On 10.03.2017 08:46, Daniel wrote:
>
>> On 9 Mar 2017, at 12:16, Noel Kuntze <[email protected]> wrote:
>>
>> iOS:
>>> Mar 09 11:38:08 900333e2e8f1 charon[18975]: 12[ENC] parsed INFORMATIONAL request 6 [ D ]
>>
>> Unrelated to virtual IPs. Check log on iOS for information. Maybe iOS doesn't trust certificates that are issued by Let's Encrypt for IPsec?
>>
>> windows:
>>
>>> Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] looking for peer configs matching 176.31.13.185[%any]...79.153.142.222[192.168.222.130]
>>> Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] no matching peer config found
>>
>> It's because the ID "192.168.222.130" is not configured in any of your two conns, where the IDs are specified.
>> Don't specify the IDs. Just use a conn for your roadwarriors and add a pool with the leases you need.
>>
>> You can't make this work for Windows (or Mac OSX) with static IDs, because those hosts send their LAN IP as initiator IDs by default and they're hence unpredictable and unrelated to their actual usernames that are used during EAP authentication.
>
> Would it be possible if I created a single certificate for each Windows?
>

Even then, you could not match the initiator's ID.

>> On 09.03.2017 11:58, Daniel wrote:
>>> Hi, I have uploaded my logs with your considerations (without sql database) when strongswan starts and example of ios device connection and windows device error connection.
>>>
>>> strongswan_log_load.log -> https://paste.ee/p/GBEJ7
>>> working_ios_connection.log -> https://paste.ee/p/cibrx
>>> windows_cant_connnect.log -> https://paste.ee/p/AnTsJ
>>>
>>> Thanks for your help.
>>>
>>>> On 8 Mar 2017, at 14:22, Noel Kuntze <[email protected]> wrote:
>>>>
>>>> Logs, please.
>>>>
>>>> On 08.03.2017 08:49, Daniel wrote:
>>>>>
>>>>> I made the change (auto=add) and it still does not work. I'm going to try integrating pools into sqlite and tell them the result.
>>>>>
>>>>> Thank you
>>>>>
>>>>>> On 8 Mar 2017, at 0:32, Noel Kuntze <[email protected]> wrote:
>>>>>>
>>>>>> Move the "auto=add" out of conn %default into each individual conn you actually need.
>>>>>> The way you're doing it makes no sense.
>>>>>> The proper way to do this is to use a static IP pool backed by an sqlite file or a MySQL server and to assign the leases based on the identity there.
>>>>>>
>>>>>> The proper way to do this is to
>>>>>> On 07.03.2017 21:56, Daniel wrote:
>>>>>>> Hi, I have a strongswan 5.3.5 on Ubuntu server. I use this VPN server for iOS devices and Windows 10 laptops.
>>>>>>>
>>>>>>> I will try to explain the problem:
>>>>>>>
>>>>>>> I have ipsec.secrets with user/password EAP auth ex:
>>>>>>>
>>>>>>>> # This file holds shared secrets or RSA private keys for authentication.
>>>>>>>>
>>>>>>>> # This is private key located at /etc/ipsec.d/private/
>>>>>>>> : RSA privkey.pem
>>>>>>>>
>>>>>>>> # VPN users
>>>>>>>> strike : EAP "12341234"
>>>>>>>> dottas : EAP "45645645"
>>>>>>>
>>>>>>> I have my ipsec.conf assign static ip config to users based on rightid:
>>>>>>>
>>>>>>>> config setup
>>>>>>>>     charondebug = ike 3, cfg 3
>>>>>>>>
>>>>>>>> conn %default
>>>>>>>>
>>>>>>>>     dpdaction=clear
>>>>>>>>     dpddelay=550s
>>>>>>>>     dpdtimeout=72000s
>>>>>>>>     keyexchange=ikev2
>>>>>>>>     auto=add
>>>>>>>>     rekey=no
>>>>>>>>     reauth=no
>>>>>>>>     fragmentation=yes
>>>>>>>>     compress=yes
>>>>>>>>
>>>>>>>>     # left - local (server) side
>>>>>>>>     # Filename of certificate located at /etc/ipsec.d/certs/
>>>>>>>>     leftcert=fullchain.pem
>>>>>>>>     leftsendcert=always
>>>>>>>>     # Routes pushed to clients. If you don't have ipv6 then remove ::/0
>>>>>>>>     leftsubnet=0.0.0.0/0
>>>>>>>>
>>>>>>>>     # right - remote (client) side
>>>>>>>>     eap_identity=%identity
>>>>>>>>     # ipv4 subnets assigned to clients.
>>>>>>>>     rightsourceip=10.8.0.0/24
>>>>>>>>     rightdns=8.8.8.8
>>>>>>>>
>>>>>>>> # Windows Auth CFG
>>>>>>>> conn ikev2-mschapv2
>>>>>>>>     rightauth=eap-mschapv2
>>>>>>>>
>>>>>>>> # Apple Auth CFG
>>>>>>>> conn ikev2-mschapv2-apple
>>>>>>>>     rightauth=eap-mschapv2
>>>>>>>>     leftid=mydomain.com
>>>>>>>>
>>>>>>>> # Static IP configs
>>>>>>>>
>>>>>>>> conn static-ip-for-strike
>>>>>>>>     also="ikev2-mschapv2-apple"
>>>>>>>>     right=%any
>>>>>>>>     rightid=strike
>>>>>>>>     rightsourceip=10.8.0.100/32
>>>>>>>>     auto=add
>>>>>>>>
>>>>>>>> conn static-ip-for-dottas
>>>>>>>>     also="ikev2-mschapv2"
>>>>>>>>     right=%any
>>>>>>>>     rightid=dottas
>>>>>>>>     rightsourceip=10.8.0.33/32
>>>>>>>>     auto=add
>>>>>>>
>>>>>>> All iOS clients connect fine and take static IP but Windows always get an IP address by DHCP pool. If I delete rightsourceip=10.8.0.0/24 field Windows don't receive any IP address and don't connect.
>>>>>>>
>>>>>>> Some log outputs:
>>>>>>>
>>>>>>> ipsec leases
>>>>>>>
>>>>>>>>
>>>>>>>> Leases in pool '10.8.0.0/24', usage: 0/254, 0 online
>>>>>>>> no matching leases found
>>>>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>>>>> no matching leases found
>>>>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>>>>> no matching leases found
>>>>>>>> ...
>>>>>>>
>>>>>>> journalctl -f -u strongswan
>>>>>>>
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any6
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] no virtual IP found for %any6 requested by 'dottas'
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] building INTERNAL_IP4_DNS attribute
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for us:
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] 0.0.0.0/0
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for other:
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] 10.8.0.1/32
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] candidate "ikev2-mschapv2" with prio 10+2
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] found matching child config "ikev2-mschapv2" with prio 12
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposal matches
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for us:
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 0.0.0.0/0, received: ::/0 => no match
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for other:
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 10.8.0.1/32, received: 0.0.0.0/0 => match: 10.8.0.1/32
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 10.8.0.1/32, received: ::/0 => no match
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>>>>> ...
>>>>>>>
>>>>>>> ipsec leases
>>>>>>>
>>>>>>>> Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
>>>>>>>> 10.8.0.1 online 'dottas'
>>>>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>>>>> no matching leases found
>>>>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>>>>> no matching leases found
>>>>>>>> ...
>>>>>>>
>>>>>>>
>>>>>>> Any idea to assign static ip address to windows clients?
>>>>>>>
>>>>>>> Thank you.
>>>>>>>

--

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
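The two-stage behaviour Noel describes (peer config selection keyed on the IKE initiator ID, lease assignment that can key on the EAP identity), as an added model that is not strongSwan code and not from the thread. Conn names, addresses and the parsed log line are constructed from the thread's own config and logs; `by_identity` stands in for a pool with per-identity leases, as attr-sql would provide.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Conn:
    name: str
    rightid: Optional[str]     # None models an unset rightid: matches any initiator ID
    pool: list                 # addresses handed out first-come, like rightsourceip
    by_identity: dict = field(default_factory=dict)  # identity -> fixed lease (attr-sql style)

def thread_layout():
    """Constructed mirror of the thread's ipsec.conf: generic conn plus rightid-pinned conns."""
    return [Conn("ikev2-mschapv2", None, ["10.8.0.1", "10.8.0.2"]),
            Conn("static-ip-for-strike", "strike", ["10.8.0.100"]),
            Conn("static-ip-for-dottas", "dottas", ["10.8.0.33"])]

def suggested_layout():
    """One roadwarrior conn without rightid; leases keyed on the EAP identity instead."""
    return [Conn("roadwarrior", None, ["10.8.0.1", "10.8.0.2"],
                 by_identity={"strike": "10.8.0.100", "dottas": "10.8.0.33"})]

PEER_RE = re.compile(r"looking for peer configs matching \S+\[[^\]]*\]\.\.\.\S+\[([^\]]*)\]")
def initiator_id(log_line: str) -> Optional[str]:
    """Pull the initiator's IKE ID (IDi) out of charon's peer-config lookup line."""
    m = PEER_RE.search(log_line)
    return m.group(1) if m else None
def select_peer_config(conns, idi: str) -> Optional[Conn]:
    """Stage 1 runs before EAP: keyed on IDi, which Windows fills with its LAN IP.
    An exact rightid match outranks a conn that accepts any ID."""
    candidates = [c for c in conns if c.rightid is None or c.rightid == idi]
    return max(candidates, key=lambda c: c.rightid is not None, default=None)

def assign_virtual_ip(conn: Conn, eap_identity: str) -> str:
    """Stage 2 runs after EAP, so it can key the lease on the username."""
    return conn.by_identity.get(eap_identity) or conn.pool.pop(0)

def connect(conns, idi: str, eap_identity: str) -> Optional[str]:
    """Both stages; None models 'no matching peer config found' (no lease at all)."""
    conn = select_peer_config(conns, idi)
    return None if conn is None else assign_virtual_ip(conn, eap_identity)

if __name__ == "__main__":
    # Constructed input: the Windows lookup line quoted in the thread.
    line = ("Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] looking for peer configs "
            "matching 176.31.13.185[%any]...79.153.142.222[192.168.222.130]")
    idi = initiator_id(line)                                                        # 192.168.222.130
    print("iOS, IDi=dottas      :", connect(thread_layout(), "dottas", "dottas"))   # 10.8.0.33
    print("Windows, IDi=LAN IP  :", connect(thread_layout(), idi, "dottas"))        # 10.8.0.1
    print("Windows, suggested   :", connect(suggested_layout(), idi, "dottas"))     # 10.8.0.33
```

Dropping the generic conn and keeping only the pinned ones reproduces the "no matching peer config found" case for the Windows IDi, which is what the last log excerpt shows.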
