Hi, I have strongSwan 5.3.5 on an Ubuntu server. I use this VPN server for iOS devices and Windows 10 laptops.
I will try to explain the problem:
I have an ipsec.secrets with user/password EAP auth, e.g.:
> # This file holds shared secrets or RSA private keys for authentication.
>
> # This is private key located at /etc/ipsec.d/private/
> : RSA privkey.pem
>
> # VPN users
> strike : EAP "12341234"
> dottas : EAP "45645645"
My ipsec.conf assigns a static IP config to users based on rightid:
> config setup
>     charondebug = ike 3, cfg 3
>
> conn %default
>     dpdaction=clear
>     dpddelay=550s
>     dpdtimeout=72000s
>     keyexchange=ikev2
>     auto=add
>     rekey=no
>     reauth=no
>     fragmentation=yes
>     compress=yes
>
>     # left - local (server) side
>     # Filename of certificate located at /etc/ipsec.d/certs/
>     leftcert=fullchain.pem
>     leftsendcert=always
>     # Routes pushed to clients. If you don't have ipv6 then remove ::/0
>     leftsubnet=0.0.0.0/0
>
>     # right - remote (client) side
>     eap_identity=%identity
>     # IPv4 subnet that is assigned to clients.
>     rightsourceip=10.8.0.0/24
>     rightdns=8.8.8.8
>
> # Windows Auth CFG
> conn ikev2-mschapv2
>     rightauth=eap-mschapv2
>
> # Apple Auth CFG
> conn ikev2-mschapv2-apple
>     rightauth=eap-mschapv2
>     leftid=mydomain.com
>
> # Static IP configs
>
> conn static-ip-for-strike
>     also="ikev2-mschapv2-apple"
>     right=%any
>     rightid=strike
>     rightsourceip=10.8.0.100/32
>     auto=add
>
> conn static-ip-for-dottas
>     also="ikev2-mschapv2"
>     right=%any
>     rightid=dottas
>     rightsourceip=10.8.0.33/32
>     auto=add
All iOS clients connect fine and take the static IP, but Windows always gets an IP address from the DHCP pool. If I delete the rightsourceip=10.8.0.0/24 field, Windows doesn't receive any IP address and doesn't connect.
Some log outputs:
ipsec leases
>
> Leases in pool '10.8.0.0/24', usage: 0/254, 0 online
> no matching leases found
> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
> no matching leases found
> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
> no matching leases found
> ...
journalctl -f -u strongswan
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any6
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] no virtual IP found for %any6 requested by 'dottas'
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] building INTERNAL_IP4_DNS attribute
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for us:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  0.0.0.0/0
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for other:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  10.8.0.1/32
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   candidate "ikev2-mschapv2" with prio 10+2
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] found matching child config "ikev2-mschapv2" with prio 12
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   proposal matches
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for us:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for other:
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: 0.0.0.0/0 => match: 10.8.0.1/32
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: ::/0 => no match
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> ...
ipsec leases
> Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
> 10.8.0.1 online 'dottas'
> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
> no matching leases found
> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
> no matching leases found
> ...
Any idea how to assign a static IP address to Windows clients?
Thank you.
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
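The post's charon log and `ipsec leases` output already contain everything needed to see what happened: the IKE_SA was bound to conn `ikev2-mschapv2` rather than `static-ip-for-dottas`, the virtual IP came from the `/24` pool, and the negotiated ESP proposal was `3DES_CBC`. The following triage script is an added example, not code from the poster or from the strongSwan project; it pulls those three facts out of raw charon log lines and `ipsec leases` output and flags anything that departs from the static assignments in the posted ipsec.conf. The `EXPECTED_STATIC` map is derived from that config, the `WEAK_ESP_ALGS` set is an assumption of mine (3DES, Blowfish and MD5 all appear in the configured proposals in the log), and the sample log text is copied from the post.

```python
"""Triage charon log lines and `ipsec leases` output for a strongSwan
road-warrior setup: which conn was selected, which pool the virtual IP
came from, and whether the negotiated ESP proposal uses a weak algorithm."""
import re
from ipaddress import ip_address, ip_network

# Static assignments taken from the ipsec.conf in the post:
# EAP user -> (conn that should be selected, its rightsourceip)
EXPECTED_STATIC = {
    "strike": ("static-ip-for-strike", "10.8.0.100/32"),
    "dottas": ("static-ip-for-dottas", "10.8.0.33/32"),
}

# Assumption: ESP algorithms worth flagging when they end up as the selected proposal.
WEAK_ESP_ALGS = {"3DES_CBC", "BLOWFISH_CBC_256", "HMAC_MD5_96", "NULL"}

# Patterns for the charon messages we care about (journalctl prefix is ignored via search()).
IKE_SA_RE = re.compile(r"IKE_SA (?P<conn>\S+)\[\d+\] state change: \S+ => ESTABLISHED")
VIP_RE = re.compile(r"assigning virtual IP (?P<ip>\S+) to peer '(?P<peer>[^']+)'")
PROPOSAL_RE = re.compile(r"selected proposal: ESP:(?P<prop>\S+)")
# Patterns for `ipsec leases` output.
POOL_RE = re.compile(r"Leases in pool '(?P<pool>[^']+)', usage: (?P<used>\d+)/(?P<total>\d+)")
LEASE_RE = re.compile(r"^\s*(?P<ip>\S+)\s+(?P<state>online|offline|expired)\s+'(?P<peer>[^']*)'")

# Sample input copied from the charon log in the post (one IKE_AUTH exchange).
SAMPLE_CHARON_LOG = """\
Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
"""

# Sample `ipsec leases` output copied from the post (after the Windows client connected).
SAMPLE_LEASES = """\
Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
  10.8.0.1   online   'dottas'
Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
  no matching leases found
Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
  no matching leases found
"""


def triage(log_text, expected=EXPECTED_STATIC):
    """Extract conn, peer, virtual IP and ESP proposal from charon lines and list findings."""
    result = {"conn": None, "peer": None, "virtual_ip": None, "esp_proposal": None, "findings": []}
    for line in log_text.splitlines():
        if m := IKE_SA_RE.search(line):
            result["conn"] = m["conn"]
        elif m := VIP_RE.search(line):
            result["peer"], result["virtual_ip"] = m["peer"], m["ip"]
        elif m := PROPOSAL_RE.search(line):
            result["esp_proposal"] = m["prop"]

    peer = result["peer"]
    if peer in expected:
        want_conn, want_pool = expected[peer]
        # The static conn is only effective if charon actually selected it for this peer.
        if result["conn"] != want_conn:
            result["findings"].append(
                f"peer '{peer}' was matched to conn '{result['conn']}', expected '{want_conn}'")
        # An address outside the /32 means the lease came from the shared pool instead.
        if result["virtual_ip"] and ip_address(result["virtual_ip"]) not in ip_network(want_pool):
            result["findings"].append(
                f"virtual IP {result['virtual_ip']} for '{peer}' is outside static pool {want_pool}")

    if result["esp_proposal"]:
        weak = sorted(set(result["esp_proposal"].split("/")) & WEAK_ESP_ALGS)
        if weak:
            result["findings"].append("weak ESP algorithm negotiated: " + ", ".join(weak))
    return result


def parse_leases(text):
    """Parse `ipsec leases` output into {pool: {used, total, leases: [(ip, state, peer)]}}."""
    pools, current = {}, None
    for line in text.splitlines():
        if m := POOL_RE.search(line):
            current = m["pool"]
            pools[current] = {"used": int(m["used"]), "total": int(m["total"]), "leases": []}
        elif current and (m := LEASE_RE.match(line)):
            pools[current]["leases"].append((m["ip"], m["state"], m["peer"]))
    return pools


if __name__ == "__main__":
    report = triage(SAMPLE_CHARON_LOG)
    print(f"conn={report['conn']} peer={report['peer']} vip={report['virtual_ip']} esp={report['esp_proposal']}")
    for finding in report["findings"]:
        print(" -", finding)
    for pool, info in parse_leases(SAMPLE_LEASES).items():
        print(f"pool {pool}: {info['used']}/{info['total']} used, leases={info['leases']}")
```

Run against the post's own lines it reports all three problems (wrong conn, lease from the /24 pool, 3DES selected); feed it `journalctl -u strongswan` output for a later connection attempt and an empty findings list confirms the static conn was actually selected rather than just configured.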
