> On 9 Mar 2017, at 12:16, Noel Kuntze <[email protected]> wrote:
>
> iOS:
>> Mar 09 11:38:08 900333e2e8f1 charon[18975]: 12[ENC] parsed INFORMATIONAL request 6 [ D ]
>
> Unrelated to virtual IPs. Check log on iOS for information. Maybe iOS doesn't
> trust certificates that are issued by Let's Encrypt for IPsec?
>
> windows:
>
>> Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] looking for peer configs matching 176.31.13.185[%any]...79.153.142.222[192.168.222.130]
>> Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] no matching peer config found
>
> It's because the ID "192.168.222.130" is not configured in any of your two
> conns, where the IDs are specified.
> Don't specify the IDs. Just use a conn for your roadwarriors and add a pool
> with the leases you need.
>
> You can't make this work for Windows (or Mac OSX) with static IDs, because
> those hosts send their LAN IP as initiator IDs
> by default and they're hence unpredictable and unrelated to their actual
> usernames that are used during EAP authentication.

Would it be possible if I created a single certificate for each Windows?

> On 09.03.2017 11:58, Daniel wrote:
>> Hi, I have uploaded my logs with your considerations (without sql database)
>> when strongswan starts and example of ios device connection and windows
>> device error connection.
>>
>> strongswan_log_load.log -> https://paste.ee/p/GBEJ7
>> working_ios_connection.log -> https://paste.ee/p/cibrx
>> windows_cant_connnect.log -> https://paste.ee/p/AnTsJ
>>
>> Thanks for your help.
>>
>>> On 8 Mar 2017, at 14:22, Noel Kuntze <[email protected]> wrote:
>>>
>>> Logs, please.
>>>
>>> On 08.03.2017 08:49, Daniel wrote:
>>>>
>>>> I made the change (auto=add) and it still does not work. I'm going to try
>>>> integrating pools into sqlite and tell them the result.
>>>>
>>>> Thank you
>>>>
>>>>> On 8 Mar 2017, at 0:32, Noel Kuntze <[email protected]> wrote:
>>>>>
>>>>> Move the "auto=add" out of conn %default into each individual conn you
>>>>> actually need.
>>>>> The way you're doing it makes no sense.
>>>>> The proper way to do this is to use a static IP pool backed by an sqlite
>>>>> file or a MySQL server
>>>>> and to assign the leases based on the identity there.
>>>>>
>>>>> On 07.03.2017 21:56, Daniel wrote:
>>>>>> Hi, I have a strongswan 5.3.5 on Ubuntu server. I use this VPN server for
>>>>>> iOS devices and Windows 10 laptops.
>>>>>>
>>>>>> I will try to explain the problem:
>>>>>>
>>>>>> I have ipsec.secrets with user/password EAP auth, e.g.:
>>>>>>
>>>>>>> # This file holds shared secrets or RSA private keys for authentication.
>>>>>>>
>>>>>>> # This is private key located at /etc/ipsec.d/private/
>>>>>>> : RSA privkey.pem
>>>>>>>
>>>>>>> # VPN users
>>>>>>> strike : EAP "12341234"
>>>>>>> dottas : EAP "45645645"
>>>>>>
>>>>>> I have my ipsec.conf assign static ip config to users based on rightid:
>>>>>>
>>>>>>> config setup
>>>>>>>     charondebug = ike 3, cfg 3
>>>>>>>
>>>>>>> conn %default
>>>>>>>     dpdaction=clear
>>>>>>>     dpddelay=550s
>>>>>>>     dpdtimeout=72000s
>>>>>>>     keyexchange=ikev2
>>>>>>>     auto=add
>>>>>>>     rekey=no
>>>>>>>     reauth=no
>>>>>>>     fragmentation=yes
>>>>>>>     compress=yes
>>>>>>>
>>>>>>>     # left - local (server) side
>>>>>>>     # Filename of certificate located at /etc/ipsec.d/certs/
>>>>>>>     leftcert=fullchain.pem
>>>>>>>     leftsendcert=always
>>>>>>>     # Routes pushed to clients. If you don't have ipv6 then remove ::/0
>>>>>>>     leftsubnet=0.0.0.0/0
>>>>>>>
>>>>>>>     # right - remote (client) side
>>>>>>>     eap_identity=%identity
>>>>>>>     # ipv4 subnets that assigns to clients.
>>>>>>>     rightsourceip=10.8.0.0/24
>>>>>>>     rightdns=8.8.8.8
>>>>>>>
>>>>>>> # Windows Auth CFG
>>>>>>> conn ikev2-mschapv2
>>>>>>>     rightauth=eap-mschapv2
>>>>>>>
>>>>>>> # Apple Auth CFG
>>>>>>> conn ikev2-mschapv2-apple
>>>>>>>     rightauth=eap-mschapv2
>>>>>>>     leftid=mydomain.com
>>>>>>>
>>>>>>> # Static IP configs
>>>>>>>
>>>>>>> conn static-ip-for-strike
>>>>>>>     also="ikev2-mschapv2-apple"
>>>>>>>     right=%any
>>>>>>>     rightid=strike
>>>>>>>     rightsourceip=10.8.0.100/32
>>>>>>>     auto=add
>>>>>>>
>>>>>>> conn static-ip-for-dottas
>>>>>>>     also="ikev2-mschapv2"
>>>>>>>     right=%any
>>>>>>>     rightid=dottas
>>>>>>>     rightsourceip=10.8.0.33/32
>>>>>>>     auto=add
>>>>>>
>>>>>> All iOS clients connect fine and take static IP but Windows always get
>>>>>> an IP address by DHCP pool. If I delete rightsourceip=10.8.0.0/24 field
>>>>>> Windows don't receive any IP address and don't connect.
>>>>>>
>>>>>> Some log outputs:
>>>>>>
>>>>>> ipsec leases
>>>>>>
>>>>>>> Leases in pool '10.8.0.0/24', usage: 0/254, 0 online
>>>>>>>   no matching leases found
>>>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>>>>   no matching leases found
>>>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>>>>   no matching leases found
>>>>>>> ...
>>>>>>
>>>>>> journalctl -f -u strongswan
>>>>>>
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any6
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] no virtual IP found for %any6 requested by 'dottas'
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] building INTERNAL_IP4_DNS attribute
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for us:
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  0.0.0.0/0
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for other:
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  10.8.0.1/32
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   candidate "ikev2-mschapv2" with prio 10+2
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] found matching child config "ikev2-mschapv2" with prio 12
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   proposal matches
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for us:
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for other:
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: 0.0.0.0/0 => match: 10.8.0.1/32
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: ::/0 => no match
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>>>> ...
>>>>>>
>>>>>> ipsec leases
>>>>>>
>>>>>>> Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
>>>>>>>   10.8.0.1   online   'dottas'
>>>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>>>>   no matching leases found
>>>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>>>>   no matching leases found
>>>>>>> ...
>>>>>>
>>>>>> Any idea to assign static ip address to windows clients?
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> [email protected]
>>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>>
>>>>> --
>>>>>
>>>>> Mit freundlichen Grüßen/Kind Regards,
>>>>> Noel Kuntze
>>>>>
>>>>> GPG Key ID: 0x63EC6658
>>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
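For anyone triaging the same symptom, here is a small added example (my own code, not from this thread or the strongSwan project) that scans charon [CFG] lines for the peer-config lookup, pulls out the remote IKE identity and flags the case Noel describes: a Windows or macOS client sending its LAN IP as the IKE ID, so no rightid can ever match it. The sample lines are constructed after the ones quoted above, and CONFIGURED_RIGHTIDS mirrors the two rightid values in Daniel's ipsec.conf.

```python
import ipaddress
import re

# Constructed sample lines modelled on the charon output quoted in the thread
# (the third line is made up to show a client that does send a username as ID).
SAMPLE_LOG = """\
Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] looking for peer configs matching 176.31.13.185[%any]...79.153.142.222[192.168.222.130]
Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] no matching peer config found
Mar 09 11:38:01 900333e2e8f1 charon[18975]: 12[CFG] looking for peer configs matching 176.31.13.185[%any]...203.0.113.7[strike]
"""

# local_addr[local_id]...remote_addr[remote_id] as printed by charon's [CFG] lookup
PEER_RE = re.compile(r"looking for peer configs matching (\S+?)\[(.*?)\]\.\.\.(\S+?)\[(.*?)\]")

# rightid values from the static-ip conns in Daniel's ipsec.conf
CONFIGURED_RIGHTIDS = {"strike", "dottas"}


def is_lan_ip(identity):
    """True when the IKE ID parses as an RFC 1918 / private address."""
    try:
        return ipaddress.ip_address(identity).is_private
    except ValueError:
        return False


def triage_peer_configs(log_text, configured_rightids):
    """Return one record per peer-config lookup with a diagnosis hint."""
    findings = []
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue
        _local_addr, _local_id, remote_addr, remote_id = m.groups()
        rec = {
            "remote_addr": remote_addr,
            "remote_id": remote_id,
            "matches_rightid": remote_id in configured_rightids,
            "lan_ip_as_id": is_lan_ip(remote_id),
        }
        if rec["lan_ip_as_id"]:
            rec["hint"] = ("client sent its LAN IP as IKE ID (Windows/macOS default); "
                           "drop rightid and select the lease by EAP identity instead")
        elif not rec["matches_rightid"]:
            rec["hint"] = "IKE ID is not the rightid of any conn"
        else:
            rec["hint"] = "IKE ID matches a configured rightid"
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in triage_peer_configs(SAMPLE_LOG, CONFIGURED_RIGHTIDS):
        print(f"{rec['remote_addr']} id={rec['remote_id']!r}: {rec['hint']}")
```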
