<div dir="ltr">Thanks for your answers.<br><div>It's very helpfull.</div><div><br></div><div>Is there any way for strongswan to create Virtual IP address which are not in mode config subnet ?</div><div><br></div><div>Cheers</div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-30 0:17 GMT+02:00 Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
</span>Hello Jacques.<br>
<br>
First:<br>
The description of the "leftsourceip" option is the following:<br>
leftsourceip = %config4 | %config6 | <ip address><br>
Comma separated list of internal source IPs to use in a tunnel,<br>
also known as virtual IP. If the value is one of the synonyms<br>
%config, %cfg, %modeconfig, or %modecfg, an address (from the<br>
tunnel address family) is requested from the peer. With %config4<br>
and %config6 an address of the given address family will be<br>
requested explicitly. If an IP address is configured, it will<br>
be requested from the responder, which is free to respond with a<br>
different address.<br>
<br>
So as you can see, strongSwan always requests an IP address from the other side.<br>
If you want to use a static IP, add that IP to an interface and configure leftsubnet correctly.<br>
You cannot use leftsourceip then, as the responder will give you another IP.<br>
<br>
Second:<br>
<br>
How do you want to correctly close the tunnel (which requires interaction with the remote side), if<br>
there is no working communication path? You need to use dpd on both sides to handle that gracefully.<br>
auto=route should work in any case, where the remote subnet and endpoint is defined.<br>
<span class=""><br>
Mit freundlichen Grüßen/Kind Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
</span><span class="">Am 29.04.2015 um 10:54 schrieb Jacques Monin:<br>
> Thank you for your answers, I'll try to be more explicit about my needs.<br>
><br>
> I need to do two configurations :<br>
><br>
</span>> VPN Client: 172.16.0.3 - 1.1.1.1 - INTERNET - 2.2.2.2 - Firewall- <a href="http://172.16.1.0/24" target="_blank">172.16.1.0/24</a> <<a href="http://172.16.1.0/24" target="_blank">http://172.16.1.0/24</a>><br>
><br>
> Mode Config : 172.16.0.32-64 - 1.1.1.1 - INTERNET - 2.2.2.2 - Firewall - <a href="http://172.16.1.0/24" target="_blank">172.16.1.0/24</a> <<a href="http://172.16.1.0/24" target="_blank">http://172.16.1.0/24</a>><br>
<span class="">><br>
> Here my ipsec.conf :<br>
><br>
> config setup<br>
><br>
> conn %default<br>
> dpddelay=30<br>
> keyingtries=5<br>
> rekeymargin=120<br>
> dpdtimeout=15<br>
> keyexchange=ikev1<br>
> keylife=1h<br>
> ikelifetime=6h<br>
> authby=rsasig<br>
><br>
> conn normal<br>
> right=2.2.2.2<br>
</span><span class="">> rightsubnet=<a href="http://172.16.1.0/24" target="_blank">172.16.1.0/24</a> <<a href="http://172.16.1.0/24" target="_blank">http://172.16.1.0/24</a>><br>
> rightid=%any<br>
><br>
> left=%defaultroute<br>
> leftsubnet=<a href="http://172.16.0.3/32" target="_blank">172.16.0.3/32</a> <<a href="http://172.16.0.3/32" target="_blank">http://172.16.0.3/32</a>><br>
> leftsourceip=172.16.0.3<br>
> leftcert=cert.pem<br>
> leftca=cacert.pem<br>
> leftsendcert=always<br>
><br>
> auto=route<br>
> type=tunnel<br>
> ike=aes256-sha2_256-modp1536<br>
> esp=aes256-sha2_256-modp1024<br>
><br>
</span>> conn cfgconf<br>
> right=2.2.2.2<br>
<span class="">> rightsubnet=<a href="http://172.16.1.0/24" target="_blank">172.16.1.0/24</a> <<a href="http://172.16.1.0/24" target="_blank">http://172.16.1.0/24</a>><br>
> rightid=%any<br>
><br>
> left=%defaultroute<br>
</span><span class="">> leftsourceip=%modeconfig<br>
> leftcert=cert.pem<br>
> leftca=cacert.pem<br>
> leftrsasigkey=%cert<br>
> leftsendcert=always<br>
><br>
> auto=route<br>
> type=tunnel<br>
> ike=aes256-sha2_256-modp1536<br>
> esp=aes256-sha2_256-modp1024<br>
><br>
><br>
> strongswan.conf :<br>
><br>
> charon {<br>
> load_modular = yes<br>
> install_virtual_ip = yes<br>
> install_routes = yes<br>
> plugins {<br>
> include strongswan.d/charon/*.conf<br>
> }<br>
> }<br>
><br>
> include strongswan.d/*.conf<br>
><br>
> I have problems with these two configurations:<br>
><br>
> For the first:<br>
</span>> -Strongswan doesnt create a virtual IP address 172.16.0.3 but a virtual IP address in config mode subnet even if I remove the cfgconf from ipsec.conf. So when I do "ip a show eth1" I got 172.16.0.33 instead of 172.16.0.3 (but when I check my configuration with ipsec statusall It gives me : normal{1}: <a href="http://172.16.0.3/32" target="_blank">172.16.0.3/32</a> <<a href="http://172.16.0.3/32" target="_blank">http://172.16.0.3/32</a>> === <a href="http://172.16.1.0/24" target="_blank">172.16.1.0/24</a> <<a href="http://172.16.1.0/24" target="_blank">http://172.16.1.0/24</a>> . So, is strongswan supposed to make virtual IP address for non config connection ?<br>
<span class="">><br>
> For the second:<br>
> -All works fine if I don't want to use traffic detection mode. Indead, if I want my tunnel to be opened with traffic detection, I need to specify auto=route but my tunnel is in config mode so the routing doesn't seem to work (howover, when I open my tunnel with auto=start, all works fine). So, is there any way to pass throught this problem ? Is it possible tu use traffic detection without initial routing ?<br>
><br>
> For boths:<br>
> -I'm using virtual IP address because I do roadwarrior configurations, so when I unplug a network wire, these virtual IP addresses are erased, so I'd need either virtual addresses which are not erased when the wire is unpluged or tunnels to be closed when the wire is unpluged (in order to have the virtual IP address recreated after the wire to be replug).<br>
><br>
> Thanks for helping<br>
><br>
</span>> 2015-04-29 7:55 GMT+02:00 Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a> <mailto:<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>>>:<br>
<div><div class="h5">><br>
><br>
> Hello Jacques,<br>
><br>
> Do you have logs? I would like to see what strongSwan does and your operating system in particular,<br>
> as you do not use DPD, so a connection failure should not be detected and the policies and the tunnel state should remain up,<br>
> although no communication is possible. If this is wanted, is yours to decide.<br>
><br>
> Also, if your ultimate goal is to avoid leaking traffic, look at the "policy" match in iptables<br>
> and make creative use of it in *filter FORWARD.<br>
><br>
> Mit freundlichen Grüßen/Kind Regards,<br>
> Noel Kuntze<br>
><br>
> GPG Key ID: 0x63EC6658<br>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
><br>
> Am 28.04.2015 um 11:19 schrieb Jacques Monin:<br>
> > Hello,<br>
><br>
> > I'm trying to configurate strongswan in order to have automatic tunnel opening and routing.<br>
><br>
> > The tunnel opens well on traffic detection, the routes are created and all works well. But if a network wire is unpluged, the routing is erased and I have to restart strongswan.<br>
> > Is there any way to avoid this ?<br>
><br>
> > Is this possible to have the routing and the virtual addresse adding done while the opening of the tunnel ?<br>
> > By using leftupdown="ipsec _updown"<br>
><br>
> > It seems that the only option to have automatic tunnel opening is to specify auto=route in ipsec.conf (I was hoping auto=add had the same behaviour).<br>
> > So is there any way to have automatic tunnel opening without initial routing ?<br>
><br>
> > Here my configuration :<br>
><br>
> > config setup<br>
><br>
> > conn %default<br>
> > dpddelay=30<br>
> > keyingtries=5<br>
> > rekeymargin=120<br>
> > dpdtimeout=120<br>
> > keyexchange=ikev1<br>
> > keylife=1h<br>
> > ikelifetime=6h<br>
> > authby=rsasig<br>
><br>
> > conn Visio<br>
> > right=A.A.A.A<br>
</div></div>> > rightsubnet=<a href="http://172.16.1.0/24" target="_blank">172.16.1.0/24</a> <<a href="http://172.16.1.0/24" target="_blank">http://172.16.1.0/24</a>> <<a href="http://172.16.1.0/24" target="_blank">http://172.16.1.0/24</a>><br>
> > rightid=%any<br>
><br>
> > left=%defaultroute<br>
> > leftsubnet=<a href="http://172.16.0.3/32" target="_blank">172.16.0.3/32</a> <<a href="http://172.16.0.3/32" target="_blank">http://172.16.0.3/32</a>> <<a href="http://172.16.0.3/32" target="_blank">http://172.16.0.3/32</a>><br>
<span class="">> > leftsourceip=172.16.0.3<br>
> > leftcert=cert.pem<br>
> > leftca=cacert.pem<br>
> > leftsendcert=always<br>
><br>
> > auto=route<br>
> > type=tunnel<br>
> > ike=aes256-sha2_256-modp1536<br>
> > esp=aes256-sha2_256-modp1024<br>
><br>
> > Thanks for you help<br>
><br>
><br>
> > _______________________________________________<br>
> > Users mailing list<br>
</span>> > <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>><br>
> > <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
><br>
><br>
> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a> <mailto:<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>><br>
<span class="">> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
><br>
><br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2<br>
<br>
</span>iQIcBAEBCAAGBQJVQVhrAAoJEDg5KY9j7GZYkP4P/A8EAysFMtOna3V3vCbCjqCh<br>
9nmi97sdJryC9pZOvQgAx9VLVwaWwYVJfRqz5d03uQDlO6jSxwV0n3YM5wCZdoyg<br>
nh63d8Oz98K5KfAojcKgysgZeLTdDKfmWXZWju2LNStWzuD+rhZW6Dbd5W/5vVY/<br>
ySjFt4ALWI3MEE17Uh2NYipKj7gRcCvBFAu3i6WFYdwER856WhDoWIW6QyPAAG5a<br>
c6VC29dh61fKDEoamNGpnKjtpHlv31laYiPzEAd96HyL1n133cmDfTStEAOyNaRO<br>
IDl6X8i0Yd1BvSVuz8y45Apoj9z8WFz+NLumcmuOM7mzPmAjY+8CgNBx3zjmbGYx<br>
uxd3Thzyv17xPj8VK1UpZEnWRwzueTj3xqSWGh/gKdM599U7RipDpvQgBns/9qW3<br>
Ipx9EOfkcAhqYM4d1ToUa/KglRkoiy+72owpspHVddFYj46L0fR8Rdy5mGkNoSqz<br>
Vs08zDnGqgyGjx2uYvmFJy1nealrjq8Y0A4kpEyXB8bu9gr5CbO3ISlJ5tJI/jnQ<br>
pKPwhobyHpH9isV6D10R9OSktVl/nwkycToaTLuq5FEzscCY1UNXcXRpqPoXnOI3<br>
YEqesIx+EwvTc8mMvFpoCFsfYXqBTsMnE8tRru9UPuHlV/i8bNpk5uv2ZyfvGdEt<br>
Hr3clyYw35S8vp5Xe25Z<br>
=5QA1<br>
-----END PGP SIGNATURE-----<br>
<br>
<br>
</blockquote></div><br></div>