Hello, I need to configure a VPN server for road warrior (RW) devices. The RW establishes the tunnel, and then a local process on the server hosting strongSwan must access the RW device. The RW config is preset; I can only change the VPN server IP address it reaches. My VPN server is behind my internet access router with NAT and port forwarding of ports 500/4500. I must be making a stupid error, but I cannot make it run. I looked at samples; I tried both ipsec.conf and swanctl.conf. With ipsec.conf, I always fail with "no matching peer config found". With swanctl, I found a way to establish the tunnel; keep-alives are exchanged, but the tunnel seems not to be well configured (for that I must add my public IP in the local_ts: local_ts = 192.168.1.55,XXX.XXX.166.2). I would appreciate your help.
Peer1 - AccessRouter1wNAT ============== MyAccessRouterwithNAT =================== ServerStrongSwan
        @PUB1                             My@Pub  192.168.1.1 (Defgwy)           192.168.1.55
                                          Port Forward (500,4500)
        =========================> <=========================================== HTTPS over Tunnel ===================

------------------------------------------------------------------------------------------------
# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="all"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret

conn Peervpn
    right=%any
    rightsubnet=10.10.10.0/28
    #My@PUB=XXX.XXX.166.2   # don't know what to do with my public address
    left=192.168.1.55
    leftfirewall=yes
    leftsubnet=192.168.1.0/24
    ah=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    ike=aes256-sha256-modp2048
    auto=add

------------------------------------------------------------------------------------------------
ipsec.secrets:

# This file holds shared secrets or RSA private keys for authentication.
10.10.10.1 : PSK myterriblesecretwithpeer1
myPeer1 : PSK myterriblesecretwithpeer1

------------------------------------------------------------------------------------------------
sudo ipsec statusall

Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.19.66-v7+, armv7l):
  uptime: 6 seconds, since Mar 30 09:45:02 2020
  malloc: sbrk 1216512, mmap 0, used 215368, free 1001144
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown
Listening IP addresses:
  192.168.1.55
  2a01:cb10:593:cf00:137:62f2:f7e8:274c
  10.6.0.1
Connections:
     Peervpn:  192.168.1.55...%any  IKEv2
     Peervpn:   local:  [192.168.1.55] uses pre-shared key authentication
     Peervpn:   remote: uses pre-shared key authentication
     Peervpn:   child:  192.168.1.0/24 === 10.10.10.0/28 TUNNEL
Security Associations (0 up, 0 connecting):
  none

------------------------------------------------------------------------------------------------
sudo swanctl --log

10[NET] received packet: from 80.14.87.221[58694] to 192.168.1.55[500] (464 bytes)
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
10[IKE] 80.14.87.221 is initiating an IKE_SA
10[IKE] local host is behind NAT, sending keep alives
10[IKE] remote host is behind NAT
10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
10[NET] sending packet: from 192.168.1.55[500] to 80.14.87.221[58694] (464 bytes)
14[NET] received packet: from 80.14.87.221[58698] to 192.168.1.55[4500] (304 bytes)
14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
14[CFG] looking for peer configs matching 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1]
14[CFG] no matching peer config found
14[IKE] peer supports MOBIKE
14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
14[NET] sending packet: from 192.168.1.55[4500] to 80.14.87.221[58698] (80 bytes)

------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------

Don't waste your time with this second syntax based on swanctl if you found how to set up the ipsec.conf one. When using swanctl.conf with my public IP in local_ts, the tunnel seems to be established but not the routing. Should I make it by hand in place of the _updown script, or is this tunnel badly set up?

XXX.XXX.166.2 {
    RemotePeers {
        version = 2
        proposals = aes256-sha256-modp2048
        local_addrs = 192.168.1.55
        pools = rw_pool
        local {
            # don't know why auth for local...
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            RemotePeersVPN {
                local_ts = 192.168.1.55,XXX.XXX.166.2
                #local_ts = 192.168.1.55
                # Don't know why I cannot find it in /usr/local/libexec but found it in /usr/lib
                # updown = /usr/local/libexec/ipsec/_updown iptables
                updown = /usr/lib/ipsec/_updown iptables
            }
        }
    }
}
pools {
    rw_pool {
        addrs = 10.10.10.0/28
    }
}
secrets {
    ike-remote-Peer1 {
        id = myPeer1
        secret = myterriblesecretwithpeer1
    }
}

------------------------------------------------------------------------------------------------
sudo ipsec statusall

XXX.XXX.166.2:
  RemotePeers:  192.168.1.55...%any  IKEv2
  RemotePeers:   local:  uses pre-shared key authentication
  RemotePeers:   remote: uses pre-shared key authentication
  RemotePeersVPN:   child:  192.168.1.55/32 XXX.XXX.166.2/32 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none

------------------------------------------------------------------------------------------------
sudo swanctl --log

12[NET] received packet: from 80.14.87.221[58736] to 192.168.1.55[500] (464 bytes)
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
12[IKE] 80.14.87.221 is initiating an IKE_SA
12[IKE] local host is behind NAT, sending keep alives
12[IKE] remote host is behind NAT
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
12[NET] sending packet: from 192.168.1.55[500] to 80.14.87.221[58736] (464 bytes)
10[NET] received packet: from 80.14.87.221[58737] to 192.168.1.55[4500] (304 bytes)
10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
10[CFG] looking for peer configs matching 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1]
10[CFG] selected peer config 'RemotePeers'
10[IKE] authentication of 'myPeer1' with pre-shared key successful
10[IKE] peer supports MOBIKE
10[IKE] authentication of 'XXX.XXX.166.2' (myself) with pre-shared key
10[IKE] IKE_SA RemotePeers[1] established between 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1]
10[IKE] scheduling rekeying in 13593s
10[IKE] maximum IKE_SA lifetime 15033s
10[IKE] peer requested virtual IP %any
10[CFG] assigning new lease to 'myPeer1'
10[IKE] assigning virtual IP 10.10.10.1 to peer 'myPeer1'
10[IKE] CHILD_SA RemotePeersVPN{1} established with SPIs ca64039c_i c33dcf71_o and TS XXX.XXX.166.2/32 === 10.10.10.1/32
10[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
10[NET] sending packet: from 192.168.1.55[4500] to 80.14.87.221[58737] (288 bytes)
05[IKE] sending keep alive to 80.14.87.221[58737]
08[NET] received packet: from 80.14.87.221[58737] to 192.168.1.55[4500] (128 bytes)
08[ENC] parsed INFORMATIONAL request 2 [ N(NATD_S_IP) N(NATD_D_IP) ]
08[ENC] generating INFORMATIONAL response 2 [ N(NATD_S_IP) N(NATD_D_IP) ]
08[NET] sending packet: from 192.168.1.55[4500] to 80.14.87.221[58737] (128 bytes)

----------
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.19.66-v7+, armv7l):
XXX.XXX.166.2:
  RemotePeers:  192.168.1.55...%any  IKEv2
  RemotePeers:   local:  uses pre-shared key authentication
  RemotePeers:   remote: uses pre-shared key authentication
  RemotePeersVPN:   child:  192.168.1.55/32 XXX.XXX.166.2/32 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
  RemotePeers[1]: ESTABLISHED 7 minutes ago, 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1]
  RemotePeers[1]: IKEv2 SPIs: 51aac4f5007e70b6_i 88876b56d5d9029d_r*, rekeying in 3 hours
  RemotePeers[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  RemotePeersVPN{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ca64039c_i c33dcf71_o
  RemotePeersVPN{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes
  RemotePeersVPN{1}: XXX.XXX.166.2/32 === 10.10.10.1/32
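Added example, not part of the post above and not strongSwan project code: a corrected version of both configurations, written from the evidence in the logs. The line "looking for peer configs matching 192.168.1.55[XXX.XXX.166.2]...80.14.87.221[myPeer1]" shows that the road warrior sends IDr = the server's public address. In ipsec.conf, leftid defaults to the value of left, so the conn is registered with identity 192.168.1.55 (the statusall output shows "local: [192.168.1.55]") and nothing matches; in swanctl.conf, local.id defaults to %any, so charon adopts the IDr the peer proposes, which is why that variant authenticates. The negotiated traffic selector "XXX.XXX.166.2/32 === 10.10.10.1/32" shows that the preset road warrior only talks to the public address, so the server itself has to own that address for tunnelled packets to be delivered to a local process; attaching it to lo (command in the comments) is an assumption of this example, as are rightid/remote.id pinning and dropping the ah= line (an AH proposal cannot carry aes256, and ESP already provides integrity). The vici syntax only loads connections from a top-level `connections` section, so the example uses that name.

```conf
# ipsec.conf -- conn Peervpn with an explicit local identity (added example)
conn Peervpn
    keyexchange=ikev2
    authby=secret
    left=192.168.1.55
    # The road warrior sends IDr = the public address; without leftid, charon
    # registers this conn under 192.168.1.55 and "no matching peer config found".
    leftid=XXX.XXX.166.2
    # The preset road warrior's traffic selector is the public address /32
    # (negotiated TS XXX.XXX.166.2/32 === 10.10.10.1/32), so offer exactly that.
    leftsubnet=XXX.XXX.166.2/32
    leftfirewall=yes
    right=%any
    rightid=myPeer1
    # The peer requests a virtual IP (CPRQ(ADDR) in IKE_AUTH); rightsubnet
    # does not hand one out, rightsourceip does.
    rightsourceip=10.10.10.0/28
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    auto=add

# swanctl.conf -- the same connection in vici syntax (added example)
connections {
    RemotePeers {
        version = 2
        local_addrs = 192.168.1.55
        proposals = aes256-sha256-modp2048
        pools = rw_pool
        local {
            auth = psk
            # Pin the identity instead of relying on whatever IDr the peer sends.
            id = XXX.XXX.166.2
        }
        remote {
            auth = psk
            id = myPeer1
        }
        children {
            RemotePeersVPN {
                local_ts = XXX.XXX.166.2/32
                esp_proposals = aes256-sha256-modp2048
                updown = /usr/lib/ipsec/_updown iptables
            }
        }
    }
}
pools {
    rw_pool {
        addrs = 10.10.10.0/28
    }
}
secrets {
    ike-remote-Peer1 {
        id = myPeer1
        secret = myterriblesecretwithpeer1
    }
}

# Host-side assumption (not strongSwan configuration): the server must own the
# public address so that decrypted packets addressed to it are delivered locally,
# and the local process must send to 10.10.10.1 from that address, e.g.
#   ip addr add XXX.XXX.166.2/32 dev lo
# After the CHILD_SA is up, check the route charon installs toward 10.10.10.1:
#   ip route show table 220
# Its "src" must be XXX.XXX.166.2, otherwise outbound packets do not match the
# IPsec policy and leave in the clear or are dropped.
```

With either file in place, `swanctl --list-sas` (or `ipsec statusall`) should show the child with TS XXX.XXX.166.2/32 === 10.10.10.1/32 and, once the local process sends traffic, non-zero bytes_o on the CHILD_SA; a tunnel that stays at "0 bytes_i, 0 bytes_o" is the sign that the kernel is not routing the process's packets into the policy.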