[strongSwan] (no subject)

Andreas Steffen andreas.steffen at strongswan.org
Tue Jun 15 06:44:51 CEST 2010


Hello Peter,

have you tried to set

  right=r.dyndns.org
  rightallowany=yes

or more concise

  right=%r.dyndns.org

which will resolve the hostname r.dyndns.org during an ipsec update
allowing S to initiate the connection but will also accept any
changed IP address R as a responder. The rightallowany parameter
was introduced a couple of years ago to just cover this DynDNS
scenario.

Regards

Andreas

On 06/14/2010 10:20 PM, pdaum at gmx.de wrote:
> I am experiencing a problem connecting a Funkwerk EC VPN25 router
> (VPN Access 25 version V.7.4 Rev. 1 (Patch 11) with StrongSwan (Linux
> strongSwan U4.3.2/K2.6.32-22-generic) gateway.
> 
> The (StrongSwan) gateway "S" has a fixed IP address, the router "R"
> has a dynamic one, provided by DynDNS. After an "ipsec update" has
> been issued on S, S has the current address of R and the
> establishment of a VPN connection works in both directions, i.e. S as
> well as R can bring up a connection.
> 
> If the IP address of R changes (e.g. after re-establishment of the
> connection), S does not get aware of the new address. Accordingly, S
> cannot initiate a connection, as expected. However, R can still
> connect to S as the IP address of the latter has not changed.
> Unfortunately, R's connection request is refused by S with the error
> message "no connection has been authorized with policy=PUBKEY" (full
> log below). It seems that the first package of R does not give any
> indication of R's identity and is subsequently refused by S.
> 
> The strange thing is, that I have 2 other locations with Funkwerk
> routers (same config, same software version, albeit another model)
> where the scenario described above works perfectly.
> 
> I am now looking for a reason. As the two working locations are
> connected through another ISP (Colt), I am wondering if there is
> something special with the internet connection at the troubled
> location(green.ch). Could a too small MTU cause problems? Also, R is
> not directly connected to the internet, having a Zyxel ADSL modem
> between (as bridge).
> 
> Any ideas how to analyse (and eventually solve) the problem are
> appreciated.
> 
> Best regards Peter
> 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3430 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100615/f0878735/attachment.bin>


More information about the Users mailing list