Hi folks, I have to connect a Kyocera ECOSYS M8130 printer (running in a foreign environment behind a NAT) to my local network via our road warrior IPsec gateway. Strongswan 5.6.2. rightsourceip is %dhcp, as for the road warriors.
The printer has built-in IKEv2 and IPsec support. Problem: Authentication via PSK or certificate (not shown here) succeeds, but then the printer and strongswan seem to disagree about the further steps.

Logfile:

Jul 13 13:35:57 10[NET] <2100> received packet: from 192.168.142.13[52583] to 192.168.142.17[500] (432 bytes)
Jul 13 13:35:57 10[ENC] <2100> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 13 13:35:57 10[IKE] <2100> 192.168.142.13 is initiating an IKE_SA
Jul 13 13:35:57 10[IKE] <2100> remote host is behind NAT
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[IKE] <2100> sending cert request for "..."
Jul 13 13:35:57 10[ENC] <2100> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) V ]
Jul 13 13:35:57 10[NET] <2100> sending packet: from 192.168.142.17[500] to 192.168.142.13[52583] (585 bytes)
Jul 13 13:35:57 16[NET] <2100> received packet: from 192.168.142.13[60908] to 192.168.142.17[4500] (288 bytes)
Jul 13 13:35:57 16[ENC] <2100> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jul 13 13:35:57 16[CFG] <2100> looking for peer configs matching 192.168.142.17[gate.example.com]...192.168.142.13[prn17.red.example.de]
Jul 13 13:35:57 16[CFG] <prn17-ikev2|2100> selected peer config 'prn17-ikev2'
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> authentication of 'prn17.red.example.de' with pre-shared key successful
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> authentication of 'gate.example.com' (myself) with pre-shared key
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> IKE_SA prn17-ikev2[2100] established between 192.168.142.17[gate.example.com]...192.168.142.13[prn17.red.example.de]
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> scheduling reauthentication in 86135s
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> maximum IKE_SA lifetime 86315s
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> expected a virtual IP request, sending FAILED_CP_REQUIRED
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> traffic selectors 0.0.0.0/0 === 10.100.0.17/32 inacceptable
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> failed to establish CHILD_SA, keeping IKE_SA
Jul 13 13:35:57 16[ENC] <prn17-ikev2|2100> generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Jul 13 13:35:57 16[NET] <prn17-ikev2|2100> sending packet: from 192.168.142.17[4500] to 192.168.142.13[60908] (160 bytes)
:
:
Jul 13 13:36:27 29[IKE] <prn17-ikev2|2100> sending DPD request
Jul 13 13:36:27 29[ENC] <prn17-ikev2|2100> generating INFORMATIONAL request 0 [ ]
Jul 13 13:36:27 29[NET] <prn17-ikev2|2100> sending packet: from 192.168.142.17[4500] to 192.168.142.13[60908] (80 bytes)
Jul 13 13:36:27 14[NET] <prn17-ikev2|2100> received packet: from 192.168.142.13[60908] to 192.168.142.17[4500] (80 bytes)
Jul 13 13:36:27 14[ENC] <prn17-ikev2|2100> parsed INFORMATIONAL response 0 [ ]
:

Please note the "expected a virtual IP request". Unfortunately the printer does not provide any logging, AFAICT.

Every helpful comment is highly appreciated.

Harri

-----------------------------------------------------------------------------

ipsec.conf:

conn %default
    # left=%any
    left = gate.example.com
    fragmentation = yes
    leftsubnet = 172.16.96.0/19
    leftfirewall = no
    ikelifetime = 1d
    lifetime = 8h
    rekey = yes
    dpdaction = none        # default: no dead peer detection
    dpddelay = 30s          # default: 30s
    dpdtimeout = 150s       # default: 150s, used for IKEv1 only
#
# IKEv2 using RSA authentication
conn IPSec-IKEv2
    keyexchange = ikev2
    leftcert = gate.example.com_3.pem
    also = roadwarrior
    ike = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024!
    esp = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256,aes256-sha1,aes128-sha1!
    right = %any
    rightca = "C=DE, O=example, OU=Certificate Authority, CN=root-CA"
    rightauth = pubkey
    rightsendcert = ifasked
    rightsourceip = %dhcp
    auto = add
#
# connection to prn17
conn prn17-ikev2
    # left=%any
    left = gate.example.com
    leftid = @gate.example.com
    leftfirewall = no
    right = 5.145.142.13
    rightid = @prn17.red.example.de
    rightsourceip = %dhcp
    authby = secret
    keyexchange = ikev2
    ike = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024!
    esp = aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024,aes256-sha256,aes256-sha1,aes128-sha1!
    ikelifetime = 1d
    lifetime = 1h
    rekey = yes
    rekeymargin = 3m
    keyingtries = 1
    auto = add
    dpdaction = hold
    dpddelay = 30s
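As an added example (not part of Harri's post and not strongSwan's own tooling), a small Python parser for charon log lines in the format quoted above: it groups lines per IKE_SA and reports SAs that authenticated but got no CHILD_SA, together with the notifies sent in the IKE_AUTH response (FAIL_CP_REQ, TS_UNACCEPT) and the rejected traffic selectors. The sample lines are constructed after the post's log; the `<conn|id>` / `<id>` prefix handling and the regexes are my assumptions about the format.

```python
import re
from collections import defaultdict

# Constructed sample in the charon log format shown in the post (not the full log)
SAMPLE_LOG = """\
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> IKE_SA prn17-ikev2[2100] established between 192.168.142.17[gate.example.com]...192.168.142.13[prn17.red.example.de]
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> expected a virtual IP request, sending FAILED_CP_REQUIRED
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> traffic selectors 0.0.0.0/0 === 10.100.0.17/32 inacceptable
Jul 13 13:35:57 16[IKE] <prn17-ikev2|2100> failed to establish CHILD_SA, keeping IKE_SA
Jul 13 13:35:57 16[ENC] <prn17-ikev2|2100> generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Jul 13 13:36:27 29[IKE] <prn17-ikev2|2100> sending DPD request
"""

# charon prints "<conn|id>" once a peer config was selected and "<id>" before that (assumed format)
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ +\d+\[(?P<grp>\w+)\] <(?:(?P<conn>[^|>]+)\|)?(?P<id>\d+)> (?P<msg>.*)$")
NOTIFY_RE = re.compile(r"N\((\w+)\)")
TS_RE = re.compile(r"traffic selectors (\S+) === (\S+) inacceptable")

def parse_line(line):
    """Return (group, conn, sa_id, message) or None for lines that are not charon messages."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("grp"), m.group("conn"), int(m.group("id")), m.group("msg")

def summarize(log_text):
    """Per IKE_SA id: whether the IKE_SA was established, whether the CHILD_SA failed,
    which notifies went out in IKE_AUTH responses and which traffic selectors were rejected."""
    sas = defaultdict(lambda: {"conn": None, "established": False, "child_failed": False,
                               "auth_notifies": [], "rejected_ts": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        grp, conn, sa_id, msg = parsed
        sa = sas[sa_id]
        if conn:
            sa["conn"] = conn
        if msg.startswith("IKE_SA ") and " established " in msg:
            sa["established"] = True
        elif msg.startswith("failed to establish CHILD_SA"):
            sa["child_failed"] = True
        elif grp == "ENC" and "generating IKE_AUTH response" in msg:
            sa["auth_notifies"].extend(NOTIFY_RE.findall(msg))
        ts = TS_RE.match(msg)
        if ts:
            sa["rejected_ts"].append((ts.group(1), ts.group(2)))
    return dict(sas)

def child_sa_failures(log_text):
    """IKE_SAs that authenticated but got no CHILD_SA, with the notifies that say why."""
    return {sa_id: s for sa_id, s in summarize(log_text).items()
            if s["established"] and s["child_failed"]}
```

Running `child_sa_failures` over the sample yields one entry for SA 2100 with notifies AUTH_LFT, FAIL_CP_REQ, TS_UNACCEPT and the rejected pair 0.0.0.0/0 === 10.100.0.17/32.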