[strongSwan] building groups in end-to-end scenario
Andreas Steffen
andreas.steffen at strongswan.org
Fri Sep 10 13:45:49 CEST 2010
Hello Johann,
your setup doesn't work because right=%any is for passive responders
only. As an initiator you must give the IP address of the peer you
want to reach explicitly in the right= statement.
Regards
Andreas
On 10.09.2010 12:25, johann badinger wrote:
> Hi,
> I googled a lot before sending this mail, but found no answer.
>
> My question is:
> how to configure charon for a group scenario
>
> More details:
>
> for example:
> I have three hosts, host1 has IP address 192.168.56.1, second one host2
> has IP address 192.168.56.2 and the third has IP address 192.168.56.3.
> They are all in the subnet 192.168.56.0/32.
>
> I want to establish a VPN between all hosts. The problem is that the
> hosts don't know the remote IP addresses. Only the subnet.
>
> Here is my ipsec.conf:
>
> host1
>
> config setup
>     plutostart=no
>     charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
>
> conn %default
>     ikelifetime=60m
>     keyexchange=ikev2
>
>
> conn remote
>     left=192.168.56.1
>     leftcert=Host1-cert.pem
>     right=%any
>     rightsubnet=192.168.56.0/32
>     auto=route
>
>
> host2
>
> config setup
>     plutostart=no
>     charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
>
> conn %default
>     ikelifetime=60m
>     keyexchange=ikev2
>
>
> conn remote
>     left=192.168.56.2
>     leftcert=Host2-cert.pem
>     right=%any
>     rightsubnet=192.168.56.0/32
>     auto=route
>
> the starter shows:
> Starting strongSwan 4.4.0 IPsec [starter]...
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.0)
> 00[KNL] listening on interfaces:
> 00[KNL] eth0
> 00[KNL] eth1
> 00[KNL] 192.168.1.3
> 00[KNL] fe80::7ae4:ff:fe33:5bbb
> 00[KNL] vboxnet0
> 00[KNL] 192.168.56.1
> 00[KNL] fe80::800:27ff:fe00:0
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG] loaded ca certificate "C=DE, XX'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from
> '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG] loaded RSA private key from
> '/usr/local/etc/ipsec.d/private/Host3-key.pem'
> 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1
> pgp dnskey pem fips-prf xcbc hmac gmp attr kernel-netlink socket-raw
> stroke updown resolve
> 00[JOB] spawning 16 worker threads
> 01[JOB] started worker thread, ID: 1
> 04[JOB] started worker thread, ID: 4
> 05[JOB] started worker thread, ID: 5
> 14[JOB] started worker thread, ID: 14
> 14[JOB] no events, waiting
> 10[JOB] started worker thread, ID: 10
> 08[JOB] started worker thread, ID: 8
> 15[JOB] started worker thread, ID: 15
> 11[JOB] started worker thread, ID: 11
> 13[JOB] started worker thread, ID: 13
> 09[JOB] started worker thread, ID: 9
> 03[JOB] started worker thread, ID: 3
> 07[JOB] started worker thread, ID: 7
> 05[NET] waiting for data on raw sockets
> 02[JOB] started worker thread, ID: 2
> 06[JOB] started worker thread, ID: 6
> 16[JOB] started worker thread, ID: 16
> 12[JOB] started worker thread, ID: 12
> charon (3820) started after 20 ms
> 01[CFG] received stroke: add connection 'Host2'
> 01[CFG] conn Host2
> 01[CFG] left=192.168.56.1
> 01[CFG] leftsubnet=(null)
> 01[CFG] leftsourceip=(null)
> 01[CFG] leftauth=(null)
> 01[CFG] leftauth2=(null)
> 01[CFG] leftid=(null)
> 01[CFG] leftid2=(null)
> 01[CFG] leftcert=Host1-cert.pem
> 01[CFG] leftcert2=(null)
> 01[CFG] leftca=(null)
> 01[CFG] leftca2=(null)
> 01[CFG] leftgroups=(null)
> 01[CFG] leftupdown=(null)
> 01[CFG] right=%any
> 01[CFG] rightsubnet=192.168.56.0/32
> 01[CFG] rightsourceip=(null)
> 01[CFG] rightauth=(null)
> 01[CFG] rightauth2=(null)
> 01[CFG] rightid=(null)
> 01[CFG] rightid2=(null)
> 01[CFG] rightcert=(null)
> 01[CFG] rightcert2=(null)
> 01[CFG] rightca=(null)
> 01[CFG] rightca2=(null)
> 01[CFG] rightgroups=(null)
> 01[CFG] rightupdown=(null)
> 01[CFG] eap_identity=(null)
> 01[CFG] ike=aes128-sha1-modp2048,3des-sha1-modp1536
> 01[CFG] esp=aes128-sha1,3des-sha1
> 01[CFG] mediation=no
> 01[CFG] mediated_by=(null)
> 01[CFG] me_peerid=(null)
> 01[KNL] getting interface name for %any
> 01[KNL] %any is not a local address
> 01[KNL] getting interface name for 192.168.56.1
> 01[KNL] 192.168.56.1 is on interface vboxnet0
> 01[CFG] loaded certificate "XXX'
> 01[CFG] id '192.168.56.1' not confirmed by certificate, defaulting to
> 'XXX'
> 01[CFG] added configuration 'Host2'
> 01[CFG] received stroke: route 'Host2'
> 01[CFG] proposing traffic selectors for us:
> 01[CFG] 192.168.56.1/32 (derived from dynamic)
> 01[CFG] proposing traffic selectors for other:
> 01[CFG] 192.168.56.0/32 (derived from 192.168.56.0/32)
> 01[KNL] adding policy 192.168.56.1/32 === 192.168.56.0/32 out
> 01[KNL] adding policy 192.168.56.0/32 === 192.168.56.1/32 in
> 01[KNL] adding policy 192.168.56.0/32 === 192.168.56.1/32 fwd
> 01[KNL] getting a local address in traffic selector 192.168.56.1/32
> 01[KNL] using host 192.168.56.1
> 01[KNL] getting address to reach %any
> 01[KNL] getting interface name for 192.168.56.1
> 01[KNL] 192.168.56.1 is on interface vboxnet0
> 01[KNL] getting iface index for vboxnet0
> 01[KNL] received netlink error: No such process (3)
> 01[KNL] unable to install source route for 192.168.56.1
> configuration 'remote' routed
>
> When I ping the remote host, nothing happens. Does someone have another
> proposal for this scenario, or what am I doing wrong?
>
> If I delete the rightsubnet parameter, the starter shows the following after
> pinging the remote host:
> 02[KNL] received a XFRM_MSG_ACQUIRE
> 02[KNL] XFRMA_TMPL
> 02[KNL] creating acquire job for policy 192.168.56.1/32[udp/35794] ===
> 192.168.56.2/32[udp/1025] with reqid {1}
> 13[IKE] unable to initiate to %any
> 13[IKE] IKE_SA Host2[1] state change: CREATED => DESTROYING
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
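As an added illustration of Andreas' point (example code, not from the thread or from strongSwan itself): a small Python check that parses an ipsec.conf, applies conn %default inheritance, and flags every conn that is set to initiate (auto=route or auto=start) towards right=%any, which only a passive responder (auto=add) can use. The sample configuration is host1's from the thread, with the indentation ipsec.conf normally requires; the function and constant names are this example's own.

```python
import re

# Constructed sample: host1's ipsec.conf from the thread (re-indented).
SAMPLE_CONF = """\
config setup
    plutostart=no

conn %default
    ikelifetime=60m
    keyexchange=ikev2

conn remote
    left=192.168.56.1
    leftcert=Host1-cert.pem
    right=%any
    rightsubnet=192.168.56.0/32
    auto=route
"""

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")

def parse_ipsec_conf(text):
    """Return {section_type: {name: {key: value}}}; tolerates missing indent."""
    sections = {"config": {}, "conn": {}, "ca": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections[m.group(1)].setdefault(m.group(2), {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def effective_conn(conns, name):
    """Apply 'conn %default' inheritance; keys set in the conn itself win."""
    merged = dict(conns.get("%default", {}))
    merged.update(conns[name])
    return merged

def find_any_initiators(text):
    """Names of conns that would initiate (auto=route/start) to right=%any."""
    conns = parse_ipsec_conf(text)["conn"]
    bad = []
    for name in conns:
        if name == "%default":
            continue
        c = effective_conn(conns, name)
        # strongSwan's default for auto is 'ignore'; only route/start initiate.
        if c.get("right", "").startswith("%any") and c.get("auto", "ignore") in ("route", "start"):
            bad.append(name)
    return bad
```

Running it over the thread's configuration reports `remote`; giving right= the peer's address, or changing the conn to auto=add so it only responds, clears the finding.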