[strongSwan] Strongswan ikev1 any-any protect policy

Andreas Steffen andreas.steffen at strongswan.org
Mon Jun 13 11:20:07 CEST 2011


Hi Swetha,

why would you want to define a 0.0.0.0/0 == 0.0.0.0/0 policy anyway?
I think either the Linux netkey IPsec stack doesn't accept such a
policy or the IKEv2 charon daemon hasn't foreseen such an exotic case.

Regards

Andreas

On 06/13/2011 08:23 AM, Swetha RK wrote:
> Hi All,
> We would like to know if configuring an any-any protect policy with
> ikev1 is a valid case. ikev2 tunnels are established with the same
> configuration. We use strongswan 4.4.1. The configuration is as
> follows:
> conn conn65535
>    type=tunnel
>    leftsubnet=0.0.0.0/0
>    rightsubnet=0.0.0.0/0
>    left=10.46.155.153
>    right=10.44.34.130
>    keyexchange=ikev1
>    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
>    ikelifetime=83069s
>    esp=aes128-sha1,3des-sha1!
>    authby=pubkey
>    rightid=%any
>    keylife=86400s
>    dpdaction=restart
>    dpddelay=10
>    dpdtimeout=120
>    rekeyfuzz=50%
>    rekeymargin=180s
> This gives us an error like this:
> "conn65535" #1: ISAKMP SA established
> "conn65535" #4: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+UP {using isakmp#1}
> "conn65535" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
> "conn65535" #4: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.0@10.44.34.130 included errno 17: File exists
> "conn65535" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
> "conn65535" #4: ERROR: netlink response for Add SA esp.d798a9b8@10.46.155.153 included errno 3: No such process
> "conn65535" #3: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.0@10.44.34.130 included errno 17: File exists
> "conn65535" #3: ERROR: netlink response for Del SA esp.bb700eae@10.46.155.153 included errno 3: No such process
> "conn65535" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
> "conn65535" #4: ERROR: netlink response for Add SA esp.d798a9b8@10.46.155.153 included errno 3: No such process
> "conn65535" #3: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.0@10.44.34.130 included errno 17: File exists
> "conn65535" #3: ERROR: netlink response for Del SA esp.bb700eae@10.46.155.153 included errno 3: No such process
> "conn65535" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
> "conn65535" #4: ERROR: netlink response for Add SA esp.d798a9b8@10.46.155.153 included errno 3: No such process
> "conn65535" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
> "conn65535" #4: ERROR: netlink response for Add SA esp.d798a9b8@10.46.155.153 included errno 3: No such process
> "conn65535" #3: max number of retransmissions (2) reached STATE_QUICK_R1
> "conn65535" #3: ERROR: netlink response for Del SA esp.bb700eae@10.46.155.153 included errno 3: No such process
> "conn65535" #4: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> Could you please let us know if this is a known issue or are we missing
> something in our configuration?
> Thanks and regards
> R.K Swetha

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
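The netlink errors in the quoted log carry two different errno values (17, "File exists", on XFRM_MSG_NEWPOLICY; 3, "No such process", on Add SA and Del SA), and a reader scanning the raw output easily misses that the SA failures are a consequence of the policy install failing first. The script below is an added example for this thread; it is not strongSwan code and not part of either post. It assumes the pluto log line shape quoted above (`"<conn>" #<state>: ERROR: netlink ... included errno <n>: <text>`), parses those lines, maps each errno to its symbolic name, and counts failures per operation. The hint strings are this example's own reading of the errno values, not strongSwan documentation; the sample log is constructed after the thread's lines.

```python
"""Group netlink/XFRM errors from pluto (strongSwan 4.x IKEv1) log lines by
operation and errno.

Added example for this thread; not strongSwan code and not part of the
original mailing-list post. Assumes the pluto log line format quoted in the
thread. HINTS is this example's interpretation, not strongSwan documentation.
"""
import errno
import re
from collections import Counter

# Matches the netlink error lines only; every other pluto line is ignored.
LOG_RE = re.compile(
    r'^"(?P<conn>[^"]+)" #(?P<state>\d+): ERROR: netlink '
    r'(?P<what>.+?) included errno (?P<errno>\d+): (?P<text>.+)$'
)

# Splits the free text after "netlink" into an operation and its target, e.g.
#   "XFRM_MSG_NEWPOLICY response for flow tun.0@10.44.34.130"
#   "response for Add SA esp.d798a9b8@10.46.155.153"
OP_RE = re.compile(
    r'^(?:(?P<msg>XFRM_MSG_\w+) response for flow|'
    r'response for (?P<op>Add SA|Del SA)) (?P<target>\S+)$'
)

# Defender-side reading of the errno values seen in the thread (assumption:
# the example's own wording, not strongSwan documentation).
HINTS = {
    errno.EEXIST: "policy collides with an entry already in the kernel SPD",
    errno.ESRCH: "kernel has no SA for this SPI/address (never installed or already deleted)",
}


def parse_netlink_errors(lines):
    """Return one dict per netlink error line, in log order."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        op_m = OP_RE.match(m.group("what"))
        op = (op_m.group("msg") or op_m.group("op")) if op_m else m.group("what")
        target = op_m.group("target") if op_m else ""
        code = int(m.group("errno"))
        events.append({
            "conn": m.group("conn"),
            "state": int(m.group("state")),
            "op": op,
            "target": target,
            "errno": code,
            "errname": errno.errorcode.get(code, f"errno {code}"),
            "text": m.group("text"),
            "hint": HINTS.get(code, "no hint for this errno"),
        })
    return events


def summarize(events):
    """Count (operation, errno name) pairs so repeated failures stand out."""
    return Counter((e["op"], e["errname"]) for e in events)


def affected_states(events):
    """IKE state numbers (the #N in the log) that hit a kernel error."""
    return sorted({e["state"] for e in events})


# Constructed sample modelled on the lines quoted in the thread (not a verbatim copy).
SAMPLE_LOG = """\
"conn65535" #1: ISAKMP SA established
"conn65535" #4: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+UP {using isakmp#1}
"conn65535" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
"conn65535" #4: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.0@10.44.34.130 included errno 17: File exists
"conn65535" #4: ERROR: netlink response for Add SA esp.d798a9b8@10.46.155.153 included errno 3: No such process
"conn65535" #3: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.0@10.44.34.130 included errno 17: File exists
"conn65535" #3: ERROR: netlink response for Del SA esp.bb700eae@10.46.155.153 included errno 3: No such process
"conn65535" #4: max number of retransmissions (2) reached STATE_QUICK_I1.
"""

if __name__ == "__main__":
    evs = parse_netlink_errors(SAMPLE_LOG.splitlines())
    for (op, name), n in summarize(evs).most_common():
        hint = next(e["hint"] for e in evs if e["op"] == op and e["errname"] == name)
        print(f"{n}x {op:<20} {name:<7} {hint}")
    print("IKE states with kernel errors:", affected_states(evs))
```

Run it against a real pluto log by replacing `SAMPLE_LOG.splitlines()` with the file's lines. Because the first error per state is the EEXIST on XFRM_MSG_NEWPOLICY and the ESRCH entries follow it, the grouped output makes the policy collision the thing to investigate first (for instance with `ip xfrm policy` on the host), rather than the SA messages that result from it.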