[strongSwan] building groups in end-to-end scenario

johann badinger johannbadinger at gmx.de
Fri Sep 10 14:20:19 CEST 2010


On 10.09.2010 13:45, Andreas Steffen wrote:
> Hello Johann,
>
> your setup doesn't work because right=%any is for passive responders
> only. As an initiator you must give the IP address of the peer you
> want to reach explicitly in the right= statement.
>
> Regards
>
> Andreas
>
> On 10.09.2010 12:25, johann badinger wrote:
>    
>> Hi,
>> I googled a lot before sending this mail, but found no answer.
>>
>> My question is:
>> how to configure charon for a group scenario
>>
>> More details:
>>
>> for example:
>> I have three hosts, host1 has IP address 192.168.56.1, second one host2
>> has IP address 192.168.56.2 and the third has ip address 192.168.56.3.
>> They are all in the subnet 192.168.56.0/32.
>>
>> I want to establish a VPN between all hosts. The problem is that the
>> hosts don't know the remote ip adresses. Only the subnet.
>>
>> Here is my ipsec.conf:
>>
>> host1
>>
>> config setup
>>       plutostart=no
>>       charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
>>
>> conn %default
>>       ikelifetime=60m
>>       keyexchange=ikev2
>>
>>
>> conn remote
>>           left=192.168.56.1
>>           leftcert=Host1-cert.pem
>>           right=%any
>>           rightsubnet=192.168.56.0/32
>>           auto=route
>>
>>
>> host2
>>
>> config setup
>>       plutostart=no
>>       charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
>>
>> conn %default
>>       ikelifetime=60m
>>       keyexchange=ikev2
>>
>>
>> conn remote
>>           left=192.168.56.2
>>           leftcert=Host2-cert.pem
>>           right=%any
>>           rightsubnet=192.168.56.0/32
>>           auto=route
>>
>> the starter shows:
>> Starting strongSwan 4.4.0 IPsec [starter]...
>> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.0)
>> 00[KNL] listening on interfaces:
>> 00[KNL]   eth0
>> 00[KNL]   eth1
>> 00[KNL]     192.168.1.3
>> 00[KNL]     fe80::7ae4:ff:fe33:5bbb
>> 00[KNL]   vboxnet0
>> 00[KNL]     192.168.56.1
>> 00[KNL]     fe80::800:27ff:fe00:0
>> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
>> 00[CFG]   loaded ca certificate "C=DE, XX'
>> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
>> 00[CFG] loading ocsp signer certificates from
>> '/usr/local/etc/ipsec.d/ocspcerts'
>> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
>> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
>> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
>> 00[CFG]   loaded RSA private key from
>> '/usr/local/etc/ipsec.d/private/Host3-key.pem'
>> 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1
>> pgp dnskey pem fips-prf xcbc hmac gmp attr kernel-netlink socket-raw
>> stroke updown resolve
>> 00[JOB] spawning 16 worker threads
>> 01[JOB] started worker thread, ID: 1
>> 04[JOB] started worker thread, ID: 4
>> 05[JOB] started worker thread, ID: 5
>> 14[JOB] started worker thread, ID: 14
>> 14[JOB] no events, waiting
>> 10[JOB] started worker thread, ID: 10
>> 08[JOB] started worker thread, ID: 8
>> 15[JOB] started worker thread, ID: 15
>> 11[JOB] started worker thread, ID: 11
>> 13[JOB] started worker thread, ID: 13
>> 09[JOB] started worker thread, ID: 9
>> 03[JOB] started worker thread, ID: 3
>> 07[JOB] started worker thread, ID: 7
>> 05[NET] waiting for data on raw sockets
>> 02[JOB] started worker thread, ID: 2
>> 06[JOB] started worker thread, ID: 6
>> 16[JOB] started worker thread, ID: 16
>> 12[JOB] started worker thread, ID: 12
>> charon (3820) started after 20 ms
>> 01[CFG] received stroke: add connection 'Host2'
>> 01[CFG] conn Host2
>> 01[CFG]   left=192.168.56.1
>> 01[CFG]   leftsubnet=(null)
>> 01[CFG]   leftsourceip=(null)
>> 01[CFG]   leftauth=(null)
>> 01[CFG]   leftauth2=(null)
>> 01[CFG]   leftid=(null)
>> 01[CFG]   leftid2=(null)
>> 01[CFG]   leftcert=Host1-cert.pem
>> 01[CFG]   leftcert2=(null)
>> 01[CFG]   leftca=(null)
>> 01[CFG]   leftca2=(null)
>> 01[CFG]   leftgroups=(null)
>> 01[CFG]   leftupdown=(null)
>> 01[CFG]   right=%any
>> 01[CFG]   rightsubnet=192.168.56.0/32
>> 01[CFG]   rightsourceip=(null)
>> 01[CFG]   rightauth=(null)
>> 01[CFG]   rightauth2=(null)
>> 01[CFG]   rightid=(null)
>> 01[CFG]   rightid2=(null)
>> 01[CFG]   rightcert=(null)
>> 01[CFG]   rightcert2=(null)
>> 01[CFG]   rightca=(null)
>> 01[CFG]   rightca2=(null)
>> 01[CFG]   rightgroups=(null)
>> 01[CFG]   rightupdown=(null)
>> 01[CFG]   eap_identity=(null)
>> 01[CFG]   ike=aes128-sha1-modp2048,3des-sha1-modp1536
>> 01[CFG]   esp=aes128-sha1,3des-sha1
>> 01[CFG]   mediation=no
>> 01[CFG]   mediated_by=(null)
>> 01[CFG]   me_peerid=(null)
>> 01[KNL] getting interface name for %any
>> 01[KNL] %any is not a local address
>> 01[KNL] getting interface name for 192.168.56.1
>> 01[KNL] 192.168.56.1 is on interface vboxnet0
>> 01[CFG]   loaded certificate "XXX'
>> 01[CFG]   id '192.168.56.1' not confirmed by certificate, defaulting to
>> 'XXX'
>> 01[CFG] added configuration 'Host2'
>> 01[CFG] received stroke: route 'Host2'
>> 01[CFG] proposing traffic selectors for us:
>> 01[CFG]  192.168.56.1/32 (derived from dynamic)
>> 01[CFG] proposing traffic selectors for other:
>> 01[CFG]  192.168.56.0/32 (derived from 192.168.56.0/32)
>> 01[KNL] adding policy 192.168.56.1/32 === 192.168.56.0/32 out
>> 01[KNL] adding policy 192.168.56.0/32 === 192.168.56.1/32 in
>> 01[KNL] adding policy 192.168.56.0/32 === 192.168.56.1/32 fwd
>> 01[KNL] getting a local address in traffic selector 192.168.56.1/32
>> 01[KNL] using host 192.168.56.1
>> 01[KNL] getting address to reach %any
>> 01[KNL] getting interface name for 192.168.56.1
>> 01[KNL] 192.168.56.1 is on interface vboxnet0
>> 01[KNL] getting iface index for vboxnet0
>> 01[KNL] received netlink error: No such process (3)
>> 01[KNL] unable to install source route for 192.168.56.1
>> configuration 'remote' routed
>>
>> When I ping the remote host, nothing happens. Does someone have another
>> proposal for this scenario, or what am I doing wrong?
>>
>> If I delete the rightsubnet parameter, the starter shows this after pinging
>> the remote host:
>> 02[KNL] received a XFRM_MSG_ACQUIRE
>> 02[KNL]   XFRMA_TMPL
>> 02[KNL] creating acquire job for policy 192.168.56.1/32[udp/35794] ===
>> 192.168.56.2/32[udp/1025] with reqid {1}
>> 13[IKE] unable to initiate to %any
>> 13[IKE] IKE_SA Host2[1] state change: CREATED =>  DESTROYING
>>      
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>    
Thanks for the quick response.
Does anyone have ideas on how I can realize this group scenario?

host1=====host2====host3 --> group VPN with any hosts.
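As an added illustration of the explicit-peer setup Andreas describes (this is not a config posted by either participant), here is what the three-host mesh looks like on host1 in the same ipsec.conf syntax the thread uses: one conn per peer, each with a concrete right= address so charon can initiate. The certificate subject DNs in rightid= are placeholders, since the thread redacts them; replace them with the subject of each peer's certificate.

```ini
# /etc/ipsec.conf on host1 (192.168.56.1) - added example, not from the thread
config setup
        plutostart=no

conn %default
        keyexchange=ikev2
        ikelifetime=60m
        left=192.168.56.1
        leftcert=Host1-cert.pem
        # no leftsubnet/rightsubnet: traffic selectors are derived from
        # left and right, so each conn protects host-to-host traffic only
        auto=route

# one conn per peer; right= must be the peer's address because
# right=%any only works for a passive responder, never for initiating
conn host2
        right=192.168.56.2
        # placeholder DN: pin the peer to the subject of Host2-cert.pem
        rightid="C=DE, O=example, CN=host2"

conn host3
        right=192.168.56.3
        # placeholder DN: pin the peer to the subject of Host3-cert.pem
        rightid="C=DE, O=example, CN=host3"
```

host2 and host3 get the mirror image (their own address in left=, their own leftcert, and one conn for each of the other two hosts). With auto=route the policies are installed up front, the first ping to a peer raises the XFRM acquire seen in the log, and charon now has a concrete address to initiate to; the same conn also answers when that peer initiates first. rightid= is worth setting explicitly: with it unset it defaults to the peer's address, which the peer's certificate would then have to carry as a subjectAltName, and pinning the DN makes sure a certificate from the same CA issued to some other host is not accepted for that peer. If you also want to accept peers that are not listed, keep a separate right=%any conn with auto=add as a catch-all responder, but it cannot initiate.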





