<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-forward-container">It seems to me that strongswan is
perhaps failing to find a virtual ip for the client because it's
not finding a id match between the client and what it has in it's
database, so I have tried using the cert as id, which is really
what I want, but I am still getting: no virtual IP found for %any
requested.<br>
<br>
<font face="sans-serif">I added the addresses on the gateway like
this:
# strongswan pool --replace vpnclients --addresses
addresses2.txt</font><br>
<br>
cat addresses2.txt <br>
172.16.44.15=C=US,ST=IL,L=Chicago,O=Company,OU=test,CN=test4.domain.com<br>
172.16.44.14=C=US,ST=IL,L=Chicago,O=Company,OU=test,CN=test5.domain.com<br>
<br>
<font face="sans-serif">gateway ipsec.conf:
<br>
# /etc/ipsec.conf - strongSwan IPsec configuration file<br>
<br>
config setup<br>
charondebug="ike 2, knl 3, cfg 0"<br>
<br>
conn %default<br>
ikelifetime=60m<br>
keylife=20m<br>
rekeymargin=3m<br>
keyingtries=1<br>
keyexchange=ikev2<br>
<br>
conn aosclient<br>
left=%defaultroute<br>
leftcert=vpngateway3.domain.com_cert.pem<br>
<a class="moz-txt-link-abbreviated" href="mailto:leftid=@vpngateway3.domain.com">leftid=@vpngateway3.domain.com</a><br>
leftfirewall=yes<br>
leftsubnet=172.16.40.0/22<br>
right=%any<br>
rightsourceip=%vpnclients<br>
auto=route<br>
</font><br>
<br>
gateway log:<br>
<br>
Dec 17 10:05:21 15[NET] received packet: from 96.116.65.100[500]
to 172.16.42.10[500] (832 bytes)<br>
Dec 17 10:05:21 15[IKE] 96.116.65.100 is initiating an IKE_SA<br>
Dec 17 10:05:21 15[IKE] local host is behind NAT, sending keep
alives<br>
Dec 17 10:05:21 15[IKE] remote host is behind NAT<br>
Dec 17 10:05:21 15[IKE] sending cert request for "C=US, ST=IL,
O=Company, OU=Platform IT, CN=MY CA"<br>
Dec 17 10:05:21 15[NET] sending packet: from 172.16.42.10[500] to
96.116.65.100[500] (465 bytes)<br>
Dec 17 10:05:22 16[NET] received packet: from 96.116.65.100[4500]
to 172.16.42.10[4500] (1868 bytes)<br>
Dec 17 10:05:22 16[IKE] received cert request for "C=US, ST=IL,
O=Company, OU=Platform IT, CN=MY CA"<br>
Dec 17 10:05:22 16[IKE] received end entity cert "C=US, ST=IL,
L=Chicago, O=Company, OU=test, CN=test4.domain.com"<br>
Dec 17 10:05:22 16[IKE] authentication of 'C=US, ST=IL, L=Chicago,
O=Company, OU=test, CN=test4.domain.com' with RSA signature
successful<br>
Dec 17 10:05:22 16[IKE] peer supports MOBIKE<br>
Dec 17 10:05:22 16[IKE] authentication of 'vpngateway3.domain.com'
(myself) with RSA signature successful<br>
Dec 17 10:05:22 16[IKE] IKE_SA aosclient[2] established between
172.16.42.10[vpngateway3.domain.com]...96.116.65.100[C=US, ST=IL,
L=Chicago, O=Company, OU=test, CN=test4.domain.com]<br>
Dec 17 10:05:22 16[IKE] scheduling reauthentication in 3397s<br>
Dec 17 10:05:22 16[IKE] maximum IKE_SA lifetime 3577s<br>
Dec 17 10:05:22 16[IKE] sending end entity cert "C=US, ST=IL,
L=Chicago, O=Company, OU=vpn_gateway, CN=vpngateway3.domain.com"<br>
Dec 17 10:05:22 16[IKE] peer requested virtual IP %any<br>
Dec 17 10:05:22 16[IKE] no virtual IP found for %any requested by
'C=US, ST=IL, L=Chicago, O=Company, OU=test, CN=test4.domain.com'<br>
Dec 17 10:05:22 16[IKE] no virtual IP found, sending
INTERNAL_ADDRESS_FAILURE<br>
Dec 17 10:05:22 16[IKE] configuration payload negotiation failed,
no CHILD_SA built<br>
Dec 17 10:05:22 16[IKE] failed to establish CHILD_SA, keeping
IKE_SA<br>
Dec 17 10:05:22 16[NET] sending packet: from 172.16.42.10[4500] to
96.116.65.100[4500] (1484 bytes)<br>
<br>
client log:<br>
<br>
Dec 17 11:13:35 14[IKE] initiating IKE_SA aosclient[1] to
176.23.75.135<br>
Dec 17 11:13:35 14[NET] sending packet: from 192.168.1.38[500] to
176.23.75.135[500]<br>
Dec 17 11:13:35 15[NET] received packet: from 176.23.75.135[500]
to 192.168.1.38[500]<br>
Dec 17 11:13:35 15[IKE] local host is behind NAT, sending keep
alives<br>
Dec 17 11:13:35 15[IKE] remote host is behind NAT<br>
Dec 17 11:13:35 15[IKE] received cert request for "C=US, ST=IL,
O=Company, OU=Platform IT, CN=MY CA"<br>
Dec 17 11:13:35 15[IKE] sending cert request for "C=US, ST=IL,
O=Company, OU=Platform IT, CN=MY CA"<br>
Dec 17 11:13:35 15[IKE] authentication of 'C=US, ST=IL, L=Chicago,
O=Company, OU=test, CN=test4.domain.com' (myself) with RSA
signature successful<br>
Dec 17 11:13:35 15[IKE] sending end entity cert "C=US, ST=IL,
L=Chicago, O=Company, OU=test, CN=test4.domain.com"<br>
Dec 17 11:13:35 15[IKE] establishing CHILD_SA aosclient<br>
Dec 17 11:13:35 15[KNL] getting SPI for reqid {1}<br>
Dec 17 11:13:35 15[KNL] sending XFRM_MSG_ALLOCSPI: => 248 bytes
@ 0x7fd725093770<br>
Dec 17 11:13:35 15[KNL] 0: F8 00 00 00 16 00 01 00 C9 00 00 00
0B 5B 00 00 .............[..<br>
Dec 17 11:13:35 15[KNL] 16: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ................<br>
Dec 17 11:13:35 15[KNL] 32: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ................<br>
Dec 17 11:13:35 15[KNL] 48: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ................<br>
Dec 17 11:13:35 15[KNL] 64: 00 00 00 00 00 00 00 00 C0 A8 01 26
00 00 00 00 ...........&....<br>
Dec 17 11:13:35 15[KNL] 80: 00 00 00 00 00 00 00 00 00 00 00 00
32 00 00 00 ............2...<br>
Dec 17 11:13:35 15[KNL] 96: 36 D0 F1 C2 00 00 00 00 00 00 00 00
00 00 00 00 6...............<br>
Dec 17 11:13:35 15[KNL] 112: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ................<br>
Dec 17 11:13:35 15[KNL] 128: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ................<br>
Dec 17 11:13:35 15[KNL] 144: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ................<br>
Dec 17 11:13:35 15[KNL] 160: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ................<br>
Dec 17 11:13:35 15[KNL] 176: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ................<br>
Dec 17 11:13:35 15[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ................<br>
Dec 17 11:13:35 15[KNL] 208: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ................<br>
Dec 17 11:13:35 15[KNL] 224: 01 00 00 00 02 00 01 00 00 00 00 00
00 00 00 00 ................<br>
Dec 17 11:13:35 15[KNL] 240: 00 00 00 C0 FF FF FF
CF ........<br>
Dec 17 11:13:35 15[KNL] got SPI c50e4550 for reqid {1}<br>
Dec 17 11:13:35 15[NET] sending packet: from 192.168.1.38[4500] to
176.23.75.135[4500]<br>
<br>
<br>
gateway statusall<br>
# strongswan statusall <br>
Status of IKE charon daemon (strongSwan 5.0.4, Linux
2.6.32-431.el6.x86_64, x86_64):<br>
uptime: 80 seconds, since Dec 17 10:19:21 2013<br>
malloc: sbrk 540672, mmap 0, used 442912, free 97760<br>
worker threads: 6 of 16 idle, 9/1/0/0 working, job queue:
0/0/0/0, scheduled: 3<br>
loaded plugins: charon curl sqlite aes des sha1 sha2 md4 md5
random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp
dnskey pem openssl fips-prf gmp xcbc cmac hmac attr attr-sql
kernel-netlink resolve socket-default farp stroke updown
eap-identity eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls
eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-imc tnc-imv
tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp<br>
Listening IP addresses:<br>
172.16.42.10<br>
Connections:<br>
aosclient: %any...%any IKEv2<br>
aosclient: local: [vpngateway3.domain.com] uses public key
authentication<br>
aosclient: cert: "C=US, ST=IL, L=Chicago, O=Company,
OU=vpn_gateway, CN=vpngateway3.domain.com"<br>
aosclient: remote: uses public key authentication<br>
aosclient: child: 172.16.40.0/22 === dynamic TUNNEL<br>
Security Associations (1 up, 0 connecting):<br>
aosclient[1]: ESTABLISHED 60 seconds ago,
172.16.42.10[vpngateway3.domain.com]...96.116.65.100[C=US, ST=IL,
L=Chicago, O=Company, OU=test, CN=test4.domain.com]<br>
aosclient[1]: IKEv2 SPIs: a864f84b3127c8ac_i
d828b50f563f6829_r*, public key reauthentication in 54 minutes<br>
aosclient[1]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
<br>
<br>
<br>
-------- Original Message --------
<table class="moz-email-headers-table" cellpadding="0"
cellspacing="0" border="0">
<tbody>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Subject:
</th>
<td>static virtual ips with pool</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Date: </th>
<td>Mon, 09 Dec 2013 14:52:32 -0600</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">From: </th>
<td>Banio <a class="moz-txt-link-rfc2396E" href="mailto:aau@mncarpenters.net"><aau@mncarpenters.net></a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">To: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a></td>
</tr>
</tbody>
</table>
<br>
<br>
<pre>Hello I'm trying to get static virtual ips with pool working, but I'm
running into issues. I'm getting: no virtual IP found for %any requested.
I added the addresses on the gateway like this:
# strongswan pool --replace vpnclients --addresses addresses2.txt
addresses2.txt:
172.16.44.1=quique.domain.com
172.16.44.2=eripley.domain.com
gateway ipsec.conf:
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="ike 2, knl 3, cfg 0"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn aosclient
left=%defaultroute
leftcert=vpngateway3.domain.com_cert.pem
<a class="moz-txt-link-abbreviated" href="mailto:leftid=@vpngateway3.domain.com">leftid=@vpngateway3.domain.com</a>
leftfirewall=yes
leftsubnet=172.16.40.0/22
right=%any
rightsourceip=%vpnclients
auto=route
client ipsec.conf:
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn aosclient
left=%defaultroute
leftcert=quique.domain.com_cert.pem
leftfirewall=yes
<a class="moz-txt-link-abbreviated" href="mailto:leftid=@quique.domain.com">leftid=@quique.domain.com</a>
leftsourceip=%config
right=vpngateway3.domain.com
<a class="moz-txt-link-abbreviated" href="mailto:rightid=@vpngateway3.domain.com">rightid=@vpngateway3.domain.com</a>
rightsubnet=172.16.40.0/22
auto=add
client log:
# ipsec up aosclient
initiating IKE_SA aosclient[1] to 176.23.75.135
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.38[500] to 176.23.75.135[500]
received packet: from 176.23.75.135[500] to 192.168.1.38[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
received cert request for "C=US, ST=IL, O=Company, OU=Platform IT, CN=MY CA"
sending cert request for "C=US, ST=IL, O=Company, OU=Platform IT, CN=MY CA"
authentication of 'quique.domain.com' (myself) with RSA signature successful
sending end entity cert "C=US, ST=IL, L=Chicago, O=Company, OU=Platform
IT, CN=quique.domain.com"
establishing CHILD_SA aosclient
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
AUTH CP(ADDR DNS DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.38[4500] to 176.23.75.135[4500]
received packet: from 176.23.75.135[4500] to 192.168.1.38[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP)
N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
received end entity cert "C=US, ST=IL, L=Chicago, O=Company,
OU=vpn_gateway, CN=vpngateway3.domain.com"
using certificate "C=US, ST=IL, L=Chicago, O=Company, OU=vpn_gateway,
CN=vpngateway3.domain.com"
using trusted ca certificate "C=US, ST=IL, O=Company, OU=Platform IT,
CN=MY CA"
checking certificate status of "C=US, ST=IL, L=Chicago, O=Company,
OU=vpn_gateway, CN=vpngateway3.domain.com"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of 'vpngateway3.domain.com' with RSA signature successful
IKE_SA aosclient[1] established between
192.168.1.38[quique.domain.com]...176.23.75.135[vpngateway3.domain.com]
scheduling reauthentication in 3399s
maximum IKE_SA lifetime 3579s
received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built
server log:
Dec 9 10:23:42 15[NET] received packet: from 96.116.65.100[500] to
172.16.42.10[500] (832 bytes)
Dec 9 10:23:42 15[IKE] 96.116.65.100 is initiating an IKE_SA
Dec 9 10:23:42 15[IKE] local host is behind NAT, sending keep alives
Dec 9 10:23:42 15[IKE] remote host is behind NAT
Dec 9 10:23:42 15[IKE] sending cert request for "C=US, ST=IL,
O=Company, OU=Platform IT, CN=Company CA"
Dec 9 10:23:42 15[NET] sending packet: from 172.16.42.10[500] to
96.116.65.100[500] (465 bytes)
Dec 9 10:23:42 16[NET] received packet: from 96.116.65.100[4500] to
172.16.42.10[4500] (1788 bytes)
Dec 9 10:23:42 16[IKE] received cert request for "C=US, ST=IL,
O=Company, OU=Platform IT, CN=Company CA"
Dec 9 10:23:42 16[IKE] received end entity cert "C=US, ST=IL,
L=Chicago, O=Company, OU=Platform IT, CN=quique.domain.com"
Dec 9 10:23:42 16[IKE] authentication of 'quique.domain.com' with RSA
signature successful
Dec 9 10:23:42 16[IKE] peer supports MOBIKE
Dec 9 10:23:42 16[IKE] authentication of 'vpngateway3.domain.com'
(myself) with RSA signature successful
Dec 9 10:23:42 16[IKE] IKE_SA aosclient[1] established between
172.16.42.10[vpngateway3.domain.com]...96.116.65.100[quique.domain.com]
Dec 9 10:23:42 16[IKE] scheduling reauthentication in 3249s
Dec 9 10:23:42 16[IKE] maximum IKE_SA lifetime 3429s
Dec 9 10:23:42 16[IKE] sending end entity cert "C=US, ST=IL, L=Chicago,
O=Company, OU=vpn_gateway, CN=vpngateway3.domain.com"
Dec 9 10:23:42 16[IKE] peer requested virtual IP %any
Dec 9 10:23:42 16[IKE] no virtual IP found for %any requested by
'quique.domain.com'
Dec 9 10:23:42 16[IKE] no virtual IP found, sending
INTERNAL_ADDRESS_FAILURE
Dec 9 10:23:42 16[IKE] configuration payload negotiation failed, no
CHILD_SA built
Dec 9 10:23:42 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Dec 9 10:23:42 16[NET] sending packet: from 172.16.42.10[4500] to
96.116.65.100[4500] (1484 bytes)
Dec 9 10:24:02 01[IKE] sending keep alive to 96.116.65.100[4500]
Any help would be appreciated. Let me know if more info is needed.
</pre>
<br>
</div>
<br>
</body>
</html>