Hello Dusan,

On 29.04.2017 18:34, Dusan Ilic wrote:
> It works! I found a hidden setting under Phase 1 in Fortigate where I could
> add the local ID. Added its dynamic DNS hostname and now it connects.

Great!

> However, I still have issues with another endpoint I'm testing. My local
> endpoint has strongSwan 5.5.1 and the remote endpoint has 4.5.2. Would that
> present any issues or incompatibilities? Unfortunately it's not possible to
> upgrade the remote endpoint (strongSwan).

Pluto resolves IDs that are FQDNs. I think there was a hack, where you add the
at-character in front of the FQDN in the ID settings and that stops it from
doing that. Might apply to charon, too, in such a low version number. Try the
hack.

> I tried below, per your suggestion
>
> left=%local.example
> leftid=local.example
> right=%remote.example
> rightid=remote.example
>
> remote.example : PSK "PSKGOESHERE"
>
> Log when local side initiates connection:
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error

You need to read the remote logs when the remote side sends you an error
message.

> Log when remote side initiates connection:
> Apr 29 16:32:20 R6250 daemon.info charon: 10[CFG] looking for peer configs
> matching 85.24.x.x[85.24.x.x]...94.254.x.x[94.254.x.x]
> Apr 29 16:32:20 R6250 daemon.info charon: 10[CFG] no matching peer config
> found
>
> It looks like the same issue, the remote endpoint doesn't send the configured
> ID?

Yes.

> And another question, when using dynamic hostnames instead of IPs as
> "right", how often does strongSwan make a new DNS lookup? How does strongSwan
> handle the situation where let's say the remote endpoint suddenly receives a
> new IP? Or if the local side receives a new IP during an established
> connection?

strongSwan does a DNS lookup whenever it tries to select a configuration.

Well, depends on if MOBIKE is used or not and if the peer whose IP changed
can't send any traffic anymore.

MOBIKE and connectivity: IKE_SA and CHILD_SAs are migrated.
No MOBIKE and connectivity: Don't know. Maybe a new IKE_SA is negotiated,
because the one peer knows the local address has vanished (and the CHILD_SAs
migrated?).
No MOBIKE and no connectivity: Timeout, if DPD is used. Otherwise the IKE_SA
and CHILD_SAs remain until the remote peer connects again.
MOBIKE and no connectivity: Timeout, if DPD is used. Otherwise the IKE_SA and
CHILD_SAs remain until the remote peer connects again.

Kind regards,
Noel
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
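The charon lines quoted in the thread show the responder looking for a peer config where the remote identity is just the remote IP address rather than the configured FQDN, which is why no config matches. As an added example that is not part of this thread or of strongSwan itself, the Python below parses those `looking for peer configs matching` lines and flags when either side's identity is merely its address; the sample log lines are constructed, modelled on the format quoted above.

```python
import re
from typing import Optional

# Constructed sample log, modelled on the charon output quoted in the thread.
# First pair: the failing case (peer ID == peer address). Second pair: a
# constructed healthy case where both sides present their FQDN IDs.
SAMPLE_LOG = """\
Apr 29 16:32:20 R6250 daemon.info charon: 10[CFG] looking for peer configs matching 85.24.1.2[85.24.1.2]...94.254.3.4[94.254.3.4]
Apr 29 16:32:20 R6250 daemon.info charon: 10[CFG] no matching peer config found
Apr 29 16:40:01 R6250 daemon.info charon: 11[CFG] looking for peer configs matching 85.24.1.2[local.example]...94.254.3.4[remote.example]
Apr 29 16:40:01 R6250 daemon.info charon: 11[CFG] selected peer config 'remote.example'
"""

# charon prints: looking for peer configs matching <me>[<my_id>]...<other>[<other_id>]
PEER_MATCH = re.compile(
    r"looking for peer configs matching "
    r"(?P<my_addr>\S+?)\[(?P<my_id>[^\]]*)\]\.\.\."
    r"(?P<other_addr>\S+?)\[(?P<other_id>[^\]]*)\]"
)


def parse_peer_match(line: str) -> Optional[dict]:
    """Return the four fields of a 'looking for peer configs' line, or None."""
    m = PEER_MATCH.search(line)
    return m.groupdict() if m else None


def id_is_address(identity: str, address: str) -> bool:
    """True when a peer identified itself by its IP instead of a configured ID."""
    return identity == address


def diagnose(log_text: str) -> list:
    """Summarise every config lookup in the log, flagging address-only IDs.

    A remote_id_is_address hit is the symptom from the thread: the initiator
    never sent its configured leftid, so rightid=<fqdn> cannot match."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_peer_match(line)
        if fields is None:
            continue
        findings.append({
            "remote_addr": fields["other_addr"],
            "remote_id": fields["other_id"],
            "remote_id_is_address": id_is_address(fields["other_id"], fields["other_addr"]),
            "local_id_is_address": id_is_address(fields["my_id"], fields["my_addr"]),
        })
    return findings
```

Feed it the responder's charon log (the remote side's, as Noel says, since that is where the failure is decided); any entry with `remote_id_is_address` true points at the initiator's ID configuration rather than at the PSK.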
