[strongSwan] building groups in end-to-end scenario

johann badinger johannbadinger at gmx.de
Fri Sep 10 12:25:32 CEST 2010 

Hi,
I googled a lot before sending this mail, but found no answer.

My question is:
how to configure charon for a group scenrio

More details:

for example:
I have three hosts, host1 has IP adress 192.168.56.1, second one host2 
has IP adress 192.168.56.2 and the third has ip adress 192.168.56.3. 
They are all in the subnet 192.168.56.0/32.

I want to establish a VPN between all hosts. The problem is that the 
hosts don't know the remote ip adresses. Only the subnet.

Here my ipse.conf:

host1

config setup
     plutostart=no
      charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"

conn %default
     ikelifetime=60m
     keyexchange=ikev2


conn remote
         left=192.168.56.1
         leftcert=Host1-cert.pem
         right=%any
         rightsubnet=192.168.56.0/32
         auto=route


host2

config setup
     plutostart=no
      charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"

conn %default
     ikelifetime=60m
     keyexchange=ikev2


conn remote
         left=192.168.56.2
         leftcert=Host2-cert.pem
         right=%any
         rightsubnet=192.168.56.0/32
         auto=route

the starter shows:
Starting strongSwan 4.4.0 IPsec [starter]...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.0)
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]   eth1
00[KNL]     192.168.1.3
00[KNL]     fe80::7ae4:ff:fe33:5bbb
00[KNL]   vboxnet0
00[KNL]     192.168.56.1
00[KNL]     fe80::800:27ff:fe00:0
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=DE, XX'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from 
'/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from 
'/usr/local/etc/ipsec.d/private/Host3-key.pem'
00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1 
pgp dnskey pem fips-prf xcbc hmac gmp attr kernel-netlink socket-raw 
stroke updown resolve
00[JOB] spawning 16 worker threads
01[JOB] started worker thread, ID: 1
04[JOB] started worker thread, ID: 4
05[JOB] started worker thread, ID: 5
14[JOB] started worker thread, ID: 14
14[JOB] no events, waiting
10[JOB] started worker thread, ID: 10
08[JOB] started worker thread, ID: 8
15[JOB] started worker thread, ID: 15
11[JOB] started worker thread, ID: 11
13[JOB] started worker thread, ID: 13
09[JOB] started worker thread, ID: 9
03[JOB] started worker thread, ID: 3
07[JOB] started worker thread, ID: 7
05[NET] waiting for data on raw sockets
02[JOB] started worker thread, ID: 2
06[JOB] started worker thread, ID: 6
16[JOB] started worker thread, ID: 16
12[JOB] started worker thread, ID: 12
charon (3820) started after 20 ms
01[CFG] received stroke: add connection 'Host2'
01[CFG] conn Host2
01[CFG]   left=192.168.56.1
01[CFG]   leftsubnet=(null)
01[CFG]   leftsourceip=(null)
01[CFG]   leftauth=(null)
01[CFG]   leftauth2=(null)
01[CFG]   leftid=(null)
01[CFG]   leftid2=(null)
01[CFG]   leftcert=Host1-cert.pem
01[CFG]   leftcert2=(null)
01[CFG]   leftca=(null)
01[CFG]   leftca2=(null)
01[CFG]   leftgroups=(null)
01[CFG]   leftupdown=(null)
01[CFG]   right=%any
01[CFG]   rightsubnet=192.168.56.0/32
01[CFG]   rightsourceip=(null)
01[CFG]   rightauth=(null)
01[CFG]   rightauth2=(null)
01[CFG]   rightid=(null)
01[CFG]   rightid2=(null)
01[CFG]   rightcert=(null)
01[CFG]   rightcert2=(null)
01[CFG]   rightca=(null)
01[CFG]   rightca2=(null)
01[CFG]   rightgroups=(null)
01[CFG]   rightupdown=(null)
01[CFG]   eap_identity=(null)
01[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
01[CFG]   esp=aes128-sha1,3des-sha1
01[CFG]   mediation=no
01[CFG]   mediated_by=(null)
01[CFG]   me_peerid=(null)
01[KNL] getting interface name for %any
01[KNL] %any is not a local address
01[KNL] getting interface name for 192.168.56.1
01[KNL] 192.168.56.1 is on interface vboxnet0
01[CFG]   loaded certificate "XXX'
01[CFG]   id '192.168.56.1' not confirmed by certificate, defaulting to 
'XXX'
01[CFG] added configuration 'Host2'
01[CFG] received stroke: route 'Host2'
01[CFG] proposing traffic selectors for us:
01[CFG]  192.168.56.1/32 (derived from dynamic)
01[CFG] proposing traffic selectors for other:
01[CFG]  192.168.56.0/32 (derived from 192.168.56.0/32)
01[KNL] adding policy 192.168.56.1/32 === 192.168.56.0/32 out
01[KNL] adding policy 192.168.56.0/32 === 192.168.56.1/32 in
01[KNL] adding policy 192.168.56.0/32 === 192.168.56.1/32 fwd
01[KNL] getting a local address in traffic selector 192.168.56.1/32
01[KNL] using host 192.168.56.1
01[KNL] getting address to reach %any
01[KNL] getting interface name for 192.168.56.1
01[KNL] 192.168.56.1 is on interface vboxnet0
01[KNL] getting iface index for vboxnet0
01[KNL] received netlink error: No such process (3)
01[KNL] unable to install source route for 192.168.56.1
configuration 'remote' routed

when i ping the remote host it happens nothing. Have someone an other 
proposal  for this scenario or what i do wrong?

If I delete the rightsubnet parameter the starter shows after pinging 
the remote host:
02[KNL] received a XFRM_MSG_ACQUIRE
02[KNL]   XFRMA_TMPL
02[KNL] creating acquire job for policy 192.168.56.1/32[udp/35794] === 
192.168.56.2/32[udp/1025] with reqid {1}
13[IKE] unable to initiate to %any
13[IKE] IKE_SA Host2[1] state change: CREATED => DESTROYING

More information about the Users mailing list