Issue #1516
unable to resolve %any, initiate aborted after Debian upgrade to jessie
Description
I have the following road warrior setup
    # ipsec.conf - strongSwan IPsec configuration file

    # basic configuration

    config setup
        # strictcrlpolicy=yes
        # uniqueids = no

    # Add connections here.

    conn %default
        keyexchange=ikev2
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        fragmentation=yes
        left=%any
        leftauth=pubkey
        leftcert=serverCert.pem
        leftid=courten.spdns.de
        leftsubnet=10.1.0.1/24
        leftfirewall=yes
        leftsendcert=always

    conn rw
        right=%any
        rightsourceip=10.1.0.1/24
        auto=add
        dpdtimeout = 5s

    # Sample VPN connections

    #conn sample-self-signed
    #      leftsubnet=10.1.0.0/16
    #      leftcert=selfCert.der
    #      leftsendcert=never
    #      right=192.168.0.2
    #      rightsubnet=10.2.0.0/16
    #      rightcert=peerCert.der
    #      auto=start

    #conn sample-with-ca-cert
    #      leftsubnet=10.1.0.0/16
    #      leftcert=myCert.pem
    #      right=192.168.0.2
    #      rightsubnet=10.2.0.0/16
    #      rightid="C=CH, O=Linux strongSwan CN=peer name"
    #      auto=start

    include /var/lib/strongswan/ipsec.conf.inc

I upgraded from Debian wheezy to jessie.
If I test the connection with
sudo /usr/sbin/ipsec up rw
I get the following error:
    unable to resolve %any, initiate aborted
    tried to check-in and delete nonexisting IKE_SA
    establishing connection 'rw' failed
sudo /usr/sbin/ipsec statusall
    Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.4.108-bananian, armv7l):
      uptime: 64 minutes, since Jun 15 12:36:55 2016
      malloc: sbrk 671744, mmap 0, used 122816, free 548928
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
      loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown
    Virtual IP pools (size/online/offline):
      10.1.0.0/24: 254/0/0
      10.1.0.1/24: 254/0/0
    Listening IP addresses:
      192.168.178.23
      10.1.0.1
    Connections:
              rw:  %any...%any  IKEv2
              rw:   local:  [courten.spdns.de] uses public key authentication
              rw:    cert:  "C=DE, O=xxx, CN=courten.spdns.de"
              rw:   remote: uses public key authentication
              rw:   child:  10.1.0.0/24 === dynamic TUNNEL
    Security Associations (0 up, 0 connecting):
      none
History
#1 Updated by Tobias Brunner about 9 years ago
- Description updated (diff)
- Category set to configuration
- Status changed from New to Feedback
The error message seems pretty clear to me, considering you configured right=%any. You might want to read IntroductionTostrongSwan.
#2 Updated by Felix de Courten about 9 years ago
I have read this page, but an error also arises when commenting out right=%any.
#3 Updated by Tobias Brunner about 9 years ago
> I have read this page

But you seem to have missed something. This is a responder configuration, right? Why do you think you could start it with ipsec up? And to what peer would you expect the connection to get established?
#4 Updated by Felix de Courten about 9 years ago
Gateway is my banana pi
peers are my macbook and my iPhone with iOS 9. I expect the connection to get established to my iPhone
#5 Updated by Tobias Brunner about 9 years ago
> Gateway is my banana pi
> peers are my macbook and my iPhone with iOS 9. I expect the connection to get established to my iPhone

And how should the gateway be able to initiate a connection to your iPhone if it doesn't know that device's IP address or hostname (right=%any)? This is a classic roadwarrior scenario. So just initiate the connection from these devices.
#6 Updated by Noel Kuntze over 8 years ago
- Status changed from Feedback to Closed
- Resolution set to No change required
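
The point made in the thread, as an added example that is not part of the original issue or of strongSwan itself: a small checker that reads ipsec.conf text, merges conn %default into each connection, and lists the connections that have no fixed peer address and therefore can only act as responder. The sample configuration, host name and addresses are constructed, and treating an unset right as %any is an assumption of this sketch.

```python
import re

# Constructed sample in the same layout as the configuration posted above.
SAMPLE = """\
conn %default
    keyexchange=ikev2
    left=%any
    leftid=gw.example.org

conn rw
    right=%any
    rightsourceip=10.1.0.0/24
    auto=add
    dpdtimeout = 5s

# conn disabled
#     right=192.0.2.9

conn site
    right=192.0.2.7
    auto=start
"""

def parse_conns(text):
    """Return {conn: {key: value}} with conn %default merged into each conn.

    Simplifications: whole-line comments only, no also=/include handling,
    and %default is applied to every conn regardless of position."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():  # unindented line: section header or include
            m = re.match(r"conn\s+(\S+)\s*$", raw)
            current = sections.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in raw:
            key, value = raw.split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **params} for name, params in sections.items()}

def responder_only(conns):
    """Conns with no fixed peer: right is %any or unset (treated as %any here)."""
    return sorted(n for n, p in conns.items() if p.get("right", "%any") == "%any")

if __name__ == "__main__":
    for name in responder_only(parse_conns(SAMPLE)):
        print(f"conn {name}: right=%any, cannot be initiated from this host")
```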