[strongSwan] Choosing the left ip address automatically for charon.

Richard Andrews richard.andrews at symstream.com
Tue Oct 2 09:51:32 CEST 2012


Maybe you are looking for left=%defaultroute ?

IIRC this causes the left IP address to be the IP address of the
interface which has the default route.


On Tue, 2012-10-02 at 00:17 -0700, Guru Shetty wrote:
> Hello All,
>  I am using strongswan 4.5.2-1.2(charon) and PSK authentication.
>  The problem I am facing is quite straightforward. I know the remote
> IP(192.168.0.2) address to put in the ipsec.conf. But I do not know
> the local IP address and want it to be automatically figured out.
> 
> Looking at the ipsec.conf man page, it says left=%any should do the job.
> But it does not. Some handshaking messages are exchanged first, but
> then it errors out with the following message in the log file:
> 
> Oct  1 23:56:10 moon charon: 15[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.2[4500]
> Oct  1 23:56:10 moon charon: 08[NET] received packet: from 192.168.0.2[4500] to 192.168.0.1[4500]
> Oct  1 23:56:10 moon charon: 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Oct  1 23:56:10 moon charon: 08[IKE] received AUTHENTICATION_FAILED notify error
> 
> I know that I am missing something. Searching the archives did not
> give out a clear answer (I tried out setting a random leftid etc.).
> 
> My ipsec.secrets:
> : PSK  "guru"
> 
> I have also tried with
> %any 192.168.0.2 : PSK "guru"
> 
> Summary of my ipsec.conf
> config setup
>         nat_traversal=no
>         charonstart=yes
>         plutostart=no
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         authby=psk
>         keyexchange=ikev2
>         installpolicy=yes
> 
> conn sample-self-signed
>       ike=aes-sha1-modp1024,aes-md5-modp1024
>       esp=aes128gcm16-modp2048,aes-sha1-modp1024,aes-md5-modp1024
>       type=transport
>       left=%any
>       right=192.168.0.2
>       auto=start
> 
> 
> Replacing "%any" by 192.168.0.1 works fine. But that is not what I want.
> Please help.
> 
> Thanks,
> Guru
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
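
The lookup the reply describes (the address of the interface that holds the default route), as an added example that is not part of the original thread and is not strongSwan's code. It parses a constructed sample in Linux's /proc/net/route format; the sample routes, the interface addresses, the function names and the lowest-metric tie-break are assumptions.

```python
import socket
import struct

# Constructed sample in Linux /proc/net/route format (hex fields are little-endian).
SAMPLE_ROUTES = """\
Iface Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
eth0  0000A8C0    00000000 0001  0      0   0      00FFFFFF 0   0      0
wlan0 00000000    0100000A 0003  0      0   600    00000000 0   0      0
eth0  00000000    FE00A8C0 0003  0      0   100    00000000 0   0      0
"""
# Constructed interface addresses; on a live host these come from the kernel.
SAMPLE_ADDRS = {"eth0": "192.168.0.1", "wlan0": "10.0.0.7"}

RTF_UP = 0x1  # route is usable


def hex_to_ip(field):
    """Decode a little-endian hex IPv4 field such as 'FE00A8C0'."""
    return socket.inet_ntoa(struct.pack("<L", int(field, 16)))


def default_route(route_text):
    """Return (iface, gateway) of the lowest-metric default route that is up, or None.

    Picking the lowest metric is an assumption of this sketch.
    """
    best = None
    for line in route_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8:
            continue
        iface, dest, gw, flags, metric, mask = (
            cols[0], cols[1], cols[2], int(cols[3], 16), int(cols[6]), cols[7])
        # A default route has destination 0.0.0.0 and netmask 0.0.0.0.
        if dest != "00000000" or mask != "00000000" or not flags & RTF_UP:
            continue
        if best is None or metric < best[0]:
            best = (metric, iface, hex_to_ip(gw))
    return None if best is None else best[1:]


def resolve_left(route_text, addrs):
    """Address a left=%defaultroute style lookup would pick, or None without a default route."""
    route = default_route(route_text)
    return None if route is None else addrs.get(route[0])


if __name__ == "__main__":
    print("default route:", default_route(SAMPLE_ROUTES))
    print("left=" + str(resolve_left(SAMPLE_ROUTES, SAMPLE_ADDRS)))
```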




