Move the "auto=add" out of conn %default into each individual conn you actually need. The way you're doing it makes no sense. The proper way to do this is to use a static IP pool backed by an sqlite file or a MySQL server and to assign the leases based on the identity there.
On 07.03.2017 21:56, Daniel wrote:
> Hi, I have a strongswan 5.3.5 on Ubuntu server. I use this VPN server for iOS
> devices and Windows 10 laptops.
>
> I will try to explain the problem:
>
> I have ipsec.secrets with user/password EAP auth, e.g.:
>
>> # This file holds shared secrets or RSA private keys for authentication.
>>
>> # This is private key located at /etc/ipsec.d/private/
>> : RSA privkey.pem
>>
>> # VPN users
>> strike : EAP "12341234"
>> dottas : EAP "45645645"
>
> I have my ipsec.conf assign static IP config to users based on rightid:
>
>> config setup
>>     charondebug = ike 3, cfg 3
>>
>> conn %default
>>
>>     dpdaction=clear
>>     dpddelay=550s
>>     dpdtimeout=72000s
>>     keyexchange=ikev2
>>     auto=add
>>     rekey=no
>>     reauth=no
>>     fragmentation=yes
>>     compress=yes
>>
>>     # left - local (server) side
>>     # Filename of certificate located at /etc/ipsec.d/certs/
>>     leftcert=fullchain.pem
>>     leftsendcert=always
>>     # Routes pushed to clients. If you don't have ipv6 then remove ::/0
>>     leftsubnet=0.0.0.0/0
>>
>>     # right - remote (client) side
>>     eap_identity=%identity
>>     # ipv4 subnets that assigns to clients.
>>     rightsourceip=10.8.0.0/24
>>     rightdns=8.8.8.8
>>
>> # Windows Auth CFG
>> conn ikev2-mschapv2
>>     rightauth=eap-mschapv2
>>
>> # Apple Auth CFG
>> conn ikev2-mschapv2-apple
>>     rightauth=eap-mschapv2
>>     leftid=mydomain.com
>>
>> # Static IP configs
>>
>> conn static-ip-for-strike
>>     also="ikev2-mschapv2-apple"
>>     right=%any
>>     rightid=strike
>>     rightsourceip=10.8.0.100/32
>>     auto=add
>>
>> conn static-ip-for-dottas
>>     also="ikev2-mschapv2"
>>     right=%any
>>     rightid=dottas
>>     rightsourceip=10.8.0.33/32
>>     auto=add
>
> All iOS clients connect fine and take the static IP, but Windows always gets an IP
> address from the DHCP pool. If I delete the rightsourceip=10.8.0.0/24 field, Windows
> doesn't receive any IP address and doesn't connect.
>
> Some log outputs:
>
> ipsec leases
>
>> Leases in pool '10.8.0.0/24', usage: 0/254, 0 online
>> no matching leases found
>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>> no matching leases found
>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>> no matching leases found
>> ...
>
> journalctl -f -u strongswan
>
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any6
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] no virtual IP found for %any6 requested by 'dottas'
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] building INTERNAL_IP4_DNS attribute
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for us:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  0.0.0.0/0
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for other:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  10.8.0.1/32
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   candidate "ikev2-mschapv2" with prio 10+2
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] found matching child config "ikev2-mschapv2" with prio 12
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   proposal matches
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for us:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for other:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: 0.0.0.0/0 => match: 10.8.0.1/32
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: ::/0 => no match
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>> ...
>
> ipsec leases
>
>> Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
>>   10.8.0.1   online   'dottas'
>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>> no matching leases found
>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>> no matching leases found
>> ...
>
> Any idea how to assign a static IP address to Windows clients?
>
> Thank you.
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users

--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
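For concreteness, here is the quoted ipsec.conf with the first suggestion applied (an added illustration, not part of the original thread): auto=add is removed from conn %default and set only on the two per-user conns, so the template conns ikev2-mschapv2 and ikev2-mschapv2-apple are no longer loaded as connections in their own right (auto defaults to ignore) and serve purely as also= templates. Everything else is kept as Daniel posted it, including the fallback rightsourceip in %default, with the mis-wrapped leftcert comment moved onto its own line.

```ini
config setup
    charondebug = ike 3, cfg 3

conn %default
    dpdaction=clear
    dpddelay=550s
    dpdtimeout=72000s
    keyexchange=ikev2
    # no auto=add here: only conns that set it explicitly get loaded
    rekey=no
    reauth=no
    fragmentation=yes
    compress=yes

    # left - local (server) side
    # Filename of certificate located at /etc/ipsec.d/certs/
    leftcert=fullchain.pem
    leftsendcert=always
    # Routes pushed to clients. If you don't have ipv6 then remove ::/0
    leftsubnet=0.0.0.0/0

    # right - remote (client) side
    eap_identity=%identity
    # fallback pool for clients without a per-user conn (unchanged from the original)
    rightsourceip=10.8.0.0/24
    rightdns=8.8.8.8

# Windows Auth CFG: template only (auto=ignore by default, so never loaded itself)
conn ikev2-mschapv2
    rightauth=eap-mschapv2

# Apple Auth CFG: template only
conn ikev2-mschapv2-apple
    rightauth=eap-mschapv2
    leftid=mydomain.com

# Static IP configs: the only conns that are actually loaded
conn static-ip-for-strike
    also="ikev2-mschapv2-apple"
    right=%any
    rightid=strike
    rightsourceip=10.8.0.100/32
    auto=add

conn static-ip-for-dottas
    also="ikev2-mschapv2"
    right=%any
    rightid=dottas
    rightsourceip=10.8.0.33/32
    auto=add
```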
