Re: [strongSwan] Unable to connect to client - no matching peer config found

2020-06-09 Thread Liong Kok Foo

Hi Noel,

Awesome! Thanks for the guidance.

[root@uatvpngateway strongswan]# strongswan status
Security Associations (1 up, 0 connecting):
 net-net[3]: ESTABLISHED 8 minutes ago, 10.15.66.10[192.168.40.34]...1.2.3.4[1.2.3.4]
 net-net{3}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: ce157096_i ca47d3e2_o
 net-net{3}:   192.168.40.32/30 === 192.168.118.0/24

The final thing I did was change leftsubnet=192.168.40.32/30.

Now I need to get the route working which is another problem to be solved.

Cheers!

On 10/6/2020 12:48 pm, Noel Kuntze wrote:

Hi Liong,

I'm pretty sure you can solve this little puzzle by yourself. The values are 
already there.

Kind regards

Noel

On 10.06.20 at 06:20, Liong Kok Foo wrote:

Hi Noel,

The client side is not allowing connections from my side as it is not using the IP they want. I have removed the alias and changed leftid=192.168.40.34.

Jun 10 12:03:59 uatvpngateway charon[20916]: 06[IKE] maximum IKE_SA lifetime 86298s
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] looking for a child config for 192.168.40.32/30 === 192.168.118.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] proposing traffic selectors for us:
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG]  10.15.66.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] proposing traffic selectors for other:
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG]  192.168.118.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[IKE] traffic selectors 192.168.40.32/30 === 192.168.118.0/24 unacceptable
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (144 bytes)

Any idea? Or is this not possible?


*Liong Kok Foo*
Team Lead, IT Infra

REVENUE GROUP OF COMPANIES
Email : liong.kok@revenue.com.my
TEL : +60 3-9212 0505 (ext 1004)
FAX : +60 3-6242 8785
ADD : Wisma Revenue Group, No. 12, Jalan Udang Harimau 2, Kepong Business Park, 51200 Kuala Lumpur
WEB : www.revenue.com.my
WEB : www.revpay.com.my

On 10/6/2020 11:31 am, Noel Kuntze wrote:

Hello Liong,


You see, the client has their VPN set up such that we MUST connect to them from IP 192.168.40.34. Our network IP is 10.15.66.0/24. This is the reason why we had to use Strongswan and NAT to do this.


Your host is behind NAT, so the other peer won't ever see it. Also, that IP 
address is probably not routed to you by the next hop router. That's why you 
don't get any response for packets sent from the IP address 192.168.40.34.

You need to set leftid to the address. That will probably do it.


Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 
10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN

Yes, of course, because you set left to 192.168.40.34, instead of the correct value of 10.15.66.10. Stop hitting yourself.


I created an alias eth0:0 192.168.40.34 for this server.

That doesn't help you at all. Also, aliases have been deprecated for more than 20 years. Aliases are a crutch for using ifconfig with several IP addresses per interface.
ifconfig and route have been deprecated for more than 20 years, too.

Kind regards

Noel

On 10.06.20 at 05:12, Liong Kok Foo wrote:

Hi Noel,

Thanks, I changed the rightid and it is going somewhere.

However, I am stuck in another error.

Jun 10 11:02:19 uatvpngateway charon[20200]: 11[IKE] retransmit 3 of request with message ID 0
Jun 10 11:02:19 uatvpngateway charon[20200]: 11[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[CFG] looking for an IKEv2 config for 10.15.66.10...1.2.3.4
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (36 bytes)
Jun 10 11:02:43 uatvpngateway charon[20200]: 14[IKE] retransmit 4 of request with message ID 0
Jun 10 11:02:43 uatvpngateway charon[20200]: 14[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)

You see, the client has their VPN set up such that we MUST connect to them from IP 192.168.40.34. Our network IP is 10.15.66.0/24. This is the reason why we had to use Strongswan and NAT 
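As a triage helper for the three failures this thread went through (an added example, not code from the list or from strongSwan; the function names are mine and the sample lines are the thread's own charon messages re-joined onto one line each), the following maps each charon failure message to the ipsec.conf key that had to change and the value the preceding "looking for ..." message shows the peer expects:

```python
import re

# charon syslog lines as they appear in this thread, with or without "[pid]":
#   "Jun  9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found"
#   "Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found ..."
CHARON_RE = re.compile(
    r"charon(?:\[\d+\])?:\s+(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$"
)
# The lookup messages that precede each failure carry the values the peer sent.
PEER_LOOKUP_RE = re.compile(
    r"looking for peer configs matching (?P<me>\S+)\[(?P<my_id>[^\]]*)\]"
    r"\.\.\.(?P<peer>\S+)\[(?P<peer_id>[^\]]*)\]"
)
IKE_LOOKUP_RE = re.compile(
    r"looking for an IKEv2 config for (?P<me>\S+)\.\.\.(?P<peer>\S+)"
)
CHILD_LOOKUP_RE = re.compile(
    r"looking for a child config for (?P<mine>\S+) === (?P<theirs>\S+)"
)


def parse_charon(line):
    """Return (thread, log group, message) for a charon line, or None."""
    m = CHARON_RE.search(line)
    return (m.group("thread"), m.group("group"), m.group("msg")) if m else None


def diagnose(lines):
    """Walk charon lines in order; return (ipsec.conf key, value, message) tuples.

    The value is taken from the "looking for ..." message that preceded the
    failure, i.e. what the peer actually sent, so it is what the key must match.
    """
    findings = []
    peer = ike = child = None  # groups of the most recent lookup of each kind
    for line in lines:
        parsed = parse_charon(line)
        if parsed is None:
            continue
        msg = parsed[2]
        if m := PEER_LOOKUP_RE.search(msg):
            peer = m.groupdict()
        elif m := IKE_LOOKUP_RE.search(msg):
            ike = m.groupdict()
        elif m := CHILD_LOOKUP_RE.search(msg):
            child = m.groupdict()
        elif "no matching peer config found" in msg and peer:
            # IKE_AUTH arrived but no conn matched the identity in the peer's
            # brackets; rightid must equal that identity (1.2.3.4 in the thread).
            findings.append(("rightid", peer["peer_id"], msg))
        elif "no IKE config found" in msg and ike:
            # The request reached the address before "...", not the aliased one,
            # so "left" must be that address; the identity the peer expects is
            # what the thread ends up putting in leftid instead.
            findings.append(("left", ike["me"], msg))
        elif msg.startswith("traffic selectors") and "unacceptable" in msg and child:
            # The peer proposed these selectors and ours did not overlap them;
            # leftsubnet/rightsubnet must cover what the peer proposed.
            findings.append(("leftsubnet", child["mine"], msg))
            findings.append(("rightsubnet", child["theirs"], msg))
    return findings


# Constructed sample: the three failing exchanges from this thread, re-joined
# onto one line each (the archive wrapped them).
SAMPLE_LOG = """\
Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
Jun  9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[CFG] looking for an IKEv2 config for 10.15.66.10...1.2.3.4
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] looking for a child config for 192.168.40.32/30 === 192.168.118.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[IKE] traffic selectors 192.168.40.32/30 === 192.168.118.0/24 unacceptable
""".splitlines()

if __name__ == "__main__":
    for key, value, msg in diagnose(SAMPLE_LOG):
        print(f"{key}={value}    <- {msg}")
```

Run it over `journalctl -u strongswan` output (or the syslog file charon writes to) after enabling `charondebug="cfg 2, ike 2"`, since the "looking for ..." lines only appear at that level.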

Re: [strongSwan] Unable to connect to client - no matching peer config found

2020-06-09 Thread Liong Kok Foo

Hi Noel,

The client side is not allowing connections from my side as it is not using the IP they want. I have removed the alias and changed leftid=192.168.40.34.


Jun 10 12:03:59 uatvpngateway charon[20916]: 06[IKE] maximum IKE_SA lifetime 86298s
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] looking for a child config for 192.168.40.32/30 === 192.168.118.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] proposing traffic selectors for us:
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG]  10.15.66.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] proposing traffic selectors for other:
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG]  192.168.118.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[IKE] traffic selectors 192.168.40.32/30 === 192.168.118.0/24 unacceptable
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (144 bytes)


Any idea? Or is this not possible?




On 10/6/2020 11:31 am, Noel Kuntze wrote:

Hello Liong,


You see, the client has their VPN set up such that we MUST connect to them from IP 192.168.40.34. Our network IP is 10.15.66.0/24. This is the reason why we had to use Strongswan and NAT to do this.


Your host is behind NAT, so the other peer won't ever see it. Also, that IP 
address is probably not routed to you by the next hop router. That's why you 
don't get any response for packets sent from the IP address 192.168.40.34.

You need to set leftid to the address. That will probably do it.


Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 
10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN

Yes, of course, because you set left to 192.168.40.34, instead of the correct value of 10.15.66.10. Stop hitting yourself.


I created an alias eth0:0 192.168.40.34 for this server.

That doesn't help you at all. Also, aliases have been deprecated for more than 20 years. Aliases are a crutch for using ifconfig with several IP addresses per interface.
ifconfig and route have been deprecated for more than 20 years, too.

Kind regards

Noel

On 10.06.20 at 05:12, Liong Kok Foo wrote:

Hi Noel,

Thanks, I changed the rightid and it is going somewhere.

However, I am stuck in another error.

Jun 10 11:02:19 uatvpngateway charon[20200]: 11[IKE] retransmit 3 of request with message ID 0
Jun 10 11:02:19 uatvpngateway charon[20200]: 11[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[CFG] looking for an IKEv2 config for 10.15.66.10...1.2.3.4
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (36 bytes)
Jun 10 11:02:43 uatvpngateway charon[20200]: 14[IKE] retransmit 4 of request with message ID 0
Jun 10 11:02:43 uatvpngateway charon[20200]: 14[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)

You see, the client has their VPN set up such that we MUST connect to them from IP 192.168.40.34. Our network IP is 10.15.66.0/24. This is the reason why we had to use Strongswan and NAT to do this.

Because we are using a cloud server, our IP is eth0 10.15.66.10 and I created 
an alias eth0:0 192.168.40.34 for this server.

So now, I have changed the config a bit as below. Not sure what the problem is now. I have also enabled debug-cfg 2.

conn net-net
#    left=10.15.66.10
     left=192.168.40.34
#    leftsubnet=10.15.66.0/24
     # also tried 0.0.0.0/0
     leftsubnet=192.168.40.32/30
     leftid=@rh
     leftfirewall=yes
     right=1.2.3.4
     rightsubnet=192.168.118.0/24
     rightid=1.2.3.4
     ike=aes256-sha2_256-modp2048!
     esp=aes256-sha2_256-modp2048!
     auto=start


ike should be correct as requested by the client's side:

IKE Group  

Re: [strongSwan] Unable to connect to client - no matching peer config found

2020-06-09 Thread Liong Kok Foo

Hi Noel,

Thanks, I changed the rightid and it is going somewhere.

However, I am stuck in another error.

Jun 10 11:02:19 uatvpngateway charon[20200]: 11[IKE] retransmit 3 of request with message ID 0
Jun 10 11:02:19 uatvpngateway charon[20200]: 11[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[CFG] looking for an IKEv2 config for 10.15.66.10...1.2.3.4
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (36 bytes)
Jun 10 11:02:43 uatvpngateway charon[20200]: 14[IKE] retransmit 4 of request with message ID 0
Jun 10 11:02:43 uatvpngateway charon[20200]: 14[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)


You see, the client has their VPN set up such that we MUST connect to them from IP 192.168.40.34. Our network IP is 10.15.66.0/24. This is the reason why we had to use Strongswan and NAT to do this.


Because we are using a cloud server, our IP is eth0 10.15.66.10 and I 
created an alias eth0:0 192.168.40.34 for this server.


So now, I have changed the config a bit as below. Not sure what the problem is now. I have also enabled debug-cfg 2.


conn net-net
#    left=10.15.66.10
    left=192.168.40.34
#    leftsubnet=10.15.66.0/24
    # also tried 0.0.0.0/0
    leftsubnet=192.168.40.32/30
    leftid=@rh
    leftfirewall=yes
    right=1.2.3.4
    rightsubnet=192.168.118.0/24
    rightid=1.2.3.4
    ike=aes256-sha2_256-modp2048!
    esp=aes256-sha2_256-modp2048!
    auto=start


ike should be correct as requested by the client's side:

IKE Group: Group 14
IKE Encryption: AES-256
IKE Authentication: SHA2-256

Thanks

On 9/6/2020 6:30 pm, Noel Kuntze wrote:

Hi Liong,


Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]

rightid=1.2.3.4

Kind regards

Noel

On 09.06.20 at 11:27, Liong Kok Foo wrote:

Hi,

I am new to strongswan and have not had much experience setting up VPN connections.

I need to set up a new VPN connection to a client but just cannot seem to get it working.

Here is the information provided by the client:

IKEv2 (Phase 1) Proposal
  Available for ping (Yes/No): No
  IKE Mode (Aggressive/Main): Main
  IKE Authentication method: Pre-shared key
  IKE Pre-shared key: xx
  IKE Group: Group 14
  IKE Encryption: AES-256
  IKE Authentication: SHA2-256
  IKE Lifetime (seconds): 86400
  Life Time (KB): 86400

IPsec (Phase 2) Proposal
  IPsec Group: Group 14
  IPsec Protocol: ESP
  IPsec Encryption: AES-256
  IPsec Authentication: SHA2-256
  IPsec Lifetime (seconds): 3600
  Life Time (KB): 28800
  Enable Perfect Forward Secrecy: Yes
  PFS / DH-group: Yes/Gp-14
  Encapsulation Mode: Tunnel
  IP addresses carried in tunnel (Private IP address, IP range assigned by client): Crypto ACL
  Source (Encryption Domain): 192.168.40.33/30 (DR), 192.168.40.34/30 (UAT)
  Port: Any
  VPN DPD always enabled: Enabled
  To disable monitoring ICMP echo requests (or pings) -> by right used to determine if a VPN tunnel is up, however for this case it's dropping the VPN connections: Disabled
  To disable proxy-ID negotiation, which is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations: Disabled
  NAT traversal (TCP4500): Disabled


Here is my configuration file:

ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

conn %default
     ikelifetime=1440m
     keylife=60m
     rekeymargin=3m
     keyingtries=1
     authby=secret
     keyexchange=ikev2
     mobike=no

conn net-net
     left=10.15.66.10
     leftsubnet=10.15.66.0/24
     leftid=@me
     leftfirewall=yes
     # client public IP changed
     right=1.2.3.4
     rightsubnet=192.168.118.0/24
     rightid=@client
     ike=aes256-sha2_256-modp2048!
     esp=aes256-sha2_256-modp2048!
     auto=start


ipsec.secrets:

# ipsec.secrets - strongSwan IPsec secrets file
@me @client : PSK "xx"


Here is a part of the message log:

Jun  9 17:14:32 uatvpngateway charon: 06[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
Jun  9 17:14:32 uatvpngateway charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
Jun  9 17:14:32 uatvpngateway charon: 06[IKE] 1.2.3.4 is initiating an IKE_SA
Jun  9 17:14:32 uatvpngateway charon: 

Re: [strongSwan] Services unreachable after first connection

2020-06-09 Thread Tasslehoff Burrfoot
Thank you very much Tobias, I have another question.
During some tests I noticed that if I let a simple script run (basically a loop with "nmap -sT -P0 -p 389 10.128.4.15 10.128.4.16" and a 5 second sleep) to test port 389 on the two destination AD domain controllers, every ldapsearch action (or in general every action that involves a connection to port 389 of those two domain controllers) works perfectly fine and nmap always reports port 389 open.
If I stop the nmap loop after a few ldapsearch runs I get problems: the connection to ldap gets stuck and the nmap test reports port 389 filtered.

I noticed that port 389 is unreachable for exactly 300 seconds, after which nmap detects it open again.

I added some debug parameters to my ipsec.conf file (charondebug="ike 2, knl 2, cfg 2") but I didn't notice anything significant when the ldap connection gets stuck or opens again after 5 minutes.

Could this be related to some DPD or keepalive feature?

Best regards

Tas




On Fri, Jun 5, 2020 at 10:12 AM Tobias Brunner wrote:

> Hi Tas,
>
> > Do you think this strange behaviour can be caused by our strongswan
> > configuration?
>
> One thing that comes to mind in regards to TCP over IPsec are MTU/MSS
> issues [1].  But those would only have an effect on larger transmits,
> not on the initial TCP handshake.  That is, you should be able to create
> a new TCP connection even after another stalled.  If that's not the
> case, some firewall or routing issue could be the culprit (or a problem
> with the IPsec tunnel on the other end).
>
> By the way, you'll never see outbound plaintext traffic (e.g. a TCP SYN)
> in tcpdump [2].
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#MTUMSS-issues
> [2] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Capturing-outbound-plaintext-packets-with-tcpdumpwireshark
>


Re: [strongSwan] Unable to connect to client - no matching peer config found

2020-06-09 Thread Noel Kuntze
Hi Liong,

> Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]

rightid=1.2.3.4

Kind regards

Noel

Am 09.06.20 um 11:27 schrieb Liong Kok Foo:
> Hi,
> 
> I am new to strongswan and have not had much experience setting up VPN connections.
> 
> I need to set up a new VPN connection to a client but just cannot seem to get it working.
> 
> Here is the information provided by the client:
> 
> IKEv2 (Phase 1) Proposal
>   Available for ping (Yes/No): No
>   IKE Mode (Aggressive/Main): Main
>   IKE Authentication method: Pre-shared key
>   IKE Pre-shared key: xx
>   IKE Group: Group 14
>   IKE Encryption: AES-256
>   IKE Authentication: SHA2-256
>   IKE Lifetime (seconds): 86400
>   Life Time (KB): 86400
> 
> IPsec (Phase 2) Proposal
>   IPsec Group: Group 14
>   IPsec Protocol: ESP
>   IPsec Encryption: AES-256
>   IPsec Authentication: SHA2-256
>   IPsec Lifetime (seconds): 3600
>   Life Time (KB): 28800
>   Enable Perfect Forward Secrecy: Yes
>   PFS / DH-group: Yes/Gp-14
>   Encapsulation Mode: Tunnel
>   IP addresses carried in tunnel (Private IP address, IP range assigned by client): Crypto ACL
>   Source (Encryption Domain): 192.168.40.33/30 (DR), 192.168.40.34/30 (UAT)
>   Port: Any
>   VPN DPD always enabled: Enabled
>   To disable monitoring ICMP echo requests (or pings) -> by right used to determine if a VPN tunnel is up, however for this case it's dropping the VPN connections: Disabled
>   To disable proxy-ID negotiation, which is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations: Disabled
>   NAT traversal (TCP4500): Disabled
> 
> 
> Here is my configuration file:
> 
> ipsec.conf
> 
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> 
> config setup
> 
> conn %default
>     ikelifetime=1440m
>     keylife=60m
>     rekeymargin=3m
>     keyingtries=1
>     authby=secret
>     keyexchange=ikev2
>     mobike=no
> 
> conn net-net
>     left=10.15.66.10
>     leftsubnet=10.15.66.0/24
>     leftid=@me
>     leftfirewall=yes
>     # client public IP changed
>     right=1.2.3.4
>     rightsubnet=192.168.118.0/24
>     rightid=@client
>     ike=aes256-sha2_256-modp2048!
>     esp=aes256-sha2_256-modp2048!
>     auto=start
> 
> 
> ipsec.secrets:
> 
> # ipsec.secrets - strongSwan IPsec secrets file
> @me @client : PSK "xx"
> 
> 
> Here is a part of the message log:
> 
> Jun  9 17:14:32 uatvpngateway charon: 06[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
> Jun  9 17:14:32 uatvpngateway charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
> Jun  9 17:14:32 uatvpngateway charon: 06[IKE] 1.2.3.4 is initiating an IKE_SA
> Jun  9 17:14:32 uatvpngateway charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> Jun  9 17:14:32 uatvpngateway charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(MULT_AUTH) ]
> Jun  9 17:14:32 uatvpngateway charon: 06[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (392 bytes)
> Jun  9 17:14:32 uatvpngateway charon: 07[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (448 bytes)
> Jun  9 17:14:32 uatvpngateway charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
> Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
> Jun  9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found
> Jun  9 17:14:32 uatvpngateway charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Jun  9 17:14:32 uatvpngateway charon: 07[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (80 bytes)
> 
> I would appreciate it if anyone could help provide guidance on getting this working.
> 
> Thanks





[strongSwan] Unable to connect to client - no matching peer config found

2020-06-09 Thread Liong Kok Foo

Hi,

I am new to strongswan and have not had much experience setting up VPN connections.

I need to set up a new VPN connection to a client but just cannot seem to get it working.


Here is the information provided by the client:

IKEv2 (Phase 1) Proposal
  Available for ping (Yes/No): No
  IKE Mode (Aggressive/Main): Main
  IKE Authentication method: Pre-shared key
  IKE Pre-shared key: xx
  IKE Group: Group 14
  IKE Encryption: AES-256
  IKE Authentication: SHA2-256
  IKE Lifetime (seconds): 86400
  Life Time (KB): 86400

IPsec (Phase 2) Proposal
  IPsec Group: Group 14
  IPsec Protocol: ESP
  IPsec Encryption: AES-256
  IPsec Authentication: SHA2-256
  IPsec Lifetime (seconds): 3600
  Life Time (KB): 28800
  Enable Perfect Forward Secrecy: Yes
  PFS / DH-group: Yes/Gp-14
  Encapsulation Mode: Tunnel
  IP addresses carried in tunnel (Private IP address, IP range assigned by client): Crypto ACL
  Source (Encryption Domain): 192.168.40.33/30 (DR), 192.168.40.34/30 (UAT)
  Port: Any
  VPN DPD always enabled: Enabled
  To disable monitoring ICMP echo requests (or pings) -> by right used to determine if a VPN tunnel is up, however for this case it's dropping the VPN connections: Disabled
  To disable proxy-ID negotiation, which is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations: Disabled
  NAT traversal (TCP4500): Disabled


Here is my configuration file:

ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

conn %default
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn net-net
    left=10.15.66.10
    leftsubnet=10.15.66.0/24
    leftid=@me
    leftfirewall=yes
    # client public IP changed
    right=1.2.3.4
    rightsubnet=192.168.118.0/24
    rightid=@client
    ike=aes256-sha2_256-modp2048!
    esp=aes256-sha2_256-modp2048!
    auto=start


ipsec.secrets:

# ipsec.secrets - strongSwan IPsec secrets file
@me @client : PSK "xx"


Here is a part of the message log:

Jun  9 17:14:32 uatvpngateway charon: 06[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
Jun  9 17:14:32 uatvpngateway charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
Jun  9 17:14:32 uatvpngateway charon: 06[IKE] 1.2.3.4 is initiating an IKE_SA
Jun  9 17:14:32 uatvpngateway charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun  9 17:14:32 uatvpngateway charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(MULT_AUTH) ]
Jun  9 17:14:32 uatvpngateway charon: 06[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (392 bytes)
Jun  9 17:14:32 uatvpngateway charon: 07[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (448 bytes)
Jun  9 17:14:32 uatvpngateway charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
Jun  9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found
Jun  9 17:14:32 uatvpngateway charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun  9 17:14:32 uatvpngateway charon: 07[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (80 bytes)


I would appreciate it if anyone could help provide guidance on getting this working.


Thanks