[strongSwan-dev] Strongswan and multihoming

Andreas Steffen andreas.steffen at strongswan.org
Tue Sep 28 11:35:54 CEST 2010


Hello Daniel,

I successfully tested the following multihoming setup:

  10.1.0.10  10.1.0.1                 10.2.0.1  10.2.0.10
  +-------+    +------+            +-------+    +-------+
  | alice |----| moon |------------|  sun  |----|  bob  |
  +-------+    +------+            +-------+    +-------+
      |        192.168.0.1 192.168.0.2 |
      +--------------------------------+
  192.168.0.50

The VPN connection goes from client alice to gateway sun.
The traffic selectors are

    leftsubnet=192.168.0.50/32,10.1.0.10/32
    rightsubnet=10.2.0.0/16

on alice and

    leftsubnet=10.2.0.0/16
    rightsubnet=192.168.0.50/32,10.1.0.10/32

on sun. At the beginning both eth0 (10.1.0.10) and
eth1 (192.168.0.50) are active on alice and the IPsec
SA is established between 192.168.0.50 and 192.168.0.2.

Server bob can ping both 192.168.0.50 and 10.1.0.10
via the ESP tunnel. Also pings from alice to bob using
-I 192.168.0.50 and -I 10.1.0.10, respectively, use
the IPsec SA. I cannot detect any unencrypted packets.

When the 192.168.0.50 interface goes away, MOBIKE
switches the IPsec SA to 10.1.0.10 and bob can still
ping 10.1.0.10 via the ESP tunnel.

There is only one restriction:

In order for the MOBIKE switchover to succeed I had
to resign from the automatically installed src routes
on gateway sun with the strongswan.conf option

charon {
   install_routes = no
}

because the route

10.1.0.10 via 192.168.0.50 src 10.2.0.1

causes the INFORMATIONAL reply from sun to alice
to be sent to the non-existent interface 192.168.0.50.

Regards

Andreas

On 09/27/2010 04:44 PM, Daniel Migault wrote:
> HI,
>
> We have a problem using Strongswan and SCTP for multihoming scenarios.
>
> We have a client and a server connected using SCTP. The Client has two
> different network cards with one IP address on each card : IPclt1 and
> IPclt2. The server has one IP address. Multihoming with SCTP works as
> follows : the connection is first established with one IP address
> (IPclt1), and when IPclt1 is not available anymore the traffic switches
> to IPclt2.
>
> We want to secure the SCTP connection with IPsec. Thus we try the
> following configuration :
>
>     1. Using Traffic Selectors so that a CHILD SA can use
> simultaneously  IPclt1 AND IPclt2. When we look at the SAD, only one IP
> address of the client seems IPsec protected. When we perform the
> handover, on the other IP address by removing the link, the traffic is
> not anymore protected.
>
> We are wondering :
>       A) Why can't we see the two traffic selector in the SAD?
>       B) Is the IKE_SA able to consider multiple IP addresses?
>       C) If not, what should we expect from Strongswan when we perform
> the SCTP handover ?
>
>     2. Using two different IKE_SA for each network card. We configured
> two distinct connections, and proceed to ipsec start, ipsec up conn1,
> ipsec up conn2. It seems that ipsec up conn2 overwrite ipsec up conn1,
> and it looks we can only have one connection configured at a time.
>
> We would like to know :
>        A) How it is possible to configure two separate IKE_SA with their
> own CHILD_SA.
>
>
> Here is the configuration file we used :
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
> crlcheckinterval=180
> strictcrlpolicy=no
> plutostart=no
> charondebug="dmn 4, mgr 4, ike 4, chd 4, job 4, cfg 4, knl 4, net 4, enc
> 4, lib 4"
>
> conn %default
> auth=esp
> authby=rsasig
> ike=aes128-aes192-aes256-sha1-modp1536!
> ikelifetime=60m
> keylife=7d
> #keylife=10m
> reauth=no
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
> mobike=yes
> mobikex=2
>
>
> conn ESP_tran_ENCRE_AES_CBC
> esp=aes128-aes192-aes256-sha1!
> leftsubnet=10.0.1.244/32,10.0.2.244/32
> #leftallowany=yes
>
> #leftsubnet=10.0.0.0/8
> leftid=@moon
> leftcert=moonCert.der
> right=10.1.2.244
> rightid=@sun
> rightcert=sunCert.der
> type=transport
> auto=route
>
>
>
> Regards,
> Daniel
>
>
> --
> Daniel Migault
> Orange Labs / Security Lab
> +33 (0) 1 45 29 60 52
> +33 (0) 6 70 72 69 58

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
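The route problem Andreas describes on sun (a charon-installed route for the remote traffic selector 10.1.0.10 pointing via the peer address 192.168.0.50 that MOBIKE has just abandoned) can be spotted in a route dump before reaching for install_routes = no. The following checker is an added example, not code from the thread or from strongSwan; it assumes the routes come from strongSwan's own routing table (220 by default) in `ip route show` field order, and the sample dump is constructed to match the setup above.

```shell
#!/bin/sh
# Added example (not from the thread): after a MOBIKE switch, find routes
# that would send traffic for the *current* peer address via a peer address
# that is no longer reachable. On sun in the thread this is
#   10.1.0.10 via 192.168.0.50 src 10.2.0.1
# which misdirects the INFORMATIONAL reply once 192.168.0.50 is gone.

# stale_peer_routes PEER ROUTES
#   PEER   - address the IKE_SA uses after the MOBIKE switch (10.1.0.10)
#   ROUTES - text of `ip route show table 220` (assumption: table 220 is
#            strongSwan's routing table, the default charon.routing_table)
# Prints every route whose destination is PEER but whose next hop is a
# different host, i.e. a route via a peer address that no longer exists.
stale_peer_routes() {
    peer="$1"
    printf '%s\n' "$2" | awk -v peer="$peer" '
        $1 == peer && $2 == "via" && $3 != peer { print }
    '
}

# Constructed route dump for sun while alice still had both interfaces:
# one route per remote traffic selector, both leading to the old peer address.
SAMPLE_ROUTES='192.168.0.50 dev eth1 src 10.2.0.1
10.1.0.10 via 192.168.0.50 dev eth1 src 10.2.0.1'

# Demo: MOBIKE has moved the IKE_SA to 10.1.0.10; the second route is stale.
main() {
    echo "Routes that must go before 10.1.0.10 can be reached:"
    stale_peer_routes 10.1.0.10 "$SAMPLE_ROUTES"
}

[ "${0##*/}" = "stale_routes.sh" ] && main
```

On a live gateway, replace SAMPLE_ROUTES with `"$(ip route show table 220)"` and the current peer address from `ipsec statusall`; if anything is printed, the route installation is what breaks the switchover, which is exactly what install_routes = no avoids.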
