Hello Dusan,

Don't set "left".
Set "right=%remoteDNSname" and "rightid=remoteDNSname". Use the following 
verbatim as selector: "remoteDNSname". DO NOT use "%remoteDNSname".
Secrets are looked up based on the remote peer's ID, not the local one's. 
There's no need to use IPs as IDs with IKEv2. The IDs can be read from the
packets without looking up the secret first and decrypting the packet.

It doesn't matter if the local peer has a changing IP, unless you restrict 
IKE_SAs by the source IP, which you don't have to do at all and just
gives you more problems unless you really know what you're doing.

Kind regards,
Noel

On 28.04.2017 10:03, Dusan Ilic wrote:
>
> Here is another example (dynamic DNS both sides), other side is initiating.
>
>
> Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] x.x.x.200 is initiating an 
> IKE_SA
> Apr 28 07:49:06 R6250 authpriv.info charon: 12[IKE] x.x.x.200 is initiating 
> an IKE_SA
> Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] sending cert request for 
> "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
> Apr 28 07:49:06 R6250 daemon.info charon: 12[ENC] generating IKE_SA_INIT 
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Apr 28 07:49:06 R6250 daemon.info charon: 12[NET] sending packet: from 
> x.x.x.96[500] to x.x.x.200[500] (337 bytes)
> Apr 28 07:49:06 R6250 daemon.info charon: 15[NET] received packet: from 
> x.x.x.200[500] to x.x.x.96[500] (220 bytes)
> Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] parsed IKE_AUTH request 1 [ 
> IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
> Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] looking for peer configs 
> matching x.x.x.96[%any]...x.x.x.200[x.x.x.200]
> Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] selected peer config 'VPN'
> Apr 28 07:49:06 R6250 daemon.info charon: 15[IKE] no shared key found for 
> '%any' - 'x.x.x.200'
> Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] generating IKE_AUTH 
> response 1 [ N(AUTH_FAILED) ]
> Apr 28 07:49:06 R6250 daemon.info charon: 15[NET] sending packet: from 
> x.x.x.96[500] to x.x.x.200[500] (76 bytes)
>
> Peer config is the wrong one, below is the config and IPsec secrets
>
> conn test
>         keylife=3600s
>         ikelifetime=28800s
>         left=%local.net
>         leftsubnet=10.1.1.0/26
>         right=%remote.net
>         rightsubnet=192.168.18.0/24,10.0.0.0/24
>         ike=aes128-sha1-modp1024
>         esp=aes128-sha1-modp1024
>
> IPsec secret
>
> %local.net %remote.net : PSK "XXX"
>
> In my understanding from the strongSwan documentation, if a hostname is 
> prefixed with "%" it will do a DNS lookup and use those IP addresses?
>
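The quoted configuration with the change the reply recommends, written out as an added example (not the poster's or the project's own files). The connection name, subnets, proposals and the DNS names local.net / remote.net are taken from the quoted message; the file names ipsec.conf and ipsec.secrets are the standard strongSwan ones and the placement of the comments is my own:

```ini
# ipsec.conf (added example; names and subnets as in the quoted message)
conn test
        keylife=3600s
        ikelifetime=28800s
        # "left=" is left unset on purpose: charon selects the local address
        # itself, so a local IP that changes (dynamic DNS) is not a problem.
        leftsubnet=10.1.1.0/26
        # "%remote.net" is resolved when we initiate; when we respond, no
        # source-IP restriction is applied to the peer.
        right=%remote.net
        # The identity the peer must present in IDi. No "%" prefix here:
        # this is a string the ID is compared against, not an address.
        rightid=remote.net
        rightsubnet=192.168.18.0/24,10.0.0.0/24
        ike=aes128-sha1-modp1024
        esp=aes128-sha1-modp1024

# ipsec.secrets (added example)
# The selector is the remote peer's ID, again with no "%" prefix. The
# local side's ID is not part of the lookup, so the "%local.net" selector
# from the quoted secrets line is dropped.
remote.net : PSK "XXX"
```

Two things to check against the quoted log. The line `looking for peer configs matching x.x.x.96[%any]...x.x.x.200[x.x.x.200]` shows the peer currently identifies itself by its IP address, so the other side also has to send the FQDN as its own identity (its `leftid=remote.net`, mirrored on that host) before the `remote.net` selector can match; otherwise the `no shared key found` error just moves to the new selector. The `ike=`/`esp=` proposals are carried over unchanged from the quoted config; `modp1024` and `sha1` are kept only to stay faithful to the page and are not settings to copy into a new deployment.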
