<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Miroslav, thank you, you got me going w/ a handle on the logs and
    finding the uniqueness of the ids and that it was due to XAuthName.<br>
    <br>
    Just hoping to connect w/ someone who is really familiar with virtual
    ip addressing and really get a handle on what the "id" is, docs
    indicate it can be an address, a FQDN, a cert subject, and evidently
    an XAuthName, etc. Why it changed between 5.0.2 and 5.3.0...<br>
    <br>
    That is a really important thing to have positive control over for
    road warrior configs, so thought I might get educated, before
    figuring out what direction to take it.<br>
    <br>
    thanks,<br>
    andrew<br>
    <br>
    <div class="moz-cite-prefix">On 4/25/15 10:00 AM, Miroslav Svoboda
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAD6VQRLCZACC=YxNrG4xCKpnASvSVeVxTZRP8E+3Z3ONrR_KVQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">Andrew,
        <div><br>
        </div>
        <div>Sorry for misleading advice with "rightsubnet".</div>
        <div>"rightsubnet" is a traffic selector and has no relation to
          virtual IP pool.</div>
        <div>Your configuration with "rightsourceip" is correct.<br>
        </div>
        <div><br>
        </div>
        <div>Are you able to find same scenario as yours among testcases
          <a moz-do-not-send="true"
            href="http://www.strongswan.org/testresults.html">here</a>
          and compare setup and logfiles?</div>
        <div>Without complete logfile, attached as a file, I am not able
          to help you further.<br>
        </div>
        <div><br>
        </div>
        <div>Miroslav<br>
        </div>
        <div class="gmail_extra"><br clear="all">
          <div>
            <div>
              <div dir="ltr">
                <div>
                  <div dir="ltr">
                    <div>Miroslav Svoboda | <a moz-do-not-send="true"
                        href="tel:%2B420%20608%20224%20486"
                        value="+420608224486" target="_blank">+420 608
                        224 486</a></div>
                    <div><br>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
          <br>
          <div class="gmail_quote">On 25 April 2015 at 16:51, Andrew
            Foss <span dir="ltr"><<a moz-do-not-send="true"
                href="mailto:afoss@actmobile.com" target="_blank">afoss@actmobile.com</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"><span> Miroslav,<br>
                  <br>
                  sorry my last response to you got blocked, but when I
                  use rightsubnet this is what occurs in the logs and the
                  VPN doesn't connect; am I missing something?<br>
                  <br>
                  Apr 25 14:30:52 accel charon: 15[IKE] peer requested
                  virtual IP %any<br>
                  Apr 25 14:30:52 accel charon: 15[IKE] no virtual IP
                  found for %any requested by
                  'IDE-B1DA-3355-4C89-BA98-A580BD513292'<br>
                  <br>
                  A little further analysis and I have it working with
                  uniqueids = yes, but it raised more questions that I was
                  not readily able to answer by reviewing the code, though
                  I am still coming up to speed on the structure of the
                  code.<br>
                  <br>
                  We were using XAuthName "actmobile", I have changed it
                  to the device id
                  'IDE-B1DA-3355-4C89-BA98-A580BD513292' and put a
                  wildcard '*' into the ipsec.secrets file and it is
                  working, thankfully we seem to allow a wildcard match
                  with '*' for the secrets, though I suspect someone
                  would file that as a bug.<br>
                  <br>
                  It appears that the ip address management may use the
                  XAuthName as the id, not the Cert subject as the docs
                  imply.<br>
                  <br>
                  Is that true? Is there any way to control that in the
                  config and assure sessions, SAs, etc. are tracked by
                  the cert subject name?<br>
                  <br>
                  Further, it appears that running version 5.0.2 it
                  behaves better and in 5.3.0 the clients don't appear
                  unique and all get the same ip address. I am not
                  convinced it was quite right in 5.0.2, but does seem
                  to behave differently.<br>
                  <br>
                  I am suspecting that to ensure positive control over
                  this I should do a radius server and modify the dhcp
                  plugin to really control the ip addresses, but I am
                  hoping to procrastinate doing anything major.<br>
                  <br>
                  I think the question is;<br>
                  <br>
                  Am I doing something wrong or unusual in the config or
                  can I control in the config to use the cert as the id
                  for the clients? It feels like something that has the
                  potential to bite back down the road, if I do
                  something odd.<br>
                  <br>
                  Also, is there anywhere this part of the system is
                  documented, that I could refer to as an assist while I
                  review the code and understand what it is doing?<br>
                  <br>
                  thanks,<br>
                  andrew<br>
                  <br>
                </span> Here is the config I am using, with a <br>
                <br>
                * : XAUTH "actmobile" in /etc/ipsec.secrets<span><br>
                  <br>
                  conn ios<br>
                      keyexchange=ikev1<br>
                      #esp=null-sha1!<br>
                      authby=xauthrsasig<br>
                      xauth=server<br>
                      #left=%defaultroute<br>
                      leftsubnet=0.0.0.0/0<br>
                </span>    
                    leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown<br>
                    leftcert=serverCert.pem<br>
                    rightsourceip=172.20.0.0/16<br>
                <div>
                  <div>    
                    auto=add<br>
                    rekey=yes<br>
                    fragmentation=yes<br>
                    lifetime=24h<br>
                    dpddelay=0<br>
                    dpdtimeout=24h<br>
                    compress=yes<br>
                    <br>
                    <div>On 4/25/15 2:26 AM, Group Manager wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div>I replied to your same question on the users
                          list.</div>
                        <div>I believe that you need to use
                          "rightsubnet" instead of "rightsourceip" in
                          your conf.</div>
                        <div>M.</div>
                        <div><br>
                        </div>
                        <div>On Saturday, April 25, 2015 at 3:04:46 AM
                          UTC+2, Andrew Foss wrote:
                          <blockquote class="gmail_quote"
                            style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">It

                            appears that our ip addresses are being
                            assigned by the XAuthName <br>
                            'actmobile', unfortunately that is not
                            unique? <br>
                            <br>
                            On 4/24/15 5:28 PM, Andrew Foss wrote: <br>
                            > Here's our situation; <br>
                            > <br>
                            > ios ipsec clients, they each have a
                            certificate with a unique common <br>
                            > name. <br>
                            > <br>
                            > I want to configure strongswan to give
                            them a different ip address for <br>
                            > each client/CN, regardless of what
                            public ip address they may arrive <br>
                            > from at the moment, it is a road
                            warrior config. <br>
                            > <br>
                            > I am thinking I can write a plugin like
                            dhcp to do it for sure, but <br>
                            > seems like I may have something in the
                            config that is wrong. I have to <br>
                            > set uniqueids=no to get two clients to
                            connect, which makes me think I <br>
                            > am using something else for the id,
                            other than the cert subject name. <br>
                            > <br>
                            > This error line seems to indicate the
                            peer is referred to as 'actmobile' <br>
                            > <br>
                            > destroying duplicate IKE_SA for peer
                            'actmobile', received <br>
                            > INITIAL_CONTACT <br>
                            > <br>
                            > in the updown scripts the PLUTO_PEER_ID
                            does show up properly as <br>
                            > [C=US, O=strongSwan,
                            CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307] <br>
                            > <br>
                            > All my clients seem to get 172.20.0.1
                            as their ip address and ipsec <br>
                            > statusall shows just one SA even when I
                            > have 3 devices connected. <br>
                            > <br>
                            > here's the config; <br>
                            > <br>
                            > conn ios <br>
                            > keyexchange=ikev1 <br>
                            > #esp=null-sha1! <br>
                            > authby=xauthrsasig <br>
                            > xauth=server <br>
                            > #left=%defaultroute <br>
                            > leftsubnet=<a moz-do-not-send="true"
                              href="http://0.0.0.0/0" rel="nofollow"
                              target="_blank">0.0.0.0/0</a> <br>
                            > #leftsubnet=<a moz-do-not-send="true"
                              href="http://10.66.0.0/16" rel="nofollow"
                              target="_blank">10.66.0.0/16</a> <br>
                            > #leftfirewall=yes <br>
                            > #lefthostaccess=yes <br>
                            >
                            leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
                            <br>
                            > leftcert=serverCert.pem <br>
                            > #right=%any <br>
                            > rightsourceip=<a moz-do-not-send="true"
                              href="http://172.20.0.0/16" rel="nofollow"
                              target="_blank">172.20.0.0/16</a> <br>
                            > #rightsourceip=<a
                              moz-do-not-send="true"
                              href="http://10.100.255.0/28"
                              rel="nofollow" target="_blank">10.100.255.0/28</a>
                            <br>
                            > #rightcert=clientCert.pem <br>
                            > #pfs=no <br>
                            > auto=add <br>
                            > rekey=yes <br>
                            > fragmentation=yes <br>
                            > lifetime=24h <br>
                            > dpddelay=0 <br>
                            > dpdtimeout=24h <br>
                            >     compress=yes <br>
                            > <br>
                            > here's the log output of clients
                            connecting; <br>
                            > <br>
                            > IKE_SA ios[6] established between
                            10.199.65.236[C=US, ST=California, <br>
                            > L=New York, O=Internet Widgits Pty Ltd,
                            OU=ActMobile, <br>
                            > CN=ipsec.corp.actmobile.com, <br>
                            > E=support@actmobile.com]...50.197.174.157[C=US,
                            O=strongSwan, <br>
                            > CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307] <br>
                            > Apr 25 00:12:43 accel charon: 12[IKE]
                            IKE_SA ios[6] state change: <br>
                            > CONNECTING => ESTABLISHED <br>
                            > Apr 25 00:12:43 accel charon: 12[IKE]
                            scheduling reauthentication in <br>
                            > 10094s <br>
                            > Apr 25 00:12:43 accel charon: 12[IKE]
                            maximum IKE_SA lifetime 10634s <br>
                            > Apr 25 00:12:43 accel charon: 12[IKE]
                            activating new tasks <br>
                            > Apr 25 00:12:43 accel charon: 12[IKE]
                            nothing to initiate <br>
                            > Apr 25 00:12:43 accel charon: 12[IKE]
                            destroying duplicate IKE_SA for <br>
                            > peer 'actmobile', received
                            INITIAL_CONTACT <br>
                            > Apr 25 00:12:43 accel charon: 12[IKE]
                            IKE_SA ios[5] state change: <br>
                            > ESTABLISHED => DESTROYING <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            deleting SAD entry with SPI <br>
                            > c1648e6d  (mark 0/0x00000000) <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            deleted SAD entry with SPI <br>
                            > c1648e6d (mark 0/0x00000000) <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            deleting SAD entry with SPI <br>
                            > 0d133ab7  (mark 0/0x00000000) <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            deleted SAD entry with SPI <br>
                            > 0d133ab7 (mark 0/0x00000000) <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            deleting policy <a moz-do-not-send="true"
                              href="http://0.0.0.0/0" rel="nofollow"
                              target="_blank">0.0.0.0/0</a> === <br>
                            > <a moz-do-not-send="true"
                              href="http://172.20.0.1/32" rel="nofollow"
                              target="_blank">172.20.0.1/32</a> out
                             (mark 0/0x00000000) <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            policy still used by another <br>
                            > CHILD_SA, not removed <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            updating policy <a moz-do-not-send="true"
                              href="http://0.0.0.0/0" rel="nofollow"
                              target="_blank">0.0.0.0/0</a> === <br>
                            > <a moz-do-not-send="true"
                              href="http://172.20.0.1/32" rel="nofollow"
                              target="_blank">172.20.0.1/32</a> out
                             (mark 0/0x00000000) <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            deleting policy <a moz-do-not-send="true"
                              href="http://172.20.0.1/32" rel="nofollow"
                              target="_blank">172.20.0.1/32</a> <br>
                            > === <a moz-do-not-send="true"
                              href="http://0.0.0.0/0" rel="nofollow"
                              target="_blank">0.0.0.0/0</a> in  (mark
                            0/0x00000000) <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            policy still used by another <br>
                            > CHILD_SA, not removed <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            updating policy <a moz-do-not-send="true"
                              href="http://172.20.0.1/32" rel="nofollow"
                              target="_blank">172.20.0.1/32</a> <br>
                            > === <a moz-do-not-send="true"
                              href="http://0.0.0.0/0" rel="nofollow"
                              target="_blank">0.0.0.0/0</a> in  (mark
                            0/0x00000000) <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            deleting policy <a moz-do-not-send="true"
                              href="http://172.20.0.1/32" rel="nofollow"
                              target="_blank">172.20.0.1/32</a> <br>
                            > === <a moz-do-not-send="true"
                              href="http://0.0.0.0/0" rel="nofollow"
                              target="_blank">0.0.0.0/0</a> fwd  (mark
                            0/0x00000000) <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            policy still used by another <br>
                            > CHILD_SA, not removed <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            updating policy <a moz-do-not-send="true"
                              href="http://172.20.0.1/32" rel="nofollow"
                              target="_blank">172.20.0.1/32</a> <br>
                            > === <a moz-do-not-send="true"
                              href="http://0.0.0.0/0" rel="nofollow"
                              target="_blank">0.0.0.0/0</a> fwd  (mark
                            0/0x00000000) <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            getting a local address in <br>
                            > traffic selector <a
                              moz-do-not-send="true"
                              href="http://0.0.0.0/0" rel="nofollow"
                              target="_blank">0.0.0.0/0</a> <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            using host %any <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            using 10.199.65.193 as nexthop <br>
                            > to reach 166.170.42.208 <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            10.199.65.236 is on interface eth0 <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            deleting policy <a moz-do-not-send="true"
                              href="http://0.0.0.0/0" rel="nofollow"
                              target="_blank">0.0.0.0/0</a> === <br>
                            > <a moz-do-not-send="true"
                              href="http://172.20.0.1/32" rel="nofollow"
                              target="_blank">172.20.0.1/32</a> out
                             (mark 0/0x00000000) <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            deleting policy <a moz-do-not-send="true"
                              href="http://172.20.0.1/32" rel="nofollow"
                              target="_blank">172.20.0.1/32</a> <br>
                            > === <a moz-do-not-send="true"
                              href="http://0.0.0.0/0" rel="nofollow"
                              target="_blank">0.0.0.0/0</a> in  (mark
                            0/0x00000000) <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            deleting policy <a moz-do-not-send="true"
                              href="http://172.20.0.1/32" rel="nofollow"
                              target="_blank">172.20.0.1/32</a> <br>
                            > === <a moz-do-not-send="true"
                              href="http://0.0.0.0/0" rel="nofollow"
                              target="_blank">0.0.0.0/0</a> fwd  (mark
                            0/0x00000000) <br>
                            > Apr 25 00:12:43 accel charon: 12[KNL]
                            getting iface index for eth0 <br>
                            > Apr 25 00:12:43 accel charon: 12[CFG]
                            lease 172.20.0.1 by 'actmobile' <br>
                            > went offline <br>
                            >
                            _______________________________________________
                            <br>
                            > Dev mailing list <br>
                            > <a moz-do-not-send="true"
                              href="mailto:Dev@lists.strongswan.org"
                              rel="nofollow" target="_blank">Dev@lists.strongswan.org</a>
                            <br>
                            > <a moz-do-not-send="true"
                              href="https://lists.strongswan.org/mailman/listinfo/dev"
                              rel="nofollow" target="_blank">https://lists.strongswan.org/mailman/listinfo/dev</a>
                            <br>
                            <br>
                            _______________________________________________
                            <br>
                            Dev mailing list <br>
                            <a moz-do-not-send="true"
                              href="mailto:Dev@lists.strongswan.org"
                              rel="nofollow" target="_blank">Dev@lists.strongswan.org</a>
                            <br>
                            <a moz-do-not-send="true"
                              href="https://lists.strongswan.org/mailman/listinfo/dev"
                              rel="nofollow" target="_blank">https://lists.strongswan.org/mailman/listinfo/dev</a>
                            <br>
                          </blockquote>
                        </div>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
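The charon log lines quoted in this thread show the duplicate-SA check ("destroying duplicate IKE_SA for peer 'actmobile'") and the lease bookkeeping ("lease 172.20.0.1 by 'actmobile'") keyed by the XAuth name, while the "established between" line carries the certificate subject. The script below is an added example, not code from strongSwan or from anyone in the thread: it reads charon log lines and reports when several distinct certificate subjects end up behind one identity used for the uniqueness check, which is the symptom of a shared XAuth name. The sample log lines are constructed from the message formats quoted above (shortened DNs, RFC 5737 client addresses), and the attribution of a "destroying duplicate" message to the last "established" message on the same worker thread is our heuristic, not a documented charon guarantee.

```python
"""Spot shared-identity collisions in strongSwan charon logs (added example)."""
import re
from collections import defaultdict

# Message formats taken from the log lines quoted in the thread.
THREAD = re.compile(r"charon: (?P<thread>\d+)\[[A-Z]+\] (?P<msg>.*)$")
ESTABLISHED = re.compile(
    r"IKE_SA (?P<conn>\S+)\[(?P<sa>\d+)\] established between "
    r"\S+?\[(?P<local>[^\]]*)\]\.\.\.\S+?\[(?P<remote>[^\]]*)\]")
DUPLICATE = re.compile(r"destroying duplicate IKE_SA for peer '(?P<id>[^']*)'")
LEASE = re.compile(r"lease (?P<ip>\S+) by '(?P<id>[^']*)'")
NO_VIP = re.compile(r"no virtual IP found for \S+ requested by '(?P<id>[^']*)'")


def analyze(lines):
    """Map each identity charon used for the duplicate-SA check to the cert
    subjects seen behind it. Assumption (ours): a 'destroying duplicate'
    message belongs to the most recent 'established' message logged by the
    same worker thread, as in the quoted log where both carry '12[IKE]'."""
    last_subject_by_thread = {}
    subjects = set()
    subjects_by_key_id = defaultdict(set)
    leases = defaultdict(set)
    kicks = defaultdict(int)
    vip_failures = defaultdict(int)
    for line in lines:
        t = THREAD.search(line)
        if not t:
            continue
        thread, msg = t.group("thread"), t.group("msg")
        e = ESTABLISHED.search(msg)
        if e:
            subjects.add(e.group("remote"))
            last_subject_by_thread[thread] = e.group("remote")
            continue
        d = DUPLICATE.search(msg)
        if d:
            kicks[d.group("id")] += 1
            if thread in last_subject_by_thread:
                subjects_by_key_id[d.group("id")].add(last_subject_by_thread[thread])
            continue
        le = LEASE.search(msg)
        if le:
            leases[le.group("id")].add(le.group("ip"))
            continue
        n = NO_VIP.search(msg)
        if n:
            vip_failures[n.group("id")] += 1
    return {
        "subjects": sorted(subjects),
        # one uniqueness identity shared by more than one certificate subject
        "collisions": {k: sorted(v) for k, v in subjects_by_key_id.items() if len(v) > 1},
        "kicks": dict(kicks),
        "leases": {k: sorted(v) for k, v in leases.items()},
        "vip_failures": dict(vip_failures),
    }


SERVER = "10.199.65.236[CN=ipsec.corp.actmobile.com]"
# Constructed sample: three devices, all using the XAuth name 'actmobile'.
SAMPLE_SHARED_XAUTH = [
    f"Apr 25 00:12:40 accel charon: 10[IKE] IKE_SA ios[4] established between {SERVER}...198.51.100.7[C=US, O=strongSwan, CN=IDE-0001]",
    f"Apr 25 00:12:41 accel charon: 11[IKE] IKE_SA ios[5] established between {SERVER}...198.51.100.8[C=US, O=strongSwan, CN=IDE-0002]",
    "Apr 25 00:12:41 accel charon: 11[IKE] destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT",
    "Apr 25 00:12:41 accel charon: 11[CFG] lease 172.20.0.1 by 'actmobile' went offline",
    f"Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] established between {SERVER}...203.0.113.5[C=US, O=strongSwan, CN=IDE-0003]",
    "Apr 25 00:12:43 accel charon: 12[IKE] destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT",
    "Apr 25 00:12:43 accel charon: 12[CFG] lease 172.20.0.1 by 'actmobile' went offline",
]
# Constructed sample: per-device XAuth names; only a reconnect of the same
# device produces a duplicate-SA teardown.
SAMPLE_PER_DEVICE_XAUTH = [
    f"Apr 25 01:00:00 accel charon: 10[IKE] IKE_SA ios[7] established between {SERVER}...198.51.100.7[C=US, O=strongSwan, CN=IDE-0001]",
    f"Apr 25 01:00:05 accel charon: 11[IKE] IKE_SA ios[8] established between {SERVER}...198.51.100.8[C=US, O=strongSwan, CN=IDE-0002]",
    f"Apr 25 01:02:00 accel charon: 12[IKE] IKE_SA ios[9] established between {SERVER}...198.51.100.7[C=US, O=strongSwan, CN=IDE-0001]",
    "Apr 25 01:02:00 accel charon: 12[IKE] destroying duplicate IKE_SA for peer 'IDE-0001', received INITIAL_CONTACT",
    "Apr 25 01:02:00 accel charon: 12[CFG] lease 172.20.0.1 by 'IDE-0001' went offline",
]

if __name__ == "__main__":
    for name, sample in (("shared XAuth name", SAMPLE_SHARED_XAUTH),
                         ("per-device XAuth name", SAMPLE_PER_DEVICE_XAUTH)):
        r = analyze(sample)
        print(f"{name}: {len(r['subjects'])} cert subjects, kicks={r['kicks']}")
        for key_id, subs in r["collisions"].items():
            print(f"  identity {key_id!r} shared by {len(subs)} subjects: {subs}")
```

Run it against a real log with `analyze(open("/var/log/daemon.log").readlines())`; a non-empty `collisions` entry means the value charon keys the duplicate-SA check on is not unique per device, so with `uniqueids=yes` each new device tears down another device's IKE_SA and the pool hands out the same lease.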
    <br>
  </body>
</html>