<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; line-height: 15px; font: normal normal normal 18px/normal Consolas; ">Interestingly enough:</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; line-height: 15px; font: normal normal normal 18px/normal Consolas; min-height: 21px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; line-height: 15px; font: normal normal normal 18px/normal Consolas; ">I did simplify; oddly, though, if I had the L2TP connections listed before the rw-local or rw-local-nat connections, it wouldn't work.</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; line-height: 15px; font: normal normal normal 18px/normal Consolas; min-height: 21px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; line-height: 15px; font: normal normal normal 18px/normal Consolas; ">If, however, I had the L2TP connections listed after rw-local, IKEv2 address assignment worked fine.</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; line-height: 15px; font: normal normal normal 18px/normal Consolas; min-height: 21px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; line-height: 15px; font: normal normal normal 18px/normal Consolas; ">I think I may be a bit confused about IKEv1 & ModeCfg, though:</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; line-height: 15px; font: normal normal normal 18px/normal Consolas; ">I was expecting an 'internal' IP address to be assigned from the IP address pool; however this doesn't appear to be happening at all.  
(As before, no ModeCfg messages in the pluto log).</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; line-height: 15px; font: normal normal normal 18px/normal Consolas; min-height: 21px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; line-height: 15px; font: normal normal normal 18px/normal Consolas; ">I'm not sure if that's very important, since I'm still able to connect to the network fine; but I'd certainly appreciate some enlightenment if my expectation is wrong for IKEv1 & ModeCfg.</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; line-height: 15px; font: normal normal normal 18px/normal Consolas; "><br></div><div><div>On Sep 24, 2010, at 12:30 PM, Andreas Steffen wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Hi Troy,<br><br>everything looks fine. Since the charon daemon is aware of the IKEv1<br>connection definitions it might settle on one without a pool<br>declaration. Could you remove all IKEv1 connections from your ipsec.conf<br>and try again just to make sure. 
Just model it as close to the<br><br><a href="http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/">http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/</a><br>scenario and if this works, start to expand your definitions.<br><br>Regards<br><br>Andreas<br><br>On 09/24/2010 05:37 PM, Troy Telford wrote:<br><blockquote type="cite"><blockquote type="cite">do pluto and charon both load the attr-sql and sqlite plugins?<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">ipsec statusall should enumerate them.<br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">For pluto:<br></blockquote><blockquote type="cite">000 loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey<br></blockquote><blockquote type="cite">pkcs1 pgp dnskey pem sqlite openssl hmac gmp xauth attr attr-sql resolve <br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">For charon:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1<br></blockquote><blockquote type="cite">pgp dnskey pem sqlite openssl fips-prf xcbc hmac agent gmp attr attr-sql<br></blockquote><blockquote type="cite">resolve kernel-netlink socket-raw farp stroke updown eap-identity<br></blockquote><blockquote type="cite">eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp <br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">(It looks like the answer is yes to both)<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">My ipsec.sql is imported from:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><a href="http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/moon.ipsec.sql">http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/moon.ipsec.sql</a><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">And, for the 
sake of thoroughness, my /etc/strongswan.conf:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">charon {<br></blockquote><blockquote type="cite">    threads = 16<br></blockquote><blockquote type="cite">    plugins {<br></blockquote><blockquote type="cite">        sql {<br></blockquote><blockquote type="cite">            loglevel = -1<br></blockquote><blockquote type="cite">            database = <a href="sqlite:///etc.ipsec.d/ipsec.db">sqlite:///etc.ipsec.d/ipsec.db</a><br></blockquote><blockquote type="cite">        }<br></blockquote><blockquote type="cite">    }<br></blockquote><blockquote type="cite">}<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">pluto {<br></blockquote><blockquote type="cite">}<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">libstrongswan {<br></blockquote><blockquote type="cite">}<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">libhydra {<br></blockquote><blockquote type="cite">    plugins {<br></blockquote><blockquote type="cite">        attr-sql {<br></blockquote><blockquote type="cite">            database = <a href="sqlite:///etc/ipsec.d/ipsec.db">sqlite:///etc/ipsec.d/ipsec.db</a><br></blockquote><blockquote type="cite">        }<br></blockquote><blockquote type="cite">    }<br></blockquote><blockquote type="cite">}<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">pool {<br></blockquote><blockquote type="cite">    load = sqlite<br></blockquote><blockquote type="cite">}<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Lastly, the output of ipsec statusall<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">000 Status of IKEv1 pluto daemon (strongSwan 4.4.1):<br></blockquote><blockquote type="cite">000 interface eth0/eth0 2001:1938:240::1:500<br></blockquote><blockquote type="cite">000 interface lo/lo 
::1:500<br></blockquote><blockquote type="cite">000 interface sixxs/sixxs 2001:1938:81:a5::2:500<br></blockquote><blockquote type="cite">000 interface lo/lo 127.0.0.1:4500<br></blockquote><blockquote type="cite">000 interface lo/lo 127.0.0.1:500<br></blockquote><blockquote type="cite">000 interface eth2/eth2 192.168.2.1:4500<br></blockquote><blockquote type="cite">000 interface eth2/eth2 192.168.2.1:500<br></blockquote><blockquote type="cite">000 interface eth0/eth0 192.168.1.1:4500<br></blockquote><blockquote type="cite">000 interface eth0/eth0 192.168.1.1:500<br></blockquote><blockquote type="cite">000 interface eth1/eth1 76.27.20.26:4500<br></blockquote><blockquote type="cite">000 interface eth1/eth1 76.27.20.26:500<br></blockquote><blockquote type="cite">000 interface tun0/tun0 192.168.3.1:4500<br></blockquote><blockquote type="cite">000 interface tun0/tun0 192.168.3.1:500<br></blockquote><blockquote type="cite">000 %myid = '%any'<br></blockquote><blockquote type="cite">000 loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey<br></blockquote><blockquote type="cite">pkcs1 pgp dnskey pem sqlite openssl hmac gmp xauth attr attr-sql resolve <br></blockquote><blockquote type="cite">000 debug options: none<br></blockquote><blockquote type="cite">000 <br></blockquote><blockquote type="cite">000 "rw-dmz":<br></blockquote><blockquote type="cite">192.168.2.0/24===192.168.1.1[myhost.fdqn.net]---76.27.16.1...%any[C=US,<foo>,<br></blockquote><blockquote type="cite">CN=*, E=*]===%hostpool; unrouted; eroute owner: #0<br></blockquote><blockquote type="cite">000 "rw-dmz":   CAs: "C=US, <foo>"..."C=US, <foo>"<br></blockquote><blockquote type="cite">000 "rw-dmz":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s;<br></blockquote><blockquote type="cite">rekey_fuzz: 100%; keyingtries: 1<br></blockquote><blockquote type="cite">000 "rw-dmz":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;<br></blockquote><blockquote type="cite">000 "rw-dmz":   policy: 
PUBKEY+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY;<br></blockquote><blockquote type="cite">prio: 24,32; interface: eth0; <br></blockquote><blockquote type="cite">000 "rw-dmz":   newest ISAKMP SA: #0; newest IPsec SA: #0; <br></blockquote><blockquote type="cite">000 "rw-l2tp":<br></blockquote><blockquote type="cite">76.27.20.26[myhost.fdqn.net]:17/1701---76.27.16.1...%any[C=US,<foo>,<br></blockquote><blockquote type="cite">CN=*, E=*]:17/%any; unrouted; eroute owner: #0<br></blockquote><blockquote type="cite">000 "rw-l2tp":   CAs: "C=US, <foo>"..."C=US, <foo>"<br></blockquote><blockquote type="cite">000 "rw-l2tp":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s;<br></blockquote><blockquote type="cite">rekey_fuzz: 100%; keyingtries: 1<br></blockquote><blockquote type="cite">000 "rw-l2tp":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;<br></blockquote><blockquote type="cite">000 "rw-l2tp":   policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32;<br></blockquote><blockquote type="cite">interface: eth1; <br></blockquote><blockquote type="cite">000 "rw-l2tp":   newest ISAKMP SA: #0; newest IPsec SA: #0; <br></blockquote><blockquote type="cite">000 "rw-l2tp-nat":<br></blockquote><blockquote type="cite">76.27.20.26[myhost.fdqn.net]:17/1701---76.27.16.1...%virtual[C=US,<foo>,<br></blockquote><blockquote type="cite">CN=*, E=*]:17/%any===?; unrouted; eroute owner: #0<br></blockquote><blockquote type="cite">000 "rw-l2tp-nat":   CAs: "C=US, <foo>"..."C=US, <foo>"<br></blockquote><blockquote type="cite">000 "rw-l2tp-nat":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin:<br></blockquote><blockquote type="cite">180s; rekey_fuzz: 100%; keyingtries: 1<br></blockquote><blockquote type="cite">000 "rw-l2tp-nat":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;<br></blockquote><blockquote type="cite">000 "rw-l2tp-nat":   policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL; prio:<br></blockquote><blockquote type="cite">32,32; interface: eth1; <br></blockquote><blockquote 
type="cite">000 "rw-l2tp-nat":   newest ISAKMP SA: #0; newest IPsec SA: #0; <br></blockquote><blockquote type="cite">000 "rw-l2tp-psk":<br></blockquote><blockquote type="cite">76.27.20.26[76.27.20.26]:17/1701---76.27.16.1...%any[%any]:17/%any;<br></blockquote><blockquote type="cite">unrouted; eroute owner: #0<br></blockquote><blockquote type="cite">000 "rw-l2tp-psk":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin:<br></blockquote><blockquote type="cite">180s; rekey_fuzz: 100%; keyingtries: 1<br></blockquote><blockquote type="cite">000 "rw-l2tp-psk":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;<br></blockquote><blockquote type="cite">000 "rw-l2tp-psk":   policy: PSK+ENCRYPT+COMPRESS; prio: 32,32;<br></blockquote><blockquote type="cite">interface: eth1; <br></blockquote><blockquote type="cite">000 "rw-l2tp-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0; <br></blockquote><blockquote type="cite">000 "rw-l2tp-psk-nat":<br></blockquote><blockquote type="cite">76.27.20.26[76.27.20.26]:17/1701---76.27.16.1...%virtual[%any]:17/%any===?;<br></blockquote><blockquote type="cite">unrouted; eroute owner: #0<br></blockquote><blockquote type="cite">000 "rw-l2tp-psk-nat":   ike_life: 3600s; ipsec_life: 1200s;<br></blockquote><blockquote type="cite">rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1<br></blockquote><blockquote type="cite">000 "rw-l2tp-psk-nat":   dpd_action: clear; dpd_delay: 30s; dpd_timeout:<br></blockquote><blockquote type="cite">120s;<br></blockquote><blockquote type="cite">000 "rw-l2tp-psk-nat":   policy: PSK+ENCRYPT+COMPRESS; prio: 32,32;<br></blockquote><blockquote type="cite">interface: eth1; <br></blockquote><blockquote type="cite">000 "rw-l2tp-psk-nat":   newest ISAKMP SA: #0; newest IPsec SA: #0; <br></blockquote><blockquote type="cite">000 "rw-local":<br></blockquote><blockquote type="cite">192.168.1.0/24===76.27.20.26[myhost.fdqn.net]---76.27.16.1...%any[C=US,<foo>,<br></blockquote><blockquote type="cite">CN=*, E=*]===%hostpool; 
unrouted; eroute owner: #0<br></blockquote><blockquote type="cite">000 "rw-local":   CAs: "C=US, <foo>"..."C=US, <foo>"<br></blockquote><blockquote type="cite">000 "rw-local":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin:<br></blockquote><blockquote type="cite">180s; rekey_fuzz: 100%; keyingtries: 1<br></blockquote><blockquote type="cite">000 "rw-local":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;<br></blockquote><blockquote type="cite">000 "rw-local":   policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY;<br></blockquote><blockquote type="cite">prio: 24,32; interface: eth1; <br></blockquote><blockquote type="cite">000 "rw-local":   newest ISAKMP SA: #0; newest IPsec SA: #0; <br></blockquote><blockquote type="cite">000 "rw-local-nat":<br></blockquote><blockquote type="cite">192.168.1.0/24===76.27.20.26[myhost.fdqn.net]---76.27.16.1...%virtual[C=US,<foo>,<br></blockquote><blockquote type="cite">CN=*, E=*]===?; unrouted; eroute owner: #0<br></blockquote><blockquote type="cite">000 "rw-local-nat":   CAs: "C=US, <foo>"..."C=US, <foo>"<br></blockquote><blockquote type="cite">000 "rw-local-nat":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin:<br></blockquote><blockquote type="cite">180s; rekey_fuzz: 100%; keyingtries: 1<br></blockquote><blockquote type="cite">000 "rw-local-nat":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;<br></blockquote><blockquote type="cite">000 "rw-local-nat":   policy:<br></blockquote><blockquote type="cite">PUBKEY+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY; prio: 24,32; interface: eth1; <br></blockquote><blockquote type="cite">000 "rw-local-nat":   newest ISAKMP SA: #0; newest IPsec SA: #0; <br></blockquote><blockquote type="cite">000 <br></blockquote><blockquote type="cite">Status of IKEv2 charon daemon (strongSwan 4.4.1):<br></blockquote><blockquote type="cite">  uptime: 9 hours, since Sep 24 00:07:12 2010<br></blockquote><blockquote type="cite">  malloc: sbrk 516096, mmap 0, used 441552, free 
74544<br></blockquote><blockquote type="cite">  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0<br></blockquote><blockquote type="cite">  loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey<br></blockquote><blockquote type="cite">pkcs1 pgp dnskey pem sqlite openssl fips-prf xcbc hmac agent gmp attr<br></blockquote><blockquote type="cite">attr-sql resolve kernel-netlink socket-raw farp stroke updown<br></blockquote><blockquote type="cite">eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp <br></blockquote><blockquote type="cite">Listening IP addresses:<br></blockquote><blockquote type="cite">  192.168.2.1<br></blockquote><blockquote type="cite">  192.168.1.1<br></blockquote><blockquote type="cite">  2001:1938:240::1<br></blockquote><blockquote type="cite">  76.27.20.26<br></blockquote><blockquote type="cite">  2001:1938:81:a5::2<br></blockquote><blockquote type="cite">  192.168.3.1<br></blockquote><blockquote type="cite">Connections:<br></blockquote><blockquote type="cite">rw-charon-mobike:  76.27.20.26...%any, dpddelay=30s<br></blockquote><blockquote type="cite">rw-charon-mobike:   local:  [myhost.fdqn.net <<a href="http://myhost.fdqn.net">http://myhost.fdqn.net</a>>]<br></blockquote><blockquote type="cite">uses public key authentication<br></blockquote><blockquote type="cite">rw-charon-mobike:    cert:  "C=US,<foo>, CN=myhost.fdqn.net,<br></blockquote><blockquote type="cite"><a href="mailto:E=root@myhost.fdqn.net">E=root@myhost.fdqn.net</a> <<a href="mailto:E=root@myhost.fdqn.net">mailto:E=root@myhost.fdqn.net</a>>"<br></blockquote><blockquote type="cite">rw-charon-mobike:   remote: [C=US,<foo>, CN=*, E=*] uses any authentication<br></blockquote><blockquote type="cite">rw-charon-mobike:   child:  192.168.1.0/24 === dynamic , dpdaction=clear<br></blockquote><blockquote type="cite">   rw-charon:   child:  192.168.1.0/24 === dynamic , dpdaction=clear<br></blockquote><blockquote type="cite">          rw:  76.27.20.26...%any, 
dpddelay=30s<br></blockquote><blockquote type="cite">          rw:   local:  [myhost.fdqn.net <<a href="http://myhost.fdqn.net">http://myhost.fdqn.net</a>>] uses<br></blockquote><blockquote type="cite">public key authentication<br></blockquote><blockquote type="cite">          rw:    cert:  "C=US,<foo>, CN=myhost.fdqn.net,<br></blockquote><blockquote type="cite"><a href="mailto:E=root@myhost.fdqn.net">E=root@myhost.fdqn.net</a> <<a href="mailto:E=root@myhost.fdqn.net">mailto:E=root@myhost.fdqn.net</a>>"<br></blockquote><blockquote type="cite">          rw:   remote: [C=US,<foo>, CN=*, E=*] uses any authentication<br></blockquote><blockquote type="cite">          rw:   child:  dynamic === dynamic , dpdaction=clear<br></blockquote><blockquote type="cite">Security Associations:<br></blockquote><blockquote type="cite">  none<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Thanks.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><blockquote type="cite">Regards<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Andreas<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">On 24.09.2010 07:20, Troy Telford wrote:<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">I must be a problem child... 
but I'm learning fast.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">I'm mostly satisfied with L2TP (Save for my last tunnel/transport<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">question), so I've moved on to the more secure 'pure' IPsec<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">configurations.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">I've been working on IP Address & DNS assignment setup via IKEv1 & IKEv2;<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">I've been following:<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/">http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/</a><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><a href="http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/">http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/</a><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">I have the ipsec pool configured properly, I believe; 'ipsec 
pool<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">--status' shows the pool I'm expecting, at any rate.  However, with<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">both IKEv1 (Racoon/OS X) and IKEv2 (Win 7), I'm unable to get IP<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">addresses.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">With IKEv1, I've got the OS X client so it is able to establish an<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">IPsec SA.  It has the config option "mode_cfg on".  However, I'm not<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">seeing any ModeCfg messages in 'auth.log | grep pluto'.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">For IKEv2, the error is:<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Sep 23 22:37:52 pilot charon: 13[IKE] peer requested virtual IP %any<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">Sep 23 22:37:52 pilot charon: 13[IKE] no virtual IP found, sending<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">INTERNAL_ADDRESS_FAILURE<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote 
type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">My network is as follows:<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><something> - Dynamic address; I use DynDNS to resolve it to a host name.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">192.168.1.1/24 (Main address space)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">192.168.2.1/24 (DMZ address space; unused)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">192.168.3.1/24 (Used for OpenVPN - for locations where ESP is blocked<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">at the firewall)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">192.168.4.1/26 (IPsec pool)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">So I think a connection would be along the lines of:<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">(Int. network)     (Internet IP)        (RW ISP)     Road Warrior<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">192.168.0.0/21 -- ISP Assigned IP .. 
ISP Assigned IP -- NAT IP<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">My configuration (with L2TP removed, for clarity) is as follows:<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">config setup<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   crlcheckinterval="600"<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   cachecrls=yes<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   nat_traversal=yes<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24,%v4:!192.168.4.0/24<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">  interfaces=%defaultroute<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">conn 
%default<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   keyingtries=1<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   ikelifetime=60m<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   keylife=20m<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   rekeymargin=3m<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   keyexchange=ikev2<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   ike=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   esp=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   compress=yes<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   left=%defaultroute<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   right=%any<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   dpddelay=30<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   dpdtimeout=120<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   dpdaction=clear<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   
pfs=yes<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">conn rw-local-nat<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   rightsubnet=vhost:%no,%priv<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   also=rw-local<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">conn rw-local<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   keyexchange=ikev1<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   # Supposedly rekey can be no, because the client will ask for it...<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   rekey=no<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   leftsubnet=192.168.1.0/24<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   rightsourceip=%hostpool<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   also=rw<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">conn rw-charon<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   
leftsubnet=192.168.1.0/24<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   # In case we want a different (volatile) pool<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   # rightsourceip=192.168.4.64/26<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   rightsourceip=%hostpool<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   also=rw<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">conn rw<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   authby=rsasig<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   leftrsasigkey=%cert<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   rightrsasigkey=%cert<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   leftcert=pilotCert.pem<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   <a href="mailto:leftid=@pilot.pariahzero.net">leftid=@pilot.pariahzero.net</a> <<a href="mailto:leftid=@pilot.pariahzero.net">mailto:leftid=@pilot.pariahzero.net</a>><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   rightid="C=US... 
CN=*, E=*"<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   rightca=%same<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   auto=add<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">$ ipsec pool --status<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">dns servers: 192.168.1.1<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">no nbns servers found.<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   name           start             end  timeout   size      online    <br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">  usage<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">hostpool     192.168.4.2    192.168.4.63   static     62     0 ( 0%)    <br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">0 ( 0%)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">$ ipsec pool --statusattr<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">type  description           pool        identity              value<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">   3  INTERNAL_IP4_DNS               
                         192.168.1.1<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">$ ipsec pool --showattr<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">internal_ip4_netmask  --addr    (INTERNAL_IP4_NETMASK)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">internal_ip6_netmask  --addr    (INTERNAL_IP6_NETMASK)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">netmask               --addr    (INTERNAL_IP4_NETMASK,<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">INTERNAL_IP6_NETMASK)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">internal_ip4_dns      --addr    (INTERNAL_IP4_DNS)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">internal_ip6_dns      --addr    (INTERNAL_IP6_DNS)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">dns                   --addr    (INTERNAL_IP4_DNS, INTERNAL_IP6_DNS)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">internal_ip4_nbns     --addr    (INTERNAL_IP4_NBNS)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">internal_ip6_nbns     --addr    (INTERNAL_IP6_NBNS)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">nbns                  --addr    (INTERNAL_IP4_NBNS, 
INTERNAL_IP6_NBNS)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">wins                  --addr    (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">internal_ip4_dhcp     --addr    (INTERNAL_IP4_DHCP)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">internal_ip6_dhcp     --addr    (INTERNAL_IP6_DHCP)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">dhcp                  --addr    (INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">internal_ip4_server   --addr    (INTERNAL_IP4_SERVER)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">internal_ip6_server   --addr    (INTERNAL_IP6_SERVER)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">server                --addr    (INTERNAL_IP4_SERVER,<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">INTERNAL_IP6_SERVER)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">application_version   --string  (APPLICATION_VERSION)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">version               --string  (APPLICATION_VERSION)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">unity_banner          --string  (UNITY_BANNER)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">banner                
--string  (UNITY_BANNER)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">unity_def_domain      --string  (UNITY_DEF_DOMAIN)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">unity_splitdns_name   --string  (UNITY_SPLITDNS_NAME)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">unity_split_include   --subnet  (UNITY_SPLIT_INCLUDE)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">unity_local_lan       --subnet  (UNITY_LOCAL_LAN)<br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite">So what do I need to do in order to get IP address assignment working?<br></blockquote></blockquote></blockquote><br>======================================================================<br>Andreas Steffen                         <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>strongSwan - the Linux VPN Solution!                <a href="http://www.strongswan.org">www.strongswan.org</a><br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br></div></blockquote></div><br><div>
<span class="Apple-style-span" style="font-family: Helvetica; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>--</div><div>Troy Telford</div><div><a href="mailto:ttelford.groups@gmail.com">ttelford.groups@gmail.com</a></div></div></span>
</div>
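The ordering effect described in this thread (charon settling on a connection definition that carries no pool, so the client gets no address) is easy to catch before restarting the daemon. The following is an added example, not strongSwan code and not the poster's ipsec.conf: a small Python linter that parses conn sections, merges conn %default, and reports roadwarrior conns (right=%any) that lack rightsourceip, that are listed ahead of a conn which does have one, or that name a pool absent from the names printed by ipsec pool --status. The sample configuration and its conn names are constructed; the only value taken from the thread is the pool name hostpool. rightsourceip is strongSwan's own keyword for pool assignment; also= and include lines are assumed absent and are not followed.

```python
# Added example for this thread (not strongSwan code, not the poster's file).
# Assumes strongSwan's ipsec.conf syntax: 'conn' sections, 'conn %default'
# inheritance, 'rightsourceip=<name>' selecting a pool made with 'ipsec pool';
# 'also=' and 'include' are not followed.
import re
from typing import Dict, List, Tuple

Settings = Dict[str, str]

# Constructed sample: a pool-less roadwarrior conn first, then a pool conn,
# then a conn whose pool name is misspelled.
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
    left=%defaultroute
    leftcert=gwCert.pem
    auto=add

conn rw-noaddr
    right=%any
    rightca=%same

conn rw-pool
    right=%any
    rightca=%same
    rightsourceip=hostpool

conn rw-typo
    right=%any
    rightsourceip=hostpol
"""

_SECTION = re.compile(r'^(conn|config|ca)\s+(\S+)\s*$')
_IPV4 = re.compile(r'[0-9.]+(/\d+)?')
_IPV6 = re.compile(r'[0-9a-fA-F]*:[0-9a-fA-F:]*(/\d+)?')


def parse_conns(text: str) -> List[Tuple[str, Settings]]:
    """Return 'conn' sections in file order as (name, settings), with the
    keys of 'conn %default' merged in (a conn's own keys win)."""
    sections: List[Tuple[str, str, Settings]] = []
    current: Settings = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        head = _SECTION.match(line)
        if head:
            current = {}
            sections.append((head.group(1), head.group(2), current))
            continue
        if not line[0].isspace():                    # e.g. 'include': skipped
            continue
        key, sep, value = line.strip().partition('=')
        if not sep:
            raise ValueError(f'malformed setting: {raw!r}')
        current[key.strip()] = value.strip()
    defaults: Settings = {}
    for kind, name, settings in sections:
        if kind == 'conn' and name == '%default':
            defaults.update(settings)
    return [(name, {**defaults, **settings})
            for kind, name, settings in sections
            if kind == 'conn' and name != '%default']


def is_pool_name(value: str) -> bool:
    """A rightsourceip that is neither a subnet nor a %-keyword names a pool."""
    return not (value.startswith('%') or _IPV4.fullmatch(value)
                or _IPV6.fullmatch(value))


def lint(text: str, known_pools: Tuple[str, ...] = ()) -> List[Tuple[str, str, str]]:
    """Return (severity, conn, message) for every conn with right=%any:
    'info'    no rightsourceip at all;
    'warning' a pool conn is listed after a pool-less roadwarrior conn, the
              ordering the thread above found to leave the client unaddressed;
    'error'   the pool name is missing from known_pools (the names printed
              by 'ipsec pool --status')."""
    findings: List[Tuple[str, str, str]] = []
    poolless_before: List[str] = []
    for name, s in parse_conns(text):
        if s.get('right') != '%any':
            continue
        pool = s.get('rightsourceip')
        if pool is None:
            findings.append(('info', name, 'roadwarrior conn without rightsourceip'))
            poolless_before.append(name)
            continue
        if poolless_before:
            findings.append(('warning', name, 'listed after pool-less conn(s): '
                             + ', '.join(poolless_before)))
        if is_pool_name(pool) and known_pools and pool not in known_pools:
            findings.append(('error', name, f'rightsourceip={pool} is not a known pool'))
    return findings


if __name__ == '__main__':
    # 'hostpool' is the pool name 'ipsec pool --status' printed in the thread.
    for sev, conn, msg in lint(SAMPLE_CONF, known_pools=('hostpool',)):
        print(f'{sev:7} {conn:10} {msg}')
```

Feed it the real ipsec.conf and the pool names from ipsec pool --status; a warning on the conn that is supposed to hand out addresses is the ordering symptom from this thread, and an error means the pool was never created or the name does not match.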
<br></body></html>