[strongSwan] strange case with dynamic dyndns tunnels

Omar Armas omar.armas at gmail.com
Wed Dec 22 09:03:39 CET 2010


Hi, I have a central Linux VPN gateway with Debian 5 and the
Strongswan 4.2.4-5+lenny3 default package (using a fixed IP). I'm trying to
connect remote dynamic site-to-site tunnels, using Sonicwall devices behind
an adsl router. My problem is that I can only establish one tunnel; after
that, the second, third and so on fail to work. This is what I have:


LAN: 192.168.110.1   <--This tunnel always works
[Sonicwall TZ 100] dyndnsclient, reporting the WAN IP of the adsl router --
host1.dyndns.org
WAN:192.168.1.1
|
LAN:192.168.1.254
[ADSL Router]
WAN: Z.Z.Z.Z
|
|
[Strongswan Fixed IP] WAN: 189.X.X.66  LAN: 192.168.100.3
|
|
WAN: Y.Y.Y.Y
[ADSL Router]
LAN:192.168.1.254
|
WAN:192.168.1.1
[Sonicwall TZ 100]  dyndnsclient, reporting the WAN IP of the adsl router
-- host2.dyndns.org
LAN: 192.168.101.1

(here I represent 2, but will have about 20 remote dynamic sites)


This is my ipsec.conf:
-------------------
config setup
plutodebug=all
klipsdebug=all
charondebug=all
nat_traversal=yes
charonstart=yes
plutostart=yes

conn %default
type=tunnel
leftsubnet=192.168.100.0/24
left=189.X.X.66
leftnexthop=189.X.X.65
leftid=189.X.X.66
keyexchange=ikev1
authby=secret
leftsourceip=192.168.100.3

conn to-one
auth=esp
ike=3des-sha1-modp1024,3des-md5-modp1024
keyexchange=ikev1
ikelifetime=28800s
esp=null-sha1
pfs=no
keyingtries=1
authby=secret
right=host1.dyndns.org
rightsubnet=192.168.110.0/24
rightid=@host1.dyndns.org
auto=add

conn to-two
auth=esp
ike=3des-sha1-modp1024,3des-md5-modp1024
keyexchange=ikev1
ikelifetime=28800s
esp=null-sha1
pfs=no
authby=secret
right=host2.dyndns.org
rightsubnet=192.168.101.0/24
rightid=@host2.dyndns.org
auto=add
--------------------
(I know I shouldn't use null-sha1, I just left it like that in my last
attempt; the same error happens with other algorithms)

And my ipsec.secrets:
--------
@host1.dyndns.org 189.X.X.66 : PSK "mypsk"
@host2.dyndns.org 189.X.X.66 : PSK "mypsk"

--------
The tunnel "to-one" always works well; it gets established with no problem,
but for the other tunnels I get something like:

-------------
Dec 22 01:40:41 vpngdl pluto[3339]: packet from 187.X.X.32:61362: ignoring
Vendor ID payload [5b362bc820f60007]    <--This ip is from tunnel "to-two"
Dec 22 01:40:41 vpngdl pluto[3339]: packet from 187.X.X.32:61362: received
Vendor ID payload [RFC 3947]
Dec 22 01:40:41 vpngdl pluto[3339]: packet from 187.X.X.32:61362: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Dec 22 01:40:41 vpngdl pluto[3339]: packet from 187.X.X.32:61362: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Dec 22 01:40:41 vpngdl pluto[3339]: | ****parse IPsec DOI SIT:
Dec 22 01:40:41 vpngdl pluto[3339]: |    IPsec DOI SIT: SIT_IDENTITY_ONLY
Dec 22 01:40:41 vpngdl pluto[3339]: | ****parse ISAKMP Proposal Payload:
Dec 22 01:40:41 vpngdl pluto[3339]: |    next payload type: ISAKMP_NEXT_NONE
Dec 22 01:40:41 vpngdl pluto[3339]: |    length: 40
Dec 22 01:40:41 vpngdl pluto[3339]: |    proposal number: 1
Dec 22 01:40:41 vpngdl pluto[3339]: |    protocol ID: PROTO_ISAKMP
Dec 22 01:40:41 vpngdl pluto[3339]: |    SPI size: 0
Dec 22 01:40:41 vpngdl pluto[3339]: |    number of transforms: 1
[snip]
Dec 22 01:40:41 vpngdl pluto[3339]: packet from 187.X.X.32:61362: initial
Main Mode message received on 189.X.X.66:500 but no connection has been
authorized with policy=PSK
---------

It sounds like it isn't detecting my configuration, but when I restart ipsec
both tunnels seem to load correctly:

-----------
Dec 22 01:39:27 vpngdl pluto[3339]: added connection description "to-one"
Dec 22 01:39:27 vpngdl pluto[3339]: |
192.168.100.0/24===189.X.X.66---189.X.X.65...187.X.X.95[@host1.dyndns.org]===192.168.110.0/24
Dec 22 01:39:27 vpngdl pluto[3339]: | ike_life: 28800s; ipsec_life: 3600s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1; policy:
PSK+ENCRYPT+TUNNEL
Dec 22 01:39:27 vpngdl pluto[3339]: | next event EVENT_REINIT_SECRET in 3599
seconds
[snip]
Dec 22 01:39:27 vpngdl pluto[3339]: added connection description "to-two"
Dec 22 01:39:27 vpngdl pluto[3339]: |
192.168.100.0/24===189.X.X.66---189.X.X.65...187.Z.Z.32[@host2.dyndns.org]===192.168.101.0/24
Dec 22 01:39:27 vpngdl pluto[3339]: | ike_life: 28800s; ipsec_life: 3600s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3; policy:
PSK+ENCRYPT+TUNNEL
Dec 22 01:39:27 vpngdl pluto[3339]: | next event EVENT_REINIT_SECRET in 3599
seconds
------------

And no matter what order I use in ipsec.conf and ipsec.secrets, tunnel one
always works and the others don't, even after restarting the strongswan server.
The VPN options on the Sonicwall side are configured identically (changing
hosts and left/right, of course) at all remote/dynamic sites. I've tried
with 3 remote sites with a similar setup, but tunnel one is always established
and the rest aren't.

Can the problem be that all the adsl routers use the same LAN class
(192.168.1.x) to connect to the firewall?
Any idea about what can be happening or how to solve it?

Regards

Omar
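The rejection quoted above ("no connection has been authorized with policy=PSK") is logged before pluto knows the peer's ID: in IKEv1 Main Mode with PSK the responder has to pick the connection (and the secret) from the peer's source address alone, so a rightid of @host2.dyndns.org cannot help until the address itself matches a loaded conn. Pluto also resolves a right= hostname once, when the connection is added, so an address the dyndns name has moved to since the last load is not matched until the configuration is reloaded. The following script is an added diagnostic written for this thread, not code from the post or from the strongSwan project. It parses the two pluto message formats shown in the post ("added connection description" with its topology line, and "packet from ... no connection has been authorized"), reports the rejected peer addresses that no loaded conn points at, and, given a resolver, names the conns whose rightid hostname currently resolves to the rejected address. The log lines and DNS answers are constructed with RFC 5737 documentation addresses; the resolver stub stands in for socket.gethostbyname.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample, modelled on the pluto log lines quoted in the post.
# Addresses are RFC 5737 documentation ranges, not real peers.
SAMPLE_LOG = """\
Dec 22 01:39:27 vpngdl pluto[3339]: added connection description "to-one"
Dec 22 01:39:27 vpngdl pluto[3339]: | 192.168.100.0/24===192.0.2.66---192.0.2.65...203.0.113.95[@host1.dyndns.org]===192.168.110.0/24
Dec 22 01:39:27 vpngdl pluto[3339]: added connection description "to-two"
Dec 22 01:39:27 vpngdl pluto[3339]: | 192.168.100.0/24===192.0.2.66---192.0.2.65...203.0.113.32[@host2.dyndns.org]===192.168.101.0/24
Dec 22 01:40:41 vpngdl pluto[3339]: packet from 198.51.100.32:61362: initial Main Mode message received on 192.0.2.66:500 but no connection has been authorized with policy=PSK
"""

# Constructed stand-in for DNS: what the dyndns names resolve to *now*.
# host2 has moved since pluto loaded its connection.
FAKE_DNS = {"host1.dyndns.org": "203.0.113.95", "host2.dyndns.org": "198.51.100.32"}


def fake_resolve(host: str) -> str:
    """Resolver stub with the same failure mode as socket.gethostbyname (OSError)."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError(f"cannot resolve {host}")


IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ADDED_RE = re.compile(r'added connection description "([^"]+)"')
# pluto's topology line: leftsubnet===left---nexthop...right[rightid]===rightsubnet
TOPO_RE = re.compile(r"\.\.\." + IPV4 + r"\[([^\]]+)\]===")
REJECT_RE = re.compile(r"packet from " + IPV4 + r":(\d+): .*no connection has been authorized")


def parse_loaded_conns(log: str) -> Dict[str, Dict[str, str]]:
    """Map each loaded conn name to the peer address and ID pluto recorded for it."""
    conns: Dict[str, Dict[str, str]] = {}
    pending: Optional[str] = None
    for line in log.splitlines():
        m = ADDED_RE.search(line)
        if m:
            pending = m.group(1)  # topology line follows on the next "|" line
            continue
        m = TOPO_RE.search(line)
        if m and pending:
            conns[pending] = {"right": m.group(1), "rightid": m.group(2)}
            pending = None
    return conns


def parse_rejections(log: str) -> List[Tuple[str, int]]:
    """Source address and port of every Main Mode proposal pluto refused."""
    rejected = []
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejected.append((m.group(1), int(m.group(2))))
    return rejected


def diagnose(log: str, resolve: Optional[Callable[[str], str]] = None) -> List[dict]:
    """For each rejected peer, report whether any loaded conn points at it and, given a
    resolver, which conns' rightid names resolve to it now (address stale since load)."""
    conns = parse_loaded_conns(log)
    by_right = {c["right"]: name for name, c in conns.items()}
    findings = []
    for ip, port in parse_rejections(log):
        stale = []
        if resolve is not None:
            for name, c in conns.items():
                host = c["rightid"].lstrip("@")
                try:
                    now = resolve(host)
                except OSError:
                    continue  # name unresolvable right now; nothing to compare
                if now == ip and c["right"] != ip:
                    stale.append((name, host, c["right"], now))
        findings.append({"peer": ip, "port": port,
                         "loaded_match": by_right.get(ip), "stale": stale})
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, fake_resolve):
        print(f"peer {f['peer']}:{f['port']} matched loaded conn: {f['loaded_match']}")
        for name, host, loaded, now in f["stale"]:
            print(f"  conn {name}: {host} was {loaded} at load time, resolves to {now} now")
```

On the gateway itself, feed it the pluto lines from the system log and pass `socket.gethostbyname` as the resolver; a conn listed under "stale" was loaded with an address its dyndns name no longer points to, which is exactly the state in which the peer's proposal cannot be matched to a PSK.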