iOS:

> Mar 09 11:38:08 900333e2e8f1 charon[18975]: 12[ENC] parsed INFORMATIONAL request 6 [ D ]

Unrelated to virtual IPs. Check the log on iOS for information. Maybe iOS doesn't trust certificates that are issued by Let's Encrypt for IPsec?

Windows:

> Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] looking for peer configs matching 176.31.13.185[%any]...79.153.142.222[192.168.222.130]
> Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] no matching peer config found

It's because the ID "192.168.222.130" is not configured in any of your two conns, where the IDs are specified. Don't specify the IDs. Just use a conn for your roadwarriors and add a pool with the leases you need. You can't make this work for Windows (or Mac OSX) with static IDs, because those hosts send their LAN IP as initiator IDs by default and they're hence unpredictable and unrelated to their actual usernames that are used during EAP authentication.

On 09.03.2017 11:58, Daniel wrote:
> Hi, I have uploaded my logs with your considerations (without sql database) when strongswan starts, and an example of an iOS device connection and a Windows device error connection.
>
> strongswan_log_load.log -> https://paste.ee/p/GBEJ7
> working_ios_connection.log -> https://paste.ee/p/cibrx
> windows_cant_connnect.log -> https://paste.ee/p/AnTsJ
>
> Thanks for your help.
>
>> On 8 Mar 2017, at 14:22, Noel Kuntze <[email protected]> wrote:
>>
>> Logs, please.
>>
>> On 08.03.2017 08:49, Daniel wrote:
>>>
>>> I made the change (auto=add) and it still does not work. I'm going to try integrating pools into sqlite and tell you the result.
>>>
>>> Thank you
>>>
>>>> On 8 Mar 2017, at 0:32, Noel Kuntze <[email protected]> wrote:
>>>>
>>>> Move the "auto=add" out of conn %default into each individual conn you actually need.
>>>> The way you're doing it makes no sense.
>>>> The proper way to do this is to use a static IP pool backed by an sqlite file or a MySQL server and to assign the leases based on the identity there.
>>>>
>>>> On 07.03.2017 21:56, Daniel wrote:
>>>>> Hi, I have strongswan 5.3.5 on an Ubuntu server. I use this VPN server for iOS devices and Windows 10 laptops.
>>>>>
>>>>> I will try to explain the problem:
>>>>>
>>>>> I have ipsec.secrets with user/password EAP auth, e.g.:
>>>>>
>>>>>> # This file holds shared secrets or RSA private keys for authentication.
>>>>>>
>>>>>> # This is the private key located at /etc/ipsec.d/private/
>>>>>> : RSA privkey.pem
>>>>>>
>>>>>> # VPN users
>>>>>> strike : EAP "12341234"
>>>>>> dottas : EAP "45645645"
>>>>>
>>>>> I have my ipsec.conf assign a static IP config to users based on rightid:
>>>>>
>>>>>> config setup
>>>>>>     charondebug = ike 3, cfg 3
>>>>>>
>>>>>> conn %default
>>>>>>     dpdaction=clear
>>>>>>     dpddelay=550s
>>>>>>     dpdtimeout=72000s
>>>>>>     keyexchange=ikev2
>>>>>>     auto=add
>>>>>>     rekey=no
>>>>>>     reauth=no
>>>>>>     fragmentation=yes
>>>>>>     compress=yes
>>>>>>
>>>>>>     # left - local (server) side
>>>>>>     # Filename of certificate located at /etc/ipsec.d/certs/
>>>>>>     leftcert=fullchain.pem
>>>>>>     leftsendcert=always
>>>>>>     # Routes pushed to clients. If you don't have ipv6 then remove ::/0
>>>>>>     leftsubnet=0.0.0.0/0
>>>>>>
>>>>>>     # right - remote (client) side
>>>>>>     eap_identity=%identity
>>>>>>     # IPv4 subnet assigned to clients.
>>>>>>     rightsourceip=10.8.0.0/24
>>>>>>     rightdns=8.8.8.8
>>>>>>
>>>>>> # Windows Auth CFG
>>>>>> conn ikev2-mschapv2
>>>>>>     rightauth=eap-mschapv2
>>>>>>
>>>>>> # Apple Auth CFG
>>>>>> conn ikev2-mschapv2-apple
>>>>>>     rightauth=eap-mschapv2
>>>>>>     leftid=mydomain.com
>>>>>>
>>>>>> # Static IP configs
>>>>>>
>>>>>> conn static-ip-for-strike
>>>>>>     also="ikev2-mschapv2-apple"
>>>>>>     right=%any
>>>>>>     rightid=strike
>>>>>>     rightsourceip=10.8.0.100/32
>>>>>>     auto=add
>>>>>>
>>>>>> conn static-ip-for-dottas
>>>>>>     also="ikev2-mschapv2"
>>>>>>     right=%any
>>>>>>     rightid=dottas
>>>>>>     rightsourceip=10.8.0.33/32
>>>>>>     auto=add
>>>>>
>>>>> All iOS clients connect fine and take the static IP, but Windows always gets an IP address from the DHCP pool. If I delete the rightsourceip=10.8.0.0/24 field, Windows doesn't receive any IP address and doesn't connect.
>>>>>
>>>>> Some log outputs:
>>>>>
>>>>> ipsec leases
>>>>>
>>>>>> Leases in pool '10.8.0.0/24', usage: 0/254, 0 online
>>>>>> no matching leases found
>>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>>> no matching leases found
>>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>>> no matching leases found
>>>>>> ...
>>>>>
>>>>> journalctl -f -u strongswan
>>>>>
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any6
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] no virtual IP found for %any6 requested by 'dottas'
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] building INTERNAL_IP4_DNS attribute
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for us:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  0.0.0.0/0
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for other:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  10.8.0.1/32
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   candidate "ikev2-mschapv2" with prio 10+2
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] found matching child config "ikev2-mschapv2" with prio 12
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   proposal matches
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for us:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for other:
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: 0.0.0.0/0 => match: 10.8.0.1/32
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: ::/0 => no match
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>>> ...
>>>>>
>>>>> ipsec leases
>>>>>
>>>>>> Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
>>>>>>   10.8.0.1   online   'dottas'
>>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>>> no matching leases found
>>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>>> no matching leases found
>>>>>> ...
>>>>>
>>>>> Any idea how to assign a static IP address to Windows clients?
>>>>>
>>>>> Thank you.
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> [email protected]
>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>
>>>> --
>>>>
>>>> Kind Regards,
>>>> Noel Kuntze
>>>>
>>>> GPG Key ID: 0x63EC6658
>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

--

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
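The layout Noel recommends, written out as an added example (not from the thread and not the strongSwan project's own sample config): one roadwarrior conn with no `rightid`, so the Windows client's LAN-address IKE ID no longer has to match anything, and virtual IPs handed out from a named pool keyed on the EAP identity rather than the IKE ID. Assumed here and not on the page: the pool name `rw_pool`, the address range 10.8.0.100 to 10.8.0.200, the database path `/etc/ipsec.d/ipsec.db`, the template path `/usr/share/strongswan/templates/database/sql/sqlite.sql`, and that the `attr-sql` and `sqlite` plugins are installed and loaded. The `esp=` line is a practitioner's addition prompted by the log above, where the Windows client ends up on `ESP:3DES_CBC/HMAC_SHA1_96` because the configured AES-128 proposal does not match its AES-256 offer and 3DES is tried before the catch-all list.

```ini
# /etc/ipsec.conf  (added example; replaces the per-user static-ip-for-* conns)
config setup
    charondebug = ike 2, cfg 2

conn %default
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    rekey=no
    reauth=no
    fragmentation=yes

# A single roadwarrior conn serves both iOS and Windows clients.
conn roadwarrior
    auto=add
    # left - local (server) side
    leftauth=pubkey
    leftcert=fullchain.pem
    leftsendcert=always
    # leftid must match a subjectAltName in leftcert, or clients reject
    # the server's AUTH payload.
    leftid=mydomain.com
    leftsubnet=0.0.0.0/0

    # right - remote (client) side
    right=%any
    # Deliberately no rightid: Windows (and macOS) send their LAN address
    # as the initiator ID, so a static ID can never be matched.
    rightauth=eap-mschapv2
    # The lease is recorded under the EAP identity (the username from
    # ipsec.secrets), which is the stable key to assign addresses by.
    eap_identity=%identity
    # Named pool created with "ipsec pool --add rw_pool ..." (assumed name),
    # instead of a CIDR that allocates first-free addresses.
    rightsourceip=rw_pool
    rightdns=8.8.8.8
    # Prefer AES-256 so the Windows offer seen in the log matches before 3DES.
    esp=aes256-sha1,aes128-sha1

# /etc/strongswan.conf (fragment): the attr-sql plugin and the "ipsec pool"
# tool read the pool database from the same URI (assumed path). On older
# releases such as the 5.3.5 in this thread the setting lives under
# libhydra.plugins.attr-sql instead of charon.plugins.attr-sql; check
# strongswan.conf(5) for the installed version.
charon {
    plugins {
        attr-sql {
            database = sqlite:///etc/ipsec.d/ipsec.db
        }
    }
}
```

Setting it up, under the assumptions above: create the database from the shipped schema with `sqlite3 /etc/ipsec.d/ipsec.db < /usr/share/strongswan/templates/database/sql/sqlite.sql`, add the pool with `ipsec pool --add rw_pool --start 10.8.0.100 --end 10.8.0.200 --timeout 0` (a timeout of 0 makes the leases static, so an identity gets the same address back on every connection), then `ipsec reload` and verify with `ipsec pool --status` and `ipsec pool --leases`. Remove the `rightsourceip=10.8.0.0/24` line from `conn %default` as well as the per-user conns; otherwise the CIDR pool keeps handing out 10.8.0.1 as in the log. Pinning a particular address to a user before that user has ever connected means writing the identity into the pool's address table directly, which is beyond this example; what the static pool guarantees is that whatever address a user first receives stays with that EAP identity.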
