I must be a problem child... but I'm learning fast. I'm mostly satisfied with L2TP (save for my last tunnel/transport question), so I've moved on to the more secure 'pure' IPsec configurations.

I've been working on IP address & DNS assignment setup via IKEv1 & IKEv2; I've been following:

  http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/
  http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/

I have the ipsec pool configured properly, I believe; 'ipsec pool --status' shows the pool I'm expecting, at any rate. However, with both IKEv1 (Racoon/OS X) and IKEv2 (Win 7), I'm unable to get IP addresses.

With IKEv1, I've got the OS X client to the point where it is able to establish an IPsec SA. It has the config option "mode_cfg on". However, I'm not seeing any ModeCfg messages in 'auth.log | grep pluto'.

For IKEv2, the error is:

  Sep 23 22:37:52 pilot charon: 13[IKE] peer requested virtual IP %any
  Sep 23 22:37:52 pilot charon: 13[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE

My network is as follows:

  <something>     - Dynamic address; I use DynDNS to resolve it to a host name.
  192.168.1.1/24  (Main address space)
  192.168.2.1/24  (DMZ address space; unused)
  192.168.3.1/24  (Used for OpenVPN - for locations where ESP is blocked at the firewall)
  192.168.4.1/26  (IPsec pool)

So I think a connection would be along the lines of:

  (Int. network)      (Internet IP)        (RW ISP)            Road Warrior
  192.168.0.0/21  --  ISP Assigned IP  ..  ISP Assigned IP  --  NAT IP

My configuration (with L2TP removed, for clarity) is as follows:

config setup
    crlcheckinterval="600"
    cachecrls=yes
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24,%v4:!192.168.4.0/24
    interfaces=%defaultroute

conn %default
    keyingtries=1
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyexchange=ikev2
    ike=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
    esp=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
    compress=yes
    left=%defaultroute
    right=%any
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    pfs=yes

conn rw-local-nat
    rightsubnet=vhost:%no,%priv
    also=rw-local

conn rw-local
    keyexchange=ikev1
    # Supposedly rekey can be no, because the client will ask for it...
    rekey=no
    leftsubnet=192.168.1.0/24
    rightsourceip=%hostpool
    also=rw

conn rw-charon
    leftsubnet=192.168.1.0/24
    # In case we want a different (volatile) pool
    # rightsourceip=192.168.4.64/26
    rightsourceip=%hostpool
    also=rw

conn rw
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=pilotCert.pem
    [email protected]
    rightid="C=US... CN=*, E=*"
    rightca=%same
    auto=add

$ ipsec pool --status
dns servers: 192.168.1.1
no nbns servers found.
name       start        end           timeout  size  online     usage
hostpool   192.168.4.2  192.168.4.63  static   62    0 (  0%)   0 (  0%)

$ ipsec pool --statusattr
type  description       pool  identity  value
3     INTERNAL_IP4_DNS                  192.168.1.1

$ ipsec pool --showattr
internal_ip4_netmask   --addr    (INTERNAL_IP4_NETMASK)
internal_ip6_netmask   --addr    (INTERNAL_IP6_NETMASK)
netmask                --addr    (INTERNAL_IP4_NETMASK, INTERNAL_IP6_NETMASK)
internal_ip4_dns       --addr    (INTERNAL_IP4_DNS)
internal_ip6_dns       --addr    (INTERNAL_IP6_DNS)
dns                    --addr    (INTERNAL_IP4_DNS, INTERNAL_IP6_DNS)
internal_ip4_nbns      --addr    (INTERNAL_IP4_NBNS)
internal_ip6_nbns      --addr    (INTERNAL_IP6_NBNS)
nbns                   --addr    (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)
wins                   --addr    (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)
internal_ip4_dhcp      --addr    (INTERNAL_IP4_DHCP)
internal_ip6_dhcp      --addr    (INTERNAL_IP6_DHCP)
dhcp                   --addr    (INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP)
internal_ip4_server    --addr    (INTERNAL_IP4_SERVER)
internal_ip6_server    --addr    (INTERNAL_IP6_SERVER)
server                 --addr    (INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER)
application_version    --string  (APPLICATION_VERSION)
version                --string  (APPLICATION_VERSION)
unity_banner           --string  (UNITY_BANNER)
banner                 --string  (UNITY_BANNER)
unity_def_domain       --string  (UNITY_DEF_DOMAIN)
unity_splitdns_name    --string  (UNITY_SPLITDNS_NAME)
unity_split_include    --subnet  (UNITY_SPLIT_INCLUDE)
unity_local_lan        --subnet  (UNITY_LOCAL_LAN)

So what do I need to do in order to get IP address assignment working?

-- 
Troy Telford

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
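Added example, not part of Troy's post or of strongSwan itself: a small Python diagnostic that parses the kinds of input quoted above (an ipsec.conf with also= chains, the pool table printed by `ipsec pool --status`, and charon's log lines), resolves each conn the way the daemon does (a conn's own keys over keys pulled in via also=, both over conn %default), cross-checks every rightsourceip=%name against the pools the attr-sql database actually lists, and picks out the "no virtual IP found" lines a defender would alert on. The sample inputs are constructed inline and reduced from the post; the parser is a simplification of the real ipsec.conf grammar, and the precedence rule it applies is the one the ipsec.conf man page documents.

```python
"""Cross-check strongSwan roadwarrior pool wiring (rightsourceip=%name vs. `ipsec pool
--status`) and flag charon's virtual-IP failures. Example code, not part of strongSwan."""
import re

# Constructed sample inputs, reduced from the ipsec.conf, pool status and log in the post.
IPSEC_CONF = """\
conn %default
    keyexchange=ikev2

conn rw-local-nat
    rightsubnet=vhost:%no,%priv
    also=rw-local

conn rw-local
    keyexchange=ikev1
    rightsourceip=%hostpool
    also=rw

conn rw-charon
    rightsourceip=%hostpool
    also=rw

conn rw
    auto=add
"""
POOL_STATUS = """\
name       start        end           timeout  size  online     usage
hostpool   192.168.4.2  192.168.4.63  static   62    0 (  0%)   0 (  0%)
"""
AUTH_LOG = """\
Sep 23 22:37:52 pilot charon: 13[IKE] peer requested virtual IP %any
Sep 23 22:37:52 pilot charon: 13[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
"""
SECTION_RE = re.compile(r'^(conn|config|ca)\s+(\S+)\s*$')
POOL_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*\(\s*\d+%\)\s+(\d+)')
LOG_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) charon: (\d+)\[(\w+)\] (.*)$')

def parse_ipsec_conf(text):
    """{conn name: {key: value}}: conn sections only, 'also' kept as a list, comments dropped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        m = SECTION_RE.match(line)
        if m:  # section header; config setup / ca sections are skipped
            current = conns.setdefault(m.group(2), {}) if m.group(1) == 'conn' else None
        elif current is not None and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            if key == 'also':
                current.setdefault('also', []).append(value)
            else:
                current[key] = value
    return conns

def effective_conn(conns, name, seen=frozenset()):
    """Conn as the daemon sees it: own keys > also= keys > conn %default."""
    if name in seen:
        raise ValueError('also= loop at ' + name)
    own = dict(conns.get(name, {}))
    merged = dict(conns.get('%default', {})) if not seen else {}  # %default only at top level
    merged.pop('also', None)
    for base in own.pop('also', []):
        merged.update(effective_conn(conns, base, seen | {name}))
    merged.update(own)
    return merged

def parse_pool_status(text):
    """Pool table of `ipsec pool --status` as {name: {start, end, timeout, size, online, usage}}."""
    pools = {}
    for m in filter(None, map(POOL_RE.match, map(str.strip, text.splitlines()))):
        name, start, end, timeout, size, online, usage = m.groups()
        pools[name] = dict(start=start, end=end, timeout=timeout,
                           size=int(size), online=int(online), usage=int(usage))
    return pools

def pool_references(conns):
    """Each conn (except %default) -> pool named by rightsourceip=%name, else None."""
    refs = {}
    for name in (n for n in conns if n != '%default'):
        src = effective_conn(conns, name).get('rightsourceip', '')
        refs[name] = src[1:] if src.startswith('%') else None
    return refs

def check_pool_references(conns, pools):
    """Findings: a named pool the database does not list, a named pool with no addresses,
    or an IKEv2 conn (one charon may select) that carries no rightsourceip at all."""
    findings = []
    for conn_name, pool in pool_references(conns).items():
        conn = effective_conn(conns, conn_name)
        if pool is None and 'rightsourceip' not in conn and conn.get('keyexchange') == 'ikev2':
            findings.append(conn_name + ': IKEv2 conn without rightsourceip')
        elif pool is not None and pool not in pools:
            findings.append(conn_name + ': pool "' + pool + '" not in attr-sql database')
        elif pool is not None and pools[pool]['size'] == 0:
            findings.append(conn_name + ': pool "' + pool + '" has no addresses')
    return findings

def virtual_ip_failures(log_text):
    """(timestamp, host, thread, message) for charon lines reporting a failed virtual-IP lookup."""
    hits = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        if 'no virtual IP found' in m.group(5) or 'INTERNAL_ADDRESS_FAILURE' in m.group(5):
            hits.append((m.group(1), m.group(2), int(m.group(3)), m.group(5)))
    return hits

if __name__ == '__main__':
    conns, pools = parse_ipsec_conf(IPSEC_CONF), parse_pool_status(POOL_STATUS)
    print(check_pool_references(conns, pools) or 'no pool findings')
    print(virtual_ip_failures(AUTH_LOG))
```

Run against the post's own configuration, the pool lookup itself checks out (hostpool exists and holds 62 addresses); the one finding is that conn rw is an IKEv2 conn loaded with auto=add that carries no rightsourceip, since it only inherits from conn %default. Whether charon actually picks rw rather than rw-charon for the Windows client is something to compare against the peer config charon reports selecting in its log, not something this script can decide; the log filter is the piece worth keeping as an alert rule, because the same two lines appear when a pool is simply exhausted.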
