[strongSwan-dev] config w/ multiple ios devices on a network...

Andrew Foss afoss at actmobile.com
Fri Apr 24 17:22:36 CEST 2015


Miroslav,

Thank you for responding. I believe the second device connecting is 
getting the same IP address as the first.

Here's a log I spit out of the updown scripts; both devices get 
10.255.0.1/32. The intent is to have 10.255.0.0/16 as a pool of 
addresses for the connecting devices.

up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0'  out '0' packets in '0'  out '0'
up-client eth0 0 10.255.0.1/32  10.199.65.236  -m policy --pol ipsec --proto esp --reqid 7 --dir in
down-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '1478'  out '5161' packets in '17'  out '14'
up-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '0'  out '0' packets in '0'  out '0'
up-client eth0 0 10.255.0.1/32  10.199.65.236  -m policy --pol ipsec --proto esp --reqid 8 --dir in
down-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '3937'  out '9212' packets in '28'  out '23'
up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0'  out '0' packets in '0'  out '0'
up-client eth0 0 10.255.0.1/32  10.199.65.236  -m policy --pol ipsec --proto esp --reqid 9 --dir in

and the route:
ip route list table 220
10.255.0.1 via 10.199.65.193 dev eth0  proto static

statusall only shows the first device to connect:
Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.2.0-54-virtual, x86_64):
   uptime: 18 minutes, since Apr 24 15:04:24 2015
   malloc: sbrk 2555904, mmap 0, used 473168, free 2082736
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 23
   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Virtual IP pools (size/online/offline):
   10.255.0.0/16: 65534/1/0
Listening IP addresses:
   10.199.65.236
   10.0.0.116
   10.0.1.10
   10.0.1.12
   10.0.0.242
   10.0.0.120
   10.0.0.122
   10.0.0.238
Connections:
          ios:  %any,0.0.0.0/0,::/0...%any  IKEv1
          ios:   local:  [C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support at actmobile.com] uses public key authentication
          ios:    cert:  "C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support at actmobile.com"
          ios:   remote: uses public key authentication
          ios:   remote: uses XAuth authentication: any
          ios:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
          ios[12]: ESTABLISHED 2 minutes ago, 10.199.65.236[C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support at actmobile.com]...166.170.42.208[C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292]
          ios[12]: Remote XAuth identity: actmobile
          ios[12]: IKEv1 SPIs: 387433cc7c4e0cf7_i b7f0e6ff754ca158_r*, public key reauthentication in 2 hours
          ios[12]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
          ios{11}:  INSTALLED, TUNNEL, reqid 11, ESP in UDP SPIs: cca21352_i 0ef3c1ab_o
          ios{11}:  AES_CBC_128/HMAC_SHA1_96, 1534 bytes_i (18 pkts, 104s ago), 5393 bytes_o (15 pkts, 104s ago), rekeying in 23 hours
          ios{11}:   0.0.0.0/0 === 10.255.0.1/32

Here's the conn from ipsec.conf. Do I really need to set up a DHCP 
service instead?

conn ios
     keyexchange=ikev1
     authby=xauthrsasig
     xauth=server
     left=%any
     leftsubnet=0.0.0.0/0
     leftsourceip=%modeconfig
     leftallowany=yes
     lefthostaccess=yes
     leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
     leftcert=serverCert.pem
     right=%any
     rightsourceip=10.255.0.0/16
     rightfirewall=yes
     righthostaccess=yes
     auto=start
     rekey=yes
     fragmentation=yes
     lifetime=24h
     dpddelay=0
     dpdtimeout=24h

On 4/24/15 12:51 AM, Miroslav Svoboda wrote:
> Please can you provide:
> - log with default loglevel set to 2, showing the start of both iPhones' 
> connections
> - output of command "strongswan statusall" at the time both iPhones are 
> connected
> - route table and iptables rules (tables filter, nat, mangle)
>
> I believe this question would next time be a better fit for the users list 
> and might even get answered quicker there.
>
> Miroslav
>
> On Thursday, April 23, 2015 at 4:40:15 PM UTC+2, Andrew Foss wrote:
>
>     I am bringing up an ipsec server for our ios users and suspect my "left"
>     parameters aren't quite right, but so far my changes have made it not
>     work at all and I am not fully understanding the descriptions. I am
>     running 5.3.0; our ifupdown scripts open iptables rules to allow access
>     to dns and the servers.
>
>     What I see is that the first device on a network connects and works fine.
>     The second device connects and neither works; the second device gets
>     disconnected, as if the routing/nat handling is sending packets down the
>     wrong tunnel.
>
>     Here's my config. I suspect leftsubnet should be 0/0; these are just
>     devices connecting for themselves, not another vpn gateway connecting a
>     network. Any pointers?
>
>     conn ios
>          keyexchange=ikev1
>          #esp=null-sha1!
>          authby=xauthrsasig
>          xauth=server
>          left=%defaultroute
>          leftsubnet=0.0.0.0/0
>          #leftsubnet=10.66.0.0/16
>          #leftfirewall=yes
>          leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
>          leftcert=serverCert.pem
>          right=%any
>          rightsourceip=10.0.0.0/16
>          #rightsourceip=10.100.255.0/28
>          #rightcert=clientCert.pem
>          #pfs=no
>          auto=start
>          rekey=yes
>          fragmentation=yes
>          lifetime=24h
>          dpddelay=0
>          dpdtimeout=24h
>
>     thanks,
>     andrew
>     _______________________________________________
>     Dev mailing list
>     Dev at lists.strongswan.org
>     https://lists.strongswan.org/mailman/listinfo/dev
>
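Added example, not part of this thread and not strongSwan's own code: a small Python analyser for the updown-script lines Andrew posted above. It pairs each "up-client" DN line with the interface/virtual-IP/reqid line that follows it, releases a peer's entries on its "down-client" line, and reports which virtual IP each reqid got, which addresses were handed to more than one peer identity, and whether two peers ever held the same address at the same time. The sample log is the poster's lines re-joined one event per line; the regular expressions assume that exact custom format, so adapt them if your updown script prints something else. On this sample it reports reqids 7, 8 and 9 all assigned 10.255.0.1, that address shared by two distinct peers over time, and no simultaneous overlap, which matches statusall showing one online lease in the pool.

```python
"""Correlate strongSwan updown-script log lines by peer identity and virtual IP.

Example code written for this thread; the log format is the poster's custom
updown output, not strongSwan's default _updown script.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the event lines from the post, one event per line.
SAMPLE_LOG = """\
up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0'  out '0' packets in '0'  out '0'
up-client eth0 0 10.255.0.1/32  10.199.65.236  -m policy --pol ipsec --proto esp --reqid 7 --dir in
down-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '1478'  out '5161' packets in '17'  out '14'
up-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '0'  out '0' packets in '0'  out '0'
up-client eth0 0 10.255.0.1/32  10.199.65.236  -m policy --pol ipsec --proto esp --reqid 8 --dir in
down-client C=US, O=strongSwan, CN=IDE-0DF5-9A4B-47B0-829E-245DDF715C4E bytes in '3937'  out '9212' packets in '28'  out '23'
up-client C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292 bytes in '0'  out '0' packets in '0'  out '0'
up-client eth0 0 10.255.0.1/32  10.199.65.236  -m policy --pol ipsec --proto esp --reqid 9 --dir in
"""

# "up-client <peer DN> bytes in ..." / "down-client <peer DN> bytes in ..."
PEER_RE = re.compile(r"^(up|down)-client (C=.*?CN=(\S+)) bytes in")
# "up-client <iface> <n> <virtual IP>/<prefix> <gateway IP> ... --reqid <n> ..."
VIP_RE = re.compile(r"^up-client (\S+) \d+ (\d+\.\d+\.\d+\.\d+)/(\d+) .*--reqid (\d+)")


@dataclass
class Assignment:
    reqid: int
    cn: str
    vip: str


@dataclass
class Report:
    assignments: list = field(default_factory=list)   # every (reqid, cn, vip) seen
    concurrent: list = field(default_factory=list)    # (vip, earlier cn, later cn)
    peers_per_vip: dict = field(default_factory=dict)  # vip -> set of CNs ever given it


def analyse(log_text: str) -> Report:
    """Walk the log in order, tracking which SAs are up and which address each holds."""
    report = Report()
    pending_cn = None   # CN from the last up-client DN line, awaiting its VIP line
    active = {}         # reqid -> Assignment for SAs currently up

    for line in log_text.splitlines():
        m = PEER_RE.match(line)
        if m:
            verb, cn = m.group(1), m.group(3)
            if verb == "up":
                pending_cn = cn
            else:
                # down-client: release every live SA belonging to that peer
                for reqid in [r for r, a in active.items() if a.cn == cn]:
                    del active[reqid]
            continue

        m = VIP_RE.match(line)
        if m and pending_cn is not None:
            vip, reqid = m.group(2), int(m.group(4))
            new = Assignment(reqid, pending_cn, vip)
            pending_cn = None
            # Flag any other live SA of a *different* peer that holds the same address.
            for other in active.values():
                if other.vip == vip and other.cn != new.cn:
                    report.concurrent.append((vip, other.cn, new.cn))
            active[reqid] = new
            report.assignments.append(new)
            report.peers_per_vip.setdefault(vip, set()).add(new.cn)

    return report


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    for a in r.assignments:
        print(f"reqid {a.reqid}: {a.cn} -> {a.vip}")
    for vip, cns in r.peers_per_vip.items():
        if len(cns) > 1:
            print(f"{vip} handed to {len(cns)} distinct peers over the log")
    print("simultaneous sharing:", r.concurrent or "none")
```

The distinction the report draws matters for diagnosis: an address reused after the previous lease was released is the pool behaving normally, whereas the same address installed for two live SAs would explain traffic going down the wrong tunnel.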
