Hi Noel,
Okey, if I don't set "left" and initiate the connection it takes the
wrong route (multiple WAN-interfaces) and the remote peer don't expect
that source IP. Probably works better if the remote peer is initiating
connection instead.
If I set "left=%local.example" and "right" / "rightid" as you suggest I
get the following output n logfile:
Apr 29 00:10:51 R6250 daemon.info charon: 10[IKE] tried 1 shared key for
'local.example' - '137.135.x.x', but MAC mismatched
Apr 29 00:10:51 R6250 daemon.info charon: 10[ENC] generating
INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
If i fiddle in ipsec.secrets a bit, i get this instead:
authentication of '137.135.x.x' with pre-shared key successful
constraint check failed: identity 'remote.example' required
selected peer config 'site2site' inacceptable: constraint checking failed
no alternative config found
When remote peer tries to connect instead:
Apr 29 00:08:44 R6250 daemon.info charon: 06[CFG] looking for peer
configs matching 85.24.x.x[%any]...137.135.x.x[137.135.x.x]
Apr 29 00:08:44 R6250 daemon.info charon: 06[CFG] selected peer config 'vpn'
Apr 29 00:08:44 R6250 daemon.info charon: 06[IKE] no shared key found
for '%any' - '137.135.x.x'
Config 'vpn' is a completely different connection definition.
Den 2017-04-28 kl. 16:48, skrev Noel Kuntze:
Hello Dusan,
Don't set "left".
Set "right=%remoteDNSname" and "rightid="remoteDNSname". Use the following verbatim as
selector "remoteDNSname". DO NOT use %remoteDNSname".
Secrets are looked up based on the remote peer's ID, not the local one's.
There's no need to use IPs as IDs with IKEv2. The IDs can be read from the
packets without looking up the secret first and decrypting the packet..
It doesn't matter if the local peer has a changing IP, unless you restrict
IKE_SAs by the source IP, which you don't have to do at all and just
gives you more problems unless you really know what you're doing.
Kind regards,
Noel
On 28.04.2017 10:03, Dusan Ilic wrote:
Here is another example (dynamic DNS both sides), other side is initiating.
Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] x.x.x.200 is initiating an
IKE_SA
Apr 28 07:49:06 R6250 authpriv.info charon: 12[IKE] x.x.x.200 is initiating an
IKE_SA
Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] sending cert request for "C=US,
O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Apr 28 07:49:06 R6250 daemon.info charon: 12[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 28 07:49:06 R6250 daemon.info charon: 12[NET] sending packet: from
x.x.x.96[500] to x.x.x.200[500] (337 bytes)
Apr 28 07:49:06 R6250 daemon.info charon: 15[NET] received packet: from
x.x.x.200[500] to x.x.x.96[500] (220 bytes)
Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] parsed IKE_AUTH request 1 [
IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] looking for peer configs
matching x.x.x.96[%any]...x.x.x.200[x.x.x.200]
Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] selected peer config 'VPN'
Apr 28 07:49:06 R6250 daemon.info charon: 15[IKE] no shared key found for
'%any' - 'x.x.x.200'
Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] generating IKE_AUTH response
1 [ N(AUTH_FAILED) ]
Apr 28 07:49:06 R6250 daemon.info charon: 15[NET] sending packet: from
x.x.x.96[500] to x.x.x.200[500] (76 bytes)
Peer config is the wrong one, below is the config and IPsec secrets
conn test
keylife=3600s
ikelifetime=28800s
left=%local.net
leftsubnet=10.1.1.0/26
right=%remote.net
rightsubnet=192.168.18.0/24,10.0.0.0/24
ike=aes128-sha1-modp1024
esp=aes128-sha1-modp1024
IPsec secret
%local.net %remote.net : PSK "XXX"
In my understanding from the Strongswan documentation, if hostname is prefixed with
"%" it will do a DNS-lookup and use those IP-adresses?
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
