[strongSwan] host to subnet support

Michael C. Cambria mcc at fid4.com
Fri Sep 26 00:16:42 CEST 2014


Hi,

I've been able to successfully set up subnet to subnet connections using 
IKEv2 and a self-signed cert.  StrongSwan is used at both ends.

Using the same systems, I'm having some problems getting host-to-subnet 
to work in certain cases.  Host-to-subnet is the desired configuration.

Here is the host to host config which works:

conn clinetnet
         left=%defaultroute
         lefthostaccess=yes
         leftsubnet=192.168.1.0/24
         leftfirewall=yes
         right=132.197.247.50
         rightsubnet=172.16.0.0/16
         auto=route

conn srvnetnet
         left=132.197.247.50
         leftsubnet=172.16.0.0/16
         leftfirewall=yes
         right=%any
         rightsubnet=192.168.1.0/24
         righthostaccess=yes
         auto=route


I thought all I need to do is remove leftsubnet= from the "client" 
ipsec.conf and rightsubnet= from the "server", but that works in one 
case and fails in another.

So I'd like to know if host-to-subnet is supposed to be configured this 
way or not before digging any further.  If it should work, it seems the 
failing case uses NAT in the path between the two machines.  NAT works 
for the subnet-to-subnet configuration.  The failure only happens with 
the host-to-subnet config.

In the failing case, the client receives:

received TS_UNACCEPTABLE notify, no CHILD_SA built

The server log shows (10.1.2.180 is the IPv4 address of the client):

charon: 13[CFG] looking for a child config for 172.16.0.0/16 === 10.1.2.180/32
charon: 09[CFG] proposing traffic selectors for us:
charon: 09[CFG]  172.16.0.0/16
charon: 09[CFG] proposing traffic selectors for other:
charon: 09[CFG]  <IPv4 address of NAT device>/32
charon: 09[IKE] traffic selectors 172.16.0.0/16 === 10.1.2.180/32 inacceptable
charon: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA


In the working case, NAT isn't involved.  The working case server log shows:

charon: 13[CFG] looking for a child config for 172.16.0.0/16 === 10.1.2.180/32
charon: 13[CFG] proposing traffic selectors for us:
charon: 13[CFG]  172.16.0.0/16
charon: 13[CFG] proposing traffic selectors for other:
charon: 13[CFG]  10.1.2.180/32
charon: 13[CFG]   candidate "srvnetnet" with prio 5+5
charon: 13[CFG] found matching child config "srvnetnet" with prio 10

Should this work?  Is there more I need to configure?

Thanks for any help,
MikeC
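As an added example (not part of the post and not strongSwan's own code), a small Python parser that reads the two charon CFG traces quoted above and reports which side's requested traffic selector is not covered by any selector the responder's config offers, which is the condition behind a TS_UNACCEPTABLE reply. The logs are constructed from the post; 203.0.113.7 is an assumed stand-in for the redacted NAT device address.

```python
import ipaddress
import re

# Constructed sample logs, reproducing the two server logs quoted in the post.
# 203.0.113.7 is an assumed stand-in for the "<IPv4 address of NAT device>"
# that the poster redacted in the failing case.
FAILING_LOG = """\
charon: 13[CFG] looking for a child config for 172.16.0.0/16 === 10.1.2.180/32
charon: 09[CFG] proposing traffic selectors for us:
charon: 09[CFG]  172.16.0.0/16
charon: 09[CFG] proposing traffic selectors for other:
charon: 09[CFG]  203.0.113.7/32
charon: 09[IKE] traffic selectors 172.16.0.0/16 === 10.1.2.180/32 inacceptable
"""
WORKING_LOG = """\
charon: 13[CFG] looking for a child config for 172.16.0.0/16 === 10.1.2.180/32
charon: 13[CFG] proposing traffic selectors for us:
charon: 13[CFG]  172.16.0.0/16
charon: 13[CFG] proposing traffic selectors for other:
charon: 13[CFG]  10.1.2.180/32
charon: 13[CFG] found matching child config "srvnetnet" with prio 10
"""

LOOKING = re.compile(r"looking for a child config for (\S+) === (\S+)")
PROPOSING = re.compile(r"proposing traffic selectors for (us|other):")
SELECTOR = re.compile(r"\[CFG\]\s+(\d+(?:\.\d+){3}/\d+)\s*$")

def parse_selectors(log):
    """Split a charon CFG trace into the TS the peer requested (from the
    'looking for a child config' line) and the TS this side's config offers
    (the lines after each 'proposing traffic selectors' header)."""
    requested, proposed, side = {}, {"us": [], "other": []}, None
    for line in log.splitlines():
        if m := LOOKING.search(line):
            requested["us"] = ipaddress.ip_network(m.group(1))
            requested["other"] = ipaddress.ip_network(m.group(2))
        elif m := PROPOSING.search(line):
            side = m.group(1)
        elif (m := SELECTOR.search(line)) and side:
            proposed[side].append(ipaddress.ip_network(m.group(1)))
    return requested, proposed

def diagnose(log):
    """Return one (side, requested, offered) tuple per side whose requested
    TS lies inside none of the offered TS; charon then cannot narrow the
    selectors and answers TS_UNACCEPTABLE. An empty list means they fit."""
    requested, proposed = parse_selectors(log)
    return [(side, str(requested[side]), [str(p) for p in proposed[side]])
            for side in ("us", "other")
            if not any(requested[side].subnet_of(p) for p in proposed[side])]
```

Run against the failing trace it flags the "other" side: the client asks for 10.1.2.180/32 while the server, with rightsubnet removed, offers only the address it sees the IKE traffic coming from.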
