[strongSwan] Microsoft Azure Virtual Network?

John Connett jrc at skylon.demon.co.uk
Tue Aug 7 13:42:04 CEST 2012


On Tue, 07 Aug 2012 12:04:25 +0100, John Connett <jrc at skylon.demon.co.uk> wrote:

> On Mon, 06 Aug 2012 11:55:02 +0100, John Connett <jrc at skylon.demon.co.uk> wrote:
>> On Fri, 03 Aug 2012 10:14:01 +0100, Martin Willi <martin at strongswan.org> wrote:
>>>> > 10[CFG] <2> looking for pre-shared key peer configs matching 192.168.199.10...168.63.60.212[10.4.1.4]
>>>> > 10[IKE] <2> no peer config found
>>>>
>>>> Is this an artifact of the charon / pluto merge in strongSwan 5?  Or is
>>>> "keyexchange=ikev2" not sufficient to cause IKEv2 to be used?
>>>
>>> The keyexchange parameter is connection specific, so your connection
>>> will use IKEv2.
>>>
>>> Your peer, however, seems to initiate with IKEv1. You don't have a
>>> matching connection for IKEv1, hence the negotiation fails with
>>> "no peer config found".
>>>
>> I have added:
>>    keyexchange=ikev1
>> so both initiator and responder should now be using IKEv1.
> [text removed]
>> Will continue to investigate ...
>
> I have rebuilt strongswan-5.0.0 without "-O2" in CFLAGS and have
> attached gdb to charon as described in
> http://wiki.strongswan.org/issues/198.
>
> On entry to the select_config function in libcharon/sa/ikev1/phase1.c
> this->peer_cfg is NULL (so there is no attempt to find an alternative
> config).
>
> The body of the while loop over the enumerator is not entered.
>
> This is consistent with the logging messages seen.
>
> What do I need to do to ensure that a suitable peer config is available?

Increased logging to "cfg=3" in strongswan.conf and obtained the
following:

16[CFG] <2> looking for pre-shared key peer configs matching 192.168.199.10...168.63.60.212[10.4.1.5]
16[CFG] <2> peer config match local: 1 (ID_ANY)
16[CFG] <2> peer config match remote: 0 (ID_IPV4_ADDR -> 0a:04:01:05)
16[CFG] <2> ike config match: 12 (192.168.199.10 168.63.60.212)
16[IKE] <2> no peer config found

So 10.4.1.5 is ID_MATCH_NONE (0) ...

Unfortunately, I don't think the remote private IP address is fixed,
just chosen from 10.4.1.0/24.

Any help?
--
John Connett
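
The following is an added example, not part of the original message and not strongSwan code: a small diagnostic that reads charon "cfg=3" lines of the shape quoted above, reports which match check scored 0 for each IKE_SA, and decodes the hex-encoded ID_IPV4_ADDR identity. The function names, the regular expressions and the assumption that log lines look exactly like the ones quoted in this message are choices made for the example.

```python
import ipaddress
import re

# Constructed sample: the cfg=3 lines quoted in the message above, unwrapped.
SAMPLE_LOG = """\
16[CFG] <2> looking for pre-shared key peer configs matching 192.168.199.10...168.63.60.212[10.4.1.5]
16[CFG] <2> peer config match local: 1 (ID_ANY)
16[CFG] <2> peer config match remote: 0 (ID_IPV4_ADDR -> 0a:04:01:05)
16[CFG] <2> ike config match: 12 (192.168.199.10 168.63.60.212)
16[IKE] <2> no peer config found
"""

# Assumed line shape: "<sa> <check name>: <score> (<detail>)"
MATCH_RE = re.compile(
    r"<(\d+)> (peer config match (?:local|remote)|ike config match): (\d+) \((.*)\)")
ID_RE = re.compile(r"ID_IPV4_ADDR -> ((?:[0-9a-f]{2}:){3}[0-9a-f]{2})")

def decode_ipv4_id(detail):
    """Turn 'ID_IPV4_ADDR -> 0a:04:01:05' into an IPv4Address, else None."""
    m = ID_RE.search(detail)
    if not m:
        return None
    return ipaddress.IPv4Address(bytes.fromhex(m.group(1).replace(":", "")))

def diagnose(log, expected_net=None):
    """Per IKE_SA number, list the match checks that scored 0."""
    failures = {}
    for line in log.splitlines():
        m = MATCH_RE.search(line)
        if not m or int(m.group(3)) != 0:
            continue  # not a match line, or the check scored above 0
        sa, check, _, detail = m.groups()
        entry = {"check": check, "detail": detail}
        addr = decode_ipv4_id(detail)
        if addr is not None:
            entry["id_addr"] = str(addr)
            if expected_net is not None:
                # Is the presented identity inside the range the peer draws from?
                entry["in_expected_net"] = addr in ipaddress.ip_network(expected_net)
        failures.setdefault(int(sa), []).append(entry)
    return failures

if __name__ == "__main__":
    for sa, items in diagnose(SAMPLE_LOG, "10.4.1.0/24").items():
        for item in items:
            print(f"IKE_SA <{sa}>: {item}")
```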



