[strongSwan] Problem with static ip on Windows IKEv2
Daniel
daniel at ghcrecemos.com
Thu Mar 9 11:58:32 CET 2017
Hi, I have uploaded my logs as you suggested (without the SQL database): the log from when strongSwan starts, an example of an iOS device connection, and a Windows device connection error.
strongswan_log_load.log -> https://paste.ee/p/GBEJ7
working_ios_connection.log -> https://paste.ee/p/cibrx
windows_cant_connnect.log -> https://paste.ee/p/AnTsJ
Thanks for your help.
> On 8 Mar 2017, at 14:22, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Logs, please.
>
> On 08.03.2017 08:49, Daniel wrote:
>>
>> I made the change (auto=add) and it still does not work. I'm going to try integrating the pools into SQLite and will let you know the result.
>>
>> Thank you
>>
>>> On 8 Mar 2017, at 0:32, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>
>>> Move the "auto=add" out of conn %default into each individual conn you actually need.
>>> The way you're doing it makes no sense.
>>> The proper way to do this is to use a static IP pool backed by an sqlite file or a MySQL server
>>> and to assign the leases based on the identity there.
>>>
>>> The proper way to do this is to
>>> On 07.03.2017 21:56, Daniel wrote:
>>>> Hi, I have strongSwan 5.3.5 on an Ubuntu server. I use this VPN server for iOS devices and Windows 10 laptops.
>>>>
>>>> I will try to explain the problem:
>>>>
>>>> I have an ipsec.secrets with user/password EAP auth, e.g.:
>>>>
>>>>> # This file holds shared secrets or RSA private keys for authentication.
>>>>>
>>>>> # This is private key located at /etc/ipsec.d/private/
>>>>> : RSA privkey.pem
>>>>>
>>>>> # VPN users
>>>>> strike : EAP "12341234"
>>>>> dottas : EAP "45645645"
>>>>
>>>> My ipsec.conf assigns a static IP config to users based on rightid:
>>>>
>>>>> config setup
>>>>>     charondebug = ike 3, cfg 3
>>>>>
>>>>> conn %default
>>>>>     dpdaction=clear
>>>>>     dpddelay=550s
>>>>>     dpdtimeout=72000s
>>>>>     keyexchange=ikev2
>>>>>     auto=add
>>>>>     rekey=no
>>>>>     reauth=no
>>>>>     fragmentation=yes
>>>>>     compress=yes
>>>>>
>>>>>     # left - local (server) side
>>>>>     leftcert=fullchain.pem    # Filename of certificate located at /etc/ipsec.d/certs/
>>>>>     leftsendcert=always
>>>>>     # Routes pushed to clients. If you don't have ipv6 then remove ::/0
>>>>>     leftsubnet=0.0.0.0/0
>>>>>
>>>>>     # right - remote (client) side
>>>>>     eap_identity=%identity
>>>>>     # ipv4 subnet assigned to clients.
>>>>>     rightsourceip=10.8.0.0/24
>>>>>     rightdns=8.8.8.8
>>>>>
>>>>> # Windows Auth CFG
>>>>> conn ikev2-mschapv2
>>>>>     rightauth=eap-mschapv2
>>>>>
>>>>> # Apple Auth CFG
>>>>> conn ikev2-mschapv2-apple
>>>>>     rightauth=eap-mschapv2
>>>>>     leftid=mydomain.com
>>>>>
>>>>> # Static IP configs
>>>>>
>>>>> conn static-ip-for-strike
>>>>>     also="ikev2-mschapv2-apple"
>>>>>     right=%any
>>>>>     rightid=strike
>>>>>     rightsourceip=10.8.0.100/32
>>>>>     auto=add
>>>>>
>>>>> conn static-ip-for-dottas
>>>>>     also="ikev2-mschapv2"
>>>>>     right=%any
>>>>>     rightid=dottas
>>>>>     rightsourceip=10.8.0.33/32
>>>>>     auto=add
>>>>
>>>> All iOS clients connect fine and get their static IP, but Windows always gets an IP address from the DHCP pool. If I delete the rightsourceip=10.8.0.0/24 field, Windows doesn't receive any IP address and doesn't connect.
>>>>
>>>> Some log outputs:
>>>>
>>>> ipsec leases
>>>>
>>>>>
>>>>> Leases in pool '10.8.0.0/24', usage: 0/254, 0 online
>>>>> no matching leases found
>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>> no matching leases found
>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>> no matching leases found
>>>>> ...
>>>>
>>>> journalctl -f -u strongswan
>>>>
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any6
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] no virtual IP found for %any6 requested by 'dottas'
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] building INTERNAL_IP4_DNS attribute
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for us:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] 0.0.0.0/0
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for other:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] 10.8.0.1/32
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] candidate "ikev2-mschapv2" with prio 10+2
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] found matching child config "ikev2-mschapv2" with prio 12
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] no acceptable ENCRYPTION_ALGORITHM found
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposal matches
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for us:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 0.0.0.0/0, received: ::/0 => no match
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for other:
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 10.8.0.1/32, received: 0.0.0.0/0 => match: 10.8.0.1/32
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] config: 10.8.0.1/32, received: ::/0 => no match
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>> ...
>>>>
>>>> ipsec leases
>>>>
>>>>> Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
>>>>> 10.8.0.1 online 'dottas'
>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>> no matching leases found
>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>> no matching leases found
>>>>> ...
>>>>
>>>>
>>>> Any idea how to assign a static IP address to Windows clients?
>>>>
>>>> Thank you.
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.strongswan.org
>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>
>>>
>>> --
>>>
>>> Mit freundlichen Grüßen/Kind Regards,
>>> Noel Kuntze
>>>
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>
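An added check for this thread, not code from strongSwan or from either poster: a small Python script that parses the `ipsec leases` output and the charon log lines quoted in the message, and reports which identities did not receive their intended static /32 and which conn charon actually selected for them. The expected mapping (strike -> 10.8.0.100, dottas -> 10.8.0.33) and the sample lines are taken from the posted ipsec.conf and logs; the regexes only cover the two output formats shown there, and nothing in the script talks to a running strongSwan.

```python
"""Check strongSwan lease assignments against intended static addresses.

Added example for this thread; it is not strongSwan code. It only parses
text in the formats shown in the post (`ipsec leases` and charon log lines).
"""
import ipaddress
import re

# Intended static assignments from the posted ipsec.conf (rightid -> rightsourceip).
EXPECTED_STATIC = {
    "strike": ipaddress.ip_address("10.8.0.100"),
    "dottas": ipaddress.ip_address("10.8.0.33"),
}

# `ipsec leases` output as quoted in the post, after the Windows client connected.
LEASES_OUTPUT = """\
Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
  10.8.0.1   online   'dottas'
Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
  no matching leases found
Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
  no matching leases found
"""

# charon log lines quoted in the post (journalctl -u strongswan).
CHARON_LOG = """\
Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
"""

POOL_RE = re.compile(r"Leases in pool '([^']+)', usage: (\d+)/(\d+), (\d+) online")
LEASE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(online|offline)\s+'([^']+)'")
IKE_SA_RE = re.compile(r"\[IKE\] IKE_SA (\S+)\[\d+\] state change: \S+ => ESTABLISHED")
ASSIGN_RE = re.compile(r"\[IKE\] assigning virtual IP (\S+) to peer '([^']+)'")
THREAD_RE = re.compile(r"charon\[\d+\]: (\d+)\[")


def parse_leases(text):
    """Map identity -> (address, pool network) from `ipsec leases` output."""
    leases = {}
    pool = None
    for line in text.splitlines():
        m = POOL_RE.search(line)
        if m:
            pool = ipaddress.ip_network(m.group(1))
            continue
        m = LEASE_RE.match(line)
        if m and pool is not None:
            leases[m.group(3)] = (ipaddress.ip_address(m.group(1)), pool)
    return leases


def parse_assignments(text):
    """Map peer identity -> (address, conn name) from charon log lines.

    The IKE_SA name in the ESTABLISHED line is the conn charon selected; the
    'assigning virtual IP' line that follows on the same worker thread names
    the peer. Thread ids (the '12' in '12[IKE]') are tracked so interleaved
    peers are not mixed up.
    """
    current_conn = {}   # thread id -> conn name
    assigned = {}
    for line in text.splitlines():
        t = THREAD_RE.search(line)
        tid = t.group(1) if t else "?"
        m = IKE_SA_RE.search(line)
        if m:
            current_conn[tid] = m.group(1)
            continue
        m = ASSIGN_RE.search(line)
        if m:
            addr, peer = m.groups()
            assigned[peer] = (ipaddress.ip_address(addr), current_conn.get(tid))
    return assigned


def check_static(leases, expected=EXPECTED_STATIC):
    """Return (identity, got, wanted, pool) for each identity whose lease is
    not the intended address from a /32 pool; identities with no lease are skipped."""
    problems = []
    for ident, wanted in expected.items():
        if ident not in leases:
            continue
        got, pool = leases[ident]
        if got != wanted or pool.prefixlen != 32:
            problems.append((ident, str(got), str(wanted), str(pool)))
    return problems


if __name__ == "__main__":
    assigned = parse_assignments(CHARON_LOG)
    for ident, got, wanted, pool in check_static(parse_leases(LEASES_OUTPUT)):
        conn = assigned.get(ident, (None, None))[1]
        print(f"{ident}: got {got} from pool {pool} via conn {conn!r}, expected {wanted}")
```

Run against the quoted output it reports `dottas: got 10.8.0.1 from pool 10.8.0.0/24 via conn 'ikev2-mschapv2', expected 10.8.0.33`, which is exactly the symptom in the post: the lease came from the catch-all /24 of conn ikev2-mschapv2, not from the static-ip-for-dottas /32. Feeding it the `ipsec leases` output after an iOS login should produce no lines.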