Hello Michael,

the rightsubnet / leftsubnet settings default to the value of "right" or "left", if omitted. If "right" or "left" and the corresponding subnet setting is set to %any or omitted, charon takes the value of the layer three packet and takes it as the configured value of left/rightsubnet. The value that is in the IKE packet differs from that, if NAT is used. That's the reason for it failing. Solution is to set left/rightsubnet to 0.0.0.0/0 and trust the client in what it does. Currently, strongSwan has no functionality to propose 0.0.0.0/0, but only accept a /32 subnet from a client.

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 26.09.2014 at 00:16, Michael C. Cambria wrote:
>
> Hi,
>
> I've been able to successfully set up subnet to subnet connections using
> IKEv2 and a self-signed cert. StrongSwan is used at both ends.
>
> Using the same systems, I'm having some problems getting host-to-subnet to
> work in certain cases. Host-to-subnet is the desired configuration.
>
> Here is the host to host config which works:
>
> conn clinetnet
>     left=%defaultroute
>     lefthostaccess=yes
>     leftsubnet=192.168.1.0/24
>     leftfirewall=yes
>     right=132.197.247.50
>     rightsubnet=172.16.0.0/16
>     auto=route
>
> conn srvnetnet
>     left=132.197.247.50
>     leftsubnet=172.16.0.0/16
>     leftfirewall=yes
>     right=%any
>     rightsubnet=192.168.1.0/24
>     righthostaccess=yes
>     auto=route
>
>
> I thought all I need to do is remove leftsubnet= from the "client" ipsec.conf
> and rightsubnet= from the "server", but that works in one case and fails in
> another.
>
> So I'd like to know if host-to-subnet is supposed to be configured this way
> or not before digging any further. If it should work, it seems the failing
> case uses NAT in the path between the two machines. NAT works for the
> subnet-to-subnet configuration. The failure only happens with the
> host-to-subnet config.
>
> In the failing case, the client receives:
>
> received TS_UNACCEPTABLE notify, no CHILD_SA built
>
> The server log shows (10.1.2.180 is the IPv4 address of the client):
>
> charon: 13[CFG] looking for a child config for 172.16.0.0/16 === 10.1.2.180/32
> charon: 09[CFG] proposing traffic selectors for us:
> charon: 09[CFG]  172.16.0.0/16
> charon: 09[CFG] proposing traffic selectors for other:
> charon: 09[CFG]  <IPv4 address of NAT device>/32
> charon: 09[IKE] traffic selectors 172.16.0.0/16 === 10.1.2.180/32 inacceptable
> charon: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
>
>
> In the working case, NAT isn't involved. The working case server log shows:
>
> charon: 13[CFG] looking for a child config for 172.16.0.0/16 === 10.1.2.180/32
> charon: 13[CFG] proposing traffic selectors for us:
> charon: 13[CFG]  172.16.0.0/16
> charon: 13[CFG] proposing traffic selectors for other:
> charon: 13[CFG]  10.1.2.180/32
> charon: 13[CFG] candidate "srvnetnet" with prio 5+5
> charon: 13[CFG] found matching child config "srvnetnet" with prio 10
>
> Should this work? Is there more I need to configure?
>
> Thanks for any help,
> MikeC
>
>
> _______________________________________________
> Users mailing list
> https://lists.strongswan.org/mailman/listinfo/users
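As an added illustration that is not part of the thread, the following Python model shows the traffic selector narrowing the reply describes: with right=%any and no rightsubnet, charon derives the remote selector from the IKE packet's source address, so a NATed client whose inner address differs from that source gets TS_UNACCEPTABLE, while rightsubnet=0.0.0.0/0 lets the client's /32 through. It simplifies charon's real logic to prefix containment, and the NAT device's public address (203.0.113.7) is a constructed placeholder.

```python
from ipaddress import IPv4Network
from typing import Optional

# Simplified model of IKEv2 traffic selector narrowing (RFC 7296, 2.9):
# the responder may only narrow the initiator's proposal to something it has
# configured. Real charon handles address ranges; prefixes suffice here.
def narrow(config_ts: str, proposed_ts: str) -> Optional[IPv4Network]:
    """Return the overlap of a configured and a proposed selector, or None
    when there is none (charon then reports TS_UNACCEPTABLE)."""
    cfg = IPv4Network(config_ts)
    prop = IPv4Network(proposed_ts)
    if prop.subnet_of(cfg):
        return prop
    if cfg.subnet_of(prop):
        return cfg
    return None

def server_rightsubnet(rightsubnet: Optional[str], ike_peer_addr: str) -> str:
    """Default described in the reply: rightsubnet omitted with right=%any
    means charon uses the IKE packet's layer-three source address as /32."""
    return rightsubnet if rightsubnet else f"{ike_peer_addr}/32"

def child_sa_result(rightsubnet: Optional[str], ike_peer_addr: str,
                    client_inner_addr: str,
                    leftsubnet: str = "172.16.0.0/16") -> str:
    """Outcome of the server's CHILD_SA negotiation for the thread's setup:
    the client (no leftsubnet) proposes its own address as a /32."""
    their_ts = narrow(server_rightsubnet(rightsubnet, ike_peer_addr),
                      f"{client_inner_addr}/32")
    if their_ts is None:
        return "TS_UNACCEPTABLE"
    return f"{leftsubnet} === {their_ts}"

if __name__ == "__main__":
    client = "10.1.2.180"          # client address from the thread
    nat_public = "203.0.113.7"     # constructed placeholder for the NAT device
    # Working case: no NAT, IKE source address equals the client's address.
    print("no NAT, default rightsubnet:   ", child_sa_result(None, client, client))
    # Failing case: NAT rewrites the IKE source, default rightsubnet mismatches.
    print("NAT, default rightsubnet:      ", child_sa_result(None, nat_public, client))
    # Fix from the reply: accept whatever /32 the client proposes.
    print("NAT, rightsubnet=0.0.0.0/0:    ", child_sa_result("0.0.0.0/0", nat_public, client))
```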
