[strongSwan] INTERNAL_ADDRESS_FAILURE on StrongSwan Windows Server

Ling Wyh lwyh at protonmail.ch
Sat Dec 22 15:34:03 CET 2018


That takes me one step further, thank you. The IPv4 address pool loads. The client authenticates okay. Then an error occurs, "installing route for policy 0.0.0.0/0 === 10.9.0.1/32 failed."

The intention in this scenario is that the client should connect to the entire Internet via the StrongSwan Windows server. StrongSwan version is 5.7.1, and Windows Server is version 2016.

The file swanctl.conf looks like this:

connections {
    ikev2-eap-mschapv2 {
        version = 2
        proposals = aes256-sha256-modp2048,aes256-sha256-modp1536,aes128-sha1-modp1024,default
        rekey_time = 0s
        pools = primary_pool_ipv4
        fragmentation = yes
        dpd_delay = 30s
        local {
            certs = server.crt
            id = vpn.example.org
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            ikev2-eap-mschapv2 {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes256-sha256,aes256-sha1,aes128-sha1,default
            }
        }
    }
}
pools {
    primary_pool_ipv4 {
        addrs = 10.9.0.0/24
        dns = 1.1.1.1, 1.0.0.1
    }
}
secrets {
    eap-xxxx {
        id = xxxx
        secret = "yyyyyyyy"
    }
}

Is that "local_ts = 0.0.0.0/0" not correct for this scenario?

The StrongSwan Windows Server log looks like this:

03[NET] received packet: from 11.22.33.44[49972] to 55.66.77.88[4500] (112 bytes)
03[ENC] parsed IKE_AUTH request 5 [ AUTH ]
03[IKE] authentication of 'xxxx' with EAP successful
03[IKE] authentication of 'vpn.example.org' (myself) with EAP
03[IKE] IKE_SA ikev2-eap-mschapv2[4] established between 55.66.77.88[vpn.example.org]...11.22.33.44[xxxx]
03[IKE] peer requested virtual IP %any
03[CFG] assigning new lease to 'xxxx'
03[IKE] assigning virtual IP 10.9.0.1 to peer 'xxxx'
03[IKE] peer requested virtual IP %any6
03[IKE] no virtual IP found for %any6 requested by 'xxxx'
03[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
03[KNL] installing route for policy 0.0.0.0/0 === 10.9.0.1/32 failed
03[KNL] setting WFP SA SPI failed: 0x80320035
03[IKE] unable to install IPsec policies (SPD) in kernel
03[IKE] failed to establish CHILD_SA, keeping IKE_SA



On Fri, Dec 21, 2018 at 2:31 AM, Tobias Brunner <tobias at strongswan.org> wrote:

> Hi,
>
>> This produces an error INTERNAL_ADDRESS_FAILURE (identities anonymized):
>> ...
>> Do you know what I need to correct to prevent this error?
>
> Did you load the address pool with swanctl --load-pools? (Using
> --load-all also works.) Check with --list-pools if the pool is loaded.
>
> Regards,
> Tobias