[strongSwan-dev] Trouble getting unique ip addresses from client pool....
Andrew Foss
afoss at actmobile.com
Sat Apr 25 02:28:14 CEST 2015
Here's our situation:
iOS IPsec clients, each with a certificate that has a unique common name.
I want to configure strongSwan to give them a different IP address for
each client/CN, regardless of what public IP address they may arrive
from at the moment; it is a road warrior config.
I am thinking I can write a plugin like dhcp to do it for sure, but it
seems like I may have something in the config that is wrong. I have to
set uniqueids=no to get two clients to connect, which makes me think I
am using something else for the id, other than the cert subject name.
This error line seems to indicate the peer is referred to as 'actmobile':
destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT
In the updown scripts the PLUTO_PEER_ID does show up properly as [C=US,
O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
All my clients seem to get 172.20.0.1 as their IP address and ipsec
statusall shows just one SA even when I have 3 devices connected.
Here's the config:
conn ios
        keyexchange=ikev1
        #esp=null-sha1!
        authby=xauthrsasig
        xauth=server
        #left=%defaultroute
        leftsubnet=0.0.0.0/0
        #leftsubnet=10.66.0.0/16
        #leftfirewall=yes
        #lefthostaccess=yes
        leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
        leftcert=serverCert.pem
        #right=%any
        rightsourceip=172.20.0.0/16
        #rightsourceip=10.100.255.0/28
        #rightcert=clientCert.pem
        #pfs=no
        auto=add
        rekey=yes
        fragmentation=yes
        lifetime=24h
        dpddelay=0
        dpdtimeout=24h
        compress=yes
Here's the log output of clients connecting:
IKE_SA ios[6] established between 10.199.65.236[C=US, ST=California,
L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile,
CN=ipsec.corp.actmobile.com,
E=support at actmobile.com]...50.197.174.157[C=US, O=strongSwan,
CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] state change:
CONNECTING => ESTABLISHED
Apr 25 00:12:43 accel charon: 12[IKE] scheduling reauthentication in 10094s
Apr 25 00:12:43 accel charon: 12[IKE] maximum IKE_SA lifetime 10634s
Apr 25 00:12:43 accel charon: 12[IKE] activating new tasks
Apr 25 00:12:43 accel charon: 12[IKE] nothing to initiate
Apr 25 00:12:43 accel charon: 12[IKE] destroying duplicate IKE_SA for
peer 'actmobile', received INITIAL_CONTACT
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[5] state change:
ESTABLISHED => DESTROYING
Apr 25 00:12:43 accel charon: 12[KNL] deleting SAD entry with SPI
c1648e6d (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleted SAD entry with SPI
c1648e6d (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting SAD entry with SPI
0d133ab7 (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleted SAD entry with SPI
0d133ab7 (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 0.0.0.0/0 ===
172.20.0.1/32 out (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another
CHILD_SA, not removed
Apr 25 00:12:43 accel charon: 12[KNL] updating policy 0.0.0.0/0 ===
172.20.0.1/32 out (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 ===
0.0.0.0/0 in (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another
CHILD_SA, not removed
Apr 25 00:12:43 accel charon: 12[KNL] updating policy 172.20.0.1/32 ===
0.0.0.0/0 in (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 ===
0.0.0.0/0 fwd (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another
CHILD_SA, not removed
Apr 25 00:12:43 accel charon: 12[KNL] updating policy 172.20.0.1/32 ===
0.0.0.0/0 fwd (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] getting a local address in traffic
selector 0.0.0.0/0
Apr 25 00:12:43 accel charon: 12[KNL] using host %any
Apr 25 00:12:43 accel charon: 12[KNL] using 10.199.65.193 as nexthop to
reach 166.170.42.208
Apr 25 00:12:43 accel charon: 12[KNL] 10.199.65.236 is on interface eth0
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 0.0.0.0/0 ===
172.20.0.1/32 out (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 ===
0.0.0.0/0 in (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 ===
0.0.0.0/0 fwd (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] getting iface index for eth0
Apr 25 00:12:43 accel charon: 12[CFG] lease 172.20.0.1 by 'actmobile'
went offline
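The log above contains the diagnostic clue: the name charon quotes in "destroying duplicate IKE_SA for peer 'actmobile'" and "lease 172.20.0.1 by 'actmobile'" is the identity it keys the uniqueness check and the virtual IP lease on, and it is not the certificate CN that PLUTO_PEER_ID shows. With xauth=server that identity is the XAuth username, so every client logging in as 'actmobile' competes for the same lease and, with uniqueids=yes, kills the previous client's IKE_SA. The script below is an added example, not part of the post or of strongSwan: it correlates charon log lines to report lease identities that are shared by more than one certificate CN. The ios[5] "established" line and the remote address 198.51.100.7 are constructed so that the destroyed SA has a known CN; the other lines are the post's own, re-joined onto single lines as syslog writes them.

```python
import re
from collections import defaultdict

# Constructed sample: one line added for ios[5] (CN=IDE-CONSTRUCTED-0001),
# the rest taken from the post and re-joined onto single syslog lines.
SAMPLE_LOG = """\
Apr 25 00:10:01 accel charon: 09[IKE] IKE_SA ios[5] established between 10.199.65.236[C=US, O=Internet Widgits Pty Ltd, CN=ipsec.corp.actmobile.com]...198.51.100.7[C=US, O=strongSwan, CN=IDE-CONSTRUCTED-0001]
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] established between 10.199.65.236[C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, E=support at actmobile.com]...50.197.174.157[C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] state change: CONNECTING => ESTABLISHED
Apr 25 00:12:43 accel charon: 12[IKE] destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[5] state change: ESTABLISHED => DESTROYING
Apr 25 00:12:43 accel charon: 12[CFG] lease 172.20.0.1 by 'actmobile' went offline
"""

# Patterns for the charon messages we correlate. DNs contain commas and
# spaces but never ']', so [^\]]* captures a whole identity.
ESTABLISHED = re.compile(
    r"IKE_SA (\w+)\[(\d+)\] established between \S+\[([^\]]*)\]\.\.\.\S+\[([^\]]*)\]")
DUPLICATE = re.compile(r"destroying duplicate IKE_SA for peer '([^']*)'")
DESTROYING = re.compile(r"IKE_SA (\w+)\[(\d+)\] state change: ESTABLISHED => DESTROYING")
LEASE = re.compile(r"lease (\S+) by '([^']*)'")
CN = re.compile(r"CN=([^,]+)")


def cn_of(dn):
    """Return the CN attribute of a DN string, or the whole string if none."""
    m = CN.search(dn)
    return m.group(1).strip() if m else dn


def analyze(log_text):
    """Map each lease/uniqueness identity to the certificate CNs behind it.

    Returns {"collisions": {identity: [cn, ...]}, "leases": {identity: ip}}
    where collisions lists identities claimed by more than one CN.
    """
    sa_cn = {}                    # (conn name, SA index) -> remote cert CN
    last_established = None       # the SA that is doing the logging right now
    pending_identity = None       # identity named in a "duplicate" message
    identity_cns = defaultdict(set)
    leases = {}

    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            sa_cn[key] = cn_of(m.group(4))   # group 4 is the remote identity
            last_established = key
            continue
        m = DUPLICATE.search(line)
        if m:
            # The new SA (the one that just got established) carries this identity.
            pending_identity = m.group(1)
            if last_established in sa_cn:
                identity_cns[pending_identity].add(sa_cn[last_established])
            continue
        m = DESTROYING.search(line)
        if m and pending_identity is not None:
            # The SA torn down right after the duplicate message is the old one
            # that shared the identity.
            key = (m.group(1), int(m.group(2)))
            if key in sa_cn:
                identity_cns[pending_identity].add(sa_cn[key])
            pending_identity = None
            continue
        m = LEASE.search(line)
        if m:
            leases[m.group(2)] = m.group(1)

    collisions = {ident: sorted(cns) for ident, cns in identity_cns.items() if len(cns) > 1}
    return {"collisions": collisions, "leases": leases}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ident, cns in report["collisions"].items():
        print(f"identity '{ident}' (lease {report['leases'].get(ident, '?')}) "
              f"is shared by {len(cns)} certificate CNs: {', '.join(cns)}")
```

A non-empty collisions map is the condition to look for in your own logs: if the same quoted identity is shared by several CNs, then giving each client a distinct XAuth username (or otherwise making the quoted identity unique per client) is what lets each one hold its own lease, and uniqueids can stay enabled.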