[strongSwan] Unable to connect to client - no matching peer config found

Liong Kok Foo liong.kok.foo at revenue.com.my
Wed Jun 10 05:12:05 CEST 2020


Hi Noel,

Thanks, I changed the rightid and it is going somewhere.

However, I am stuck in another error.

Jun 10 11:02:19 uatvpngateway charon[20200]: 11[IKE] retransmit 3 of request with message ID 0
Jun 10 11:02:19 uatvpngateway charon[20200]: 11[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[CFG] looking for an IKEv2 config for 10.15.66.10...1.2.3.4
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (36 bytes)
Jun 10 11:02:43 uatvpngateway charon[20200]: 14[IKE] retransmit 4 of request with message ID 0
Jun 10 11:02:43 uatvpngateway charon[20200]: 14[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)

You see, the client has their VPN set up such that we MUST connect to 
them from IP 192.168.40.34. Our network is 10.15.66.0/24. This is the 
reason why we had to use strongSwan and NAT to do this.

Because we are using a cloud server, our IP is eth0 10.15.66.10 and I 
created an alias eth0:0 192.168.40.34 for this server.

So now, I have changed the config a bit as below. Not sure what the 
problem is now. I have also enabled debug-cfg 2.

conn net-net
#        left=10.15.66.10
         left=192.168.40.34
#        leftsubnet=10.15.66.0/24
#        also tried leftsubnet=0.0.0.0/0
         leftsubnet=192.168.40.32/30
         leftid=@rh
         leftfirewall=yes
         right=1.2.3.4
         rightsubnet=192.168.118.0/24
         rightid=1.2.3.4
         ike=aes256-sha2_256-modp2048!
         esp=aes256-sha2_256-modp2048!
         auto=start


ike should be correct as per what was requested from the client's side:

IKE Group  	Group 14
IKE Encryption  	AES-256
IKE Authentication 	SHA2-256

Thanks

On 9/6/2020 6:30 pm, Noel Kuntze wrote:
> Hi Liong,
>
>> Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
> rightid=1.2.3.4
>
> Kind regards
>
> Noel
>
> Am 09.06.20 um 11:27 schrieb Liong Kok Foo:
>> Hi,
>>
>> I am new to strongSwan and have not had much experience setting up VPN connections.
>>
>> I need to set up a new VPN connection to a client but just cannot seem to get it working.
>>
>> Here is the information provided by the client:
>>
>> IKEv2 (Phase 1) Proposal
>> Available for ping (Yes/No) 	No
>> IKE Mode (Aggressive/Main) 	Main
>> IKE Authentication method 	Pre-shared key
>> IKE Pre-shared key 	xxxxxx
>> IKE Group  	Group 14
>> IKE Encryption  	AES-256
>> IKE Authentication 	SHA2-256
>> IKE Lifetime (seconds) 	86400
>> Life Time (KB) 	86400
>>   IPsec (Phase 2) Proposal
>> IPsec Group  	Group 14
>> IPsec Protocol 	ESP
>> IPsec Encryption  	AES-256
>> IPsec Authentication 	SHA2-256
>> IPsec Lifetime (seconds) 	3600
>> Life Time (KB) 	28800
>> Enable Perfect Forward Secrecy 	Yes
>> PFS / DH-group 	Yes/Gp-14
>> Encapsulation Mode 	Tunnel
>> IP addresses carried in tunnel (Private IP address, IP range assigned by client) Crypto ACL
>> Source (Encryption Domain) 	192.168.40.33/30(DR)
>> 192.168.40.34/30(UAT)
>> Port 	Any
>> VPN DPD always enabled 	Enabled
>> To disable monitoring ICMP echo requests (or pings) -> by right to determine if a VPN tunnel is up; however, for this case it's dropping the VPN connections. 	Disabled
>> To disable a proxy-ID negotiation, it is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations. 	Disabled
>> NAT traversal (TCP4500) 	Disabled
>>
>>
>> Here is my configuration file:
>>
>> IPsec.conf
>>
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>>
>> conn %default
>>          ikelifetime=1440m
>>          keylife=60m
>>          rekeymargin=3m
>>          keyingtries=1
>>          authby=secret
>>          keyexchange=ikev2
>>          mobike=no
>>
>> conn net-net
>>          left=10.15.66.10
>>          leftsubnet=10.15.66.0/24
>>          leftid=@me
>>          leftfirewall=yes
>>          right=1.2.3.4 (client public IP changed)
>>          rightsubnet=192.168.118.0/24
>>          rightid=@client
>>          ike=aes256-sha2_256-modp2048!
>>          esp=aes256-sha2_256-modp2048!
>>          auto=start
>>
>>
>> ipsec.secrets:
>>
>> # ipsec.secrets - strongSwan IPsec secrets file
>> @me @client : PSK "xxxxxx"
>>
>>
>> Here is a part of the message log:
>>
>> Jun  9 17:14:32 uatvpngateway charon: 06[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
>> Jun  9 17:14:32 uatvpngateway charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
>> Jun  9 17:14:32 uatvpngateway charon: 06[IKE] 1.2.3.4 is initiating an IKE_SA
>> Jun  9 17:14:32 uatvpngateway charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>> Jun  9 17:14:32 uatvpngateway charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(MULT_AUTH) ]
>> Jun  9 17:14:32 uatvpngateway charon: 06[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (392 bytes)
>> Jun  9 17:14:32 uatvpngateway charon: 07[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (448 bytes)
>> Jun  9 17:14:32 uatvpngateway charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
>> Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
>> Jun  9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found
>> Jun  9 17:14:32 uatvpngateway charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> Jun  9 17:14:32 uatvpngateway charon: 07[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (80 bytes)
>>
>> Would appreciate if anyone can help to provide guidance on getting this working.
>>
>> Thanks

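The log in the message above shows charon refusing the IKE_SA_INIT with "no IKE config found for 10.15.66.10...1.2.3.4": when an IKE_SA_INIT arrives, charon selects an IKE config by matching the local and remote addresses of the received packet against each conn's left/right (with %any as a wildcard), and only then moves on to proposals and peer configs. The script below is an added example, not part of the thread or of strongSwan itself. It parses a conn block in ipsec.conf syntax together with a few charon log lines (both constructed here, modelled on the ones posted in the thread) and reports which side of the left/right pair does not match the address the packet actually arrived on. Function names and the constructed samples are the example's own.

```python
"""Cross-check an ipsec.conf conn block against charon "no IKE config found" lines.

charon matches the local/remote address of a received IKE_SA_INIT against each
conn's left/right before it looks at proposals or identities. If nothing matches
it logs "no IKE config found for <local>...<remote>" and replies NO_PROPOSAL_CHOSEN,
so the first thing to check is whether left= really is the address the packet hit.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the conn block posted in the thread (inline note removed).
IPSEC_CONF = """
conn net-net
        left=192.168.40.34
        leftsubnet=192.168.40.32/30
        leftid=@rh
        leftfirewall=yes
        right=1.2.3.4
        rightsubnet=192.168.118.0/24
        rightid=1.2.3.4
        ike=aes256-sha2_256-modp2048!
        esp=aes256-sha2_256-modp2048!
        auto=start
"""

# Constructed sample log lines, modelled on the charon output in the thread.
CHARON_LOG = """\
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[CFG] looking for an IKEv2 config for 10.15.66.10...1.2.3.4
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN
"""

CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+([a-z]+)\s*=\s*(\S+)")
# Lazy first group so the single dots inside an IPv4 address do not swallow the "...".
NOCFG_RE = re.compile(r"no IKE config found for ([^\s,]+?)\.\.\.([^\s,]+)")


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn name: {key: value}} for every conn section in ipsec.conf syntax."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line:
            continue
        m = CONN_RE.match(line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            conns[current][m.group(1)] = m.group(2)
    return conns


def failed_lookups(log: str) -> List[Tuple[str, str]]:
    """Return (local, remote) address pairs for which charon found no IKE config."""
    found = []
    for line in log.splitlines():
        m = NOCFG_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def addr_matches(configured: str, seen: str) -> bool:
    """%any matches anything; otherwise the configured address must equal the one seen."""
    return configured == "%any" or configured == seen


def diagnose(conf: str, log: str) -> List[str]:
    """For each failed lookup, name the conn and the side (left/right) that does not match."""
    conns = parse_conns(conf)
    findings = []
    for local, remote in failed_lookups(log):
        for name, c in conns.items():
            if name == "%default":
                continue
            left, right = c.get("left", "%any"), c.get("right", "%any")
            problems = []
            if not addr_matches(left, local):
                problems.append(f"left={left} but IKE_SA_INIT arrived on {local}")
            if not addr_matches(right, remote):
                problems.append(f"right={right} but peer is {remote}")
            if problems:
                findings.append(f"conn {name}: " + "; ".join(problems))
    return findings


if __name__ == "__main__":
    for finding in diagnose(IPSEC_CONF, CHARON_LOG):
        print(finding)
```

Run against the constructed samples it prints `conn net-net: left=192.168.40.34 but IKE_SA_INIT arrived on 10.15.66.10`, i.e. the address charon received the packet on is not the one configured as left=, which is exactly the condition that produces the "no IKE config found" line. The check deliberately stops at address matching: once left/right agree with the log, the remaining candidates (proposal, peer config / identities) show up as different charon messages, such as the "no matching peer config found" line from the first message in the thread.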


