[strongSwan] Road Warrior Config Error: cannot initiate connection without knowing peer IP address

Raman, Anant anant.raman at intel.com
Fri May 4 19:53:57 CEST 2012


Hi  Andreas,

Thank you for a prompt response.  It's my first attempt to learn this SW, so pardon me for ignorance. -)

I need several road warriors in the 143.182.89.0 subnet to connect, each having an IPsec tunnel with VPN Gateway connecting through the 143.182.89.37 interface.  Currently, I have one computer 89.137.  Later I will have more, all DHCP addresses.

Now, given that, how should I configure the right?  Given that I need any of those road warriors to connect to that one interface.

Thank you!
Anant

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Friday, May 04, 2012 10:42 AM
To: Raman, Anant
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Road Warrior Config Error: cannot initiate connection without knowing peer IP address

Hello Anant,

your problem is actually self-explaining. How do you want to connect to a remote endpoint if with right=%any its IP address is not known!!!

right=%any can only be used for passive responders waiting for endpoints to connect.

Regards

Andreas

On 05/04/2012 06:25 PM, Raman, Anant wrote:
> I am unable to get the road warrior configuration working. It's giving 
> me the 029 error cannot initiate connection with peer IP address.
>
> I appreciate any help.
>
> Thanks,
>
> Anant Raman
>
> I am using the road warrior configuration from the README 
> documentation from strongSwan Version 4.5.3. I am using a shared secret, not certs.
>
> Secure Network <----------> VPN Gateway <---------------> Road Warrior
>
> 10.2.115.0/24 10.2.115.132 ---143.182.89.37 143.182.89.0/24
>
> The error in VPN Gateway:
>
> 029 "rw": cannot initiate connection without knowing peer IP address
>
> The road warrior "ipsec up home" does not return, times out eventually
>
> The ipsec.secrets file:
>
> i143.182.89.37 143.182.89.137 : PSK "shared key"
>
> Ipsec.conf at VPN Gateway:
>
> # Add connections here.
>
> conn %default
>     ikelifetime=60m
>     keylife=1m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>     ike=aes128-sha-modp2048!
>     esp=aes128-sha1!
>
> #conn host-host
> #    left=192.168.1.1
> #    leftfirewall=no
> #    rightfirewall=no
> #    right=192.168.1.2
> #    auto=start
> #    authby=secret
>
> #conn net-net
> #    rightfirewall=no
> #    right=192.168.1.2
> #    rightsubnet=10.2.115.0/24
> #    left=192.168.1.1
> #    leftfirewall=no
> #    leftsubnet=143.182.89.0/24
> #    auto=start
> #    authby=secret
>
> conn rw
>     left=143.182.89.37
>     leftsubnet=10.2.115.0/24
>     right=%any
>     rightfirewall=no
>     auto=add
>     authby=secret
>
> ipsec.conf at the roadwarrior
>
> config setup
>     plutodebug=none
>     crlcheckinterval=180
>     strictcrlpolicy=no
>     # cachecrls=yes
>     # nat_traversal=yes
>     charonstart=no
>     plutostart=yes
>     interfaces=eth3
>
> conn %default
>     ikelifetime=60m
>     keylife=1m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>     ike=aes128-sha-modp2048!
>     esp=aes128-sha1!
>
> # Add connections here.
>
> conn home
>     right=143.182.89.37
>     rightsubnet=10.2.115.0/24
>     left=%defaultroute
>     auto=start
>     authby=secret
>
> The command line at the VPN Gateway:
>
> [root@ll-ck1 etc]# ipsec start
> Starting strongSwan 4.5.3 IPsec [starter]...
> !! Your strongswan.conf contains manual plugin load options for
> !! pluto and/or charon. This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> [root@ll-ck1 etc]# ipsec up rw
> 029 "rw": cannot initiate connection without knowing peer IP address
> [root@ll-ck1 etc]# ipsec status
> 000 "rw": 10.2.115.0/24===143.182.89.37[143.182.89.37]...%any[%any]; unrouted; eroute owner: #0
> 000 "rw": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> [root@ll-ck1 etc]#
>
> The command line output at the roadwarrior:
>
> [root@ll-ck3 etc]# ipsec start
> Starting strongSwan 4.5.3 IPsec [starter]...
> !! Your strongswan.conf contains manual plugin load options for
> !! pluto and/or charon. This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> [root@ll-ck3 etc]# ipsec up home
> ^C
> [root@ll-ck3 etc]# ipsec status
> 000 "home": 143.182.89.137[143.182.89.137]---143.182.89.1...143.182.89.37[143.182.89.37]===10.2.115.0/24; unrouted; eroute owner: #0
> 000 "home": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000 #1: "home" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 8s
> 000 #1: pending Phase 2 for "home" replacing #0
> 000
> [root@ll-ck3 etc]# ipsec up home


--
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
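
Added example, not part of the original thread and not strongSwan code: a small Python check of the rule stated in the reply above, that a conn with right=%any can only act as a passive responder and therefore must not be started with auto=start or "ipsec up". It assumes left is the local end and right the peer, as in the quoted configs, resolves only "conn %default" inheritance, and uses sample configs abridged from the thread.

```python
# Added example (not strongSwan code): flag conns that cannot initiate.
# Assumptions: "left" is local and "right" is the peer; only "conn %default"
# inheritance is resolved (no also=); an unset "right" is treated like %any.
def parse_conns(text):
    """Return {conn_name: {key: value}} with %default values merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        words = line.split()
        if words[0] == "conn" and len(words) == 2:
            current = sections.setdefault(words[1], {})
        elif words[0] == "config":
            current = None                      # "config setup" is not a conn
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def can_initiate(conn):
    """A conn whose peer address is %any can only wait as a responder."""
    return conn.get("right", "%any") != "%any"

def lint(text):
    """Names of conns set to auto=start although they cannot initiate."""
    return sorted(name for name, conn in parse_conns(text).items()
                  if conn.get("auto") == "start" and not can_initiate(conn))

# Constructed sample input, abridged from the two configs in the thread.
GATEWAY = """
conn %default
    keyexchange=ikev1
conn rw
    left=143.182.89.37
    right=%any
    auto=add        # passive: loaded, waits for road warriors
"""
ROADWARRIOR = """
conn home
    left=%defaultroute
    right=143.182.89.37
    auto=start      # initiator: peer address is known
"""

if __name__ == "__main__":
    bad = GATEWAY.replace("auto=add", "auto=start")
    print("auto=start on a %any conn:", lint(bad))
```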



