[strongSwan] Problem with static ip on Windows IKEv2

Noel Kuntze noel at familie-kuntze.de
Sun Mar 12 01:23:13 CET 2017


On 11.03.2017 00:05, Daniel wrote:
> I have continued testing and I can set the IP address manually on Windows, but the server assigns any address from the DHCP pool
> 
> Mar 11 00:04:25 900333e2e8f1 charon[29393]: 12[IKE] peer requested virtual IP 10.8.0.112
> Mar 11 00:04:25 900333e2e8f1 charon[29393]: 12[CFG] assigning new lease to 'dottas'
> Mar 11 00:04:25 900333e2e8f1 charon[29393]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'

That's not DHCP.

> 
> Is it possible to force the use of the requested virtual IP?

As I wrote, use an SQL-backed IP pool. See the documentation about `ipsec pool`[1].

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPool

> 
> Thanks
> 
>> On 10 Mar 2017, at 8:46, Daniel <daniel at ghcrecemos.com> wrote:
>>
>>>
>>> On 9 Mar 2017, at 12:16, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>
>>> iOS:
>>>> Mar 09 11:38:08 900333e2e8f1 charon[18975]: 12[ENC] parsed INFORMATIONAL request 6 [ D ]
>>>
>>> Unrelated to virtual IPs. Check the log on iOS for information. Maybe iOS doesn't trust certificates that are issued by Let's Encrypt for IPsec?
>>>
>>> windows:
>>>
>>>> Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] looking for peer configs matching 176.31.13.185[%any]...79.153.142.222[192.168.222.130]
>>>> Mar 09 11:50:29 900333e2e8f1 charon[18975]: 13[CFG] no matching peer config found
>>>
>>> It's because the ID "192.168.222.130" is not configured in either of your two conns, where the IDs are specified.
>>> Don't specify the IDs. Just use a conn for your roadwarriors and add a pool with the leases you need.
>>>
>>> You can't make this work for Windows (or Mac OSX) with static IDs, because those hosts send their LAN IP as initiator IDs
>>> by default and they're hence unpredictable and unrelated to their actual usernames that are used during EAP authentication.
>>
>> Would it be possible if I created a single certificate for each Windows?
>>
>>> On 09.03.2017 11:58, Daniel wrote:
>>>> Hi, I have uploaded my logs with your considerations (without SQL database): when strongSwan starts, an example of an iOS device connection, and a Windows device connection error.
>>>>
>>>> strongswan_log_load.log -> https://paste.ee/p/GBEJ7
>>>> working_ios_connection.log -> https://paste.ee/p/cibrx
>>>> windows_cant_connnect.log -> https://paste.ee/p/AnTsJ
>>>>
>>>> Thanks for your help.
>>>>
>>>>> On 8 Mar 2017, at 14:22, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>>>
>>>>> Logs, please.
>>>>>
>>>>> On 08.03.2017 08:49, Daniel wrote:
>>>>>>
>>>>>> I made the change (auto=add) and it still does not work. I'm going to try integrating pools into SQLite and tell you the result.
>>>>>>
>>>>>> Thank you
>>>>>>
>>>>>>> On 8 Mar 2017, at 0:32, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>>>>>
>>>>>>> Move the "auto=add" out of conn %default into each individual conn you actually need.
>>>>>>> The way you're doing it makes no sense.
>>>>>>> The proper way to do this is to use a static IP pool backed by an sqlite file or a MySQL server
>>>>>>> and to assign the leases based on the identity there.
>>>>>>>
>>>>>>> The proper way to do this is to 
>>>>>>> On 07.03.2017 21:56, Daniel wrote:
>>>>>>>> Hi, I have strongSwan 5.3.5 on an Ubuntu server. I use this VPN server for iOS devices and Windows 10 laptops.
>>>>>>>>
>>>>>>>> I will try to explain the problem:
>>>>>>>>
>>>>>>>> I have ipsec.secrets with user/password EAP auth, e.g.:
>>>>>>>>
>>>>>>>>> # This file holds shared secrets or RSA private keys for authentication.
>>>>>>>>>
>>>>>>>>> # This is private key located at /etc/ipsec.d/private/
>>>>>>>>> : RSA privkey.pem
>>>>>>>>>
>>>>>>>>> # VPN users
>>>>>>>>> strike : EAP "12341234"
>>>>>>>>> dottas : EAP "45645645"
>>>>>>>>
>>>>>>>> My ipsec.conf assigns a static IP config to users based on rightid:
>>>>>>>>
>>>>>>>>> config setup
>>>>>>>>>  charondebug = ike 3, cfg 3
>>>>>>>>>
>>>>>>>>> conn %default
>>>>>>>>>
>>>>>>>>>  dpdaction=clear
>>>>>>>>>  dpddelay=550s
>>>>>>>>>  dpdtimeout=72000s
>>>>>>>>>  keyexchange=ikev2
>>>>>>>>>  auto=add
>>>>>>>>>  rekey=no
>>>>>>>>>  reauth=no
>>>>>>>>>  fragmentation=yes
>>>>>>>>>  compress=yes
>>>>>>>>>
>>>>>>>>>  # left - local (server) side
>>>>>>>>>  # Filename of certificate located at /etc/ipsec.d/certs/
>>>>>>>>>  leftcert=fullchain.pem
>>>>>>>>>  leftsendcert=always
>>>>>>>>>  # Routes pushed to clients. If you don't have ipv6 then remove ::/0
>>>>>>>>>  leftsubnet=0.0.0.0/0
>>>>>>>>>
>>>>>>>>>  # right - remote (client) side
>>>>>>>>>  eap_identity=%identity
>>>>>>>>>  # IPv4 subnet assigned to clients.
>>>>>>>>>  rightsourceip=10.8.0.0/24
>>>>>>>>>  rightdns=8.8.8.8
>>>>>>>>>
>>>>>>>>> # Windows Auth CFG
>>>>>>>>> conn ikev2-mschapv2
>>>>>>>>>  rightauth=eap-mschapv2
>>>>>>>>>
>>>>>>>>> # Apple Auth CFG
>>>>>>>>> conn ikev2-mschapv2-apple
>>>>>>>>>  rightauth=eap-mschapv2
>>>>>>>>>  leftid=mydomain.com
>>>>>>>>>
>>>>>>>>> # Static IP configs
>>>>>>>>>
>>>>>>>>> conn static-ip-for-strike
>>>>>>>>>  also="ikev2-mschapv2-apple"
>>>>>>>>>  right=%any
>>>>>>>>>  rightid=strike
>>>>>>>>>  rightsourceip=10.8.0.100/32
>>>>>>>>>  auto=add
>>>>>>>>>
>>>>>>>>> conn static-ip-for-dottas
>>>>>>>>>  also="ikev2-mschapv2"
>>>>>>>>>  right=%any
>>>>>>>>>  rightid=dottas
>>>>>>>>>  rightsourceip=10.8.0.33/32
>>>>>>>>>  auto=add
>>>>>>>>
>>>>>>>> All iOS clients connect fine and take the static IP, but Windows always gets an IP address from the DHCP pool. If I delete the rightsourceip=10.8.0.0/24 field, Windows doesn't receive any IP address and doesn't connect.
>>>>>>>>
>>>>>>>> Some log outputs:
>>>>>>>>
>>>>>>>> ipsec leases
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Leases in pool '10.8.0.0/24', usage: 0/254, 0 online
>>>>>>>>> no matching leases found
>>>>>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>>>>>> no matching leases found
>>>>>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>>>>>> no matching leases found
>>>>>>>>> ...
>>>>>>>>
>>>>>>>> journalctl -f -u strongswan
>>>>>>>>
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] IKE_SA ikev2-mschapv2[1] state change: CONNECTING => ESTABLISHED
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] assigning new lease to 'dottas'
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'dottas'
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] peer requested virtual IP %any6
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] no virtual IP found for %any6 requested by 'dottas'
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] building INTERNAL_IP4_DNS attribute
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for us:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  0.0.0.0/0
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] proposing traffic selectors for other:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  10.8.0.1/32
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   candidate "ikev2-mschapv2" with prio 10+2
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] found matching child config "ikev2-mschapv2" with prio 12
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting proposal:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]   proposal matches
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for us:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG] selecting traffic selectors for other:
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: 0.0.0.0/0 => match: 10.8.0.1/32
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[CFG]  config: 10.8.0.1/32, received: ::/0 => no match
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[IKE] CHILD_SA ikev2-mschapv2{1} established with SPIs ccd1079d_i 9a38f558_o and TS 0.0.0.0/0 === 10.8.0.1/32
>>>>>>>>> Mar 07 21:53:29 900333e2e8f1 charon[5111]: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
>>>>>>>>> ...
>>>>>>>>
>>>>>>>> ipsec leases
>>>>>>>>
>>>>>>>>> Leases in pool '10.8.0.0/24', usage: 1/254, 0 online
>>>>>>>>>       10.8.0.1   online   'dottas'
>>>>>>>>> Leases in pool '10.8.0.33/32', usage: 0/1, 0 online
>>>>>>>>> no matching leases found
>>>>>>>>> Leases in pool '10.8.0.100/32', usage: 0/1, 0 online
>>>>>>>>> no matching leases found
>>>>>>>>> ...
>>>>>>>>
>>>>>>>>
>>>>>>>> Any idea how to assign a static IP address to Windows clients?
>>>>>>>>
>>>>>>>> Thank you.
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Users mailing list
>>>>>>>> Users at lists.strongswan.org
>>>>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>>
>>>>>>> Mit freundlichen Grüßen/Kind Regards,
>>>>>>> Noel Kuntze
>>>>>>>
>>>>>>> GPG Key ID: 0x63EC6658
>>>>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
> 
> 

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
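The mismatch this thread circles around, as an added example that is not part of the thread or of strongSwan: a small Python model of charon's peer-config selection by IKE identity, next to a pool that binds addresses to the authenticated EAP identity instead. The conn names, the 10.8.0.0/24 range, the usernames and the Windows IKE ID 192.168.222.130 come from the messages above; that the iOS client sends its username as IKE identity is an assumption, and the `IdentityPool` class is a toy stand-in for strongSwan's SQL-backed pool, not its API.

```python
# Added example, not from the thread or from strongSwan: a toy model of
# charon's peer-config selection by IKE identity, and of a pool that binds
# addresses to the authenticated EAP identity instead. Names, ranges and the
# Windows IKE ID 192.168.222.130 come from the thread; the pool API is assumed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Conn:
    name: str
    rightid: Optional[str]   # None stands for rightid=%any
    pool: str                # key into the pool table below


def select_conn(conns: List[Conn], ike_id: str) -> Optional[Conn]:
    """Pick the conn for a peer: an exact rightid match beats a %any conn.

    This is the step that fails for Windows: it sends its LAN address as the
    IKE identity, so a conn with rightid=<username> can never match it.
    """
    for conn in conns:
        if conn.rightid == ike_id:
            return conn
    for conn in conns:
        if conn.rightid is None:
            return conn
    return None


class IdentityPool:
    """Toy pool: addresses may be pre-bound to an identity (the SQL pool's idea)."""

    def __init__(self, addresses: List[str], static: Optional[Dict[str, str]] = None):
        self.addresses = addresses
        self.static = dict(static or {})      # identity -> fixed address
        self.leases: Dict[str, str] = {}      # identity -> address in use

    def acquire(self, identity: str) -> str:
        """Hand the same address back to a returning identity; fixed bindings first."""
        if identity in self.leases:
            return self.leases[identity]
        if identity in self.static:
            addr = self.static[identity]
        else:
            taken = set(self.leases.values()) | set(self.static.values())
            addr = next((a for a in self.addresses if a not in taken), None)
            if addr is None:
                raise RuntimeError("pool exhausted")
        self.leases[identity] = addr
        return addr


def connect(conns: List[Conn], pools: Dict[str, IdentityPool],
            ike_id: str, eap_identity: str) -> Tuple[str, str]:
    """One IKE_AUTH: pick the conn by IKE ID, then lease by EAP identity."""
    conn = select_conn(conns, ike_id)
    if conn is None:
        raise LookupError("no matching peer config found")
    return conn.name, pools[conn.pool].acquire(eap_identity)


def demo_rightid_conns() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """The thread's original setup: a per-user conn keyed by rightid plus a /24 catch-all."""
    conns = [
        Conn("static-ip-for-dottas", "dottas", "10.8.0.33/32"),
        Conn("ikev2-mschapv2", None, "10.8.0.0/24"),
    ]
    pools = {
        "10.8.0.33/32": IdentityPool(["10.8.0.33"]),
        "10.8.0.0/24": IdentityPool(["10.8.0.%d" % i for i in range(1, 255)]),
    }
    # Assumed: the iOS client sends its username as IKE identity, so rightid matches.
    ios = connect(conns, pools, "dottas", "dottas")
    # From the log: Windows sends its LAN IP as IKE identity, so only the catch-all matches.
    windows = connect(conns, pools, "192.168.222.130", "dottas")
    return ios, windows


def demo_identity_pool() -> Tuple[Tuple[str, str], Tuple[str, str], Tuple[str, str]]:
    """The suggested fix: one roadwarrior conn and a pool that binds addresses to EAP identities."""
    conns = [Conn("ikev2-mschapv2", None, "rw-pool")]
    pools = {
        "rw-pool": IdentityPool(
            ["10.8.0.%d" % i for i in range(1, 255)],
            static={"dottas": "10.8.0.33", "strike": "10.8.0.100"},
        )
    }
    windows = connect(conns, pools, "192.168.222.130", "dottas")
    windows_again = connect(conns, pools, "192.168.222.130", "dottas")
    unknown = connect(conns, pools, "192.168.0.7", "guest")  # no binding: first free address
    return windows, windows_again, unknown


if __name__ == "__main__":
    print("rightid conns :", demo_rightid_conns())
    print("identity pool :", demo_identity_pool())
```

The model makes two points a practitioner should carry into the real configuration. First, the IKE identity (what `rightid` is matched against) and the EAP identity (what the lease is recorded under, as in `assigning new lease to 'dottas'`) are different things for a Windows client, so a lease bound to the EAP identity in the SQL pool database works where a per-user conn cannot. Second, a `%any` catch-all conn silently absorbs any client whose IKE ID matches no per-user conn, which is exactly what the `ipsec leases` output in the thread shows: the /32 pools stay empty while the /24 pool hands out 10.8.0.1.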

