[strongSwan] IKE modeconfig IP address assignment
Troy Telford
ttelford.groups at gmail.com
Fri Sep 24 07:20:26 CEST 2010
I must be a problem child... but I'm learning fast.
I'm mostly satisfied with L2TP (save for my last tunnel/transport
question), so I've moved on to the more secure 'pure' IPsec
configurations.
I've been working on IP Address & DNS assignment setup via IKEv1 & IKEv2;
I've been following:
http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/
http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/
I have the ipsec pool configured properly, I believe; 'ipsec pool
--status' shows the pool I'm expecting, at any rate. However, with
both IKEv1 (Racoon/OS X) and IKEv2 (Win 7), I'm unable to get IP
addresses.
With IKEv1, I've got the OS X client so it is able to establish an
IPsec SA. It has the config option "mode_cfg on". However, I'm not
seeing any ModeCfg messages in 'auth.log | grep pluto'.
For IKEv2, the error is:
Sep 23 22:37:52 pilot charon: 13[IKE] peer requested virtual IP %any
Sep 23 22:37:52 pilot charon: 13[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
My network is as follows:
<something> - Dynamic address; I use DynDNS to resolve it to a host name.
192.168.1.1/24 (Main address space)
192.168.2.1/24 (DMZ address space; unused)
192.168.3.1/24 (Used for OpenVPN - for locations where ESP is blocked
at the firewall)
192.168.4.1/26 (IPsec pool)
So I think a connection would be along the lines of:
(Int. network) (Internet IP) (RW ISP) Road Warrior
192.168.0.0/21 -- ISP Assigned IP .. ISP Assigned IP -- NAT IP
My configuration (with L2TP removed, for clarity) is as follows:
config setup
    crlcheckinterval="600"
    cachecrls=yes
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24,%v4:!192.168.4.0/24
    interfaces=%defaultroute

conn %default
    keyingtries=1
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyexchange=ikev2
    ike=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
    esp=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
    compress=yes
    left=%defaultroute
    right=%any
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    pfs=yes

conn rw-local-nat
    rightsubnet=vhost:%no,%priv
    also=rw-local

conn rw-local
    keyexchange=ikev1
    # Supposedly rekey can be no, because the client will ask for it...
    rekey=no
    leftsubnet=192.168.1.0/24
    rightsourceip=%hostpool
    also=rw

conn rw-charon
    leftsubnet=192.168.1.0/24
    # In case we want a different (volatile) pool
    # rightsourceip=192.168.4.64/26
    rightsourceip=%hostpool
    also=rw

conn rw
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=pilotCert.pem
    leftid=@pilot.pariahzero.net
    rightid="C=US... CN=*, E=*"
    rightca=%same
    auto=add
$ ipsec pool --status
dns servers: 192.168.1.1
no nbns servers found.
name      start        end           timeout  size  online    usage
hostpool  192.168.4.2  192.168.4.63  static   62    0 (  0%)  0 (  0%)
$ ipsec pool --statusattr
type  description       pool  identity  value
3     INTERNAL_IP4_DNS                  192.168.1.1
$ ipsec pool --showattr
internal_ip4_netmask --addr (INTERNAL_IP4_NETMASK)
internal_ip6_netmask --addr (INTERNAL_IP6_NETMASK)
netmask --addr (INTERNAL_IP4_NETMASK, INTERNAL_IP6_NETMASK)
internal_ip4_dns --addr (INTERNAL_IP4_DNS)
internal_ip6_dns --addr (INTERNAL_IP6_DNS)
dns --addr (INTERNAL_IP4_DNS, INTERNAL_IP6_DNS)
internal_ip4_nbns --addr (INTERNAL_IP4_NBNS)
internal_ip6_nbns --addr (INTERNAL_IP6_NBNS)
nbns --addr (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)
wins --addr (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)
internal_ip4_dhcp --addr (INTERNAL_IP4_DHCP)
internal_ip6_dhcp --addr (INTERNAL_IP6_DHCP)
dhcp --addr (INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP)
internal_ip4_server --addr (INTERNAL_IP4_SERVER)
internal_ip6_server --addr (INTERNAL_IP6_SERVER)
server --addr (INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER)
application_version --string (APPLICATION_VERSION)
version --string (APPLICATION_VERSION)
unity_banner --string (UNITY_BANNER)
banner --string (UNITY_BANNER)
unity_def_domain --string (UNITY_DEF_DOMAIN)
unity_splitdns_name --string (UNITY_SPLITDNS_NAME)
unity_split_include --subnet (UNITY_SPLIT_INCLUDE)
unity_local_lan --subnet (UNITY_LOCAL_LAN)
So what do I need to do in order to get IP address assignment working?
--
Troy Telford
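The checks below are an added example, not code from the post or from the strongSwan project. They cross-check the three artifacts the post shows: the conn sections of ipsec.conf (with `also=` and `conn %default` expanded), the pool table from `ipsec pool --status`, and the charon log. The parsers assume only the minimal grammar visible in the post (conn sections with `key=value` lines, the pool table layout, `<date> <host> charon: NN[IKE] <message>` log lines); the sample inputs are constructed from the post's own values, with one deliberately misspelled pool reference (`conn rw-typo`, `%hostpoll`) added so the report has something to flag.

```python
import ipaddress
import re

# Constructed sample: the post's conn sections plus a misspelled pool reference.
IPSEC_CONF = """\
conn %default
    keyexchange=ikev2

conn rw-local
    keyexchange=ikev1
    leftsubnet=192.168.1.0/24
    rightsourceip=%hostpool
    also=rw

conn rw-charon
    leftsubnet=192.168.1.0/24
    rightsourceip=%hostpool
    also=rw

conn rw-typo
    rightsourceip=%hostpoll
    also=rw

conn rw
    authby=rsasig
    leftcert=pilotCert.pem
    auto=add
"""

# Constructed sample: `ipsec pool --status` output as shown in the post.
POOL_STATUS = """\
dns servers: 192.168.1.1
name      start        end           timeout  size  online    usage
hostpool  192.168.4.2  192.168.4.63  static   62    0 (  0%)  0 (  0%)
"""

# Constructed sample: the two charon lines from the post plus one benign line.
CHARON_LOG = """\
Sep 23 22:37:52 pilot charon: 13[IKE] peer requested virtual IP %any
Sep 23 22:37:52 pilot charon: 13[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Sep 23 22:40:10 pilot charon: 14[IKE] assigning virtual IP 192.168.4.2 to peer
"""


def parse_conns(conf):
    """Return {conn name: params} with `conn %default` applied and `also=`
    expanded; a section's own values override what it includes (minimal
    ipsec.conf grammar, assumed from the post)."""
    raw, current = {}, None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = m.group(1)
            raw[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            raw[current][key.strip()] = value.strip()
    default = raw.pop("%default", {})

    def resolve(name, seen=()):
        if name in seen:
            raise ValueError(f"also= cycle at conn {name}")
        own, merged = dict(raw[name]), dict(default)
        for inc in own.pop("also", "").split(","):
            if inc.strip():
                merged.update(resolve(inc.strip(), seen + (name,)))
        merged.update(own)
        return merged

    return {name: resolve(name) for name in raw}


POOL_ROW = re.compile(r"^(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+\S+\s+(\d+)")


def parse_pools(status):
    """Parse the table printed by `ipsec pool --status` into {name: range}."""
    pools = {}
    for line in status.splitlines():
        m = POOL_ROW.match(line.strip())
        if m:
            pools[m.group(1)] = {"start": ipaddress.ip_address(m.group(2)),
                                 "end": ipaddress.ip_address(m.group(3)),
                                 "size": int(m.group(4))}
    return pools


def check_pools(conns, pools):
    """Findings: a rightsourceip=%name matching no loaded pool (one reason charon
    logs "no virtual IP found" and answers INTERNAL_ADDRESS_FAILURE), a pool whose
    range disagrees with its size, or a pool overlapping a leftsubnet (virtual IPs
    would collide with real hosts)."""
    findings = []
    local = {ipaddress.ip_network(p["leftsubnet"]) for p in conns.values() if "leftsubnet" in p}
    for name, params in conns.items():
        src = params.get("rightsourceip", "")
        if src.startswith("%") and src[1:] not in pools:    # every %name treated as a pool name
            findings.append(f"conn {name}: rightsourceip={src} but no pool '{src[1:]}' is loaded")
    for pname, p in pools.items():
        span = int(p["end"]) - int(p["start"]) + 1
        if span != p["size"]:
            findings.append(f"pool {pname}: range holds {span} addresses, size says {p['size']}")
        for net in local:
            if p["start"] in net or p["end"] in net:
                findings.append(f"pool {pname}: overlaps leftsubnet {net}")
    return findings


LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) charon: \d+\[IKE\] (.*)$")


def scan_log(log):
    """Return (timestamp, message) for charon lines signalling a failed virtual-IP assignment."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m and ("INTERNAL_ADDRESS_FAILURE" in m.group(3) or m.group(3).startswith("no virtual IP found")):
            hits.append((m.group(1), m.group(3)))
    return hits


def report():
    return check_pools(parse_conns(IPSEC_CONF), parse_pools(POOL_STATUS)), scan_log(CHARON_LOG)


if __name__ == "__main__":
    findings, hits = report()
    for f in findings:
        print("CONFIG:", f)
    for ts, msg in hits:
        print("LOG:", ts, msg)
```

On the post's own configuration the script reports nothing for `rw-local` and `rw-charon` (both reference `hostpool`, which the pool table does show loaded, and the 192.168.4.2-192.168.4.63 range holds exactly the 62 addresses the table claims), so a pool that charon cannot see by name is not what this data rules in; what it does confirm is that the two log lines belong to the same assignment attempt, which is the place to keep looking.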