[strongSwan] building groups in end-to-end scenario

johann badinger johannbadinger at gmx.de
Fri Sep 10 12:25:32 CEST 2010

I googled a lot before sending this mail, but found no answer.

My question is:
How do I configure charon for a group scenario?

More details:

For example:
I have three hosts: host1 has IP address , the second one, host2,
has IP address , and the third has IP address .
They are all in the subnet .

I want to establish a VPN between all hosts. The problem is that the
hosts don't know the remote IP addresses, only the subnet.

Here is my ipsec.conf:


config setup
      charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"

conn %default

conn remote

The starter shows:
Starting strongSwan 4.4.0 IPsec [starter]...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.0)
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]   eth1
00[KNL]     fe80::7ae4:ff:fe33:5bbb
00[KNL]   vboxnet0
00[KNL]     fe80::800:27ff:fe00:0
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=DE, XX'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from 
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from 
00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1 
pgp dnskey pem fips-prf xcbc hmac gmp attr kernel-netlink socket-raw 
stroke updown resolve
00[JOB] spawning 16 worker threads
01[JOB] started worker thread, ID: 1
04[JOB] started worker thread, ID: 4
05[JOB] started worker thread, ID: 5
14[JOB] started worker thread, ID: 14
14[JOB] no events, waiting
10[JOB] started worker thread, ID: 10
08[JOB] started worker thread, ID: 8
15[JOB] started worker thread, ID: 15
11[JOB] started worker thread, ID: 11
13[JOB] started worker thread, ID: 13
09[JOB] started worker thread, ID: 9
03[JOB] started worker thread, ID: 3
07[JOB] started worker thread, ID: 7
05[NET] waiting for data on raw sockets
02[JOB] started worker thread, ID: 2
06[JOB] started worker thread, ID: 6
16[JOB] started worker thread, ID: 16
12[JOB] started worker thread, ID: 12
charon (3820) started after 20 ms
01[CFG] received stroke: add connection 'Host2'
01[CFG] conn Host2
01[CFG]   left=
01[CFG]   leftsubnet=(null)
01[CFG]   leftsourceip=(null)
01[CFG]   leftauth=(null)
01[CFG]   leftauth2=(null)
01[CFG]   leftid=(null)
01[CFG]   leftid2=(null)
01[CFG]   leftcert=Host1-cert.pem
01[CFG]   leftcert2=(null)
01[CFG]   leftca=(null)
01[CFG]   leftca2=(null)
01[CFG]   leftgroups=(null)
01[CFG]   leftupdown=(null)
01[CFG]   right=%any
01[CFG]   rightsubnet=
01[CFG]   rightsourceip=(null)
01[CFG]   rightauth=(null)
01[CFG]   rightauth2=(null)
01[CFG]   rightid=(null)
01[CFG]   rightid2=(null)
01[CFG]   rightcert=(null)
01[CFG]   rightcert2=(null)
01[CFG]   rightca=(null)
01[CFG]   rightca2=(null)
01[CFG]   rightgroups=(null)
01[CFG]   rightupdown=(null)
01[CFG]   eap_identity=(null)
01[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
01[CFG]   esp=aes128-sha1,3des-sha1
01[CFG]   mediation=no
01[CFG]   mediated_by=(null)
01[CFG]   me_peerid=(null)
01[KNL] getting interface name for %any
01[KNL] %any is not a local address
01[KNL] getting interface name for
01[KNL] is on interface vboxnet0
01[CFG]   loaded certificate "XXX'
01[CFG]   id '' not confirmed by certificate, defaulting to 
01[CFG] added configuration 'Host2'
01[CFG] received stroke: route 'Host2'
01[CFG] proposing traffic selectors for us:
01[CFG] (derived from dynamic)
01[CFG] proposing traffic selectors for other:
01[CFG] (derived from
01[KNL] adding policy === out
01[KNL] adding policy === in
01[KNL] adding policy === fwd
01[KNL] getting a local address in traffic selector
01[KNL] using host
01[KNL] getting address to reach %any
01[KNL] getting interface name for
01[KNL] is on interface vboxnet0
01[KNL] getting iface index for vboxnet0
01[KNL] received netlink error: No such process (3)
01[KNL] unable to install source route for
configuration 'remote' routed

When I ping the remote host, nothing happens. Does someone have another
proposal for this scenario, or what am I doing wrong?

If I delete the rightsubnet parameter, the starter shows this after pinging
the remote host:
02[KNL] received a XFRM_MSG_ACQUIRE
02[KNL] creating acquire job for policy[udp/35794] ===[udp/1025] with reqid {1}
13[IKE] unable to initiate to %any
13[IKE] IKE_SA Host2[1] state change: CREATED => DESTROYING
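The last two log lines are the key point of this setup: a conn with right=%any can only answer an IKE_SA that a peer initiates; charon has no address to send IKE_SA_INIT to, so a trap policy (auto=route) that fires for such a conn ends in "unable to initiate to %any". If every host should be able to open the tunnel itself, each host needs one conn per peer with a concrete right= address. The script below is an added example, not code from the original post or from the strongSwan project: it prints ipsec.conf conn sections for a full mesh from a list of peer addresses, skipping the local host. The addresses, the conn names, the certificate file name host-cert.pem and the IKEv2-with-certificates setup are constructed assumptions for the example; the ipsec.conf keywords used (keyexchange, left, leftcert, right, auto) are standard strongSwan options.

```shell
#!/bin/sh
# Added example (not from the original post or strongSwan): emit one
# ipsec.conf conn per known peer so that each host can initiate.
# All IP addresses and file names below are constructed for illustration.

# gen_conns LOCAL_IP "PEER_IP PEER_IP ..."
# Prints a complete ipsec.conf to stdout: a %default section with the
# local endpoint and certificate, then one host-to-host conn per peer.
# Without leftsubnet/rightsubnet the traffic selectors default to the two
# host addresses, which is what a mesh of hosts needs.
gen_conns() {
    local_ip=$1
    peers=$2

    printf 'config setup\n\n'
    printf 'conn %%default\n'
    printf '\tkeyexchange=ikev2\n'
    printf '\tleft=%s\n' "$local_ip"
    printf '\tleftcert=host-cert.pem\n'   # assumed certificate file name
    printf '\tauto=route\n\n'             # trap policy: first packet starts IKE

    for p in $peers; do
        # never generate a conn to ourselves
        [ "$p" = "$local_ip" ] && continue
        # conn names may not contain dots, so 10.0.0.2 -> peer_10_0_0_2
        name=peer_$(printf '%s' "$p" | tr . _)
        printf 'conn %s\n' "$name"
        printf '\tright=%s\n\n' "$p"      # concrete address: charon can initiate
    done
}

# count_peer_conns LOCAL_IP "PEER_IP ..." -> number of peer conns generated
count_peer_conns() {
    gen_conns "$1" "$2" | grep -c '^conn peer_'
}
```

Run it on every host with that host's own address as the first argument and the same peer list as the second, e.g. `gen_conns 10.0.0.1 "10.0.0.1 10.0.0.2 10.0.0.3" > /etc/ipsec.conf` on host1 (constructed addresses), then `ipsec update`. Since the peer list is identical everywhere, each host ends up with a conn toward every other host, and the auto=route trap policy turns the first ping into an IKE_SA_INIT toward a real address instead of %any.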

