<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Here is another example (dynamic DNS both sides), other side is
initiating.<br>
</p>
<p><br>
Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] x.x.x.200 is
initiating an IKE_SA<br>
Apr 28 07:49:06 R6250 authpriv.info charon: 12[IKE] x.x.x.200 is
initiating an IKE_SA<br>
Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] sending cert
request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"<br>
Apr 28 07:49:06 R6250 daemon.info charon: 12[ENC] generating
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(MULT_AUTH) ]<br>
Apr 28 07:49:06 R6250 daemon.info charon: 12[NET] sending packet:
from x.x.x.96[500] to x.x.x.200[500] (337 bytes)<br>
Apr 28 07:49:06 R6250 daemon.info charon: 15[NET] received packet:
from x.x.x.200[500] to x.x.x.96[500] (220 bytes)<br>
Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] parsed IKE_AUTH
request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr
]<br>
Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] looking for peer
configs matching x.x.x.96[%any]...x.x.x.200[x.x.x.200]<br>
Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] selected peer
config 'VPN'<br>
Apr 28 07:49:06 R6250 daemon.info charon: 15[IKE] no shared key
found for '%any' - 'x.x.x.200'<br>
Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] generating
IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>
Apr 28 07:49:06 R6250 daemon.info charon: 15[NET] sending packet:
from x.x.x.96[500] to x.x.x.200[500] (76 bytes)<br>
</p>
<p>Peer config is the wrong one, below is the config and IPsec
secrets</p>
<p>conn test<br>
keylife=3600s<br>
ikelifetime=28800s<br>
left=%local.net<br>
leftsubnet=10.1.1.0/26<br>
right=%remote.net<br>
rightsubnet=192.168.18.0/24,10.0.0.0/24<br>
ike=aes128-sha1-modp1024<br>
esp=aes128-sha1-modp1024<br>
</p>
<p>IPsec secret</p>
<p>%local.net %remote.net : PSK "XXX"</p>
<p>In my understanding from the Strongswan documentation, if
hostname is prefixed with "%" it will do a DNS-lookup and use
those IP-adresses?</p>
<blockquote
cite="mid:dfce791c-987e-f146-f68b-49bdc66467f7@joksi.net"
type="cite">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<div class="moz-cite-prefix">Den 2017-04-28 kl. 08:08, skrev Dusan
Ilic:<br>
</div>
<blockquote
cite="mid:64ae288c-1bf5-4027-6c1a-da90f625cdf3@comhem.se"
type="cite">
<meta content="text/html; charset=utf-8"
http-equiv="Content-Type">
<p>Thank you</p>
<p>Well for starters, I can paste the logs i had in an earlier
thread. Are you saying that site-2-site with PSK must use
certificates when using dynamic hostnames?<br>
What about if only one side of the tunnel has a dynamic IP and
dynamic DNS (my side)? I have two remote peers, one using
dynamic hostname (Fortigate, supports dynamic hostnames for
remote peer in GUI configuration) and one with static IP
(UniFi gateway, using Strongswan)<br>
</p>
<p>left=%hostname is working for one of my tunnels below, but
not the other. See <br>
below.<br>
<br>
The working:<br>
sending cert request for "C=US, O=Let's Encrypt, CN=Let's
Encrypt <br>
Authority X3"<br>
authentication of 'hostname' (myself) with pre-shared key<br>
establishing CHILD_SA Azure<br>
generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi
TSr <br>
N(EAP_ONLY) ]<br>
sending packet: from <a moz-do-not-send="true"
href="tel:85.24">85.24</a>.x.x[500] to <a
moz-do-not-send="true" href="tel:137.135">137.135</a>.x.x[500]
(380 bytes)<br>
received packet: from <a moz-do-not-send="true"
href="tel:137.135">137.135</a>.x.x[500] to <a
moz-do-not-send="true" href="tel:85.24">85.24</a>.x.x[500]
(204 bytes)<br>
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]<br>
authentication of '<a moz-do-not-send="true"
href="tel:137.135">137.135</a>.x.x' with pre-shared key
successful<br>
IKE_SA Azure[2] established between <br>
<a moz-do-not-send="true" href="tel:85.24">85.24</a>.x.x[hostname]...137.135.x.x[137.135.x.x]<br>
scheduling reauthentication in <a moz-do-not-send="true"
href="tel:27923">27923</a>s<br>
maximum IKE_SA lifetime <a moz-do-not-send="true"
href="tel:28463">28463</a>s<br>
connection 'Azure' established successfully<br>
<br>
The non-working:<br>
sending cert request for "C=US, O=Let's Encrypt, CN=Let's
Encrypt <br>
Authority X3"<br>
authentication of 'hostname' (myself) with pre-shared key<br>
establishing CHILD_SA Wesafe<br>
generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi
TSr <br>
N(MULT_AUTH) N(EAP_ONLY) ]<br>
sending packet: from <a moz-do-not-send="true"
href="tel:85.24">85.24</a>.x.x[500] to <a
moz-do-not-send="true" href="tel:94.254">94.254</a>.x.x[500]
(380 bytes)<br>
received packet: from <a moz-do-not-send="true"
href="tel:94.254">94.254</a>.x.x[500] to <a
moz-do-not-send="true" href="tel:85.24">85.24</a>.x.x[500]
(76 bytes)<br>
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>
received AUTHENTICATION_FAILED notify error<br>
establishing connection 'Wesafe' failed<br>
<br>
<a moz-do-not-send="true" href="http://ipsec.secrets">ipsec.secrets</a><br>
%hostname <a moz-do-not-send="true" href="tel:137.135">137.135</a>.x.x
: PSK "xxxx"<br>
%hostname <a moz-do-not-send="true" href="tel:94.254">94.254</a>.x.x
: PSK "xxxxx"</p>
<p>"hostname" is my side of the tunnel and is a dynamic DNS
hostname resolving to my public IP.<br>
</p>
<br>
<div class="moz-cite-prefix">Den 2017-04-27 kl. 22:57, skrev
Noel Kuntze:<br>
</div>
<blockquote
cite="mid:29e25d2d-1236-edca-111a-a7f52f1864c6@thermi.consulting"
type="cite">
<pre wrap="">On 27.04.2017 22:38, Dusan Ilic wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I would really appreciate some help with below also, Im having a Hard time understanding how Strongswan chooses connection definitions and ipsec secrets.
</pre>
</blockquote>
<pre wrap="">Based on IPs, identities and authentication methods.
</pre>
<blockquote type="cite">
<pre wrap="">For example, how can I setup an ikev2 psk tunnel between two hosts with dynamic dns?
</pre>
</blockquote>
<pre wrap="">Look at the "site-2-dynamic-ip" example at the UsableExamples page[1] for a configuration that uses
certificates for authentication. Read the text at the beginning of the page.
</pre>
<blockquote type="cite">
<pre wrap="">Can I have several ip secrets or connections with %any?
</pre>
</blockquote>
<pre wrap="">No. One secret per identity.
</pre>
<blockquote type="cite">
<pre wrap="">Ive tried with %dyndns but seem to get some errors about constraints and such. If someone would give me an explanation that would be great!
</pre>
</blockquote>
<pre wrap="">You need to paste logs to get help.
[1]<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Site-To-Site-Scenario">https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Site-To-Site-Scenario</a>
</pre>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>