[strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Tue Aug 2 15:24:59 CEST 2011


Hi

One more follow-up: on the machine with the load-tester plugin enabled and
simulating multiple rw-clients, I have the following strongswan.conf config
file:
-----------------------------------------------------------------------------------
# strongswan.conf - strongSwan configuration file
charon {
        reuse_ikesa = no
        # number of worker threads in charon
        threads = 32
        # send strongswan vendor ID?
        # send_vendor_id = yes
        plugins {
                sql {
                        # loglevel to log into sql database
                        loglevel = -1
                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
                }
                load-tester {
                        # enable the plugin
                        enable = yes
                        # 5 initiator threads, 2 IKE_SAs each: 10 connections in total
                        initiators = 5
                        iterations = 2
                        # delay between initiations per thread, in ms; each thread runs for about iterations * delay = 200ms
                        delay = 100
                        # address of the gateway
                        remote = 172.17.10.10
                        # IKE-proposal to use
                        proposal = aes128-sha1-modp1024
                        # use faster PSK authentication instead of 1024bit RSA
                        initiator_auth = psk
                        responder_auth = psk
                        # request a virtual IP using configuration payloads
                        request_virtual_ip = yes
                        # disable IKE_SA rekeying (default)
                        ike_rekey = 0
                        # rekey the CHILD_SA every 60s
                        child_rekey = 60
                        # do not delete the IKE_SA after it has been established (default)
                        delete_after_established = no
                        # do not shut down the daemon if all IKE_SAs established
                        shutdown_when_complete = no
                }
        }
        # ...
}
pluto {
}
libstrongswan {
        #  set to no, the DH exponent size is optimized
        #  dh_exponent_ansi_x9_42 = no
}
[root at dvtpc3 etc]#
[root at dvtpc3 etc]#
[root at dvtpc3 etc]# ipsec start
Starting strongSwan 4.5.2 IPsec [starter]...
[root at dvtpc3 etc]#

----------------------------------------------------------------------------------

and on running the command

[root at dvtpc3 etc]# ipsec start
[root at dvtpc3 etc]# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 172.17.10.253:500
000 interface eth2/eth2 192.168.21.1:500
000 %myid = '%any'
000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 4 seconds, since Aug 02 18:49:59 2011
  malloc: sbrk 262144, mmap 0, used 92800, free 169344
  worker threads: 25 idle of 32, job queue load: 0, scheduled events: 20
  loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp xcbc hmac attr load-tester kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
  172.17.10.253
  192.168.21.1
Connections:
   load-test:  0.0.0.0...172.17.10.10
   load-test:   local:  [srv.strongswan.org] uses pre-shared key authentication
   load-test:   remote: [*.strongswan.org] uses pre-shared key authentication
   load-test:   child:  dynamic === dynamic
Security Associations:
  none
[root at dvtpc3 etc]#

So here it shows the local system with id srv.strongswan.org, whereas it
is actually supposed to be a rw-client.

thanks & regards
rajiv


On Tue, Aug 2, 2011 at 6:25 PM, Rajiv Kulkarni <rajivkulkarni69 at gmail.com> wrote:

> Hi
>
> >>The problem is not the secret, but that no config matches on your
> >>responder. "leftid" defaults to "left" (172.17.10.10), but actually is
> >>srv.strongswan.org. Try leftid=srv.strongswan.org, or even leftid=%any.
> I did just that: I used leftid=%any on the rw-server. But when I start the
> ipsec (ipsec start --nofork) on the load-tester-plugin enabled machine, I still
> get auth failed messages.
>
> Meanwhile on the server i get the following messages:
>
> -----------------------------------------------------------------------------
> 28[NET] received packet: from 172.17.10.253[500] to 172.17.10.10[500]
> 28[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> 28[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org]...172.17.10.253[c6-r1.strongswan.org]
> 28[CFG] selected peer config 'rw-server'
> 28[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c6-r1.strongswan.org', but MAC mismatched
> 28[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 28[NET] sending packet: from 172.17.10.10[500] to 172.17.10.253[500]
> 28[NET] received packet: from 172.17.10.253[500] to 172.17.10.10[500]
> 28[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> 28[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org]...172.17.10.253[c6-r1.strongswan.org]
> 28[CFG] selected peer config 'rw-server'
> 28[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c6-r1.strongswan.org', but MAC mismatched
> 28[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 28[NET] sending packet: from 172.17.10.10[500] to 172.17.10.253[500]
>
>
> ------------------------------------------------------------------------------------------
>
> - On the rw-server, I am using the following setting in the "ipsec.secrets"
> file:
> : PSK "default-psk"
>
> - and the ipsec.conf on the rw-server m/c is as below:
> -------------------------------------------------------------------------
> [root at dvtpc1 etc]# cat ipsec.conf
> # /etc/ipsec.conf - strongSwan IPsec configuration file
> config setup
>         strictcrlpolicy=no
>         crlcheckinterval=180
>         plutostart=yes
>         charonstart=yes
> conn %default
>         ikelifetime=60m
>         keylife=30m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>         mobike=no
> conn rw-server
>         left=172.17.10.10
>         leftsubnet=192.168.20.0/24
>         leftid=%any
>
>         right=%any
>         rightsourceip=10.3.0.0/16
>         authby=psk
>
>         keyexchange=ikev2
>         type=tunnel
>         auto=add
> #
> --------------------------------------------
>
> - both the rw-server (with ipaddr 172.17.10.10/24, DGw-IP: 172.17.10.253)
> and the rw-client (with the load-tester plugin enabled and with ipaddr
> 172.17.10.253/24, DGw-IP: 172.17.10.10) are connected back-to-back and
> both are running strongSwan 4.5.2 on Linux Fedora 13.
>
>
> So where am I going wrong?
> thanks & regards
> rajiv
>
> On Tue, Aug 2, 2011 at 1:09 PM, Martin Willi <martin at strongswan.org> wrote:
>
>>
>>
>> > 15[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org]...172.17.10.253[c5-1.strongswan.org]
>> > 15[CFG] no matching peer config found
>> > 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>
>>
>> > conn rw-server
>> >         left=172.17.10.10
>> >         leftsubnet=192.168.20.0/24
>> >         right=%any
>>
>> The problem is not the secret, but that no config matches on your
>> responder. "leftid" defaults to "left" (172.17.10.10), but actually is
>> srv.strongswan.org. Try leftid=srv.strongswan.org, or even leftid=%any.
>>
>> Regards
>> Martin
>>
>>
>>
>
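The thread shows two distinct IKE_AUTH failure modes on the responder: "no matching peer config found" (the identities the client presents match no conn, which is what Martin's leftid remark addresses) and "tried 1 shared key ... but MAC mismatched" (a conn matched, but the PSK looked up for that identity pair does not verify the AUTH payload). The script below is an added example, not code from this thread or from the strongSwan project: it parses charon's "NN[SUBSYS] message" log lines, re-joins lines that a mail client wrapped, correlates each exchange by charon thread id and classifies the failure with the identity pair involved. The sample log lines are constructed from the output quoted above; the message formats it matches are the ones visible in those quotes.

```python
"""Triage IKE_AUTH failures in strongSwan charon log lines.

Added example (not from the thread or the strongSwan project). It parses
charon's 'NN[SUBSYS] message' lines, re-joins lines that a mail client wrapped,
and tells the two failure modes seen in the thread apart:
  * "no matching peer config found"  -> identity/conn mismatch (leftid/rightid)
  * "tried N shared key ... but MAC mismatched" -> conn matched, PSK wrong
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^(?P<thread>\d+)\[(?P<sub>[A-Z]+)\]\s(?P<msg>.*)$")
MATCH_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<laddr>\S+?)\[(?P<lid>[^\]]*)\]\.\.\.(?P<raddr>\S+?)\[(?P<rid>[^\]]*)\]")
SELECTED_RE = re.compile(r"selected peer config '(?P<name>[^']*)'")
PSK_RE = re.compile(
    r"tried (?P<n>\d+) shared keys? for '(?P<lid>[^']*)' - '(?P<rid>[^']*)', "
    r"but MAC mismatched")

HINTS = {
    "no_peer_config": "no conn matched the presented identities; check leftid/rightid "
                      "(leftid defaults to the 'left' address, not to the ID the peer expects)",
    "psk_mismatch": "a conn matched but the PSK chosen for this identity pair did not "
                    "verify the AUTH payload; check the ipsec.secrets entry for these IDs",
}

# Constructed sample, modelled on the charon output quoted in the thread; the
# second exchange is deliberately quote-prefixed and wrapped as a mail client would.
SAMPLE_LOG = """\
15[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org]...172.17.10.253[c5-1.strongswan.org]
15[CFG] no matching peer config found
15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 28[NET] received packet: from 172.17.10.253[500] to 172.17.10.10[500]
> 28[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr
> N(MULT_AUTH) N(EAP_ONLY) ]
> 28[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org
> ]...172.17.10.253[c6-r1.strongswan.org]
> 28[CFG] selected peer config 'rw-server'
> 28[IKE] tried 1 shared key for 'srv.strongswan.org' - '
> c6-r1.strongswan.org', but MAC mismatched
> 28[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 28[NET] sending packet: from 172.17.10.10[500] to 172.17.10.253[500]
"""


def unwrap(text):
    """Strip '> ' quote prefixes and re-join mail-wrapped continuation lines.

    Any line that does not start with 'NN[SUBSYS] ' is treated as the tail of
    the previous log line.
    """
    lines = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        if LINE_RE.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def triage(text):
    """Return one record per IKE_AUTH failure, correlated by charon thread id."""
    pending = {}      # thread id -> exchange currently being processed
    failures = []
    for line in unwrap(text):
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        mm = MATCH_RE.search(msg)
        sm = SELECTED_RE.search(msg)
        pm = PSK_RE.search(msg)
        if mm:
            # identities are stripped because unwrap() may leave a stray space
            pending[thread] = {"local_id": mm.group("lid").strip(),
                               "remote_id": mm.group("rid").strip(),
                               "remote_addr": mm.group("raddr"),
                               "config": None, "kind": None, "keys_tried": 0}
        elif thread not in pending:
            continue
        elif "no matching peer config found" in msg:
            pending[thread]["kind"] = "no_peer_config"
        elif sm:
            pending[thread]["config"] = sm.group("name")
        elif pm:
            pending[thread]["kind"] = "psk_mismatch"
            pending[thread]["keys_tried"] = int(pm.group("n"))
        elif "N(AUTH_FAILED)" in msg:
            failures.append(pending.pop(thread))
    return failures


def summarize(failures):
    """Count failures per (kind, local id, remote id) and attach a triage hint."""
    counts = Counter((f["kind"], f["local_id"], f["remote_id"]) for f in failures)
    return [(kind, lid, rid, n, HINTS.get(kind, "unclassified"))
            for (kind, lid, rid), n in counts.items()]


if __name__ == "__main__":
    for kind, lid, rid, n, hint in summarize(triage(SAMPLE_LOG)):
        print(f"{n}x {kind}: IDr={lid} IDi={rid}\n    {hint}")
```

Run it against `ipsec start --nofork` output or the charon lines from syslog; because records are keyed by charon thread id, interleaved exchanges from several load-tester initiators stay separate, and the "IDr=... IDi=..." pair in each line tells you directly which conn and which ipsec.secrets entry to look at.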

