[strongSwan] Not Able to Connect

Info infosec at quantum-equities.com
Thu Mar 29 18:57:52 CEST 2018


True.  Although I infer that 'pools' might be address pools (as with
DHCP), I can find no evidence of this.  And I now notice the 'pools'
definition further down.

But I'd like this VPN to be 'transparent'.  IOW I'd like my remote
machines and LAN members to use the same IP as they do in the LAN.  If
possible I'd like to avoid virtual IPs.  Is there any way to do this?

And I gather that in the IPSec gateway for the LAN, I can define
different definitions for different remote machines, but I can't work
out how this would be structured with swanctl.  I'd actually prefer to
keep the same definition for all remote initiators, but things may not
always work out like we want.

Side question:  I'm also in the process of transitioning the LAN to
IPv6.  As my ISP will not foreseeably have IPv6 (Frontier Comm) I'll
need to use a tunnel broker.  Will this be a problem with strongSwan,
and can the Android app do IPv6?


On 03/28/2018 02:35 PM, Andreas Steffen wrote:
> The connection setup now gets very far but finally fails because
> the pools defined by
>
>  pools = primary-pool-ipv4, primary-pool-ipv6
>
> don't seem to be defined (have you added a pools section in swanctl.conf?)
> and therefore no virtual IP can be allocated to the initiator
>
> Wed, 2018-03-28 08:31 15[IKE] <ikev2-pubkey|1>
>   peer requested virtual IP %any
>   no virtual IP found for %any requested by 'C=US, O=Quantum
> CN=aries.darkmatter.org'
>   peer requested virtual IP %any6
>   no virtual IP found for %any6 requested by 'C=US, O=Quantum
> CN=aries.darkmatter.org'
>   no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
>
> Regards
>
> Andreas
>
> On 28.03.2018 17:37, Info wrote:
>> I have no way of interpreting the syntax of these proposals as there's
>> no definitive description.  Maybe '-' separates different options in a
>> category and ',' separates categories?  But it also doesn't explain
>> "classic and combined-mode algos" nor not to mix them.  I can't know
>> these things by instinct.
>>
>> Something else is wrong with the example.  I copied it -exactly- (except
>> I used your esp_proposals), and the error log is attached.
>>
>>
>>
>> On 03/28/2018 02:21 AM, Andreas Steffen wrote:
>>> Hi,
>>>
>>> as your log explicitly says:
>>>
>>>> Tue, 2018-03-27 15:13 15[CFG] classic and combined-mode (AEAD)
>>>> encryption algorithms can't be contained in the same IKE proposal
>>> Thus instead of
>>>
>>> esp_proposals =
>>>> aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
>>> you must define
>>>
>>> esp_proposals =
>>>   aes192gcm16-aes128gcm16-ecp256,aes192-sha256-ecp256-modp3072,default
>>>
>>> Regards
>>>
>>> Andreas
>>>
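
To make the proposal rules from the exchange above concrete (',' separates alternative proposals, '-' separates the algorithms inside one proposal, and one proposal must not mix combined-mode (AEAD) ciphers with classic ciphers), here is a small checker added as an example; it is not part of this thread or of strongSwan, and its keyword patterns are an assumption that covers only a subset of the algorithm names swanctl accepts.

```python
import re

# Assumption: these patterns cover only the strongSwan keywords needed for
# this thread (AES-GCM/CCM and ChaCha20-Poly1305 as AEAD, AES/3DES/Camellia
# as classic ciphers, SHA/MD5/XCBC/CMAC as integrity, MODP/ECP/Curve as DH).
AEAD_RE = re.compile(r"^(aes\d{3}(gcm|ccm)(8|12|16)|chacha20poly1305)$")
CLASSIC_RE = re.compile(r"^(aes\d{3}(cbc|ctr)?|3des|camellia\d{3}(cbc|ctr)?|null)$")
INTEG_RE = re.compile(r"^(sha1|sha\d{3}|md5|aesxcbc|aescmac)$")
DH_RE = re.compile(r"^(modp\d{4}|ecp\d{3}(bp)?|curve25519|curve448)$")


def classify(token):
    """Map one '-'-separated keyword to its algorithm class."""
    if AEAD_RE.match(token):
        return "aead"
    if CLASSIC_RE.match(token):
        return "cipher"
    if INTEG_RE.match(token):
        return "integ"
    if DH_RE.match(token):
        return "dh"
    return "default" if token == "default" else "unknown"


def parse_proposals(value):
    """',' separates alternative proposals; '-' separates algorithms in one."""
    return [p.strip().split("-") for p in value.split(",") if p.strip()]


def lint_proposals(value):
    """Return (proposal, problem) pairs; an empty list means no rule is broken."""
    problems = []
    for algs in parse_proposals(value):
        classes = {a: classify(a) for a in algs}
        text = "-".join(algs)
        unknown = [a for a, c in classes.items() if c == "unknown"]
        if unknown:
            problems.append((text, "unknown keyword(s): " + ", ".join(unknown)))
        # The rule the daemon logged: AEAD and classic ciphers cannot share a proposal.
        if "aead" in classes.values() and "cipher" in classes.values():
            problems.append((text, "mixes AEAD and classic encryption algorithms"))
    return problems


if __name__ == "__main__":
    # Constructed input: the rejected value and the corrected one from the thread.
    for v in ("aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default",
              "aes192gcm16-aes128gcm16-ecp256,aes192-sha256-ecp256-modp3072,default"):
        print(v, "->", lint_proposals(v) or "ok")
```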
