[strongSwan] S2S VPN with dynamic DNS

Dusan Ilic dusan at comhem.se
Tue Jun 27 00:05:51 CEST 2017


Anyone...?
I had to reboot the remote Strongswan gateway a couple of hours later, 
then it came back up again.


On 2017-06-19 at 08:51, Dusan Ilic wrote:
>
> Yet again, the Fortigate router reconnected to Strongswan on its own 
> without manual intervention 12 minutes after the other side's public IP 
> changed... Strongswan won't connect even manually.
>
>
> On 2017-06-19 at 08:47, Dusan Ilic wrote:
>>
>> Okay, today it happened again, new IP on one end of the tunnel and 
>> updated in DNS. Pinging the new IP from both sides shows it resolves 
>> correctly, restarting Strongswan on both sides gives the same issue as 
>> before. (last time it started to work on the evening of the same day)
>>
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> sending packet: from 94.254.123.x[500] to 85.24.244.x[500]
>> received packet: from 85.24.244.x[500] to 94.254.123.x[500]
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
>> CERTREQ N(MULT_AUTH) ]
>> received 1 cert requests for an unknown ca
>> authentication of 'hostname' (myself) with pre-shared key
>> no shared key found for 'hostname' - '85.24.244.x'
>>
>> Why isn't it working?
>> What does the message "no shared key found for 'hostname' - 
>> '85.24.244.x'" mean?
>> This time the IP is correct and updated.
>>
>>
>> On 2017-06-14 at 15:23, Dusan Ilic wrote:
>>>
>>> Hi,
>>>
>>> I have a S2S IPsec tunnel setup that has problems now that one side 
>>> of the tunnel has been assigned a new public IP. The hostname used 
>>> was immediately updated by way of dynamic DNS, and the TTL 
>>> expired two hours ago. When trying to bring up the tunnel on the side 
>>> with the changed IP, Strongswan returns "received 
>>> AUTHENTICATION_FAILED notify error", and when trying to do the same 
>>> on the remote end the log looks like the following.
>>>
>>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>> sending packet: from 94.254.123.x[500] to 85.24.242.x[500]
>>> received packet: from 85.24.242.x[500] to 94.254.123.x[500]
>>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
>>> CERTREQ N(MULT_AUTH) ]
>>> received 1 cert requests for an unknown ca
>>> authentication of 'hostname' (myself) with pre-shared key
>>> no shared key found for 'hostname' - '*85.24.240.x*'
>>>
>>> Now as you can see the packets are sent to the correct host (the domain 
>>> is correctly resolved), however on the last line it's the old IP. 
>>> What's happening here? I have tried restarting Strongswan on both 
>>> hosts, but it doesn't help.
>>>
>>> This is the first time since I set up the tunnel with dynamic DNS 
>>> that one side of the tunnel has changed IP, how can I make either 
>>> side of the tunnel continue reconnecting until the hostname is 
>>> properly resolving again?
>>> I have another tunnel going to the same client, and it has 
>>> successfully reconnected after it picked up the new IP. The 
>>> client is a Fortigate router. So, how can I force Strongswan to retry?
>>>
>>
>
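The log line "no shared key found for 'hostname' - '85.24.244.x'" is strongSwan reporting that its PSK lookup, keyed by the local and remote IKE identities, found no secret for that pair, and the first log shows the remote identity still carrying the old address even though the packets go to the right host. The following added example (not strongSwan's code, and not from the thread) is a small model of that lookup. It assumes, as the ipsec.secrets man page describes, that a bare hostname used as a secret selector is resolved to an IP address when the secrets are loaded, while an `@hostname` selector is an FQDN identity compared as a string; the hostnames, addresses and the key `s3cret` are constructed placeholders.

```python
"""Toy model of strongSwan-style pre-shared-key (PSK) selection.

Added example, not strongSwan's code. It models one behaviour: a bare
hostname used as a secret selector is resolved to an IP address when the
secrets are loaded, so the PSK stays bound to the *old* address after the
peer's public IP changes, while an '@hostname' FQDN identity is compared as
a string and keeps matching (assumed to mirror ipsec.secrets behaviour).
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed resolver table; addresses are documentation placeholders.
DNS = {"peer.example.net": "198.51.100.10"}


def resolve(name: str) -> str:
    """Stand-in for gethostbyname(); returns the current DNS answer."""
    return DNS[name]


@dataclass
class Secret:
    ids: frozenset  # identity selectors; an empty set matches any peer
    key: bytes


@dataclass
class SecretStore:
    secrets: list = field(default_factory=list)

    def load_line(self, line: str) -> None:
        """Parse one '<sel> <sel> : PSK "value"' line (ipsec.secrets style).

        '@name' selectors are FQDN identities and are kept verbatim; numeric
        selectors are IP identities; anything else is a hostname and is
        resolved *now*, at load time (the assumed cause of the stale binding).
        """
        selectors, _, rhs = line.partition(":")
        kind, _, value = rhs.strip().partition(" ")
        if kind != "PSK":
            raise ValueError("only PSK lines are modelled")
        ids = set()
        for tok in selectors.split():
            if tok.startswith("@") or tok[0].isdigit():
                ids.add(tok)
            else:
                ids.add(resolve(tok))
        self.secrets.append(Secret(frozenset(ids), value.strip().strip('"').encode()))

    def lookup(self, me: str, other: str) -> Optional[bytes]:
        """Simplified best-match selection: the remote identity must match a
        selector (or the secret must have none); a secret that also names the
        local identity wins over one that does not."""
        best, best_score = None, -1
        for s in self.secrets:
            if s.ids and other not in s.ids:
                continue
            score = (1 if other in s.ids else 0) + (1 if me in s.ids else 0)
            if score > best_score:
                best, best_score = s.key, score
        return best


def scenario_hostname_selector() -> tuple:
    """PSK keyed by a bare hostname: works until the peer's IP changes."""
    DNS["peer.example.net"] = "198.51.100.10"
    store = SecretStore()
    store.load_line('@gw.example.net peer.example.net : PSK "s3cret"')
    before = store.lookup("@gw.example.net", resolve("peer.example.net"))
    # The peer gets a new public IP and dynamic DNS is updated, but the
    # secret store still holds the address resolved at load time.
    DNS["peer.example.net"] = "203.0.113.7"
    after = store.lookup("@gw.example.net", resolve("peer.example.net"))
    return before, after  # (b"s3cret", None): the "no shared key found" case


def scenario_fqdn_selector() -> tuple:
    """PSK keyed by '@peer.example.net': unaffected by the IP change, provided
    the peer sends that FQDN as its IKE identity (assumed configuration:
    rightid=@peer.example.net here and a matching leftid on the peer)."""
    DNS["peer.example.net"] = "198.51.100.10"
    store = SecretStore()
    store.load_line('@gw.example.net @peer.example.net : PSK "s3cret"')
    before = store.lookup("@gw.example.net", "@peer.example.net")
    DNS["peer.example.net"] = "203.0.113.7"
    after = store.lookup("@gw.example.net", "@peer.example.net")
    return before, after  # (b"s3cret", b"s3cret")


if __name__ == "__main__":
    print("hostname selector:", scenario_hostname_selector())
    print("FQDN selector:    ", scenario_fqdn_selector())
```

The model deliberately keeps the lookup independent of where packets are sent: the IKE_SA_INIT exchange can reach the new address while the secret is still indexed by the old one, which is exactly the split the first log shows. Reloading the secrets after a DNS change rebinds a hostname selector; an FQDN selector never needs it.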
