Hi, I need help making a site-to-site VPN using strongSwan. When I load my connection and run it, I get this error:
root@OpenWrt:/etc/swanctl# swanctl --initiate --child myvpn
[IKE] unable to resolve %any, initiate aborted
initiate failed: establishing CHILD_SA 'myvpn' failed
Sir, I have 2 MikroTik routers and I want to make a site-to-site VPN.
On router one the br-wan IP is 1.1.1.1 and the br-lan IP is 192.168.1.1, which is my subnet; I connect the device to br-lan and device 1 gets the IP 192.168.1.140. On the second router the br-wan IP is 1.1.1.2 and the br-lan IP is 192.168.2.1, which is my subnet; I connect the device to br-lan and device 2 gets the IP 192.168.2.196.
Now can you tell me how I should implement the strongSwan VPN in this case? It would be a kind gesture if you could help me with this...
#These are my settings
Router 2 - swanctl.conf
connections {
    myvpn {
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            id = 1.1.1.2
        }
        remote {
            auth = psk
            id = 1.1.1.1
        }
        children {
            myvpn {
                local_ts = 192.168.2.0/24
                remote_ts = 192.168.1.0/24
                esp_proposals = aes256-sha256-modp2048
                dpd_action = restart
                start_action = start
            }
        }
    }
}
secrets {
    ike-1 {
        id-1 = 1.1.1.2
        secret = "0987654321"
    }
}
Router 1 - swanctl.conf
connections {
    myvpn {
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            id = 1.1.1.1
        }
        remote {
            auth = psk
            id = 1.1.1.2
        }
        children {
            myvpn {
                local_ts = 192.168.1.0/24
                remote_ts = 192.168.2.0/24
                esp_proposals = aes256-sha256-modp2048
                dpd_action = restart
                start_action = start
            }
        }
    }
}
secrets {
    ike-1 {
        id-1 = 1.1.1.1
        secret = "0987654321"
    }
}
swanctl --load-all
loaded ike secret 'ike-1'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'myvpn'
successfully loaded 1 connections, 0 unloaded
root@OpenWrt:/etc/swanctl# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.10, Linux 5.15.134, mips):
uptime: 27 minutes, since Jan 12 14:17:43 2024
worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon gmpdh test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm ntru drbg newhope bliss curl mysql sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
192.168.1.1
fd4b:9707:9241::1
1.1.1.1
fd4b:9707:9241:10::1
Connections:
myvpn: %any...%any IKEv1/2
myvpn: local: [1.1.1.1] uses pre-shared key authentication
myvpn: remote: [1.1.1.2] uses pre-shared key authentication
myvpn: child: 192.168.1.0/24 === 192.168.2.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
none
Kindly check this:
swanctl --initiate --child myvpn
[IKE] unable to resolve %any, initiate aborted
initiate failed: establishing CHILD_SA 'myvpn' failed
Using public IP addresses even in a lab environment is not the best idea.
Specifying the remote address is mandatory to initiate a connection.
#Router 2 - swanctl.conf
connections {
myvpn {
remote_addrs = 1.1.1.1
proposals = aes256-sha256-modp2048
local {...
#Router 1 - swanctl.conf
connections {
myvpn {
remote_addrs = 1.1.1.2
proposals = aes256-sha256-modp2048
local {...
I'm sure you can find plenty of examples of how to create site-to-site connections by searching the internet.
https://docs.strongswan.org/docs/5.9/config/quickstart.html#_site_to_site_case
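As an added example that is not part of the thread or of strongSwan itself: a small checker that parses both ends' swanctl.conf and reports the inconsistencies a site-to-site pair can have, including the missing remote_addrs that produces "unable to resolve %any". The parser, the checks and the sample configs are all constructed here; the samples follow the layout used in the thread but use RFC 5737 documentation addresses (192.0.2.1 and 198.51.100.1) instead of real public IPs, and a placeholder PSK.

```python
# Added example, not code from the thread: a consistency checker for the two ends
# of a strongSwan site-to-site tunnel as written in swanctl.conf. It reports a
# missing remote_addrs (the cause of "unable to resolve %any"), unmirrored ids or
# traffic selectors, differing proposals and differing pre-shared keys.

def parse_swanctl(text):
    """Parse swanctl.conf into nested dicts: 'name {' opens a section,
    'key = value' assigns (quotes stripped) and '}' closes."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value.strip('"')
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in swanctl.conf")
    return stack[0]


def check_site_to_site(conf_a, conf_b, name):
    """Return a list of problems for connection `name` on sides A and B; [] means consistent."""
    problems = []
    cfg_a, cfg_b = parse_swanctl(conf_a), parse_swanctl(conf_b)
    conn_a, conn_b = cfg_a["connections"][name], cfg_b["connections"][name]
    for side, conn in (("A", conn_a), ("B", conn_b)):  # no remote_addrs -> peer is %any
        if "remote_addrs" not in conn:
            problems.append(f"{side}: no remote_addrs, initiate fails with 'unable to resolve %any'")
    if conn_a["local"]["id"] != conn_b["remote"]["id"] or conn_b["local"]["id"] != conn_a["remote"]["id"]:
        problems.append("local/remote ids are not mirrored")
    if conn_a.get("proposals") != conn_b.get("proposals"):
        problems.append("IKE proposals differ")
    kids_a, kids_b = conn_a["children"], conn_b["children"]
    if set(kids_a) != set(kids_b):
        problems.append("child names differ between sides")
    for child in sorted(set(kids_a) & set(kids_b)):  # traffic selectors must mirror
        ca, cb = kids_a[child], kids_b[child]
        if ca["local_ts"] != cb["remote_ts"] or ca["remote_ts"] != cb["local_ts"]:
            problems.append(f"child {child}: traffic selectors are not mirrored")
        if ca.get("esp_proposals") != cb.get("esp_proposals"):
            problems.append(f"child {child}: ESP proposals differ")
    psk = lambda cfg: {s["secret"] for k, s in cfg.get("secrets", {}).items() if k.startswith("ike")}
    if not psk(cfg_a) & psk(cfg_b):  # the PSK text must be identical on both sides
        problems.append("no common pre-shared key between the sides")
    return problems


def make_conf(local_ip, remote_ip, local_net, remote_net, remote_addrs=True):
    """Build one side's swanctl.conf (constructed sample in the thread's layout)."""
    addrs = f"        remote_addrs = {remote_ip}\n" if remote_addrs else ""
    return f"""connections {{
    myvpn {{
{addrs}        proposals = aes256-sha256-modp2048
        local {{
            auth = psk
            id = {local_ip}
        }}
        remote {{
            auth = psk
            id = {remote_ip}
        }}
        children {{
            myvpn {{
                local_ts = {local_net}
                remote_ts = {remote_net}
                esp_proposals = aes256-sha256-modp2048
                dpd_action = restart
                start_action = start
            }}
        }}
    }}
}}
secrets {{
    ike-1 {{
        id-1 = {local_ip}
        secret = "example-psk-change-me"
    }}
}}
"""

# Router 1 = 192.0.2.1 / 192.168.1.0/24, router 2 = 198.51.100.1 / 192.168.2.0/24 (constructed).
R1_BROKEN = make_conf("192.0.2.1", "198.51.100.1", "192.168.1.0/24", "192.168.2.0/24", False)
R2_BROKEN = make_conf("198.51.100.1", "192.0.2.1", "192.168.2.0/24", "192.168.1.0/24", False)
R1_FIXED = make_conf("192.0.2.1", "198.51.100.1", "192.168.1.0/24", "192.168.2.0/24")
R2_FIXED = make_conf("198.51.100.1", "192.0.2.1", "192.168.2.0/24", "192.168.1.0/24")

if __name__ == "__main__":
    print("before:", check_site_to_site(R1_BROKEN, R2_BROKEN, "myvpn"))
    print("after: ", check_site_to_site(R1_FIXED, R2_FIXED, "myvpn") or "consistent")
```

The "before" pair reproduces the thread's configs (no remote_addrs on either side) and is flagged on both ends; the "after" pair, with remote_addrs added exactly as the reply shows, passes. The mirrored-selector and common-PSK checks catch the two other mistakes that do not show up in `swanctl --load-all` output but only as a failed or half-working tunnel.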
Thanks a lot bro, I solved the problem with your feedback. Thanks a lot.