Issue #3668

Configuring the strongSwan Helm chart on openshift

Added by Jack Martin 9 months ago. Updated 9 months ago.

Status: Feedback
Priority: Normal
Category: configuration
Affected version: 5.9.1
Resolution:

Description

Output of logs when trying to connect a Mac to the VPN:

2021/01/07 11:20:29.977432 ESTABLISHED: map[k8s-conn[1]:01/07_11:20:29]
2021/01/07 11:20:29.977448 ipsec | 09[IKE] scheduling reauthentication in 9994s
2021/01/07 11:20:29.977456 ipsec | 09[IKE] maximum IKE_SA lifetime 10534s
2021/01/07 11:20:29.977464 ipsec | 09[IKE] peer requested virtual IP %any
2021/01/07 11:20:29.977471 ipsec | 09[IKE] no virtual IP found for %any requested by 'on-prem-test'
2021/01/07 11:20:29.977479 ipsec | 09[IKE] peer requested virtual IP %any6
2021/01/07 11:20:29.977487 ipsec | 09[IKE] no virtual IP found for %any6 requested by 'on-prem-test'
2021/01/07 11:20:29.977495 ipsec | 09[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
2021/01/07 11:20:29.977503 ipsec | 09[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
2021/01/07 11:20:29.977510 ipsec | 09[CFG] proposing traffic selectors for us:
2021/01/07 11:20:29.977519 ipsec | 09[CFG]  172.30.0.0/16
2021/01/07 11:20:29.977527 ipsec | 09[CFG]  172.21.0.0/16
2021/01/07 11:20:29.977535 ipsec | 09[CFG] proposing traffic selectors for other:
2021/01/07 11:20:29.977543 ipsec | 09[CFG]  192.168.0.0/24
2021/01/07 11:20:29.977550 ipsec | 09[CFG]   candidate "k8s-conn" with prio 4+2
2021/01/07 11:20:29.977558 ipsec | 09[CFG] found matching child config "k8s-conn" with prio 6
2021/01/07 11:20:29.977566 ipsec | 09[IKE] configuration payload negotiation failed, no CHILD_SA built
2021/01/07 11:20:29.977574 ipsec | 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
2021/01/07 11:20:29.977582 ipsec | 09[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(INT_ADDR_FAIL) ]

We have tried updating the remote gateway to my IP address but get the same error.

Attachment: test-config.yaml (1.1 KB), Jack Martin, 07.01.2021 15:32

History

#1 Updated by Tobias Brunner 9 months ago

  • Status changed from New to Feedback
  • Resolution deleted (No feedback)

No idea what any of "Helm chart on openshift" means but apparently the virtual IP address config is incorrect/unavailable.

#2 Updated by Jack Martin 9 months ago

Tobias Brunner wrote:

No idea what any of "Helm chart on openshift" means but apparently the virtual IP address config is incorrect/unavailable.

These are the documents that we were using: https://cloud.ibm.com/docs/openshift?topic=openshift-vpn#vpn_configure

#3 Updated by Tobias Brunner 9 months ago

That doesn't mention anything about virtual IPs etc. so maybe you have to change the client config, so it doesn't request a virtual IP.
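
The failure discussed in this thread (the client requests a virtual IP, the gateway has none to assign, answers with INTERNAL_ADDRESS_FAILURE and builds no CHILD_SA) can be read out of the log mechanically. The following is an added example, not part of the original issue or of strongSwan: the function name `diagnose` and its result keys are made up for illustration, and the sample lines are an excerpt of the log above with timestamps trimmed.

```python
import re

# Excerpt of the log from the issue description (timestamps trimmed for width).
SAMPLE_LOG = """\
ipsec | 09[IKE] peer requested virtual IP %any
ipsec | 09[IKE] no virtual IP found for %any requested by 'on-prem-test'
ipsec | 09[IKE] peer requested virtual IP %any6
ipsec | 09[IKE] no virtual IP found for %any6 requested by 'on-prem-test'
ipsec | 09[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
ipsec | 09[CFG] proposing traffic selectors for us:
ipsec | 09[CFG]  172.30.0.0/16
ipsec | 09[CFG]  172.21.0.0/16
ipsec | 09[CFG] proposing traffic selectors for other:
ipsec | 09[CFG]  192.168.0.0/24
ipsec | 09[IKE] configuration payload negotiation failed, no CHILD_SA built
ipsec | 09[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(INT_ADDR_FAIL) ]
"""

LINE = re.compile(r"(\d+)\[\w+\] (.*)$")            # worker thread id, message
REQ = re.compile(r"peer requested virtual IP (\S+)")
MISS = re.compile(r"no virtual IP found for (\S+) requested by '([^']*)'")
TS_HDR = re.compile(r"proposing traffic selectors for (us|other):")
SUBNET = re.compile(r"\s*([0-9a-fA-F:.]+/\d+)$")


def diagnose(log_text):
    """Group charon log lines by worker thread and summarise virtual IP handling."""
    threads, side = {}, {}
    for m in filter(None, map(LINE.search, log_text.splitlines())):
        tid, msg = m.groups()
        r = threads.setdefault(tid, {"requested": [], "unserved": [], "peer": None,
                                     "ts": {"us": [], "other": []},
                                     "int_addr_fail": False, "no_child_sa": False})
        if x := REQ.match(msg):
            r["requested"].append(x.group(1))
        elif x := MISS.match(msg):
            r["unserved"].append(x.group(1))
            r["peer"] = x.group(2)
        elif x := TS_HDR.match(msg):
            side[tid] = x.group(1)       # following subnet lines belong to this side
        elif tid in side and (x := SUBNET.match(msg)):
            r["ts"][side[tid]].append(x.group(1))
        else:
            side.pop(tid, None)          # any other line ends the selector list
            r["int_addr_fail"] |= "N(INT_ADDR_FAIL)" in msg
            r["no_child_sa"] |= "no CHILD_SA built" in msg
    for r in threads.values():
        # Pattern from this thread: every requested virtual IP went unserved.
        r["vip_config_missing"] = bool(r["requested"]) and r["requested"] == r["unserved"]
    return threads
```

For the log in this issue, thread 09 comes back with `vip_config_missing` set, while the traffic selectors on both sides were proposed normally, which points at the virtual IP request rather than the subnets.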
