[strongSwan] "ipsec status" shows unexpected output

Andreas Steffen andreas.steffen at strongswan.org
Wed Sep 7 13:21:18 CEST 2011


Hi Meera,

this is a well-known problem occurring because the
mark value cannot be communicated to the other endpoint
via the IKE protocol. Thus the responder will set up
the first tunnel which it finds in its list of connections.

As a workaround you must define two different identities
for tunnel1 and tunnel2 so that the endpoint is able
to set up the correct SA according to the ID. The
drawback is that two IKE SAs including authentication
must be set up. Please check my example scenario

http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/

which uses two sets of identities.

Regards

Andreas

On 07.09.2011 12:37, Meera Sudhakar wrote:
> Hi,
>  
> I have two end-points, between which I have created two identical
> tunnels. However, the command "ipsec status" does not show the two
> tunnels in the way I expect. Please find the required info below:
>  
> /etc/ipsec.conf on end-point 1:
> root at vc1_TPC2:~# cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         #plutostderrlog=/var/log/syslog
>         # plutodebug=control
>         # crlcheckinterval=600
>         strictcrlpolicy=no
>         # cachecrls=yes
>         # nat_traversal=yes
>         charonstart=yes
>         charondebug=control
>         plutostart=no
> # Add connections here.
> 
> ca strongswan
>         cacert=caCert.der
>         auto=add
> conn %default
>         type=tunnel
>         left=169.254.0.70
>         leftcert=VC1Cert.der
>         right=169.254.1.70
>         rightid="C=CH, O=strongSwan, CN=169.254.1.70"
>         keyexchange=ikev2
>         auto=start
> conn tunnel1
>         leftsubnet=169.254.0.0/24
>         rightsubnet=169.254.1.0/24
>         mark=10
> conn tunnel2
>         leftsubnet=169.254.0.0/24
>         rightsubnet=169.254.1.0/24
>         mark=20
> 
>  
> /etc/ipsec.conf on end-point 2:
> root at vc2_TPC2:~# cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         # plutodebug=control
>         # crlcheckinterval=600
>          strictcrlpolicy=no
>         # cachecrls=yes
>         # nat_traversal=yes
>         charonstart=yes
>         plutostart=no
>         charondebug=control
> # Add connections here.
> 
> ca strongswan
>         cacert=caCert.der
>         auto=add
> conn %default
>         type=tunnel
>         left=169.254.1.70
>         leftcert=VC2Cert.der
>         right=169.254.0.70
>         rightid="C=CH, O=strongSwan, CN=169.254.0.70"
>         keyexchange=ikev2
>         auto=start
> conn tunnel1
>         leftsubnet=169.254.1.0/24
>         rightsubnet=169.254.0.0/24
>         mark=10
> conn tunnel2
>         leftsubnet=169.254.1.0/24
>         rightsubnet=169.254.0.0/24
>         mark=20
> 
>  
> ipsec status on end-point 1:
> root at vc1_TPC2:~# ipsec status
> Security Associations:
>      tunnel1[1]: ESTABLISHED 14 minutes ago, 169.254.0.70[C=CH, O=strongSwan, CN=169.254.0.70]...169.254.1.70[C=CH, O=strongSwan, CN=169.254.1.70]
>      tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: ccd3d0ec_i c8d1ad66_o
>      tunnel1{3}:   169.254.0.0/24 === 169.254.1.0/24
>      tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: cc6da619_i c28e4022_o
>      tunnel2{4}:   169.254.0.0/24 === 169.254.1.0/24
>  
> ipsec status on end-point 2:
> root at vc2_TPC2:~# ipsec status
> Security Associations:
>      tunnel1[2]: ESTABLISHED 14 minutes ago, 169.254.1.70[C=CH, O=strongSwan, CN=169.254.1.70]...169.254.0.70[C=CH, O=strongSwan, CN=169.254.0.70]
>      tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c8d1ad66_i ccd3d0ec_o
>      tunnel1{3}:   169.254.1.0/24 === 169.254.0.0/24
>      tunnel1{4}:  INSTALLED, TUNNEL, ESP SPIs: c28e4022_i cc6da619_o
>      tunnel1{4}:   169.254.1.0/24 === 169.254.0.0/24
> The questions I have are:
> 1. End-point 1 shows tunnel1{3} and tunnel2{4}, while end-point 2 shows
> only tunnel1 with either {3} or {4}. Could you please tell me why it
> does not show tunnel2? Also, this varies from time to time. Sometimes
> the numbers in flower brackets are different, and sometimes they are the
> same.
> 2. What do the numbers in flower brackets denote?
>  
> Also, please let me know if I have configured anything incorrectly,
> which may be causing this.
>  
> Thanks and regards,
> Meera
>  


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
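An added illustration of the workaround Andreas describes, not taken from the referenced test scenario or from the original posts: end-point 1 keeps Meera's addresses, subnets and marks, but gives tunnel1 and tunnel2 distinct IKE identities so the responder can select the right connection by ID. The switch to PSK authentication, the `@ep1-tunnel1`-style identity names and the secret values are assumptions made for the example (with certificates, each identity would instead need a matching certificate subject or subjectAltName).

```ini
# /etc/ipsec.conf on end-point 1 (added example, assumed PSK authentication)
config setup
        charonstart=yes
        plutostart=no

conn %default
        type=tunnel
        keyexchange=ikev2
        authby=secret
        left=169.254.0.70
        right=169.254.1.70
        leftsubnet=169.254.0.0/24
        rightsubnet=169.254.1.0/24
        auto=start

# Same traffic selectors as before; only the IDs and the local mark differ.
# The mark is never carried in IKE, so the peer must configure the same
# per-connection marks locally on its side.
conn tunnel1
        leftid=@ep1-tunnel1
        rightid=@ep2-tunnel1
        mark=10

conn tunnel2
        leftid=@ep1-tunnel2
        rightid=@ep2-tunnel2
        mark=20

# /etc/ipsec.secrets on end-point 1 (constructed placeholder secrets):
# one PSK per identity pair, so each IKE SA authenticates separately
# @ep1-tunnel1 @ep2-tunnel1 : PSK "PLACEHOLDER-psk-for-tunnel1"
# @ep1-tunnel2 @ep2-tunnel2 : PSK "PLACEHOLDER-psk-for-tunnel2"
```

End-point 2 mirrors this with left/right, the subnets and the ID pairs swapped; afterwards `ipsec status` should list tunnel1 and tunnel2 on both sides, each under its own IKE SA.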
