[strongSwan] Unable to connect to client - no matching peer config found
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Jun 9 12:30:55 CEST 2020
Hi Liong,
> Jun 9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
rightid=1.2.3.4
Kind regards
Noel
Am 09.06.20 um 11:27 schrieb Liong Kok Foo:
> Hi,
>
> I am new to strongSwan and have not had much experience setting up VPN connections.
>
> I need to set up a new VPN connection to a client but just cannot seem to get it working.
>
> Here is the information provided by the client:
>
> IKEv2 (Phase 1) Proposal
> Available for ping (Yes/No) No
> IKE Mode (Aggressive/Main) Main
> IKE Authentication method Pre-shared key
> IKE Pre-shared key xxxxxx
> IKE Group Group 14
> IKE Encryption AES-256
> IKE Authentication SHA2-256
> IKE Lifetime (seconds) 86400
> Life Time (KB) 86400
> IPsec (Phase 2) Proposal
> IPsec Group Group 14
> IPsec Protocol ESP
> IPsec Encryption AES-256
> IPsec Authentication SHA2-256
> IPsec Lifetime (seconds) 3600
> Life Time (KB) 28800
> Enable Perfect Forward Secrecy Yes
> PFS / DH-group Yes/Gp-14
> Encapsulation Mode Tunnel
> IP addresses carried in tunnel (Private IP address, IP range assigned by client) Crypto ACL
> Source (Encryption Domain) 192.168.40.33/30(DR)
> 192.168.40.34/30(UAT)
> Port Any
> VPN DPD always enabled Enabled
> To disable monitoring ICMP echo requests (or pings) -> by right to determine if a VPN tunnel is up, however for this case it's dropping the VPN connections. Disabled
> To disable a proxy-ID negotiation, it is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations. Disabled
> NAT traversal (TCP4500) Disabled
>
>
> Here is my configuration file:
>
> ipsec.conf:
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>
> conn %default
>         ikelifetime=1440m
>         keylife=60m
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>         keyexchange=ikev2
>         mobike=no
>
> conn net-net
>         left=10.15.66.10
>         leftsubnet=10.15.66.0/24
>         leftid=@me
>         leftfirewall=yes
>         right=1.2.3.4    # client public IP changed
>         rightsubnet=192.168.118.0/24
>         rightid=@client
>         ike=aes256-sha2_256-modp2048!
>         esp=aes256-sha2_256-modp2048!
>         auto=start
>
>
> ipsec.secrets:
>
> # ipsec.secrets - strongSwan IPsec secrets file
> @me @client : PSK "xxxxxx"
>
>
> Here is a part of the message log:
>
> Jun 9 17:14:32 uatvpngateway charon: 06[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
> Jun 9 17:14:32 uatvpngateway charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
> Jun 9 17:14:32 uatvpngateway charon: 06[IKE] 1.2.3.4 is initiating an IKE_SA
> Jun 9 17:14:32 uatvpngateway charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> Jun 9 17:14:32 uatvpngateway charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(MULT_AUTH) ]
> Jun 9 17:14:32 uatvpngateway charon: 06[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (392 bytes)
> Jun 9 17:14:32 uatvpngateway charon: 07[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (448 bytes)
> Jun 9 17:14:32 uatvpngateway charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
> Jun 9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
> Jun 9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found
> Jun 9 17:14:32 uatvpngateway charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Jun 9 17:14:32 uatvpngateway charon: 07[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (80 bytes)
>
> Would appreciate if anyone can help to provide guidance on getting this working.
>
> Thanks
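As an added diagnostic (not from the post, the list, or strongSwan itself), the script below reproduces the mismatch Noel points at: it flattens the posted conn block, pulls the two identities out of charon's "looking for peer configs matching" line, and reports which configured id differs from the one the peer actually sent. The identity-matching rule in id_matches is a simplified assumption, not charon's own matcher.

```python
import re

# Constructed from the post: the conn block as posted (rightid=@client) and the
# charon line that shows which identities were actually used in IKE_AUTH.
CONN_AS_POSTED = """
conn net-net
        left=10.15.66.10
        leftid=@me
        right=1.2.3.4
        rightid=@client
"""
LOG_LINE = ("Jun 9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs "
            "matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]")
# charon logs local_addr[IDr requested by peer]...remote_addr[IDi sent by peer]
MATCH_RE = re.compile(r"looking for peer configs matching "
                      r"([^\s\[]+)\[([^\]]+)\]\.\.\.([^\s\[]+)\[([^\]]+)\]")

def parse_conn(text):
    """Flatten one conn block to {key: value}; ids default to the address."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    conf.setdefault("leftid", conf.get("left"))
    conf.setdefault("rightid", conf.get("right"))
    return conf

def parse_log(line):
    """Return the two identities charon tried to match."""
    m = MATCH_RE.search(line)
    if not m:
        raise ValueError("not a 'looking for peer configs' line")
    return {"local_id": m.group(2), "remote_id": m.group(4)}

def id_matches(configured, received):
    # Simplified rule (assumption, not charon's matcher): %any matches anything,
    # otherwise ids must be equal, so FQDN '@client' never matches IP '1.2.3.4'.
    return "%any" in (configured, received) or configured == received

def diagnose(conn_text, log_line):
    """List each configured identity that differs from the negotiated one."""
    conf, ids = parse_conn(conn_text), parse_log(log_line)
    problems = []
    for side, key in (("remote_id", "rightid"), ("local_id", "leftid")):
        if not id_matches(conf[key], ids[side]):
            problems.append(f"{key}={conf[key]} does not match {ids[side]}; "
                            f"set {key}={ids[side]}")
    return problems
```

Once rightid matches, check that the selectors on the PSK line in ipsec.secrets name the same identities, since the shared secret is also looked up by identity.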