[strongSwan] Choosing the left ip address automatically for charon.

Guru Shetty gurushettylists at gmail.com
Tue Oct 2 22:51:24 CEST 2012


On 2 October 2012 00:51, Richard Andrews <richard.andrews at symstream.com> wrote:
> Maybe you are looking for left=%defaultroute ?
>
> IIRC this causes the left IP address to be the IP address of the
> interface which has the default route.

I did try this. But when I use %defaultroute, it seems to pick the
"default gateway" in the routing table instead of the interface from
which the destination is actually reachable.

As I wrote in a different mail, "left=%any" works in 4.6.4.

Thanks,
Guru

>
>
> On Tue, 2012-10-02 at 00:17 -0700, Guru Shetty wrote:
>> Hello All,
>>  I am using strongswan 4.5.2-1.2(charon) and PSK authentication.
>>  The problem I am facing is quite straightforward. I know the remote
>> IP(192.168.0.2) address to put in the ipsec.conf. But I do not know
>> the local IP address and want it to be automatically figured out.
>>
>> The ipsec.conf man page says left=%any should do the job.
>> But it does not. Some handshaking messages are exchanged first, but
>> then it errors out with the following message in the log file:
>>
>> Oct  1 23:56:10 moon charon: 15[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.2[4500]
>> Oct  1 23:56:10 moon charon: 08[NET] received packet: from 192.168.0.2[4500] to 192.168.0.1[4500]
>> Oct  1 23:56:10 moon charon: 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> Oct  1 23:56:10 moon charon: 08[IKE] received AUTHENTICATION_FAILED notify error
>>
>> I know that I am missing something. Searching the archives did not
>> give a clear answer (I tried setting a random leftid, etc.).
>>
>> My ipsec.secrets:
>> : PSK  "guru"
>>
>> I have also tried with
>> %any 192.168.0.2 : PSK "guru"
>>
>> Summary of my ipsec.conf
>> config setup
>>         nat_traversal=no
>>         charonstart=yes
>>         plutostart=no
>>
>> conn %default
>>         ikelifetime=60m
>>         keylife=20m
>>         rekeymargin=3m
>>         keyingtries=1
>>         authby=psk
>>         keyexchange=ikev2
>>         installpolicy=yes
>>
>> conn sample-self-signed
>>       ike=aes-sha1-modp1024,aes-md5-modp1024
>>       esp=aes128gcm16-modp2048,aes-sha1-modp1024,aes-md5-modp1024
>>       type=transport
>>       left=%any
>>       right=192.168.0.2
>>       auto=start
>>
>>
>> Replacing "%any" by 192.168.0.1 works fine. But that is not what I want.
>> Please help.
>>
>> Thanks,
>> Guru
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
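
Added example, not part of the original thread and not strongSwan code: a small model of the two selection strategies contrasted above, "address of the default-route interface" versus "source address of the route that actually reaches the peer". The routing table and the 10.0.0.x addresses are constructed, the 192.168.0.x addresses are the ones from the thread, and all function names are hypothetical.

```python
import ipaddress
import socket

# Constructed routing table: default route on eth0, the peer's subnet on eth1.
ROUTES = [
    {"dst": "0.0.0.0/0", "dev": "eth0", "src": "10.0.0.5"},
    {"dst": "10.0.0.0/24", "dev": "eth0", "src": "10.0.0.5"},
    {"dst": "192.168.0.0/24", "dev": "eth1", "src": "192.168.0.1"},
]


def default_route_source(routes):
    """Address of the interface carrying the default route (prefix length 0)."""
    for route in routes:
        if ipaddress.ip_network(route["dst"]).prefixlen == 0:
            return route["src"]
    return None


def source_for_peer(routes, peer):
    """Longest-prefix match: source address of the route that reaches peer."""
    peer_ip = ipaddress.ip_address(peer)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route["dst"])
        if peer_ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route["src"])
    return best[1] if best else None


def kernel_source_for_peer(peer, port=500):
    """Ask the local kernel which source address it would use for peer.

    connect() on a UDP socket only performs the route lookup; no packet is sent.
    Returns None when the host has no route to the peer.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        try:
            sock.connect((peer, port))
        except OSError:
            return None
        return sock.getsockname()[0]


if __name__ == "__main__":
    peer = "192.168.0.2"  # right= from the thread
    print("default-route address :", default_route_source(ROUTES))
    print("route-to-peer address :", source_for_peer(ROUTES, peer))
    print("this host's kernel says:", kernel_source_for_peer(peer))
```

On a multi-homed host the first two values differ, which is the situation where a fixed or default-route-derived `left` no longer matches the address the peer sees.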



