On Thu, 25 Mar 2021, Blue Aquan wrote:
> Server side. Replaced Server's public IP with 1.2.3.4
>
> conn MOBILE
>     left=1.2.3.4
>     leftsubnet=192.168.0.0/24
>     leftcert=europa.abc.com
>     leftid=@europa.abc.com
>     leftrsasigkey=%cert
>     leftsendcert=always
>     right=%any
>     rightsubnet=0.0.0.0/0

Here you use 0.0.0.0/0.

> Client side
>
> conn EUROPA
>     left=%defaultroute
>     leftcert=ceres.xyz.com
>     leftid=%fromcert
>     leftrsasigkey=%cert
>     leftsubnet=10.10.128.0/24

Here you use 10.10.128.0/24.
So on the MOBILE conn, specify rightsubnet=10.10.128.0/24.

>     leftmodecfgclient=yes
>     right=1.2.3.4
>     rightsubnet=192.168.0.0/24
>     rightid=@europa.abc.com
>     rightrsasigkey=%cert
>     ikev2=insist
>     rekey=yes
>     fragmentation=yes
>     narrowing=yes
>     mobike=yes
>     auto=add
>
> On the client side, when an attempt is made:
>
> # ipsec auto --up EUROPA
> 181 "EUROPA"[2] 1.2.3.4 #5: initiating IKEv2 connection
> 181 "EUROPA"[2] 1.2.3.4 #5: sent IKE_SA_INIT request
> 182 "EUROPA"[2] 1.2.3.4 #5: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
> 002 "EUROPA"[2] 1.2.3.4 #5: certificate verified OK: O=Europa,CN=europa.abc.com
> 002 "EUROPA"[2] 1.2.3.4 #5: IKEv2 mode peer ID is ID_FQDN: '@europa.abc.com'
> 003 "EUROPA"[2] 1.2.3.4 #5: authenticated using RSA with SHA2_512
> 003 "EUROPA"[2] 1.2.3.4 #6: missing v2CP reply, not attempting to setup child SA

That's strange, because you do show that you have it configured. Can you
see if fixing the IP range solves this? If not, please send me the
client and matching server logs (privately) so I can have a look.

> SK{IDi,CERT,IDr,AUTH,CP,SA,TSi,TSr,N}
> Mar 25 20:18:03.452836: "MOBILE"[3] 6.7.8.9 #9: certificate verified OK: O=Europa,CN=ceres.xyz.com
> Mar 25 20:18:03.452857: "MOBILE"[3] 6.7.8.9 #9: certificate subjectAltName extension does not match ID_IPV4_ADDR '6.7.8.9'
> Mar 25 20:18:03.452862: "MOBILE"[3] 6.7.8.9 #9: Peer CERT payload SubjectAltName does not match peer ID for this connection
> Mar 25 20:18:03.452880: "MOBILE"[3] 6.7.8.9 #9: X509: connection failed due to unmatched IKE ID in certificate SAN

Did you put any subjectAltName in the certificate? Then use that as the
leftid= instead of %fromcert. If you have a recent libreswan, you can
disable this check using require-id-on-certificate=no.

> Mar 25 20:18:03.452964: "MOBILE"[4] 6.7.8.9 #9: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=ceres.xyz.com, O=Europa'
> Mar 25 20:18:03.453185: "MOBILE"[4] 6.7.8.9 #9: authenticated using RSA with SHA2_512

Weird that it succeeded later? Are you sure you weren't looking at older
logs from previous attempts?

Also, be aware that you have to exclude NAT for packets from
10.10.128.0/24 <-> 192.168.0.0/24 if these libreswan machines also do
NAT. Otherwise these packets will be SNAT'ed before the IPsec matching
for source/dest, and will no longer match the tunnel policy, and go out
SNAT'ed and in the clear.

eg something like:

iptables -I POSTROUTING -t nat -s 10.10.128.0/24 -d 192.168.0.0/24 -j RETURN
iptables -I POSTROUTING -t nat -d 10.10.128.0/24 -s 192.168.0.0/24 -j RETURN

Paul
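As an added example of the NAT caveat above (this is not code from the thread or from libreswan), the script below takes a nat-table dump in iptables-save format and checks that a RETURN rule for each direction of the tunnelled subnet pair sits in POSTROUTING ahead of any MASQUERADE or SNAT rule. That ordering is what -I (insert at the top) gives you; an -A (append) would leave the masquerade rule first and the tunnel traffic would be rewritten before the IPsec policy lookup. The two dumps are constructed for the example, not captured from the poster's gateways; on a real box feed it the output of `iptables-save -t nat`.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from libreswan.
# Verify the NAT exclusion for an IPsec subnet pair in an iptables nat dump.

# nat_exclusion_rules LOCAL REMOTE
# Print the two commands that add the exclusion (inserted at the top with -I).
nat_exclusion_rules() {
    printf 'iptables -I POSTROUTING -t nat -s %s -d %s -j RETURN\n' "$1" "$2"
    printf 'iptables -I POSTROUTING -t nat -s %s -d %s -j RETURN\n' "$2" "$1"
}

# nat_exclusion_ok DUMP SRC DST
# Exit 0 when POSTROUTING holds "-s SRC -d DST -j RETURN" and no MASQUERADE or
# SNAT rule precedes it. Deliberately conservative: any earlier MASQUERADE/SNAT
# counts as a problem even if its own -s/-o selectors might not match.
nat_exclusion_ok() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
        /^-A POSTROUTING / {
            n++
            if (!ret && index($0, " -j RETURN") &&
                index($0, " -s " src " ") && index($0, " -d " dst " "))
                ret = n
            if (!nat && $0 ~ / -j (MASQUERADE|SNAT)/)
                nat = n
        }
        END { exit !(ret && (!nat || ret < nat)) }'
}

# nat_pair_ok DUMP LOCAL REMOTE: both directions must be excluded.
nat_pair_ok() {
    nat_exclusion_ok "$1" "$2" "$3" && nat_exclusion_ok "$1" "$3" "$2"
}

# Constructed nat-table dumps (iptables-save format), using the subnets quoted
# in the thread. In DUMP_GOOD the RETURN rules were inserted with -I, so they
# precede the MASQUERADE rule; in DUMP_BAD they were appended with -A, so the
# MASQUERADE rule matches first and the tunnel traffic is SNATed in the clear.
DUMP_GOOD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.128.0/24 -d 192.168.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.0.0/24 -d 10.10.128.0/24 -j RETURN
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT'
DUMP_BAD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.10.128.0/24 -d 192.168.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.0.0/24 -d 10.10.128.0/24 -j RETURN
COMMIT'

for name in DUMP_GOOD DUMP_BAD; do
    eval "dump=\$$name"
    if nat_pair_ok "$dump" 192.168.0.0/24 10.10.128.0/24; then
        echo "$name: NAT exclusion in place"
    else
        echo "$name: tunnel traffic would be SNATed first; insert:"
        nat_exclusion_rules 192.168.0.0/24 10.10.128.0/24 | sed 's/^/    /'
    fi
done
```

The check keys on the exact `-s`/`-d` notation iptables-save emits, so pass the subnets the way they appear in the dump (a /32 host is written as `a.b.c.d/32`). Note that the built-in target is spelled `RETURN`; iptables rejects a lowercase `return`.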
_______________________________________________
Swan mailing list
swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
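The subnet and ID mismatch discussed above, as an added example (not code from the thread or from libreswan): a small cross-check of a server conn against the matching client conn. For the tunnel policies to line up, each side's leftsubnet must be what the peer lists as rightsubnet, and the client's rightid must be the ID the server presents (its leftid). The conn texts are constructed from the snippets quoted in the thread and trimmed to the options the check reads; the server's leftid is taken from the client log's ID_FQDN line. The check does not model narrowing=yes; it applies the strict match recommended in the reply.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from libreswan.
# Cross-check a libreswan server conn against the client conn it should match.

# conn_opt CONN_TEXT KEY: print the value of "KEY=value" in CONN_TEXT, or nothing.
conn_opt() {
    printf '%s\n' "$1" | awk -v key="$2" -F= '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key {
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }'
}

# check_pair SERVER_CONN CLIENT_CONN
# Print one MISMATCH: line per problem (plus NOTE: hints); return 1 on any mismatch.
check_pair() {
    rc=0
    s_left=$(conn_opt "$1" leftsubnet)
    s_right=$(conn_opt "$1" rightsubnet)
    c_left=$(conn_opt "$2" leftsubnet)
    c_right=$(conn_opt "$2" rightsubnet)
    # Traffic selectors: what one side calls "mine" the peer must call "yours".
    if [ "$s_right" != "$c_left" ]; then
        echo "MISMATCH: server rightsubnet=$s_right, client leftsubnet=$c_left"; rc=1
    fi
    if [ "$s_left" != "$c_right" ]; then
        echo "MISMATCH: server leftsubnet=$s_left, client rightsubnet=$c_right"; rc=1
    fi
    # IDs: the client's rightid must be the ID the server sends, i.e. its leftid.
    s_id=$(conn_opt "$1" leftid)
    c_peer=$(conn_opt "$2" rightid)
    if [ "$s_id" != "$c_peer" ]; then
        echo "MISMATCH: server leftid=$s_id, client rightid=$c_peer"; rc=1
    fi
    # %fromcert takes the ID from the certificate, which then needs a
    # subjectAltName the peer accepts as that ID (the SAN error in the thread).
    if [ "$(conn_opt "$2" leftid)" = "%fromcert" ]; then
        echo "NOTE: client leftid=%fromcert; its certificate must carry a matching subjectAltName"
    fi
    return $rc
}

# Constructed conn texts based on the thread's snippets (placeholder addresses).
CLIENT='conn EUROPA
    left=%defaultroute
    leftid=%fromcert
    leftsubnet=10.10.128.0/24
    right=1.2.3.4
    rightsubnet=192.168.0.0/24
    rightid=@europa.abc.com'

SERVER_AS_POSTED='conn MOBILE
    left=1.2.3.4
    leftsubnet=192.168.0.0/24
    leftid=@europa.abc.com
    right=%any
    rightsubnet=0.0.0.0/0'

# The fix suggested in the reply: rightsubnet on the server = leftsubnet on the client.
SERVER_FIXED=$(printf '%s\n' "$SERVER_AS_POSTED" |
    sed 's|rightsubnet=0.0.0.0/0|rightsubnet=10.10.128.0/24|')

for name in SERVER_AS_POSTED SERVER_FIXED; do
    eval "srv=\$$name"
    echo "== $name vs CLIENT"
    check_pair "$srv" "$CLIENT" && echo "ok"
done
```

To use it on real files, read each conn into a variable (for example with `sed -n '/^conn MOBILE/,/^conn /p' /etc/ipsec.d/mobile.conf`) and pass the two strings to `check_pair`; the NOTE: line is informational only and does not affect the return code.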