<div dir="ltr">Thanks! I think this helped. <div><br></div><div>Now it tells me that a new virtual IP was installed. The only thing I still need to figure out is how I can use this virtual IP as the external IP is still unchanged. </div><div><br></div><div>Any quick hints what I should read?</div><div><br></div><div>Best</div><div>Sebastian<br><div><br></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2017-06-20 18:00 GMT+02:00 Noel Kuntze <span dir="ltr"><<a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting" target="_blank">noel.kuntze+strongswan-users-ml@thermi.consulting</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
On 20.06.2017 17:22, Sebastian Bayer wrote:<br>
> Dear all,<br>
><br>
> I am very new to strongswan and quite excited about it: lot of interesting things to read and understand.<br>
> The reason why I'm writing is that I want to connect to my VPN service via IKEv2 from my notebook running Arch and have troubles initiating the connection.<br>
> As my VPN service only recently allowed for IKEv2, they do not have good Linux support yet, only mobile devices and Windows.<br>
><br>
> I tried my best to find a working configuration, but now I am stuck / confused.<br>
><br>
> According to the logs:<br>
><br>
> authentication of 'xxx' with EAP successful<br>
> IKE_SA vpn[17] established between 192.168.178.35[xxx]...xxx[xxx]<br>
><br>
><br>
> but at the same time:<br>
><br>
> establishing connection 'vpn' failed<br>
><br>
<br>
</span>You need to read further than the IKE_SA established. With `ipsec up`/`swanctl -i --child[...]`, you're telling the daemon to establish a CHILD_SA.<br>
Doing that fails, so the connection fails.<br>
<div><div class="h5"><br>
><br>
> Below, please find the relevant files and logs. Do you have a hint what to do or try next?<br>
><br>
> Regards<br>
> Sebastian<br>
><br>
><br>
> ### /etc/ipsec.secrets<br>
> xxx : EAP "xxx"<br>
><br>
> ###/etc/ipsec.conf<br>
><br>
> config setup<br>
> # charondebug="cfg 4, dmn 4, ike 4, net 4"<br>
> # strictcrlpolicy=yes<br>
> # uniqueids = no<br>
><br>
> conn vpn<br>
> # Key settings<br>
> keyexchange=ikev2<br>
> ike=aes128-sha1-modp1024!<br>
> auto=add<br>
><br>
> # Keep alive<br>
> dpdaction=clear<br>
> dpddelay=300s<br>
><br>
> # Local<br>
> eap_identity=xxx<br>
> leftid=xxx<br>
> leftauth=eap-mschapv2<br>
> # Remote<br>
> right=xxx<br>
> rightauth=pubkey<br>
</div></div>> rightsubnet=<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>><br>
> rightid=%any<br>
> rightcert=cert.pem<br>
> type=tunnel<br>
That's redundant, because it's the default.<br>
<div><div class="h5">><br>
><br>
> ### log<br>
> [root@X230 sebastian]# ipsec up vpn<br>
> initiating IKE_SA vpn[17] to xxx<br>
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]<br>
> sending packet: from 192.168.178.35[500] to xxx[500] (338 bytes)<br>
> received packet: from xxx[500] to 192.168.178.35[500] (336 bytes)<br>
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]<br>
> local host is behind NAT, sending keep alives<br>
> sending cert request for "xxx"<br>
> establishing CHILD_SA vpn<br>
> generating IKE_AUTH request 1 [ IDi CERTREQ SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]<br>
> sending packet: from 192.168.178.35[4500] to xxx[4500] (364 bytes)<br>
> received packet: from xxx[4500] to 192.168.178.35[4500] (1248 bytes)<br>
> parsed IKE_AUTH response 1 [ EF(1/2) ]<br>
> received fragment #1 of 2, waiting for complete IKE message<br>
> received packet: from xxx[4500] to 192.168.178.35[4500] (320 bytes)<br>
> parsed IKE_AUTH response 1 [ EF(2/2) ]<br>
> received fragment #2 of 2, reassembling fragmented IKE message<br>
> parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]<br>
> received end entity cert "xxx"<br>
> using certificate "xxx"<br>
> using trusted ca certificate "xxx"<br>
> checking certificate status of "xxx"<br>
> certificate status is not available<br>
> reached self-signed root ca with a path length of 0<br>
> authentication of 'xxx' with RSA_EMSA_PKCS1_SHA2_256 successful<br>
> server requested EAP_IDENTITY (id 0x00), sending 'xxx'<br>
> generating IKE_AUTH request 2 [ EAP/RES/ID ]<br>
> sending packet: from 192.168.178.35[4500] to xxx[4500] (92 bytes)<br>
> received packet: from xxx[4500] to 192.168.178.35[4500] (92 bytes)<br>
> parsed IKE_AUTH response 2 [ EAP/REQ/MD5 ]<br>
> server requested EAP_MD5 authentication (id 0x01)<br>
> requesting EAP_MSCHAPV2 authentication, sending EAP_NAK<br>
> generating IKE_AUTH request 3 [ EAP/RES/NAK ]<br>
> sending packet: from 192.168.178.35[4500] to xxx[4500] (76 bytes)<br>
> received packet: from xxx[4500] to 192.168.178.35[4500] (108 bytes)<br>
> parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]<br>
> server requested EAP_MSCHAPV2 authentication (id 0x02)<br>
> generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]<br>
> sending packet: from 192.168.178.35[4500] to xxx[4500] (140 bytes)<br>
> received packet: from xxx[4500] to 192.168.178.35[4500] (124 bytes)<br>
> parsed IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]<br>
> EAP-MS-CHAPv2 succeeded: '(null)'<br>
> generating IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]<br>
> sending packet: from 192.168.178.35[4500] to xxx[4500] (76 bytes)<br>
> received packet: from xxx[4500] to 192.168.178.35[4500] (76 bytes)<br>
> parsed IKE_AUTH response 5 [ EAP/SUCC ]<br>
> EAP method EAP_MSCHAPV2 succeeded, MSK established<br>
> authentication of 'xxx' (myself) with EAP<br>
> generating IKE_AUTH request 6 [ AUTH ]<br>
> sending packet: from 192.168.178.35[4500] to xxx[4500] (92 bytes)<br>
> received packet: from xxx[4500] to 192.168.178.35[4500] (220 bytes)<br>
> parsed IKE_AUTH response 6 [ AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]<br>
> authentication of 'xxx' with EAP successful<br>
> IKE_SA vpn[17] established between 192.168.178.35[xxx]...xxx[xxx]<br>
> scheduling reauthentication in 10243s<br>
> maximum IKE_SA lifetime 10783s<br>
> received FAILED_CP_REQUIRED notify, no CHILD_SA built<br>
</div></div>Add leftsourceip=%config4, %config6. That makes charon request an IP address from the peer.<br>
Right now, the peer complains about charon not doing that.<br>
<div class="HOEnZb"><div class="h5">> failed to establish CHILD_SA, keeping IKE_SA<br>
> establishing connection 'vpn' failed<br>
><br>
<br>
</div></div></blockquote></div><br></div>