[strongSwan] building groups in end-to-end scenario
johann badinger
johannbadinger at gmx.de
Fri Sep 10 14:20:19 CEST 2010
On 10.09.2010 13:45, Andreas Steffen wrote:
> Hello Johann,
>
> your setup doesn't work because right=%any is for passive responders
> only. As an initiator you must give the IP address of the peer you
> want to reach explicitly in the right= statement.
>
> Regards
>
> Andreas
>
> On 10.09.2010 12:25, johann badinger wrote:
>
>> Hi,
>> I googled a lot before sending this mail, but found no answer.
>>
>> My question is:
>> how to configure charon for a group scenrio
>>
>> More details:
>>
>> for example:
>> I have three hosts, host1 has IP adress 192.168.56.1, second one host2
>> has IP adress 192.168.56.2 and the third has ip adress 192.168.56.3.
>> They are all in the subnet 192.168.56.0/32.
>>
>> I want to establish a VPN between all hosts. The problem is that the
>> hosts don't know the remote ip adresses. Only the subnet.
>>
>> Here my ipse.conf:
>>
>> host1
>>
>> config setup
>> plutostart=no
>> charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
>>
>> conn %default
>> ikelifetime=60m
>> keyexchange=ikev2
>>
>>
>> conn remote
>> left=192.168.56.1
>> leftcert=Host1-cert.pem
>> right=%any
>> rightsubnet=192.168.56.0/32
>> auto=route
>>
>>
>> host2
>>
>> config setup
>> plutostart=no
>> charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
>>
>> conn %default
>> ikelifetime=60m
>> keyexchange=ikev2
>>
>>
>> conn remote
>> left=192.168.56.2
>> leftcert=Host2-cert.pem
>> right=%any
>> rightsubnet=192.168.56.0/32
>> auto=route
>>
>> the starter shows:
>> Starting strongSwan 4.4.0 IPsec [starter]...
>> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.0)
>> 00[KNL] listening on interfaces:
>> 00[KNL] eth0
>> 00[KNL] eth1
>> 00[KNL] 192.168.1.3
>> 00[KNL] fe80::7ae4:ff:fe33:5bbb
>> 00[KNL] vboxnet0
>> 00[KNL] 192.168.56.1
>> 00[KNL] fe80::800:27ff:fe00:0
>> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
>> 00[CFG] loaded ca certificate "C=DE, XX'
>> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
>> 00[CFG] loading ocsp signer certificates from
>> '/usr/local/etc/ipsec.d/ocspcerts'
>> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
>> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
>> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
>> 00[CFG] loaded RSA private key from
>> '/usr/local/etc/ipsec.d/private/Host3-key.pem'
>> 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1
>> pgp dnskey pem fips-prf xcbc hmac gmp attr kernel-netlink socket-raw
>> stroke updown resolve
>> 00[JOB] spawning 16 worker threads
>> 01[JOB] started worker thread, ID: 1
>> 04[JOB] started worker thread, ID: 4
>> 05[JOB] started worker thread, ID: 5
>> 14[JOB] started worker thread, ID: 14
>> 14[JOB] no events, waiting
>> 10[JOB] started worker thread, ID: 10
>> 08[JOB] started worker thread, ID: 8
>> 15[JOB] started worker thread, ID: 15
>> 11[JOB] started worker thread, ID: 11
>> 13[JOB] started worker thread, ID: 13
>> 09[JOB] started worker thread, ID: 9
>> 03[JOB] started worker thread, ID: 3
>> 07[JOB] started worker thread, ID: 7
>> 05[NET] waiting for data on raw sockets
>> 02[JOB] started worker thread, ID: 2
>> 06[JOB] started worker thread, ID: 6
>> 16[JOB] started worker thread, ID: 16
>> 12[JOB] started worker thread, ID: 12
>> charon (3820) started after 20 ms
>> 01[CFG] received stroke: add connection 'Host2'
>> 01[CFG] conn Host2
>> 01[CFG] left=192.168.56.1
>> 01[CFG] leftsubnet=(null)
>> 01[CFG] leftsourceip=(null)
>> 01[CFG] leftauth=(null)
>> 01[CFG] leftauth2=(null)
>> 01[CFG] leftid=(null)
>> 01[CFG] leftid2=(null)
>> 01[CFG] leftcert=Host1-cert.pem
>> 01[CFG] leftcert2=(null)
>> 01[CFG] leftca=(null)
>> 01[CFG] leftca2=(null)
>> 01[CFG] leftgroups=(null)
>> 01[CFG] leftupdown=(null)
>> 01[CFG] right=%any
>> 01[CFG] rightsubnet=192.168.56.0/32
>> 01[CFG] rightsourceip=(null)
>> 01[CFG] rightauth=(null)
>> 01[CFG] rightauth2=(null)
>> 01[CFG] rightid=(null)
>> 01[CFG] rightid2=(null)
>> 01[CFG] rightcert=(null)
>> 01[CFG] rightcert2=(null)
>> 01[CFG] rightca=(null)
>> 01[CFG] rightca2=(null)
>> 01[CFG] rightgroups=(null)
>> 01[CFG] rightupdown=(null)
>> 01[CFG] eap_identity=(null)
>> 01[CFG] ike=aes128-sha1-modp2048,3des-sha1-modp1536
>> 01[CFG] esp=aes128-sha1,3des-sha1
>> 01[CFG] mediation=no
>> 01[CFG] mediated_by=(null)
>> 01[CFG] me_peerid=(null)
>> 01[KNL] getting interface name for %any
>> 01[KNL] %any is not a local address
>> 01[KNL] getting interface name for 192.168.56.1
>> 01[KNL] 192.168.56.1 is on interface vboxnet0
>> 01[CFG] loaded certificate "XXX'
>> 01[CFG] id '192.168.56.1' not confirmed by certificate, defaulting to
>> 'XXX'
>> 01[CFG] added configuration 'Host2'
>> 01[CFG] received stroke: route 'Host2'
>> 01[CFG] proposing traffic selectors for us:
>> 01[CFG] 192.168.56.1/32 (derived from dynamic)
>> 01[CFG] proposing traffic selectors for other:
>> 01[CFG] 192.168.56.0/32 (derived from 192.168.56.0/32)
>> 01[KNL] adding policy 192.168.56.1/32 === 192.168.56.0/32 out
>> 01[KNL] adding policy 192.168.56.0/32 === 192.168.56.1/32 in
>> 01[KNL] adding policy 192.168.56.0/32 === 192.168.56.1/32 fwd
>> 01[KNL] getting a local address in traffic selector 192.168.56.1/32
>> 01[KNL] using host 192.168.56.1
>> 01[KNL] getting address to reach %any
>> 01[KNL] getting interface name for 192.168.56.1
>> 01[KNL] 192.168.56.1 is on interface vboxnet0
>> 01[KNL] getting iface index for vboxnet0
>> 01[KNL] received netlink error: No such process (3)
>> 01[KNL] unable to install source route for 192.168.56.1
>> configuration 'remote' routed
>>
>> when i ping the remote host it happens nothing. Have someone an other
>> proposal for this scenario or what i do wrong?
>>
>> If I delete the rightsubnet parameter the starter shows after pinging
>> the remote host:
>> 02[KNL] received a XFRM_MSG_ACQUIRE
>> 02[KNL] XFRMA_TMPL
>> 02[KNL] creating acquire job for policy 192.168.56.1/32[udp/35794] ===
>> 192.168.56.2/32[udp/1025] with reqid {1}
>> 13[IKE] unable to initiate to %any
>> 13[IKE] IKE_SA Host2[1] state change: CREATED => DESTROYING
>>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
Thanks for the quick response.
Have anyone some ideas how I can realize this group scenario.
host1=====host2====host3 --> group vpn with any hosts.
More information about the Users
mailing list