[strongSwan] IKE modeconfig IP address assignment

Troy Telford ttelford.groups at gmail.com
Sat Sep 25 09:59:27 CEST 2010


Interestingly enough:

I did simplify; oddly, though, if I had the L2TP connections listed before the rw-local or rw-local-nat connections, it wouldn't work.

If, however, I had the L2TP connections listed after rw-local, IKEv2 address assignment worked fine.

I think I may be a bit confused about IKEv1 & ModeCfg, though:
I was expecting an 'internal' IP address to be assigned from the IP address pool; however this doesn't appear to be happening at all.  (As before, no ModeCfg messages in the pluto log).

I'm not sure if that's very important, since I'm still able to connect to the network fine; but I'd certainly appreciate some enlightenment if my expectation is wrong for IKEv1 & ModeCfg.

On Sep 24, 2010, at 12:30 PM, Andreas Steffen wrote:

> Hi Troy,
> 
> everything looks fine. Since the charon daemon is aware of the IKEv1
> connection definitions it might settle on one without a pool
> declaration. Could you remove all IKEv1 connections from your ipsec.conf
> and try again just to make sure. Just model it as close to the
> 
> http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/
> scenario and if this works, start to expand your definitions.
> 
> Regards
> 
> Andreas
> 
> On 09/24/2010 05:37 PM, Troy Telford wrote:
>>> do pluto and charon both load the attr-sql and sqlite plugins?
>>> ipsec statusall should enumerate them.
>> 
>> For pluto:
>> 000 loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey
>> pkcs1 pgp dnskey pem sqlite openssl hmac gmp xauth attr attr-sql resolve 
>> 
>> For charon:
>> 
>> loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey pkcs1
>> pgp dnskey pem sqlite openssl fips-prf xcbc hmac agent gmp attr attr-sql
>> resolve kernel-netlink socket-raw farp stroke updown eap-identity
>> eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp 
>> 
>> (It looks like the answer is yes to both)
>> 
>> My ipsec.sql is imported from:
>> 
>> http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/moon.ipsec.sql
>> 
>> And, for the sake of thoroughness, my /etc/strongswan.conf:
>> 
>> charon {
>>    threads = 16
>>    plugins {
>>        sql {
>>            loglevel = -1
>>            database = sqlite:///etc.ipsec.d/ipsec.db
>>        }
>>    }
>> }
>> 
>> pluto {
>> }
>> 
>> libstrongswan {
>> }
>> 
>> libhydra {
>>    plugins {
>>        attr-sql {
>>            database = sqlite:///etc/ipsec.d/ipsec.db
>>        }
>>    }
>> }
>> 
>> pool {
>>    load = sqlite
>> }
>> 
>> Lastly, the output of ipsec statusall
>> 
>> 000 Status of IKEv1 pluto daemon (strongSwan 4.4.1):
>> 000 interface eth0/eth0 2001:1938:240::1:500
>> 000 interface lo/lo ::1:500
>> 000 interface sixxs/sixxs 2001:1938:81:a5::2:500
>> 000 interface lo/lo 127.0.0.1:4500
>> 000 interface lo/lo 127.0.0.1:500
>> 000 interface eth2/eth2 192.168.2.1:4500
>> 000 interface eth2/eth2 192.168.2.1:500
>> 000 interface eth0/eth0 192.168.1.1:4500
>> 000 interface eth0/eth0 192.168.1.1:500
>> 000 interface eth1/eth1 76.27.20.26:4500
>> 000 interface eth1/eth1 76.27.20.26:500
>> 000 interface tun0/tun0 192.168.3.1:4500
>> 000 interface tun0/tun0 192.168.3.1:500
>> 000 %myid = '%any'
>> 000 loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey
>> pkcs1 pgp dnskey pem sqlite openssl hmac gmp xauth attr attr-sql resolve 
>> 000 debug options: none
>> 000 
>> 000 "rw-dmz":
>> 192.168.2.0/24===192.168.1.1[myhost.fdqn.net]---76.27.16.1...%any[C=US,<foo>,
>> CN=*, E=*]===%hostpool; unrouted; eroute owner: #0
>> 000 "rw-dmz":   CAs: "C=US, <foo>"..."C=US, <foo>"
>> 000 "rw-dmz":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s;
>> rekey_fuzz: 100%; keyingtries: 1
>> 000 "rw-dmz":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
>> 000 "rw-dmz":   policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY;
>> prio: 24,32; interface: eth0; 
>> 000 "rw-dmz":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
>> 000 "rw-l2tp":
>> 76.27.20.26[myhost.fdqn.net]:17/1701---76.27.16.1...%any[C=US,<foo>,
>> CN=*, E=*]:17/%any; unrouted; eroute owner: #0
>> 000 "rw-l2tp":   CAs: "C=US, <foo>"..."C=US, <foo>"
>> 000 "rw-l2tp":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s;
>> rekey_fuzz: 100%; keyingtries: 1
>> 000 "rw-l2tp":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
>> 000 "rw-l2tp":   policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL; prio: 32,32;
>> interface: eth1; 
>> 000 "rw-l2tp":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
>> 000 "rw-l2tp-nat":
>> 76.27.20.26[myhost.fdqn.net]:17/1701---76.27.16.1...%virtual[C=US,<foo>,
>> CN=*, E=*]:17/%any===?; unrouted; eroute owner: #0
>> 000 "rw-l2tp-nat":   CAs: "C=US, <foo>"..."C=US, <foo>"
>> 000 "rw-l2tp-nat":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin:
>> 180s; rekey_fuzz: 100%; keyingtries: 1
>> 000 "rw-l2tp-nat":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
>> 000 "rw-l2tp-nat":   policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL; prio:
>> 32,32; interface: eth1; 
>> 000 "rw-l2tp-nat":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
>> 000 "rw-l2tp-psk":
>> 76.27.20.26[76.27.20.26]:17/1701---76.27.16.1...%any[%any]:17/%any;
>> unrouted; eroute owner: #0
>> 000 "rw-l2tp-psk":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin:
>> 180s; rekey_fuzz: 100%; keyingtries: 1
>> 000 "rw-l2tp-psk":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
>> 000 "rw-l2tp-psk":   policy: PSK+ENCRYPT+COMPRESS; prio: 32,32;
>> interface: eth1; 
>> 000 "rw-l2tp-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
>> 000 "rw-l2tp-psk-nat":
>> 76.27.20.26[76.27.20.26]:17/1701---76.27.16.1...%virtual[%any]:17/%any===?;
>> unrouted; eroute owner: #0
>> 000 "rw-l2tp-psk-nat":   ike_life: 3600s; ipsec_life: 1200s;
>> rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
>> 000 "rw-l2tp-psk-nat":   dpd_action: clear; dpd_delay: 30s; dpd_timeout:
>> 120s;
>> 000 "rw-l2tp-psk-nat":   policy: PSK+ENCRYPT+COMPRESS; prio: 32,32;
>> interface: eth1; 
>> 000 "rw-l2tp-psk-nat":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
>> 000 "rw-local":
>> 192.168.1.0/24===76.27.20.26[myhost.fdqn.net]---76.27.16.1...%any[C=US,<foo>,
>> CN=*, E=*]===%hostpool; unrouted; eroute owner: #0
>> 000 "rw-local":   CAs: "C=US, <foo>"..."C=US, <foo>"
>> 000 "rw-local":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin:
>> 180s; rekey_fuzz: 100%; keyingtries: 1
>> 000 "rw-local":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
>> 000 "rw-local":   policy: PUBKEY+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY;
>> prio: 24,32; interface: eth1; 
>> 000 "rw-local":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
>> 000 "rw-local-nat":
>> 192.168.1.0/24===76.27.20.26[myhost.fdqn.net]---76.27.16.1...%virtual[C=US,<foo>,
>> CN=*, E=*]===?; unrouted; eroute owner: #0
>> 000 "rw-local-nat":   CAs: "C=US, <foo>"..."C=US, <foo>"
>> 000 "rw-local-nat":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin:
>> 180s; rekey_fuzz: 100%; keyingtries: 1
>> 000 "rw-local-nat":   dpd_action: clear; dpd_delay: 30s; dpd_timeout: 120s;
>> 000 "rw-local-nat":   policy:
>> PUBKEY+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY; prio: 24,32; interface: eth1; 
>> 000 "rw-local-nat":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
>> 000 
>> Status of IKEv2 charon daemon (strongSwan 4.4.1):
>>  uptime: 9 hours, since Sep 24 00:07:12 2010
>>  malloc: sbrk 516096, mmap 0, used 441552, free 74544
>>  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
>>  loaded plugins: curl ldap aes des sha1 sha2 md5 random x509 pubkey
>> pkcs1 pgp dnskey pem sqlite openssl fips-prf xcbc hmac agent gmp attr
>> attr-sql resolve kernel-netlink socket-raw farp stroke updown
>> eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 dhcp 
>> Listening IP addresses:
>>  192.168.2.1
>>  192.168.1.1
>>  2001:1938:240::1
>>  76.27.20.26
>>  2001:1938:81:a5::2
>>  192.168.3.1
>> Connections:
>> rw-charon-mobike:  76.27.20.26...%any, dpddelay=30s
>> rw-charon-mobike:   local:  [myhost.fdqn.net] uses public key authentication
>> rw-charon-mobike:    cert:  "C=US,<foo>, CN=myhost.fdqn.net, E=root at myhost.fdqn.net"
>> rw-charon-mobike:   remote: [C=US,<foo>, CN=*, E=*] uses any authentication
>> rw-charon-mobike:   child:  192.168.1.0/24 === dynamic , dpdaction=clear
>>   rw-charon:   child:  192.168.1.0/24 === dynamic , dpdaction=clear
>>          rw:  76.27.20.26...%any, dpddelay=30s
>>          rw:   local:  [myhost.fdqn.net] uses public key authentication
>>          rw:    cert:  "C=US,<foo>, CN=myhost.fdqn.net, E=root at myhost.fdqn.net"
>>          rw:   remote: [C=US,<foo>, CN=*, E=*] uses any authentication
>>          rw:   child:  dynamic === dynamic , dpdaction=clear
>> Security Associations:
>>  none
>> 
>> Thanks.
>> 
>>> Regards
>>> 
>>> Andreas
>>> 
>>> On 24.09.2010 07:20, Troy Telford wrote:
>>>> I must be a problem child... but I'm learning fast.
>>>> 
>>>> I'm mostly satisfied with L2TP (Save for my last tunnel/transport
>>>> question), so I've moved on to the more secure 'pure' IPsec
>>>> configurations.
>>>> 
>>>> I've been working on IP Address & DNS assignment setup via IKEv1 & IKEv2;
>>>> 
>>>> I've been following:
>>>> http://www.strongswan.org/uml/testresults/ikev1/ip-pool-db/
>>>> http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/
>>>> 
>>>> I have the ipsec pool configured properly, I believe; 'ipsec pool
>>>> --status' shows the pool I'm expecting, at any rate.  However, with
>>>> both IKEv1 (Racoon/OS X) and IKEv2 (Win 7), I'm unable to get IP
>>>> addresses.
>>>> 
>>>> With IKEv1, I've got the OS X client so it is able to establish an
>>>> IPsec SA.  It has the config option "mode_cfg on".  However, I'm not
>>>> seeing any ModeCfg messages in 'auth.log | grep pluto'.
>>>> 
>>>> For IKEv2, the error is:
>>>> Sep 23 22:37:52 pilot charon: 13[IKE] peer requested virtual IP %any
>>>> Sep 23 22:37:52 pilot charon: 13[IKE] no virtual IP found, sending
>>>> INTERNAL_ADDRESS_FAILURE
>>>> 
>>>> My network is as follows:
>>>> <something> - Dynamic address; I use DynDNS to resolve it to a host name.
>>>> 192.168.1.1/24 (Main address space)
>>>> 192.168.2.1/24 (DMZ address space; unused)
>>>> 192.168.3.1/24 (Used for OpenVPN - for locations where ESP is blocked
>>>> at the firewall)
>>>> 192.168.4.1/26 (IPsec pool)
>>>> 
>>>> So I think a connection would be along the lines of:
>>>> (Int. network)     (Internet IP)        (RW ISP)     Road Warrior
>>>> 192.168.0.0/21 -- ISP Assigned IP .. ISP Assigned IP -- NAT IP
>>>> 
>>>> My configuration (with L2TP removed, for clarity) is as follows:
>>>> 
>>>> config setup
>>>>   crlcheckinterval="600"
>>>>   cachecrls=yes
>>>>   nat_traversal=yes
>>>>   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24,%v4:!192.168.4.0/24
>>>>   interfaces=%defaultroute
>>>> 
>>>> conn %default
>>>>   keyingtries=1
>>>>   ikelifetime=60m
>>>>   keylife=20m
>>>>   rekeymargin=3m
>>>>   keyexchange=ikev2
>>>>   ike=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
>>>>   esp=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
>>>>   compress=yes
>>>>   left=%defaultroute
>>>>   right=%any
>>>>   dpddelay=30
>>>>   dpdtimeout=120
>>>>   dpdaction=clear
>>>>   pfs=yes
>>>> 
>>>> conn rw-local-nat
>>>>   rightsubnet=vhost:%no,%priv
>>>>   also=rw-local
>>>> 
>>>> conn rw-local
>>>>   keyexchange=ikev1
>>>>   # Supposedly rekey can be no, because the client will ask for it...
>>>>   rekey=no
>>>>   leftsubnet=192.168.1.0/24
>>>>   rightsourceip=%hostpool
>>>>   also=rw
>>>> 
>>>> conn rw-charon
>>>>   leftsubnet=192.168.1.0/24
>>>>   # In case we want a different (volatile) pool
>>>>   # rightsourceip=192.168.4.64/26
>>>>   rightsourceip=%hostpool
>>>>   also=rw
>>>> 
>>>> conn rw
>>>>   authby=rsasig
>>>>   leftrsasigkey=%cert
>>>>   rightrsasigkey=%cert
>>>>   leftcert=pilotCert.pem
>>>>   leftid=@pilot.pariahzero.net
>>>>   rightid="C=US... CN=*, E=*"
>>>>   rightca=%same
>>>>   auto=add
>>>> 
>>>> $ ipsec pool --status
>>>> dns servers: 192.168.1.1
>>>> no nbns servers found.
>>>>   name           start             end  timeout   size      online       usage
>>>> hostpool     192.168.4.2    192.168.4.63   static     62     0 ( 0%)    0 ( 0%)
>>>> 
>>>> $ ipsec pool --statusattr
>>>> type  description           pool        identity              value
>>>>   3  INTERNAL_IP4_DNS                                        192.168.1.1
>>>> 
>>>> $ ipsec pool --showattr
>>>> internal_ip4_netmask  --addr    (INTERNAL_IP4_NETMASK)
>>>> internal_ip6_netmask  --addr    (INTERNAL_IP6_NETMASK)
>>>> netmask               --addr    (INTERNAL_IP4_NETMASK,
>>>> INTERNAL_IP6_NETMASK)
>>>> internal_ip4_dns      --addr    (INTERNAL_IP4_DNS)
>>>> internal_ip6_dns      --addr    (INTERNAL_IP6_DNS)
>>>> dns                   --addr    (INTERNAL_IP4_DNS, INTERNAL_IP6_DNS)
>>>> internal_ip4_nbns     --addr    (INTERNAL_IP4_NBNS)
>>>> internal_ip6_nbns     --addr    (INTERNAL_IP6_NBNS)
>>>> nbns                  --addr    (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)
>>>> wins                  --addr    (INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS)
>>>> internal_ip4_dhcp     --addr    (INTERNAL_IP4_DHCP)
>>>> internal_ip6_dhcp     --addr    (INTERNAL_IP6_DHCP)
>>>> dhcp                  --addr    (INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP)
>>>> internal_ip4_server   --addr    (INTERNAL_IP4_SERVER)
>>>> internal_ip6_server   --addr    (INTERNAL_IP6_SERVER)
>>>> server                --addr    (INTERNAL_IP4_SERVER,
>>>> INTERNAL_IP6_SERVER)
>>>> application_version   --string  (APPLICATION_VERSION)
>>>> version               --string  (APPLICATION_VERSION)
>>>> unity_banner          --string  (UNITY_BANNER)
>>>> banner                --string  (UNITY_BANNER)
>>>> unity_def_domain      --string  (UNITY_DEF_DOMAIN)
>>>> unity_splitdns_name   --string  (UNITY_SPLITDNS_NAME)
>>>> unity_split_include   --subnet  (UNITY_SPLIT_INCLUDE)
>>>> unity_local_lan       --subnet  (UNITY_LOCAL_LAN)
>>>> 
>>>> So what do I need to do in order to get IP address assignment working?
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

--
Troy Telford
ttelford.groups at gmail.com
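The thread turns on which connection definition charon settles on and whether that definition carries a `rightsourceip` pool: Andreas suspects charon picks a conn without a pool declaration, and Troy observes that conn order in ipsec.conf changes the outcome. The script below is an added example written for this post, not code from the thread or from the strongSwan project. It parses an ipsec.conf fragment, resolves `conn %default` and `also=` inheritance, and reports, in file order, which conns offer a virtual IP and whether the named pool actually exists in `ipsec pool --status` output. The sample configuration and pool listing are constructed to resemble what was quoted above (the extra `rw-charon-mobike` pool name is invented to show the "unknown pool" case); the precedence rule (own keys over `also=` parents over `%default`) is an assumption about how starter merges sections.

```python
"""Audit ipsec.conf connection definitions for virtual-IP pool coverage.

Added example, not part of the mailing-list thread or of strongSwan itself.
Assumes: a conn's own parameters win over those pulled in via also=, which
win over conn %default; pool names come from `ipsec pool --status` output.
"""
import re

# Constructed ipsec.conf fragment modelled on the thread's quoted config.
SAMPLE_CONF = """\
config setup
  nat_traversal=yes

conn %default
  keyexchange=ikev2
  left=%defaultroute
  right=%any

conn rw-local-nat
  rightsubnet=vhost:%no,%priv
  also=rw-local

conn rw-local
  keyexchange=ikev1
  leftsubnet=192.168.1.0/24
  rightsourceip=%hostpool
  also=rw

conn rw-charon
  leftsubnet=192.168.1.0/24
  rightsourceip=%hostpool
  also=rw

conn rw-charon-mobike
  # constructed: refers to a pool that was never created
  rightsourceip=%mobilepool
  also=rw

conn rw
  authby=rsasig
  auto=add
"""

# Constructed `ipsec pool --status` output (one pool, as in the thread).
SAMPLE_POOL_STATUS = """\
dns servers: 192.168.1.1
no nbns servers found.
  name           start             end  timeout   size      online       usage
hostpool     192.168.4.2    192.168.4.63   static     62     0 ( 0%)    0 ( 0%)
"""


def parse_ipsec_conf(text):
    """Return {conn name: {key: value}} in file order; `config setup` is skipped.
    Repeated also= lines are collected into a list under the 'also' key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented: section header
            kind, _, name = line.partition(' ')
            current = sections.setdefault(name, {}) if kind == 'conn' else None
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition('=')
        key, value = key.strip(), value.strip()
        if key == 'also':
            current.setdefault('also', []).append(value)
        else:
            current[key] = value
    return sections


def resolve(sections, name, chain=frozenset()):
    """Effective parameters of `name` after merging %default and also= parents.
    Raises KeyError for an also= target that is not defined, ValueError on a cycle."""
    if name in chain:
        raise ValueError('also= cycle at conn %s' % name)
    own = sections[name]
    effective = {} if name == '%default' else dict(sections.get('%default', {}))
    for parent in own.get('also', []):
        effective.update(resolve(sections, parent, chain | {name}))
    effective.update((k, v) for k, v in own.items() if k != 'also')
    return effective


def parse_pool_status(text):
    """Pool names from `ipsec pool --status`: a data row has an IPv4 start address."""
    return [line.split()[0] for line in text.splitlines()
            if len(line.split()) >= 3
            and re.fullmatch(r'\d+\.\d+\.\d+\.\d+', line.split()[1])]


def audit(conf_text, pool_text):
    """Return [(conn, keyexchange, pool status)] in file order, which matters
    because the daemon may select the first matching conn it knows about."""
    sections = parse_ipsec_conf(conf_text)
    pools = set(parse_pool_status(pool_text))
    report = []
    for name in sections:
        if name == '%default':
            continue
        eff = resolve(sections, name)
        src = eff.get('rightsourceip')
        if src is None:
            status = 'no rightsourceip: peer requesting a virtual IP gets INTERNAL_ADDRESS_FAILURE'
        elif src in ('%dhcp', '%radius'):
            status = 'addresses supplied by the %s plugin' % src[1:]
        elif src.startswith('%'):
            status = 'named pool %s %s' % (src[1:], 'found' if src[1:] in pools else 'UNKNOWN')
        else:
            status = 'in-memory pool ' + src
        report.append((name, eff.get('keyexchange', 'ikev2'), status))
    return report


if __name__ == '__main__':
    for conn, kx, status in audit(SAMPLE_CONF, SAMPLE_POOL_STATUS):
        print('%-18s %-6s %s' % (conn, kx, status))
```

Run it against the real `/etc/ipsec.conf` and the live `ipsec pool --status` output to see at a glance which conns can hand out an address and which would answer a virtual-IP request with `INTERNAL_ADDRESS_FAILURE`; a conn that inherits `keyexchange=ikev1` through `also=` (as `rw-local-nat` does here) shows up with its effective value rather than the `%default` one.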
