[strongSwan] ISAKMP packet ignored with right=%any ?
Philippe Marrot
pmarrot92 at gmail.com
Tue Apr 28 15:18:34 CEST 2020
Hi everyone,
I'm struggling with a site-to-site IKEv2 tunnel for a peer using a dynamic IP.
It seems that the first IKEv2 init packet is totally ignored. I don't know why.
When using a static IP, all goes well.
*Config dynamic:*
I use the following ipsec.conf (IP and peer names changed):
conn peer1
    keyexchange=ikev2
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=restart
    rekey=no
    authby=psk
    leftfirewall=yes
    left=<local_ip>
    leftid=<local_id>
    leftsubnet=192.168.7.0/24
    right=%any
    rightid=<peer_id>
    rightsubnet=192.168.4.0/24
    auto=route
ipsec.secrets:
<peer_id> : PSK "key"
When starting the remote tunnel, I get this dump on the strongSwan side: a
single packet received, no response from strongSwan:
15:01:15.113323 IP (tos 0x0, ttl 244, id 4358, offset 0, flags [none],
proto UDP (17), length 344)
<peer1_ip>.500 > <local_ip>.500: [udp sum ok] isakmp 2.0 msgid 00000000
cookie 4e011e68b24ebe9e->0000000000000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0100))
(t: #2 type=integ id=hmac-sha )
(t: #3 type=prf id=hmac-sha )
(t: #4 type=dh id=modp1024 )))
(v2ke: len=128 group=modp1024)
(nonce: len=20 nonce=(247782749746e4aa5e04167b26e9e0c9f6fa53ba) )
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(v2vid: len=20 vid=*gu..*..|3..h....o..)
Now, indicating the current peer IP in ipsec.conf, the tunnel starts
immediately (no other IPsec parameter changed):
*Config static:*
conn peer1
    keyexchange=ikev2
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=restart
    rekey=no
    authby=psk
    leftfirewall=yes
    left=<local_ip>
    leftid=<local_id>
    leftsubnet=192.168.7.0/24
    *right=<peer_ip>*
    rightid=<peer_id>
    rightsubnet=192.168.4.0/24
    *auto=start*
ipsec.secrets:
<local_id> <peer_id> : PSK "key"
I enabled various logging levels without finding any useful info.
strongSwan 5.8.2
Not a firewall issue: I tried without, and other static site-to-site tunnels
are working.
Thank you for any hint! Really...
PM.