Hello, I am trying to set up an IKEv2 connection with no luck. I see in the RADIUS logs that authentication is successful and the RADIUS reply contains a valid Framed-IP-Address; however, it seems I don't have an appropriate option to use it in ipsec.conf.
Can someone point out where the issue is and how to make libreswan assign the Framed-IP-Address to the remote peer endpoint?

My config:

conn ikev2-cp
    left=1.1.1.1
    leftcert=1.1.1.1
    [email protected]
    leftsendcert=always
    leftrsasigkey=%cert
    right=%any
    rightid=%fromcert
    rightca=%same
    rightrsasigkey=%cert
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    encapsulation=yes
    mobike=no
    pfs=no
    ike-frag=yes
    ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
    phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
    pam-authorize=yes

Logs:

Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: processing IKE_SA_INIT request: SA,KE,Ni,N,N (message arrived 0 seconds ago)
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2: constructed local IKE proposals for ikev2-cp (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 5:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024 6:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: proposal 4:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP1024 chosen from remote proposals 1:IKE:ENCR=3DES;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024 2:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA1;DH=MODP1024 3:IKE:ENCR=3DES;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024 4:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP1024[first-match] 5:IKE:ENCR=3DES;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024 6:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_384_192;PRF=HMAC_SHA2_384;DH=MODP1024
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP1024}
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: processing encrypted IKE_AUTH request: SK (message arrived 0 seconds ago)
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,N,CP,SA,TSi,TSr}
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: loading root certificate cache
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: certificate verified OK: O=myorg,CN=mycli
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=mycli, O=myorg'
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: Authenticated using RSA
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: IKEv2: [XAUTH]PAM method requested to authorize 'CN=mycli, O=myorg'
Nov 24 16:29:36 myhost pluto[10844]: pam_radius_auth: Got user name CN=mycli, O=myorg
Nov 24 16:29:36 myhost pluto[10844]: pam_radius_auth: ignore last_pass, force_prompt set
Nov 24 16:29:36 myhost pluto[10844]: pam_radius_auth: Sending RADIUS request code 1
Nov 24 16:29:36 myhost pluto[10844]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7f278eae02e0.
Nov 24 16:29:36 myhost pluto[10844]: pam_radius_auth: Got RADIUS response code 2
Nov 24 16:29:36 myhost pluto[10844]: pam_radius_auth: authentication succeeded
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: PAM: #1: completed for user 'CN=mycli, O=myorg' with status SUCCESSS
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #2: deleting other state #2 (STATE_UNDEFINED) aged 0.000s and NOT sending notification
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: responding to IKE_AUTH message (ID 1) from 2.2.2.2:4500 with encrypted notification TS_UNACCEPTABLE
Nov 24 16:32:56 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: deleting incomplete state after 200.000 seconds
Nov 24 16:32:56 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: deleting state (STATE_PARENT_R2) aged 200.200s and sending notification
Nov 24 16:32:56 myhost pluto[10826]: deleting connection "ikev2-cp"[1] 2.2.2.2 instance with peer 2.2.2.2 {isakmp=#0/ipsec=#0}

--
Regards,
Yevgeny
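
Added example (not part of the original post and not libreswan code): a small Python triage script for pluto log lines in the format quoted above. It pulls out the negotiated IKE suite, the PAM result and any notification sent back, so a session that authenticates and then ends in TS_UNACCEPTABLE stands out. The sample lines are constructed from the post's log, and the FLAGGED policy (treating MODP1024 as worth flagging) is an assumption.

```python
import re

# Constructed sample: three lines shaped like the pluto output quoted in the post.
SAMPLE_LOG = """\
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP1024}
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: PAM: #1: completed for user 'CN=mycli, O=myorg' with status SUCCESSS
Nov 24 16:29:36 myhost pluto[10826]: "ikev2-cp"[1] 2.2.2.2 #1: responding to IKE_AUTH message (ID 1) from 2.2.2.2:4500 with encrypted notification TS_UNACCEPTABLE
"""

# "conn"[instance] peer #state: message
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: (?P<msg>.*)')
SUITE = re.compile(r"\{auth=IKEv2 ([^}]*)\}")
PAM = re.compile(r"PAM: #\d+: completed for user '([^']*)' with status (\S+)")
NOTIFY = re.compile(r"with encrypted notification ([A-Z0-9_]+)")

# Assumed local policy, not something pluto reports: values to flag per field.
FLAGGED = {"group": {"MODP1024"}}


def triage(log_text):
    """Summarise each (connection, peer) pair: negotiated suite, PAM result, notifies."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-state pluto line (e.g. pam_radius_auth output)
        s = sessions.setdefault(
            (m["conn"], m["peer"]),
            {"suite": {}, "flagged": [], "pam_user": None, "pam_ok": None, "notifies": []},
        )
        msg = m["msg"]
        if suite := SUITE.search(msg):
            s["suite"] = dict(kv.split("=", 1) for kv in suite[1].split())
            s["flagged"] = sorted(
                f"{k}={v}" for k, v in s["suite"].items() if v in FLAGGED.get(k, ())
            )
        if pam := PAM.search(msg):
            s["pam_user"] = pam[1]
            # The status is matched by prefix; the log above prints "SUCCESSS".
            s["pam_ok"] = pam[2].startswith("SUCCESS")
        if notify := NOTIFY.search(msg):
            s["notifies"].append(notify[1])
    return sessions


if __name__ == "__main__":
    for (conn, peer), summary in triage(SAMPLE_LOG).items():
        print(conn, peer, summary)
```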
