[strongSwan] static virtual ips with pool

Banio aau at mncarpenters.net
Mon Dec 9 21:52:32 CET 2013


Hello, I'm trying to get static virtual IPs with pool working, but I'm 
running into issues. I'm getting: no virtual IP found for %any requested.

I added the addresses on the gateway like this:
# strongswan pool --replace vpnclients --addresses addresses2.txt

addresses2.txt:

172.16.44.1=quique.domain.com
172.16.44.2=eripley.domain.com

gateway ipsec.conf:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
     charondebug="ike 2, knl 3, cfg 0"

conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev2

conn aosclient
     left=%defaultroute
     leftcert=vpngateway3.domain.com_cert.pem
     leftid=@vpngateway3.domain.com
     leftfirewall=yes
     leftsubnet=172.16.40.0/22
     right=%any
     rightsourceip=%vpnclients
     auto=route

client ipsec.conf:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
     crlcheckinterval=180
     strictcrlpolicy=no
     plutostart=no

conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev2

conn aosclient
     left=%defaultroute
     leftcert=quique.domain.com_cert.pem
     leftfirewall=yes
     leftid=@quique.domain.com
     leftsourceip=%config
     right=vpngateway3.domain.com
     rightid=@vpngateway3.domain.com
     rightsubnet=172.16.40.0/22
     auto=add

client log:

# ipsec up aosclient
initiating IKE_SA aosclient[1] to 176.23.75.135
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.38[500] to 176.23.75.135[500]
received packet: from 176.23.75.135[500] to 192.168.1.38[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
received cert request for "C=US, ST=IL, O=Company, OU=Platform IT, CN=MY CA"
sending cert request for "C=US, ST=IL, O=Company, OU=Platform IT, CN=MY CA"
authentication of 'quique.domain.com' (myself) with RSA signature successful
sending end entity cert "C=US, ST=IL, L=Chicago, O=Company, OU=Platform IT, CN=quique.domain.com"
establishing CHILD_SA aosclient
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CP(ADDR DNS DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.38[4500] to 176.23.75.135[4500]
received packet: from 176.23.75.135[4500] to 192.168.1.38[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
received end entity cert "C=US, ST=IL, L=Chicago, O=Company, OU=vpn_gateway, CN=vpngateway3.domain.com"
   using certificate "C=US, ST=IL, L=Chicago, O=Company, OU=vpn_gateway, CN=vpngateway3.domain.com"
   using trusted ca certificate "C=US, ST=IL, O=Company, OU=Platform IT, CN=MY CA"
checking certificate status of "C=US, ST=IL, L=Chicago, O=Company, OU=vpn_gateway, CN=vpngateway3.domain.com"
certificate status is not available
   reached self-signed root ca with a path length of 0
authentication of 'vpngateway3.domain.com' with RSA signature successful
IKE_SA aosclient[1] established between 192.168.1.38[quique.domain.com]...176.23.75.135[vpngateway3.domain.com]
scheduling reauthentication in 3399s
maximum IKE_SA lifetime 3579s
received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built


server log:

Dec  9 10:23:42 15[NET] received packet: from 96.116.65.100[500] to 172.16.42.10[500] (832 bytes)
Dec  9 10:23:42 15[IKE] 96.116.65.100 is initiating an IKE_SA
Dec  9 10:23:42 15[IKE] local host is behind NAT, sending keep alives
Dec  9 10:23:42 15[IKE] remote host is behind NAT
Dec  9 10:23:42 15[IKE] sending cert request for "C=US, ST=IL, O=Company, OU=Platform IT, CN=Company CA"
Dec  9 10:23:42 15[NET] sending packet: from 172.16.42.10[500] to 96.116.65.100[500] (465 bytes)
Dec  9 10:23:42 16[NET] received packet: from 96.116.65.100[4500] to 172.16.42.10[4500] (1788 bytes)
Dec  9 10:23:42 16[IKE] received cert request for "C=US, ST=IL, O=Company, OU=Platform IT, CN=Company CA"
Dec  9 10:23:42 16[IKE] received end entity cert "C=US, ST=IL, L=Chicago, O=Company, OU=Platform IT, CN=quique.domain.com"
Dec  9 10:23:42 16[IKE] authentication of 'quique.domain.com' with RSA signature successful
Dec  9 10:23:42 16[IKE] peer supports MOBIKE
Dec  9 10:23:42 16[IKE] authentication of 'vpngateway3.domain.com' (myself) with RSA signature successful
Dec  9 10:23:42 16[IKE] IKE_SA aosclient[1] established between 172.16.42.10[vpngateway3.domain.com]...96.116.65.100[quique.domain.com]
Dec  9 10:23:42 16[IKE] scheduling reauthentication in 3249s
Dec  9 10:23:42 16[IKE] maximum IKE_SA lifetime 3429s
Dec  9 10:23:42 16[IKE] sending end entity cert "C=US, ST=IL, L=Chicago, O=Company, OU=vpn_gateway, CN=vpngateway3.domain.com"
Dec  9 10:23:42 16[IKE] peer requested virtual IP %any
Dec  9 10:23:42 16[IKE] no virtual IP found for %any requested by 'quique.domain.com'
Dec  9 10:23:42 16[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Dec  9 10:23:42 16[IKE] configuration payload negotiation failed, no CHILD_SA built
Dec  9 10:23:42 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Dec  9 10:23:42 16[NET] sending packet: from 172.16.42.10[4500] to 96.116.65.100[4500] (1484 bytes)
Dec  9 10:24:02 01[IKE] sending keep alive to 96.116.65.100[4500]


Any help would be appreciated. Let me know if more info is needed.
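As an added diagnostic that is not part of the original post: a Python check that parses the ip=identity pool file shown above and the gateway's charon log, and reports for each "no virtual IP found" event whether the requesting identity actually has a static entry. The pool file and log lines are constructed from the values in the post; when the identity is present (as here), attention shifts from the address list to how the gateway maps that peer to the pool.

```python
import ipaddress
import re

# Constructed sample of the gateway's pool file in the ip=identity format
# fed to `strongswan pool --addresses`; entries copied from the post.
POOL_FILE = """172.16.44.1=quique.domain.com
172.16.44.2=eripley.domain.com
"""

# Constructed sample of charon log lines, abbreviated from the post's server log.
CHARON_LOG = """Dec  9 10:23:42 16[IKE] peer requested virtual IP %any
Dec  9 10:23:42 16[IKE] no virtual IP found for %any requested by 'quique.domain.com'
Dec  9 10:23:42 16[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Dec  9 10:23:42 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

# Captures the requested address (%any here) and the peer identity from the failure line.
NO_VIP_RE = re.compile(r"no virtual IP found for (\S+) requested by '([^']+)'")


def parse_pool_file(text):
    """Return {identity: ip} from ip=identity lines; reject malformed entries."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected ip=identity, got {line!r}")
        ip, ident = (part.strip() for part in line.split("=", 1))
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if ident in mapping:
            raise ValueError(f"line {lineno}: identity {ident!r} listed twice")
        mapping[ident] = ip
    return mapping


def failed_assignments(log_text, pool):
    """Return (identity, in_pool) for every 'no virtual IP found' event."""
    results = []
    for line in log_text.splitlines():
        m = NO_VIP_RE.search(line)
        if m:
            # strongSwan's leading '@' only marks an FQDN identity; the pool
            # file carries the bare name, so strip it before the lookup.
            ident = m.group(2).lstrip("@")
            results.append((ident, ident in pool))
    return results
```

Running `failed_assignments(CHARON_LOG, parse_pool_file(POOL_FILE))` on the sample returns `[("quique.domain.com", True)]`: the identity has a static entry, yet the gateway still failed the lookup.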