The following simple configuration does not work anymore:
vpn {
    ipsec {
        esp-group TEST-ESP {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group TEST-IKE {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28000
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 10.131.0.101 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret abc
                }
                connection-type initiate
                ike-group TEST-IKE
                local-address 10.131.0.102
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group TEST-ESP
                    local {
                        prefix 192.168.20.0/24
                    }
                    protocol all
                    remote {
                        prefix 192.168.10.0/24
                    }
                }
            }
        }
    }
}
The following error occurred in the log file:
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: # bad protocol: leftprotoport=all
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: bad argument value in conn 'peer-10.131.0.101-tunnel-1'
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: # bad protocol: rightprotoport=all
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: bad argument value in conn 'peer-10.131.0.101-tunnel-1'
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: # ignored conn 'peer-10.131.0.101-tunnel-1' due to 2 parsing errors
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: ### 2 parsing errors (0 fatal) ###
When you change the protocol from all to ip, it works.
set vpn ipsec site-to-site peer 10.131.0.101 tunnel 1 protocol ip
Looks like it's not working anymore since the change from strongSwan 4.x to 5.x.
Regards
Markus
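
Added example, not part of the original report and not VyOS or strongSwan code: a Python triage script that reads ipsec_starter log lines like those in the report, lists which conns were ignored and which parameters were rejected, and emits the workaround command given in the report. The conn-name pattern peer-<address>-tunnel-<id> and the function name triage are assumptions based on the single log sample in the report.

```python
import re

# Sample input: the log lines from the report, one message per line.
SAMPLE_LOG = """\
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: # bad protocol: leftprotoport=all
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: bad argument value in conn 'peer-10.131.0.101-tunnel-1'
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: # bad protocol: rightprotoport=all
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: bad argument value in conn 'peer-10.131.0.101-tunnel-1'
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: # ignored conn 'peer-10.131.0.101-tunnel-1' due to 2 parsing errors
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: ### 2 parsing errors (0 fatal) ###
"""

BAD_PARAM = re.compile(r"ipsec_starter\[\d+\]: # bad protocol: (\w+)=(\S+)")
BAD_CONN = re.compile(r"ipsec_starter\[\d+\]: bad argument value in conn '([^']+)'")
IGNORED = re.compile(r"ipsec_starter\[\d+\]: # ignored conn '([^']+)' due to \d+ parsing errors")
# Assumption: conn names look like peer-<address>-tunnel-<id>, as in the sample.
CONN_NAME = re.compile(r"^peer-(.+)-tunnel-(\d+)$")


def triage(log_text):
    """Map each conn to its rejected parameters, ignored flag and suggested fix."""
    conns = {}
    pending = []  # rejected parameters seen before the conn is named
    for line in log_text.splitlines():
        m = BAD_PARAM.search(line)
        if m:
            pending.append((m.group(1), m.group(2)))
            continue
        m = BAD_CONN.search(line) or IGNORED.search(line)
        if not m:
            continue
        entry = conns.setdefault(m.group(1), {"rejected": [], "ignored": False, "fix": None})
        if m.re is BAD_CONN:
            # The starter names the conn on the line after the rejected parameter.
            entry["rejected"].extend(pending)
            pending = []
            continue
        entry["ignored"] = True  # the whole tunnel definition was dropped
        name = CONN_NAME.match(m.group(1))
        proto_all = any(k.endswith("protoport") and v == "all" for k, v in entry["rejected"])
        if name and proto_all:
            # Workaround from the report: replace "protocol all" with "protocol ip".
            entry["fix"] = "set vpn ipsec site-to-site peer %s tunnel %s protocol ip" % name.groups()
    return conns


if __name__ == "__main__":
    for conn, info in triage(SAMPLE_LOG).items():
        print(conn, info["rejected"], "IGNORED" if info["ignored"] else "loaded", info["fix"])
```

An ignored conn means the tunnel was never loaded, so running this over the log after an upgrade shows which site-to-site tunnels need the protocol change before they can come up.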