[strongSwan] Configuration help request

Alexey Smirnov ramyalexis at gmail.com
Thu Apr 7 21:37:07 CEST 2022


Got another question, Tobias, if you do not mind.
Got the same error as in the thread: IPSec route based VPN - VTI
interface TX Errors NoRoute
So basically the tunnel is up. I use mark_in=mark_out=10 on the VTI interface
(the Linux kernel is 3.10, so no modern interface).
The traffic looks like this:
From the tunnel remote they are coming:
 net-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-192/HMAC_SHA1_96
    installed 1608s ago, rekeying in 78953s, expires in 93432s
    in  ca18b546 (0x0000000a),    672 bytes,     8 packets
    out 482a8752 (0x0000000a),      0 bytes,     0 packets
Not sure where they go next.
From local they are NoRoute: outgoing, and no incoming.
ip -s tunnel show
vti0: ip/ip remote 10.255.255.25 local 10.255.255.26 ttl inherit key 10
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            33     0        33       0
The route is simple, just the route for the VTI interface itself:
ip r
10.255.255.24/30 dev vti0 scope link
If I ping, the counter just increases and I get Destination unreachable, as
in the guide I tried to follow:
https://docs.strongswan.org/strongswan-docs/5.9/features/routeBasedVpn.html
I also consulted the examples again here
https://www.strongswan.org/testing/testresults/route-based/net2net-vti/ and
did not find any config statement I am missing in my configuration.

What direction should I dig in?
Thank you!


Thu, 7 Apr 2022 at 16:17, Tobias Brunner <tobias at strongswan.org>:

> Hi Alexey,
>
> > 07[CFG] looking for peer configs matching
> > x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
> > 07[CFG] no matching peer config found
> > 07[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > 07[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (80 bytes)
> >
> > And the question is: why no matching peer found as peers and key is in
> > place?
>
> The peer proposes the IP addresses as identities (it's what you see in
> [] in the "looking for peer configs matching ..." log message), which
> clearly don't match "key" (whatever that is exactly).  So just remove
> those `id = key` lines (the default identities are the IP addresses) and
> associate the secret with y.y.y.y (i.e. set `id-1 = y.y.y.y` there).
>
> Regards,
> Tobias
>
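An added example, not code from the post or from strongSwan, that cross-checks the two outputs quoted above: it parses the SA mark from the status lines and the `key` plus TX counters from `ip -s tunnel show`, then flags a mark/key mismatch or a nonzero TX NoRoute counter (the column iproute2 prints for tx_carrier_errors, which the vti driver increments when an outbound packet finds no tunnel-mode SA/policy for its mark, so the packet never leaves the interface). The sample outputs are constructed to match the shapes in the post; `vti0` and mark 10 are taken from it.

```python
import re

# Constructed sample output, shaped like the status and `ip -s tunnel show` lines in the post
SA_STATUS = """\
 net-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-192/HMAC_SHA1_96
    in  ca18b546 (0x0000000a),    672 bytes,     8 packets
    out 482a8752 (0x0000000a),      0 bytes,     0 packets
"""
TUNNEL_SHOW = """\
vti0: ip/ip remote 10.255.255.25 local 10.255.255.26 ttl inherit key 10
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            33     0        33       0
"""

def parse_sa_marks(status):
    """Map SA direction ('in'/'out') to the mark shown in parentheses after the SPI."""
    pat = r"^\s*(in|out)\s+[0-9a-f]+\s+\((0x[0-9a-f]+)\)"
    return {d: int(mark, 16) for d, mark in re.findall(pat, status, re.M)}

def parse_vti(tunnel_show):
    """Parse `ip -s tunnel show` into {ifname: {'key': int, 'rx_packets': int, 'tx_noroute': int, ...}}."""
    tunnels, cur, cols = {}, None, None
    for line in tunnel_show.splitlines():
        head = re.match(r"^(\S+): ip/ip .*?\bkey (\d+)", line)   # interface line with its key
        stats = re.match(r"^(RX|TX): (.*)", line)                # column header line
        if head:
            cur = tunnels.setdefault(head.group(1), {"key": int(head.group(2))})
        elif stats and cur is not None:
            cols = [f"{stats.group(1).lower()}_{c.lower()}" for c in stats.group(2).split()]
        elif cols and cur is not None and line.strip():          # numeric line under the header
            cur.update(zip(cols, map(int, line.split())))
            cols = None
    return tunnels

def check_vti(status, tunnel_show, ifname="vti0"):
    """Return a list of findings; empty means marks and key agree and no TX NoRoute errors."""
    findings = []
    vti = parse_vti(tunnel_show).get(ifname)
    if vti is None:
        return [f"{ifname}: not present in `ip -s tunnel show`"]
    for direction, mark in parse_sa_marks(status).items():
        if mark != vti["key"]:   # packets marked by the VTI would not match these SAs
            findings.append(f"{ifname}: {direction} SA mark {mark} != VTI key {vti['key']}")
    if vti.get("tx_noroute", 0):
        findings.append(f"{ifname}: {vti['tx_noroute']} TX NoRoute: outbound packets found no "
                        f"tunnel-mode SA/policy for mark {vti['key']}")
    return findings

print(*check_vti(SA_STATUS, TUNNEL_SHOW), sep="\n")
```

Feed it the real `swanctl --list-sas` (or `ipsec statusall`) and `ip -s tunnel show` output to confirm whether the key and marks line up before looking further at the traffic selectors and routes.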

