[strongSwan] Tunnels with dynamic IP and another route issue

Dusan Ilic dusan at comhem.se
Sat Apr 29 13:26:40 CEST 2017

no shared key found for 'local.example' - '137.135.x.x'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

The remote side is a Fortigate firewall, so I can't configure it the 
same. I can just choose local interface (i.e. wan) and remote gateway IP 
or Dynamic DNS; I have chosen Dynamic DNS.
It logs "peer SA proposal not match local policy".

If I change to IP addresses it works, but that won't work for very long 

On 2017-04-29 at 02:49, Noel Kuntze wrote:
> Hello Dusan,
> On 29.04.2017 02:25, Dusan Ilic wrote:
>> Hi Noel,
>> Okay, if I don't set "left" and initiate the connection it takes the wrong route (multiple WAN interfaces) and the remote peer doesn't expect that source IP. Probably works better if the remote peer is initiating the connection instead.
>> If I set "left=%local.example" and "right" / "rightid" as you suggest I get the following output in the logfile:
>> Apr 29 00:10:51 R6250 daemon.info charon: 10[IKE] tried 1 shared key for 'local.example' - '137.135.x.x', but MAC mismatched
>> Apr 29 00:10:51 R6250 daemon.info charon: 10[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
>> If I fiddle in ipsec.secrets a bit, I get this instead:
>> authentication of '137.135.x.x' with pre-shared key successful
>> constraint check failed: identity 'remote.example' required
>> selected peer config 'site2site' inacceptable: constraint checking failed
>> no alternative config found
> Alright. Try the following
> left=%local.example
> leftid=local.example
> right=%remote.example
> rightid=remote.example
> remote.example : PSK "PSKGOESHERE"
> Do it vice versa on the remote peer.
> Kind regards,
> Noel
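The configuration Noel sketches above, written out as a complete strongSwan-side example. This is an added illustration, not configuration from either poster; `local.example`, `remote.example`, the connection name `site2site` and the subnets are placeholders. The point it makes is that the selectors in ipsec.secrets are matched against the IKE identities the two peers actually send (leftid/rightid), not against whatever addresses `left`/`right` happen to resolve to, so both files have to agree on the same identity pair.

```conf
# /etc/ipsec.conf (strongSwan side). Added example; names and subnets are placeholders.
conn site2site
    keyexchange=ikev2
    authby=psk
    # The leading '%' on a DNS name implicitly sets leftallowany/rightallowany=yes:
    # the name is resolved when initiating, but the peer is also accepted when it
    # connects from an address the name does not currently resolve to (dynamic IP).
    left=%local.example
    right=%remote.example
    # Fix the IKE identities explicitly. Without leftid/rightid the identity defaults
    # to the address, which is why the PSK lookup in the log above is keyed on an IP
    # ('137.135.x.x') and finds no matching secret.
    leftid=local.example
    rightid=remote.example
    leftsubnet=192.168.1.0/24    # placeholder local LAN
    rightsubnet=192.168.2.0/24   # placeholder remote LAN
    auto=start

# /etc/ipsec.secrets (strongSwan side). Added example.
# Selectors are IKE identities; list both so the secret is unambiguous.
# Use the same string on both peers (placeholder shown here).
local.example remote.example : PSK "PSKGOESHERE"
```

On the FortiGate the corresponding phase 1 settings are its own local ID (which must read `remote.example` here) and the peer ID it accepts (`local.example`); if either side leaves its ID at the default, the other side sees an IP address as the identity, and a secret keyed by DNS name is not found, exactly the `no shared key found` line quoted above. The `tried 1 shared key ... but MAC mismatched` variant means a secret was matched but the two sides' PSK strings differ.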
