01-08-2021 11:25 AM - edited 01-08-2021 11:25 AM
I just attempted to setup VPNs with multiple clients and got the same result as follows.
Created VPN from RV345P to RV45P.
When under remote group setup I set the "Remote Identifier Type" to "Remote WAN IP" the VPN connection is completed just fine.
When I set the "Remote Identifier Type" to "Remote FQDN", the VPN connection will not complete.
I have verified the FQDN addresses were translating to the correct IP addresses.
Here are the log results when trying to connect using "Remote FQDN":
2021-01-08T12:19:35-07:00 <info>charon: 12[NET] sending packet: from 67.177.25.114[500] to 67.182.254.50[500] (80 bytes)
2021-01-08T12:19:35-07:00 <info>charon: 12[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2021-01-08T12:19:35-07:00 <info>charon: 12[CFG] no matching peer config found
2021-01-08T12:19:35-07:00 <info>charon: 12[CFG] looking for peer configs matching 67.177.25.114[cornerstone.hopto.org]...67.182.254.50[67.182.254.50]
2021-01-08T12:19:35-07:00 <info>charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
2021-01-08T12:19:35-07:00 <info>charon: 12[NET] received packet: from 67.182.254.50[500] to 67.177.25.114[500] (288 bytes)
2021-01-08T12:19:35-07:00 <info>charon: 13[NET] sending packet: from 67.177.25.114[500] to 67.182.254.50[500] (400 bytes)
2021-01-08T12:19:35-07:00 <info>charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
2021-01-08T12:19:35-07:00 <info>charon: Last message '13[IKE] 67.182.254.5' repeated 1 times, supressed by syslog-ng on CHFW
2021-01-08T12:19:35-07:00 <info>charon: 13[IKE] 67.182.254.50 is initiating an IKE_SA
2021-01-08T12:19:35-07:00 <info>charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2021-01-08T12:19:35-07:00 <info>charon: 13[NET] received packet: from 67.182.254.50[500] to 67.177.25.114[500] (596 bytes)
2021-01-08T12:19:33-07:00 <info>charon: 06[NET] sending packet: from 67.177.25.114[500] to 67.182.254.50[500] (80 bytes)
2021-01-08T12:19:33-07:00 <info>charon: 06[ENC] generating INFORMATIONAL response 0 [ ]
2021-01-08T12:19:33-07:00 <info>charon: Last message '06[IKE] IKE_SA delet' repeated 1 times, supressed by syslog-ng on CHFW
2021-01-08T12:19:32-07:00 <info>charon: 06[IKE] IKE_SA deleted
2021-01-08T12:19:32-07:00 <info>charon: Last message '06[IKE] deleting IKE' repeated 1 times, supressed by syslog-ng on CHFW
2021-01-08T12:19:32-07:00 <info>charon: 06[IKE] deleting IKE_SA s2s_GBC[254] between 67.177.25.114[67.177.25.114]...67.182.254.50[67.182.254.50]
2021-01-08T12:19:32-07:00 <info>charon: 06[IKE] received DELETE for IKE_SA s2s_GBC[254]
2021-01-08T12:19:32-07:00 <info>charon: 06[ENC] parsed INFORMATIONAL request 0 [ D ]
2021-01-08T12:19:32-07:00 <info>charon: 06[NET] received packet: from 67.182.254.50[500] to 67.177.25.114[500] (80 bytes)
I doubt this is a configuration issue, more likely a bug. If I am wrong, I would appreciate any configuration help that can be provided.
01-25-2021 07:13 AM
2021-01-08T12:19:35-07:00 <info>charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
2021-01-08T12:19:35-07:00 <info>charon: Last message '13[IKE] 67.182.254.5' repeated 1 times, supressed by syslog-ng on CHFW
2021-01-08T12:19:35-07:00 <info>charon: 13[IKE] 67.182.254.50 is initiating an IKE_SA
there seems to be a zero missing in: '13[IKE] 67.182.254.5', so it does not match "67.182.254.50"
is this another IP-address on the same router ? => maybe you need to specify the source address used for the VPN
05-12-2021 03:00 PM
Hello NeoJedi
You should read and try to understand how the IKE-protocol (IKEv2 and/or IKEV1) negotiation works...refer to the RFC if possible
1. As part of the IKE negotiation between the 2 RV345P IPsec Peers, during the IKE-Auth negotitation, both the peers exchange the ID (Identifier) that are configured on each Peer (both LocalID and RemoteID). The ID values (IDi for initiator and IDr for responder) are exchanged in the ID-Payload of the IKE-Auth packet exchanges
2. Next point to note is that
a) By default if the user has explicitly NOT configured any IDs, then each of the PEERs ID will be the WAN-ipaddress...this by default
b) Else the User/administrator of the PeerGw can also configure other supported IDs such as FQDN (Fully-Qualified Domain Name), User-FQDN/UFQDN (which is always in the form of a email-id; for e.g rv345gw1@local.net and rv345gw2@remote.net)....these FQDNs/UFQDNs are NOT necessarily actual usable real fqdn/ufqdn/email-ids....its just the format...fqdn is just like a dns-name...rv345gw1.local.net/rv345gw2.remote.net
c) When using x509 RSA certs for authentication, the Local-ID/Remote-ID types with reference to Certificates would be
ASN1DN - in which case the value to provide would be the subject-field or the DistinguishedName/DN field in the respective certficate
FQDN: this would be in the subjectAltName of the Certificate in the form of a dns name (such as rv345gw1.local.net
UFQDN: this would again a email-id, in the subjectAltNamefield of the ceriticate in the form of admin@test.local, etc
3. So in your case in the first iteration when your s2s tunnel was working
a) Say on GW1 (with wanip: 67.177.25.114):
you had confgured as below:
Local-ID: Type-FQDN: cornerstone.hopto.org
RemoteID: Type-RemoteWanIP: 67.182.254.50
b) On GW2 (with wanip: 67.182.254.50):
you had correctly configured as below:
Local-ID: Type-IPAddress: 67.182.254.50
RemoteID: Type-FQDN: cornerstone.hopto.org
The IDs matched during the IKE negotiation and hence the tunnel was UP succesfully
4. Now what you have done is change the ID on ONLY GW1
a) On GW1 you have now configured as below by entering the dns-address of GW2, assuming that it will get resolved by the local-dns-server (configured on Gw1) to the the wan-ipaddress of the GW2 (67.182.254.50)
- say for example if your GW2 was represented by a dns-name such as "rv345gw2.europe.net"
Local-ID: Type-FQDN: cornerstone.hopto.org
RemoteID: Type-FQDN: rv345gw2.europe.net
- FYI, the FQDNs used in the IDs are never translated using dns...they are just used as string-values thats all...that is why i mentioned that the FQDN/UFQDN values used in this context need not be real values...only the type/format has to be followed...for e.g i could as well use a FQDN value such as "billgates.microsoft.net" or "president.whitehouse.us"....:-)
5. BUT you have NOT flipped/changed the IDs on the GW2 you are still configured on GW2 as below
Local-ID: Type-IPAddress: 67.182.254.50
RemoteID: Type-FQDN: cornerstone.hopto.org
- that is why you see on GW1 the below message after it has recieved a tunnel-initiation from GW2
2021-01-08T12:19:35-07:00 <info>charon: 12[CFG] looking for peer configs matching 67.177.25.114[cornerstone.hopto.org]...67.182.254.50[67.182.254.50]
The values in the square-brackets [] are the IDs that are set on the peers and sent in the ID-payload of IKE-protocol negotiation
6. So for your changes done on GW1 to work properly, on GW2, you have to configure as below:
Local-ID: Type-FQDN: rv345gw2.europe.net
RemoteID: Type-FQDN: cornerstone.hopto.org
-Br
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide