Hello Troy,

do pluto and charon both load the attr-sql and sqlite plugins? ipsec statusall should enumerate them.

Regards
Andreas

On 24.09.2010 07:20, Troy Telford wrote:
> I must be a problem child... but I'm learning fast.
>
> I'm mostly satisfied with L2TP (Save for my last tunnel/transport
> question), so I've moved on to the more secure 'pure' IPsec
> configurations.
>
> I've been working on IP Address & DNS assignment setup via IKEv1 & IKEv2;
>
> I've been following:
> http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/
> http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/
>
> I have the ipsec pool configured properly, I believe; 'ipsec pool
> --status' shows the pool I'm expecting, at any rate. However, with
> both IKEv1 (Racoon/OS X) and IKEv2 (Win 7), I'm unable to get IP
> addresses.
>
> With IKEv1, I've got the OS X client so it is able to establish an
> IPsec SA. It has the config option "mode_cfg on". However, I'm not
> seeing any ModeCfg messages in 'auth.log | grep pluto'.
>
> For IKEv2, the error is:
> Sep 23 22:37:52 pilot charon: 13[IKE] peer requested virtual IP %any
> Sep 23 22:37:52 pilot charon: 13[IKE] no virtual IP found, sending
> INTERNAL_ADDRESS_FAILURE
>
> My network is as follows:
> <something> - Dynamic address; I use DynDNS to resolve it to a host name.
> 192.168.1.1/24 (Main address space)
> 192.168.2.1/24 (DMZ address space; unused)
> 192.168.3.1/24 (Used for OpenVPN - for locations where ESP is blocked
> at the firewall)
> 192.168.4.1/26 (IPsec pool)
>
> So I think a connection would be along the lines of:
> (Int. network)   (Internet IP)      (RW ISP)          Road Warrior
> 192.168.0.0/21 -- ISP Assigned IP .. ISP Assigned IP -- NAT IP
>
> My configuration (with L2TP removed, for clarity) is as follows:
>
> config setup
>     crlcheckinterval="600"
>     cachecrls=yes
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24,%v4:!192.168.4.0/24
>     interfaces=%defaultroute
>
> conn %default
>     keyingtries=1
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyexchange=ikev2
>     ike=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
>     esp=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
>     compress=yes
>     left=%defaultroute
>     right=%any
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>     pfs=yes
>
> conn rw-local-nat
>     rightsubnet=vhost:%no,%priv
>     also=rw-local
>
> conn rw-local
>     keyexchange=ikev1
>     # Supposedly rekey can be no, because the client will ask for it...
>     rekey=no
>     leftsubnet=192.168.1.0/24
>     rightsourceip=%hostpool
>     also=rw
>
> conn rw-charon
>     leftsubnet=192.168.1.0/24
>     # In case we want a different (volatile) pool
>     # rightsourceip=192.168.4.64/26
>     rightsourceip=%hostpool
>     also=rw
>
> conn rw
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>     leftcert=pilotCert.pem
>     [email protected]
>     rightid="C=US... CN=*, E=*"
>     rightca=%same
>     auto=add
>
> $ ipsec pool --status
> dns servers: 192.168.1.1
> no nbns servers found.
> name       start        end           timeout  size  online   usage
> hostpool   192.168.4.2  192.168.4.63  static   62    0 ( 0%)  0 ( 0%)
>
> $ ipsec pool --statusattr
> type  description       pool  identity  value
> 3     INTERNAL_IP4_DNS                  192.168.1.1
>
> $ ipsec pool --showattr
> internal_ip4_netmask  --addr    (INTERNAL_IP4_NETMASK)
> internal_ip6_netmask  --addr    (INTERNAL_IP6_NETMASK)
> netmask               --addr    (INTERNAL_IP4_NETMASK, INTERNAL_IP6_NETMASK)
> internal_ip4_dns      --addr    (INTERNAL_IP4_DNS)
> internal_ip6_dns      --addr    (INTERNAL_IP6_DNS)
> dns                   --addr    (INTERNAL_IP4_DNS, INTERNAL_IP6_DNS)
> internal_ip4_nbns     --addr    (INTERNAL_IP4_NBNS)
> internal_ip6_nbns     --addr    (INTERNAL_IP6_NBNS)
> nbns                  --addr    (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)
> wins                  --addr    (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)
> internal_ip4_dhcp     --addr    (INTERNAL_IP4_DHCP)
> internal_ip6_dhcp     --addr    (INTERNAL_IP6_DHCP)
> dhcp                  --addr    (INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP)
> internal_ip4_server   --addr    (INTERNAL_IP4_SERVER)
> internal_ip6_server   --addr    (INTERNAL_IP6_SERVER)
> server                --addr    (INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER)
> application_version   --string  (APPLICATION_VERSION)
> version               --string  (APPLICATION_VERSION)
> unity_banner          --string  (UNITY_BANNER)
> banner                --string  (UNITY_BANNER)
> unity_def_domain      --string  (UNITY_DEF_DOMAIN)
> unity_splitdns_name   --string  (UNITY_SPLITDNS_NAME)
> unity_split_include   --subnet  (UNITY_SPLIT_INCLUDE)
> unity_local_lan       --subnet  (UNITY_LOCAL_LAN)
>
> So what do I need to do in order to get IP address assignment working?

--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
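The check Andreas asks for, as an added example that is not part of this thread and not strongSwan's own code: Troy's `rw-local` (IKEv1, served by pluto) and `rw-charon` (IKEv2, served by charon) connections both use `rightsourceip=%hostpool`, a pool that lives in the attr-sql database, so each daemon independently needs the attr-sql and sqlite plugins loaded or it has no pool to draw from (which is exactly the "no virtual IP found, sending INTERNAL_ADDRESS_FAILURE" symptom on the charon side). The script below parses `ipsec statusall` output per daemon and reports which daemon is missing which plugin. The sample output is constructed, and the "Status of IKEvN ... daemon" header and "loaded plugins:" line layout are assumptions about the 4.x output format, not captured from a real system.

```python
import re

# Plugins both daemons need for a database-backed address pool: attr-sql serves
# the pool and INTERNAL_IP4_* attributes from the DB, sqlite is the DB backend.
REQUIRED_PLUGINS = {"attr-sql", "sqlite"}

# Constructed sample of `ipsec statusall` output (assumed 4.x layout). Here
# charon loads the pool plugins but pluto does not, so IKEv1 ModeCfg clients
# would get no address while IKEv2 clients would.
SAMPLE_STATUSALL = """\
Status of IKEv1 pluto daemon (strongSwan 4.4.1):
interface eth0/eth0 192.0.2.10:500
loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1 pem openssl gmp hmac xauth
Status of IKEv2 charon daemon (strongSwan 4.4.1):
  uptime: 3 minutes, since Sep 24 07:10:00 2010
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 1
  loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1 pem openssl gmp hmac attr attr-sql sqlite kernel-netlink socket-default updown
Listening IP addresses:
  192.0.2.10
"""

DAEMON_HEADER = re.compile(r"^Status of IKEv[12] (\w+) daemon")
PLUGIN_LINE = re.compile(r"^\s*loaded plugins:\s*(.*)$")


def parse_loaded_plugins(statusall: str) -> dict[str, set[str]]:
    """Map each daemon named in a statusall dump to the set of plugins it reports."""
    plugins: dict[str, set[str]] = {}
    current = None
    for line in statusall.splitlines():
        header = DAEMON_HEADER.match(line)
        if header:
            current = header.group(1)
            plugins.setdefault(current, set())
            continue
        m = PLUGIN_LINE.match(line)
        if m and current is not None:
            plugins[current].update(m.group(1).split())
    return plugins


def missing_pool_plugins(statusall: str, required=REQUIRED_PLUGINS) -> dict[str, set[str]]:
    """Return, per daemon, the required plugins that daemon did not load.

    Daemons that load everything are omitted, so an empty dict means the
    pool backend is available to both pluto and charon.
    """
    loaded = parse_loaded_plugins(statusall)
    return {name: required - have for name, have in loaded.items() if required - have}


if __name__ == "__main__":
    gaps = missing_pool_plugins(SAMPLE_STATUSALL)
    if not gaps:
        print("both daemons load the pool plugins")
    for daemon, missing in sorted(gaps.items()):
        print(f"{daemon}: missing {', '.join(sorted(missing))} "
              f"(add them to the {daemon} 'load' list in strongswan.conf)")
```

To use it on a live system, pipe the real output in (for example `ipsec statusall | python3 check_pool_plugins.py` with a small `sys.stdin.read()` wrapper around `missing_pool_plugins`). A daemon reported as missing either plugin will answer every `rightsourceip=%hostpool` request with an address failure no matter what `ipsec pool --status` shows, because the pool tool and the daemons open the database independently.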
