Turris Omnia 4.0.3
I recently updated from 3.11 to 4.0 and am trying to resurrect my previous configuration. Most things work fine, but I can't set up the strongSwan server. I followed the Strongswan configuration recipe for Turris Omnia (which worked for me on 3.x); however, my clients can't get an IP address through DHCP:
Jan 18 10:05:53 turris : 09[IKE] scheduling reauthentication in 9856s
Jan 18 10:05:53 turris : 09[IKE] maximum IKE_SA lifetime 10396s
Jan 18 10:05:53 turris : 09[IKE] peer requested virtual IP %any
Jan 18 10:05:53 turris : 09[CFG] sending DHCP DISCOVER to 172.27.1.1
Jan 18 10:05:54 turris : 09[CFG] sending DHCP DISCOVER to 172.27.1.1
Jan 18 10:05:55 turris : 14[MGR] ignoring request with ID 4, already processing
Jan 18 10:05:56 turris : 09[CFG] sending DHCP DISCOVER to 172.27.1.1
Jan 18 10:05:58 turris : 11[MGR] ignoring request with ID 4, already processing
Jan 18 10:05:59 turris : 09[CFG] sending DHCP DISCOVER to 172.27.1.1
Jan 18 10:06:01 turris /usr/sbin/cron[12559]: (root) CMD (/usr/bin/rainbow_button_sync.sh)
Jan 18 10:06:02 turris : 10[MGR] ignoring request with ID 4, already processing
Jan 18 10:06:03 turris : 09[CFG] sending DHCP DISCOVER to 172.27.1.1
Jan 18 10:06:08 turris : 09[CFG] DHCP DISCOVER timed out
Jan 18 10:06:08 turris : 09[IKE] no virtual IP found for %any requested by 'nstepa'
Jan 18 10:06:08 turris : 09[IKE] peer requested virtual IP %any6
Jan 18 10:06:08 turris : 09[IKE] no virtual IP found for %any6 requested by 'nstepa'
Jan 18 10:06:08 turris : 09[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Jan 18 10:06:08 turris : 09[IKE] configuration payload negotiation failed, no CHILD_SA built
Jan 18 10:06:08 turris : 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
Configs
/etc/strongswan.conf
# /etc/strongswan.conf — charon daemon settings for the IKEv2 road-warrior setup.
charon {
# DNS server handed to clients (same address as rightdns in ipsec.conf and the dhcp server below).
dns1 = 172.27.1.1
load_modular = yes
threads = 16
plugins {
include strongswan.d/charon/*.conf
# dhcp plugin: backs rightsourceip=%dhcp in ipsec.conf by requesting a lease for each client.
dhcp {
load = yes
# Unicast DHCP messages to `server` instead of broadcasting them on the interface.
force_server_address = yes
# Presumably the router's own LAN address (it is also pushed as DNS to the lan pool in /etc/config/dhcp).
# NOTE(review): the log shows every "DHCP DISCOVER to 172.27.1.1" timing out. When the DHCP server
# (dnsmasq) runs on the same host, a unicast request to the host's own address may never reach a
# dnsmasq that is bound only to the lan interface (nonwildcard '1' in /etc/config/dhcp); check the
# plugin's `interface` option and dnsmasq's binding — verify against the strongSwan dhcp plugin docs.
server = 172.27.1.1
# Derive the client hardware address in the request from the IKE identity, so that each
# user gets a stable lease (presumed from the option name; confirm with the plugin docs).
identity_lease = yes
}
}
}
include strongswan.d/*.conf
/etc/ipsec.conf
# /etc/ipsec.conf — IKEv2 server with EAP-MSCHAPv2 client authentication.
config setup
# No CRL enforcement for certificate validation; revocation of the server cert is not checked here.
strictcrlpolicy=no
# Allow several concurrent IKE_SAs for the same identity (e.g. one user on multiple devices).
uniqueids=no
conn ikev2-vpn
# Load the connection but wait for the client to initiate.
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
# Always UDP-encapsulate ESP (port 4500), which matches the Allow-IPSec-NAT firewall rule.
forceencaps=yes
mobike=yes
# Server side: identified by its certificate; the cert is always sent so clients can verify it.
left=%any
leftid=**example.com**
leftcert=**example.com.cer**
leftsendcert=always
# Full-tunnel: clients route all traffic through the VPN (forwarding vpn->wan is configured in the firewall).
leftsubnet=0.0.0.0/0
# Client side: any peer, authenticated by username/password via EAP-MSCHAPv2 inside the IKE tunnel.
# The EAP credentials are only as safe as the client's validation of the server certificate above.
right=%any
rightid=%any
rightauth=eap-mschapv2
# Virtual IPs are obtained through the charon dhcp plugin (see /etc/strongswan.conf). The log shows
# the DHCP DISCOVER timing out, which ends in INTERNAL_ADDRESS_FAILURE for the client.
rightsourceip=%dhcp
# rightsourceip=172.27.1.5 <<< with this line everything works
# NOTE(review): a static address or pool here must not overlap the lan DHCP range in /etc/config/dhcp,
# otherwise dnsmasq may hand the same address to a LAN host — verify against the lan subnet (not shown).
rightdns=172.27.1.1
rightsendcert=never
eap_identity=%identity
/etc/config/firewall
# /etc/config/firewall — fw3 zones and rules. Rule order is significant; nothing below is reordered.
# Defaults apply to any zone that does not set its own input/output/forward policy.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan zone: fully open towards the router and between lan interfaces.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# wan zone: inbound rejected except for the explicit Allow-* rules below; NAT (masq) for outbound.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
# Standard OpenWrt inbound allowances on wan (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# IPsec inbound on wan: ESP, IKE (udp/500), NAT-T (udp/4500) and AH. These are what the
# strongSwan server needs; with forceencaps=yes in ipsec.conf, client traffic arrives on udp/4500.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-NAT'
option src 'wan'
option dest_port '4500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Allow-AH'
option target 'ACCEPT'
option src 'wan'
option proto 'ah'
config include
option path '/etc/firewall.user'
# Turris guest network: isolated from the router (input REJECT) except DNS and DHCP, forwarded to wan only.
config zone 'guest_turris'
option enabled '1'
option name 'guest_turris'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
list network 'guest_turris'
config forwarding 'guest_turris_forward_wan'
option enabled '1'
option name 'guest to wan forward'
option src 'guest_turris'
option dest 'wan'
config rule 'guest_turris_dns_rule'
option enabled '1'
option name 'guest dns rule'
option src 'guest_turris'
option proto 'tcpudp'
option dest_port '53'
option target 'ACCEPT'
config rule 'guest_turris_dhcp_rule'
option enabled '1'
option name 'guest dhcp rule'
option src 'guest_turris'
option proto 'udp'
option src_port '67-68'
option dest_port '67-68'
option target 'ACCEPT'
# Management from wan (SSH/HTTP/HTTPS) is present but disabled (enabled '0') — keep it that way.
config rule 'wan_ssh_turris_rule'
option name 'wan_ssh_turris_rule'
option enabled '0'
option target 'ACCEPT'
option dest_port '22'
option proto 'tcp'
option src 'wan'
config rule 'wan_http_turris_rule'
option name 'wan_http_turris_rule'
option enabled '0'
option target 'ACCEPT'
option dest_port '80'
option proto 'tcp'
option src 'wan'
config rule 'wan_https_turris_rule'
option name 'wan_https_turris_rule'
option enabled '0'
option target 'ACCEPT'
option dest_port '443'
option proto 'tcp'
option src 'wan'
config rule 'turris_wan_6in4_rule'
option enabled '0'
config include 'bcp38'
option type 'script'
option path '/usr/lib/bcp38/run.sh'
option family 'IPv4'
option reload '1'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
# vpn zone for the IPsec clients: full access to the router itself (input ACCEPT) and, via the
# forwardings below, to lan and wan. NOTE(review): this relies on an 'ipsec' interface existing in
# /etc/config/network (not shown); without it the zone matches nothing and VPN traffic falls under
# the defaults above. Consider whether VPN users need input ACCEPT on the router or only forwarding.
config zone
option input 'ACCEPT'
option forward 'ACCEPT'
option network 'ipsec'
option output 'ACCEPT'
option name 'vpn'
option mtu_fix '1'
config forwarding
option dest 'lan'
option src 'vpn'
# vpn->wan forwarding gives full-tunnel clients Internet access through the wan masquerade.
config forwarding
option dest 'wan'
option src 'vpn'
config forwarding
option dest 'vpn'
option src 'lan'
/etc/config/dhcp
# /etc/config/dhcp — dnsmasq (DHCP only, see port '0') and odhcpd settings.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
# Bind only to the interfaces of the dhcp sections below rather than to the wildcard address.
# NOTE(review): charon's dhcp plugin unicasts its DISCOVER to 172.27.1.1 (force_server_address in
# /etc/strongswan.conf); if that request is delivered locally rather than on the lan interface,
# an interface-bound dnsmasq may never see it — a candidate cause of the "DHCP DISCOVER timed out"
# in the log. Verify by checking which interface the request leaves on (e.g. a packet capture on the router).
option nonwildcard '1'
option localservice '1'
# DNS in dnsmasq is disabled; presumably name resolution on this system is handled by another
# resolver (the address 172.27.1.1 is still pushed to clients as DNS) — confirm.
option port '0'
# lan pool: offsets start/limit are relative to the lan subnet, which is not shown here;
# VPN client addresses (rightsourceip in ipsec.conf) should stay outside this range.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option dhcpv6 'server'
option ra 'server'
option ignore '0'
option leasetime '43200'
# DHCP option 6: DNS server advertised to lan clients.
list dhcp_option '6,172.27.1.1'
# No DHCP service towards wan.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# guest pool with a short lease and its own DNS address.
config dhcp 'guest_turris'
option interface 'guest_turris'
option ignore '0'
option start '100'
option limit '150'
option leasetime '3600'
list dhcp_option '6,10.111.222.1'
Any ideas how this problem can be solved?