[ added libreswan list to the CC: ]

On Wed, 4 Dec 2024, DaniloL88s wrote:
I really have several problems when I try to configure the ikev2 client to assign a static IP to a Windows client. I put below all the config files and what appears to me from the ipsec trafficstatus. I can't understand what the problem is, also because I have really tried so many times.
Yes, we need to add a better, simpler method to support static IP leases.
```
conn ikev2-cp
  rightaddresspool=192.168.43.100-192.168.43.250
[...]

conn ikev2-shared
  left=%defaultroute
  leftcert=45.xx.xxx.xxx
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  leftrsasigkey=%cert
  right=%any
  rightca=%same
  rightrsasigkey=%cert
  narrowing=yes
  dpddelay=30
  retransmit-timeout=300s
  dpdaction=clear
  ikev2=insist
  rekey=no
  pfs=no
  ike=aes_gcm_c_256-hmac_sha2_256-ecp_256,aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
  encapsulation=yes
  leftid=45.xx.xxx.xxx
  modecfgdns="8.8.8.8 8.8.4.4"
  mobike=no

conn DaniloPC
  rightid="CN=DaniloPC, O=IKEv2 VPN"
  rightaddresspool=192.168.43.20-192.168.43.20
  also=ikev2-shared

conn username
  rightid="CN=username, O=IKEv2 VPN"
  rightaddresspool=192.168.43.22-192.168.43.22
  also=ikev2-shared
```

Trafficstatus log:

```
#2: "ikev2-cp"[1] MYIP, type=ESP, add_time=1733338737, inBytes=119392, outBytes=354784, maxBytes=2^63B, id='CN=DaniloPC, O=IKEv2 VPN', lease=192.168.43.100/32
```

I don't understand why despite the various ipsec restarts and reboots of the operating system, despite having tried with different certificates and therefore clients, the problem persists. Do I forget to do something? Am I forgetting some step?
It looks like you got matched with conn ikev2-cp and not conn DaniloPC.

I think instead of hacking this into the template vs instance code selection, we should have a simple file allowing ID:IP matches to be used with a generic addresspool.

A workaround could be to use a different leftid= for ikev2-cp vs the individual conns. But that would then require custom params on the clients as well.

Paul
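
A check for the symptom discussed in this thread, as an added example that is not part of the original messages or of libreswan itself: it reads `ipsec trafficstatus` output and reports peers whose ID has a static assignment but who were matched by another conn or handed a different lease. The line format is assumed from the single line quoted above; `check_leases`, `EXPECTED` and the second sample line are constructed for illustration.

```python
import re

# Constructed input: the trafficstatus line quoted in the thread, plus a
# hypothetical line showing what a correctly matched client would look like.
SAMPLE = """\
#2: "ikev2-cp"[1] MYIP, type=ESP, add_time=1733338737, inBytes=119392, outBytes=354784, maxBytes=2^63B, id='CN=DaniloPC, O=IKEv2 VPN', lease=192.168.43.100/32
#3: "username"[1] MYIP, type=ESP, add_time=1733338800, inBytes=10, outBytes=20, maxBytes=2^63B, id='CN=username, O=IKEv2 VPN', lease=192.168.43.22/32
"""

# Peer ID -> (conn that should match, static address), from the posted config.
EXPECTED = {
    "CN=DaniloPC, O=IKEv2 VPN": ("DaniloPC", "192.168.43.20"),
    "CN=username, O=IKEv2 VPN": ("username", "192.168.43.22"),
}

# Assumed shape: #N: "conn"[inst] ..., id='...', lease=a.b.c.d/32
LINE_RE = re.compile(
    r'^#(?P<serial>\d+):\s+"(?P<conn>[^"]+)"(?:\[\d+\])?'
    r".*?\bid='(?P<id>[^']*)'"
    r"(?:.*?\blease=(?P<lease>[0-9A-Fa-f.:]+))?"
)


def check_leases(text, expected=EXPECTED):
    """Return (serial, peer_id, problem) tuples for tunnels that missed their static conn or lease."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["id"] not in expected:
            continue  # not a tunnel line, or a peer with no static assignment
        want_conn, want_ip = expected[m["id"]]
        if m["conn"] != want_conn:
            findings.append((m["serial"], m["id"],
                             f'matched conn "{m["conn"]}", expected "{want_conn}"'))
        if m["lease"] != want_ip:
            findings.append((m["serial"], m["id"],
                             f'lease {m["lease"]}, expected {want_ip}'))
    return findings


if __name__ == "__main__":
    for serial, peer_id, problem in check_leases(SAMPLE):
        print(f"#{serial} {peer_id}: {problem}")
```
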
