[strongSwan] Road Warrior Config Error: cannot initiate connection without knowing peer IP address

Raman, Anant anant.raman at intel.com
Fri May 4 18:25:28 CEST 2012


I am unable to get the road warrior configuration working. It's giving me the 029 error "cannot initiate connection with peer IP address".
I appreciate any help.

Thanks,
Anant Raman


I am using the road warrior configuration from the README documentation from strongSwan Version 4.5.3.  I am using a shared secret, not certs.

Secure Network  <------>  VPN Gateway                     <------>  Road Warrior
10.2.115.0/24             10.2.115.132 --- 143.182.89.37            143.182.89.0/24

The error in VPN Gateway:
029 "rw": cannot initiate connection without knowing peer IP address

The road warrior "ipsec up home" does not return; it times out eventually.

The ipsec.secrets file:
i143.182.89.37 143.182.89.137 : PSK "shared key"

ipsec.conf at the VPN Gateway:
# Add connections here.
conn %default
        ikelifetime=60m
        keylife=1m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        ike=aes128-sha-modp2048!
        esp=aes128-sha1!

#conn host-host
#        left=192.168.1.1
#        leftfirewall=no
#        rightfirewall=no
#        right=192.168.1.2
#        auto=start
#        authby=secret

#conn net-net
#        rightfirewall=no
#        right=192.168.1.2
#        rightsubnet=10.2.115.0/24
#        left=192.168.1.1
#        leftfirewall=no
#        leftsubnet=143.182.89.0/24
#        auto=start
#        authby=secret

conn rw
        left=143.182.89.37
        leftsubnet=10.2.115.0/24
        right=%any
        rightfirewall=no
        auto=add
        authby=secret

ipsec.conf at the road warrior:
config setup
        plutodebug=none
        crlcheckinterval=180
        strictcrlpolicy=no
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=no
        plutostart=yes
        interfaces=eth3

conn %default
        ikelifetime=60m
        keylife=1m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        ike=aes128-sha-modp2048!
        esp=aes128-sha1!

# Add connections here.
conn home
        right=143.182.89.37
        rightsubnet=10.2.115.0/24
        left=%defaultroute
        auto=start
        authby=secret

The command line at the VPN Gateway:
[root@ll-ck1 etc]# ipsec start
Starting strongSwan 4.5.3 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
[root@ll-ck1 etc]# ipsec up rw
029 "rw": cannot initiate connection without knowing peer IP address
[root@ll-ck1 etc]# ipsec status
000 "rw": 10.2.115.0/24===143.182.89.37[143.182.89.37]...%any[%any]; unrouted; eroute owner: #0
000 "rw":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
[root@ll-ck1 etc]#

The command line output at the roadwarrior:

[root@ll-ck3 etc]# ipsec start
Starting strongSwan 4.5.3 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
[root@ll-ck3 etc]# ipsec up home
^C
[root@ll-ck3 etc]# ipsec status
000 "home": 143.182.89.137[143.182.89.137]---143.182.89.1...143.182.89.37[143.182.89.37]===10.2.115.0/24; unrouted; eroute owner: #0
000 "home":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "home" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 8s
000 #1: pending Phase 2 for "home" replacing #0
000
[root@ll-ck3 etc]# ipsec up home