Logs, please.

On 08.03.2017 08:49, Daniel wrote:
>
> I made the change (auto=add) and it still does not work. I'm going to try
> integrating pools into sqlite and tell them the result.
>
> Thank you
>
>> On 8 Mar 2017, at 0:32, Noel Kuntze <[email protected]> wrote:
>>
>> Move the "auto=add" out of conn %default into each individual conn you
>> actually need.
>> The way you're doing it makes no sense.
>> The proper way to do this is to use a static IP pool backed by an sqlite
>> file or a MySQL server
>> and to assign the leases based on the identity there.
>>
>> The proper way to do this is to
>> On 07.03.2017 21:56, Daniel wrote:
>>> Hi, I have a strongswan 5.3.5 on an Ubuntu server. I use this VPN server for
>>> iOS devices and Windows 10 laptops.
>>>
>>> I will try to explain the problem:
>>>
>>> I have ipsec.secrets with user/password EAP auth, e.g.:
>>>
>>>> # This file holds shared secrets or RSA private keys for authentication.
>>>>
>>>> # This is the private key located at /etc/ipsec.d/private/
>>>> : RSA privkey.pem
>>>>
>>>> # VPN users
>>>> strike : EAP "12341234"
>>>> dottas : EAP "45645645"
>>>
>>> I have my ipsec.conf assign a static IP config to users based on rightid:
>>>
>>>> config setup
>>>>     charondebug = ike 3, cfg 3
>>>>
>>>> conn %default
>>>>     dpdaction=clear
>>>>     dpddelay=550s
>>>>     dpdtimeout=72000s
>>>>     keyexchange=ikev2
>>>>     auto=add
>>>>     rekey=no
>>>>     reauth=no
>>>>     fragmentation=yes
>>>>     compress=yes
>>>>
>>>>     # left - local (server) side
>>>>     leftcert=fullchain.pem    # Filename of certificate located at /etc/ipsec.d/certs/
>>>>     leftsendcert=always
>>>>     # Routes pushed to clients. If you don't have ipv6 then remove ::/0
>>>>     leftsubnet=0.0.0.0/0
>>>>
>>>>     # right - remote (client) side
>>>>     eap_identity=%identity
>>>>     # ipv4 subnets that assigns to clients.
>>>>     rightsourceip=10.8.0.0/24
>>>>     rightdns=8.8.8.8
>>>>
>>>> # Windows Auth CFG
>>>> conn ikev2-mschapv2
>>>>     rightauth=eap-mschapv2
>>>>
>>>> # Apple Auth CFG
>>>> conn ikev2-mschapv2-apple
>>>>     rightauth=eap-mschapv2
>>>>     leftid=mydomain.com
>>>>
>>>> # Static IP configs
>>>>
>>>> conn static-ip-for-strike
>>>>     also="ikev2-mschapv2-apple"
>>>>     right=%any
>>>>     rightid=strike
>>>>     rightsourceip=10.8.0.100/32
>>>>     auto=add
>>>>
>>>> conn static-ip-for-dottas
>>>>     also="ikev2-mschapv2"
>>>>     right=%any
>>>>     rightid=dottas
>>>>     rightsourceip=10.8.0.33/32
>>>>     auto=add
>>>
>>> All iOS clients connect fine and take the static IP, but Windows always gets an
>>> IP address from the DHCP pool. If I delete the rightsourceip=10.8.0.0/24 field,
>>> Windows doesn't receive any IP address and doesn't connect.
>>>
>>> Some log outputs:
>>>
>>> ipsec leases
>>>
>>>> Leases in pool '10.8.0.0/24', usage: 0/254, 0 online
>>>> no matching leases found
>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>> no matching leases found
>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>> no matching leases found
>>>> ...
>>>
>>> journalctl -f -u strongswan
>>>
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any6
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] no virtual IP found for %any6 requested by 'dottas'
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] building INTERNAL_IP4_DNS attribute
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for us:
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  0.0.0.0/0
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for other:
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  10.8.0.1/32
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   candidate "ikev2-mschapv2" with prio 10+2
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] found matching child config "ikev2-mschapv2" with prio 12
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   proposal matches
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for us:
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for other:
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: 0.0.0.0/0 => match: 10.8.0.1/32
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: ::/0 => no match
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>> ...
>>>
>>> ipsec leases
>>>
>>>> Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
>>>>   10.8.0.1   online   'dottas'
>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>> no matching leases found
>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>> no matching leases found
>>>> ...
>>>
>>> Any idea how to assign a static IP address to Windows clients?
>>>
>>> Thank you.
>>>
>>
>> --
>>
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
-- Mit freundlichen Grüßen/Kind Regards, Noel Kuntze GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
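The layout Noel recommends, written out as an added example for this thread (it is not configuration from either poster or from the strongSwan project): auto=add lives on each real conn, both conns share one named pool provided by the attr-sql plugin, and each EAP identity is pinned to its address inside that pool instead of through per-user conns. Assumptions, beyond the identities and addresses taken from the thread: the pool name "static", the database path /etc/ipsec.d/ipsec.db, the location of the sqlite.sql schema template, that strongswan.conf includes strongswan.d/*.conf, and the attr-sql table layout described in the comments.

```shell
#!/bin/sh
# Added example (not from the thread or the strongSwan project): one attr-sql
# backed pool, each EAP identity pinned to an address. Assumed: pool "static",
# DB /etc/ipsec.d/ipsec.db, the schema template path, thread identities/addresses.
set -eu

DB=${DB:-/etc/ipsec.d/ipsec.db}
POOL=${POOL:-static}
SCHEMA=${SCHEMA:-/usr/share/strongswan/templates/database/sql/sqlite.sql}

# Dotted quad -> SQLite blob literal; attr-sql stores addresses as raw bytes.
ip4_blob() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    printf "X'%02X%02X%02X%02X'" "$1" "$2" "$3" "$4"
}

# SQL that pins address $2 to identity $1 in $POOL. Assumes the attr-sql schema
# from sqlite.sql (tables identities/pools/addresses), identity type 2 = ID_FQDN
# (what a bare username such as "strike" parses to) and that 'ipsec pool --add'
# has already created one row per address. The identity is spliced into SQL,
# so it is whitelisted first.
pin_sql() {
    case $1 in ''|*[!A-Za-z0-9@._-]*) echo "refusing identity '$1'" >&2; return 1 ;; esac
    cat <<EOF
INSERT OR IGNORE INTO identities (type, data) VALUES (2, CAST('$1' AS BLOB));
UPDATE addresses
   SET identity = (SELECT id FROM identities WHERE type = 2 AND data = CAST('$1' AS BLOB))
 WHERE pool = (SELECT id FROM pools WHERE name = '$POOL')
   AND address = $(ip4_blob "$2");
EOF
}

# ipsec.conf: auto=add on each real conn, one shared pool for both of them.
write_ipsec_conf() {
    cat >"$1" <<EOF
config setup
    charondebug="ike 2, cfg 2"

conn %default
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=550s
    fragmentation=yes
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    rightauth=eap-mschapv2
    eap_identity=%identity
    rightsourceip=%$POOL
    rightdns=8.8.8.8
    # assumption: explicit ESP list; the trailing '!' drops the defaults (the
    # quoted log shows 3DES_CBC being selected). Widen it if a client needs more.
    esp=aes256-sha256,aes256-sha1,aes128-sha256,aes128-sha1!
    # no auto= here: only the two conns below should be loaded

conn ikev2-mschapv2
    right=%any
    auto=add

conn ikev2-mschapv2-apple
    leftid=mydomain.com
    right=%any
    auto=add
EOF
}

# strongswan.conf fragment enabling the attr-sql backend (the attr-sql and sqlite
# plugins must be installed and loaded). Older releases keep this section under
# libhydra rather than charon; check strongswan.conf(5) for the installed version.
write_strongswan_conf() {
    cat >"$1" <<EOF
charon {
    plugins {
        attr-sql {
            database = sqlite://$DB
        }
    }
}
EOF
}

# One-shot setup, only when invoked as "sh setup-pool.sh apply".
if [ "${1:-}" = apply ]; then
    write_ipsec_conf /etc/ipsec.conf
    write_strongswan_conf /etc/strongswan.d/attr-sql-pool.conf
    [ -s "$DB" ] || sqlite3 "$DB" <"$SCHEMA"
    # --timeout 0 = static leases: they never expire, and new leases are only
    # handed out from rows whose identity is still 0, so pinned rows stay pinned.
    ipsec pool --add "$POOL" --start 10.8.0.1 --end 10.8.0.254 --timeout 0
    { pin_sql strike 10.8.0.100; pin_sql dottas 10.8.0.33; } | sqlite3 "$DB"
    ipsec restart
    ipsec pool --leases   # after a client connects, its identity should show the pinned address
fi
```

Run it with `apply` on the gateway, then connect a client and confirm the lease with `ipsec pool --leases`; the per-user conns and their /32 pools from the original config are no longer needed. The `--timeout 0` choice matters: with a non-zero lease time, attr-sql may hand an expired lease to a different identity, and the pinning no longer holds.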
