[strongSwan] Tunnels with dynamic IP and another route issue

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sat Apr 29 18:44:06 CEST 2017


Hello Dusan,

On 29.04.2017 18:34, Dusan Ilic wrote:
> It works! I found a hidden setting under Phase 1 in Fortigate where I could add the local ID. Added its dynamic DNS hostname and now it connects.

Great!

>
> However, I still have issues with another endpoint I'm testing. My local endpoint has Strongswan 5.5.1 and the remote endpoint has 4.5.2. Would that present any issues or incompatibilities? Unfortunately it's not possible to upgrade the remote endpoint (Strongswan).

Pluto resolves IDs that are FQDNs. I think there was a hack where you add the at-character in front of the FQDN in the ID settings, and that stops it from doing that.
Might apply to charon too, in such a low version number. Try the hack.

>
> I tried below, per your suggestion
>
> left=%local.example
> leftid=local.example
> right=%remote.example
> rightid=remote.example
>
> remote.example : PSK "PSKGOESHERE"
>
> Log when local sides initiates connection:
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error

You need to read the remote logs when the remote side sends you an error message.

>
> Log when remote side initiates connection:
> Apr 29 16:32:20 R6250 daemon.info charon: 10[CFG] looking for peer configs matching 85.24.x.x[85.24.x.x]...94.254.x.x[94.254.x.x]
> Apr 29 16:32:20 R6250 daemon.info charon: 10[CFG] no matching peer config found
>
> It looks like the same issue, the remote endpoint doesn't send the configured ID?

Yes.

>
> And another question, when using dynamic hostnames instead of IPs as "right", how often does Strongswan make a new DNS lookup? How does Strongswan handle the situation where, let's say, the remote endpoint suddenly receives a new IP? Or if the local side receives a new IP during an established connection?

strongSwan does a DNS lookup whenever it tries to select a configuration. Well, it depends on whether mobike is used or not and whether the peer whose IP changed can't send any traffic anymore.

Mobike and connectivity: IKE_SA and CHILD_SAs are migrated
No mobike and connectivity: Don't know. Maybe a new IKE_SA is negotiated, because the one peer knows the local address has vanished (and the CHILD_SAs migrated?).
No mobike and no connectivity: Timeout, if DPD is used. Otherwise the IKE_SA and CHILD_SAs remain until the remote peer connects again.
Mobike and no connectivity: Timeout, if DPD is used. Otherwise the IKE_SA and CHILD_SAs remain until the remote peer connects again.

Kind regards,
Noel
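As an added illustration of the two points made in this reply (it is not configuration from the thread or from the strongSwan project), the ipsec.conf fragment below shows the quoted setup rewritten with the at-prefix hack: `@` in front of an FQDN in `leftid`/`rightid` tells the parser to use the name as a literal FQDN identity instead of resolving it to an address, while the unprefixed `left`/`right` keep being resolved by DNS each time a configuration is selected. The DPD and MOBIKE lines correspond to the four cases listed above: with `mobike=yes` an address change migrates the IKE_SA and CHILD_SAs, and `dpdaction=restart` with `dpddelay` is what turns a silent peer into a timeout followed by a fresh negotiation rather than a stale SA. The hostnames, the PSK placeholder and the timer values are constructed for the example.

```ini
# /etc/ipsec.conf (constructed example, hostnames and timers are placeholders)
conn dyn-site
    keyexchange=ikev2
    authby=secret

    # left/right without @ are resolved via DNS whenever charon
    # selects a configuration, so a changed dynamic IP is picked up
    # the next time the connection is (re)negotiated.
    left=local.example
    right=remote.example

    # The at-prefix: use the FQDN as a literal IKE identity and do NOT
    # resolve it. Without the @, an older pluto/charon may resolve the
    # name and send the resulting IP address as its ID, which is what
    # produces "no matching peer config found" on the other side.
    leftid=@local.example
    rightid=@remote.example

    # Case "mobike and connectivity": the IKE_SA and CHILD_SAs are
    # migrated to the new address instead of being torn down.
    mobike=yes

    # Case "no connectivity": dead peer detection gives a timeout
    # instead of leaving the IKE_SA/CHILD_SAs around, and restart
    # re-resolves the peer name and negotiates a new IKE_SA.
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

    auto=start
```

The PSK selector in ipsec.secrets has to match the identity actually sent, so with the at-prefixed IDs above it becomes `@local.example @remote.example : PSK "PSKGOESHERE"` (placeholder secret). Whether the `@`-prefix is honoured by the 4.5.2 peer is, as the reply says, something to verify in that peer's own log: the line to look for is the `looking for peer configs matching` entry, which shows the identity the remote side presented in the square brackets.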

