Hi, I have uploaded my logs with your considerations (without sql database) when strongswan starts, and an example of an iOS device connection and a Windows device error connection.

strongswan_log_load.log -> https://paste.ee/p/GBEJ7
working_ios_connection.log -> https://paste.ee/p/cibrx
windows_cant_connnect.log -> https://paste.ee/p/AnTsJ

Thanks for your help.

> On 8 Mar 2017, at 14:22, Noel Kuntze <[email protected]> wrote:
>
> Logs, please.
>
> On 08.03.2017 08:49, Daniel wrote:
>>
>> I made the change (auto=add) and it still does not work. I'm going to try
>> integrating pools into sqlite and tell them the result.
>>
>> Thank you
>>
>>> On 8 Mar 2017, at 0:32, Noel Kuntze <[email protected]> wrote:
>>>
>>> Move the "auto=add" out of conn %default into each individual conn you
>>> actually need.
>>> The way you're doing it makes no sense.
>>> The proper way to do this is to use a static IP pool backed by an sqlite
>>> file or a MySQL server
>>> and to assign the leases based on the identity there.
>>>
>>> The proper way to do this is to
>>> On 07.03.2017 21:56, Daniel wrote:
>>>> Hi, I have a strongswan 5.3.5 on Ubuntu server. I use this VPN server for
>>>> iOS devices and Windows 10 laptops.
>>>>
>>>> I will try to explain the problem:
>>>>
>>>> I have ipsec.secrets with user/password EAP auth ex:
>>>>
>>>>> # This file holds shared secrets or RSA private keys for authentication.
>>>>>
>>>>> # This is private key located at /etc/ipsec.d/private/
>>>>> : RSA privkey.pem
>>>>>
>>>>> # VPN users
>>>>> strike : EAP "12341234"
>>>>> dottas : EAP "45645645"
>>>>
>>>> I have my ipsec.conf assign static ip config to users based on rightid:
>>>>
>>>>> config setup
>>>>>     charondebug = ike 3, cfg 3
>>>>>
>>>>> conn %default
>>>>>     dpdaction=clear
>>>>>     dpddelay=550s
>>>>>     dpdtimeout=72000s
>>>>>     keyexchange=ikev2
>>>>>     auto=add
>>>>>     rekey=no
>>>>>     reauth=no
>>>>>     fragmentation=yes
>>>>>     compress=yes
>>>>>
>>>>>     # left - local (server) side
>>>>>     leftcert=fullchain.pem  # Filename of certificate located at /etc/ipsec.d/certs/
>>>>>     leftsendcert=always
>>>>>     # Routes pushed to clients. If you don't have ipv6 then remove ::/0
>>>>>     leftsubnet=0.0.0.0/0
>>>>>
>>>>>     # right - remote (client) side
>>>>>     eap_identity=%identity
>>>>>     # ipv4 subnets that assigns to clients.
>>>>>     rightsourceip=10.8.0.0/24
>>>>>     rightdns=8.8.8.8
>>>>>
>>>>> # Windows Auth CFG
>>>>> conn ikev2-mschapv2
>>>>>     rightauth=eap-mschapv2
>>>>>
>>>>> # Apple Auth CFG
>>>>> conn ikev2-mschapv2-apple
>>>>>     rightauth=eap-mschapv2
>>>>>     leftid=mydomain.com
>>>>>
>>>>> # Static IP configs
>>>>>
>>>>> conn static-ip-for-strike
>>>>>     also="ikev2-mschapv2-apple"
>>>>>     right=%any
>>>>>     rightid=strike
>>>>>     rightsourceip=10.8.0.100/32
>>>>>     auto=add
>>>>>
>>>>> conn static-ip-for-dottas
>>>>>     also="ikev2-mschapv2"
>>>>>     right=%any
>>>>>     rightid=dottas
>>>>>     rightsourceip=10.8.0.33/32
>>>>>     auto=add
>>>>
>>>> All iOS clients connect fine and take static IP but Windows always get an
>>>> IP address by DHCP pool. If I delete rightsourceip=10.8.0.0/24 field
>>>> Windows don't receive any IP address and don't connect.
>>>>
>>>> Some log outputs:
>>>>
>>>> ipsec leases
>>>>
>>>>> Leases in pool '10.8.0.0/24', usage: 0/254, 0 online
>>>>>   no matching leases found
>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>>   no matching leases found
>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>>   no matching leases found
>>>>> ...
>>>>
>>>> journalctl -f -u strongswan
>>>>
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any6
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] no virtual IP found for %any6 requested by 'dottas'
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] building INTERNAL_IP4_DNS attribute
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for us:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] 0.0.0.0/0
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for other:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] 10.8.0.1/32
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] candidate "ikev2-mschapv2" with prio 10+2
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] found matching child config "ikev2-mschapv2" with prio 12
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposal matches
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for us:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 0.0.0.0/0, received: ::/0 => no match
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for other:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 10.8.0.1/32, received: 0.0.0.0/0 => match: 10.8.0.1/32
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 10.8.0.1/32, received: ::/0 => no match
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>> ...
>>>>
>>>> ipsec leases
>>>>
>>>>> Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
>>>>>   10.8.0.1   online   'dottas'
>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>>   no matching leases found
>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>>   no matching leases found
>>>>> ...
>>>>
>>>> Any idea how to assign static ip address to windows clients?
>>>>
>>>> Thank you.
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> [email protected]
>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>
>>>
>>> --
>>>
>>> Mit freundlichen Grüßen/Kind Regards,
>>> Noel Kuntze
>>>
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
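As an added check, not part of the thread or of strongSwan itself: the Python below parses the `ipsec leases` output and the two charon log lines quoted above (sample text constructed from the thread) and reports any identity whose lease came from a pool other than its intended /32, together with the conn charon actually matched, which is what shows the Windows client landing on the generic conn. The EXPECTED map of identities to addresses is an assumption taken from the static-ip conns in the quoted ipsec.conf.

```python
import re

# Constructed sample: the 'ipsec leases' output and charon lines quoted in the thread, trimmed.
LEASES_OUTPUT = """\
Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
  10.8.0.1   online   'dottas'
Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
  no matching leases found
"""
CHARON_LOG = """\
Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] found matching child config "ikev2-mschapv2" with prio 12
"""
# Intended static addresses; assumption: taken from the rightsourceip=.../32 conns in the thread.
EXPECTED = {"strike": "10.8.0.100", "dottas": "10.8.0.33"}
POOL_RE = re.compile(r"^Leases in pool '([^']+)'")
LEASE_RE = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+\S+\s+'([^']+)'")
VIP_RE = re.compile(r"assigning virtual IP (\S+) to peer '([^']+)'")
CONN_RE = re.compile(r'found matching child config "([^"]+)"')


def parse_leases(text):
    """Map identity -> (ip, pool) from 'ipsec leases' output."""
    leases, pool = {}, None
    for line in text.splitlines():
        if m := POOL_RE.match(line):
            pool = m.group(1)
        elif (m := LEASE_RE.match(line)) and pool:
            leases[m.group(2)] = (m.group(1), pool)
    return leases


def conn_per_peer(text):
    """Map identity -> (ip, conn) by pairing each 'assigning virtual IP' line
    with the child config charon selects right after it."""
    result, pending = {}, None
    for line in text.splitlines():
        if m := VIP_RE.search(line):
            pending = (m.group(2), m.group(1))  # (identity, ip)
        elif (m := CONN_RE.search(line)) and pending:
            result[pending[0]] = (pending[1], m.group(1))
            pending = None
    return result


def misassigned(leases, conns, expected):
    """Identities holding a lease other than their intended static address,
    with the pool and conn that actually served them."""
    return [(ident, leases[ident][0], leases[ident][1], conns.get(ident, ("", "?"))[1], want)
            for ident, want in expected.items()
            if ident in leases and leases[ident][0] != want]
```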
