[strongSwan] Unable to connect to client - no matching peer config found

Liong Kok Foo liong.kok.foo at revenue.com.my
Tue Jun 9 11:27:50 CEST 2020


Hi,

I am new to strongSwan and have not had much experience setting up VPN 
connections.

I need to set up a new VPN connection to a client but just cannot seem 
to get it working.

Here is the information provided by the client:

IKEv2 (Phase 1) Proposal
  Available for ping (Yes/No):        No
  IKE Mode (Aggressive/Main):         Main
  IKE Authentication method:          Pre-shared key
  IKE Pre-shared key:                 xxxxxx
  IKE Group:                          Group 14
  IKE Encryption:                     AES-256
  IKE Authentication:                 SHA2-256
  IKE Lifetime (seconds):             86400
  Life Time (KB):                     86400

IPsec (Phase 2) Proposal
  IPsec Group:                        Group 14
  IPsec Protocol:                     ESP
  IPsec Encryption:                   AES-256
  IPsec Authentication:               SHA2-256
  IPsec Lifetime (seconds):           3600
  Life Time (KB):                     28800
  Enable Perfect Forward Secrecy:     Yes
  PFS / DH-group:                     Yes/Gp-14
  Encapsulation Mode:                 Tunnel

IP addresses carried in tunnel (Private IP address, IP range assigned by client) / Crypto ACL
  Source (Encryption Domain):         192.168.40.33/30 (DR)
                                      192.168.40.34/30 (UAT)
  Port:                               Any
  VPN DPD always enabled:             Enabled
  To disable monitoring ICMP echo requests (or pings) -> by right to determine if a VPN tunnel is up, however for this case it's dropping the VPN connections:   Disabled
  To disable a proxy-ID negotiation, it is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations:   Disabled
  NAT traversal (TCP4500):            Disabled


Here is my configuration file:

ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

conn %default
         ikelifetime=1440m
         keylife=60m
         rekeymargin=3m
         keyingtries=1
         authby=secret
         keyexchange=ikev2
         mobike=no

conn net-net
         left=10.15.66.10
         leftsubnet=10.15.66.0/24
         leftid=@me
         leftfirewall=yes
         right=1.2.3.4          # client public IP changed
         rightsubnet=192.168.118.0/24
         rightid=@client
         ike=aes256-sha2_256-modp2048!
         esp=aes256-sha2_256-modp2048!
         auto=start


ipsec.secrets:

# ipsec.secrets - strongSwan IPsec secrets file
@me @client : PSK "xxxxxx"


Here is a part of the message log:

Jun  9 17:14:32 uatvpngateway charon: 06[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
Jun  9 17:14:32 uatvpngateway charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
Jun  9 17:14:32 uatvpngateway charon: 06[IKE] 1.2.3.4 is initiating an IKE_SA
Jun  9 17:14:32 uatvpngateway charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun  9 17:14:32 uatvpngateway charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(MULT_AUTH) ]
Jun  9 17:14:32 uatvpngateway charon: 06[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (392 bytes)
Jun  9 17:14:32 uatvpngateway charon: 07[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (448 bytes)
Jun  9 17:14:32 uatvpngateway charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
Jun  9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found
Jun  9 17:14:32 uatvpngateway charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jun  9 17:14:32 uatvpngateway charon: 07[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (80 bytes)

I would appreciate it if anyone could help to provide guidance on getting this 
working.

Thanks
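As an added diagnostic that is not part of the original post: this Python snippet parses the rightid of each conn in the posted ipsec.conf excerpt and the identity the peer presented in the charon "looking for peer configs" line, then checks them against a simplified model of strongSwan identity matching (an assumption; the real matcher also weighs local IDs, certificate subjects and wildcards) to show why the conn above is not selected.

```python
import re
# Constructed inputs: the rightid lines from the posted ipsec.conf and the charon CFG log line.
IPSEC_CONF = """conn net-net
         right=1.2.3.4
         rightid=@client
"""
LOG_LINE = ("Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer "
            "configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]")
LOOKUP_RE = re.compile(r"looking for peer configs matching "
                       r"([^\s\[]+)\[([^\]]+)\]\.\.\.([^\s\[]+)\[([^\]]+)\]")

def parse_conns(text):
    """Return {conn_name: {option: value}} for each conn section of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def parse_lookup(line):
    """Extract (local_addr, local_id, remote_addr, remote_id) from the CFG lookup line."""
    match = LOOKUP_RE.search(line)
    return match.groups() if match else None

def id_matches(configured, presented):
    """Simplified strongSwan ID matching (assumption): %any accepts anything, '@' marks a literal FQDN."""
    if configured in (None, "", "%any"):
        return True
    literal = configured[1:] if configured.startswith("@") else configured
    return literal == presented

def check_remote_ids(conf_text, log_line):
    """For each conn, report (configured rightid, ID the peer presented, whether it matches)."""
    lookup = parse_lookup(log_line)
    if lookup is None:
        return {}
    remote_id = lookup[3]
    report = {}
    for name, opts in parse_conns(conf_text).items():
        rightid = opts.get("rightid", opts.get("right"))  # rightid defaults to right
        report[name] = (rightid, remote_id, id_matches(rightid, remote_id))
    return report
```

Run against the posted excerpt it reports net-net as not matching: the peer identified itself by its IP address 1.2.3.4 in IDi, whereas rightid=@client only accepts the FQDN identity "client", which is consistent with the "no matching peer config found" line in the log.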