On 11.03.2017 00:05, Daniel wrote:
> I have continued testing and I can set the IP address manually on Windows, but
> the server assigns any address from the DHCP pool.
>
> Mar 11 00:04:25 900333e2e8f1 charon[29393]: 12[IKE] peer requested virtual IP 10.8.0.112
> Mar 11 00:04:25 900333e2e8f1 charon[29393]: 12[CFG] assigning new lease to 'dottas'
> Mar 11 00:04:25 900333e2e8f1 charon[29393]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
That's not DHCP.

> Is it possible to force it to use the requested virtual IP?

As I wrote, use an SQL-backed IP pool. See the documentation about `ipsec pool`[1].

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPool

> Thanks
>
>> On 10 Mar 2017, at 8:46, Daniel <[email protected]> wrote:
>>
>>> On 9 Mar 2017, at 12:16, Noel Kuntze <[email protected]> wrote:
>>>
>>> iOS:
>>>> Mar 09 11:38:08 900333e2e8f1 charon[18975]: 12[ENC] parsed INFORMATIONAL request 6 [ D ]
>>>
>>> Unrelated to virtual IPs. Check the log on iOS for information. Maybe iOS
>>> doesn't trust certificates that are issued by Let's Encrypt for IPsec?
>>>
>>> windows:
>>>
>>>> Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] looking for peer configs matching 176.31.13.185[%any]...79.153.142.222[192.168.222.130]
>>>> Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] no matching peer config found
>>>
>>> It's because the ID "192.168.222.130" is not configured in any of your two
>>> conns, where the IDs are specified.
>>> Don't specify the IDs. Just use a conn for your roadwarriors and add a pool
>>> with the leases you need.
>>>
>>> You can't make this work for Windows (or Mac OSX) with static IDs, because
>>> those hosts send their LAN IP as initiator IDs by default and they're hence
>>> unpredictable and unrelated to their actual usernames that are used during
>>> EAP authentication.
>>
>> Would it be possible if I created a single certificate for each Windows client?
>>
>>> On 09.03.2017 11:58, Daniel wrote:
>>>> Hi, I have uploaded my logs with your considerations (without the SQL
>>>> database): when strongswan starts, an example of an iOS device connection
>>>> and a Windows device connection error.
>>>>
>>>> strongswan_log_load.log -> https://paste.ee/p/GBEJ7
>>>> working_ios_connection.log -> https://paste.ee/p/cibrx
>>>> windows_cant_connnect.log -> https://paste.ee/p/AnTsJ
>>>>
>>>> Thanks for your help.
>>>>
>>>>> On 8 Mar 2017, at 14:22, Noel Kuntze <[email protected]> wrote:
>>>>>
>>>>> Logs, please.
>>>>>
>>>>> On 08.03.2017 08:49, Daniel wrote:
>>>>>>
>>>>>> I made the change (auto=add) and it still does not work. I'm going to
>>>>>> try integrating pools into sqlite and tell you the result.
>>>>>>
>>>>>> Thank you
>>>>>>
>>>>>>> On 8 Mar 2017, at 0:32, Noel Kuntze <[email protected]> wrote:
>>>>>>>
>>>>>>> Move the "auto=add" out of conn %default into each individual conn you
>>>>>>> actually need.
>>>>>>> The way you're doing it makes no sense.
>>>>>>> The proper way to do this is to use a static IP pool backed by an
>>>>>>> sqlite file or a MySQL server
>>>>>>> and to assign the leases based on the identity there.
>>>>>>>
>>>>>>> On 07.03.2017 21:56, Daniel wrote:
>>>>>>>> Hi, I have strongswan 5.3.5 on an Ubuntu server. I use this VPN server
>>>>>>>> for iOS devices and Windows 10 laptops.
>>>>>>>>
>>>>>>>> I will try to explain the problem:
>>>>>>>>
>>>>>>>> I have ipsec.secrets with user/password EAP auth, e.g.:
>>>>>>>>
>>>>>>>>> # This file holds shared secrets or RSA private keys for authentication.
>>>>>>>>>
>>>>>>>>> # This is the private key located at /etc/ipsec.d/private/
>>>>>>>>> : RSA privkey.pem
>>>>>>>>>
>>>>>>>>> # VPN users
>>>>>>>>> strike : EAP "12341234"
>>>>>>>>> dottas : EAP "45645645"
>>>>>>>>
>>>>>>>> I have my ipsec.conf assign a static IP config to users based on rightid:
>>>>>>>>
>>>>>>>>> config setup
>>>>>>>>>     charondebug = ike 3, cfg 3
>>>>>>>>>
>>>>>>>>> conn %default
>>>>>>>>>     dpdaction=clear
>>>>>>>>>     dpddelay=550s
>>>>>>>>>     dpdtimeout=72000s
>>>>>>>>>     keyexchange=ikev2
>>>>>>>>>     auto=add
>>>>>>>>>     rekey=no
>>>>>>>>>     reauth=no
>>>>>>>>>     fragmentation=yes
>>>>>>>>>     compress=yes
>>>>>>>>>
>>>>>>>>>     # left - local (server) side
>>>>>>>>>     # Filename of certificate located at /etc/ipsec.d/certs/
>>>>>>>>>     leftcert=fullchain.pem
>>>>>>>>>     leftsendcert=always
>>>>>>>>>     # Routes pushed to clients. If you don't have ipv6 then remove ::/0
>>>>>>>>>     leftsubnet=0.0.0.0/0
>>>>>>>>>
>>>>>>>>>     # right - remote (client) side
>>>>>>>>>     eap_identity=%identity
>>>>>>>>>     # ipv4 subnet that is assigned to clients.
>>>>>>>>>     rightsourceip=10.8.0.0/24
>>>>>>>>>     rightdns=8.8.8.8
>>>>>>>>>
>>>>>>>>> # Windows Auth CFG
>>>>>>>>> conn ikev2-mschapv2
>>>>>>>>>     rightauth=eap-mschapv2
>>>>>>>>>
>>>>>>>>> # Apple Auth CFG
>>>>>>>>> conn ikev2-mschapv2-apple
>>>>>>>>>     rightauth=eap-mschapv2
>>>>>>>>>     leftid=mydomain.com
>>>>>>>>>
>>>>>>>>> # Static IP configs
>>>>>>>>>
>>>>>>>>> conn static-ip-for-strike
>>>>>>>>>     also="ikev2-mschapv2-apple"
>>>>>>>>>     right=%any
>>>>>>>>>     rightid=strike
>>>>>>>>>     rightsourceip=10.8.0.100/32
>>>>>>>>>     auto=add
>>>>>>>>>
>>>>>>>>> conn static-ip-for-dottas
>>>>>>>>>     also="ikev2-mschapv2"
>>>>>>>>>     right=%any
>>>>>>>>>     rightid=dottas
>>>>>>>>>     rightsourceip=10.8.0.33/32
>>>>>>>>>     auto=add
>>>>>>>>
>>>>>>>> All iOS clients connect fine and take the static IP, but Windows always gets
>>>>>>>> an IP address from the DHCP pool. If I delete the rightsourceip=10.8.0.0/24
>>>>>>>> field, Windows doesn't receive any IP address and doesn't connect.
>>>>>>>>
>>>>>>>> Some log outputs:
>>>>>>>>
>>>>>>>> ipsec leases
>>>>>>>>
>>>>>>>>> Leases in pool '10.8.0.0/24', usage: 0/254, 0 online
>>>>>>>>> no matching leases found
>>>>>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>>>>>> no matching leases found
>>>>>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>>>>>> no matching leases found
>>>>>>>>> ...
>>>>>>>>
>>>>>>>> journalctl -f -u strongswan
>>>>>>>>
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any6
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] no virtual IP found for %any6 requested by 'dottas'
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] building INTERNAL_IP4_DNS attribute
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for us:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] 0.0.0.0/0
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for other:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] 10.8.0.1/32
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] candidate "ikev2-mschapv2" with prio 10+2
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] found matching child config "ikev2-mschapv2" with prio 12
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposal matches
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for us:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 0.0.0.0/0, received: ::/0 => no match
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for other:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 10.8.0.1/32, received: 0.0.0.0/0 => match: 10.8.0.1/32
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 10.8.0.1/32, received: ::/0 => no match
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>>>>>> ...
>>>>>>>>
>>>>>>>> ipsec leases
>>>>>>>>
>>>>>>>>> Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
>>>>>>>>> 10.8.0.1 online 'dottas'
>>>>>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>>>>>> no matching leases found
>>>>>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>>>>>> no matching leases found
>>>>>>>>> ...
>>>>>>>>
>>>>>>>> Any idea how to assign a static IP address to Windows clients?
>>>>>>>>
>>>>>>>> Thank you.
>>
>

--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
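As an added example (not code from the thread or from strongSwan), a small Python check over charon log lines of the format quoted above: it flags peers whose assigned virtual IP differs from the intended static /32 (the "wrong-vip" case the thread is about) and peer-config lookups that fail because the initiator ID is a bare IP address, which is what Noel describes for Windows and macOS clients. The EXPECTED_VIP mapping is an assumption built from the thread's two rightid conns; the sample lines are quoted from the thread.

```python
import ipaddress
import re

# Intended static assignments from the thread's ipsec.conf (assumed complete user list).
EXPECTED_VIP = {"strike": "10.8.0.100", "dottas": "10.8.0.33"}

ASSIGN_RE = re.compile(r"\[IKE\] assigning virtual IP (\S+) to peer '([^']+)'")
PEERCFG_RE = re.compile(
    r"\[CFG\] looking for peer configs matching \S+\[[^\]]*\]\.\.\.\S+\[([^\]]*)\]")
NOMATCH_RE = re.compile(r"\[CFG\] no matching peer config found")

def is_ip(ident):
    """True if an IKE identity is a bare IP address rather than a username or FQDN."""
    try:
        ipaddress.ip_address(ident)
        return True
    except ValueError:
        return False

def audit(log_lines):
    """One pass over charon log lines; returns (kind, identity, detail) findings."""
    findings = []
    remote_id = None  # initiator ID from the most recent peer-config lookup
    for line in log_lines:
        m = PEERCFG_RE.search(line)
        if m:
            remote_id = m.group(1)
            continue
        if NOMATCH_RE.search(line) and remote_id is not None:
            # Windows/macOS send their LAN IP as IKE ID by default, so a conn
            # keyed on rightid=<username> is never selected for them.
            kind = "ip-as-initiator-id" if is_ip(remote_id) else "unknown-initiator-id"
            findings.append((kind, remote_id, None))
            remote_id = None
            continue
        m = ASSIGN_RE.search(line)
        if m:
            vip, peer = m.group(1), m.group(2)
            want = EXPECTED_VIP.get(peer)
            if want is None:
                findings.append(("unlisted-peer", peer, vip))
            elif vip != want:
                findings.append(("wrong-vip", peer, vip))  # pool lease, not the static /32
    return findings

# Sample input: three charon lines quoted from the thread.
SAMPLE_LOG = [
    "Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'",
    "Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] looking for peer configs matching 176.31.13.185[%any]...79.153.142.222[192.168.222.130]",
    "Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] no matching peer config found",
]
```

Running `audit(SAMPLE_LOG)` reports the pool lease handed to 'dottas' and the LAN-IP initiator ID that no rightid-based conn can match; feed it `journalctl -u strongswan` output to watch for the same conditions after moving to an SQL-backed pool.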
