[strongSwan] Not Able to Connect
andreas.steffen at strongswan.org
Thu Mar 29 19:21:58 CEST 2018
Yes, you can fully integrate a remote host into a LAN by using the
farp and dhcp plugins on the VPN gateway so that the gateway
acts as an ARP proxy for the remote clients. Have a look at the
following example scenario based on swanctl:
use pools = dhcp and in strongswan.conf
define the DHCP server to be used.
On 29.03.2018 18:57, Info wrote:
> True. Although I infer that 'pools' might be address pools (as with
> DHCP), I can find no evidence of this. And I now notice the 'pools'
> definition further down.
> But I'd like this VPN to be 'transparent'. IOW I'd like my remote
> machines and LAN members to use the same IP as they do in the LAN. If
> possible I'd like to avoid virtual IPs. Is there any way to do this?
> And I gather that in the IPSec gateway for the LAN, I can define
> different definitions for different remote machines, but I can't work
> out how this would be structured with swanctl. I'd actually prefer to
> keep the same definition for all remote initiators, but things may not
> always work out like we want.
> Side question: I'm also in the process of transitioning the LAN to
> IPV6. As my ISP will not foreseeably have IPV6 (Frontier Comm) I'll
> need to use a tunnel broker. Will this be a problem with Strongswan,
> and can the Android app do IPV6?
> On 03/28/2018 02:35 PM, Andreas Steffen wrote:
>> The connection setup gets now very far but finally fails because
>> the pools defined by
>> pools = primary-pool-ipv4, primary-pool-ipv6
>> don't seem to be defined (have you added a pools section in swanctl.conf?)
>> and therefore no virtual IP can be allocated to the initiator
>> Wed, 2018-03-28 08:31 15[IKE] <ikev2-pubkey|1>
>> peer requested virtual IP %any
>> no virtual IP found for %any requested by 'C=US, O=Quantum
>> peer requested virtual IP %any6
>> no virtual IP found for %any6 requested by 'C=US, O=Quantum
>> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
>> On 28.03.2018 17:37, Info wrote:
>>> I have no way of interpreting the syntax of these proposals as there's
>>> no definitive description. Maybe '-' separates different options in a
>>> category and ',' separates categories? But it also doesn't explain
>>> "classic and combined-mode algos" nor not to mix them. I can't know
>>> these things by instinct.
>>> Something else is wrong with the example. I copied it -exactly- (except
>>> I used your esp_proposals), and the error log is attached.
>>> On 03/28/2018 02:21 AM, Andreas Steffen wrote:
>>>> as your log explicitly says:
>>>>> Tue, 2018-03-27 15:13 15[CFG] classic and combined-mode (AEAD)
>>>>> encryption algorithms can't be contained in the same IKE proposal
>>>> Thus instead of
>>>> esp_proposals =
>>>> you must define
>>>> esp_proposals =
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
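The two ways of giving a remote client an address that the thread discusses (a virtual IP from a swanctl.conf pools section, or a LAN address leased through the dhcp plugin with farp answering ARP for it), written out as configuration fragments. This is an added example, not configuration posted in the thread: the pool names are the ones quoted above, while the subnets, certificate file name, DHCP server address, interface name and proposal strings are placeholders chosen here.

```conf
# swanctl.conf (added example; addresses and file names are placeholders)
connections {
    rw {
        local {
            auth = pubkey
            certs = gatewayCert.pem
        }
        remote {
            auth = pubkey
        }
        children {
            net {
                local_ts = 10.1.0.0/16
                # classic and AEAD algorithms go in separate proposals, never mixed
                esp_proposals = aes256gcm16-x25519, aes256-sha256-x25519
            }
        }
        # Variant A: virtual IPs from the pools section below. Without that
        # section the log shows "no virtual IP found for %any".
        pools = primary-pool-ipv4, primary-pool-ipv6
        # Variant B: lease a LAN address from the LAN's DHCP server instead
        # (dhcp plugin); farp then answers ARP on the LAN for that address.
        # pools = dhcp
    }
}

pools {
    primary-pool-ipv4 {
        addrs = 10.3.0.0/24
    }
    primary-pool-ipv6 {
        addrs = 2001:db8:3::/64
    }
}

# strongswan.conf (only needed for Variant B)
charon {
    plugins {
        dhcp {
            load = yes
            # placeholders: the LAN's DHCP server and the LAN-facing interface
            server = 10.1.0.1
            interface = eth0
        }
        farp {
            load = yes
        }
    }
}
```

With Variant B the client ends up with an address inside the LAN subnet itself, which is the "transparent" setup asked about above; with Variant A the client keeps a separate virtual IP and the LAN must route the pool subnets to the gateway.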