[strongSwan] Road Warrior Config Error: cannot initiate connection without knowing peer IP address
Raman, Anant
anant.raman at intel.com
Fri May 4 18:25:28 CEST 2012
I am unable to get the road warrior configuration working. It's giving me the 029 error "cannot initiate connection with peer IP address".
I appreciate any help.
Thanks,
Anant Raman
I am using the road warrior configuration from the README documentation from strongSwan Version 4.5.3. I am using a shared secret, not certs.
Secure Network <--------------> VPN Gateway <-------------------> Road Warrior
10.2.115.0/24          10.2.115.132 ---143.182.89.37              143.182.89.0/24
The error in VPN Gateway:
029 "rw": cannot initiate connection without knowing peer IP address
On the road warrior, "ipsec up home" does not return and eventually times out.
The ipsec.secrets file:
i143.182.89.37 143.182.89.137 : PSK "shared key"
ipsec.conf at the VPN Gateway:
# Add connections here.
conn %default
    ikelifetime=60m
    keylife=1m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    ike=aes128-sha-modp2048!
    esp=aes128-sha1!

#conn host-host
#    left=192.168.1.1
#    leftfirewall=no
#    rightfirewall=no
#    right=192.168.1.2
#    auto=start
#    authby=secret

#conn net-net
#    rightfirewall=no
#    right=192.168.1.2
#    rightsubnet=10.2.115.0/24
#    left=192.168.1.1
#    leftfirewall=no
#    leftsubnet=143.182.89.0/24
#    auto=start
#    authby=secret

conn rw
    left=143.182.89.37
    leftsubnet=10.2.115.0/24
    right=%any
    rightfirewall=no
    auto=add
    authby=secret
ipsec.conf at the road warrior:
config setup
    plutodebug=none
    crlcheckinterval=180
    strictcrlpolicy=no
    # cachecrls=yes
    # nat_traversal=yes
    charonstart=no
    plutostart=yes
    interfaces=eth3

conn %default
    ikelifetime=60m
    keylife=1m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    ike=aes128-sha-modp2048!
    esp=aes128-sha1!

# Add connections here.
conn home
    right=143.182.89.37
    rightsubnet=10.2.115.0/24
    left=%defaultroute
    auto=start
    authby=secret
The command line at the VPN Gateway:
[root@ll-ck1 etc]# ipsec start
Starting strongSwan 4.5.3 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
[root@ll-ck1 etc]# ipsec up rw
029 "rw": cannot initiate connection without knowing peer IP address
[root@ll-ck1 etc]# ipsec status
000 "rw": 10.2.115.0/24===143.182.89.37[143.182.89.37]...%any[%any]; unrouted; eroute owner: #0
000 "rw": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
[root@ll-ck1 etc]#
The command line output at the roadwarrior:
[root@ll-ck3 etc]# ipsec start
Starting strongSwan 4.5.3 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
[root@ll-ck3 etc]# ipsec up home
^C
[root@ll-ck3 etc]# ipsec status
000 "home": 143.182.89.137[143.182.89.137]---143.182.89.1...143.182.89.37[143.182.89.37]===10.2.115.0/24; unrouted; eroute owner: #0
000 "home": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "home" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 8s
000 #1: pending Phase 2 for "home" replacing #0
000
[root@ll-ck3 etc]# ipsec up home
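
Editor's added example, not part of the original post and not strongSwan code: a small pre-flight check over the two gateway files quoted above. It flags conns with right=%any (such a conn can only respond, which is what the 029 message on "ipsec up rw" reports) and PSK selectors in ipsec.secrets that are not IP address literals. The function names are hypothetical; the check assumes IPv4 selectors and does not resolve %default or also= inheritance.

```python
import ipaddress
import re

# Constructed sample input: the gateway conn and secrets line as quoted in the post.
GATEWAY_CONF = """\
conn rw
    left=143.182.89.37
    leftsubnet=10.2.115.0/24
    right=%any
    auto=add
    authby=secret
"""
GATEWAY_SECRETS = 'i143.182.89.37 143.182.89.137 : PSK "shared key"\n'

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf text, ignoring comments."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = None          # "config setup" keys are not conn options
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def lint(conf_text, secrets_text):
    """Return a list of human-readable findings for one host's files."""
    findings = []
    for name, opts in parse_conns(conf_text).items():
        if name != "%default" and opts.get("right") == "%any":
            findings.append(f"conn {name}: right=%any, responder only; "
                            f"'ipsec up {name}' cannot initiate (error 029)")
    for line in secrets_text.splitlines():
        m = re.match(r'\s*([^:#]*?)\s*:\s*PSK\b', line)   # selectors before ": PSK"
        for sel in (m.group(1).split() if m else []):
            if sel != "%any" and not sel.startswith("@") and not is_ip(sel):
                findings.append(f"ipsec.secrets: selector {sel!r} is not an "
                                "IP address literal (hostname or typo?)")
    return findings
```
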