[strongSwan] IKE modeconfig IP address assignment

Andreas Steffen andreas.steffen at strongswan.org
Fri Sep 24 10:48:59 CEST 2010


Hello Troy,

do pluto and charon both load the attr-sql and sqlite plugins?
ipsec statusall should enumerate them.

Regards

Andreas

On 24.09.2010 07:20, Troy Telford wrote:
> I must be a problem child... but I'm learning fast.
> 
> I'm mostly satisfied with L2TP (Save for my last tunnel/transport 
> question), so I've moved on to the more secure 'pure' IPsec 
> configurations.
> 
> I've been working on IP Address & DNS assignment setup via IKEv1 & IKEv2;
> 
> I've been following:
> http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/
> http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/
> 
> I have the ipsec pool configured properly, I believe; 'ipsec pool 
> --status' shows the pool I'm expecting, at any rate.  However, with 
> both IKEv1 (Racoon/OS X) and IKEv2 (Win 7), I'm unable to get IP 
> addresses.
> 
> With IKEv1, I've got the OS X client so it is able to establish an 
> IPsec SA.  It has the config option "mode_cfg on".  However, I'm not 
> seeing any ModeCfg messages in 'auth.log | grep pluto'.
> 
> For IKEv2, the error is:
> Sep 23 22:37:52 pilot charon: 13[IKE] peer requested virtual IP %any
> Sep 23 22:37:52 pilot charon: 13[IKE] no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
> 
> My network is as follows:
> <something> - Dynamic address; I use DynDNS to resolve it to a host name.
> 192.168.1.1/24 (Main address space)
> 192.168.2.1/24 (DMZ address space; unused)
> 192.168.3.1/24 (Used for OpenVPN - for locations where ESP is blocked 
> at the firewall)
> 192.168.4.1/26 (IPsec pool)
> 
> So I think a connection would be along the lines of:
> (Int. network)     (Internet IP)        (RW ISP)     Road Warrior
> 192.168.0.0/21 -- ISP Assigned IP .. ISP Assigned IP -- NAT IP
> 
> My configuration (with L2TP removed, for clarity) is as follows:
> 
> config setup
>     crlcheckinterval="600"
>     cachecrls=yes
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24,%v4:!192.168.4.0/24
>     interfaces=%defaultroute
> 
> conn %default
>     keyingtries=1
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyexchange=ikev2
>     ike=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
>     esp=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
>     compress=yes
>     left=%defaultroute
>     right=%any
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>     pfs=yes
> 
> conn rw-local-nat
>     rightsubnet=vhost:%no,%priv
>     also=rw-local
> 
> conn rw-local
>     keyexchange=ikev1
>     # Supposedly rekey can be no, because the client will ask for it...
>     rekey=no
>     leftsubnet=192.168.1.0/24
>     rightsourceip=%hostpool
>     also=rw
> 
> conn rw-charon
>     leftsubnet=192.168.1.0/24
>     # In case we want a different (volatile) pool
>     # rightsourceip=192.168.4.64/26
>     rightsourceip=%hostpool
>     also=rw
> 
> conn rw
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>     leftcert=pilotCert.pem
>     leftid=@pilot.pariahzero.net
>     rightid="C=US... CN=*, E=*"
>     rightca=%same
>     auto=add
> 
> $ ipsec pool --status
> dns servers: 192.168.1.1
> no nbns servers found.
>     name           start             end  timeout   size      online       usage
> hostpool     192.168.4.2    192.168.4.63   static     62     0 ( 0%)    0 ( 0%)
> 
> $ ipsec pool --statusattr
>  type  description           pool        identity              value
>     3  INTERNAL_IP4_DNS                                        192.168.1.1
> 
> $ ipsec pool --showattr
> internal_ip4_netmask  --addr    (INTERNAL_IP4_NETMASK)
> internal_ip6_netmask  --addr    (INTERNAL_IP6_NETMASK)
> netmask               --addr    (INTERNAL_IP4_NETMASK, INTERNAL_IP6_NETMASK)
> internal_ip4_dns      --addr    (INTERNAL_IP4_DNS)
> internal_ip6_dns      --addr    (INTERNAL_IP6_DNS)
> dns                   --addr    (INTERNAL_IP4_DNS, INTERNAL_IP6_DNS)
> internal_ip4_nbns     --addr    (INTERNAL_IP4_NBNS)
> internal_ip6_nbns     --addr    (INTERNAL_IP6_NBNS)
> nbns                  --addr    (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)
> wins                  --addr    (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)
> internal_ip4_dhcp     --addr    (INTERNAL_IP4_DHCP)
> internal_ip6_dhcp     --addr    (INTERNAL_IP6_DHCP)
> dhcp                  --addr    (INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP)
> internal_ip4_server   --addr    (INTERNAL_IP4_SERVER)
> internal_ip6_server   --addr    (INTERNAL_IP6_SERVER)
> server                --addr    (INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER)
> application_version   --string  (APPLICATION_VERSION)
> version               --string  (APPLICATION_VERSION)
> unity_banner          --string  (UNITY_BANNER)
> banner                --string  (UNITY_BANNER)
> unity_def_domain      --string  (UNITY_DEF_DOMAIN)
> unity_splitdns_name   --string  (UNITY_SPLITDNS_NAME)
> unity_split_include   --subnet  (UNITY_SPLIT_INCLUDE)
> unity_local_lan       --subnet  (UNITY_LOCAL_LAN)
> 
> So what do I need to do in order to get IP address assignment working?


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
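The check Andreas suggests (that both pluto and charon have loaded attr-sql and sqlite) can be scripted against the output of ipsec statusall. The script below is an added example, not code from this thread or from the strongSwan project; it assumes that each daemon section of the statusall output carries a "loaded plugins:" line, and the status text it parses is constructed here to show one daemon with the plugins and one without. On a real host you would feed it the live output instead (see the comment at the bottom).

```shell
#!/bin/sh
# Added example: verify that each IKE daemon listed by `ipsec statusall`
# has loaded the plugins needed for database-backed IP pools (attr-sql, sqlite).
# The status text below is CONSTRUCTED for this example; the exact layout of
# real `ipsec statusall` output is an assumption.

SAMPLE_STATUS='Status of IKEv1 pluto daemon (strongSwan 4.4.1):
  loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1 pem gmp hmac attr attr-sql sqlite
Status of IKEv2 charon daemon (strongSwan 4.4.1):
  uptime: 2 minutes, since Sep 24 10:48:59 2010
  loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1 pem gmp hmac attr kernel-netlink socket-default stroke updown
'

# daemon_plugins STATUS_TEXT DAEMON
# Print the "loaded plugins" list found in the section for DAEMON (pluto|charon).
daemon_plugins() {
    printf '%s\n' "$1" | awk -v d="$2" '
        /^Status of / { in_section = (index($0, " " d " daemon") > 0) }
        in_section && /loaded plugins:/ {
            sub(/.*loaded plugins:[ \t]*/, ""); print; exit
        }'
}

# missing_plugins STATUS_TEXT DAEMON PLUGIN...
# Print the space-separated names of the PLUGINs not loaded by DAEMON.
missing_plugins() {
    status=$1; daemon=$2; shift 2
    loaded=" $(daemon_plugins "$status" "$daemon") "
    missing=""
    for p in "$@"; do
        case "$loaded" in
            *" $p "*) ;;                       # plugin present
            *) missing="$missing $p" ;;        # plugin absent
        esac
    done
    printf '%s' "${missing# }"
}

# check_pool_plugins STATUS_TEXT
# Report per daemon; return 1 if either daemon lacks attr-sql or sqlite.
check_pool_plugins() {
    rc=0
    for d in pluto charon; do
        m=$(missing_plugins "$1" "$d" attr-sql sqlite)
        if [ -z "$m" ]; then
            echo "$d: attr-sql and sqlite loaded"
        else
            echo "$d: missing plugin(s): $m (pool lookups fail for this daemon)"
            rc=1
        fi
    done
    return $rc
}

# Run against the constructed sample. On a live host use:
#   check_pool_plugins "$(ipsec statusall 2>/dev/null)"
check_pool_plugins "$SAMPLE_STATUS" || echo "enable the missing plugins and restart"
```

The sample deliberately mirrors the failure mode in the quoted mail: pluto is complete, while charon lacks both pool plugins, which is consistent with an IKEv2 client getting INTERNAL_ADDRESS_FAILURE while the pool itself looks fine under ipsec pool --status.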