That does indeed work, thank you! I have been following the "VPN server for remote clients using IKEv2" config from [0]. There they only configure the "rightsubnet=" on the client, but not on the server like I was doing.
Should this be considered a bug on that document?

[0] https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

Regards,

*Brady Johnson*
[email protected]

On Tue, Mar 29, 2022 at 2:28 PM Tuomo Soini <[email protected]> wrote:

> On Tue, 29 Mar 2022 13:43:58 +0200
> Brady Johnson <[email protected]> wrote:
>
> > The pluto.log in the server doesn't provide any more information. Why
> > do I get the TS_UNACCEPTABLE error?
>
> Right. That means your configurations don't match which is very obvious
> when looking at your configs below:
>
> > Server and Client configurations:
> >
> > conn vpn_server_tunnel
> >     left=10.10.8.8
> >     [email protected]
> >     leftsubnet=10.10.10.0/24
> >     leftrsasigkey=%cert
> >     leftcert=vpnserver08.lab.com
> >     leftsendcert=always
> >
> >     right=%any
> >     rightrsasigkey=%cert
> >     rightid=%fromcert
> >     rightca=%same
> >
> >     dpddelay=30
> >     dpdtimeout=120
> >     dpdaction=clear
> >     auto=add
> >     ikev2=insist
> >     rekey=no
> >     fragmentation=yes
> >     ike=aes256-sha2
> >     esp=aes256-sha2_512-dh14
> >     authby=rsa-sha2_512
> >     ikelifetime=86400s
> >     salifetime=3600s
>
> Note: rightsubnet= is missing from this config. add
> rightsubnet=10.10.50.0/24 and it should work. Likely you also need
> rightsourceip=<select-one-ip-from 10.10.50.0/24 subnet> if you want to
> communicate over the tunnel from IPsec endpoint.
>
> --
> Tuomo Soini <[email protected]>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
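An added example, not part of the thread or of libreswan: a small Python check that compares the traffic selectors implied by two conn sections, which is the mismatch behind the TS_UNACCEPTABLE error discussed above. The client conn, its name and the 10.10.9.9 client address are constructed; the check assumes exact selector matching (no narrowing) and that each config's left= describes its own end.

```python
import ipaddress

# Addressing lines of the server conn from the thread (other options omitted).
SERVER_CONN = """
conn vpn_server_tunnel
    left=10.10.8.8
    leftsubnet=10.10.10.0/24
    right=%any
"""
# Constructed client conn; its name and addresses are assumptions for this example.
CLIENT_CONN = """
conn vpn_client_tunnel
    left=%defaultroute
    leftsubnet=10.10.50.0/24
    right=10.10.8.8
    rightsubnet=10.10.10.0/24
"""
OTHER = {"left": "right", "right": "left"}

def parse_conn(text):
    """Return the key=value options of one conn section as a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and indentation
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def selector(opts, side, client_ip):
    """<side>subnet= if set, otherwise that end's own address as a /32."""
    if opts.get(side + "subnet"):
        return ipaddress.ip_network(opts[side + "subnet"])
    host = opts[side]
    # %any / %defaultroute are taken to mean the client's address here.
    return ipaddress.ip_network(client_ip if host.startswith("%") else host)

def ts_mismatches(server, client, client_ip, server_local="left", client_local="left"):
    """Compare each end's local selector with what the peer expects there."""
    pairs = [
        ("server side", selector(server, server_local, client_ip),
                        selector(client, OTHER[client_local], client_ip)),
        ("client side", selector(server, OTHER[server_local], client_ip),
                        selector(client, client_local, client_ip)),
    ]
    return [f"{name}: server has {s}, client has {c}" for name, s, c in pairs if s != c]

if __name__ == "__main__":
    server, client = parse_conn(SERVER_CONN), parse_conn(CLIENT_CONN)
    print(ts_mismatches(server, client, "10.10.9.9"))
    server["rightsubnet"] = "10.10.50.0/24"    # the fix suggested in the thread
    print(ts_mismatches(server, client, "10.10.9.9"))
```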
