[strongSwan] Choosing the left ip address automatically for charon.
Guru Shetty
gurushettylists at gmail.com
Tue Oct 2 22:51:24 CEST 2012
On 2 October 2012 00:51, Richard Andrews <richard.andrews at symstream.com> wrote:
> Maybe you are looking for left=%defaultroute ?
>
> IIRC this causes the left IP address to be the IP address of the
> interface which has the default route.
I did try this. But when I use %defaultroute, it seems to pick the
"default gateway" in the routing table instead of the interface from
which the destination is actually reachable.
As I wrote in a different mail, "left=%any" works in 4.6.4.
Thanks,
Guru
>
>
> On Tue, 2012-10-02 at 00:17 -0700, Guru Shetty wrote:
>> Hello All,
>> I am using strongswan 4.5.2-1.2 (charon) and PSK authentication.
>> The problem I am facing is quite straightforward. I know the remote
>> IP address (192.168.0.2) to put in the ipsec.conf. But I do not know
>> the local IP address and want it to be automatically figured out.
>>
>> Looking at the ipsec.conf man page, it says left=%any should do the job.
>> But it does not. Some handshaking messages are exchanged first, but
>> then it errors out with the following message in the log file:
>>
>> Oct 1 23:56:10 moon charon: 15[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.2[4500]
>> Oct 1 23:56:10 moon charon: 08[NET] received packet: from 192.168.0.2[4500] to 192.168.0.1[4500]
>> Oct 1 23:56:10 moon charon: 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> Oct 1 23:56:10 moon charon: 08[IKE] received AUTHENTICATION_FAILED notify error
>>
>> I know that I am missing something. Searching the archives did not
>> give out a clear answer (I tried out setting a random leftid, etc.).
>>
>> My ipsec.secrets:
>> : PSK "guru"
>>
>> I have also tried with
>> %any 192.168.0.2 : PSK "guru"
>>
>> Summary of my ipsec.conf:
>> config setup
>>     nat_traversal=no
>>     charonstart=yes
>>     plutostart=no
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     authby=psk
>>     keyexchange=ikev2
>>     installpolicy=yes
>>
>> conn sample-self-signed
>>     ike=aes-sha1-modp1024,aes-md5-modp1024
>>     esp=aes128gcm16-modp2048,aes-sha1-modp1024,aes-md5-modp1024
>>     type=transport
>>     left=%any
>>     right=192.168.0.2
>>     auto=start
>>
>>
>> Replacing "%any" by 192.168.0.1 works fine. But that is not what I want.
>> Please help.
>>
>> Thanks,
>> Guru
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
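The difference Guru describes between %defaultroute and the route that actually reaches the peer comes down to source-address selection. The following is an added example, not code from the thread or from strongSwan: it models a constructed routing table and shows that picking the source address of the default route gives a different answer than a kernel-style longest-prefix lookup toward right=192.168.0.2. The table, interface names and addresses are assumptions for illustration.

```python
"""Source-address selection: default route vs. the route that reaches the peer."""
import ipaddress

# Constructed routing table (assumed, not from the original mail).
# Each entry: (destination prefix, interface, source address on that interface).
ROUTES = [
    ("0.0.0.0/0", "eth0", "203.0.113.10"),      # default route leaves via eth0
    ("192.168.0.0/24", "eth1", "192.168.0.1"),  # the IPsec peer 192.168.0.2 lives here
    ("10.0.0.0/8", "eth2", "10.1.2.3"),         # unrelated internal network
]


def default_route_source(routes):
    """What left=%defaultroute selects: the source address of the 0.0.0.0/0 route."""
    for prefix, _iface, src in routes:
        if ipaddress.ip_network(prefix).prefixlen == 0:
            return src
    return None


def longest_prefix_source(routes, dest):
    """Kernel-style lookup: the most specific prefix containing dest wins."""
    dst = ipaddress.ip_address(dest)
    best = None  # (prefix length, source address)
    for prefix, _iface, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, src)
    return best[1] if best else None


def left_for_peer(routes, right):
    """The address to put in left= so that traffic to right= uses the right interface."""
    return longest_prefix_source(routes, right)


if __name__ == "__main__":
    print("left=%defaultroute would give:", default_route_source(ROUTES))
    print("route toward 192.168.0.2 gives:", left_for_peer(ROUTES, "192.168.0.2"))
```

On a live Linux host, `ip route get 192.168.0.2` prints the kernel's own answer, including the `src` address it would use, which is the value to compare against what charon logs in "sending packet: from".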