<html><body><div style="color:#000; background-color:#fff; font-family:lucida console, sans-serif;font-size:12pt"><div></div><span><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Hi Martin,<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Thanks for yours response. <span style="mso-spacerun: yes;"> </span><o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>In our topology , the traffic selectors for the would be 10.0.0.0/8
and 40.0.0.0/8, defining the two subnets that are to be connected by the IPSec
tunnel are not aware that their respective VPN gateways (Say A and B) with
external IP addresses 30.30.30.11 and 30.30.30.21 tunnel all traffic between
the subnets by encrypting them according to the IPsec Encapsulated Security
Payload (ESP). The clients <span style="mso-spacerun: yes;"> </span>which are
part of the 10.0.0.0/8 subnet hidden behind gateway A (acts as an IKE
Initiator) <span style="mso-spacerun: yes;"> </span>whereas some clients belong
to the 40.0.0.0/8 subnet located behind gateway B (acts as an IKE responder).<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>I configured initiator_tsr in strongswan.conf (at IKE
initiator) end and leftsubnet to 40.0.0.0/8 in ipsec.conf (at IKE responder)
and tested with five IPSec tunnels (using load-tester plugin). What I find from
the output of #ipsec statusall, it does allow restricting the IP address ranges
to only specific IP address (i.e., 40.0.0.0). Please see the below logs. Does IKEv2 Charon keying daemon
(IKE Responder) chooses subset of the traffic selector proposed by the initiator?
As a result, the traffics (UDP) sent by hosts/nodes on <span style="mso-spacerun: yes;"> </span>40.0.0.0/8 subnet behind gateway B are not
getting passed through the IPsec tunnel. <o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Connections:<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1:<span style="mso-spacerun: yes;"> </span>30.30.30.21...%any<span style="mso-spacerun: yes;"> </span>IKEv2<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1:<span style="mso-spacerun: yes;"> </span>local:<span style="mso-spacerun: yes;">
</span>[srv.strongswan.org] uses pre-shared key authentication<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1:<span style="mso-spacerun: yes;"> </span>remote: uses pre-shared key authentication<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1:<span style="mso-spacerun: yes;"> </span>child:<span style="mso-spacerun: yes;">
</span>40.0.0.0/8 === dynamic TUNNEL<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Security Associations (5 up, 0 connecting):<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1[4]:
ESTABLISHED 8 seconds ago,
30.30.30.21[srv.strongswan.org]...30.30.30.11[c3-r1.strongswan.org]<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1[4]: IKEv2
SPIs: 11d068db7fd9a986_i 5bded75e6a201c60_r*, pre-shared key reauthentication
in 7 hours<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span>host1[4]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1{1}:<span style="mso-spacerun: yes;"> </span>INSTALLED, TUNNEL, ESP SPIs: ce7dac8b_i
cf8aba7d_o<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1{1}:<span style="mso-spacerun: yes;"> </span>AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0
bytes_o, rekeying in 5 hours<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1{1}:<span style="mso-spacerun: yes;"> </span>40.0.0.0/8 === 10.0.0.1/32 <o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1[5]:
ESTABLISHED 8 seconds ago,
30.30.30.21[srv.strongswan.org]...30.30.30.11[c4-r1.strongswan.org]<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1[5]: IKEv2
SPIs: 0dcc0f4f567d0ac5_i 9c7eeb321be75a81_r*, pre-shared key reauthentication
in 7 hours<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1[5]: IKE
proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1{4}:<span style="mso-spacerun: yes;"> </span>INSTALLED, TUNNEL, ESP SPIs: c1c26829_i
c7626569_o<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1{4}:<span style="mso-spacerun: yes;"> </span>AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0
bytes_o, rekeying in 5 hours<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1{4}:<span style="mso-spacerun: yes;"> </span>40.0.0.0/8 === 10.0.0.4/32 <o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1[2]:
ESTABLISHED 8 seconds ago,
30.30.30.21[srv.strongswan.org]...30.30.30.11[c1-r1.strongswan.org]<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1[2]: IKEv2
SPIs: 8ac3036e0c76cf4e_i c56b5c5815d619a6_r*, pre-shared key reauthentication
in 7 hours<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1[2]: IKE
proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1{3}:<span style="mso-spacerun: yes;"> </span>INSTALLED, TUNNEL, ESP SPIs: c225d017_i
c126a6b4_o<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1{3}:<span style="mso-spacerun: yes;"> </span>AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0
bytes_o, rekeying in 5 hours<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1{3}:<span style="mso-spacerun: yes;"> </span>40.0.0.0/8 === 10.0.0.3/32 <o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1[6]:
ESTABLISHED 8 seconds ago,
30.30.30.21[srv.strongswan.org]...30.30.30.11[c5-r1.strongswan.org]<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1[6]: IKEv2
SPIs: 0205f7ce519a4119_i 3bd37c17bd073ec9_r*, pre-shared key reauthentication
in 7 hours<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span>host1[6]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1{2}:<span style="mso-spacerun: yes;"> </span>INSTALLED, TUNNEL, ESP SPIs: c7aa2737_i
c890e192_o<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1{2}:<span style="mso-spacerun: yes;"> </span>AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0
bytes_o, rekeying in 5 hours<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1{2}:<span style="mso-spacerun: yes;"> </span>40.0.0.0/8 === 10.0.0.2/32 <o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1[3]:
ESTABLISHED 8 seconds ago,
30.30.30.21[srv.strongswan.org]...30.30.30.11[c2-r1.strongswan.org]<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1[3]: IKEv2
SPIs: e0a523bdfa742f04_i 49dc42f7aba6388f_r*, pre-shared key reauthentication
in 7 hours<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1[3]: IKE
proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1{5}:<span style="mso-spacerun: yes;"> </span>INSTALLED, TUNNEL, ESP SPIs: c0656cd8_i
c7166b80_o<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1{5}:<span style="mso-spacerun: yes;"> </span>AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0
bytes_o, rekeying in 5 hours<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>host1{5}:<span style="mso-spacerun: yes;"> </span>40.0.0.0/8 === 10.0.0.5/32<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Can I <span style="mso-spacerun: yes;"> </span>tunnel all
traffic from subnet 40.* host address range (40.0.0.1 - 40.255.255.254) on the
responder's side to subnet 10.* & host address range (10.0.0.1 -
10.255.255.254) on the initiator's side using load-tester plugin (strongswan
5.0.4)?.<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p> </o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Regards,<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div><div class="MsoNormal" style="margin: 0cm 0cm 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Chinmaya<o:p></o:p></span></div><div><font face="Times New Roman">
</font></div></span><div></div><div><br></div> <div style="font-family: lucida console, sans-serif; font-size: 12pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <div class="hr" style="margin: 5px 0px; padding: 0px; border: 1px solid rgb(204, 204, 204); height: 0px; line-height: 0; font-size: 0px;" contenteditable="false" readonly="true"></div> <font face="Arial" size="2"> <b><span style="font-weight: bold;">From:</span></b> Martin Willi <martin@strongswan.org><br> <b><span style="font-weight: bold;">To:</span></b> Chinmaya Dwibedy <ckdwibedy@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> "users@lists.strongswan.org" <users@lists.strongswan.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Monday, August 26, 2013 1:50 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [strongSwan] Issue with net-net scenario with load-tester
plugin (using strongSwan 5.0.4)<br> </font> </div> <div class="y_msg_container"><br>Hi,<br><br>> what I see with load-tester is that TSr is by default the remote IP <br>> address (as it is configured in strongswan.conf).<br><br>Yes.<br><br>> I need to send the traffic from host behind Y to host behind X and<br>> vice-versa via IPsec tunnels established between A and B.<br><br>Custom traffic selectors in load-tester are supported since 5.0.2, see<br>[1]. Use the initiator_tsr option to propose a custom TSr as initiator.<br><br>Regards<br>Martin<br><br>[1]<a href="http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests#Traffic-selectors" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests#Traffic-selectors</a><br><br><br><br><br></div> </div> </div> </div></body></html>