I made the change (auto=add) and it still does not work. I'm going to try integrating pools into sqlite and tell them the result.
Thank you

> On 8 Mar 2017, at 0:32, Noel Kuntze <[email protected]> wrote:
>
> Move the "auto=add" out of conn %default into each individual conn you
> actually need.
> The way you're doing it makes no sense.
> The proper way to do this is to use a static IP pool backed by an sqlite file
> or a MySQL server
> and to assign the leases based on the identity there.
>
> The proper way to do this is to
> On 07.03.2017 21:56, Daniel wrote:
>> Hi, I have a strongswan 5.3.5 on Ubuntu server. I use this VPN server for iOS
>> devices and Windows 10 laptops.
>>
>> I will try to explain the problem:
>>
>> I have ipsec.secrets with user/password EAP auth, e.g.:
>>
>>> # This file holds shared secrets or RSA private keys for authentication.
>>>
>>> # This is the private key located at /etc/ipsec.d/private/
>>> : RSA privkey.pem
>>>
>>> # VPN users
>>> strike : EAP "12341234"
>>> dottas : EAP "45645645"
>>
>> I have my ipsec.conf assigning static IP config to users based on rightid:
>>
>>> config setup
>>>     charondebug = ike 3, cfg 3
>>>
>>> conn %default
>>>     dpdaction=clear
>>>     dpddelay=550s
>>>     dpdtimeout=72000s
>>>     keyexchange=ikev2
>>>     auto=add
>>>     rekey=no
>>>     reauth=no
>>>     fragmentation=yes
>>>     compress=yes
>>>
>>>     # left - local (server) side
>>>     leftcert=fullchain.pem  # Filename of certificate located at /etc/ipsec.d/certs/
>>>     leftsendcert=always
>>>     # Routes pushed to clients. If you don't have ipv6 then remove ::/0
>>>     leftsubnet=0.0.0.0/0
>>>
>>>     # right - remote (client) side
>>>     eap_identity=%identity
>>>     # ipv4 subnets that are assigned to clients.
>>>     rightsourceip=10.8.0.0/24
>>>     rightdns=8.8.8.8
>>>
>>> # Windows Auth CFG
>>> conn ikev2-mschapv2
>>>     rightauth=eap-mschapv2
>>>
>>> # Apple Auth CFG
>>> conn ikev2-mschapv2-apple
>>>     rightauth=eap-mschapv2
>>>     leftid=mydomain.com
>>>
>>> # Static IP configs
>>>
>>> conn static-ip-for-strike
>>>     also="ikev2-mschapv2-apple"
>>>     right=%any
>>>     rightid=strike
>>>     rightsourceip=10.8.0.100/32
>>>     auto=add
>>>
>>> conn static-ip-for-dottas
>>>     also="ikev2-mschapv2"
>>>     right=%any
>>>     rightid=dottas
>>>     rightsourceip=10.8.0.33/32
>>>     auto=add
>>
>> All iOS clients connect fine and take the static IP, but Windows always gets an IP
>> address from the DHCP pool. If I delete the rightsourceip=10.8.0.0/24 field, Windows
>> doesn't receive any IP address and doesn't connect.
>>
>> Some log outputs:
>>
>> ipsec leases
>>
>>> Leases in pool '10.8.0.0/24', usage: 0/254, 0 online
>>> no matching leases found
>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>> no matching leases found
>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>> no matching leases found
>>> ...
>>
>> journalctl -f -u strongswan
>>
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any6
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] no virtual IP found for %any6 requested by 'dottas'
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] building INTERNAL_IP4_DNS attribute
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for us:
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] 0.0.0.0/0
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for other:
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] 10.8.0.1/32
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] candidate "ikev2-mschapv2" with prio 10+2
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] found matching child config "ikev2-mschapv2" with prio 12
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposal matches
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for us:
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 0.0.0.0/0, received: ::/0 => no match
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for other:
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 10.8.0.1/32, received: 0.0.0.0/0 => match: 10.8.0.1/32
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 10.8.0.1/32, received: ::/0 => no match
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>> ...
>>
>> ipsec leases
>>
>>> Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
>>> 10.8.0.1 online 'dottas'
>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>> no matching leases found
>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>> no matching leases found
>>> ...
>>
>> Any idea how to assign static IP addresses to Windows clients?
>>
>> Thank you.
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
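The thread's log shows 'dottas' being handed 10.8.0.1 from the shared 10.8.0.0/24 pool even though a per-identity conn pins 10.8.0.33/32. The check below, added here and not part of the thread or of strongSwan, runs over charon log lines and reports every peer whose assigned virtual IP falls outside the subnet its conn is supposed to pin. The expected mapping is taken from the ipsec.conf quoted above; the sample log lines are constructed (the 'strike' line is assumed for contrast).

```python
"""Flag strongSwan peers whose virtual IP came from the wrong pool.

Added example for this thread, not code from the thread or from
strongSwan.  EXPECTED mirrors the rightid -> rightsourceip pairs of the
per-user conns in the quoted ipsec.conf; SAMPLE_LOG is constructed.
"""
import ipaddress
import re

# rightid -> rightsourceip of the per-identity conns (from the thread's config)
EXPECTED = {
    "strike": "10.8.0.100/32",
    "dottas": "10.8.0.33/32",
}

# charon's "[IKE] assigning virtual IP <addr> to peer '<id>'" line
ASSIGN_RE = re.compile(r"\[IKE\] assigning virtual IP (\S+) to peer '([^']+)'")


def check_assignments(log_text, expected=EXPECTED):
    """Return (peer, assigned_ip, expected_subnet) for each assignment that
    lands outside the peer's pinned subnet.  Peers not in `expected` and
    lines whose address does not parse are ignored."""
    mismatches = []
    for line in log_text.splitlines():
        m = ASSIGN_RE.search(line)
        if not m:
            continue
        addr, peer = m.group(1), m.group(2)
        if peer not in expected:
            continue
        try:
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(expected[peer]):
                mismatches.append((peer, addr, expected[peer]))
        except ValueError:
            continue  # not an IP literal; nothing to compare
    return mismatches


# Constructed sample: first two lines mirror the journalctl output in the thread,
# the third is an assumed correct assignment for 'strike'.
SAMPLE_LOG = """\
Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
Mar 07 21:55:02 900333e2e8f1 charon[5111]: 07[IKE] assigning virtual IP 10.8.0.100 to peer 'strike'
"""

if __name__ == "__main__":
    for peer, got, want in check_assignments(SAMPLE_LOG):
        print(f"{peer}: got {got}, conn pins {want}")
```

Feed it `journalctl -u strongswan` output to see which identities are silently landing in the shared pool instead of their pinned address.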
