[strongSwan] Fwd: Re: No conn has been authorized; was: (no subject)

Peter Daum pdaum at gmx.de
Tue Jun 15 14:05:21 CEST 2010


-------- Original Message --------
Date: Tue, 15 Jun 2010 14:04:47 +0200
From: pdaum at gmx.de
To: Andreas Steffen <andreas.steffen at strongswan.org>
Subject: Re: [strongSwan] No conn has been authorized; was: (no subject)

Hi Steffen

Yes, this is already the case (sorry for not mentioning it in the first place).
Here is the corresponding ipsec.conf snippet:

conn xazk
        rightsubnet=172.25.14.0/24
        rightid=@zh.vpn.abcdef.ch
        right=abc.def.cx
        rightallowany=yes
        dpdaction=clear
        ike=aes128-sha1-modp1536
        esp=aes128-sha1
        auto=add

The connection xazk is configured with the same parameters as the connections which work as described in my original mail.

Regards
Peter

-------- Original Message --------
> Date: Tue, 15 Jun 2010 06:44:51 +0200
> From: Andreas Steffen <andreas.steffen at strongswan.org>
> To: pdaum at gmx.de
> CC: users at lists.strongswan.org
> Subject: Re: [strongSwan] (no subject)

> Hello Peter,
> 
> have you tried to set
> 
>   right=r.dyndns.org
>   rightallowany=yes
> 
> or more concise
> 
>   right=%r.dyndns.org
> 
> which will resolve the hostname r.dyndns.org during an ipsec update
> allowing S to initiate the connection but will also accept any
> changed IP address R as a responder. The rightallowany parameter
> was introduced a couple of years ago to just cover this DynDNS
> scenario.
> 
> Regards
> 
> Andreas
> 
> On 06/14/2010 10:20 PM, pdaum at gmx.de wrote:
> > I am experiencing a problem connecting a Funkwerk EC VPN25 router
> > (VPN Access 25 version V.7.4 Rev. 1 (Patch 11)) with a StrongSwan (Linux
> > strongSwan U4.3.2/K2.6.32-22-generic) gateway.
> > 
> > The (StrongSwan) gateway "S" has a fixed IP address, the router "R"
> > has a dynamic one, provided by DynDNS. After an "ipsec update" has
> > been issued on S, S has the current address of R and the
> > establishment of a VPN connection works in both directions, i.e. S as
> > well as R can bring up a connection.
> > 
> > If the IP address of R changes (e.g. after re-establishment of the
> > connection), S does not become aware of the new address. Accordingly, S
> > cannot initiate a connection, as expected. However, R can still
> > connect to S as the IP address of the latter has not changed.
> > Unfortunately, R's connection request is refused by S with the error
> > message "no connection has been authorized with policy=PUBKEY" (full
> > log below). It seems that the first package of R does not give any
> > indication of R's identity and is subsequently refused by S.
> > 
> > The strange thing is that I have 2 other locations with Funkwerk
> > routers (same config, same software version, albeit another model)
> > where the scenario described above works perfectly.
> > 
> > I am now looking for a reason. As the two working locations are
> > connected through another ISP (Colt), I am wondering if there is
> > something special with the internet connection at the troubled
> > location (green.ch). Could a too small MTU cause problems? Also, R is
> > not directly connected to the internet, having a Zyxel ADSL modem
> > between (as bridge).
> > 
> > Any ideas how to analyse (and eventually solve) the problem are
> > appreciated.
> > 
> > Best regards Peter
> > 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 
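
A small audit helper, added here as an example and not part of the original thread or of strongSwan: it parses ipsec.conf conn sections and reports whether each peer is pinned to the address resolved at "ipsec update" or may also connect from a changed address, as described in the reply above. The function names and the "short" and "pinned" conns are hypothetical, and `conn %default` and `also=` inheritance are not handled.

```python
# Constructed sample: "xazk" is abridged from the thread; "short" and
# "pinned" are hypothetical conns added for comparison.
SAMPLE_CONF = """\
conn xazk
        rightid=@zh.vpn.abcdef.ch
        right=abc.def.cx
        rightallowany=yes
        auto=add

conn short
        right=%r.dyndns.org   # shorthand for right= plus rightallowany=yes
        auto=add

conn pinned
        right=r.dyndns.org
        auto=add
"""


def parse_conns(text):
    """Return {conn name: {key: value}} for each 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section headers start in column 0
            words = line.split()
            is_conn = words[0] == "conn" and len(words) == 2
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def peer_address_policy(conn):
    """Classify how the responder side treats the peer's source address."""
    right = conn.get("right")
    if right is None or right == "%defaultroute":
        return "unset-or-special"
    if right == "%any":
        return "any"
    if right.startswith("%") or conn.get("rightallowany") == "yes":
        return "allowany"  # resolved address used to initiate, changed address accepted
    return "pinned"        # only the address resolved at start/update matches


if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        print(f"{name}: right={conn.get('right')} -> {peer_address_policy(conn)}")
```
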
