[strongSwan] Unable to connect to client - no matching peer config found

Liong Kok Foo liong.kok.foo at revenue.com.my
Wed Jun 10 06:20:15 CEST 2020


Hi Noel,

The client side is not allowing connection from my side as it is not 
using the IP they want. I have removed the alias and changed the 
leftid=192.168.40.34

Jun 10 12:03:59 uatvpngateway charon[20916]: 06[IKE] maximum IKE_SA lifetime 86298s
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] looking for a child config for 192.168.40.32/30 === 192.168.118.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] proposing traffic selectors for us:
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] 10.15.66.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] proposing traffic selectors for other:
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] 192.168.118.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[IKE] traffic selectors 192.168.40.32/30 === 192.168.118.0/24 unacceptable
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (144 bytes)

Any idea? Or is this not possible to be done?


*Liong Kok Foo*
Team Lead, IT Infra

REVENUE GROUP OF COMPANIES
Email : liong.kok.foo at revenue.com.my
TEL : +60 3-9212 0505  (ext 1004)
FAX : +60 3-6242 8785
ADD : Wisma Revenue Group, No. 12, Jalan Udang Harimau 2, Kepong Business Park, 51200. Kuala Lumpur
WEB : www.revenue.com.my
WEB : www.revpay.com.my

On 10/6/2020 11:31 am, Noel Kuntze wrote:
> Hello Liong,
>
>>> You see, the client has their VPN setup such that we MUST connect to them from IP 192.168.40.34. Our network IP is 10.15.66.0/24. This is the reason why we had to use Strongswan and NAT to do this.
>>>
> Your host is behind NAT, so the other peer won't ever see it. Also, that IP address is probably not routed to you by the next hop router. That's why you don't get any response for packets sent from the IP address 192.168.40.34.
>
> You need to set leftid to the address. That will probably do it.
>
>>> Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN
> Yes, of course, because you set left to 192.168.40.34, instead of the correct value of 10.15.66.10. Stop hitting yourself.
>
>> I created an alias eth0:0 192.168.40.34 for this server.
> That doesn't help you at all. Also, aliases are deprecated for > 20 years already. Aliases are a crutch for using ifconfig with several IP addresses per interface.
> ifconfig and route are deprecated for more than 20 years already, too.
>
> Kind regards
>
> Noel
>
> On 10.06.20 at 05:12, Liong Kok Foo wrote:
>> Hi Noel,
>>
>> Thanks, changed the rightid and it is going somewhere.
>>
>> However, I am stuck in another error.
>>
>> Jun 10 11:02:19 uatvpngateway charon[20200]: 11[IKE] retransmit 3 of request with message ID 0
>> Jun 10 11:02:19 uatvpngateway charon[20200]: 11[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)
>> Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
>> Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
>> Jun 10 11:02:32 uatvpngateway charon[20200]: 13[CFG] looking for an IKEv2 config for 10.15.66.10...1.2.3.4
>> Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN
>> Jun 10 11:02:32 uatvpngateway charon[20200]: 13[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
>> Jun 10 11:02:32 uatvpngateway charon[20200]: 13[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (36 bytes)
>> Jun 10 11:02:43 uatvpngateway charon[20200]: 14[IKE] retransmit 4 of request with message ID 0
>> Jun 10 11:02:43 uatvpngateway charon[20200]: 14[NET] sending packet: from 192.168.40.34[500] to 1.2.3.4[500] (464 bytes)
>>
>> You see, the client has their VPN setup such that we MUST connect to them from IP 192.168.40.34. Our network IP is 10.15.66.0/24. This is the reason why we had to use Strongswan and NAT to do this.
>>
>> Because we are using a cloud server, our IP is eth0 10.15.66.10 and I created an alias eth0:0 192.168.40.34 for this server.
>>
>> So now, I have changed the config a bit as below. Not sure what the problem is now. I have also enabled debug-cfg 2.
>>
>> conn net-net
>> #        left=10.15.66.10
>>          left=192.168.40.34
>> #        leftsubnet=10.15.66.0/24
>>          leftsubnet=192.168.40.32/30 (also tried 0.0.0.0/0)
>>          leftid=@rh
>>          leftfirewall=yes
>>          right=1.2.3.4
>>          rightsubnet=192.168.118.0/24
>>          rightid=1.2.3.4
>>          ike=aes256-sha2_256-modp2048!
>>          esp=aes256-sha2_256-modp2048!
>>          auto=start
>>
>>
>> ike should be correct as requested by the client's side:
>>
>> IKE Group      Group 14
>> IKE Encryption      AES-256
>> IKE Authentication     SHA2-256
>>
>> Thanks
>>
>> On 9/6/2020 6:30 pm, Noel Kuntze wrote:
>>> Hi Liong,
>>>
>>>> Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
>>> rightid=1.2.3.4
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> On 09.06.20 at 11:27, Liong Kok Foo wrote:
>>>> Hi,
>>>>
>>>> I am new to strongswan and have not had much experience setting up VPN connections.
>>>>
>>>> I need to set up a new VPN connection to a client but just cannot seem to get it working.
>>>>
>>>> Here is the information provided by the client:
>>>>
>>>> IKEv2 (Phase 1) Proposal
>>>> Available for ping (Yes/No)     No
>>>> IKE Mode (Aggressive/Main)     Main
>>>> IKE Authentication method     Pre-shared key
>>>> IKE Pre-shared key     xxxxxx
>>>> IKE Group      Group 14
>>>> IKE Encryption      AES-256
>>>> IKE Authentication     SHA2-256
>>>> IKE Lifetime (seconds)     86400
>>>> Life Time (KB)     86400
>>>> IPsec (Phase 2) Proposal
>>>> IPsec Group      Group 14
>>>> IPsec Protocol     ESP
>>>> IPsec Encryption      AES-256
>>>> IPsec Authentication     SHA2-256
>>>> IPsec Lifetime (seconds)     3600
>>>> Life Time (KB)     28800
>>>> Enable Perfect Forward Secrecy     Yes
>>>> PFS / DH-group     Yes/Gp-14
>>>> Encapsulation Mode     Tunnel
>>>> IP addresses carried in tunnel (Private IP address, IP range assigned by client) Crypto ACL
>>>> Source (Encryption Domain)     192.168.40.33/30(DR)
>>>> 192.168.40.34/30(UAT)
>>>> Port     Any
>>>> VPN DPD always enabled     Enabled
>>>> To disable monitoring ICMP echo requests (or pings) -> by right to determine if a VPN tunnel is up however for this case it's dropping the VPN connections.     Disabled
>>>> To disable a proxy-ID negotiation, it is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations.     Disabled
>>>> NAT traversal (TCP4500)     Disabled
>>>>
>>>>
>>>> Here is my configuration file:
>>>>
>>>> IPsec.conf
>>>>
>>>> # ipsec.conf - strongSwan IPsec configuration file
>>>>
>>>> # basic configuration
>>>>
>>>> config setup
>>>>
>>>> conn %default
>>>>           ikelifetime=1440m
>>>>           keylife=60m
>>>>           rekeymargin=3m
>>>>           keyingtries=1
>>>>           authby=secret
>>>>           keyexchange=ikev2
>>>>           mobike=no
>>>>
>>>> conn net-net
>>>>           left=10.15.66.10
>>>>           leftsubnet=10.15.66.0/24
>>>>           leftid=@me
>>>>           leftfirewall=yes
>>>>           right=1.2.3.4 (client public IP changed)
>>>>           rightsubnet=192.168.118.0/24
>>>>           rightid=@client
>>>>           ike=aes256-sha2_256-modp2048!
>>>>           esp=aes256-sha2_256-modp2048!
>>>>           auto=start
>>>>
>>>>
>>>> ipsec.secrets:
>>>>
>>>> # ipsec.secrets - strongSwan IPsec secrets file
>>>> @me @client : PSK "xxxxxx"
>>>>
>>>>
>>>> Here is a part of the message log:
>>>>
>>>> Jun  9 17:14:32 uatvpngateway charon: 06[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
>>>> Jun  9 17:14:32 uatvpngateway charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) ]
>>>> Jun  9 17:14:32 uatvpngateway charon: 06[IKE] 1.2.3.4 is initiating an IKE_SA
>>>> Jun  9 17:14:32 uatvpngateway charon: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>>>> Jun  9 17:14:32 uatvpngateway charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(MULT_AUTH) ]
>>>> Jun  9 17:14:32 uatvpngateway charon: 06[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (392 bytes)
>>>> Jun  9 17:14:32 uatvpngateway charon: 07[NET] received packet: from 1.2.3.4[500] to 10.15.66.10[500] (448 bytes)
>>>> Jun  9 17:14:32 uatvpngateway charon: 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
>>>> Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
>>>> Jun  9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found
>>>> Jun  9 17:14:32 uatvpngateway charon: 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>>> Jun  9 17:14:32 uatvpngateway charon: 07[NET] sending packet: from 10.15.66.10[500] to 1.2.3.4[500] (80 bytes)
>>>>
>>>> Would appreciate if anyone can help to provide guidance on getting this working.
>>>>
>>>> Thanks

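As an added illustration (not code from this thread or from the strongSwan project), the script below reads the charon lines quoted above and maps each failure to the ipsec.conf key it points at: the "looking for peer configs matching" lookup yields the rightid Noel named, "no IKE config found for A...B" yields the address that left must carry, and a "traffic selectors ... unacceptable" rejection is checked by subnet containment against what we proposed, which is how the TS_UNACCEPT in the last log shows up. The sample log is constructed from the thread's own lines; the helper names are mine.

```python
import ipaddress
import re

# Constructed sample: the charon lines quoted in this thread, joined into one log.
SAMPLE_LOG = """\
Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]
Jun  9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found
Jun 10 11:02:32 uatvpngateway charon[20200]: 13[IKE] no IKE config found for 10.15.66.10...1.2.3.4, sending NO_PROPOSAL_CHOSEN
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] looking for a child config for 192.168.40.32/30 === 192.168.118.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] proposing traffic selectors for us:
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG]  10.15.66.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG] proposing traffic selectors for other:
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[CFG]  192.168.118.0/24
Jun 10 12:03:59 uatvpngateway charon[20916]: 06[IKE] traffic selectors 192.168.40.32/30 === 192.168.118.0/24 unacceptable
"""

PEER_RE = re.compile(r"looking for peer configs matching (\S+)\[([^\]]*)\]\.\.\.(\S+)\[([^\]]*)\]")
NOIKE_RE = re.compile(r"no IKE config found for (\S+)\.\.\.(\S+),")
CHILD_RE = re.compile(r"looking for a child config for (\S+) === (\S+)")
TSHDR_RE = re.compile(r"proposing traffic selectors for (us|other):")
TS_RE = re.compile(r"\[CFG\]\s+(\d+(?:\.\d+){3}/\d+)\s*$")

def covered(want, offered):
    """True if the selector the peer asked for fits inside one we propose."""
    w = ipaddress.ip_network(want, strict=False)
    return any(w.subnet_of(ipaddress.ip_network(o, strict=False)) for o in offered)

def triage(log):
    """Map charon CFG/IKE messages to the ipsec.conf keys they point at (hypothetical helper)."""
    state, findings, section = {"ours": {"us": [], "other": []}}, [], None
    for line in log.splitlines():
        if m := PEER_RE.search(line):          # local_addr[IDr]...remote_addr[IDi]
            state["ids"] = (m[1], m[2], m[3], m[4])
        elif "no matching peer config found" in line and "ids" in state:
            la, _, _, ri = state["ids"]
            findings.append(f"peer config: set rightid={ri} (the IDi the peer sent) with left={la}")
        elif m := NOIKE_RE.search(line):
            findings.append(f"ike config: the peer reached us on {m[1]}, so left={m[1]}; an alias address does not match")
        elif m := CHILD_RE.search(line):       # what the peer wants: our side === their side
            state["peer_ts"] = (m[1], m[2])
        elif m := TSHDR_RE.search(line):
            section = m[1]
        elif section and (m := TS_RE.search(line)):
            state["ours"][section].append(m[1])
        elif "traffic selectors" in line and "unacceptable" in line and "peer_ts" in state:
            for side, key, want in zip(("leftsubnet", "rightsubnet"), ("us", "other"), state["peer_ts"]):
                if not covered(want, state["ours"][key]):
                    findings.append(f"child config: peer wants {want} on our {key} side, but {side}={state['ours'][key]} does not cover it")
            section = None
    return findings, state
```

Run it as `python3 -c 'import triage; print(*triage.triage(triage.SAMPLE_LOG)[0], sep="\n")'` against a real `journalctl -u strongswan` dump with `charon.filelog` or `debug-cfg 2` enabled to get the same three hints for a live peer.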