[strongSwan] Problem with static ip on Windows IKEv2
Noel Kuntze
noel at familie-kuntze.de
Wed Mar 8 00:32:57 CET 2017
Move the "auto=add" out of conn %default into each individual conn you actually need.
The way you're doing it makes no sense.
The proper way to do this is to use a static IP pool backed by an sqlite file or a MySQL server
and to assign the leases based on the identity there.
The proper way to do this is to
On 07.03.2017 21:56, Daniel wrote:
> Hi, I have a strongswan 5.3.5 on Ubuntu server. I use this VPN server to iOS devices and Windows 10 laptops.
>
> I will try to explain the problem:
>
> I have ipsec.secrets with user/password EAP auth ex:
>
>> # This file holds shared secrets or RSA private keys for authentication.
>>
>> # This is private key located at /etc/ipsec.d/private/
>> : RSA privkey.pem
>>
>> # VPN users
>> strike : EAP "12341234"
>> dottas : EAP "45645645"
>
> I have my ipsec.conf assign static ip config to users based on rightid:
>
>> config setup
>>     charondebug = ike 3, cfg 3
>>
>> conn %default
>>
>>     dpdaction=clear
>>     dpddelay=550s
>>     dpdtimeout=72000s
>>     keyexchange=ikev2
>>     auto=add
>>     rekey=no
>>     reauth=no
>>     fragmentation=yes
>>     compress=yes
>>
>>     # left - local (server) side
>>     leftcert=fullchain.pem  # Filename of certificate located at /etc/ipsec.d/certs/
>>     leftsendcert=always
>>     # Routes pushed to clients. If you don't have ipv6 then remove ::/0
>>     leftsubnet=0.0.0.0/0
>>
>>     # right - remote (client) side
>>     eap_identity=%identity
>>     # ipv4 subnets that assigns to clients.
>>     rightsourceip=10.8.0.0/24
>>     rightdns=8.8.8.8
>>
>> # Windows Auth CFG
>> conn ikev2-mschapv2
>>     rightauth=eap-mschapv2
>>
>> # Apple Auth CFG
>> conn ikev2-mschapv2-apple
>>     rightauth=eap-mschapv2
>>     leftid=mydomain.com
>>
>> # Static IP configs
>>
>> conn static-ip-for-strike
>>     also="ikev2-mschapv2-apple"
>>     right=%any
>>     rightid=strike
>>     rightsourceip=10.8.0.100/32
>>     auto=add
>>
>> conn static-ip-for-dottas
>>     also="ikev2-mschapv2"
>>     right=%any
>>     rightid=dottas
>>     rightsourceip=10.8.0.33/32
>>     auto=add
>
> All iOS clients connect fine and take static IP but Windows always gets an IP address from the DHCP pool. If I delete the rightsourceip=10.8.0.0/24 field, Windows doesn't receive any IP address and doesn't connect.
>
> Some log outputs:
>
> ipsec leases
>
>>
>> Leases in pool '10.8.0.0/24', usage: 0/254, 0 online
>> no matching leases found
>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>> no matching leases found
>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>> no matching leases found
>> ...
>
> journalctl -f -u strongswan
>
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any6
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] no virtual IP found for %any6 requested by 'dottas'
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] building INTERNAL_IP4_DNS attribute
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for us:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] 0.0.0.0/0
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for other:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] 10.8.0.1/32
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] candidate "ikev2-mschapv2" with prio 10+2
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] found matching child config "ikev2-mschapv2" with prio 12
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposal matches
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for us:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 0.0.0.0/0, received: ::/0 => no match
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for other:
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 10.8.0.1/32, received: 0.0.0.0/0 => match: 10.8.0.1/32
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 10.8.0.1/32, received: ::/0 => no match
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>> ...
>
> ipsec leases
>
>> Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
>> 10.8.0.1 online 'dottas'
>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>> no matching leases found
>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>> no matching leases found
>> ...
>
>
> Any idea to assign static ip address to windows clients?
>
> Thank you.
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
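What Noel's advice looks like in practice, as an added illustration that is not part of either poster's message: one identity-keyed pool served by the attr-sql plugin, `auto=add` only in the conns that are really loaded, and no per-user conns. The pool name `staticpool`, the sqlite path and the use of a single `%default` block are assumptions.

```conf
# /etc/strongswan.conf (excerpt). Both charon and the "ipsec pool" tool
# need the attr-sql plugin and a database URI. The path is an assumption;
# the schema is created from the sqlite template shipped with strongSwan.
charon {
    plugins {
        attr-sql {
            database = sqlite:///etc/ipsec.d/ipsec.db
        }
    }
}
pool {
    database = sqlite:///etc/ipsec.d/ipsec.db
}

# /etc/ipsec.conf (excerpt). Compared with the original posting:
#  - auto=add is gone from %default and set per conn,
#  - rightsourceip names the SQL pool (%<name>) instead of a subnet,
#  - the static-ip-for-* conns are dropped; the pool binds address to identity.
config setup
    charondebug = ike 3, cfg 3

conn %default
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=550s
    dpdtimeout=72000s
    rekey=no
    reauth=no
    fragmentation=yes
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    eap_identity=%identity
    rightauth=eap-mschapv2
    rightsourceip=%staticpool      # pool name in the database (assumed name)
    rightdns=8.8.8.8

# Windows clients
conn ikev2-mschapv2
    auto=add

# Apple clients
conn ikev2-mschapv2-apple
    leftid=mydomain.com
    auto=add
```

The pool itself is managed with the `ipsec pool` tool (see `ipsec pool --help` for the forms your build supports): `--add <name> --start <first> --end <last>` creates the pool, and `--add <name> --addresses <file>` loads addresses from a file in which an address may be followed by the identity it is reserved for (for example a line `10.8.0.33 dottas`); `ipsec pool --leases` then shows the reservation as a lease bound to that identity.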