[strongSwan] Unable to connect to client - no matching peer config found
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Jun 10 05:31:15 CEST 2020
Hello Liong,
>
>> You see, the client have their VPN setup such that we MUST connect to them from IP 192.168.40.34. Our network IP is 10.15.66.0/24. This is the reason why we had to use Strongswan and NAT to do this.
>>
Your host is behind NAT, so the other peer won't ever see it. Also, that IP address is probably not routed to you by the next hop router. That's why you don't get any response for packets sent from the IP address 192.168.40.34.
You need to set leftid to the address. That will probably do it.
>> Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Yes, of course, because you sent left to 192.168.40.34, instead of the correct value of 10.15.66.10. Stop hitting yourself.
> I created an alias eth0:0 192.168.40.34 for this server.
That doesn't help you at all. Also, aliases are deprecated for > 20 years already. Aliases are a crutch for using ifconfig with several IP addresses per interface.
ifconfig and route are deprecated for more than 20 years already, too.
Kind regards
Noel
Am 10.06.20 um 05:12 schrieb Liong Kok Foo:
> Hi Noel,
>
> Thanks changed the rightid and it is going somewhere.
>
> However, I am stuck in another error.
>
> Jun 10 11:02:19 uatvpngateway charon[20200]: 11[IKE] retransmit 3 of request with message ID 0
> Jun 10 11:02:19 uatvpngateway charon[20200]: 11[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)
> Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
> Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
> Jun 10 11:02:32 uatvpngateway charon[20200]: 13[CFG] looking for an IKEv2 config for 10.15.66.10...1.2.3.4
> Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN
> Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (36 bytes)
> Jun 10 11:02:43 uatvpngateway charon[20200]: 14[IKE] retransmit 4 of request with message ID 0
> Jun 10 11:02:43 uatvpngateway charon[20200]: 14[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)
>
> You see, the client have their VPN setup such that we MUST connect to them from IP 192.168.40.34. Our network IP is 10.15.66.0/24. This is the reason why we had to use Strongswan and NAT to do this.
>
> Because we are using a cloud server, our IP is eth0 10.15.66.10 and I created an alias eth0:0 192.168.40.34 for this server.
>
> So now, I have changed the config a bit as below. Not sure what is the problem now. I have also enable debug-cfg 2.
>
> conn net-net
> # left=10.15.66.10
> left=192.168.40.34
> # leftsubnet=10.15.66.0/24
> leftsubnet=192.168.40.32/30 (also tried 0.0.0.0/0)
> leftid=@rh
> leftfirewall=yes
> right=1.2.3.4
> rightsubnet=192.168.118.0/24
> rightid=1.2.3.4
> ike=aes256-sha2_256-modp2048!
> esp=aes256-sha2_256-modp2048!
> auto=start
>
>
> ike should be correct as per requested from client's side:
>
> IKE Group Group 14
> IKE Encryption AES-256
> IKE Authentication SHA2-256
>
> Thanks
>
> On 9/6/2020 6:30 pm, Noel Kuntze wrote:
>> Hi Liong,
>>
>>> Jun 9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
>> rightid=1.2.3.4
>>
>> Kind regards
>>
>> Noel
>>
>> Am 09.06.20 um 11:27 schrieb Liong Kok Foo:
>>> Hi,
>>>
>>> I am new to strongswan and have not had much experience setting up VPN connection.
>>>
>>> I need to setup a new VPN connection to a client but just cannot seems to get it working.
>>>
>>> Here are the information provided by client:
>>>
>>> IKEv2 (Phase 1) Proposal
>>> Available for ping (Yes/No) No
>>> IKE Mode (Aggressive/Main) Main
>>> IKE Authentication method Pre-shared key
>>> IKE Pre-shared key xxxxxx
>>> IKE Group Group 14
>>> IKE Encryption AES-256
>>> IKE Authentication SHA2-256
>>> IKE Lifetime (seconds) 86400
>>> Life Time (KB) 86400
>>> IPsec (Phase 2) Proposal
>>> IPsec Group Group 14
>>> IPsec Protocol ESP
>>> IPsec Encryption AES-256
>>> IPsec Authentication SHA2-256
>>> IPsec Lifetime (seconds) 3600
>>> Life Time (KB) 28800
>>> Enable Perfect Forward Secrecy Yes
>>> PFS / DH-group Yes/Gp-14
>>> Encapsulation Mode Tunnel
>>> IP addresses carried in tunnel (Private IP address, IP range assigned by client) Crypto ACL
>>> Source (Encryption Domain) 192.168.40.33/30(DR)
>>> 192.168.40.34/30(UAT)
>>> Port Any
>>> VPN DPD always enabled Enabled
>>> To disable monitoring ICMP echo requests (or pings) à by right to determine if a VPN tunnel is up however for this case it’s dropping the VPN connections. Disabled
>>> To disable a proxy-ID negotiation, it is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations. Disabled
>>> NAT traversal (TCP4500) Disabled
>>>
>>>
>>> Here is my configuration file:
>>>
>>> IPsec.conf
>>>
>>> # ipsec.conf - strongSwan IPsec configuration file
>>>
>>> # basic configuration
>>>
>>> config setup
>>>
>>> conn %default
>>> ikelifetime=1440m
>>> keylife=60m
>>> rekeymargin=3m
>>> keyingtries=1
>>> authby=secret
>>> keyexchange=ikev2
>>> mobike=no
>>>
>>> conn net-net
>>> left=10.15.66.10
>>> leftsubnet=10.15.66.0/24
>>> leftid=@me
>>> leftfirewall=yes
>>> right=1.2.3.4 (client public IP changed)
>>> rightsubnet=192.168.118.0/24
>>> rightid=@client
>>> ike=aes256-sha2_256-modp2048!
>>> esp=aes256-sha2_256-modp2048!
>>> auto=start
>>>
>>>
>>> ipsec.secrets:
>>>
>>> # ipsec.secrets - strongSwan IPsec secrets file
>>> @me @client : PSK "xxxxxx"
>>>
>>>
>>> Here is a part of the message log:
>>>
>>> Jun 9 17:14:32 uatvpngateway charon: 06[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
>>> Jun 9 17:14:32 uatvpngateway charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
>>> Jun 9 17:14:32 uatvpngateway charon: 06[IKE] 1.2.3.4 is initiating an IKE_SA
>>> Jun 9 17:14:32 uatvpngateway charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>>> Jun 9 17:14:32 uatvpngateway charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(MULT_AUTH) ]
>>> Jun 9 17:14:32 uatvpngateway charon: 06[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (392 bytes)
>>> Jun 9 17:14:32 uatvpngateway charon: 07[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (448 bytes)
>>> Jun 9 17:14:32 uatvpngateway charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
>>> Jun 9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
>>> Jun 9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found
>>> Jun 9 17:14:32 uatvpngateway charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>> Jun 9 17:14:32 uatvpngateway charon: 07[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (80 bytes)
>>>
>>> Would appreciate if anyone can help to provide guidance on getting this working.
>>>
>>> Thanks
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=icon> Virus-free. www.avast.com <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient&utm_term=link>
>>>
>>> <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200610/ee861063/attachment.sig>
More information about the Users
mailing list