<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Tom,</p>
<p>I'm using similar configuration, but without keyingtries. Give it
a chance without this parameter.</p>
<p>And try to set local_addr = 10.17.0.3 in connections.VPN01 due to
the following:</p>
<p>
<blockquote type="cite">10[CFG] looking for peer configs matching
10.17.0.3[%any]...81.xxx.yyy.zzz[81.xxx.yyy.zzz]<br>
10[CFG] no matching peer config found</blockquote>
</p>
<p>May be this'll help.<br>
</p>
<div class="moz-cite-prefix">On 02.10.2020 19:18, Tom Cannaerts
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAFtzWQY41KuQtTu+Du8e2V2_e7=O0MKuDB3fOWBWhdec35bnSw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">I'm trying to setup a connection between a
StrongSwan behind NAT and a directly connected Fortigate but I
just can't get the connection up.
<div><br>
</div>
<div>This is the relevant config:</div>
<div><br>
</div>
<div># 10.17.0.3 is the private IP of StrongSwan</div>
<div># 83.aaa.bbb.ccc is the public IP of StrongSwan where port
500 and 4500 are NAT'd to the private</div>
<div># 81.xxx.yyy.zzz is the public IP of the Fortigate</div>
<div># <a href="http://10.16.0.0/24" moz-do-not-send="true">10.16.0.0/24</a>
is the subnet at the StrongSwan side that I'm trying to tunnel</div>
<div># <a href="http://10.40.0.0/24" moz-do-not-send="true">10.40.0.0/24</a>
is the subnet at the Fortigate sida that I'm trying to tunnel</div>
<div><br>
</div>
<div>connections {<br>
VPN01 {<br>
version=2<br>
proposals = aes256-sha256-modp2048<br>
keyingtries = 0<br>
remote_addrs = 81.xxx.yyy.zzz<br>
local {<br>
id = 83.aaa.bbb.ccc<br>
auth = psk<br>
}<br>
remote {<br>
id = 81.xxx.yyy.zzz<br>
auth = psk<br>
}<br>
children {<br>
VPN01-MAIN {<br>
start_action = start<br>
esp_proposals =
aes256-sha256-modp2048<br>
local_ts = <a
href="http://10.16.0.0/24" moz-do-not-send="true">10.16.0.0/24</a><br>
remote_ts = <a
href="http://10.40.0.0/24" moz-do-not-send="true">10.40.0.0/24</a><br>
}<br>
}<br>
}<br>
}<br>
<br>
secrets {<br>
ike1 {<br>
id = 81.xxx.yyy.zzz<br>
secret = secret-goes-here<br>
}<br>
}<br>
</div>
<div><br>
</div>
<div>When loading this config, following entries appear in the
log:</div>
<div><br>
</div>
<div>07[NET] received packet: from 81.xxx.yyy.zzz[500] to
10.17.0.3[500] (360 bytes)<br>
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No ]<br>
07[IKE] 81.xxx.yyy.zzz is initiating an IKE_SA<br>
07[CFG] selected proposal:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048<br>
07[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(CHDLESS_SUP) N(MULT_AUTH) ]<br>
07[NET] sending packet: from 10.17.0.3[500] to
81.xxx.yyy.zzz[500] (392 bytes)<br>
10[NET] received packet: from 81.xxx.yyy.zzz[500] to
10.17.0.3[500] (240 bytes)<br>
10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH
SA TSi TSr ]<br>
10[CFG] looking for peer configs matching
10.17.0.3[%any]...81.xxx.yyy.zzz[81.xxx.yyy.zzz]<br>
10[CFG] no matching peer config found<br>
10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>
</div>
<div><br>
</div>
<div>I believe the N(AUTH_FAILED) is because he can't match the
config, not because of an actual PSK error. I've re-entered
the PSK multiple times and even tried using a very simple PSK.</div>
<div><br>
</div>
<div>So for some reason it can't find a peer config for
81.xxx.yyy.zzz. Is that because it's using the internal IP
address for the matching? The strange thing is that I have
another tunnel/connection setup with a WatchGuard in another
office in pretty much the exactly the same way, and that's
working just fine.</div>
<div><br>
</div>
<div>Anyone an idea on what I can still check?</div>
<div><br>
</div>
<div>Thanks!</div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison</pre>
</body>
</html>