[strongSwan] Unable to connect to client - no matching peer config found

Tue, 09 Jun 2020 02:28:09 -0700 

Hi,
I am new to strongswan and have not had much experience setting up VPN connection. 


I need to setup a new VPN connection to a client but just cannot seems 
to get it working.


Here are the information provided by client:

IKEv2 (Phase 1) Proposal
Available for ping (Yes/No)     No
IKE Mode (Aggressive/Main)      Main
IKE Authentication method       Pre-shared key
IKE Pre-shared key      xxxxxx
IKE Group       Group 14
IKE Encryption  AES-256
IKE Authentication      SHA2-256
IKE Lifetime (seconds)  86400
Life Time (KB)  86400
IPsec (Phase 2) Proposal
IPsec Group     Group 14
IPsec Protocol  ESP
IPsec Encryption        AES-256
IPsec Authentication    SHA2-256
IPsec Lifetime (seconds)        3600
Life Time (KB)  28800
Enable Perfect Forward Secrecy  Yes
PFS / DH-group  Yes/Gp-14
Encapsulation Mode      Tunnel

IP addresses carried in tunnel (Private IP address, IP range assigned by 
client) Crypto ACL

Source (Encryption Domain)      192.168.40.33/30(DR)
192.168.40.34/30(UAT)
Port    Any
VPN DPD always enabled  Enabled

To disable monitoring ICMP echo requests (or pings) à by right to 
determine if a VPN tunnel is up however for this case it’s dropping the 
VPN connections. 	Disabled
To disable a proxy-ID negotiation, it is used during phase 2 of Internet 
Key Exchange (IKE) Virtual Private Network (VPN) negotiations. 	Disabled

NAT traversal (TCP4500)         Disabled


Here is my configuration file:

IPsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

conn net-net
        left=10.15.66.10
        leftsubnet=10.15.66.0/24
        leftid=@me
        leftfirewall=yes
        right=1.2.3.4 (client public IP changed)
        rightsubnet=192.168.118.0/24
        rightid=@client
        ike=aes256-sha2_256-modp2048!
        esp=aes256-sha2_256-modp2048!
        auto=start


ipsec.secrets:

# ipsec.secrets - strongSwan IPsec secrets file
@me @client : PSK "xxxxxx"


Here is a part of the message log:


Jun  9 17:14:32 uatvpngateway charon: 06[NET] received packet: from 
1.2.3.4[500] to 10.15.66.10[500] (384 bytes)
Jun  9 17:14:32 uatvpngateway charon: 06[ENC] parsed IKE_SA_INIT request 
0 [ SA KE No N(FRAG_SUP) ]
Jun  9 17:14:32 uatvpngateway charon: 06[IKE] 1.2.3.4 is initiating an 
IKE_SA
Jun  9 17:14:32 uatvpngateway charon: 06[CFG] selected proposal: 
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun  9 17:14:32 uatvpngateway charon: 06[ENC] generating IKE_SA_INIT 
response 0 [ SA KE No N(FRAG_SUP) N(MULT_AUTH) ]
Jun  9 17:14:32 uatvpngateway charon: 06[NET] sending packet: from 
10.15.66.10[500] to 1.2.3.4[500] (392 bytes)
Jun  9 17:14:32 uatvpngateway charon: 07[NET] received packet: from 
1.2.3.4[500] to 10.15.66.10[500] (448 bytes)
Jun  9 17:14:32 uatvpngateway charon: 07[ENC] parsed IKE_AUTH request 1 
[ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Jun  9 17:14:32 uatvpngateway charon: 07[CFG] looking for peer configs 
matching 10.15.66.10[%any]...1.2.3.4[1.2.3.4]

Jun  9 17:14:32 uatvpngateway charon: 07[CFG] no matching peer config found

Jun  9 17:14:32 uatvpngateway charon: 07[ENC] generating IKE_AUTH 
response 1 [ N(AUTH_FAILED) ]
Jun  9 17:14:32 uatvpngateway charon: 07[NET] sending packet: from 
10.15.66.10[500] to 1.2.3.4[500] (80 bytes)



Would appreciate if anyone can help to provide guidance on getting this 
working.


Thanks






























--
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus






















					Reply via email to