[strongSwan] Dynamic IP Gateway

Noel Kuntze noel at familie-kuntze.de
Tue Nov 25 22:32:08 CET 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Bjoern,

You might want to try using simple strings as IDs on both sides and setting right=%any on the responder.
E.g.:

client config:

[...]
right=myGateway
rightid=myGatewaysomethingsomething
leftid=myClientomethingsomething
[...]

gateway config:
[...]
right=%any
rightid=myClientsomethingsomething
leftid=myGatewaysomethingsomething
[...]

Keep in mind that you have to set matching selectors in ipsec.secrets for your PSKs,
so strongSwan knows what secrets to use!

Example:

ipsec.secrets on client:

myGatewaysomethingsomething : PSK "foobar"

ipsec.secrets on gateway

myClientsomethingsomething : PSK "foobar"

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 25.11.2014 um 22:27 schrieb bjoern wahl:
> Hello!
>
> I want to connect a Pidora Gateway with a dynamic ip adress to a static
> gateway in my company.
> When i enter the fix ip-address to both sides everything works find. But
> i just do not get the point, how to do that with a
> dynamic ip address at one side.
>
> I found the examples at [1] but i still do not get it working.
>
> At the GW with the static ip the config looks like this:
>
> ================================================
> conn pidora
>         keyexchange=ikev1
>         closeaction=restart
>         compress=no
>         authby=secret
>         leftid=FIX-IP-OF-THE-ONE-GW
>         left=FIX-IP-OF-THE-ONE-GW
>         leftsubnet=x.x.x.x/xx
>         rightid=DYN-IP-OF-THE-OTHER-GW
>         right=DYN-IP-OF-THE-OTHER-GW
>         rightsubnet=yyy.yy.yy.0/24
>         ike=aes256-sha-modp1024
>         esp=aes256-sha1
>         auto=add
>
> ================================================
>
> So for me it is all about the rightid which does not work if i give it a
> name like "rightid=pidora". And it also does not work
> if I do "rigth=%any".
>
> The strongswan versions are not the same btw. The GW with the fix ip is
> Linux strongSwan U5.1.1 and the version on the pidora is a
> newer version.
> Actually I can not enter the client now, so i can not tell you the exact
> version we use there, sorry.
>
> I also read something about nameresolution via dyndns. So I have the
> question if this is needed. I understand that in any other way
> the GW with the fix IP would never be able to open the connection as
> this side does not know the ip, but does it ever have to ?
>
> In my mind i think of the GW with the dynamic IP always initiating the
> connection, is this working ?
> How would a configuration look like ?
>
> I did saw [1] which seems to me to be the exact same thing i want, but i
> did not work out for me with this config. I do not want to
> user certs and I used no xy at test.com as the rightid, would that be the
> reason why it did not work ?
>
> Thanks for any idea.
>
> björn
>
> [1] https://www.strongswan.org/testresults4.html
>
>
> ----------------------------------------------------------------------------------------------------
> Klinikverbund Westmünsterland gGmbH
>  Jur. Sitz der Gesellschaft: Am Boltenhof 7, 46325 Borken
>  Registergericht Coesfeld, HRB Nr. 8983
>  Ust.-Id.Nr.: DE 222740345
>  Geschäftsführer: Christoph Bröcker, Ludger Hellmann
> 
>  Diese E-Mail enthält vertrauliche oder rechtlich geschützte
> Informationen. Wenn Sie nicht der beabsichtige Empfänger sind,
> informieren Sie bitte sofort den Absender und löschen Sie diese E-Mail.
> 
>  Das unbefugte Kopieren dieser E-Mail oder die unbefugte Weitergabe der
> enthaltenen Informationen ist nicht gestattet.
> 
>  Dem Klinikverbund Westmünsterland sind fünf Krankenhäuser mit 1.332
> Planbetten und mehrere Einrichtungen der Altenhilfe angeschlossen. Mehr
> als 50 Fachbereiche orientieren sich an neusten medizinischen Standards
> und erfüllen die hohen Anforderungen einer qualifizierten und
> zertifizierten Versorgung. Rund 50.000 Patienten werden jährlich in den
> Krankenhäusern stationär behandelt. Mit über 3.800 Mitarbeitern gehört
> der Verbund zu den größten Arbeitgebern der Region.
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJUdPVYAAoJEDg5KY9j7GZYGe4P+weJEVfRZ9D31lYvtLSa9tDQ
M0jJvs0U0XfkDsIhDHV0rvtKiSFn/s+vKJPNCbKLU30hgFv0GlS3t8qwV9yusCqO
/jFPM0Jey68bhiilsqXvCkf/o3MKHneqopTqlZTapTzOTEATmJ/UOFEaGgIAjWHD
LBqEnZSDFPnEDIdzvtV2rxDXHHgeuS+XmewTD8Wn1Y3owYYYESLbYj8VyBqDgfuM
P6TmlsajpBgnTgvQ4U6hqDslBQAD0MTzyfHpbyT42bV0fbichqg4cMP1Lc/vf6xS
6T8/DEU/n7cPeOT8nHiNwsFmn70CPDmkp4qh+uWZHUpDOXTD+2GVSIg9LCJdBn5o
kRdPvx0MHnU2mG71Wk/kpsjP/qGnFZm9bUOEBlVmoQy9I9lv5RRELlioyZph0j+U
jpsc1fJ99rPS0F0kTCSFb3GLQ1YssSwJojbIZt413Kp51wGj8RnJk89W3vpYXrfO
Zi3sFFcsaajbRgvKBNbWvI5jTsC+sAq73vQIc6FTqyxvctZrrphXFvqaZW3ZA8hO
Un45koI0+i0hnQMcSWFKT904QxSHobTpOrF1Q1XLXJi9cjw0jOfnmCMqD4nfCNNd
JaWFq+yhWyahYbOOoVFFdfKgteYs9sqg8MKoxqgs5eBTV8o36tD70xGCN8my9et/
g6uI8X4O3rxjnYulG79I
=aQZc
-----END PGP SIGNATURE-----



More information about the Users mailing list