[strongSwan] S2S VPN with dynamic DNS

Dusan Ilic dusan at comhem.se
Mon Jun 19 08:51:29 CEST 2017


Yet again, the Fortigate router reconnected to Strongswan on its own 
without manual intervention 12 minutes after the other side's public IP 
changed... Strongswan won't connect even manually.


Den 2017-06-19 kl. 08:47, skrev Dusan Ilic:
>
> Okay, today it happened again, new IP on one end of the tunnel and updated 
> in DNS. Pinging the new IP from both sides shows it resolves 
> correctly, restarting Strongswan on both sides and the same issue as 
> before. (last time it started to work on the evening of the same day)
>
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 94.254.123.x[500] to 85.24.244.x[500]
> received packet: from 85.24.244.x[500] to 94.254.123.x[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
> CERTREQ N(MULT_AUTH) ]
> received 1 cert requests for an unknown ca
> authentication of 'hostname' (myself) with pre-shared key
> no shared key found for 'hostname' - '85.24.244.x'
>
> Why isn't it working?
> What does the message "no shared key found for 'hostname' - 
> '85.24.244.x'" mean?
> This time the IP is correct and updated.
>
>
> Den 2017-06-14 kl. 15:23, skrev Dusan Ilic:
>>
>> Hi,
>>
>> I have a S2S IPsec tunnel setup that has problems now that one side 
>> of the tunnel has been assigned a new public IP. The hostname used 
>> has been immediately updated by way of dynamic DNS, and the TTL 
>> expired two hours ago. When trying to bring up the tunnel on the side with 
>> the changed IP, Strongswan returns "received AUTHENTICATION_FAILED 
>> notify error", and when trying to do the same on the remote end the 
>> log looks like the following.
>>
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> sending packet: from 94.254.123.x[500] to 85.24.242.x[500]
>> received packet: from 85.24.242.x[500] to 94.254.123.x[500]
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
>> CERTREQ N(MULT_AUTH) ]
>> received 1 cert requests for an unknown ca
>> authentication of 'hostname' (myself) with pre-shared key
>> no shared key found for 'hostname' - '*85.24.240.x*'
>>
>> Now as you can see the packets are sent to the correct host (domain 
>> is correctly resolved), however on the last line it's the old IP. 
>> What's happening here? I have tried restarting Strongswan on both 
>> hosts, but it doesn't help.
>>
>> This is the first time since I set up the tunnel with dynamic DNS that 
>> one side of the tunnel has changed IP; how can I make either side of 
>> the tunnel continue reconnecting until the hostname is properly 
>> resolving again?
>> I have another tunnel going to the same client, and it has 
>> successfully reconnected after it picked up the new IP. The 
>> client is a Fortigate router. So, how can I force Strongswan to retry?
>>
>

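The line "no shared key found for 'hostname' - '85.24.244.x'" is charon's PSK authenticator reporting that none of its loaded secrets is bound to the identity pair it is about to authenticate with: the local identity 'hostname' and the remote identity, which here is an IP address. The added example below (written for this thread, not code from strongSwan or from the poster) models that lookup by identity pair over ipsec.secrets-style lines and runs a small check over the two quoted charon logs. It shows why a secret whose selector is the peer's IP address stops matching as soon as a dynamic-DNS peer changes address, while a secret bound to the peer's FQDN keeps matching as long as the remote identity is pinned to that FQDN instead of being derived from the resolved address. The secret values, the identities gw.example.net and peer.dyndns.example, the concrete IP 85.24.240.1, and the matching rules (plain string comparison, no DNS resolution of selectors, specific entries preferred over %any) are assumptions of this demo; check them against ipsec.secrets(5) and your own logs before relying on them.

```python
"""Added example: PSK lookup by identity pair, plus a check over the charon
log lines quoted in the thread. All names, keys and addresses are invented."""
import re
from dataclasses import dataclass


@dataclass
class Secret:
    selectors: list[str]  # identities the PSK is bound to; [] means any peer
    psk: str


def parse_secrets(text: str) -> list[Secret]:
    """Parse ipsec.secrets-style lines of the form  [<id> ...] : PSK "<key>"."""
    secrets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        lhs, _, rhs = line.partition(":")
        m = re.match(r'\s*PSK\s+"([^"]*)"', rhs)
        if m:
            secrets.append(Secret(lhs.split(), m.group(1)))
    return secrets


def id_matches(selector: str, ident: str) -> bool:
    """Plain string comparison of identities (assumption: a hostname selector
    is not resolved, so an IP identity never matches an FQDN selector)."""
    if selector == "%any":
        return True
    return selector.lstrip("@") == ident.lstrip("@")


def find_psk(secrets: list[Secret], me: str, other: str):
    """Return the PSK whose selectors cover both our identity and the peer's,
    preferring an entry bound to specific identities over a %any/unbound one."""
    def covers(s: Secret) -> bool:
        return not s.selectors or all(
            any(id_matches(sel, i) for sel in s.selectors) for i in (me, other))

    for want_specific in (True, False):
        for s in secrets:
            is_specific = bool(s.selectors) and "%any" not in s.selectors
            if is_specific == want_specific and covers(s):
                return s.psk
    return None


# Constructed secrets: one bound to the peer's (old) IP, one bound to its FQDN.
SECRETS_IP_BOUND = '''
@gw.example.net 85.24.240.1 : PSK "constructed-demo-key"
'''
SECRETS_FQDN_BOUND = '''
# requires rightid=@peer.dyndns.example on this side so the remote identity
# is the FQDN, not whatever right= resolved to at the time
@gw.example.net @peer.dyndns.example : PSK "constructed-demo-key"
'''

NO_KEY = re.compile(r"no shared key found for '([^']+)' - '\*?([^'*]+)\*?'")
SEND = re.compile(r"sending packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")


def diagnose(log: str) -> dict:
    """Compare the address IKE_SA_INIT was sent to with the remote identity
    used for the PSK lookup; a differing IP identity is a stale one."""
    send, nokey = SEND.search(log), NO_KEY.search(log)
    if not send or not nokey:
        return {"psk_lookup_failed": False}
    me, other = nokey.groups()
    return {
        "psk_lookup_failed": True,
        "local_id": me,
        "remote_id": other,
        "dst": send.group(2),
        "remote_id_is_ip": bool(re.fullmatch(r"[\d.x]+", other)),
        "stale_remote_id": other != send.group(2),
    }


# Constructed from the lines quoted in the thread (octets masked as in the post).
LOG_JUNE14 = """\
sending packet: from 94.254.123.x[500] to 85.24.242.x[500]
received packet: from 85.24.242.x[500] to 94.254.123.x[500]
authentication of 'hostname' (myself) with pre-shared key
no shared key found for 'hostname' - '*85.24.240.x*'
"""
LOG_JUNE19 = """\
sending packet: from 94.254.123.x[500] to 85.24.244.x[500]
received packet: from 85.24.244.x[500] to 94.254.123.x[500]
authentication of 'hostname' (myself) with pre-shared key
no shared key found for 'hostname' - '85.24.244.x'
"""

if __name__ == "__main__":
    print(diagnose(LOG_JUNE14))  # stale_remote_id True: sent to .242, id is .240
    print(diagnose(LOG_JUNE19))  # stale_remote_id False, but the id is an IP
    print(find_psk(parse_secrets(SECRETS_IP_BOUND), "gw.example.net", "85.24.244.7"))
    print(find_psk(parse_secrets(SECRETS_FQDN_BOUND), "gw.example.net", "peer.dyndns.example"))
```

Two things fall out of the model. First, the June 14 log has the failure the poster noticed: the packet went to 85.24.242.x but the identity charon tried to find a key for was 85.24.240.x, so the identity was not recomputed from the address the packet was actually sent to. Second, the June 19 log has no such mismatch and still fails, because the identity is an IP address and the secrets are evidently not bound to that IP. Binding the secret to %any would make the lookup succeed in both cases but also removes the check that the PSK is only offered to the intended peer; pinning the remote identity to the FQDN (and, on the Fortigate side, sending that FQDN as its local ID) keeps the binding without tying it to a changing address.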