Issue #1516

Updated by Tobias Brunner about 9 years ago

I have the following road warrior setup:

<pre>
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

conn %default
    keyexchange=ikev2
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    fragmentation=yes
    left=%any
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid=courten.spdns.de
    leftsubnet=10.1.0.1/24
    leftfirewall=yes
    leftsendcert=always

conn rw
    right=%any
    rightsourceip=10.1.0.1/24
    auto=add
    dpdtimeout = 5s

# Sample VPN connections

#conn sample-self-signed
# leftsubnet=10.1.0.0/16
# leftcert=selfCert.der
# leftsendcert=never
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightcert=peerCert.der
# auto=start

#conn sample-with-ca-cert
# leftsubnet=10.1.0.0/16
# leftcert=myCert.pem
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightid="C=CH, O=Linux strongSwan CN=peer name"
# auto=start

include /var/lib/strongswan/ipsec.conf.inc
</pre>


I upgraded from Debian wheezy to jessie.

If I test the connection with

@sudo /usr/sbin/ipsec up rw@

I get the following error:

<pre>
unable to resolve %any, initiate aborted
tried to check-in and delete nonexisting IKE_SA
establishing connection 'rw' failed
</pre>


@sudo /usr/sbin/ipsec statusall@

<pre>
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.4.108-bananian, armv7l):
uptime: 64 minutes, since Jun 15 12:36:55 2016
malloc: sbrk 671744, mmap 0, used 122816, free 548928
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown
Virtual IP pools (size/online/offline):
10.1.0.0/24: 254/0/0
10.1.0.1/24: 254/0/0
Listening IP addresses:
192.168.178.23
10.1.0.1
Connections:
rw: %any...%any IKEv2
rw: local: [courten.spdns.de] uses public key authentication
rw: cert: "C=DE, O=xxx, CN=courten.spdns.de"
rw: remote: uses public key authentication
rw: child: 10.1.0.0/24 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
none
</pre>