[strongSwan] IKE modeconfig IP address assignment

Andreas Steffen andreas.steffen at strongswan.org
Fri Sep 24 20:30:52 CEST 2010


Hi Troy,

everything looks fine. Since the charon daemon is aware of the IKEv1
connection definitions, it might settle on one without a pool
declaration. Could you remove all IKEv1 connections from your ipsec.conf
and try again, just to make sure? Model it as closely as possible on the

http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/
scenario and, if this works, start to expand your definitions.

Regards

Andreas

On 09/24/2010 05:37 PM, Troy Telford wrote:
>> do pluto and charon both load the attr-sql and sqlite plugins?
>> ipsec statusall should enumerate them.
> 
> For pluto:
> 000 loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey
> pkcs1 pgp dnskey pem sqlite openssl hmac gmp xauth attr attr-sql resolve 
> 
> For charon:
> 
> loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1
> pgp dnskey pem sqlite openssl fips-prf xcbc hmac agent gmp attr attr-sql
> resolve kernel-netlink socket-raw farp stroke updown eap-identity
> eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp 
> 
> (It looks like the answer is yes to both)
> 
> My ipsec.sql is imported from:
> 
> http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/moon.ipsec.sql
> 
> And, for the sake of thoroughness, my /etc/strongswan.conf:
> 
> charon {
>     threads = 16
>     plugins {
>         sql {
>             loglevel = -1
>             database = sqlite:///etc.ipsec.d/ipsec.db
>         }
>     }
> }
> 
> pluto {
> }
> 
> libstrongswan {
> }
> 
> libhydra {
>     plugins {
>         attr-sql {
>             database = sqlite:///etc/ipsec.d/ipsec.db
>         }
>     }
> }
> 
> pool {
>     load = sqlite
> }
> 
> Lastly, the output of ipsec statusall
> 
> 000 Status of IKEv1 pluto daemon (strongSwan 4.4.1):
> 000 interface eth0/eth0 2001:1938:240::1:500
> 000 interface lo/lo ::1:500
> 000 interface sixxs/sixxs 2001:1938:81:a5::2:500
> 000 interface lo/lo 127.0.0.1:4500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth2/eth2 192.168.2.1:4500
> 000 interface eth2/eth2 192.168.2.1:500
> 000 interface eth0/eth0 192.168.1.1:4500
> 000 interface eth0/eth0 192.168.1.1:500
> 000 interface eth1/eth1 76.27.20.26:4500
> 000 interface eth1/eth1 76.27.20.26:500
> 000 interface tun0/tun0 192.168.3.1:4500
> 000 interface tun0/tun0 192.168.3.1:500
> 000 %myid = '%any'
> 000 loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey
> pkcs1 pgp dnskey pem sqlite openssl hmac gmp xauth attr attr-sql resolve 
> 000 debug options: none
> 000 
> 000 "rw-dmz":
> 192.168.2.0/24===192.168.1.1[myhost.fdqn.net]---76.27.16.1...%any[C=US,<foo>,
> CN=*, E=*]===%hostpool; unrouted; eroute owner: #0
> 000 "rw-dmz":   CAs: "C=US, <foo>"..."C=US, <foo>"
> 000 "rw-dmz":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s;
> rekey_fuzz: 100%; keyingtries: 1
> 000 "rw-dmz":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
> 000 "rw-dmz":   policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY;
> prio: 24,32; interface: eth0; 
> 000 "rw-dmz":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
> 000 "rw-l2tp":
> 76.27.20.26[myhost.fdqn.net]:17/1701---76.27.16.1...%any[C=US,<foo>,
> CN=*, E=*]:17/%any; unrouted; eroute owner: #0
> 000 "rw-l2tp":   CAs: "C=US, <foo>"..."C=US, <foo>"
> 000 "rw-l2tp":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s;
> rekey_fuzz: 100%; keyingtries: 1
> 000 "rw-l2tp":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
> 000 "rw-l2tp":   policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32;
> interface: eth1; 
> 000 "rw-l2tp":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
> 000 "rw-l2tp-nat":
> 76.27.20.26[myhost.fdqn.net]:17/1701---76.27.16.1...%virtual[C=US,<foo>,
> CN=*, E=*]:17/%any===?; unrouted; eroute owner: #0
> 000 "rw-l2tp-nat":   CAs: "C=US, <foo>"..."C=US, <foo>"
> 000 "rw-l2tp-nat":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin:
> 180s; rekey_fuzz: 100%; keyingtries: 1
> 000 "rw-l2tp-nat":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
> 000 "rw-l2tp-nat":   policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL; prio:
> 32,32; interface: eth1; 
> 000 "rw-l2tp-nat":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
> 000 "rw-l2tp-psk":
> 76.27.20.26[76.27.20.26]:17/1701---76.27.16.1...%any[%any]:17/%any;
> unrouted; eroute owner: #0
> 000 "rw-l2tp-psk":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin:
> 180s; rekey_fuzz: 100%; keyingtries: 1
> 000 "rw-l2tp-psk":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
> 000 "rw-l2tp-psk":   policy: PSK+ENCRYPT+COMPRESS; prio: 32,32;
> interface: eth1; 
> 000 "rw-l2tp-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
> 000 "rw-l2tp-psk-nat":
> 76.27.20.26[76.27.20.26]:17/1701---76.27.16.1...%virtual[%any]:17/%any===?;
> unrouted; eroute owner: #0
> 000 "rw-l2tp-psk-nat":   ike_life: 3600s; ipsec_life: 1200s;
> rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
> 000 "rw-l2tp-psk-nat":   dpd_action: clear; dpd_delay: 30s; dpd_timeout:
> 120s;
> 000 "rw-l2tp-psk-nat":   policy: PSK+ENCRYPT+COMPRESS; prio: 32,32;
> interface: eth1; 
> 000 "rw-l2tp-psk-nat":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
> 000 "rw-local":
> 192.168.1.0/24===76.27.20.26[myhost.fdqn.net]---76.27.16.1...%any[C=US,<foo>,
> CN=*, E=*]===%hostpool; unrouted; eroute owner: #0
> 000 "rw-local":   CAs: "C=US, <foo>"..."C=US, <foo>"
> 000 "rw-local":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin:
> 180s; rekey_fuzz: 100%; keyingtries: 1
> 000 "rw-local":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
> 000 "rw-local":   policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY;
> prio: 24,32; interface: eth1; 
> 000 "rw-local":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
> 000 "rw-local-nat":
> 192.168.1.0/24===76.27.20.26[myhost.fdqn.net]---76.27.16.1...%virtual[C=US,<foo>,
> CN=*, E=*]===?; unrouted; eroute owner: #0
> 000 "rw-local-nat":   CAs: "C=US, <foo>"..."C=US, <foo>"
> 000 "rw-local-nat":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin:
> 180s; rekey_fuzz: 100%; keyingtries: 1
> 000 "rw-local-nat":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
> 000 "rw-local-nat":   policy:
> PUBKEY+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY; prio: 24,32; interface: eth1; 
> 000 "rw-local-nat":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
> 000 
> Status of IKEv2 charon daemon (strongSwan 4.4.1):
>   uptime: 9 hours, since Sep 24 00:07:12 2010
>   malloc: sbrk 516096, mmap 0, used 441552, free 74544
>   worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
>   loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey
> pkcs1 pgp dnskey pem sqlite openssl fips-prf xcbc hmac agent gmp attr
> attr-sql resolve kernel-netlink socket-raw farp stroke updown
> eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp 
> Listening IP addresses:
>   192.168.2.1
>   192.168.1.1
>   2001:1938:240::1
>   76.27.20.26
>   2001:1938:81:a5::2
>   192.168.3.1
> Connections:
> rw-charon-mobike:  76.27.20.26...%any, dpddelay=30s
> rw-charon-mobike:   local:  [myhost.fdqn.net]
> uses public key authentication
> rw-charon-mobike:    cert:  "C=US,<foo>, CN=myhost.fdqn.net,
> E=root at myhost.fdqn.net"
> rw-charon-mobike:   remote: [C=US,<foo>, CN=*, E=*] uses any authentication
> rw-charon-mobike:   child:  192.168.1.0/24 === dynamic , dpdaction=clear
>    rw-charon:   child:  192.168.1.0/24 === dynamic , dpdaction=clear
>           rw:  76.27.20.26...%any, dpddelay=30s
>           rw:   local:  [myhost.fdqn.net] uses
> public key authentication
>           rw:    cert:  "C=US,<foo>, CN=myhost.fdqn.net,
> E=root at myhost.fdqn.net"
>           rw:   remote: [C=US,<foo>, CN=*, E=*] uses any authentication
>           rw:   child:  dynamic === dynamic , dpdaction=clear
> Security Associations:
>   none
> 
> Thanks.
> 
>> Regards
>>
>> Andreas
>>
>> On 24.09.2010 07:20, Troy Telford wrote:
>>> I must be a problem child... but I'm learning fast.
>>>
>>> I'm mostly satisfied with L2TP (Save for my last tunnel/transport
>>> question), so I've moved on to the more secure 'pure' IPsec
>>> configurations.
>>>
>>> I've been working on IP Address & DNS assignment setup via IKEv1 & IKEv2;
>>>
>>> I've been following:
>>> http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/
>>> http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/
>>>
>>> I have the ipsec pool configured properly, I believe; 'ipsec pool
>>> --status' shows the pool I'm expecting, at any rate.  However, with
>>> both IKEv1 (Racoon/OS X) and IKEv2 (Win 7), I'm unable to get IP
>>> addresses.
>>>
>>> With IKEv1, I've got the OS X client so it is able to establish an
>>> IPsec SA.  It has the config option "mode_cfg on".  However, I'm not
>>> seeing any ModeCfg messages in 'auth.log | grep pluto'.
>>>
>>> For IKEv2, the error is:
>>> Sep 23 22:37:52 pilot charon: 13[IKE] peer requested virtual IP %any
>>> Sep 23 22:37:52 pilot charon: 13[IKE] no virtual IP found, sending
>>> INTERNAL_ADDRESS_FAILURE
>>>
>>> My network is as follows:
>>> <something> - Dynamic address; I use DynDNS to resolve it to a host name.
>>> 192.168.1.1/24 (Main address space)
>>> 192.168.2.1/24 (DMZ address space; unused)
>>> 192.168.3.1/24 (Used for OpenVPN - for locations where ESP is blocked
>>> at the firewall)
>>> 192.168.4.1/26 (IPsec pool)
>>>
>>> So I think a connection would be along the lines of:
>>> (Int. network)     (Internet IP)        (RW ISP)     Road Warrior
>>> 192.168.0.0/21 -- ISP Assigned IP .. ISP Assigned IP -- NAT IP
>>>
>>> My configuration (with L2TP removed, for clarity) is as follows:
>>>
>>> config setup
>>>    crlcheckinterval="600"
>>>    cachecrls=yes
>>>    nat_traversal=yes
>>>
>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24,%v4:!192.168.4.0/24
>>>
>>>
>>>   interfaces=%defaultroute
>>>
>>> conn %default
>>>    keyingtries=1
>>>    ikelifetime=60m
>>>    keylife=20m
>>>    rekeymargin=3m
>>>    keyexchange=ikev2
>>>    ike=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
>>>    esp=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
>>>    compress=yes
>>>    left=%defaultroute
>>>    right=%any
>>>    dpddelay=30
>>>    dpdtimeout=120
>>>    dpdaction=clear
>>>    pfs=yes
>>>
>>> conn rw-local-nat
>>>    rightsubnet=vhost:%no,%priv
>>>    also=rw-local
>>>
>>> conn rw-local
>>>    keyexchange=ikev1
>>>    # Supposedly rekey can be no, because the client will ask for it...
>>>    rekey=no
>>>    leftsubnet=192.168.1.0/24
>>>    rightsourceip=%hostpool
>>>    also=rw
>>>
>>> conn rw-charon
>>>    leftsubnet=192.168.1.0/24
>>>    # In case we want a different (volatile) pool
>>>    # rightsourceip=192.168.4.64/26
>>>    rightsourceip=%hostpool
>>>    also=rw
>>>
>>> conn rw
>>>    authby=rsasig
>>>    leftrsasigkey=%cert
>>>    rightrsasigkey=%cert
>>>    leftcert=pilotCert.pem
>>>    leftid=@pilot.pariahzero.net
>>>    rightid="C=US... CN=*, E=*"
>>>    rightca=%same
>>>    auto=add
>>>
>>> $ ipsec pool --status
>>> dns servers: 192.168.1.1
>>> no nbns servers found.
>>>    name           start             end  timeout   size      online    usage
>>> hostpool     192.168.4.2    192.168.4.63   static     62     0 ( 0%)    0 ( 0%)
>>>
>>> $ ipsec pool --statusattr
>>> type  description           pool        identity              value
>>>    3  INTERNAL_IP4_DNS                                        192.168.1.1
>>>
>>> $ ipsec pool --showattr
>>> internal_ip4_netmask  --addr    (INTERNAL_IP4_NETMASK)
>>> internal_ip6_netmask  --addr    (INTERNAL_IP6_NETMASK)
>>> netmask               --addr    (INTERNAL_IP4_NETMASK, INTERNAL_IP6_NETMASK)
>>> internal_ip4_dns      --addr    (INTERNAL_IP4_DNS)
>>> internal_ip6_dns      --addr    (INTERNAL_IP6_DNS)
>>> dns                   --addr    (INTERNAL_IP4_DNS, INTERNAL_IP6_DNS)
>>> internal_ip4_nbns     --addr    (INTERNAL_IP4_NBNS)
>>> internal_ip6_nbns     --addr    (INTERNAL_IP6_NBNS)
>>> nbns                  --addr    (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)
>>> wins                  --addr    (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)
>>> internal_ip4_dhcp     --addr    (INTERNAL_IP4_DHCP)
>>> internal_ip6_dhcp     --addr    (INTERNAL_IP6_DHCP)
>>> dhcp                  --addr    (INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP)
>>> internal_ip4_server   --addr    (INTERNAL_IP4_SERVER)
>>> internal_ip6_server   --addr    (INTERNAL_IP6_SERVER)
>>> server                --addr    (INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER)
>>> application_version   --string  (APPLICATION_VERSION)
>>> version               --string  (APPLICATION_VERSION)
>>> unity_banner          --string  (UNITY_BANNER)
>>> banner                --string  (UNITY_BANNER)
>>> unity_def_domain      --string  (UNITY_DEF_DOMAIN)
>>> unity_splitdns_name   --string  (UNITY_SPLITDNS_NAME)
>>> unity_split_include   --subnet  (UNITY_SPLIT_INCLUDE)
>>> unity_local_lan       --subnet  (UNITY_LOCAL_LAN)
>>>
>>> So what do I need to do in order to get IP address assignment working?

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
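Added example, not part of the thread or of strongSwan itself: a small Python checker for the two things a reader of this exchange would want to verify before expanding the configuration. The strongswan.conf quoted above names two `database =` URIs that differ (`sqlite:///etc.ipsec.d/ipsec.db` under charon's sql plugin, `sqlite:///etc/ipsec.d/ipsec.db` under libhydra's attr-sql plugin), so the first part extracts every database URI and reports whether they all resolve to the same file; note that charon's quoted plugin list contains `sqlite` and `attr-sql` but no `sql`, so which of those URIs is actually consulted depends on what is loaded. The second part parses the quoted `ipsec pool --status` row and checks that the reported size matches the address range, that the range lies inside the subnet the poster reserved for the pool (192.168.4.1/26), and that it does not overlap the LAN, DMZ or OpenVPN subnets listed in the network description. Both inputs are constructed from the thread text; the intended and protected subnets are passed in as parameters, not read from any strongSwan file.

```python
"""Consistency checks for the strongSwan attr-sql pool setup discussed in this thread.

Added example, not part of the original post. Both inputs below are constructed
from the text quoted in the thread, not read from a live system.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed from the strongswan.conf quoted above (only the database lines matter here).
STRONGSWAN_CONF = """\
charon {
    plugins {
        sql {
            database = sqlite:///etc.ipsec.d/ipsec.db
        }
    }
}
libhydra {
    plugins {
        attr-sql {
            database = sqlite:///etc/ipsec.d/ipsec.db
        }
    }
}
"""

# Constructed from the `ipsec pool --status` output quoted above.
POOL_STATUS = """\
dns servers: 192.168.1.1
no nbns servers found.
  name           start             end  timeout   size      online    usage
hostpool     192.168.4.2    192.168.4.63   static     62     0 ( 0%)    0 ( 0%)
"""

DB_RE = re.compile(r"^\s*database\s*=\s*(\S+)", re.MULTILINE)
POOL_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)",
    re.MULTILINE,
)


def sqlite_path(uri: str) -> str:
    """Filesystem path behind a strongSwan 'sqlite://<path>' URI.

    'sqlite:///etc/ipsec.d/ipsec.db' opens '/etc/ipsec.d/ipsec.db';
    'sqlite:///etc.ipsec.d/ipsec.db' opens '/etc.ipsec.d/ipsec.db', a different file.
    """
    prefix = "sqlite://"
    if not uri.startswith(prefix):
        raise ValueError(f"not an sqlite URI: {uri}")
    return uri[len(prefix):]


def database_paths(conf: str) -> set[str]:
    """Distinct database files named in strongswan.conf. More than one entry
    means the plugins are not all pointed at the same pool database."""
    return {sqlite_path(uri) for uri in DB_RE.findall(conf)}


def parse_pools(status: str) -> dict[str, dict]:
    """Parse the pool rows of `ipsec pool --status`. The header and the dns/nbns
    lines are skipped because their second column is not an IPv4 address."""
    pools = {}
    for name, start, end, timeout, size in POOL_RE.findall(status):
        pools[name] = {
            "start": ipaddress.IPv4Address(start),
            "end": ipaddress.IPv4Address(end),
            "timeout": timeout,
            "size": int(size),
        }
    return pools


def pool_problems(pool: dict, intended: str, protected: list[str]) -> list[str]:
    """Check a pool against the subnet it is meant to come from and the subnets
    it must not hand out addresses in (here the networks behind the gateway)."""
    problems = []
    count = int(pool["end"]) - int(pool["start"]) + 1
    if count != pool["size"]:
        problems.append(f"reported size {pool['size']} != address count {count}")
    intended_net = ipaddress.ip_network(intended, strict=False)
    chunks = list(ipaddress.summarize_address_range(pool["start"], pool["end"]))
    if not all(chunk.subnet_of(intended_net) for chunk in chunks):
        problems.append(f"range {pool['start']}-{pool['end']} is not inside {intended_net}")
    for subnet in protected:
        net = ipaddress.ip_network(subnet, strict=False)
        if any(chunk.overlaps(net) for chunk in chunks):
            problems.append(f"range overlaps protected subnet {net}")
    return problems


if __name__ == "__main__":
    paths = database_paths(STRONGSWAN_CONF)
    print("database files referenced:", sorted(paths))
    if len(paths) > 1:
        print("WARNING: strongswan.conf points plugins at different database files")
    for name, pool in parse_pools(POOL_STATUS).items():
        issues = pool_problems(pool, "192.168.4.1/26",
                               ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"])
        print(f"pool {name}: {'ok' if not issues else '; '.join(issues)}")
```

Run as-is it reports the two distinct database paths from the quoted configuration and "ok" for hostpool, since 192.168.4.2 to 192.168.4.63 is 62 addresses inside 192.168.4.0/26 and clear of the other subnets. The subnet_of and overlaps checks work on the pool split into CIDR blocks rather than on its two endpoints, so a pool that happened to span a whole protected subnet would still be caught.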
