[strongSwan] Rightid different to right problem.
noel.kuntze+strongswan-users-ml at thermi.consulting
Fri May 26 16:45:03 CEST 2017
On 26.05.2017 07:49, Jordi Casanellas wrote:
> The problem I have is that the client has virtual vpbox with Movistar.
> In the 3 vpn the "rightid" is the same to sign
What is "vpbox" and "Movistar"?
rightid from whose perspective? For IPsec VPNs to work correctly, remote peers have to have distinct IDs.
> So to be able to lift the vpn I need to sign with a different ip than the
> one assigned.
How do you mean that? Which is assigned? Sign what? Do you mean to write "Sign in"?
> Currently I have it working in this way from the Cisco to the provider
> But I want to pass it on to strongswan
> In the file configuration file.conf is the following:
> ---START CONFIG ---
> config setup
> conn client
> left=220.127.116.11
> leftsubnet=192.168.100.0/24
> leftid=22.214.171.124
> rightid=188.8.131.52 (is necessary for sign)
> rightsubnet=192.168.202.0/24
That cipher suite is deprecated and insecure.
From the SecurityRecommendations page:
> Because of the attack called SWEET32 <https://sweet32.info/>, 3DES and BLOWFISH are now considered insecure.
> Use AES instead. 3DES and BLOWFISH use a block size of 64 bits. That enables birthday attacks on the encrypted data packets.
> AES uses a block size of 128 bits, which is secure.
> ----- END CONFIG ----
> I'm testing with rightid=%any and it's not working.
> I'm testing with rightid the same as the right parameter: it's working, but
> traffic does not pass and the tunnel is not up.
> I found this plugin duplicheck
> https://wiki.strongswan.org/projects/strongswan/wiki/Duplicheck#Behavior
> But I need to sign the VPN with another IP.
> ----ERROR Syslog ---
> May 25 18:36:22 CL2017032010001 charon: 10[ENC] parsed INFORMATIONAL_V1
> request 2895156184 [ HASH N((24576)) ]
> May 25 18:36:22 CL2017032010001 charon: 10[IKE] received (24576) notify
> May 25 18:36:22 CL2017032010001 charon: 11[NET] received packet: from
> xx.xx.xxx.xx to xx.xx.xx.xx (356 bytes)
> May 25 18:36:22 CL2017032010001 charon: 11[ENC] parsed INFORMATIONAL_V1
> request 1735012586 [ HASH N(INVAL_ID) ]
> May 25 18:36:22 CL2017032010001 charon: 11[IKE] received
> INVALID_ID_INFORMATION error notify
That means that the remote peer didn't like the left- and rightsubnet settings.
Read the logs of the remote peer. There is no more knowledge to gain in reading charon's logs.
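As an added illustration (not configuration from either participant in this thread), the ipsec.conf fragment below shows the two points raised above: rightid set explicitly to a value that differs from the peer address in right=, and an AES proposal in place of a 3DES one. All addresses are constructed placeholders from the RFC 5737 documentation ranges, and the subnets are the ones quoted in the thread.

```ini
# Added example, not from the thread. Addresses are constructed placeholders.
config setup

conn client
    keyexchange=ikev1
    authby=secret
    left=192.0.2.10                 # our own address (placeholder)
    leftsubnet=192.168.100.0/24     # our protected network
    leftid=192.0.2.10               # ID we present; the peer's rightid must match it
    right=198.51.100.1              # address IKE packets are sent to (placeholder)
    rightid=203.0.113.5             # ID the peer must present; need not equal right= (placeholder)
    rightsubnet=192.168.202.0/24    # peer's protected network; must match the peer's leftsubnet exactly
    # Deprecated 64-bit block cipher, vulnerable to SWEET32 - keep disabled:
    #ike=3des-sha1-modp1024!
    #esp=3des-sha1!
    # 128-bit block cipher with a stronger hash and DH group:
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    auto=start
```

Two caveats when adapting this: both peers must agree on the subnet pair, since in IKEv1 a mismatch between the quick mode selectors is exactly what produces the INVALID_ID_INFORMATION notify seen in the log; and with IKEv1 main mode and authby=secret, strongSwan selects the PSK before the peer's ID payload is available, so the ipsec.secrets entry is indexed by the addresses in left= and right=, not by the IDs.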