I have stumbled on the following problem when assigning a virtual IP address to my road warrior behind a NAT traversal configuration, described on the strongSwan web page “IKEv2 configuration examples”, “RSA authentication with X.509 certificates” – NAT.
When the following parameters “leftsourceip=%config” and “rightsourceip=192.168.20.0/24” are entered in the config of my client and server respectively, the following message is seen in the logs: “no acceptable traffic selectors found”. It is not possible to ping anything behind the server! Without those two parameters the configuration works, but I have no virtual IP addresses assigned to the clients! Has anyone seen this before, and if so, can you point me to some documentation on what traffic selectors are and how they work? I have found this post, but I still could not understand what traffic selectors actually are!

IKE_SA nat-t[1] established between 192.168.26.200[C=BG, ST=Plovdivska, O=Tnet, OU=Tito, [email protected]]...78.130.224.aaa[some.sytes.net]
installing DNS server 89.25.0.253 to /var/run/strongswan/resolv.conf
installing DNS server 192.168.0.101 to /var/run/strongswan/resolv.conf
installing new virtual IP 192.168.20.1
no acceptable traffic selectors found

Jan 13 12:14:36 linux-a9id charon: 12[IKE] peer requested virtual IP %any
Jan 13 12:14:36 linux-a9id charon: 12[CFG] reassigning offline lease to 'C=BG, ST=Plovdivska, O=Tnet, OU=Tito, [email protected]'
Jan 13 12:14:36 linux-a9id charon: 12[IKE] assigning virtual IP 192.168.20.1 to peer
Jan 13 12:14:36 linux-a9id vpn: + C=BG, ST=Plovdivska, O=Tnet, OU=Tito, [email protected] 192.168.26.0/24 == 79.245.26.BBB -- 78.130.224.AAA == 192.168.25.0/24
Jan 13 12:14:36 linux-a9id charon: 12[IKE] CHILD_SA nat-t{2} established with SPIs c8102dc9_i c9f61bbc_o and TS 192.168.25.0/24 === 192.168.26.0/24
Jan 13 12:14:36 linux-a9id charon: 12[IKE] CHILD_SA nat-t{2} established with SPIs c8102dc9_i c9f61bbc_o and TS 192.168.25.0/24 === 192.168.26.0/24
Jan 13 12:14:36 linux-a9id charon: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Jan 13 12:14:36 linux-a9id charon: 12[NET] sending packet: from 78.130.224.AAA[4500] to 79.245.26.BBB[4500]
//roadwarrior client
config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no
    # charondebug="cfg 4"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    leftsendcert=yes

conn nat-t
    left=%defaultroute
    leftsourceip=%config
    leftcert=someCert.pem
    [email protected]
    leftfirewall=yes
    right=some.sytes.net
    [email protected]
    rightsubnet=192.168.25.0/24
    auto=add

//server
# ipsec.conf - strongSwan IPsec configuration file
config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no
    # charondebug="cfg 4"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    left=some.sytes.net
    leftcert=serverCert.pem
    [email protected]
    leftfirewall=yes

conn net-net
    leftsubnet=192.168.25.0/24
    right=bartsimpson.sytes.net
    rightsubnet=192.168.26.0/24
    [email protected]
    auto=add

conn host-host
    right=bartsimpson.sytes.net
    [email protected]
    auto=add

conn nat-t
    leftsubnet=192.168.25.0/24
    right=%any
    rightsubnet=192.168.26.0/24
    rightsourceip=192.168.20.0/24
    auto=add

--
Sincerely / Mit freundlichen Gruessen / искренне Ваш / искрено Ваш / bien à vous
Konstantin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
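Added example (not part of the original post and not strongSwan code): a simplified Python model of IKEv2 traffic selector narrowing (RFC 7296, section 2.9), run over the subnets in the configs above. It assumes that a client using leftsourceip=%config with no leftsubnet uses its assigned virtual IP as its local selector; the function names are hypothetical, ports and protocols are ignored, and the second case is a constructed comparison rather than a setting from the post.

```python
import ipaddress


def narrow(proposed, configured):
    """Intersect two selector lists; CIDR blocks overlap only by containment."""
    common = []
    for p in map(ipaddress.ip_network, proposed):
        for c in map(ipaddress.ip_network, configured):
            if p.subnet_of(c):
                common.append(p)      # proposal already fits the policy
            elif c.subnet_of(p):
                common.append(c)      # proposal is narrowed to the policy
    return common


def negotiate(init_local, init_remote, resp_local, resp_remote):
    """Return (TSi, TSr) for the CHILD_SA, or None if either side is empty."""
    tsi = narrow(init_local, resp_remote)   # initiator side vs. responder's "right"
    tsr = narrow(init_remote, resp_local)   # responder side vs. responder's "left"
    if not tsi or not tsr:
        return None                         # "no acceptable traffic selectors found"
    return tsi, tsr


# Values taken from the post.
VIRTUAL_IP = ["192.168.20.1/32"]            # lease handed out from rightsourceip
CLIENT_RIGHTSUBNET = ["192.168.25.0/24"]    # client conn nat-t
SERVER_LEFTSUBNET = ["192.168.25.0/24"]     # server conn nat-t
SERVER_RIGHTSUBNET = ["192.168.26.0/24"]    # server conn nat-t
POOL = ["192.168.20.0/24"]                  # server rightsourceip


def as_posted():
    # The virtual IP is not inside 192.168.26.0/24, so the initiator side is empty.
    return negotiate(VIRTUAL_IP, CLIENT_RIGHTSUBNET,
                     SERVER_LEFTSUBNET, SERVER_RIGHTSUBNET)


def pool_as_remote_selector():
    # Constructed comparison: responder's remote selector covers the address pool.
    return negotiate(VIRTUAL_IP, CLIENT_RIGHTSUBNET, SERVER_LEFTSUBNET, POOL)


if __name__ == "__main__":
    print("as posted:", as_posted())
    print("pool as remote selector:", pool_as_remote_selector())
```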
