Closed joshuadugie closed 7 years ago
Apologies for my tardiness, been on holiday leave with little Internet access and no Linux.
Will try and work on it tommorow and also think about it a bit more.
Thanks for the bug report.
No ID is used now in the temporarily generated ipsec.secrets
Thank you.
At issue is the "Gateway ID" field under the "IPsec Settings..." dialog for the VPN. If the VPN server is configured with
leftid
set to a FQDN, e.g.,vpn.example.com
, within itsipsec.conf
and is using IKEv1...If the Gateway ID field on the client is set to the same FQDN:
When bringing up the VPN connection,
/etc/ipsec.secrets
is replaced with the template of%any @vpn.example.com : PSK "The_VPN_PSK"
Unfortunately, strongSwan as documented here will not use the FQDN for identification:
Therefore, the following error is logged in syslog by strongSwan:
strongSwan is not using the FQDN as also indicated at https://wiki.strongswan.org/issues/981:
Alternatively, if the Gateway ID field is set to the global IP address of the server, or if the Gateway ID field unset, in which case the IP address is used instead, the following occurs:
/etc/ipsec.secrets
is replaced with the template of%any %any : PSK "The_VPN_PSK"
In both cases, the connection fails since the strongSwan client does not recognize the server's reported identity of the FQDN. This can be fixed by commenting out lines 994 to 1016 in order to make the overwritten
ipsec.secrets
file instead be the template of: PSK "The_VPN_PSK"
. In this case, strongSwan does use the global PSK for the server and the connection is established.To fix this, either this client could:
ipsec.secrets
: PSK "The_VPN_PSK"
template if "Gateway ID" is a FQDNipsec.secrets
, resulting in the correct template of: PSK "The_VPN_PSK"