[strongSwan] Tunnels with dynamic IP and another route issue

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sat Apr 29 02:49:48 CEST 2017


Hello Dusan,

On 29.04.2017 02:25, Dusan Ilic wrote:
> Hi Noel,
>
> Okay, if I don't set "left" and initiate the connection it takes the wrong route (multiple WAN-interfaces) and the remote peer doesn't expect that source IP. Probably works better if the remote peer is initiating connection instead.
>
> If I set "left=%local.example" and "right" / "rightid" as you suggest I get the following output in logfile:
>
> Apr 29 00:10:51 R6250 daemon.info charon: 10[IKE] tried 1 shared key for 'local.example' - '137.135.x.x', but MAC mismatched
> Apr 29 00:10:51 R6250 daemon.info charon: 10[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>
> If I fiddle in ipsec.secrets a bit, I get this instead:
>
> authentication of '137.135.x.x' with pre-shared key successful
> constraint check failed: identity 'remote.example' required
> selected peer config 'site2site' inacceptable: constraint checking failed
> no alternative config found
>
Alright. Try the following:
left=%local.example
leftid=local.example
right=%remote.example
rightid=remote.example

remote.example : PSK "PSKGOESHERE"

Do it vice versa on the remote peer.

Kind regards,
Noel
