[strongSwan] Tunnels with dynamic IP and another route issue

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Apr 28 16:48:23 CEST 2017


Hello Dusan,

Don't set "left".
Set "right=%remoteDNSname" and "rightid=remoteDNSname". Use the following verbatim as selector: "remoteDNSname". DO NOT use "%remoteDNSname".
Secrets are looked up based on the remote peer's ID, not the local one's. There's no need to use IPs as IDs with IKEv2. The IDs can be read from the
packets without looking up the secret first and decrypting the packet.

It doesn't matter if the local peer has a changing IP, unless you restrict IKE_SAs by the source IP, which you don't have to do at all and just
gives you more problems unless you really know what you're doing.

Kind regards,
Noel

On 28.04.2017 10:03, Dusan Ilic wrote:
>
> Here is another example (dynamic DNS both sides), other side is initiating.
>
>
> Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] x.x.x.200 is initiating an IKE_SA
> Apr 28 07:49:06 R6250 authpriv.info charon: 12[IKE] x.x.x.200 is initiating an IKE_SA
> Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
> Apr 28 07:49:06 R6250 daemon.info charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Apr 28 07:49:06 R6250 daemon.info charon: 12[NET] sending packet: from x.x.x.96[500] to x.x.x.200[500] (337 bytes)
> Apr 28 07:49:06 R6250 daemon.info charon: 15[NET] received packet: from x.x.x.200[500] to x.x.x.96[500] (220 bytes)
> Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
> Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] looking for peer configs matching x.x.x.96[%any]...x.x.x.200[x.x.x.200]
> Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] selected peer config 'VPN'
> Apr 28 07:49:06 R6250 daemon.info charon: 15[IKE] no shared key found for '%any' - 'x.x.x.200'
> Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Apr 28 07:49:06 R6250 daemon.info charon: 15[NET] sending packet: from x.x.x.96[500] to x.x.x.200[500] (76 bytes)
>
> Peer config is the wrong one, below is the config and IPsec secrets
>
> conn test
>         keylife=3600s
>         ikelifetime=28800s
>         left=%local.net
>         leftsubnet=10.1.1.0/26
>         right=%remote.net
>         rightsubnet=192.168.18.0/24,10.0.0.0/24
>         ike=aes128-sha1-modp1024
>         esp=aes128-sha1-modp1024
>
> IPsec secret
>
> %local.net %remote.net : PSK "XXX"
>
> In my understanding from the strongSwan documentation, if the hostname is prefixed with "%" it will do a DNS lookup and use those IP addresses?
>


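Added example, not from the thread or the strongSwan project: a small Python script that correlates the charon log lines quoted above by worker thread and reports the ID pair the PSK lookup used, applying Noel's point that the secret is selected by the remote peer's ID. It assumes charon's log format exactly as quoted; the sample log is constructed, with RFC 5737 documentation addresses in place of the x.x.x.* placeholders.

```python
import re

# Constructed sample in the charon syslog format quoted in the thread (one IKE_AUTH
# exchange handled by worker thread 15); 192.0.2.96 / 198.51.100.200 are RFC 5737
# documentation addresses standing in for the x.x.x.96 / x.x.x.200 of the original log.
SAMPLE_LOG = """\
Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] looking for peer configs matching 192.0.2.96[%any]...198.51.100.200[198.51.100.200]
Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] selected peer config 'VPN'
Apr 28 07:49:06 R6250 daemon.info charon: 15[IKE] no shared key found for '%any' - '198.51.100.200'
Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Every charon line carries its worker thread number ("15[CFG]"); correlate on it rather
# than assuming the lines of one exchange are adjacent in a busy log.
MATCH_RE = re.compile(r"charon: (?P<thr>\d+)\[CFG\] looking for peer configs matching "
                      r"[^\s\[]+\[(?P<lid>[^\]]+)\]\.\.\.[^\s\[]+\[(?P<rid>[^\]]+)\]")
CFG_RE = re.compile(r"charon: (?P<thr>\d+)\[CFG\] selected peer config '(?P<cfg>[^']+)'")
NOKEY_RE = re.compile(r"charon: (?P<thr>\d+)\[IKE\] no shared key found for "
                      r"'(?P<lid>[^']+)' - '(?P<rid>[^']+)'")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def diagnose(log_text: str) -> list:
    """Return one dict per failed PSK lookup: which peer config was chosen, which pair of
    IDs the secret was searched for, and why a name-keyed secret would not match."""
    exchanges, failures = {}, []
    for line in log_text.splitlines():
        if m := MATCH_RE.search(line):
            exchanges[m["thr"]] = {"cfg": None}
        elif (m := CFG_RE.search(line)) and m["thr"] in exchanges:
            exchanges[m["thr"]]["cfg"] = m["cfg"]
        elif m := NOKEY_RE.search(line):
            lid, rid, why = m["lid"], m["rid"], []
            if lid == "%any":
                why.append("local ID is %any (no leftid, and the IKE_AUTH request carried no IDr); "
                           "harmless, the secret is selected by the remote ID")
            if IPV4_RE.match(rid):
                why.append("remote peer identifies itself by its IP address (IDi payload), so a "
                           "secret keyed to its DNS name cannot match; give the peer an FQDN ID")
            failures.append({"thread": m["thr"], "peer_config": exchanges.get(m["thr"], {}).get("cfg"),
                             "local_id": lid, "remote_id": rid, "why": why})
    return failures

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"thread {f['thread']} config {f['peer_config']}: PSK lookup for "
              f"('{f['local_id']}', '{f['remote_id']}') failed")
        print("\n".join("  - " + w for w in f["why"]))
```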