[strongSwan] Tunnels with dynamic IP and another route issue

Dusan Ilic dusan at comhem.se
Fri Apr 28 08:08:29 CEST 2017


Thank you

Well for starters, I can paste the logs I had in an earlier thread. Are 
you saying that site-2-site with PSK must use certificates when using 
dynamic hostnames?
What about if only one side of the tunnel has a dynamic IP and dynamic 
DNS (my side)? I have two remote peers, one using a dynamic hostname 
(Fortigate, supports dynamic hostnames for the remote peer in the GUI 
configuration) and one with a static IP (UniFi gateway, using strongSwan).

left=%hostname is working for one of my tunnels below, but not the 
other. See below.

The working:
sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
authentication of 'hostname' (myself) with pre-shared key
establishing CHILD_SA Azure
generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 85.24.x.x[500] to 137.135.x.x[500] (380 bytes)
received packet: from 137.135.x.x[500] to 85.24.x.x[500] (204 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
authentication of '137.135.x.x' with pre-shared key successful
IKE_SA Azure[2] established between 85.24.x.x[hostname]...137.135.x.x[137.135.x.x]
scheduling reauthentication in 27923s
maximum IKE_SA lifetime 28463s
connection 'Azure' established successfully

The non-working:
sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
authentication of 'hostname' (myself) with pre-shared key
establishing CHILD_SA Wesafe
generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 85.24.x.x[500] to 94.254.x.x[500] (380 bytes)
received packet: from 94.254.x.x[500] to 85.24.x.x[500] (76 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'Wesafe' failed

ipsec.secrets
%hostname 137.135.x.x : PSK "xxxx"
%hostname 94.254.x.x : PSK "xxxxx"

"hostname" is my side of the tunnel and is a dynamic DNS hostname 
resolving to my public IP.


On 2017-04-27 at 22:57, Noel Kuntze wrote:
>
> On 27.04.2017 22:38, Dusan Ilic wrote:
>> I would really appreciate some help with the below also, I'm having a hard time understanding how strongSwan chooses connection definitions and ipsec secrets.
> Based on IPs, identities and authentication methods.
>> For example, how can I setup an ikev2 psk tunnel between two hosts with dynamic dns?
> Look at the "site-2-dynamic-ip" example at the UsableExamples page[1] for a configuration that uses
> certificates for authentication. Read the text at the beginning of the page.
>> Can I have several ipsec secrets or connections with %any?
> No. One secret per identity.
>> I've tried with %dyndns but seem to get some errors about constraints and such. If someone would give me an explanation that would be great!
> You need to paste logs to get help.
>
> [1]https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Site-To-Site-Scenario
>

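The following is an added configuration example, not from this thread or the strongSwan project, showing one way to lay out the scenario discussed above: a local side behind a dynamic-DNS name and two static-IP peers, with each connection and each PSK selected by identity rather than by the local address. All hostnames, addresses, subnets and key strings are placeholders.

```conf
# /etc/ipsec.conf  (added example; names and addresses are placeholders)
config setup

conn %default
    keyexchange=ikev2
    authby=secret
    # Local side sits on a dynamic address behind a DDNS name.
    # The % prefix resolves the FQDN to pick the source address when
    # initiating but implies leftallowany=yes, so any local address is
    # accepted when responding after the public IP has changed.
    left=%vpn.example.dyndns.org
    # The @ prefix sends an FQDN identity as-is (not resolved), so the
    # IDi in IKE_AUTH stays stable even though the address does not.
    leftid=@vpn.example.dyndns.org
    leftsubnet=192.168.1.0/24
    auto=start

# Peer 1: static-IP gateway that identifies itself by its address
conn azure
    right=203.0.113.10
    rightid=203.0.113.10
    rightsubnet=10.0.0.0/16

# Peer 2: static-IP gateway.  rightid must equal whatever IDr that peer
# actually sends; it shows up in the local log as
# "authentication of '<id>' with pre-shared key".  If the peer sends an
# FQDN, write it here as @fqdn instead of the address.
conn wesafe
    right=198.51.100.20
    rightid=198.51.100.20
    rightsubnet=10.10.0.0/24

# /etc/ipsec.secrets  (added example)
# One PSK per (local ID, remote ID) pair.  The selectors use the same
# spelling as leftid/rightid: @ prefix for an FQDN, dotted quad for an
# address.  A line with differing selectors is a different secret, so
# two peers can have two different keys without any %any wildcard.
@vpn.example.dyndns.org 203.0.113.10 : PSK "placeholder-psk-for-azure"
@vpn.example.dyndns.org 198.51.100.20 : PSK "placeholder-psk-for-wesafe"
```

After editing the secrets file, run `ipsec rereadsecrets` and check `ipsec statusall`; the "authentication of '...' with pre-shared key" lines in the log show exactly which identities were matched. An AUTHENTICATION_FAILED notify is generated by the responding peer, so the responder's own log (the Fortigate or UniFi side here) is where the reason for a rejected IKE_AUTH is recorded; the initiator only sees that it was refused.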