[strongSwan-dev] Trouble getting unique ip addresses from client pool....

Andrew Foss afoss at actmobile.com
Sat Apr 25 02:28:14 CEST 2015


Here's our situation:

iOS IPsec clients; each has a certificate with a unique common name.

I want to configure strongSwan to give each client/CN a different IP address, 
regardless of what public IP address it may arrive from at the moment; it is 
a road warrior config.

I am thinking I can write a plugin like dhcp to do it for sure, but it 
seems like I may have something in the config that is wrong. I have to 
set uniqueids=no to get two clients to connect, which makes me think I 
am using something else for the id, other than the cert subject name.

This error line seems to indicate the peer is referred to as 'actmobile':

destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT

In the updown scripts the PLUTO_PEER_ID does show up properly as [C=US, 
O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307].

All my clients seem to get 172.20.0.1 as their IP address, and ipsec 
statusall shows just one SA even when I have 3 devices connected.

Here's the config:

conn ios
keyexchange=ikev1
#esp=null-sha1!
authby=xauthrsasig
xauth=server
#left=%defaultroute
leftsubnet=0.0.0.0/0
#leftsubnet=10.66.0.0/16
#leftfirewall=yes
#lefthostaccess=yes
leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
leftcert=serverCert.pem
#right=%any
rightsourceip=172.20.0.0/16
#rightsourceip=10.100.255.0/28
#rightcert=clientCert.pem
#pfs=no
auto=add
rekey=yes
fragmentation=yes
lifetime=24h
dpddelay=0
dpdtimeout=24h
compress=yes

Here's the log output of clients connecting:

IKE_SA ios[6] established between 10.199.65.236[C=US, ST=California, 
L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, 
CN=ipsec.corp.actmobile.com, 
E=support at actmobile.com]...50.197.174.157[C=US, O=strongSwan, 
CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] state change: 
CONNECTING => ESTABLISHED
Apr 25 00:12:43 accel charon: 12[IKE] scheduling reauthentication in 10094s
Apr 25 00:12:43 accel charon: 12[IKE] maximum IKE_SA lifetime 10634s
Apr 25 00:12:43 accel charon: 12[IKE] activating new tasks
Apr 25 00:12:43 accel charon: 12[IKE] nothing to initiate
Apr 25 00:12:43 accel charon: 12[IKE] destroying duplicate IKE_SA for 
peer 'actmobile', received INITIAL_CONTACT
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[5] state change: 
ESTABLISHED => DESTROYING
Apr 25 00:12:43 accel charon: 12[KNL] deleting SAD entry with SPI 
c1648e6d  (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleted SAD entry with SPI 
c1648e6d (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting SAD entry with SPI 
0d133ab7  (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleted SAD entry with SPI 
0d133ab7 (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 0.0.0.0/0 === 
172.20.0.1/32 out  (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another 
CHILD_SA, not removed
Apr 25 00:12:43 accel charon: 12[KNL] updating policy 0.0.0.0/0 === 
172.20.0.1/32 out  (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 
0.0.0.0/0 in  (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another 
CHILD_SA, not removed
Apr 25 00:12:43 accel charon: 12[KNL] updating policy 172.20.0.1/32 === 
0.0.0.0/0 in  (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 
0.0.0.0/0 fwd  (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another 
CHILD_SA, not removed
Apr 25 00:12:43 accel charon: 12[KNL] updating policy 172.20.0.1/32 === 
0.0.0.0/0 fwd  (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] getting a local address in traffic 
selector 0.0.0.0/0
Apr 25 00:12:43 accel charon: 12[KNL] using host %any
Apr 25 00:12:43 accel charon: 12[KNL] using 10.199.65.193 as nexthop to 
reach 166.170.42.208
Apr 25 00:12:43 accel charon: 12[KNL] 10.199.65.236 is on interface eth0
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 0.0.0.0/0 === 
172.20.0.1/32 out  (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 
0.0.0.0/0 in  (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 
0.0.0.0/0 fwd  (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] getting iface index for eth0
Apr 25 00:12:43 accel charon: 12[CFG] lease 172.20.0.1 by 'actmobile' 
went offline
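A log triage script for the symptom described in this post, added here as an example; it is not part of the original message or of strongSwan. It correlates charon's "established", "destroying duplicate IKE_SA" and lease lines to show which identity the uniqueness check and the pool lease are keyed on, and flags an identity that several distinct client certificates connected under. The sample log, addresses and CNs are constructed; tying an "established" line to the "destroying duplicate" line that follows it by worker thread number is this script's assumption.

```python
import re
from collections import defaultdict

# Constructed log excerpt modelled on the post's lines (addresses and CNs made
# up): one XAuth username shared by three clients with different certificates.
SAMPLE_LOG = """\
Apr 25 00:12:40 accel charon: 11[IKE] IKE_SA ios[5] established between 10.199.65.236[C=US, O=Example, CN=vpn.example.test]...198.51.100.10[C=US, O=strongSwan, CN=IDE-AAAA-0001]
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] established between 10.199.65.236[C=US, O=Example, CN=vpn.example.test]...203.0.113.7[C=US, O=strongSwan, CN=IDE-BBBB-0002]
Apr 25 00:12:43 accel charon: 12[IKE] destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT
Apr 25 00:12:43 accel charon: 12[CFG] lease 172.20.0.1 by 'actmobile' went offline
Apr 25 00:12:51 accel charon: 13[IKE] IKE_SA ios[7] established between 10.199.65.236[C=US, O=Example, CN=vpn.example.test]...192.0.2.44[C=US, O=strongSwan, CN=IDE-CCCC-0003]
Apr 25 00:12:51 accel charon: 13[IKE] destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT
"""

# Syslog/charon prefix; the worker thread number is captured to correlate lines.
PREFIX = r"^\S+ +\d+ [\d:]+ \S+ charon: (?P<thread>\d+)\[\w+\] "
ESTABLISHED = re.compile(PREFIX + r"IKE_SA \S+\[\d+\] established between "
                         r"[^\[\s]+\[[^\]]*\]\.\.\.(?P<ip>[^\[\s]+)\[(?P<dn>[^\]]*)\]")
DUPLICATE = re.compile(PREFIX + r"destroying duplicate IKE_SA for peer '(?P<peer>[^']+)'")
LEASE_OFF = re.compile(PREFIX + r"lease (?P<ip>\S+) by '(?P<peer>[^']+)' went offline")

def cn_of(dn):
    """Extract the CN attribute from a DN as charon prints it."""
    m = re.search(r"(?:^|, )CN=([^,]+)", dn)
    return m.group(1) if m else dn

def analyze(log_text):
    """Map each identity charon names in 'destroying duplicate' and lease lines to
    the client certificate CNs and pool addresses seen with it. An 'established'
    line is tied to the 'destroying duplicate' after it by worker thread number
    (an assumption of this script, not something charon guarantees)."""
    last_cn = {}  # thread -> CN of the IKE_SA that thread just established
    report = defaultdict(lambda: {"cns": set(), "leases": set(), "destroyed": 0})
    for line in log_text.splitlines():
        if m := ESTABLISHED.match(line):
            last_cn[m["thread"]] = cn_of(m["dn"])
        elif m := DUPLICATE.match(line):
            entry = report[m["peer"]]
            entry["destroyed"] += 1
            if m["thread"] in last_cn:
                entry["cns"].add(last_cn[m["thread"]])
        elif m := LEASE_OFF.match(line):
            report[m["peer"]]["leases"].add(m["ip"])
    return dict(report)

def shared_identities(report):
    """Identities under which more than one client certificate connected: uniqueids
    and the address pool key on this name, so these clients evict each other."""
    return sorted(name for name, e in report.items() if len(e["cns"]) > 1)
```

Running `analyze(SAMPLE_LOG)` on the constructed excerpt reports 'actmobile' with two certificate CNs, one shared lease and two IKE_SAs destroyed as duplicates.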