes)
[NET] received packet: from 10.10.2.3[4500] to 172.16.0.1[4500] (1248 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
[ENC] received fragment #1 of 2, waiting for complete IKE message
[NET] received packet: from 10.10.2.3[4500] to 172.16.0.1[4500] (391 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
[ENC] received fragment #2 of 2, reassembling fragmented IKE message
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr ]
[IKE] received end entity cert "C=UK, O=RAVPNWhitePaper, CN=server"
[CFG] using certificate "C=UK, O=RAVPNWhitePaper, CN=server"
[CFG] using trusted ca certificate "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test Root CA"
[CFG] checking certificate status of "C=UK, O=RAVPNWhitePaper, CN=server"
[CFG] fetching crl from 'http://crl.vpn.am/ca/root-ca.crl' ... # <-- Revocation Check
[CFG] using trusted certificate "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test Root CA"
[CFG] crl correctly signed by "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test Root CA"
[CFG] crl is valid: until Feb 02 15:14:45 2020
[CFG] certificate status is good
[CFG] reached self-signed root ca with a path length of 0
[IKE] authentication of 'C=UK, O=RAVPNWhitePaper, CN=server' with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] IKE_SA devcloud[4] established between 172.16.0.1[C=UK, O=RAVPNWhitePaper, CN=devcloud1]...10.10.2.3[C=UK, O=RAVPNWhitePaper, CN=server]
[IKE] scheduling rekeying in 14095s
[IKE] maximum IKE_SA lifetime 15535s
[IKE] installing new virtual IP 10.200.0.1
[IKE] CHILD_SA tunnel-1{4} established with SPIs c2b54ecc_i c540ea9b_o and TS 10.200.0.1/32 === 10.90.9.0/24
initiate completed successfully
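
One way to check the initiate output above automatically, as an added example that is not part of the original page: the script looks for the log lines showing that the server certificate was revocation-checked, the peer authenticated, and both SAs came up. The function names `check_initiate_log`, `sample_good` and `sample_no_status` are hypothetical; the connection names and DN are the ones shown in the log.

```shell
#!/bin/sh
# Added example, not from the original page: check `swanctl -i` output for
# the milestones that show the peer was authenticated and revocation-checked.

# check_initiate_log FILE IKE_NAME CHILD_NAME PEER_DN   (hypothetical helper)
# Prints PASS/FAIL per milestone; returns 0 only if every one is present.
check_initiate_log() {
    f=$1 ike=$2 child=$3 peer=$4 rc=0
    # Each row: description|fixed string|second fixed string on the same line
    while IFS='|' read -r desc s1 s2; do
        if grep -F -- "$s1" "$f" | grep -qF -- "$s2"; then
            echo "PASS  $desc"
        else
            echo "FAIL  $desc"; rc=1
        fi
    done <<EOF
revocation checked for peer|[CFG] checking certificate status of|"$peer"
CRL signature verified|[CFG] crl|correctly signed by
peer certificate not revoked|[CFG] certificate status|is good
peer authenticated|[IKE] authentication of '$peer' with|successful
IKE_SA established|[IKE] IKE_SA ${ike}[|established between
CHILD_SA installed|[IKE] CHILD_SA ${child}{|established with SPIs
initiate completed|initiate completed|successfully
EOF
    return $rc
}

# Constructed sample: lines trimmed from the log on this page.
sample_good() { cat <<'EOF'
[CFG] checking certificate status of "C=UK, O=RAVPNWhitePaper, CN=server"
[CFG] crl correctly signed by "C=UK, O=RAVPNWhitePaper, OU=RAVPNWhitePaper Test CA, CN=RAVPNWhitePaper Test Root CA"
[CFG] certificate status is good
[IKE] authentication of 'C=UK, O=RAVPNWhitePaper, CN=server' with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] IKE_SA devcloud[4] established between 172.16.0.1[C=UK, O=RAVPNWhitePaper, CN=devcloud1]...10.10.2.3[C=UK, O=RAVPNWhitePaper, CN=server]
[IKE] CHILD_SA tunnel-1{4} established with SPIs c2b54ecc_i c540ea9b_o and TS 10.200.0.1/32 === 10.90.9.0/24
initiate completed successfully
EOF
}

# Constructed sample: same session, but the CRL and status lines are absent.
sample_no_status() { sample_good | grep -vF -e "[CFG] crl" -e "status is good"; }

# Demo on the good sample.
tmp=$(mktemp) && sample_good > "$tmp" && check_initiate_log "$tmp" devcloud tunnel-1 \
    'C=UK, O=RAVPNWhitePaper, CN=server'; rm -f "$tmp"
```

To check a real session, save the output of the `swanctl -i` command to a file and pass that file as the first argument. The second sample fails two checks even though it ends with "initiate completed successfully", which is why the script does not rely on the final line alone.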