<div dir="ltr"><br>Hi everyone,<br><br><div>I'm struggling with a site to site IKEv2 tunnel for a peer using dynamic IP.</div><div>It seems that the first Ikev2 init packet is totally ignored. I don't know why.</div><div>When using a static IP , all goes well.<br></div><div></div><div><br></div><div><b>Config dynamic:</b><br></div><div>I use the following ipsec.conf (ip and peer named changed):<br></div><div><br></div><div><span style="font-family:monospace">conn peer1<br>        keyexchange=ikev2<br>        forceencaps=yes<br>        ike=aes256-sha1-modp1024,3des-sha1-modp1024!<br>        esp=aes256-sha1,3des-sha1!<br>        dpdaction=restart<br>        rekey=no<br>        authby=psk<br>        leftfirewall=yes<br>        left=<local_ip><br>        leftid=<local_id><br>        leftsubnet=<a href="http://192.168.7.0/24">192.168.7.0/24</a><br>        right=%any<br>        rightid=<peer_id><br>        rightsubnet=<a href="http://192.168.4.0/24">192.168.4.0/24</a><br>        auto=route</span><br></div><div><br></div><div>ipsec.secrets:</div><div style="margin-left:40px"><span style="font-family:monospace"><peer_id> : PSK "key"</span></div><div><br></div><div>When starting remote tunnel, I get this dump on strongswan side, that is a single packet received, no response from strongswan:<br></div><div><br></div><span style="font-family:monospace">15:01:15.113323 IP (tos 0x0, ttl 244, id 4358, offset 0, flags [none], proto UDP (17), length 344)<br>    <peer1_ip>.500 > <local_ip>.500: [udp sum ok] isakmp 2.0 msgid 00000000 cookie 4e011e68b24ebe9e->0000000000000000: parent_sa ikev2_init[I]:<br>    (sa: len=44<br>        (p: #1 protoid=isakmp transform=4 len=44<br>            (t: #1 type=encr id=aes (type=keylen value=0100))<br>            (t: #2 type=integ id=hmac-sha )<br>            (t: #3 type=prf id=hmac-sha )<br>            (t: #4 type=dh id=modp1024 )))<br>    (v2ke: len=128 group=modp1024)<br>    (nonce: len=20 nonce=(247782749746e4aa5e04167b26e9e0c9f6fa53ba) )<br>    (n: prot_id=#0 type=16388(nat_detection_source_ip))<br>    (n: prot_id=#0 type=16389(nat_detection_destination_ip))<br>    (v2vid: len=20 vid=*gu..*..|3..h....o..)</span><br><div><br></div><div>Now, indicating the current peer IP in ipsec.conf, the tunnel starts immediatly (no other IPSEC parameter changed):<br></div><div><br></div><div><b>Config static:</b><br>
</div><div><span style="font-family:monospace">conn peer1<br>        keyexchange=ikev2<br>        forceencaps=yes<br>        ike=aes256-sha1-modp1024,3des-sha1-modp1024!<br>        esp=aes256-sha1,3des-sha1!<br>        dpdaction=restart<br>        rekey=no<br>        authby=psk<br>        leftfirewall=yes<br>        left=<local_ip><br>        leftid=<local_id><br>        leftsubnet=<a href="http://192.168.7.0/24">192.168.7.0/24</a><br>        <b>right=<peer_ip></b><br>        rightid=<peer_id><br>        rightsubnet=<a href="http://192.168.4.0/24">192.168.4.0/24</a><br>        <b>auto=start

</b></span></div><div><span style="font-family:monospace"><br></span></div><div><span style="font-family:monospace">ipsec.secrets:<br></span></div><div style="margin-left:40px"><span style="font-family:monospace"><local_id> <peer_id> : PSK "key"</span><br></div><div><br></div><div>I enabled various logging levels without finding any useful info. </div><div>
Strongswan 5.8.2 <br></div><div>Not firewall issue, I tried without and other static site to ste tunnels are working.</div><div><br></div><div>Thank you for any hint ! Really...<br></div><div>PM.</div><div><br></div><div><br></div><div><br></div><div><br></div></div>