[strongSwan] Not Able to Connect

Andreas Steffen andreas.steffen at strongswan.org
Thu Mar 29 19:21:58 CEST 2018


Hi,

yes you can fully integrate a remote host into a LAN by using the
farp and dhcp plugins on the VPN gateway so that the gateway
acts as an ARP proxy for the remote clients. Have a look at the
following example scenario based on swanctl:

  https://www.strongswan.org/testing/testresults/swanctl/dhcp-dynamic/

In swanctl.conf

  https://www.strongswan.org/testing/testresults/swanctl/dhcp-dynamic/moon.swanctl.conf

use pools = dhcp and in strongswan.conf

  https://www.strongswan.org/testing/testresults/swanctl/dhcp-dynamic/moon.strongswan.conf

define the DHCP server to be used.

Regards

Andreas

On 29.03.2018 18:57, Info wrote:
> True.  Although I infer that 'pools' might be address pools (as with
> DHCP), I can find no evidence of this.  And I now notice the 'pools'
> definition further down.
> 
> But I'd like this VPN to be 'transparent'.  IOW I'd like my remote
> machines and LAN members to use the same IP as they do in the LAN.  If
> possible I'd like to avoid virtual IPs.  Is there any way to do this?
> 
> And I gather that in the IPSec gateway for the LAN, I can define
> different definitions for different remote machines, but I can't work
> out how this would be structured with swanctl.  I'd actually prefer to
> keep the same definition for all remote initiators, but things may not
> always work out like we want.
> 
> Side question:  I'm also in the process of transitioning the LAN to
> IPV6.  As my ISP will not foreseeably have IPV6 (Frontier Comm)  I'll
> need to use a tunnel broker.  Will this be a problem with Strongswan,
> and can the Android app do IPV6?
> 
> 
> On 03/28/2018 02:35 PM, Andreas Steffen wrote:
>> The connection setup gets now very far but finally fails because
>> the pools defined by
>>
>>  pools = primary-pool-ipv4, primary-pool-ipv6
>>
>> don't seem to be defined (have you added a pools section in swanctl.conf?)
>> and therefore no virtual IP can be allocated to the initiator
>>
>> Wed, 2018-03-28 08:31 15[IKE] <ikev2-pubkey|1>
>>   peer requested virtual IP %any
>>   no virtual IP found for %any requested by 'C=US, O=Quantum
>> CN=aries.darkmatter.org'
>>   peer requested virtual IP %any6
>>   no virtual IP found for %any6 requested by 'C=US, O=Quantum
>> CN=aries.darkmatter.org'
>>   no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
>>
>> Regards
>>
>> Andreas
>>
>> On 28.03.2018 17:37, Info wrote:
>>> I have no way of interpreting the syntax of these proposals as there's
>>> no definitive description.  Maybe '-' separates different options in a
>>> category and ',' separates categories?  But it also doesn't explain
>>> "classic and combined-mode algos" nor not to mix them.  I can't know
>>> these things by instinct.
>>>
>>> Something else is wrong with the example.  I copied it -exactly- (except
>>> I used your esp_proposals), and the error log is attached.
>>>
>>>
>>>
>>> On 03/28/2018 02:21 AM, Andreas Steffen wrote:
>>>> Hi,
>>>>
>>>> as your log explicitly says:
>>>>
>>>>> Tue, 2018-03-27 15:13 15[CFG] classic and combined-mode (AEAD)
>>>>> encryption algorithms can't be contained in the same IKE proposal
>>>> Thus instead of
>>>>
>>>> esp_proposals =
>>>>> aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
>>>> you must define
>>>>
>>>> esp_proposals =
>>>>   aes192gcm16-aes128gcm16-ecp256,aes192-sha256-ecp256-modp3072,default
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
> 

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
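The proposal syntax Info asks about, and the rule Andreas quotes from the log, as an added Python check that is not part of this thread and not strongSwan's own code: ',' separates alternative proposals offered to the peer, '-' separates the algorithms within one proposal, and a single proposal must not mix AEAD ciphers with classic ones. The keyword tables are an assumed subset of strongSwan's keywords, enough for the strings in this thread.

```python
import re

# Keyword classes recognised by this check. These are an assumed subset of
# strongSwan's proposal keywords, sufficient for the strings in this thread.
AEAD_RE = re.compile(r"^(aes\d{3}(gcm|ccm)\d+|chacha20poly1305)$")
CLASSIC_RE = re.compile(r"^(aes\d{3}(ctr)?|3des|null)$")
INTEGRITY_RE = re.compile(r"^(sha1|sha256|sha384|sha512|md5|aesxcbc|aescmac)$")
DH_RE = re.compile(r"^(modp\d+|ecp\d+|x25519|x448|curve25519)$")

MIXED_MSG = ("classic and combined-mode (AEAD) encryption algorithms "
             "can't be contained in the same proposal")


def classify(token):
    """Map one '-'-separated keyword to its algorithm class."""
    for kind, pattern in (("aead", AEAD_RE), ("classic", CLASSIC_RE),
                          ("integ", INTEGRITY_RE), ("dh", DH_RE)):
        if pattern.match(token):
            return kind
    return "unknown"


def check_proposals(spec):
    """Return [(proposal, problem), ...] for a swanctl proposals string.

    ',' separates alternative proposals offered to the peer; '-' separates
    the algorithms that make up one proposal. 'default' stands for the
    built-in default proposal and is accepted as-is.
    """
    problems = []
    for proposal in (p.strip() for p in spec.split(",")):
        if proposal == "default":
            continue
        tokens = proposal.split("-")
        kinds = [classify(t) for t in tokens]
        unknown = [t for t, k in zip(tokens, kinds) if k == "unknown"]
        if unknown:
            problems.append((proposal, "unknown keyword(s): " + ", ".join(unknown)))
        # The rule from the log: one proposal uses either AEAD ciphers or
        # classic ciphers, never both.
        if "aead" in kinds and "classic" in kinds:
            problems.append((proposal, MIXED_MSG))
    return problems


# The esp_proposals line from the thread and the corrected version.
ORIGINAL = "aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default"
FIXED = "aes192gcm16-aes128gcm16-ecp256,aes192-sha256-ecp256-modp3072,default"

if __name__ == "__main__":
    for name, spec in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, check_proposals(spec) or "OK")
```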