<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Anyone...?<br>
I had to reboot the remote Strongswan gateway a couple of hours
later, then it came back up again.<br>
</p>
<br>
<div class="moz-cite-prefix">Den 2017-06-19 kl. 08:51, skrev Dusan
Ilic:<br>
</div>
<blockquote type="cite"
cite="mid:25c87099-c2c9-2805-b71d-e56daecbc4c0@comhem.se">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<p>Yet again, the fortigate router reconnected to Strongswan on
it's own without manual intervention 12 minutes after the other
sides public IP changed... Strongswan won't connect even
manually.<br>
</p>
<br>
<div class="moz-cite-prefix">Den 2017-06-19 kl. 08:47, skrev Dusan
Ilic:<br>
</div>
<blockquote type="cite"
cite="mid:d69ddd3e-7b38-4f5b-0083-a819cb77684d@comhem.se">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8">
<p>Okey, today it happened again, new IP on one end of tunnel
and updated in DNS. Pinging the new IP from both sides shows
it resolves correctly, restarting Strongswan on both sides and
the same issue as before. (last time it started to work on the
evening same day)<br>
</p>
<p>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]<br>
sending packet: from 94.254.123.x[500] to 85.24.244.x[500]<br>
received packet: from 85.24.244.x[500] to 94.254.123.x[500]<br>
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br>
received 1 cert requests for an unknown ca<br>
authentication of 'hostname' (myself) with pre-shared key<br>
no shared key found for 'hostname' - '85.24.244.x'<br>
<br>
Why isn't it working?<br>
What does the message "no shared key found for 'hostname' -
'85.24.244.x'" mean?<br>
This time the IP is correct and updated.<br>
</p>
<br>
<div class="moz-cite-prefix">Den 2017-06-14 kl. 15:23, skrev
Dusan Ilic:<br>
</div>
<blockquote type="cite"
cite="mid:97047b67-45c0-ea4e-667b-7073e4f791be@comhem.se">
<meta http-equiv="content-type" content="text/html;
charset=utf-8">
<p>Hi,<br>
<br>
I have a S2S IPsec tunnel setup that have problems now when
one side of the tunnel have been assigned a new public IP.
The hostname used have been immediately updated by way od
dynamic DNS, and the TTL have expired two hours ago. When
trying to up the tunnel on the side with the changed IP,
Strongswan returns "received AUTHENTICATION_FAILED notify
error", and when trying to do the same on the remote end the
log looks like following.</p>
<p>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]<br>
sending packet: from 94.254.123.x[500] to 85.24.242.x[500]<br>
received packet: from 85.24.242.x[500] to 94.254.123.x[500]<br>
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br>
received 1 cert requests for an unknown ca<br>
authentication of 'hostname' (myself) with pre-shared key<br>
no shared key found for 'hostname' - '<b>85.24.240.x</b>'</p>
<p>Now as you can see the packets are sent to the correct host
(domain is correctly resolved), however on the last line
it's the old IP. What's happening here? I have tried
restartin Strongswan on both hosts, but it doesn't help.<br>
<br>
This is the first time since I setup the tunnel with dynamic
DNS that one side of the tunnel have changed IP, how can I
make either side of the tunnel to continue reconnecting
until the hostname is properly resolving again?<br>
I have another tunnel going to the same client, and it have
succesfully reconnected again after it picked up the new IP.
The client is a Fortigate router. So, how can I force
Strongswan to retry ?<br>
<br>
</p>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>