[strongSwan] Road Warrior Config Error: cannot initiate connection without knowing peer IP address

Andreas Steffen andreas.steffen at strongswan.org
Fri May 4 19:42:10 CEST 2012


Hello Anant,

your problem is actually self-explaining. How do you want to
connect to a remote endpoint if with right=%any its IP address
is not known!!!

right=%any can only be used for passive responders waiting for
endpoints to connect.

Regards

Andreas

On 05/04/2012 06:25 PM, Raman, Anant wrote:
> I am unable to get the road warrior configuration working. It’s giving
> me the 029 error cannot initiate connection with peer IP address.
>
> I appreciate any help.
>
> Thanks,
>
> Anant Raman
>
> I am using the road warrior configuration from the README documentation
> from strongSwan Version 4.5.3. I am using a shared secret, not certs.
>
> Secure Network <----------> VPN Gateway <---------------> Road Warrior
>
> 10.2.115.0/24 10.2.115.132 ---143.182.89.37 143.182.89.0/24
>
> The error in VPN Gateway:
>
> 029 "rw": cannot initiate connection without knowing peer IP address
>
> The road warrior “ipsec up home” does not return, times out eventually
>
> The ipsec.secrets file:
>
> i143.182.89.37 143.182.89.137 : PSK "shared key"
>
> Ipsec.conf at VPN Gateway:
>
> # Add connections here.
>
> conn %default
>     ikelifetime=60m
>     keylife=1m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>     ike=aes128-sha-modp2048!
>     esp=aes128-sha1!
>
> #conn host-host
> #     left=192.168.1.1
> #     leftfirewall=no
> #     rightfirewall=no
> #     right=192.168.1.2
> #     auto=start
> #     authby=secret
>
> #conn net-net
> #     rightfirewall=no
> #     right=192.168.1.2
> #     rightsubnet=10.2.115.0/24
> #     left=192.168.1.1
> #     leftfirewall=no
> #     leftsubnet=143.182.89.0/24
> #     auto=start
> #     authby=secret
>
> conn rw
>     left=143.182.89.37
>     leftsubnet=10.2.115.0/24
>     right=%any
>     rightfirewall=no
>     auto=add
>     authby=secret
>
> ipsec.conf at the roadwarrior
>
> config setup
>     plutodebug=none
>     crlcheckinterval=180
>     strictcrlpolicy=no
>     # cachecrls=yes
>     # nat_traversal=yes
>     charonstart=no
>     plutostart=yes
>     interfaces=eth3
>
> conn %default
>     ikelifetime=60m
>     keylife=1m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>     ike=aes128-sha-modp2048!
>     esp=aes128-sha1!
>
> # Add connections here.
>
> conn home
>     right=143.182.89.37
>     rightsubnet=10.2.115.0/24
>     left=%defaultroute
>     auto=start
>     authby=secret
>
> The command line at the VPN Gateway:
>
> [root@ll-ck1 etc]# ipsec start
> Starting strongSwan 4.5.3 IPsec [starter]...
> !! Your strongswan.conf contains manual plugin load options for
> !! pluto and/or charon. This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> [root@ll-ck1 etc]# ipsec up rw
> 029 "rw": cannot initiate connection without knowing peer IP address
> [root@ll-ck1 etc]# ipsec status
> 000 "rw": 10.2.115.0/24===143.182.89.37[143.182.89.37]...%any[%any]; unrouted; eroute owner: #0
> 000 "rw": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> [root@ll-ck1 etc]#
>
> The command line output at the roadwarrior:
>
> [root@ll-ck3 etc]# ipsec start
> Starting strongSwan 4.5.3 IPsec [starter]...
> !! Your strongswan.conf contains manual plugin load options for
> !! pluto and/or charon. This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> [root@ll-ck3 etc]# ipsec up home
> ^C
> [root@ll-ck3 etc]# ipsec status
> 000 "home": 143.182.89.137[143.182.89.137]---143.182.89.1...143.182.89.37[143.182.89.37]===10.2.115.0/24; unrouted; eroute owner: #0
> 000 "home": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000 #1: "home" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 8s
> 000 #1: pending Phase 2 for "home" replacing #0
> 000
> [root@ll-ck3 etc]# ipsec up home
>
>
>


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
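
Added example, not part of the original message and not strongSwan code: a small lint that reads ipsec.conf text and reports which conns can initiate and which can only respond, following the rule stated in the reply above. The function names are hypothetical, the sample is trimmed from the two configs quoted in this thread, and "rw-bad" is a constructed failing case; it assumes left is the local side and right the remote side, as in the thread.

```python
import re

# Trimmed from the two ipsec.conf files quoted in this thread; "rw-bad" is a
# constructed variant added to show the failing case.
SAMPLE = """
conn %default
    keyexchange=ikev1
    authby=secret
conn rw                      # gateway side
    left=143.182.89.37
    leftsubnet=10.2.115.0/24
    right=%any
    auto=add
conn home                    # road warrior side
    left=%defaultroute
    right=143.182.89.37
    rightsubnet=10.2.115.0/24
    auto=start
conn rw-bad                  # constructed: wildcard peer, yet told to initiate
    left=143.182.89.37
    right=%any
    auto=start
"""

def parse_conns(text):
    """Return {name: {key: value}} for each conn section, with conn %default merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and indentation
        if not line:
            continue
        header = re.fullmatch(r"(conn|config|ca)\s+(\S+)", line)
        if header:                                # config/ca sections are skipped
            current = sections.setdefault(header.group(2), {}) if header.group(1) == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def classify(text):
    """Map each conn to 'can-initiate', 'responder-only' or 'error'.
    A conn with no right= line at all is not examined and counts as can-initiate."""
    roles = {}
    for name, opts in parse_conns(text).items():
        if opts.get("right") != "%any":
            roles[name] = "can-initiate"
        elif opts.get("auto") == "start":
            roles[name] = "error"            # told to initiate, but no address to contact
        else:
            roles[name] = "responder-only"   # valid, but 'ipsec up <name>' cannot work here
    return roles
```

On the sample, "rw" comes out as responder-only, which is why "ipsec up rw" on the gateway returns the 029 error while the same conn is still valid for accepting the road warrior's connection.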



