[strongSwan] Unable to connect to client - no matching peer config found
Liong Kok Foo
liong.kok.foo at revenue.com.my
Tue Jun 9 11:27:50 CEST 2020
Hi,
I am new to strongswan and have not had much experience setting up VPN
connection.
I need to setup a new VPN connection to a client but just cannot seems
to get it working.
Here are the information provided by client:
IKEv2 (Phase 1) Proposal
Available for ping (Yes/No) No
IKE Mode (Aggressive/Main) Main
IKE Authentication method Pre-shared key
IKE Pre-shared key xxxxxx
IKE Group Group 14
IKE Encryption AES-256
IKE Authentication SHA2-256
IKE Lifetime (seconds) 86400
Life Time (KB) 86400
IPsec (Phase 2) Proposal
IPsec Group Group 14
IPsec Protocol ESP
IPsec Encryption AES-256
IPsec Authentication SHA2-256
IPsec Lifetime (seconds) 3600
Life Time (KB) 28800
Enable Perfect Forward Secrecy Yes
PFS / DH-group Yes/Gp-14
Encapsulation Mode Tunnel
IP addresses carried in tunnel (Private IP address, IP range assigned by
client) Crypto ACL
Source (Encryption Domain) 192.168.40.33/30(DR)
192.168.40.34/30(UAT)
Port Any
VPN DPD always enabled Enabled
To disable monitoring ICMP echo requests (or pings) à by right to
determine if a VPN tunnel is up however for this case it’s dropping the
VPN connections. Disabled
To disable a proxy-ID negotiation, it is used during phase 2 of Internet
Key Exchange (IKE) Virtual Private Network (VPN) negotiations. Disabled
NAT traversal (TCP4500) Disabled
Here is my configuration file:
IPsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
conn %default
ikelifetime=1440m
keylife=60m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no
conn net-net
left=10.15.66.10
leftsubnet=10.15.66.0/24
leftid=@me
leftfirewall=yes
right=1.2.3.4 (client public IP changed)
rightsubnet=192.168.118.0/24
rightid=@client
ike=aes256-sha2_256-modp2048!
esp=aes256-sha2_256-modp2048!
auto=start
ipsec.secrets:
# ipsec.secrets - strongSwan IPsec secrets file
@me @client : PSK "xxxxxx"
Here is a part of the message log:
Jun 9 17:14:32 uatvpngateway charon: 06[NET] received packet: from
1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
Jun 9 17:14:32 uatvpngateway charon: 06[ENC] parsed IKE_SA_INIT request
0 [ SA KE No N(FRAG_SUP) ]
Jun 9 17:14:32 uatvpngateway charon: 06[IKE] 1.2.3.4 is initiating an
IKE_SA
Jun 9 17:14:32 uatvpngateway charon: 06[CFG] selected proposal:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun 9 17:14:32 uatvpngateway charon: 06[ENC] generating IKE_SA_INIT
response 0 [ SA KE No N(FRAG_SUP) N(MULT_AUTH) ]
Jun 9 17:14:32 uatvpngateway charon: 06[NET] sending packet: from
10.15.66.10[500] to 1.2.3.4[500] (392 bytes)
Jun 9 17:14:32 uatvpngateway charon: 07[NET] received packet: from
1.2.3.4[500] to 10.15.66.10[500] (448 bytes)
Jun 9 17:14:32 uatvpngateway charon: 07[ENC] parsed IKE_AUTH request 1
[ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Jun 9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs
matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
Jun 9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found
Jun 9 17:14:32 uatvpngateway charon: 07[ENC] generating IKE_AUTH
response 1 [ N(AUTH_FAILED) ]
Jun 9 17:14:32 uatvpngateway charon: 07[NET] sending packet: from
10.15.66.10[500] to 1.2.3.4[500] (80 bytes)
Would appreciate if anyone can help to provide guidance on getting this
working.
Thanks
--
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200609/ba60f42a/attachment.html>
More information about the Users
mailing list