Hi Paul, and thanks!

On 27/11/15 17:34, Paul Wouters wrote:
> On Fri, 27 Nov 2015, John Crisp wrote:
>
> You should use the DNS name (or %any/%defaultroute) for the right/left and
> the syntax with the @ for the ID (to prevent the ID from being resolved
> as a hostname)
>

Ok - we got it, thank you... we got our wires crossed here...!

>> It seems the ID from the Dynamic host does not match the secret but I
>
> If you use [email protected] and [email protected] then
> use in ipsec.secrets:
>
> @remote.dyndns.org @local.dyndns.org : PSK "yoursecret"
>

OK - we'll try that. Think we may have had the same issue with mixing the IDs as above.

> Note that if your local IP changes, you must run:
>
> ipsec whack --listen
> ipsec auto --replace yourconn
> (and ipsec auto --up yourconn if you want to start it right away)
>

OK, I understand that on the dynamic.... with this particular dynamic it is really just on reboots when it gets a new IP.

On the static host we set the dpd to clear; the dynamic goes offline, the static clears the connection correctly, but when the dynamic host comes back up with a new IP the static refuses to accept the connection.

I believe that this is the case for IKE v1 (?), but for IKE v2 I believe it can just use IDs. But we tried that and it was a miserable fail.... the static never accepts the new IP or an ID until the static has been restarted.

Here 5.6.7.8 is the dynamic with its new IP address trying to reconnect; 1.2.3.4 is the static host. Using rsasig and IKE v2, which works once both ends are restarted:

Nov 29 02:22:31: packet from 5.6.7.8:500: initial parent SA message received on 1.2.3.4:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
Nov 29 02:22:31: packet from 5.6.7.8:500: initial parent SA message received on 1.2.3.4:500 but no connection has been authorized with policy PSK+IKEV2_ALLOW
Nov 29 02:22:31: packet from 5.6.7.8:500: initial parent SA message received on 1.2.3.4:500 but no connection has been authorized with policy AUTHNULL+IKEV2_ALLOW
Nov 29 02:22:31: packet from 5.6.7.8:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 5.6.7.8:500

ipsec whack --status shows static still looking for the old IP address:

"TestToRemote": 192.168.80.0/24===1.2.3.4[@Remote]---60.x.x.1...4.3.2.1<previousip.dyndns.org>[@Local]===192.168.20.0/24; prospective erouted; eroute owner: #0
"TestToRemote": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW;

Unless static is restarted the connection will not come up. I'm not sure if we are doing the impossible or not? :-)

As a side issue we also saw a few errors in the logs whilst testing IKE v2:

3.15

On static:

EXPECTATION FAILED at /home/john/rpmbuild/BUILD/libreswan-3.15/programs/pluto/ikev2_parent.c:3930: !IS_CHILD_SA(st)

On Dynamic:

EXPECTATION FAILED at /home/john/rpmbuild/BUILD/libreswan-3.15/programs/pluto/ikev1.c:2843: r != NULL

Any thoughts gratefully appreciated!

B. Rgds

John
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
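The two pieces of advice in the thread, the `@`-form IDs in ipsec.conf/ipsec.secrets and the `whack --listen` / `auto --replace` / `auto --up` sequence after an address change, fit together into a small helper script. The following is an added example and is not code from the thread or from the Libreswan project. It parses the `ipsec whack --status` line for the address pluto currently holds next to a dynamic-DNS name, resolves the name again, and runs Paul's re-read sequence only when the two differ. The connection name `TestToRemote`, the IDs `@Remote`/`@Local`, the subnets and the host `previousip.dyndns.org` are taken from the status line John quotes; the reference ipsec.conf fragment, the PSK secret, the `getent ahostsv4` call (glibc-specific) and the assumption that the same replace sequence also makes the static side re-resolve the peer name are all mine, not something the thread confirms.

```shell
#!/bin/sh
# Added example (not from the thread or Libreswan): re-read a libreswan
# connection when the address behind a dynamic-DNS name changes.
# Assumed names: conn "TestToRemote", peer name "previousip.dyndns.org"
# (both from the status line quoted in the thread).

# Reference config for the static side, matching the quoted status line.
# ipsec.secrets pairs the same @-IDs so neither side resolves them as hostnames
# (PSK value and dpd timers are assumptions; the @-ID form is Paul's advice).
print_reference_config() {
    cat <<'EOF'
# /etc/ipsec.conf
conn TestToRemote
    left=1.2.3.4
    leftid=@Remote
    leftsubnet=192.168.80.0/24
    right=previousip.dyndns.org
    rightid=@Local
    rightsubnet=192.168.20.0/24
    authby=secret
    ikev2=insist
    dpdaction=clear
    dpddelay=30
    dpdtimeout=120
    auto=add

# /etc/ipsec.secrets
@Remote @Local : PSK "change-me-constructed-sample"
EOF
}

# Extract the IPv4 address pluto has cached in front of "<hostname>" in a
# status line like:
#   "TestToRemote": 192.168.80.0/24===1.2.3.4[@Remote]---60.x.x.1...4.3.2.1<previousip.dyndns.org>[@Local]===...
# Usage: cached_ip_for_host "<status line>" "<hostname>"  (prints the address)
cached_ip_for_host() {
    _esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # make dots in the name literal
    printf '%s\n' "$1" |
        sed -n "s/.*[^0-9]\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\)<$_esc>.*/\1/p"
}

# First IPv4 answer for a name (getent ahostsv4 is a glibc-specific assumption).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{ print $1; exit }'
}

# Exit status 0 when both addresses are known and differ, 1 otherwise.
ip_changed() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# The re-read sequence quoted from Paul; pluto keeps the old address until it runs.
reload_conn() {
    ipsec whack --listen
    ipsec auto --replace "$1"
    ipsec auto --up "$1"
}

# Compare what pluto holds for name $2 on conn $1 with DNS; reload on change.
check_and_reload() {
    _status=$(ipsec whack --status | grep -F "\"$1\": " | grep -F '===' | head -n 1)
    _cached=$(cached_ip_for_host "$_status" "$2")
    _now=$(resolve_ipv4 "$2")
    if ip_changed "$_cached" "$_now"; then
        echo "$2: $_cached -> $_now, replacing $1"
        reload_conn "$1"
    else
        echo "$2: still ${_cached:-unknown}, nothing to do"
    fi
}

# Run as: sh refresh-dyn-peer.sh check TestToRemote previousip.dyndns.org
# or:     sh refresh-dyn-peer.sh config
# The guard keeps the ipsec commands from running when the file is only sourced.
case "${1:-}" in
    check)  check_and_reload "$2" "$3" ;;
    config) print_reference_config ;;
esac
```

Run it from cron on the host whose peer is the dynamic one; nothing is replaced unless DNS and pluto disagree, so a stable address costs one `whack --status` and one lookup per run.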
