Issue #3668
Configuring the strongSwan Helm chart on openshift
Affected version:
5.9.1
Resolution:
Description
Output of logs when trying to connect a Mac to the VPN:
2021/01/07 11:20:29.977432 ESTABLISHED: map[k8s-conn[1]:01/07_11:20:29]
2021/01/07 11:20:29.977448 ipsec | 09[IKE] scheduling reauthentication in 9994s
2021/01/07 11:20:29.977456 ipsec | 09[IKE] maximum IKE_SA lifetime 10534s
2021/01/07 11:20:29.977464 ipsec | 09[IKE] peer requested virtual IP %any
2021/01/07 11:20:29.977471 ipsec | 09[IKE] no virtual IP found for %any requested by 'on-prem-test'
2021/01/07 11:20:29.977479 ipsec | 09[IKE] peer requested virtual IP %any6
2021/01/07 11:20:29.977487 ipsec | 09[IKE] no virtual IP found for %any6 requested by 'on-prem-test'
2021/01/07 11:20:29.977495 ipsec | 09[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
2021/01/07 11:20:29.977503 ipsec | 09[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
2021/01/07 11:20:29.977510 ipsec | 09[CFG] proposing traffic selectors for us:
2021/01/07 11:20:29.977519 ipsec | 09[CFG] 172.30.0.0/16
2021/01/07 11:20:29.977527 ipsec | 09[CFG] 172.21.0.0/16
2021/01/07 11:20:29.977535 ipsec | 09[CFG] proposing traffic selectors for other:
2021/01/07 11:20:29.977543 ipsec | 09[CFG] 192.168.0.0/24
2021/01/07 11:20:29.977550 ipsec | 09[CFG] candidate "k8s-conn" with prio 4+2
2021/01/07 11:20:29.977558 ipsec | 09[CFG] found matching child config "k8s-conn" with prio 6
2021/01/07 11:20:29.977566 ipsec | 09[IKE] configuration payload negotiation failed, no CHILD_SA built
2021/01/07 11:20:29.977574 ipsec | 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
2021/01/07 11:20:29.977582 ipsec | 09[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(INT_ADDR_FAIL) ]
We have tried updating remote gateway to my IP address but get the same error.
History
#1 Updated by Tobias Brunner 3 months ago
- Status changed from New to Feedback
- Resolution deleted (No feedback)
No idea what any of "Helm chart on openshift" means but apparently the virtual IP address config is incorrect/unavailable.
#2 Updated by Jack Martin 3 months ago
Tobias Brunner wrote:
No idea what any of "Helm chart on openshift" means but apparently the virtual IP address config is incorrect/unavailable.
These are the documents that we were using: https://cloud.ibm.com/docs/openshift?topic=openshift-vpn#vpn_configure
#3 Updated by Tobias Brunner 3 months ago
That doesn't mention anything about virtual IPs etc. so maybe you have to change the client config, so it doesn't request a virtual IP.
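
Added example, not part of the original issue and not strongSwan code: a small Python parser for the log format quoted in the description that reports why no CHILD_SA was built. The function name `diagnose`, the report keys and the sample (a subset of the quoted entries) are assumptions of this example.

```python
import re

# Constructed sample: a subset of the log entries quoted in the issue.
SAMPLE_LOG = """\
2021/01/07 11:20:29.977464 ipsec | 09[IKE] peer requested virtual IP %any
2021/01/07 11:20:29.977471 ipsec | 09[IKE] no virtual IP found for %any requested by 'on-prem-test'
2021/01/07 11:20:29.977479 ipsec | 09[IKE] peer requested virtual IP %any6
2021/01/07 11:20:29.977487 ipsec | 09[IKE] no virtual IP found for %any6 requested by 'on-prem-test'
2021/01/07 11:20:29.977495 ipsec | 09[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
2021/01/07 11:20:29.977558 ipsec | 09[CFG] found matching child config "k8s-conn" with prio 6
2021/01/07 11:20:29.977566 ipsec | 09[IKE] configuration payload negotiation failed, no CHILD_SA built
2021/01/07 11:20:29.977574 ipsec | 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

# Lookahead on the timestamp, so entries run together on one line still split.
TS = re.compile(r"(?=\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ )")
ENTRY = re.compile(r"\S+ \S+ ipsec \| \d+\[(\w+)\] (.*)")
REQ = re.compile(r"peer requested virtual IP (\S+)")
MISS = re.compile(r"no virtual IP found for (\S+) requested by '([^']*)'")
CHILD = re.compile(r'found matching child config "([^"]+)"')

def diagnose(log_text):
    """Summarise why the CHILD_SA in a log excerpt of this format was not built."""
    r = {"requested": [], "unserved": [], "peer": None, "child_config": None,
         "addr_failure": False, "child_sa_failed": False}
    for chunk in TS.split(log_text):
        m = ENTRY.match(chunk.strip())
        if not m:
            continue  # not an "ipsec |" entry (e.g. the ESTABLISHED status line)
        msg = m.group(2)
        if (x := REQ.search(msg)):
            r["requested"].append(x.group(1))
        elif (x := MISS.search(msg)):
            r["unserved"].append(x.group(1))
            r["peer"] = x.group(2)
        elif (x := CHILD.search(msg)):
            r["child_config"] = x.group(1)
        elif "INTERNAL_ADDRESS_FAILURE" in msg:
            r["addr_failure"] = True
        elif "failed to establish CHILD_SA" in msg:
            r["child_sa_failed"] = True
    # Every requested virtual IP went unserved: the responder had none to assign.
    r["no_vip_available"] = bool(r["requested"]) and set(r["requested"]) == set(r["unserved"])
    return r

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On the sample, the report shows a matching child config was found, so the traffic selectors were not the problem; the CHILD_SA failed only because both virtual IP requests went unserved.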