Here is another example (dynamic DNS on both sides); the other side is initiating.
Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] x.x.x.200 is initiating an IKE_SA
Apr 28 07:49:06 R6250 authpriv.info charon: 12[IKE] x.x.x.200 is initiating an IKE_SA
Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Apr 28 07:49:06 R6250 daemon.info charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 28 07:49:06 R6250 daemon.info charon: 12[NET] sending packet: from x.x.x.96[500] to x.x.x.200[500] (337 bytes)
Apr 28 07:49:06 R6250 daemon.info charon: 15[NET] received packet: from x.x.x.200[500] to x.x.x.96[500] (220 bytes)
Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] looking for peer configs matching x.x.x.96[%any]...x.x.x.200[x.x.x.200]
Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] selected peer config 'VPN'
Apr 28 07:49:06 R6250 daemon.info charon: 15[IKE] no shared key found for '%any' - 'x.x.x.200'
Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 28 07:49:06 R6250 daemon.info charon: 15[NET] sending packet: from x.x.x.96[500] to x.x.x.200[500] (76 bytes)
The peer config is the wrong one; below are the config and the IPsec secrets:
conn test
    keylife=3600s
    ikelifetime=28800s
    left=%local.net
    leftsubnet=10.1.1.0/26
    right=%remote.net
    rightsubnet=192.168.18.0/24,10.0.0.0/24
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024

IPsec secret:
%local.net %remote.net : PSK "XXX"
In my understanding from the strongSwan documentation, if a hostname is prefixed with "%" it will do a DNS lookup and use those IP addresses?
On 2017-04-28 at 08:08, Dusan Ilic wrote:
Thank you
Well, for starters, I can paste the logs I had in an earlier thread.
Are you saying that site-2-site with PSK must use certificates when
using dynamic hostnames?
What about if only one side of the tunnel has a dynamic IP and dynamic DNS (my side)? I have two remote peers, one using a dynamic hostname (Fortigate, supports dynamic hostnames for the remote peer in the GUI configuration) and one with a static IP (UniFi gateway, using strongSwan).
left=%hostname is working for one of my tunnels below, but not the other. See below.
The working:
sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
authentication of 'hostname' (myself) with pre-shared key
establishing CHILD_SA Azure
generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 85.24.x.x[500] to 137.135.x.x[500] (380 bytes)
received packet: from 137.135.x.x[500] to 85.24.x.x[500] (204 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
authentication of '137.135.x.x' with pre-shared key successful
IKE_SA Azure[2] established between 85.24.x.x[hostname]...137.135.x.x[137.135.x.x]
scheduling reauthentication in 27923s
maximum IKE_SA lifetime 28463s
connection 'Azure' established successfully
The non-working:
sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
authentication of 'hostname' (myself) with pre-shared key
establishing CHILD_SA Wesafe
generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 85.24.x.x[500] to 94.254.x.x[500] (380 bytes)
received packet: from 94.254.x.x[500] to 85.24.x.x[500] (76 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'Wesafe' failed
ipsec.secrets:
%hostname 137.135.x.x : PSK "xxxx"
%hostname 94.254.x.x : PSK "xxxxx"
"hostname" is my side of the tunnel and is a dynamic DNS hostname resolving to my public IP.
On 2017-04-27 at 22:57, Noel Kuntze wrote:
On 27.04.2017 22:38, Dusan Ilic wrote:
I would really appreciate some help with the below also; I'm having a hard time understanding how strongSwan chooses connection definitions and IPsec secrets.
Based on IPs, identities and authentication methods.
For example, how can I set up an IKEv2 PSK tunnel between two hosts with dynamic DNS?
Look at the "site-2-dynamic-ip" example on the UsableExamples page[1] for a configuration that uses certificates for authentication. Read the text at the beginning of the page.
Can I have several IPsec secrets or connections with %any?
No. One secret per identity.
I've tried with %dyndns but seem to get some errors about constraints and such.
If someone would give me an explanation that would be great!
You need to paste logs to get help.
[1]https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Site-To-Site-Scenario
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
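An added example, not code from this thread or from the strongSwan project: a small Python triage script that parses charon syslog lines of the kind quoted above and reports, for one IKE_AUTH exchange, whether the request carried an IDr payload, which identity pair charon matched peer configs against, which conn it selected, whether the PSK lookup failed and for which identities, and whether the IKE_SA came up. The failing sample is copied from the responder log at the top of the thread; the working sample is built from the quoted initiator-side lines with a constructed syslog prefix (hostname `gw`, thread `10`), since the thread quotes those lines without one.

```python
"""Triage of strongSwan charon IKE_AUTH log lines (added example, not project code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Responder-side lines copied from the failing exchange in the thread.
FAILING_LOG = """\
Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] looking for peer configs matching x.x.x.96[%any]...x.x.x.200[x.x.x.200]
Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] selected peer config 'VPN'
Apr 28 07:49:06 R6250 daemon.info charon: 15[IKE] no shared key found for '%any' - 'x.x.x.200'
Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Initiator-side lines from the working exchange; the syslog prefix (host "gw",
# thread 10) is constructed because the thread quotes these lines without it.
WORKING_LOG = """\
Apr 27 20:00:00 gw charon: 10[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
Apr 27 20:00:00 gw charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Apr 27 20:00:00 gw charon: 10[IKE] authentication of '137.135.x.x' with pre-shared key successful
Apr 27 20:00:00 gw charon: 10[IKE] IKE_SA Azure[2] established between 85.24.x.x[hostname]...137.135.x.x[137.135.x.x]
"""

# "charon: <thread>[<GROUP>] <message>" is the standard charon syslog layout.
CHARON_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
AUTH_REQ_RE = re.compile(r"(?:parsed|generating) IKE_AUTH request \d+ \[ (?P<payloads>[^\]]*)\]")
AUTH_RESP_RE = re.compile(r"(?:parsed|generating) IKE_AUTH response \d+ \[ (?P<payloads>[^\]]*)\]")
MATCH_RE = re.compile(r"looking for peer configs matching "
                      r"(?P<laddr>\S+?)\[(?P<lid>[^\]]+)\]\.\.\.(?P<raddr>\S+?)\[(?P<rid>[^\]]+)\]")
SELECTED_RE = re.compile(r"selected peer config '(?P<name>[^']+)'")
NOKEY_RE = re.compile(r"no shared key found for '(?P<lid>[^']+)' - '(?P<rid>[^']+)'")
ESTABLISHED_RE = re.compile(r"IKE_SA (?P<name>\S+)\[\d+\] established between (?P<local>.+?)\.\.\.(?P<remote>\S+)")


@dataclass
class IkeAuthTrace:
    thread: Optional[str] = None
    idr_sent: Optional[bool] = None                    # IDr payload present in the IKE_AUTH request
    match_ids: Optional[Tuple[str, str]] = None        # (local id, remote id) used for config matching
    selected_config: Optional[str] = None
    psk_lookup_ids: Optional[Tuple[str, str]] = None   # set when "no shared key found" is logged
    auth_failed: bool = False                          # AUTH_FAILED notify sent or received
    established: Optional[str] = None                  # IKE_SA name once established
    findings: List[str] = field(default_factory=list)


def parse_charon_lines(text: str):
    """Yield (thread, group, message) for each charon syslog line; other lines are skipped."""
    for line in text.splitlines():
        m = CHARON_RE.search(line)
        if m:
            yield m.group("thread"), m.group("group"), m.group("msg")


def triage_ike_auth(text: str) -> IkeAuthTrace:
    """Summarise a single IKE_AUTH exchange from charon log lines."""
    t = IkeAuthTrace()
    for thread, _group, msg in parse_charon_lines(text):
        if (m := AUTH_REQ_RE.search(msg)):
            t.thread = thread
            t.idr_sent = "IDr" in m.group("payloads").split()
        elif (m := AUTH_RESP_RE.search(msg)):
            if "N(AUTH_FAILED)" in m.group("payloads").split():
                t.auth_failed = True
        elif (m := MATCH_RE.search(msg)):
            t.match_ids = (m.group("lid"), m.group("rid"))
        elif (m := SELECTED_RE.search(msg)):
            t.selected_config = m.group("name")
        elif (m := NOKEY_RE.search(msg)):
            t.psk_lookup_ids = (m.group("lid"), m.group("rid"))
        elif (m := ESTABLISHED_RE.search(msg)):
            t.established = m.group("name")
    # Turn the raw observations into findings a human can act on.
    if t.idr_sent is False and t.match_ids and t.match_ids[0] == "%any":
        t.findings.append("request carried no IDr, so peer configs were matched with local identity '%any'")
    if t.selected_config:
        t.findings.append("charon selected peer config %r; check that this is the conn you intended" % t.selected_config)
    if t.psk_lookup_ids:
        t.findings.append("no PSK matched the identity pair %r - %r; ipsec.secrets needs a selector pair covering these identities" % t.psk_lookup_ids)
    if t.auth_failed:
        t.findings.append("exchange ended with AUTH_FAILED")
    if t.established:
        t.findings.append("IKE_SA %r established" % t.established)
    return t


if __name__ == "__main__":
    for label, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(label)
        for finding in triage_ike_auth(log).findings:
            print("  -", finding)
```

Feed it the responder's log (or `journalctl -u strongswan` output) and the findings show at a glance which conn was picked and which identity pair the PSK lookup ran with, which is exactly the pair an ipsec.secrets line has to cover under the "one secret per identity" rule from the reply above.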