[strongSwan] "ipsec status" shows unexpected output

Meera Sudhakar mira.sudhakar at gmail.com
Thu Sep 8 09:09:16 CEST 2011


Hi Andreas,

Ok. I checked the example you mentioned. So now I need to have different
leftid and rightid for each of the tunnels.

You had mentioned that "The drawback is that two IKE SAs including
authentication must be set up." Does this mean that we need separate keys
and certificates for each tunnel? In other words, what will the content of
the folders /etc/ipsec.d/certs and /etc/ipsec.d/private be? Sorry, but I
just find it a bit confusing because from my understanding, the identities
are included in the peer cert creation, so if I'll need two identities on
each end-point, I'll need two keys/certs as well.

Could you please help me understand this better?

Thanks and regards,
Meera

On Wed, Sep 7, 2011 at 4:51 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Meera,
>
> this is a well known problem occurring because the
> mark value cannot be communicated to the other endpoint
> via the IKE protocol. Thus the responder will set up
> the first tunnel which it finds in its list of connections.
>
> As workaround you must define two different identities
> for tunnel1 and tunnel2 so that the endpoint is able
> to set up the correct SA according to the ID. The
> draw back is that two IKE SAs including authentication
> must be set up. Please check my example scenario
>
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/
>
> which uses two sets of identities.
>
> Regards
>
> Andreas
>
> On 07.09.2011 12:37, Meera Sudhakar wrote:
> > Hi,
> >
> > I have two end-points, between which I have created two identical
> > tunnels. However, the command "ipsec status" does not show the two
> > tunnels in the way I expect. Please find the required info below:
> >
> > _/etc/ipsec.conf on end-point 1:_
> > root at vc1_TPC2:~# cat /etc/ipsec.conf
> > # ipsec.conf - strongSwan IPsec configuration file
> > # basic configuration
> > config setup
> >         #plutostderrlog=/var/log/syslog
> >         # plutodebug=control
> >         # crlcheckinterval=600
> >         strictcrlpolicy=no
> >         # cachecrls=yes
> >         # nat_traversal=yes
> >         charonstart=yes
> >         charondebug=control
> >         plutostart=no
> > # Add connections here.
> >
> > ca strongswan
> >         cacert=caCert.der
> >         auto=add
> > conn %default
> >         type=tunnel
> >         left=169.254.0.70
> >         leftcert=VC1Cert.der
> >         right=169.254.1.70
> >         rightid="C=CH, O=strongSwan, CN=169.254.1.70"
> >         keyexchange=ikev2
> >         auto=start
> > conn tunnel1
> >         leftsubnet=169.254.0.0/24
> >         rightsubnet=169.254.1.0/24
> >         mark=10
> > conn tunnel2
> >         leftsubnet=169.254.0.0/24
> >         rightsubnet=169.254.1.0/24
> >         mark=20
> >
> >
> > _/etc/ipsec.conf on end-point 2:_
> > root at vc2_TPC2:~# cat /etc/ipsec.conf
> > # ipsec.conf - strongSwan IPsec configuration file
> > # basic configuration
> > config setup
> >         # plutodebug=control
> >         # crlcheckinterval=600
> >         strictcrlpolicy=no
> >         # cachecrls=yes
> >         # nat_traversal=yes
> >         charonstart=yes
> >         plutostart=no
> >         charondebug=control
> > # Add connections here.
> >
> > ca strongswan
> >         cacert=caCert.der
> >         auto=add
> > conn %default
> >         type=tunnel
> >         left=169.254.1.70
> >         leftcert=VC2Cert.der
> >         right=169.254.0.70
> >         rightid="C=CH, O=strongSwan, CN=169.254.0.70"
> >         keyexchange=ikev2
> >         auto=start
> > conn tunnel1
> >         leftsubnet=169.254.1.0/24
> >         rightsubnet=169.254.0.0/24
> >         mark=10
> > conn tunnel2
> >         leftsubnet=169.254.1.0/24
> >         rightsubnet=169.254.0.0/24
> >         mark=20
> >
> >
> > _ipsec status on end-point 1:_
> > root at vc1_TPC2:~# ipsec status
> > Security Associations:
> >      tunnel1[1]: ESTABLISHED 14 minutes ago, 169.254.0.70[C=CH,
> > O=strongSwan, CN=169.254.0.70]...169.254.1.70[C=CH, O=strongSwan,
> > CN=169.254.1.70]
> >      tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: ccd3d0ec_i c8d1ad66_o
> >      tunnel1{3}:   169.254.0.0/24 === 169.254.1.0/24
> >      tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: cc6da619_i c28e4022_o
> >      tunnel2{4}:   169.254.0.0/24 === 169.254.1.0/24
> >
> > _ipsec status on end-point 2:_
> > root at vc2_TPC2:~# ipsec status
> > Security Associations:
> >      tunnel1[2]: ESTABLISHED 14 minutes ago, 169.254.1.70[C=CH,
> > O=strongSwan, CN=169.254.1.70]...169.254.0.70[C=CH, O=strongSwan,
> > CN=169.254.0.70]
> >      tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c8d1ad66_i ccd3d0ec_o
> >      tunnel1{3}:   169.254.1.0/24 === 169.254.0.0/24
> >      tunnel1{4}:  INSTALLED, TUNNEL, ESP SPIs: c28e4022_i cc6da619_o
> >      tunnel1{4}:   169.254.1.0/24 === 169.254.0.0/24
> > The questions I have are:
> > 1. End-point 1 shows tunnel1{3} and tunnel2{4}, while end-point 2 shows
> > only tunnel1 with either {3} or {4}. Could you please tell me why it
> > does not show tunnel2? Also, this varies from time to time. Sometimes
> > the numbers in flower brackets are different, and sometimes they are the
> > same.
> > 2. What do the numbers in flower brackets denote?
> >
> > Also, please let me know if I have configured anything incorrectly,
> > which may be causing this.
> >
> > Thanks and regards,
> > Meera
> >
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
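The workaround Andreas describes, written out for end-point 1 as an added example (not a configuration from the thread or from the strongSwan test scenario): each conn gets its own leftid/rightid pair so the responder can select the right conn from the IKE identities it receives, which is the only thing it can match on since the mark never crosses the wire. With certificate authentication each leftid must be the subject DN (or a subjectAltName) of the certificate named in leftcert, so this example assumes one certificate per tunnel; the DNs and file names are placeholders, and the mirrored configuration on end-point 2 swaps the left/right values.

```conf
# /etc/ipsec.conf on end-point 1 -- added example, not from the thread
config setup
        charonstart=yes
        plutostart=no
        charondebug=control
        strictcrlpolicy=no

ca strongswan
        cacert=caCert.der
        auto=add

conn %default
        type=tunnel
        keyexchange=ikev2
        left=169.254.0.70
        right=169.254.1.70
        leftsubnet=169.254.0.0/24
        rightsubnet=169.254.1.0/24
        auto=start

# Distinct identity pair per tunnel: the responder matches the received
# IDi/IDr against these, so tunnel1 and tunnel2 can no longer collide.
conn tunnel1
        leftid="C=CH, O=strongSwan, CN=vc1-tunnel1"    # assumed DN
        leftcert=VC1Tunnel1Cert.der                     # assumed file, subject = leftid
        rightid="C=CH, O=strongSwan, CN=vc2-tunnel1"   # assumed DN of peer cert
        mark=10

conn tunnel2
        leftid="C=CH, O=strongSwan, CN=vc1-tunnel2"    # assumed DN
        leftcert=VC1Tunnel2Cert.der                     # assumed file, subject = leftid
        rightid="C=CH, O=strongSwan, CN=vc2-tunnel2"   # assumed DN of peer cert
        mark=20
```

After restarting, "ipsec status" on both end-points should list one IKE SA per conn name with the matching identities in brackets, which is the quick check that the selection now happens by ID rather than by list order.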