I'm trying to set up an IKEv2 site-to-site PSK VPN with legacy strongSwan.
/etc/ipsec.conf
config setup
    charondebug="all"
    uniqueids=no
    strictcrlpolicy=no

conn ikev2-vpn
    auto=add
    dpdaction=restart
    compress=no
    type=tunnel
    keyexchange=ikev2
    rekey=no
    authby=secret
    leftauth=psk
    left=<PRIVATE_IP>
    leftid=<PUBLIC_IP>
    leftsubnet=<OUR_SUBNET>
    rightauth=psk
    right=<THEIR_PUBLIC_IP>
    rightid=<THEIR_PUBLIC_IP>
    rightsubnet=<THEIR_SUBNET>
I get as far as a responder identity failure. The remote side is a Check Point server, which gives the error "Auth exchange: Sending notification to peer: Traffic selectors unacceptable".
root@hostname:/home/sarajarjoura# ipsec up ikev2-vpn
initiating IKE_SA ikev2-vpn[1] to <THEIR_PUBLIC_IP>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from <PRIVATE_IP>[500] to <THEIR_PUBLIC_IP>[500] (464 bytes)
received packet: from <THEIR_PUBLIC_IP>[500] to <PRIVATE_IP>[500] (540 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) ]
local host is behind NAT, sending keep alives
authentication of '<PUBLIC_IP>' (myself) with pre-shared key
establishing CHILD_SA ikev2-vpn{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from <PRIVATE_IP>[4500] to <THEIR_PUBLIC_IP>[4500] (272 bytes)
received packet: from <THEIR_PUBLIC_IP>[4500] to <PRIVATE_IP>[4500] (96 bytes)
parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) N(TS_UNACCEPT) ]
IDr payload missing
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from <PRIVATE_IP>[4500] to <THEIR_PUBLIC_IP>[4500] (80 bytes)
establishing connection 'ikev2-vpn' failed
/etc/ipsec.secrets
<PUBLIC_IP> <THEIR_PUBLIC_IP> : PSK "<SUPER_STRONG_PSK>"
How do I change the conf file to send the responder identity? This is the first time I've had to configure a VPN client, so my knowledge is based on googling and trying to comprehend excerpts on the topic of IKEv2.

Resources I've found that might be helpful for others who are stuck on the same issue:
IKE v2 https://www.rfc-editor.org/rfc/rfc7296
VPN troubleshooting https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-troubleshooting.html
Site to Site configuration with StrongSwan https://www.strongswan.org/testing/testresults/ikev2/net2net-psk/
How to configure StrongSwan IKEv2 VPN with PSK (pre-shared key)?
Incidentally, I've tried this with Libreswan as well, and I'm not opposed to switching the client. At the same time, I've tested this against a server under my control, and I believe I'm not far off.
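Reading the transcript above: the peer answers the IKE_AUTH request with two N(TS_UNACCEPT) notifies and nothing else. RFC 7296 (linked above) defines TS_UNACCEPTABLE as the responder's reply when none of the proposed traffic selectors (the TSi/TSr payloads, built from leftsubnet/rightsubnet) overlaps what it is configured for; since that response carries no IDr payload, strongSwan then logs "IDr payload missing" and sends AUTH_FAILED itself. The script below is an added example, my own Python and not strongSwan's or Check Point's code: it parses charon's `generating`/`parsed` lines for error notifies, and implements the RFC 7296 section 2.9 narrowing rule so two sides' subnet settings can be checked for an acceptable overlap before touching the tunnel. The abbreviated notify names are the ones charon prints; the `leftsubnet`/`rightsubnet` keys for the responder's side and all subnets are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the anonymised `ipsec up` transcript from the question,
# kept to the lines this parser cares about.
SAMPLE_LOG = """\
initiating IKE_SA ikev2-vpn[1] to <THEIR_PUBLIC_IP>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) ]
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
parsed IKE_AUTH response 1 [ N(TS_UNACCEPT) N(TS_UNACCEPT) ]
IDr payload missing
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

# Abbreviated IKEv2 error-notify names as charon prints them in its log.
ERROR_NOTIFIES = {"TS_UNACCEPT", "NO_PROP_CHOSEN", "AUTH_FAILED",
                  "INVALID_SYNTAX", "INVALID_KE_PAYLOAD"}

EXCHANGE_RE = re.compile(
    r"^(generating|parsed) (\w+) (request|response) (\d+) \[ (.*) \]$")


def parse_exchanges(log):
    """Turn each 'generating/parsed <EXCHANGE> request/response N [ ... ]' line
    into (direction, exchange, message_id, [payload names])."""
    exchanges = []
    for line in log.splitlines():
        m = EXCHANGE_RE.match(line.strip())
        if not m:
            continue
        direction = "sent" if m.group(1) == "generating" else "received"
        exchanges.append((direction, m.group(2), int(m.group(4)), m.group(5).split()))
    return exchanges


def received_errors(exchanges):
    """Error notifies the peer sent to us, in order (sent ones are ignored,
    so the initiator's own AUTH_FAILED does not count as a cause)."""
    errors = []
    for direction, _exchange, _msg_id, payloads in exchanges:
        if direction != "received":
            continue
        for payload in payloads:
            m = re.fullmatch(r"N\((\w+)\)", payload)
            if m and m.group(1) in ERROR_NOTIFIES:
                errors.append(m.group(1))
    return errors


def narrow(proposed, configured):
    """RFC 7296 section 2.9: the responder may narrow a proposed selector to
    the part it is configured for.  For two CIDR blocks of the same address
    family this is either the smaller block or nothing; None means no overlap,
    which is exactly when a responder answers TS_UNACCEPTABLE."""
    p, c = ipaddress.ip_network(proposed), ipaddress.ip_network(configured)
    if p.subnet_of(c):
        return p
    if c.subnet_of(p):
        return c
    return None


def check_traffic_selectors(initiator, responder):
    """initiator: our leftsubnet/rightsubnet, which become TSi/TSr.
    responder: the peer's settings written from its own point of view, so its
    'leftsubnet' is its encryption domain and its 'rightsubnet' is what it
    expects from us (key names are an assumption for this example).
    Returns the narrowed (TSi, TSr) pair, or 'TS_UNACCEPTABLE'."""
    tsi = narrow(initiator["leftsubnet"], responder["rightsubnet"])
    tsr = narrow(initiator["rightsubnet"], responder["leftsubnet"])
    if tsi is None or tsr is None:
        return "TS_UNACCEPTABLE"
    return (str(tsi), str(tsr))


def diagnose(log):
    """Summarise a failed `ipsec up` transcript by the first error the peer sent."""
    exchanges = parse_exchanges(log)
    errors = received_errors(exchanges)
    if "TS_UNACCEPT" in errors:
        return "IKE_AUTH rejected: peer found no overlap with our leftsubnet/rightsubnet"
    if "NO_PROP_CHOSEN" in errors:
        return "proposal rejected: no common IKE or ESP algorithms"
    if "AUTH_FAILED" in errors:
        return "authentication failed: check identities and the PSK"
    return "no error notify received" if exchanges else "no IKE exchanges found"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    ours = {"leftsubnet": "10.1.0.0/16", "rightsubnet": "10.2.0.0/16"}
    theirs = {"leftsubnet": "10.2.5.0/24", "rightsubnet": "10.1.0.0/16"}
    print(check_traffic_selectors(ours, theirs))
```

Run on the sample, `diagnose` points at the traffic selectors rather than at identities, and `check_traffic_selectors` shows the narrowing that a correctly paired configuration produces (the peer's /24 inside our /16) versus the empty intersection that yields TS_UNACCEPTABLE. Since the responder narrows but never widens, the initiator's leftsubnet must cover at least part of what the peer expects from it and its rightsubnet must overlap the peer's encryption domain; with placeholders in place of real subnets that is the first thing to verify against the Check Point side's definition.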