Hi Tito,
if the client gets a virtual IP address then the traffic selector
will be <virtual IP>/32. Thus you cannot define
rightsubnet=192.168.26.0/24
if the pool is
rightsourceip=192.168.20.0/24
Regards
Andreas
Tito wrote:
> I have stumbled on the following problem when assigning a Virtual IP
> address to my road warrior behind traversal NAT configuration,
> described in strongswan web page “IKE2 configuration examples “RSA
> authentication with X.509 certificates” – NAT.
>
> When the following parameters “leftsourceip=%config” and
> “rightsourceip=192.168.20.0/24” are entered in the config of my
> client and server correspondingly, the following message is seen
> in the logs:
>
> “no acceptable traffic selectors found”. It is not possible to ping
> anything behind the server! Without those two parameters the
> configuration is working but I have no virtual IP addresses assigned to
> the clients!
>
> Has anyone seen this before, and if so can you point me to some
> documentation on what traffic selectors are and how they work? I have found
> this post, but I still could not understand what traffic selectors actually are!
>
>
>
> IKE_SA nat-t[1] established between 192.168.26.200[C=BG, ST=Plovdivska,
> O=Tnet, OU=Tito, [email protected]]...78.130.224.aaa[some.sytes.net]
> installing DNS server 89.25.0.253 to /var/run/strongswan/resolv.conf
> installing DNS server 192.168.0.101 to /var/run/strongswan/resolv.conf
> installing new virtual IP 192.168.20.1
> no acceptable traffic selectors found
>
>
>
> Jan 13 12:14:36 linux-a9id charon: 12[IKE] peer requested virtual IP %any
> Jan 13 12:14:36 linux-a9id charon: 12[CFG] reassigning offline lease to
> 'C=BG, ST=Plovdivska, O=Tnet, OU=Tito, [email protected]'
> Jan 13 12:14:36 linux-a9id charon: 12[IKE] assigning virtual IP
> 192.168.20.1 to peer
> Jan 13 12:14:36 linux-a9id vpn: + C=BG, ST=Plovdivska, O=Tnet, OU=Tito,
> [email protected] 192.168.26.0/24 == 79.245.26.BBB --
> 78.130.224.AAA == 192.168.25.0/24
> Jan 13 12:14:36 linux-a9id charon: 12[IKE] CHILD_SA nat-t{2} established
> with SPIs c8102dc9_i c9f61bbc_o and TS 192.168.25.0/24 === 192.168.26.0/24
> Jan 13 12:14:36 linux-a9id charon: 12[IKE] CHILD_SA nat-t{2} established
> with SPIs c8102dc9_i c9f61bbc_o and TS 192.168.25.0/24 === 192.168.26.0/24
> Jan 13 12:14:36 linux-a9id charon: 12[ENC] generating IKE_AUTH response
> 1 [ IDr CERT AUTH CP SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
> Jan 13 12:14:36 linux-a9id charon: 12[NET] sending packet: from
> 78.130.224.AAA[4500] to 79.245.26.BBB[4500]
>
>
> //roadwarrior client
> config setup
>     crlcheckinterval=180
>     strictcrlpolicy=no
>     plutostart=no
>     # charondebug="cfg 4"
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     leftsendcert=yes
>
> conn nat-t
>     left=%defaultroute
>     leftsourceip=%config
>     leftcert=someCert.pem
>     [email protected]
>     leftfirewall=yes
>     right=some.sytes.net
>     [email protected]
>     rightsubnet=192.168.25.0/24
>     auto=add
>
>
> //server
> # ipsec.conf - strongSwan IPsec configuration file
> config setup
>     crlcheckinterval=180
>     strictcrlpolicy=no
>     plutostart=no
>     # charondebug="cfg 4"
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     left=some.sytes.net
>     leftcert=serverCert.pem
>     [email protected]
>     leftfirewall=yes
>
> conn net-net
>     leftsubnet=192.168.25.0/24
>     right=bartsimpson.sytes.net
>     rightsubnet=192.168.26.0/24
>     [email protected]
>     auto=add
>
> conn host-host
>     right=bartsimpson.sytes.net
>     [email protected]
>     auto=add
>
> conn nat-t
>     leftsubnet=192.168.25.0/24
>     right=%any
>     rightsubnet=192.168.26.0/24
>     rightsourceip=192.168.20.0/24
>     auto=add
>
--
======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
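
The mismatch described in the reply above, as an added example (not part of the original thread and not strongSwan code): a small checker that reads ipsec.conf-style text and flags any conn whose rightsourceip pool lies outside its rightsubnet. The function names, the simplified parser and the "nat-t-fixed" conn are assumptions; the sample is constructed and abridged from the server config quoted in the thread.

```python
import ipaddress

# Constructed sample: the server's "nat-t" conn from the thread (abridged),
# plus a hypothetical "nat-t-fixed" variant with the rightsubnet line dropped.
SAMPLE_CONF = """\
conn nat-t
    leftsubnet=192.168.25.0/24
    rightsubnet=192.168.26.0/24
    rightsourceip=192.168.20.0/24

conn nat-t-fixed
    leftsubnet=192.168.25.0/24
    rightsourceip=192.168.20.0/24
"""

def parse_conns(text):
    """Simplified ipsec.conf reader: {conn name: {option: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line starts a new section
            words = line.split()
            is_conn = words[0] == "conn" and len(words) == 2
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def pool_outside_rightsubnet(text):
    """Conns whose virtual IP pool is not covered by their rightsubnet."""
    flagged = []
    for name, opts in parse_conns(text).items():
        pool, subnets = opts.get("rightsourceip", ""), opts.get("rightsubnet")
        if "/" not in pool or not subnets:
            continue  # no CIDR pool (e.g. %config) or no explicit rightsubnet
        pool_net = ipaddress.ip_network(pool, strict=False)
        allowed = [ipaddress.ip_network(s.strip(), strict=False)
                   for s in subnets.split(",")]
        # Per the reply above, the client's selector is <virtual IP>/32, so
        # the pool must fall inside a subnet allowed for the right side.
        if not any(a.version == pool_net.version and pool_net.subnet_of(a)
                   for a in allowed):
            flagged.append(name)
    return flagged
```

Calling pool_outside_rightsubnet(SAMPLE_CONF) reports only the conn that combines rightsubnet=192.168.26.0/24 with the 192.168.20.0/24 pool.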