Hello!

I am trying to connect from Windows 10 to CentOS 7 with IKEv2 and RSA keys, but I get an "INTERNAL_ADDRESS_FAILURE" error.

I tried to set the IP address on the Windows VPN connection manually, with no success.

Any suggestions?


strongSwan version is 5.7.2

swanctl.conf

=================================swanctl.conf==============================

authorities {
        main {
                cacert = /etc/strongswan/swanctl/x509ca/cacert.pem
        }
}
default-ike2 {
        version = 2
        proposals = aes256-sha1-ecp256, aes128-sha1-ecp256, aes128-sha1-prfsha256-modp3072, aes256-sha1-modp2048, aes256-sha256-modp2048, aes256-sha384-modp2048, aes256-sha1-modp1024, aes256-sha256-modp1024, aes256-sha384-modp1024
#       remote_addrs = 1.1.1.3,1.1.2.2,1.1.3.2,1.1.4.2
        dpd_delay = 30
        dpd_timeout = 10
        rekey_time = 120
        local0 {
# relative to x509 dir
                auth = pubkey
                certs = ns1cert.pem
                # ?? need? pubkeys = key.pub,key2.pub
        }
}
default-eap {
}
default-windos {
        rekey_time = 0
        pools = windos-pool
}
connections {
        nix-conn : default-ike2,default-eap {
                children {
                        g6 {
                                local_ts = 192.168.4.3

                                remote_ts = 192.168.8.1
                                dpd_action = clear
                        }
                }
        }
        win10 : default-ike2,default-eap,default-windos {
                version = 2
                proposals = aes256-sha1-modp2048, aes256-sha256-modp2048, aes256-sha384-modp2048, aes256-sha1-modp1024, aes256-sha256-modp1024, aes256-sha384-modp1024
                children {
                        winx {
                                local_ts = 192.168.4.0/22, 192.168.8.0/22
                                rekey_time = 0
                        }
                }
        }
}

pools {
        windos-pool {
                addrs = 172.16.2.11-172.16.2.19
                dns = 8.8.8.8
        }
}
=================================END swanctl.conf==============================

=================================/var/log/messages==============================

Jul 22 20:26:06 ns1 charon: 09[CFG] loaded RSA private key
Jul 22 20:26:06 ns1 charon: 11[CFG] loaded RSA private key
Jul 22 20:26:06 ns1 charon: 13[CFG] added vici pool windos-pool: 172.16.2.11, 9 entries
Jul 22 20:26:06 ns1 charon: 12[CFG]   id not specified, defaulting to cert subject 'C=RU, O=YOGURT, CN=ns1.nuts.ru'
Jul 22 20:26:06 ns1 charon: 12[CFG] added vici connection: nix-conn
Jul 22 20:26:06 ns1 charon: 10[CFG]   id not specified, defaulting to cert subject 'C=RU, O=YOGURT, CN=ns1.nuts.ru'
Jul 22 20:26:06 ns1 charon: 10[CFG] added vici connection: win10
Jul 22 20:26:15 ns1 charon: 11[NET] received packet: from 10.145.2.7[500] to 1.1.2.2[500] (624 bytes)
Jul 22 20:26:15 ns1 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul 22 20:26:15 ns1 charon: 11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jul 22 20:26:15 ns1 charon: 11[IKE] received MS-Negotiation Discovery Capable vendor ID
Jul 22 20:26:15 ns1 charon: 11[IKE] received Vid-Initial-Contact vendor ID
Jul 22 20:26:15 ns1 charon: 11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul 22 20:26:15 ns1 charon: 11[IKE] 10.145.2.7 is initiating an IKE_SA
Jul 22 20:26:15 ns1 charon: 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 22 20:26:15 ns1 charon: 11[IKE] faking NAT situation to enforce UDP encapsulation
Jul 22 20:26:15 ns1 charon: 11[IKE] sending cert request for "C=RU, O=YOGURT, CN=CA Authority"
Jul 22 20:26:15 ns1 charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) V ]
Jul 22 20:26:15 ns1 charon: 11[NET] sending packet: from 1.1.2.2[500] to 10.145.2.7[500] (365 bytes)
Jul 22 20:26:15 ns1 charon: 13[NET] received packet: from 10.145.2.7[4500] to 1.1.2.2[4500] (576 bytes)
Jul 22 20:26:15 ns1 charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(1/5) ]
Jul 22 20:26:15 ns1 charon: 13[ENC] received fragment #1 of 5, waiting for complete IKE message
Jul 22 20:26:15 ns1 charon: 13[NET] received packet: from 10.145.2.7[4500] to 1.1.2.2[4500] (576 bytes)
Jul 22 20:26:15 ns1 charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(2/5) ]
Jul 22 20:26:15 ns1 charon: 13[ENC] received fragment #2 of 5, waiting for complete IKE message
Jul 22 20:26:15 ns1 charon: 13[NET] received packet: from 10.145.2.7[4500] to 1.1.2.2[4500] (576 bytes)
Jul 22 20:26:15 ns1 charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(3/5) ]
Jul 22 20:26:15 ns1 charon: 13[ENC] received fragment #3 of 5, waiting for complete IKE message
Jul 22 20:26:15 ns1 charon: 13[NET] received packet: from 10.145.2.7[4500] to 1.1.2.2[4500] (576 bytes)
Jul 22 20:26:15 ns1 charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(4/5) ]
Jul 22 20:26:15 ns1 charon: 13[ENC] received fragment #4 of 5, waiting for complete IKE message
Jul 22 20:26:15 ns1 charon: 13[NET] received packet: from 10.145.2.7[4500] to 1.1.2.2[4500] (144 bytes)
Jul 22 20:26:15 ns1 charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(5/5) ]
Jul 22 20:26:15 ns1 charon: 13[ENC] received fragment #5 of 5, reassembled fragmented IKE message (2124 bytes)
Jul 22 20:26:15 ns1 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Jul 22 20:26:15 ns1 charon: 13[IKE] received cert request for "C=RU, O=YOGURT, CN=CA Authority"
Jul 22 20:26:15 ns1 charon: 13[IKE] received cert request for "C=RU, O=YOGURT, CN=w10.1"
Jul 22 20:26:15 ns1 charon: 13[IKE] received 32 cert requests for an unknown ca
Jul 22 20:26:15 ns1 charon: 13[IKE] received end entity cert "C=RU, O=YOGURT, CN=w10.1"
Jul 22 20:26:15 ns1 charon: 13[CFG] looking for peer configs matching 1.1.2.2[%any]...10.145.2.7[C=RU, O=YOGURT, CN=w10.1]
Jul 22 20:26:15 ns1 charon: 13[CFG] selected peer config 'nix-conn'
Jul 22 20:26:15 ns1 charon: 13[CFG]   using trusted ca certificate "C=RU, O=YOGURT, CN=CA Authority"
Jul 22 20:26:15 ns1 charon: 13[CFG] checking certificate status of "C=RU, O=YOGURT, CN=w10.1"
Jul 22 20:26:15 ns1 charon: 13[CFG] certificate status is not available
Jul 22 20:26:15 ns1 charon: 13[CFG]   reached self-signed root ca with a path length of 0
Jul 22 20:26:15 ns1 charon: 13[CFG]   using trusted certificate "C=RU, O=YOGURT, CN=w10.1"
Jul 22 20:26:15 ns1 charon: 13[IKE] authentication of 'C=RU, O=YOGURT, CN=w10.1' with RSA signature successful
Jul 22 20:26:15 ns1 charon: 13[IKE] peer supports MOBIKE
Jul 22 20:26:15 ns1 charon: 13[IKE] authentication of 'C=RU, O=YOGURT, CN=ns1.nuts.ru' (myself) with RSA signature successful
Jul 22 20:26:15 ns1 charon: 13[IKE] IKE_SA nix-conn[1] established between 1.1.2.2[C=RU, O=YOGURT, CN=ns1.nuts.ru]...10.145.2.7[C=RU, O=YOGURT, CN=w10.1]
Jul 22 20:26:15 ns1 charon: 13[IKE] scheduling rekeying in 118s
Jul 22 20:26:15 ns1 charon: 13[IKE] maximum IKE_SA lifetime 130s
Jul 22 20:26:15 ns1 charon: 13[IKE] sending end entity cert "C=RU, O=YOGURT, CN=ns1.nuts.ru"
Jul 22 20:26:15 ns1 charon: 13[IKE] peer requested virtual IP 172.16.2.11
Jul 22 20:26:15 ns1 charon: 13[IKE] no virtual IP found for 172.16.2.11 requested by 'C=RU, O=YOGURT, CN=w10.1'
Jul 22 20:26:15 ns1 charon: 13[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Jul 22 20:26:15 ns1 charon: 13[IKE] configuration payload negotiation failed, no CHILD_SA built
Jul 22 20:26:15 ns1 charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jul 22 20:26:15 ns1 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(INT_ADDR_FAIL) ]
Jul 22 20:26:15 ns1 charon: 13[ENC] splitting IKE message (1276 bytes) into 2 fragments
Jul 22 20:26:15 ns1 charon: 13[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jul 22 20:26:15 ns1 charon: 13[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jul 22 20:26:15 ns1 charon: 13[NET] sending packet: from 1.1.2.2[4500] to 10.145.2.7[4500] (1248 bytes)
Jul 22 20:26:15 ns1 charon: 13[NET] sending packet: from 1.1.2.2[4500] to 10.145.2.7[4500] (96 bytes)
Jul 22 20:26:45 ns1 charon: 14[IKE] sending DPD request
Jul 22 20:26:45 ns1 charon: 14[ENC] generating INFORMATIONAL request 0 [ ]
Jul 22 20:26:45 ns1 charon: 14[NET] sending packet: from 1.1.2.2[4500] to 10.145.2.7[4500] (76 bytes)
==============================END/var/log/messages==============================
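Added example, not part of the post above and not strongSwan's own code: a small Python parser over the charon log format shown in the post that pulls out the facts needed to diagnose an INTERNAL_ADDRESS_FAILURE. Two lines matter most. "selected peer config '...'" names the connection the peer actually matched, and charon hands out virtual IPs only from the pools that connection references, so the pools setting of the selected connection (not of the one you expected the client to use) is where to look. The sample lines are copied from the log in the post; the function names and the report layout are my own.

```python
import re
from typing import Dict, Iterator, List, Optional

# Sample input: charon lines copied from the log in the post above,
# reduced to the ones the diagnosis needs.
SAMPLE_LOG = """\
Jul 22 20:26:06 ns1 charon: 13[CFG] added vici pool windos-pool: 172.16.2.11, 9 entries
Jul 22 20:26:06 ns1 charon: 12[CFG] added vici connection: nix-conn
Jul 22 20:26:06 ns1 charon: 10[CFG] added vici connection: win10
Jul 22 20:26:15 ns1 charon: 13[CFG] looking for peer configs matching 1.1.2.2[%any]...10.145.2.7[C=RU, O=YOGURT, CN=w10.1]
Jul 22 20:26:15 ns1 charon: 13[CFG] selected peer config 'nix-conn'
Jul 22 20:26:15 ns1 charon: 13[IKE] IKE_SA nix-conn[1] established between 1.1.2.2[C=RU, O=YOGURT, CN=ns1.nuts.ru]...10.145.2.7[C=RU, O=YOGURT, CN=w10.1]
Jul 22 20:26:15 ns1 charon: 13[IKE] peer requested virtual IP 172.16.2.11
Jul 22 20:26:15 ns1 charon: 13[IKE] no virtual IP found for 172.16.2.11 requested by 'C=RU, O=YOGURT, CN=w10.1'
Jul 22 20:26:15 ns1 charon: 13[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
"""

# syslog prefix as written by charon: "<timestamp> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)


def parse_charon_lines(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per well-formed charon line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def diagnose_vip_failure(text: str) -> Dict[str, object]:
    """Collect the facts relevant to a virtual-IP (INTERNAL_ADDRESS_FAILURE) problem."""
    report: Dict[str, object] = {
        "pools": [],                     # pools charon actually loaded
        "connections": [],               # connections charon actually loaded
        "selected_config": None,         # the connection the peer matched
        "peer_id": None,                 # identity that asked for the address
        "requested_vip": None,           # address the client asked for
        "internal_address_failure": False,
    }
    pools: List[str] = report["pools"]          # type: ignore[assignment]
    conns: List[str] = report["connections"]    # type: ignore[assignment]
    for rec in parse_charon_lines(text):
        msg = rec["msg"]
        if (m := re.match(r"added vici pool (\S+):", msg)):
            pools.append(m.group(1))
        elif (m := re.match(r"added vici connection: (\S+)", msg)):
            conns.append(m.group(1))
        elif (m := re.match(r"selected peer config '([^']+)'", msg)):
            report["selected_config"] = m.group(1)
        elif (m := re.match(r"peer requested virtual IP (\S+)", msg)):
            report["requested_vip"] = m.group(1)
        elif (m := re.match(r"no virtual IP found for \S+ requested by '([^']+)'", msg)):
            report["peer_id"] = m.group(1)
        elif "sending INTERNAL_ADDRESS_FAILURE" in msg:
            report["internal_address_failure"] = True
    return report


def summarize(report: Dict[str, object]) -> str:
    """Turn the report into the one sentence an operator wants to read."""
    if not report["internal_address_failure"]:
        return "no INTERNAL_ADDRESS_FAILURE in this log"
    return (
        f"peer '{report['peer_id']}' matched connection '{report['selected_config']}' "
        f"and requested virtual IP {report['requested_vip']}; charon assigns virtual IPs "
        f"only from the pools referenced by that connection, so check its pools setting "
        f"(pools loaded: {', '.join(report['pools']) or 'none'}; "
        f"connections loaded: {', '.join(report['connections'])})"
    )


if __name__ == "__main__":
    print(summarize(diagnose_vip_failure(SAMPLE_LOG)))
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file contents; the parser ignores non-charon lines, so the whole file can be fed in unchanged.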
