[strongSwan] Tunnels with dynamic IP and another route issue

Dusan Ilic dusan at comhem.se
Sat Apr 29 02:25:08 CEST 2017


Hi Noel,

Okay, if I don't set "left" and initiate the connection it takes the 
wrong route (multiple WAN-interfaces) and the remote peer doesn't expect 
that source IP. Probably works better if the remote peer is initiating 
the connection instead.

If I set "left=%local.example" and "right" / "rightid" as you suggest I 
get the following output in the logfile:

Apr 29 00:10:51 R6250 daemon.info charon: 10[IKE] tried 1 shared key for 'local.example' - '137.135.x.x', but MAC mismatched
Apr 29 00:10:51 R6250 daemon.info charon: 10[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

If I fiddle in ipsec.secrets a bit, I get this instead:

authentication of '137.135.x.x' with pre-shared key successful
constraint check failed: identity 'remote.example' required
selected peer config 'site2site' inacceptable: constraint checking failed
no alternative config found

When remote peer tries to connect instead:

Apr 29 00:08:44 R6250 daemon.info charon: 06[CFG] looking for peer configs matching 85.24.x.x[%any]...137.135.x.x[137.135.x.x]
Apr 29 00:08:44 R6250 daemon.info charon: 06[CFG] selected peer config 'vpn'
Apr 29 00:08:44 R6250 daemon.info charon: 06[IKE] no shared key found for '%any' - '137.135.x.x'

Config 'vpn' is a completely different connection definition.


Den 2017-04-28 kl. 16:48, skrev Noel Kuntze:
> Hello Dusan,
>
> Don't set "left".
> Set "right=remoteDNSname" and "rightid=remoteDNSname". Use the following verbatim as selector: "remoteDNSname". DO NOT use "%remoteDNSname".
> Secrets are looked up based on the remote peer's ID, not the local one's. There's no need to use IPs as IDs with IKEv2. The IDs can be read from the
> packets without looking up the secret first and decrypting the packet.
>
> It doesn't matter if the local peer has a changing IP, unless you restrict IKE_SAs by the source IP, which you don't have to do at all and just
> gives you more problems unless you really know what you're doing.
>
> Kind regards,
> Noel
>
> On 28.04.2017 10:03, Dusan Ilic wrote:
>> Here is another example (dynamic DNS both sides), other side is initiating.
>>
>>
>> Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] x.x.x.200 is initiating an IKE_SA
>> Apr 28 07:49:06 R6250 authpriv.info charon: 12[IKE] x.x.x.200 is initiating an IKE_SA
>> Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
>> Apr 28 07:49:06 R6250 daemon.info charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> Apr 28 07:49:06 R6250 daemon.info charon: 12[NET] sending packet: from x.x.x.96[500] to x.x.x.200[500] (337 bytes)
>> Apr 28 07:49:06 R6250 daemon.info charon: 15[NET] received packet: from x.x.x.200[500] to x.x.x.96[500] (220 bytes)
>> Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
>> Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] looking for peer configs matching x.x.x.96[%any]...x.x.x.200[x.x.x.200]
>> Apr 28 07:49:06 R6250 daemon.info charon: 15[CFG] selected peer config 'VPN'
>> Apr 28 07:49:06 R6250 daemon.info charon: 15[IKE] no shared key found for '%any' - 'x.x.x.200'
>> Apr 28 07:49:06 R6250 daemon.info charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> Apr 28 07:49:06 R6250 daemon.info charon: 15[NET] sending packet: from x.x.x.96[500] to x.x.x.200[500] (76 bytes)
>>
>> Peer config is the wrong one, below is the config and IPsec secrets
>>
>> conn test
>>          keylife=3600s
>>          ikelifetime=28800s
>>          left=%local.net
>>          leftsubnet=10.1.1.0/26
>>          right=%remote.net
>>          rightsubnet=192.168.18.0/24,10.0.0.0/24
>>          ike=aes128-sha1-modp1024
>>          esp=aes128-sha1-modp1024
>>
>> IPsec secret
>>
>> %local.net %remote.net : PSK "XXX"
>>
>> In my understanding from the Strongswan documentation, if the hostname is prefixed with "%" it will do a DNS lookup and use those IP addresses?
>>
>
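A corrected ipsec.conf and ipsec.secrets pair that applies Noel's advice to the "test" conn quoted above (an added example, not configuration from this thread or from the strongSwan project; the conn name, IKEv2 with PSK authentication, and the hostnames local.example / remote.example are assumptions standing in for the real values):

```conf
# ipsec.conf (added example; conn name, IKEv2 and PSK are assumptions)
conn site2site
        keyexchange=ikev2
        # "left" is deliberately not set: with several WAN interfaces the
        # daemon picks the local address from the routing table when it
        # initiates, and the peer identifies us by ID, not by source IP.
        leftid=local.example
        leftsubnet=10.1.1.0/26
        # Plain hostname, no "%" prefix: the name is resolved and the peer is
        # expected at that address. "%remote.example" would only imply
        # rightallowany=yes, i.e. stop restricting the peer by address, and
        # it is not an identity, so it matches nothing in ipsec.secrets.
        right=remote.example
        rightid=remote.example
        rightsubnet=192.168.18.0/24,10.0.0.0/24
        leftauth=psk
        rightauth=psk
        # Proposals kept from the quoted config; modp1024 is a weak DH group
        # and modp2048 or stronger is preferable when both peers support it.
        ike=aes128-sha1-modp1024
        esp=aes128-sha1-modp1024
        ikelifetime=28800s
        keylife=3600s
        auto=add

# ipsec.secrets
# Selectors are identities, never "%"-prefixed hostnames. The remote ID is
# what the lookup keys on; listing both IDs keeps the entry unambiguous when
# several conns share the file.
local.example remote.example : PSK "XXX"
```

After reloading (`ipsec reload` and `ipsec rereadsecrets`), the charon log should show "selected peer config 'site2site'" followed by a successful pre-shared-key authentication instead of "no shared key found for '%any'".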