[strongSwan] Split tunneling

Claude Tompers claude.tompers at restena.lu
Fri Oct 22 11:40:14 CEST 2010


I attached the Cisco log.
I think the interesting part starts at message 24.

kind regards,
Claude


On Friday 22 October 2010 11:27:24 Andreas Steffen wrote:
> Hmmm, it seems that the Cisco client doesn't like
> strongSwan's ModeCfg reply containing all these
> Cisco Unity attributes because it just keeps
> retransmitting the ModeCfg request. Could you
> find out what errors occur in the Cisco log?
> 
> Regards
> 
> Andreas
> 
>  On 22.10.2010 10:48, Claude Tompers wrote:
> > Hi Andreas,
> > 
> > Setting the leftsubnet did not work.
> > You can find the pluto log attached.
> > 
> > thank you
> > Claude
> > 
> > 
> > On Friday 22 October 2010 10:24:24 Andreas Steffen wrote:
> >> Hello Claude,
> >>
> >> could you provide some pluto logs with
> >>
> >>   plutodebug=all
> >>
> >> set in ipsec.conf?
> >>
> >> Regards
> >>
> >> Andreas
> >>
> >> BTW On second thought leftsubnet on the strongSwan gateway
> >>     should be set to the subnet communicated to the Cisco
> >>     client via the unity_split_include attribute since
> >>     the client will probably use them during Quick Mode.
> >>     I don't know if multiple subnets will cause several
> >>     Quick Modes to be set up, though.
> >>
> >> Regards
> >>
> >> Andreas
> >>
> >> On 22.10.2010 09:55, Claude Tompers wrote:
> >>> Hello Andreas,
> >>>
> >>> Thank you for your quick reply. Sadly, it does not work, but I think we're on the right path.
> >>> The Cisco client tells me "Negotiating security policies" before it stops silently.
> >>> On the other side, I don't see much in the pluto logs.
> >>> Any ideas ?
> >>>
> >>> kind regards,
> >>> Claude
> >>>
> >>>
> >>> On Thursday 21 October 2010 12:22:56 Andreas Steffen wrote:
> >>>> Hello Claude,
> >>>>
> >>>> yes it should be possible with the Cisco_Unity functionality added
> >>>> to the attr-sql plugin with strongswan-4.4.1:
> >>>>
> >>>> - Enable the attr-sql and sqlite plugins
> >>>>
> >>>>   ./configure ... --enable-sqlite --enable-attr-sql
> >>>>
> >>>> - Create an SQLite database:
> >>>>
> >>>>   cat strongswan-4.4.1/testing/hosts/default/etc/ipsec.d/tables.sql | sqlite3 /etc/ipsec.d/ipsec.db
> >>>>
> >>>> - Define the path to the database in strongswan.conf
> >>>>
> >>>>   libhydra {
> >>>>     plugins {
> >>>>       attr-sql {
> >>>>         database = sqlite:///etc/ipsec.d/ipsec.db
> >>>>       }
> >>>>     }
> >>>>   }
> >>>>
> >>>> - Create a virtual IP pool in the database using the ipsec pool tool
> >>>>
> >>>>   ipsec pool --add mypool --start 10.3.0.1 --end 10.3.0.254 --timeout 48
> >>>>
> >>>> - Add internal DNS and WINS servers
> >>>>
> >>>>   ipsec pool --addattr dns  --server 10.1.0.10
> >>>>   ipsec pool --addattr dns  --server 10.1.1.10
> >>>>   ipsec pool --addattr nbns --server 10.1.0.20
> >>>>   ipsec pool --addattr nbns --server 10.1.1.20
> >>>>
> >>>> - Add default domain
> >>>>
> >>>>   ipsec pool --addattr unity_def_domain  --string "strongswan.org"
> >>>>
> >>>> - Add welcome banner
> >>>>
> >>>>   ipsec pool --addattr banner --string "The network will be down from 6-8 pm"
> >>>>
> >>>> - Add split tunneling subnets !!!
> >>>>
> >>>>   ipsec pool --addattr unity_split_include --subnet "10.1.0.0/255.255.0.0,10.3.5.0/255.255.255.0"
> >>>>
> >>>> - List all configured attributes
> >>>>
> >>>>   ipsec pool --statusattr
> >>>>
> >>>> - Configure the pool in ipsec.conf
> >>>>
> >>>>   conn rw-cisco
> >>>>        right=%any
> >>>>        rightsourceip=%mypool
> >>>>        leftsubnet=0.0.0.0/0
> >>>>
> >>>> I haven't actually tested this with the Cisco VPN Client but it
> >>>> should work so that only traffic to the 10.1.0.0/16 and 10.3.5.0/24
> >>>> networks are tunneled.
> >>>>
> >>>> Regards
> >>>>
> >>>> Andreas
> >>>>
> >>>> On 21.10.2010 10:57, Claude Tompers wrote:
> >>>>> Hello,
> >>>>>
> >>>>> Is it possible to do split tunneling with CISCO VPN client and pluto
> >>>>> so that a road-warrior is still able to access e.g. printers in his
> >>>>> local network ?
> >>>>>
> >>>>> kind regards Claude
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
-------------- next part --------------
Cisco Systems VPN Client Version 5.0.05.0290
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600 

3      11:37:04.875  10/22/10  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with 192.168.1.13.

4      11:37:04.890  10/22/10  Sev=Info/4	IKE/0x63000001
Starting IKE Phase 1 Negotiation

5      11:37:04.890  10/22/10  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.168.1.13

6      11:37:04.937  10/22/10  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.1.13

7      11:37:04.937  10/22/10  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID(?), VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T)) from 192.168.1.13

8      11:37:04.953  10/22/10  Sev=Info/5	IKE/0x63000001
Peer is a Cisco-Unity compliant peer

9      11:37:04.953  10/22/10  Sev=Info/5	IKE/0x63000001
Peer supports XAUTH

10     11:37:04.953  10/22/10  Sev=Info/5	IKE/0x63000001
Peer supports DPD

11     11:37:04.953  10/22/10  Sev=Info/5	IKE/0x63000001
Peer supports NAT-T

12     11:37:04.953  10/22/10  Sev=Info/6	IKE/0x63000001
IOS Vendor ID Contruction successful

13     11:37:04.953  10/22/10  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID(?), VID(Unity)) to 192.168.1.13

14     11:37:05.078  10/22/10  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.1.13

15     11:37:05.078  10/22/10  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, NAT-D, NAT-D) from 192.168.1.13

16     11:37:05.265  10/22/10  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 192.168.1.13

17     11:37:05.578  10/22/10  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.1.13

18     11:37:05.578  10/22/10  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from 192.168.1.13

19     11:37:05.578  10/22/10  Sev=Info/4	IKE/0x63000083
IKE Port in use - Local Port =  0xE6AC, Remote Port = 0x01F4

20     11:37:05.578  10/22/10  Sev=Info/5	IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end is NOT behind a NAT device

21     11:37:05.593  10/22/10  Sev=Info/5	IKE/0x6300005E
Client sending a firewall request to concentrator

22     11:37:05.593  10/22/10  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.1.13

23     11:37:05.609  10/22/10  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.1.13

24     11:37:05.609  10/22/10  Sev=Warning/2	IKE/0xE300009B
Failed to populate attributes (Attributes:49)

25     11:37:05.609  10/22/10  Sev=Warning/2	IKE/0xE300009B
Failed to populate Attribute payload packet (PayloadAttr:96)

26     11:37:05.609  10/22/10  Sev=Warning/2	IKE/0xE300009B
Failed to process payload (PayloadList:153)

27     11:37:05.609  10/22/10  Sev=Warning/3	IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x49D78896)

28     11:37:10.671  10/22/10  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

29     11:37:10.671  10/22/10  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 192.168.1.13

30     11:37:15.671  10/22/10  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 192.168.1.13

31     11:37:15.671  10/22/10  Sev=Info/6	IKE/0x6300003D
Sending DPD request to 192.168.1.13, our seq# = 3865212230

32     11:37:15.671  10/22/10  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

33     11:37:15.671  10/22/10  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 192.168.1.13

34     11:37:15.671  10/22/10  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.1.13

35     11:37:15.671  10/22/10  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 192.168.1.13

36     11:37:15.671  10/22/10  Sev=Info/5	IKE/0x63000040
Received DPD ACK from 192.168.1.13, seq# received = 3865212230, seq# expected = 3865212230

37     11:37:20.671  10/22/10  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

38     11:37:20.671  10/22/10  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to 192.168.1.13

39     11:37:25.671  10/22/10  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 192.168.1.13

40     11:37:25.671  10/22/10  Sev=Info/6	IKE/0x6300003D
Sending DPD request to 192.168.1.13, our seq# = 3865212231

41     11:37:25.671  10/22/10  Sev=Info/4	IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=49D78896

42     11:37:25.671  10/22/10  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=6BFDF1FAA2DAF179 R_Cookie=4C1FEBE97DB586B4) reason = DEL_REASON_IKE_NEG_FAILED

43     11:37:25.671  10/22/10  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 192.168.1.13

44     11:37:25.671  10/22/10  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.1.13

45     11:37:25.671  10/22/10  Sev=Info/4	IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=6BFDF1FAA2DAF179 R_Cookie=4C1FEBE97DB586B4

46     11:37:25.671  10/22/10  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 192.168.1.13

47     11:37:25.671  10/22/10  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.1.13

48     11:37:25.687  10/22/10  Sev=Info/4	IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=6BFDF1FAA2DAF179 R_Cookie=4C1FEBE97DB586B4

49     11:37:25.687  10/22/10  Sev=Info/4	IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 192.168.1.13

50     11:37:28.671  10/22/10  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=6BFDF1FAA2DAF179 R_Cookie=4C1FEBE97DB586B4) reason = DEL_REASON_IKE_NEG_FAILED

51     11:37:29.671  10/22/10  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection
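
The Cisco log above shows the client giving up while unpacking the attributes in
pluto's ModeCfg reply (messages 24-27) and then retransmitting its request until
the Phase 2 retransmission count is exceeded. The thread does not record what in
the reply the client objected to, so the following is an added illustration, not
code from the thread or from strongSwan: it encodes an ISAKMP Attribute payload
(ISAKMP_CFG_REPLY) carrying the same kind of attributes Andreas's pool
configuration produces, and decodes it with the strictness a peer applies, so a
practitioner can compare a captured reply against the expected layout. Assumed
and not taken from the thread: the Cisco Unity attribute numbers (28672 banner,
28674 default domain, 28676 split include, as used by strongSwan and vpnc), the
14-byte split-include entry layout (network, netmask, protocol, source port,
destination port), the arbitrary ModeCfg identifier 0x1234, and the sample
addresses, which are constructed from the pool values quoted in the thread.

```python
"""ISAKMP ModeCfg attribute payload: RFC 2408 data attributes inside the
Attribute payload of draft-dukes-ike-mode-cfg, plus Cisco Unity private
attribute numbers. Added example; sample values are constructed."""
import ipaddress
import struct

ISAKMP_PAYLOAD_ATTR = 14                       # payload type number of the Attribute payload
ISAKMP_CFG_REQUEST, ISAKMP_CFG_REPLY = 1, 2    # ModeCfg message types (SET=3, ACK=4)
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS = 1, 2, 3, 4
UNITY_BANNER, UNITY_DEF_DOMAIN, UNITY_SPLIT_INCLUDE = 28672, 28674, 28676  # assumed Unity numbers
AF_BIT = 0x8000  # RFC 2408 3.3 Attribute Format bit: 1 = type/value (2-byte value), 0 = TLV


def encode_attribute(attr_type, value):
    """One data attribute: int -> TV form with a 16-bit value, bytes -> TLV form."""
    if attr_type & AF_BIT:
        raise ValueError("attribute type must fit in 15 bits")
    if isinstance(value, int):
        return struct.pack("!HH", attr_type | AF_BIT, value)
    if len(value) > 0xFFFF:
        raise ValueError("attribute value too long")
    return struct.pack("!HH", attr_type, len(value)) + value


def encode_split_include(subnets):
    """Assumed Unity layout: 14 bytes per entry = network, netmask, proto, sport, dport."""
    out = b""
    for subnet in subnets:
        net = ipaddress.IPv4Network(subnet, strict=True)
        out += net.network_address.packed + net.netmask.packed + struct.pack("!HHH", 0, 0, 0)
    return out


def build_cfg_reply(identifier, attrs, next_payload=0):
    """Attribute payload header (8 bytes) followed by the encoded attributes."""
    body = b"".join(encode_attribute(t, v) for t, v in attrs)
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(body), ISAKMP_CFG_REPLY, 0, identifier) + body


def parse_attribute_payload(data):
    """Strict decoder returning (cfg_type, identifier, [(attr_type, value), ...]).
    Any length inconsistency raises instead of reading past the buffer."""
    if len(data) < 8:
        raise ValueError("attribute payload header truncated")
    _next, _res1, length, cfg_type, _res2, identifier = struct.unpack("!BBHBBH", data[:8])
    if length != len(data):
        raise ValueError(f"payload length field {length} != buffer length {len(data)}")
    attrs, off = [], 8
    while off < length:
        if length - off < 4:
            raise ValueError(f"attribute header truncated at offset {off}")
        raw_type, second = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if raw_type & AF_BIT:                 # TV: 'second' is the value itself
            attrs.append((raw_type & ~AF_BIT, second))
        else:                                 # TLV: 'second' is the value length
            if off + second > length:
                raise ValueError(f"attribute {raw_type} claims {second} bytes, only {length - off} remain")
            attrs.append((raw_type, data[off:off + second]))
            off += second
    return cfg_type, identifier, attrs


def decode_split_include(value):
    """Turn a split-include value back into CIDR strings, rejecting odd sizes."""
    if len(value) % 14:
        raise ValueError("split-include value is not a multiple of 14 bytes")
    nets = []
    for i in range(0, len(value), 14):
        addr, mask = ipaddress.IPv4Address(value[i:i + 4]), ipaddress.IPv4Address(value[i + 4:i + 8])
        nets.append(str(ipaddress.IPv4Network((addr, str(mask)))))
    return nets


def example_reply():
    """Reply modelled on the pool in the thread; constructed values, not a capture."""
    attrs = [
        (INTERNAL_IP4_ADDRESS, ipaddress.IPv4Address("10.3.0.1").packed),
        (INTERNAL_IP4_NETMASK, ipaddress.IPv4Address("255.255.255.255").packed),
        (INTERNAL_IP4_DNS, ipaddress.IPv4Address("10.1.0.10").packed),
        (INTERNAL_IP4_NBNS, ipaddress.IPv4Address("10.1.0.20").packed),
        (UNITY_DEF_DOMAIN, b"strongswan.org"),
        (UNITY_BANNER, b"The network will be down from 6-8 pm"),
        (UNITY_SPLIT_INCLUDE, encode_split_include(["10.1.0.0/16", "10.3.5.0/24"])),
    ]
    return build_cfg_reply(identifier=0x1234, attrs=attrs)


def split_include_from_reply(payload):
    """Decode a reply and return the split-include subnets it advertises."""
    _, _, attrs = parse_attribute_payload(payload)
    return next((decode_split_include(v) for t, v in attrs if t == UNITY_SPLIT_INCLUDE), [])


def truncate_keeping_header(payload, n):
    """Drop the last n bytes but rewrite the payload length so that only the
    per-attribute bounds check can detect the overrun (a malformed-length case)."""
    body = payload[:-n]
    return body[:2] + struct.pack("!H", len(body)) + body[4:]


if __name__ == "__main__":
    reply = example_reply()
    print(reply.hex())
    print(split_include_from_reply(reply))
    for bad in (reply[:-5], truncate_keeping_header(reply, 5)):
        try:
            parse_attribute_payload(bad)
        except ValueError as err:
            print("rejected:", err)
```

When comparing against a real capture, the two fields worth checking first are the
payload length against the bytes actually on the wire and each TLV attribute's
length against what remains; a decoder that stops at the first inconsistency
behaves like the client log above, which aborts at the attribute level and never
reaches the split-include contents.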
