<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Miroslav, thank you, you got me going w/ a handle on the logs and
finding the uniqueness of the ids and that it was due to XAuthName.<br>
<br>
Just hoping to connect w/ someone who is really familiar with virtual
ip addressing and really get a handle on what the "id" is, docs
indicate it can be an address, a FQDN, a cert subject, and evidently
an XAuthName, etc. Why it changed between 5.0.2 and 5.3.0...<br>
<br>
That is a really important thing to have positive control over for
road warrior configs, so thought I might get educated, before
figuring out what direction to take it.<br>
<br>
thanks,<br>
andrew<br>
<br>
<div class="moz-cite-prefix">On 4/25/15 10:00 AM, Miroslav Svoboda
wrote:<br>
</div>
<blockquote
cite="mid:CAD6VQRLCZACC=YxNrG4xCKpnASvSVeVxTZRP8E+3Z3ONrR_KVQ@mail.gmail.com"
type="cite">
<div dir="ltr">Andrew,
<div><br>
</div>
<div>Sorry for misleading advice with "rightsubnet".</div>
<div>"rightsubnet" is a traffic selector and has no relation to
virtual IP pool.</div>
<div>Your configuration with "rightsourceip" is correct.<br>
</div>
<div><br>
</div>
<div>Are you able to find same scenario as yours among testcases
<a moz-do-not-send="true"
href="http://www.strongswan.org/testresults.html">here</a>
and compare setup and logfiles?</div>
<div>Without complete logfile, attached as a file, I am not able
to help you further.<br>
</div>
<div><br>
</div>
<div>Miroslav<br>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>Miroslav Svoboda | <a moz-do-not-send="true"
href="tel:%2B420%20608%20224%20486"
value="+420608224486" target="_blank">+420 608
224 486</a></div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On 25 April 2015 at 16:51, Andrew
Foss <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:afoss@actmobile.com" target="_blank">afoss@actmobile.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span> Miroslav,<br>
<br>
sorry my last response to you got blocked, but when I
use rightsubnet this is what occurs in the logs and
vpn doesn't connect, am I missing something?<br>
<br>
Apr 25 14:30:52 accel charon: 15[IKE] peer requested
virtual IP %any<br>
Apr 25 14:30:52 accel charon: 15[IKE] no virtual IP
found for %any requested by
'IDE-B1DA-3355-4C89-BA98-A580BD513292'<br>
<br>
A little further analysis and I have it
working with uniqueids = yes, but raised more
questions, that I was not readily able to answer by
reviewing the code, but I am still coming up to speed
on the structure of the code.<br>
<br>
We were using XAuthName "actmobile", I have changed it
to the device id
'IDE-B1DA-3355-4C89-BA98-A580BD513292' and put a
wildcard '*' into the ipsec.secrets file and it is
working, thankfully we seem to allow a wildcard match
with '*' for the secrets, though I suspect someone
would file that as a bug.<br>
<br>
It appears that the ip address management may use the
XAuthName as the id, not the Cert subject as the docs
imply.<br>
<br>
Is that true? Is there any way to control that in the
config and assure sessions, SAs, etc. are tracked by
the cert subject name?<br>
<br>
Further, it appears that running version 5.0.2 it
behaves better and in 5.3.0 the clients don't appear
unique and all get the same ip address. I am not
convinced it was quite right in 5.0.2, but does seem
to behave differently.<br>
<br>
I am suspecting that to ensure positive control over
this I should do a radius server and modify the dhcp
plugin to really control the ip addresses, but I am
hoping to procrastinate doing anything major.<br>
<br>
I think the question is:<br>
<br>
Am I doing something wrong or unusual in the config or
can I control in the config to use the cert as the id
for the clients? It feels like something that has the
potential to bite back down the road, if I do
something odd.<br>
<br>
Also, is there anywhere this part of the system is
documented, that I could refer to as an assist while I
review the code and understand what it is doing?<br>
<br>
thanks,<br>
andrew<br>
<br>
</span> Here is the config I am using, with a <br>
<br>
* : XAUTH "actmobile" in /etc/ipsec.secrets<span><br>
<br>
conn
ios
<br>
keyexchange=ikev1
<br>
#esp=null-sha1!
<br>
authby=xauthrsasig
<br>
xauth=server
<br>
#left=%defaultroute
<br>
leftsubnet=<a moz-do-not-send="true"
href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>
<br>
</span>
leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
<br>
leftcert=serverCert.pem
<br>
rightsourceip=<a moz-do-not-send="true"
href="http://172.20.0.0/16" target="_blank">172.20.0.0/16</a>
<br>
<div>
<div>
auto=add
<br>
rekey=yes
<br>
fragmentation=yes
<br>
lifetime=24h
<br>
dpddelay=0
<br>
dpdtimeout=24h
<br>
compress=yes <br>
<br>
<div>On 4/25/15 2:26 AM, Group Manager wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>I replied to your same question on the users
list.</div>
<div>I believe that you need to use
"rightsubnet" instead of "rightsourceip" in
your conf.</div>
<div>M.</div>
<div><br>
</div>
<div>On Saturday, April 25, 2015 at 3:04:46 AM
UTC+2, Andrew Foss wrote:
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">It
appears that our ip addresses are being
assigned by the XAuthName <br>
'actmobile', unfortunately that is not
unique? <br>
<br>
On 4/24/15 5:28 PM, Andrew Foss wrote: <br>
> Here's our situation: <br>
> <br>
> ios ipsec clients, they each have a
certificate with a unique common <br>
> name. <br>
> <br>
> I want to configure strongswan to give
them a different ip address for <br>
> each client/CN, regardless of what
public ip address they may arrive <br>
> from at the moment, it is a road
warrior config. <br>
> <br>
> I am thinking I can write a plugin like
dhcp to do it for sure, but <br>
> seems like I may have something in the
config that is wrong. I have to <br>
> set uniqueids=no to get two clients to
connect, which makes me think I <br>
> am using something else for the id,
other than the cert subject name. <br>
> <br>
> This error line seems to indicate the
peer is referred to as 'actmobile' <br>
> <br>
> destroying duplicate IKE_SA for peer
'actmobile', received <br>
> INITIAL_CONTACT <br>
> <br>
> in the updown scripts the PLUTO_PEER_ID
does show up properly as <br>
> [C=US, O=strongSwan,
CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307] <br>
> <br>
> All my clients seem to get 172.20.0.1
as their ip address and ipsec <br>
> statusall shows just one SA even when I
have 3 devices connected. <br>
> <br>
> here's the config: <br>
> <br>
> conn ios <br>
> keyexchange=ikev1 <br>
> #esp=null-sha1! <br>
> authby=xauthrsasig <br>
> xauth=server <br>
> #left=%defaultroute <br>
> leftsubnet=<a moz-do-not-send="true"
href="http://0.0.0.0/0" rel="nofollow"
target="_blank">0.0.0.0/0</a> <br>
> #leftsubnet=<a moz-do-not-send="true"
href="http://10.66.0.0/16" rel="nofollow"
target="_blank">10.66.0.0/16</a> <br>
> #leftfirewall=yes <br>
> #lefthostaccess=yes <br>
>
leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
<br>
> leftcert=serverCert.pem <br>
> #right=%any <br>
> rightsourceip=<a moz-do-not-send="true"
href="http://172.20.0.0/16" rel="nofollow"
target="_blank">172.20.0.0/16</a> <br>
> #rightsourceip=<a
moz-do-not-send="true"
href="http://10.100.255.0/28"
rel="nofollow" target="_blank">10.100.255.0/28</a>
<br>
> #rightcert=clientCert.pem <br>
> #pfs=no <br>
> auto=add <br>
> rekey=yes <br>
> fragmentation=yes <br>
> lifetime=24h <br>
> dpddelay=0 <br>
> dpdtimeout=24h <br>
> compress=yes <br>
> <br>
> here's the log output of clients
connecting: <br>
> <br>
> IKE_SA ios[6] established between
10.199.65.236[C=US, ST=California, <br>
> L=New York, O=Internet Widgits Pty Ltd,
OU=ActMobile, <br>
> CN=<a moz-do-not-send="true"
href="http://ipsec.corp.actmobile.com"
rel="nofollow" target="_blank">ipsec.corp.actmobile.com</a>,
<br>
> E=<a moz-do-not-send="true"
href="mailto:support@actmobile.com"
rel="nofollow" target="_blank">support@actmobile.com</a>]...50.197.174.157[C=US,
O=strongSwan, <br>
>
CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307] <br>
> Apr 25 00:12:43 accel charon: 12[IKE]
IKE_SA ios[6] state change: <br>
> CONNECTING => ESTABLISHED <br>
> Apr 25 00:12:43 accel charon: 12[IKE]
scheduling reauthentication in <br>
> 10094s <br>
> Apr 25 00:12:43 accel charon: 12[IKE]
maximum IKE_SA lifetime 10634s <br>
> Apr 25 00:12:43 accel charon: 12[IKE]
activating new tasks <br>
> Apr 25 00:12:43 accel charon: 12[IKE]
nothing to initiate <br>
> Apr 25 00:12:43 accel charon: 12[IKE]
destroying duplicate IKE_SA for <br>
> peer 'actmobile', received
INITIAL_CONTACT <br>
> Apr 25 00:12:43 accel charon: 12[IKE]
IKE_SA ios[5] state change: <br>
> ESTABLISHED => DESTROYING <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
deleting SAD entry with SPI <br>
> c1648e6d (mark 0/0x00000000) <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
deleted SAD entry with SPI <br>
> c1648e6d (mark 0/0x00000000) <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
deleting SAD entry with SPI <br>
> 0d133ab7 (mark 0/0x00000000) <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
deleted SAD entry with SPI <br>
> 0d133ab7 (mark 0/0x00000000) <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
deleting policy <a moz-do-not-send="true"
href="http://0.0.0.0/0" rel="nofollow"
target="_blank">0.0.0.0/0</a> === <br>
> <a moz-do-not-send="true"
href="http://172.20.0.1/32" rel="nofollow"
target="_blank">172.20.0.1/32</a> out
(mark 0/0x00000000) <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
policy still used by another <br>
> CHILD_SA, not removed <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
updating policy <a moz-do-not-send="true"
href="http://0.0.0.0/0" rel="nofollow"
target="_blank">0.0.0.0/0</a> === <br>
> <a moz-do-not-send="true"
href="http://172.20.0.1/32" rel="nofollow"
target="_blank">172.20.0.1/32</a> out
(mark 0/0x00000000) <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
deleting policy <a moz-do-not-send="true"
href="http://172.20.0.1/32" rel="nofollow"
target="_blank">172.20.0.1/32</a> <br>
> === <a moz-do-not-send="true"
href="http://0.0.0.0/0" rel="nofollow"
target="_blank">0.0.0.0/0</a> in (mark
0/0x00000000) <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
policy still used by another <br>
> CHILD_SA, not removed <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
updating policy <a moz-do-not-send="true"
href="http://172.20.0.1/32" rel="nofollow"
target="_blank">172.20.0.1/32</a> <br>
> === <a moz-do-not-send="true"
href="http://0.0.0.0/0" rel="nofollow"
target="_blank">0.0.0.0/0</a> in (mark
0/0x00000000) <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
deleting policy <a moz-do-not-send="true"
href="http://172.20.0.1/32" rel="nofollow"
target="_blank">172.20.0.1/32</a> <br>
> === <a moz-do-not-send="true"
href="http://0.0.0.0/0" rel="nofollow"
target="_blank">0.0.0.0/0</a> fwd (mark
0/0x00000000) <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
policy still used by another <br>
> CHILD_SA, not removed <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
updating policy <a moz-do-not-send="true"
href="http://172.20.0.1/32" rel="nofollow"
target="_blank">172.20.0.1/32</a> <br>
> === <a moz-do-not-send="true"
href="http://0.0.0.0/0" rel="nofollow"
target="_blank">0.0.0.0/0</a> fwd (mark
0/0x00000000) <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
getting a local address in <br>
> traffic selector <a
moz-do-not-send="true"
href="http://0.0.0.0/0" rel="nofollow"
target="_blank">0.0.0.0/0</a> <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
using host %any <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
using 10.199.65.193 as nexthop <br>
> to reach 166.170.42.208 <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
10.199.65.236 is on interface eth0 <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
deleting policy <a moz-do-not-send="true"
href="http://0.0.0.0/0" rel="nofollow"
target="_blank">0.0.0.0/0</a> === <br>
> <a moz-do-not-send="true"
href="http://172.20.0.1/32" rel="nofollow"
target="_blank">172.20.0.1/32</a> out
(mark 0/0x00000000) <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
deleting policy <a moz-do-not-send="true"
href="http://172.20.0.1/32" rel="nofollow"
target="_blank">172.20.0.1/32</a> <br>
> === <a moz-do-not-send="true"
href="http://0.0.0.0/0" rel="nofollow"
target="_blank">0.0.0.0/0</a> in (mark
0/0x00000000) <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
deleting policy <a moz-do-not-send="true"
href="http://172.20.0.1/32" rel="nofollow"
target="_blank">172.20.0.1/32</a> <br>
> === <a moz-do-not-send="true"
href="http://0.0.0.0/0" rel="nofollow"
target="_blank">0.0.0.0/0</a> fwd (mark
0/0x00000000) <br>
> Apr 25 00:12:43 accel charon: 12[KNL]
getting iface index for eth0 <br>
> Apr 25 00:12:43 accel charon: 12[CFG]
lease 172.20.0.1 by 'actmobile' <br>
> went offline <br>
>
_______________________________________________
<br>
> Dev mailing list <br>
> <a moz-do-not-send="true"
href="mailto:Dev@lists.strongswan.org"
rel="nofollow" target="_blank">Dev@lists.strongswan.org</a>
<br>
> <a moz-do-not-send="true"
href="https://lists.strongswan.org/mailman/listinfo/dev"
rel="nofollow" target="_blank">https://lists.strongswan.org/mailman/listinfo/dev</a>
<br>
<br>
</blockquote>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
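<p>The log excerpts quoted in this thread show the uniqueness check ("destroying duplicate IKE_SA for peer 'actmobile'") and the lease bookkeeping ("lease 172.20.0.1 by 'actmobile' went offline") both naming the peer by the XAuth name, while the "IKE_SA ios[N] established between" lines carry the per-device certificate subject. The script below is an added example, not part of the thread and not strongSwan code: it correlates those message types from a charon log and reports every bookkeeping identity that several distinct certificate CNs collapsed onto. It assumes only the message formats quoted above, treats the numeric prefix before [IKE]/[CFG] as the charon worker thread that logged the line (so a "duplicate" message and the "ESTABLISHED =&gt; DESTROYING" transition that follows it on the same thread belong to one exchange), and uses constructed sample logs rather than real captures: one with the shared XAuth name, one with per-device XAuth names.</p>

```python
"""Find out which identity charon used for IKE_SA uniqueness and virtual-IP
lease bookkeeping, and which certificate subjects sat behind that identity.

Added example for the thread above; not strongSwan code.  Assumptions: the
message formats are those quoted in the thread, the number before "[IKE]" /
"[CFG]" is the charon worker thread, and consecutive lines from one thread
belong to the same exchange.  The sample logs are constructed, with every
"established between" line kept on a single line.
"""
import re
from collections import defaultdict

ESTABLISHED = re.compile(
    r"(?P<thread>\d+)\[IKE\] IKE_SA (?P<conn>\w+)\[(?P<sa>\d+)\] established between "
    r"(?P<laddr>[^\s\[]+)\[(?P<lid>[^\]]*)\]\.\.\.(?P<raddr>[^\s\[]+)\[(?P<rid>[^\]]*)\]")
DUPLICATE = re.compile(
    r"(?P<thread>\d+)\[IKE\] destroying duplicate IKE_SA for peer '(?P<id>[^']*)'")
DESTROYING = re.compile(
    r"(?P<thread>\d+)\[IKE\] IKE_SA (?P<conn>\w+)\[(?P<sa>\d+)\] state change: "
    r"ESTABLISHED => DESTROYING")
LEASE_OFF = re.compile(r"\[CFG\] lease (?P<ip>\S+) by '(?P<id>[^']*)' went offline")
NO_VIP = re.compile(r"\[IKE\] no virtual IP found for \S+ requested by '(?P<id>[^']*)'")
CN = re.compile(r"CN=([^,\]]+)")


def remote_cn(dn):
    """Pick the CN out of a DN such as 'C=US, O=strongSwan, CN=IDE-...'."""
    m = CN.search(dn)
    return m.group(1).strip() if m else dn


def analyze(log_text):
    cn_by_sa = {}                    # (conn, sa number) -> remote cert CN
    last_cn_by_thread = {}           # worker thread -> CN of the SA it last established
    pending_dup = {}                 # worker thread -> identity named in a duplicate message
    peers = []                       # (conn, sa, remote address, remote CN)
    identity_cns = defaultdict(set)  # bookkeeping identity -> cert CNs seen behind it
    lease_events = []                # (ip, identity) from lease / virtual-IP messages

    for line in log_text.splitlines():
        if m := ESTABLISHED.search(line):
            cn = remote_cn(m["rid"])
            key = (m["conn"], int(m["sa"]))
            cn_by_sa[key] = cn
            last_cn_by_thread[m["thread"]] = cn
            peers.append((key[0], key[1], m["raddr"], cn))
        elif m := DUPLICATE.search(line):
            # The SA this thread just established is the one that survives...
            if m["thread"] in last_cn_by_thread:
                identity_cns[m["id"]].add(last_cn_by_thread[m["thread"]])
            pending_dup[m["thread"]] = m["id"]
        elif m := DESTROYING.search(line):
            # ...and the next SA torn down on the same thread is the one it replaced.
            ident = pending_dup.pop(m["thread"], None)
            key = (m["conn"], int(m["sa"]))
            if ident and key in cn_by_sa:
                identity_cns[ident].add(cn_by_sa[key])
        elif m := LEASE_OFF.search(line):
            lease_events.append((m["ip"], m["id"]))
        elif m := NO_VIP.search(line):
            lease_events.append(("%any", m["id"]))

    return {
        "peers": peers,
        "identity_cns": {i: sorted(c) for i, c in identity_cns.items()},
        "lease_events": lease_events,
        # An identity several distinct certificate subjects collapsed onto:
        # with uniqueids=yes each new client evicts the previous one.
        "shared_identities": {i: sorted(c) for i, c in identity_cns.items() if len(c) > 1},
    }


# Constructed sample in the thread's log format: two devices with distinct
# certificate CNs, both authenticating with the XAuth name 'actmobile'.
SHARED_XAUTH_LOG = """\
Apr 25 00:12:40 accel charon: 11[IKE] IKE_SA ios[5] established between 10.199.65.236[C=US, O=Internet Widgits Pty Ltd, CN=ipsec.corp.actmobile.com]...166.170.42.208[C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
Apr 25 00:12:40 accel charon: 11[IKE] IKE_SA ios[5] state change: CONNECTING => ESTABLISHED
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] established between 10.199.65.236[C=US, O=Internet Widgits Pty Ltd, CN=ipsec.corp.actmobile.com]...50.197.174.157[C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292]
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] state change: CONNECTING => ESTABLISHED
Apr 25 00:12:43 accel charon: 12[IKE] destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[5] state change: ESTABLISHED => DESTROYING
Apr 25 00:12:43 accel charon: 12[CFG] lease 172.20.0.1 by 'actmobile' went offline
"""

# Same two devices after giving each its own XAuth name (constructed): no
# duplicate is destroyed and the lease is accounted to the device identity.
UNIQUE_XAUTH_LOG = """\
Apr 25 14:30:40 accel charon: 11[IKE] IKE_SA ios[5] established between 10.199.65.236[C=US, O=Internet Widgits Pty Ltd, CN=ipsec.corp.actmobile.com]...166.170.42.208[C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
Apr 25 14:30:52 accel charon: 15[IKE] IKE_SA ios[6] established between 10.199.65.236[C=US, O=Internet Widgits Pty Ltd, CN=ipsec.corp.actmobile.com]...50.197.174.157[C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292]
Apr 25 14:45:01 accel charon: 09[CFG] lease 172.20.0.1 by 'IDE-4B53-E547-4C2A-A2B7-78D2BA436307' went offline
"""

if __name__ == "__main__":
    for name, log in (("shared XAuth name", SHARED_XAUTH_LOG),
                      ("per-device XAuth name", UNIQUE_XAUTH_LOG)):
        r = analyze(log)
        print(f"== {name}: {len(r['peers'])} IKE_SAs, leases held by "
              f"{sorted({i for _, i in r['lease_events']})}")
        for ident, cns in r["shared_identities"].items():
            print(f"   identity {ident!r} shared by {len(cns)} certificate subjects: {cns}")
```

<p>Run it as a script for the two constructed cases, or pass analyze() the charon lines from syslog after rejoining any DN that syslog wrapped across lines (the thread's own excerpt is wrapped that way). An identity that appears under shared_identities is the one every client is being tracked by; as the thread found, giving each device its own XAuth name makes the entries under lease_events line up with the certificate CNs again.</p>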
<br>
</body>
</html>