[strongSwan] Tunnels with dynamic IP and another route issue

Dusan Ilic dusan at comhem.se
Fri Apr 28 10:03:14 CEST 2017


Here is another example (dynamic DNS both sides), other side is initiating.


Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] x.x.x.200 is initiating an IKE_SA
Apr 28 07:49:06 R6250 authpriv.info charon: 12[IKE] x.x.x.200 is initiating an IKE_SA
Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Apr 28 07:49:06 R6250 daemon.info charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 28 07:49:06 R6250 daemon.info charon: 12[NET] sending packet: from x.x.x.96[500] to x.x.x.200[500] (337 bytes)
Apr 28 07:49:06 R6250 daemon.info charon: 15[NET] received packet: from x.x.x.200[500] to x.x.x.96[500] (220 bytes)
Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] looking for peer configs matching x.x.x.96[%any]...x.x.x.200[x.x.x.200]
Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] selected peer config 'VPN'
Apr 28 07:49:06 R6250 daemon.info charon: 15[IKE] no shared key found for '%any' - 'x.x.x.200'
Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 28 07:49:06 R6250 daemon.info charon: 15[NET] sending packet: from x.x.x.96[500] to x.x.x.200[500] (76 bytes)

Peer config is the wrong one; below is the config and IPsec secrets.

conn test
         keylife=3600s
         ikelifetime=28800s
         left=%local.net
         leftsubnet=10.1.1.0/26
         right=%remote.net
         rightsubnet=192.168.18.0/24,10.0.0.0/24
         ike=aes128-sha1-modp1024
         esp=aes128-sha1-modp1024

IPsec secret

%local.net %remote.net : PSK "XXX"

In my understanding from the Strongswan documentation, if a hostname is 
prefixed with "%" it will do a DNS lookup and use those IP addresses?

> On 2017-04-28 at 08:08, Dusan Ilic wrote:
>>
>> Thank you
>>
>> Well for starters, I can paste the logs I had in an earlier thread. 
>> Are you saying that site-2-site with PSK must use certificates when 
>> using dynamic hostnames?
>> What about if only one side of the tunnel has a dynamic IP and 
>> dynamic DNS (my side)? I have two remote peers, one using dynamic 
>> hostname (Fortigate, supports dynamic hostnames for remote peer in 
>> GUI configuration) and one with static IP (UniFi gateway, using 
>> Strongswan)
>>
>> left=%hostname is working for one of my tunnels below, but not the 
>> other. See below.
>>
>> The working:
>> sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
>> authentication of 'hostname' (myself) with pre-shared key
>> establishing CHILD_SA Azure
>> generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>> sending packet: from 85.24.x.x[500] to 137.135.x.x[500] (380 bytes)
>> received packet: from 137.135.x.x[500] to 85.24.x.x[500] (204 bytes)
>> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
>> authentication of '137.135.x.x' with pre-shared key successful
>> IKE_SA Azure[2] established between 85.24.x.x[hostname]...137.135.x.x[137.135.x.x]
>> scheduling reauthentication in 27923s
>> maximum IKE_SA lifetime 28463s
>> connection 'Azure' established successfully
>>
>> The non-working:
>> sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
>> authentication of 'hostname' (myself) with pre-shared key
>> establishing CHILD_SA Wesafe
>> generating IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
>> sending packet: from 85.24.x.x[500] to 94.254.x.x[500] (380 bytes)
>> received packet: from 94.254.x.x[500] to 85.24.x.x[500] (76 bytes)
>> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> received AUTHENTICATION_FAILED notify error
>> establishing connection 'Wesafe' failed
>>
>> ipsec.secrets
>> %hostname 137.135.x.x : PSK "xxxx"
>> %hostname 94.254.x.x : PSK "xxxxx"
>>
>> "hostname" is my side of the tunnel and is a dynamic DNS hostname 
>> resolving to my public IP.
>>
>>
>> On 2017-04-27 at 22:57, Noel Kuntze wrote:
>>> On 27.04.2017 22:38, Dusan Ilic wrote:
>>>> I would really appreciate some help with below also, I'm having a hard time understanding how Strongswan chooses connection definitions and ipsec secrets.
>>> Based on IPs, identities and authentication methods.
>>>> For example, how can I setup an ikev2 psk tunnel between two hosts with dynamic dns?
>>> Look at the "site-2-dynamic-ip" example at the UsableExamples page[1] for a configuration that uses
>>> certificates for authentication. Read the text at the beginning of the page.
>>>> Can I have several ip secrets or connections with %any?
>>> No. One secret per identity.
>>>> I've tried with %dyndns but seem to get some errors about constraints and such. If someone would give me an explanation that would be great!
>>> You need to paste logs to get help.
>>>
>>> [1]https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Site-To-Site-Scenario
>>>
>>
>
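As an added diagnostic example (not code from this thread or from strongSwan), the script below pulls the identity pair charon matched on out of log lines like the ones above and checks it against an ipsec.secrets-style file; the sample log, the "x.x.x.*" addresses and the "%local.net"/"%remote.net" selectors are constructed placeholders, and the secrets check is a deliberately simplified stand-in for strongSwan's own secret selection, not a reproduction of it.

```python
import re

# Constructed sample input modelled on the charon lines and secrets file above.
SAMPLE_LOG = """\
Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] x.x.x.200 is initiating an IKE_SA
Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] looking for peer configs matching x.x.x.96[%any]...x.x.x.200[x.x.x.200]
Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] selected peer config 'VPN'
Apr 28 07:49:06 R6250 daemon.info charon: 15[IKE] no shared key found for '%any' - 'x.x.x.200'
Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""
SAMPLE_SECRETS = '%local.net %remote.net : PSK "XXX"\n'

MATCHING = re.compile(r"looking for peer configs matching \S+?\[([^\]]*)\]\.\.\.\S+?\[([^\]]*)\]")
SELECTED = re.compile(r"selected peer config '([^']*)'")
NO_KEY = re.compile(r"no shared key found for '([^']*)' - '([^']*)'")

def parse_psk_selectors(secrets_text):
    """Identity selectors in front of each ': PSK' line.
    A line with no selectors before ':' is recorded as ('%any',)."""
    entries = []
    for raw in secrets_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ": PSK" not in line:
            continue
        selectors = line.split(":", 1)[0].split()
        entries.append(tuple(selectors) or ("%any",))
    return entries

def analyze(log_text, secrets_text):
    """Report the local/remote IDs charon used and which secrets lines could serve them."""
    report = {"peer_config": None, "ids": None, "psk_lookup": None, "candidates": []}
    for line in log_text.splitlines():
        if m := MATCHING.search(line):
            report["ids"] = (m.group(1), m.group(2))
        elif m := SELECTED.search(line):
            report["peer_config"] = m.group(1)
        elif m := NO_KEY.search(line):
            report["psk_lookup"] = (m.group(1), m.group(2))
    if report["psk_lookup"]:
        # Simplified rule (assumption, not strongSwan's logic): a secrets line is a
        # candidate only if every looked-up identity is %any, appears literally on
        # the line, or the line itself carries a %any selector.
        for entry in parse_psk_selectors(secrets_text):
            if all(i == "%any" or i in entry or "%any" in entry for i in report["psk_lookup"]):
                report["candidates"].append(entry)
    return report

if __name__ == "__main__":
    r = analyze(SAMPLE_LOG, SAMPLE_SECRETS)
    print(f"peer config {r['peer_config']!r} selected for IDs {r['ids']}")
    if r["psk_lookup"] and not r["candidates"]:
        print(f"PSK lookup {r['psk_lookup']} matches no secrets line; secrets are keyed by other identities")
```

On the sample input it reports that the lookup for '%any' and 'x.x.x.200' matches no line, which is the identity mismatch the log above shows.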
