[strongSwan] Configuration help request
Alexey Smirnov
ramyalexis at gmail.com
Thu Apr 7 14:42:54 CEST 2022
Hello.
Got two sites and a simple configuration for a route-based VPN.
The problem is in the first IKE phase, for authorisation.
Simple config:
connections {
    gw {
        local_addrs = x.x.x.x
        remote_addrs = y.y.y.y
        local {
            auth = psk
            id = key
        }
        remote {
            auth = psk
            id = key
        }
        children {
            net-net {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                updown = /usr/local/libexec/ipsec/_updown iptables
                rekey_time = 86400
                esp_proposals = aes192-sha1
            }
        }
        version = 2
        mobike = no
        reauth_time = 10800
        proposals = aes128-sha256-modp1536
    }
}
secrets {
    ike-1 {
        id-1 = key
        secret = "zzz"
    }
}
Some outputs:
swanctl --list-conns
servers_com-interxion: IKEv2, reauthentication every 10800s, no rekeying
  local:  x.x.x.x
  remote: y.y.y.y
  local pre-shared key authentication:
    id: key
  remote pre-shared key authentication:
    id: key
  net-net: TUNNEL, rekeying every 86400s
    local:  0.0.0.0/0
    remote: 0.0.0.0/0
Logs:
12[IKE] x.x.x.x is initiating an IKE_SA
12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
12[NET] sending packet: from y.y.y.y[500] to x.x.x.x[500] (384 bytes)
07[NET] received packet: from x.x.x.x[500] to y.y.y.y[500] (256 bytes)
07[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(INIT_CONTACT) N(SET_WINSIZE) ]
07[CFG] looking for peer configs matching x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
07[CFG] no matching peer config found
07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
07[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (80 bytes)
And the question is: why is no matching peer found, as the peers and the key are in place?
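An added diagnostic example, not part of the original post or of strongSwan: it parses charon's "looking for peer configs matching" line and compares the bracketed identities with the ids configured in swanctl.conf. In the post's log those brackets carry the peer addresses while the config sets id = key on both sides, which is the kind of mismatch this check reports. The addresses below are constructed (the post redacts them as x.x.x.x / y.y.y.y).

```python
import ipaddress
import re

# Constructed sample input: the post redacts the real addresses as x.x.x.x /
# y.y.y.y, so RFC 5737 documentation addresses are substituted here.
CONFIGURED_IDS = {"local": "key", "remote": "key"}   # id = key on both sides
LOG_LINE = ("07[CFG] looking for peer configs matching "
            "192.0.2.1[192.0.2.1]...198.51.100.1[198.51.100.1]")

# Shape of charon's message: <addr>[<identity>]...<addr>[<identity>]
PEER_MATCH_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<addr_a>\S+?)\[(?P<id_a>[^\]]*)\]\.\.\."
    r"(?P<addr_b>\S+?)\[(?P<id_b>[^\]]*)\]")


def parse_peer_match(line):
    """Extract both addresses and the identities charon tried to match."""
    m = PEER_MATCH_RE.search(line)
    return m.groupdict() if m else None


def is_address_identity(identity):
    """True if the identity is a bare IP address, which is the identity
    strongSwan falls back to when no explicit id is configured."""
    try:
        ipaddress.ip_address(identity)
        return True
    except ValueError:
        return False


def check_identities(line, configured):
    """Compare the identities seen on the wire with the configured ids.
    Returns (slot, presented_id, hint) for every identity that is not one
    of the configured values; an empty list means they all match."""
    fields = parse_peer_match(line)
    if fields is None:
        return []
    expected = set(configured.values())
    findings = []
    for slot in ("id_a", "id_b"):
        presented = fields[slot]
        if presented in expected:
            continue
        hint = ("address used as identity" if is_address_identity(presented)
                else "identity not configured")
        findings.append((slot, presented, hint))
    return findings


if __name__ == "__main__":
    for slot, presented, hint in check_identities(LOG_LINE, CONFIGURED_IDS):
        print(f"{slot}: peer presented {presented!r}, expected one of "
              f"{sorted(set(CONFIGURED_IDS.values()))}: {hint}")
```

Run it against a real charon log by feeding each "looking for peer configs matching" line to check_identities together with the ids from your own swanctl.conf.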