Re: [strongSwan] Fwd: [strongSwan-dev] config w/ multiple ios devices on a network...

Fri, 24 Apr 2015 13:33:42 -0700 

No joy, w/ rightsubnet=10.255.0.0/16 <http://10.255.0.0/16>

results in

Apr 24 20:28:44 accel charon: 06[IKE] peer requested virtual IP %any
Apr 24 20:28:44 accel charon: 06[IKE] no virtual IP found for %any requested by 'actmobile'
The odd thing is running 5.0.2 strongswan that same config using rightsourceip=10.255.0.0/16 <http://10.255.0.0/16>, the clients do get different addresses from the pool, but on 5.3.0, they are all getting the same? 

On 4/24/15 12:20 PM, Miroslav Svoboda wrote:
This is not good. Possibly, what we solved was just a result, not the root cause. Before, I overlooked the configuration issue; maybe you will want to enable uniqueids again once fixed. 

Instead of:
rightsourceip=10.255.0.0/16 <http://10.255.0.0/16>
there should be:
rightsubnet=10.255.0.0/16 <http://10.255.0.0/16>
Logs will be even better if you include directive in "charon-logging.conf": 
ike_name = yes

M.

Miroslav Svoboda | +420 608 224 486 <tel:%2B420%20608%20224%20486>
On 24 April 2015 at 21:02, Andrew Foss <[email protected] <mailto:[email protected]>> wrote: 

    Miroslav,

    thank you, that did it! Wow, did I log some hours trying different
    combinations, but didn't get that one and you also helped by
    suggesting I turn off enc logging, now my logs are more helpful,
    before they always ended in "dropped rate-limiting" so really
    weren't telling me much.

    Interestingly, both the connected devices now have the same
    virtual ip 10.254.0.1/32 <http://10.254.0.1/32>, but both seem to
    be working fine and the 2 devices never need to talk directly to
    one another, so maybe all the devices can use/assign the same ip
    address for the client's tunnel? Is that a common way to run?

    andrew

    On 4/24/15 11:36 AM, Miroslav Svoboda wrote:

    This is the problem:
    Apr 24 17:21:43 accel charon: 10[IKE] deleting duplicate IKE_SA
    for peer 'actmobile' due to uniqueness policy

    Look for config option "uniqueids" here:
    https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection

    M.

    Miroslav Svoboda | +420 608 224 486 <tel:%2B420%20608%20224%20486>





_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users



_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users

Reply via email to