<div dir="ltr"><br><font><span style="font-size:10pt">Hi,<br>
<br>
I am facing an issue with strongSwan IKEv2 in establishing connections when right=0.0.0.0 is configured.<br>
<br>
My setup is like this:<br>
<br>
[ Responder ] 10.63.20.123<br>
[ Initiator_1 ] 10.63.53.206<br>
[ Initiator_2 ] 10.63.53.211<br>
<br>
<br>
On the responder side, only a single connection is configured in ipsec.conf:<br>
left=10.63.20.123<br>
right=0.0.0.0<br>
leftsubnet=10.63.20.0/24<br>
rightsubnet=10.63.53.0/24<br>
<br>
<br>
Both initiators will send ICMP requests to the responder, and the responder should send replies back.<br>
<br>
Initially, when I start traffic from initiator_1, CHILD_SAs are established and request/reply works fine.<br>
Now, when I start traffic from initiator_2, new CHILD_SAs are established and request/reply works for initiator_2,<br>
but the responder stops sending replies to initiator_1.<br>
I.e. at any one time the responder is sending replies to only one initiator.<br>
<br>
I am sharing the ipsec.conf files used on all three nodes.<br>
Could you please help check whether any parameter needs to be changed?<br>
Or is this kind of configuration not supported?<br>
<br>
ipsec.conf files:<br>
=================<br>
<br>
Responder:<br>
----------<br>
config setup<br>
    charonstart=yes<br>
    plutostart=no<br>
    uniqueids=no<br>
    charondebug="knl 0,enc 0,net 0"<br>
<br>
conn %default<br>
    auto=route<br>
    keyexchange=ikev2<br>
    reauth=no<br>
<br>
conn r1~v1<br>
    rekeymargin=500<br>
    rekeyfuzz=100%<br>
    left=10.63.20.123<br>
    right=0.0.0.0<br>
    leftsubnet=10.63.20.0/24<br>
    rightsubnet=10.63.53.0/24<br>
    leftprotoport=1<br>
    rightprotoport=1<br>
    authby=secret<br>
    leftid=10.63.20.123<br>
    rightid=%any<br>
    ike=aes128-sha1-modp768!<br>
    esp=3des-md5!<br>
    type=tunnel<br>
    ikelifetime=10000s<br>
    keylife=5000s<br>
    mobike=no<br>
    auto=route<br>
    reauth=no<br>
    encapdscp=yes<br>
<br>
<br>
Initiator_1:<br>
-----------<br>
config setup<br>
    charonstart=yes<br>
    plutostart=no<br>
    uniqueids=no<br>
    charondebug="knl 0,enc 0,net 0"<br>
<br>
conn %default<br>
    auto=route<br>
    keyexchange=ikev2<br>
    reauth=no<br>
<br>
conn r1~v1<br>
    rekeymargin=500<br>
    rekeyfuzz=100%<br>
    left=10.63.53.206<br>
    right=10.63.20.123<br>
    leftsubnet=10.63.53.0/24<br>
    rightsubnet=10.63.20.0/24<br>
    leftprotoport=1<br>
    rightprotoport=1<br>
    authby=secret<br>
    leftid=10.63.53.206<br>
    rightid=%any<br>
    ike=aes128-sha1-modp768!<br>
    esp=3des-md5!<br>
    type=tunnel<br>
    ikelifetime=10000s<br>
    keylife=5000s<br>
    mobike=no<br>
    auto=route<br>
    reauth=no<br>
    encapdscp=yes<br>
<br>
Initiator_2:<br>
------------<br>
config setup<br>
    charonstart=yes<br>
    plutostart=no<br>
    uniqueids=no<br>
    charondebug="knl 0,enc 0,net 0"<br>
<br>
conn %default<br>
    auto=route<br>
    keyexchange=ikev2<br>
    reauth=no<br>
<br>
conn r1~v1<br>
    rekeymargin=500<br>
    rekeyfuzz=100%<br>
    left=10.63.53.211<br>
    right=10.63.20.123<br>
    leftsubnet=10.63.53.0/24<br>
    rightsubnet=10.63.20.0/24<br>
    leftprotoport=1<br>
    rightprotoport=1<br>
    authby=secret<br>
    leftid=10.63.53.211<br>
    rightid=%any<br>
    ike=aes128-sha1-modp768!<br>
    esp=3des-md5!<br>
    type=tunnel<br>
    ikelifetime=10000s<br>
    keylife=5000s<br>
    mobike=no<br>
    auto=route<br>
    reauth=no<br>
    encapdscp=yes<br>
<br>
<br>
strongswan.conf (same for all 3 nodes)<br>
----------------<br>
charon {<br>
    reuse_ikesa=no<br>
    install_routes=no<br>
    block_threshold=50<br>
    cookie_threshold=100<br>
}<br>
<br>
Logs:<br>
=====<br>
<br>
# starter --nofork &<br>
[1] 24025<br>
Starting strongSwan 4.3.6 IPsec [starter]...<br>
[root@CFPU-0(BCNBlr34) /root]<br>
# 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)<br>
00[CFG] loading ca certificates from '/etc/ipsec/certs/ipsec.d/cacerts'<br>
00[CFG] loading aa certificates from '/etc/ipsec/certs/ipsec.d/aacerts'<br>
00[CFG] loading ocsp signer certificates from '/etc/ipsec/certs/ipsec.d/ocspcerts'<br>
00[CFG] loading attribute certificates from '/etc/ipsec/certs/ipsec.d/acerts'<br>
00[CFG] loading crls from '/etc/ipsec/certs/ipsec.d/crls'<br>
00[CFG] loading secrets from '/etc/ipsec.secrets'<br>
00[CFG] loaded IKE secret for %any<br>
00[DMN] loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc stroke kernel-netlink<br>
00[JOB] spawning 16 worker threads<br>
charon (24032) started after 40 ms<br>
02[CFG] received stroke: add connection 'r1~v1'<br>
02[CFG] added configuration 'r1~v1'<br>
08[CFG] rereading secrets<br>
08[CFG] loading secrets from '/etc/ipsec.secrets'<br>
08[CFG] loaded IKE secret for %any<br>
08[CFG] rereading ca certificates from '/etc/ipsec/certs/ipsec.d/cacerts'<br>
08[CFG] rereading ocsp signer certificates from '/etc/ipsec/certs/ipsec.d/ocspcerts'<br>
08[CFG] rereading aa certificates from '/etc/ipsec/certs/ipsec.d/aacerts'<br>
08[CFG] rereading attribute certificates from '/etc/ipsec/certs/ipsec.d/acerts'<br>
08[CFG] rereading crls from '/etc/ipsec/certs/ipsec.d/crls'<br>
09[CFG] received stroke: route 'r1~v1'<br>
configuration 'r1~v1' routed<br>
<br>
<br>
# ip xfrm policy<br>
10.63.53.0/24[0] 10.63.20.0/24[0]<br>
upspec 1 dev (none) uid 0<br>
in allow index 0x00000558 priority 2758 share any flags 0x00000000<br>
tmpl-1:<br>
0.0.0.0 10.63.20.123<br>
esp spi 0(0x00000000) reqid 1 tunnel<br>
level required share any algo-mask:E=32, A=32, C=32<br>
fpid 0x00000024<br>
policy type main<br>
10.63.20.0/24[0] 10.63.53.0/24[0]<br>
upspec 1 dev (none) uid 0<br>
out allow index 0x00000551 priority 2758 share any flags 0x00000000<br>
tmpl-1:<br>
10.63.20.123 0.0.0.0<br>
esp spi 0(0x00000000) reqid 1 tunnel<br>
level required share any algo-mask:E=32, A=32, C=32<br>
fpid 0x00000023<br>
policy type main<br>
<br>
# ip xfrm state<br>
# echo "starting traffic from initiator_1"<br>
starting traffic from initiator_1<br>
# 13[IKE] 10.63.53.206 is initiating an IKE_SA<br>
14[CFG] looking for peer configs matching 10.63.20.123[(vr*)%any]...10.63.53.206[(vr*)10.63.53.206]<br>
14[CFG] selected peer config 'r1~v1'<br>
14[IKE] authentication of '(vr*)10.63.53.206' with pre-shared key successful<br>
14[IKE] authentication of '(vr*)10.63.20.123' (myself) with pre-shared key<br>
14[IKE] IKE_SA r1~v1[1] established between 10.63.20.123[(vr*)10.63.20.123]...10.63.53.206[(vr*)10.63.53.206]<br>
14[IKE] scheduling rekeying in 9026s<br>
14[IKE] maximum IKE_SA lifetime 9526s<br>
14[IKE] CHILD_SA r1~v1{2} established with SPIs c82689f5_i ccf52265_o and TS 10.63.20.0/24[icmp] === 10.63.53.0/24[icmp]<br>
<br>
# ip xfrm policy<br>
10.63.53.0/24[0] 10.63.20.0/24[0]<br>
upspec 1 dev (none) uid 0<br>
in allow index 0x00000558 priority 1758 share any flags 0x00000000<br>
tmpl-1:<br>
10.63.53.206 10.63.20.123<br>
esp spi 0(0x00000000) reqid 2 tunnel<br>
level required share any algo-mask:E=32, A=32, C=32<br>
fpid 0x00000024<br>
policy type main<br>
10.63.20.0/24[0] 10.63.53.0/24[0]<br>
upspec 1 dev (none) uid 0<br>
out allow index 0x00000551 priority 1758 share any flags 0x00000000<br>
tmpl-1:<br>
10.63.20.123 10.63.53.206<br>
esp spi 0(0x00000000) reqid 2 tunnel<br>
level required share any algo-mask:E=32, A=32, C=32<br>
fpid 0x00000023<br>
policy type main<br>
<br>
# ip xfrm state<br>
10.63.20.123 10.63.53.206<br>
esp spi 3438617189(0xccf52265) reqid 2 tunnel<br>
A:hmac(md5) 5e7978f 567189b ef99bdc f6574fa<br>
auth-trunc-len: 96<br>
E:cbc(des3_ede) 378b326 f1211d12 a991dab d94ed64f b6f5a1b3 66fde6a5<br>
fpid 0x000001a4<br>
fp_output_blade 1<br>
10.63.53.206 10.63.20.123<br>
esp spi 3357968885(0xc82689f5) reqid 2 tunnel<br>
A:hmac(md5) a793651a b1f11537 e8a634d6 71346779<br>
auth-trunc-len: 96<br>
E:cbc(des3_ede) 42dd3aa d3d38d32 a34ba5cb b6fc5e7e 93695117 e9ffdd7<br>
fpid 0x000001a3<br>
fp_output_blade 1<br>
<br>
# tcpdump -nni eth0 host 10.63.53.206 -c 5<br>
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes<br>
09:37:04.298926 IP 10.63.53.206 > 10.63.20.123: ESP(spi=0xc82689f5,seq=0x2a)<br>
09:37:04.298926 IP 10.63.53.206 > 10.63.20.123: icmp 64: echo request seq 43<br>
09:37:04.299128 IP 10.63.20.123 > 10.63.53.206: ESP(spi=0xccf52265,seq=0x22)<br>
09:37:06.298861 IP 10.63.53.206 > 10.63.20.123: ESP(spi=0xc82689f5,seq=0x2c)<br>
<br>
<br>
# echo "starting traffic from initiator_2"<br>
starting traffic from initiator_2<br>
# 01[IKE] 10.63.53.211 is initiating an IKE_SA<br>
07[CFG] looking for peer configs matching 10.63.20.123[(vr*)%any]...10.63.53.211[(vr*)10.63.53.211]<br>
07[CFG] selected peer config 'r1~v1'<br>
07[IKE] authentication of '(vr*)10.63.53.211' with pre-shared key successful<br>
07[IKE] authentication of '(vr*)10.63.20.123' (myself) with pre-shared key<br>
07[IKE] IKE_SA r1~v1[2] established between 10.63.20.123[(vr*)10.63.20.123]...10.63.53.211[(vr*)10.63.53.211]<br>
07[IKE] scheduling rekeying in 9171s<br>
07[IKE] maximum IKE_SA lifetime 9671s<br>
07[IKE] CHILD_SA r1~v1{3} established with SPIs c88a872f_i c8860ce1_o and TS 10.63.20.0/24[icmp] === 10.63.53.0/24[icmp]<br>
<br>
<br>
# ip xfrm policy<br>
10.63.53.0/24[0] 10.63.20.0/24[0]<br>
upspec 1 dev (none) uid 0<br>
in allow index 0x00000558 priority 1758 share any flags 0x00000000<br>
tmpl-1:<br>
10.63.53.211 10.63.20.123<br>
esp spi 0(0x00000000) reqid 3 tunnel<br>
level required share any algo-mask:E=32, A=32, C=32<br>
fpid 0x00000024<br>
policy type main<br>
10.63.20.0/24[0] 10.63.53.0/24[0]<br>
upspec 1 dev (none) uid 0<br>
out allow index 0x00000551 priority 1758 share any flags 0x00000000<br>
tmpl-1:<br>
10.63.20.123 10.63.53.211<br>
esp spi 0(0x00000000) reqid 3 tunnel<br>
level required share any algo-mask:E=32, A=32, C=32<br>
fpid 0x00000023<br>
policy type main<br>
<br>
# ip xfrm state<br>
10.63.20.123 10.63.53.211<br>
esp spi 3364228321(0xc8860ce1) reqid 3 tunnel<br>
A:hmac(md5) 09afd5c d4c77bba 39f8385a c78e71b7<br>
auth-trunc-len: 96<br>
E:cbc(des3_ede) b2416051 52e2413c 38b4d739 f5f65dc2 f3cdfdb 30187da4<br>
fpid 0x000001a6<br>
fp_output_blade 1<br>
10.63.53.211 10.63.20.123<br>
esp spi 3364521775(0xc88a872f) reqid 3 tunnel<br>
A:hmac(md5) 5c54462 7afdd45a 945c9f1d 5d98f9b0<br>
auth-trunc-len: 96<br>
E:cbc(des3_ede) d0577f 9a15bc9a 4ae3f0a5 b159a334 761f3e17 53826c4<br>
fpid 0x000001a5<br>
fp_output_blade 1<br>
10.63.20.123 10.63.53.206<br>
esp spi 3438617189(0xccf52265) reqid 2 tunnel<br>
A:hmac(md5) 5e7978f 567189b ef99bdc f6574fa<br>
auth-trunc-len: 96<br>
E:cbc(des3_ede) 378b326 f1211d12 a991dab d94ed64f b6f5a1b3 66fde6a5<br>
fpid 0x000001a4<br>
fp_output_blade 1<br>
10.63.53.206 10.63.20.123<br>
esp spi 3357968885(0xc82689f5) reqid 2 tunnel<br>
A:hmac(md5) a793651a b1f11537 e8a634d6 71346779<br>
auth-trunc-len: 96<br>
E:cbc(des3_ede) 42dd3aa d3d38d32 a34ba5cb b6fc5e7e 93695117 e9ffdd7<br>
fpid 0x000001a3<br>
fp_output_blade 1<br>
<br>
# tcpdump -nni eth0 host 10.63.53.206 -c 5<br>
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes<br>
09:37:53.302254 IP 10.63.53.206 > 10.63.20.123: ESP(spi=0xc82689f5,seq=0x5b)<br>
09:37:53.302254 IP 10.63.53.206 > 10.63.20.123: icmp 64: echo request seq 92<br>
09:37:54.302243 IP 10.63.53.206 > 10.63.20.123: ESP(spi=0xc82689f5,seq=0x5c)<br>
09:37:54.302243 IP 10.63.53.206 > 10.63.20.123: icmp 64: echo request seq 93<br>
<br>
# tcpdump -nni eth0 host 10.63.53.211 -c 5<br>
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes<br>
09:38:12.843102 IP 10.63.53.211 > 10.63.20.123: ESP(spi=0xc88a872f,seq=0x28)<br>
09:38:12.843102 IP 10.63.53.211 > 10.63.20.123: icmp 64: echo request seq 41<br>
09:38:12.843327 IP 10.63.20.123 > 10.63.53.211: ESP(spi=0xc8860ce1,seq=0x20)<br>
09:38:13.843095 IP 10.63.53.211 > 10.63.20.123: ESP(spi=0xc88a872f,seq=0x29)<br>
#<br>
<br><br></span></font></div>
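The `ip xfrm` listings in the post already contain the diagnosis. After initiator_2 connects, the responder still has exactly one policy per direction for 10.63.20.0/24 === 10.63.53.0/24, but its template now names 10.63.53.211 with reqid 3; the reqid 2 SAs towards 10.63.53.206 are still present in `ip xfrm state`, yet no policy template points at them, so the kernel can neither select them for outbound replies nor accept packets decrypted with them. The Linux SPD holds one policy per selector and direction, so two peers that both claim the same `rightsubnet` behind a `right=0.0.0.0` responder cannot both remain reachable. The script below is an added example (editor's code, not from the post and not strongSwan's) that makes this check mechanical: it parses `ip xfrm policy` and `ip xfrm state` output, mirrors the kernel's template-to-SA match (exact dst, src exact or wildcard 0.0.0.0, reqid exact or 0), and lists every SA that no template selects. It accepts the post's vendor-modified output shape and also the `src`/`dst`/`dir`/`tmpl`/`proto`/`mode` keywords of stock iproute2; the embedded sample is copied from the post's second policy and state listings, with key material and the vendor-specific lines removed.

```python
"""Cross-check `ip xfrm policy` against `ip xfrm state` and list the SAs that no
policy template selects. Added example, not code from the post or from strongSwan."""
import re
from dataclasses import dataclass, field

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
SEL_RE = re.compile(rf"^(?:src\s+)?({IP}/\d+)\S*\s+(?:dst\s+)?({IP}/\d+)")      # policy selector line
PAIR_RE = re.compile(rf"^(?:tmpl\s+)?(?:src\s+)?({IP})\s+(?:dst\s+)?({IP})\s*$")  # endpoint pair line
DIR_RE = re.compile(r"^(?:dir\s+)?(in|out|fwd)\b")
REQID_RE = re.compile(r"\breqid\s+(\d+)\b")
SPI_RE = re.compile(r"\bspi\s+(?:\d+\()?(0x[0-9a-fA-F]+)")  # "spi 3438617189(0xccf52265)" or "spi 0xccf52265"

@dataclass(frozen=True)
class Template:
    src: str    # "0.0.0.0" = any remote address (xfrm permits this for inbound templates)
    dst: str
    reqid: int  # 0 = any reqid

@dataclass
class Policy:
    src_sel: str
    dst_sel: str
    direction: str = "?"
    templates: list = field(default_factory=list)

@dataclass(frozen=True)
class State:
    src: str
    dst: str
    spi: str
    reqid: int

def parse_policies(text):
    """One Policy per selector block; a template is an endpoint pair line plus the reqid line."""
    policies, cur, pending = [], None, None
    for line in map(str.strip, text.splitlines()):
        if m := SEL_RE.match(line):
            cur = Policy(m.group(1), m.group(2))
            policies.append(cur)
            pending = None
        elif cur and (m := DIR_RE.match(line)):
            cur.direction = m.group(1)
        elif cur and (m := PAIR_RE.match(line)):
            pending = (m.group(1), m.group(2))
        elif cur and pending and (m := REQID_RE.search(line)):
            cur.templates.append(Template(*pending, int(m.group(1))))
            pending = None
    return policies

def parse_states(text):
    """One State per SA: the endpoint pair line followed by the spi/reqid line."""
    states, pending = [], None
    for line in map(str.strip, text.splitlines()):
        if m := PAIR_RE.match(line):
            pending = (m.group(1), m.group(2))
        elif pending and (spi := SPI_RE.search(line)) and (rq := REQID_RE.search(line)):
            states.append(State(*pending, spi.group(1).lower(), int(rq.group(1))))
            pending = None
    return states

def template_selects(t, s):
    """Kernel-style template/SA match: reqid (0 = any), exact dst, src exact or wildcard."""
    return t.reqid in (0, s.reqid) and t.dst == s.dst and t.src in (s.src, "0.0.0.0")

def find_unreachable_sas(policy_text, state_text):
    """SAs selected by no policy template: outbound traffic can never use them and
    packets decrypted with them fail the inbound policy check."""
    policies, states = parse_policies(policy_text), parse_states(state_text)
    return [s for s in states
            if not any(template_selects(t, s) for p in policies for t in p.templates)]

# Copied from the post: the responder's `ip xfrm policy` after initiator_2 connected
# (upspec/level/fpid/"policy type" lines dropped; the parser ignores them anyway).
POLICY_AFTER_INITIATOR_2 = """\
10.63.53.0/24[0] 10.63.20.0/24[0]
in allow index 0x00000558 priority 1758 share any flags 0x00000000
tmpl-1:
10.63.53.211 10.63.20.123
esp spi 0(0x00000000) reqid 3 tunnel
10.63.20.0/24[0] 10.63.53.0/24[0]
out allow index 0x00000551 priority 1758 share any flags 0x00000000
tmpl-1:
10.63.20.123 10.63.53.211
esp spi 0(0x00000000) reqid 3 tunnel
"""
# Copied from the post's matching `ip xfrm state` (key material and fpid lines omitted).
STATE_AFTER_INITIATOR_2 = """\
10.63.20.123 10.63.53.211
esp spi 3364228321(0xc8860ce1) reqid 3 tunnel
10.63.53.211 10.63.20.123
esp spi 3364521775(0xc88a872f) reqid 3 tunnel
10.63.20.123 10.63.53.206
esp spi 3438617189(0xccf52265) reqid 2 tunnel
10.63.53.206 10.63.20.123
esp spi 3357968885(0xc82689f5) reqid 2 tunnel
"""

if __name__ == "__main__":
    for s in find_unreachable_sas(POLICY_AFTER_INITIATOR_2, STATE_AFTER_INITIATOR_2):
        print(f"SA {s.spi} {s.src} -> {s.dst} (reqid {s.reqid}) is selected by no policy template")
```

Run against the post's data, the script reports both reqid 2 SAs (0xccf52265 outbound, 0xc82689f5 inbound) as selected by no template, which is exactly the pair that carried initiator_1's traffic before initiator_2 connected. On a live responder, feed it `ip xfrm policy` and `ip xfrm state` captured at the same moment; a non-empty result after a second peer connects is the signature of overlapping traffic selectors across peers rather than of a crypto or authentication fault.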