[strongSwan] question to the IPv4 IKEv2 Remote Access senario

Mao, Zhiheng zmao at qualcomm.com
Mon Jul 30 00:57:45 CEST 2012


Hi there,

I just started using the strongswan (strongswan-5.0.0.tar.gz<http://download.strongswan.org/strongswan-5.0.0.tar.gz>) and have tried a simple IPv4 IKEv2 Remote Access case, where the road warrior carol (at 10.46.212.196) and the gateway moon (at 10.41.73.71) established the VPN tunnel and moon assigned the virtual IP addr 10.9.8.1 to carol. However, I checked the carol's machine after the VPN tunnel was up, and I did not see the 10.9.8.1 shown up under the dev eth0. From carol, I could ping the other end of the VPN (10.9.8.7) and tcpdump showed ESP packets. But from moon, I could not ping the other end of the VPN (10.9.8.1).

To work around (which I do not think is the right way), I had to add an extra line to the carol's ipsec.conf in order to make the assigned virtual IP address show up for the dev eth0. Then I could ping both VPN ends from the other side, and the tcpdump showed both in ESP packets.

Before adding the extra line to the carol's ipsec.conf, I did see a suspicious log in carol's syslog:
Jul 29 14:33:22 as3-iwf118 charon: 06[IKE] CHILD_SA home{1} established with SPIs cffd2e36_i ca69b222_o and TS 10.46.212.196/32 === 10.9.8.0/24

After adding the extra line to the carol's ipsec.conf, I did see a correct log in carol's syslog:
Jul 29 14:40:08 as3-iwf118 charon: 10[IKE] CHILD_SA home{1} established with SPIs c839f511_i c3456308_o and TS 10.9.8.1/32 === 10.9.8.0/24

The ipsec.conf files are shown below, the red line is the extra line I had to add. The logs shown below were before adding the extra line in the failure situation.

Could someone please tell me what I am missing? How can I make moon assign and make carol take the virtual IP address instead of having carol specifying the address it wants? Thanks a lot!

Regards,
Zhiheng Mao

==================  ipsec.conf  for gateway moon ==================
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn rw-carol
        left=10.41.73.71
        leftsubnet=10.9.8.0/24
        leftid=moon at strongswan.org<mailto:leftid=moon at strongswan.org>
        leftauth=psk
        leftfirewall=yes
        right=%any
        rightid=*@strongswan.org<mailto:rightid=*@strongswan.org>
        rightauth=psk
        rightsourceip=10.9.8.1
        auto=add

==================  ipsec.conf  for rw carol ==================
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn home
        left=10.46.212.196
        leftid=carol at strongswan.org<mailto:leftid=carol at strongswan.org>
        leftauth=psk
        leftfirewall=yes
        leftsourceip=10.9.8.1   # without this line, this virtual address does not show up under the dev eth0. Why?
        right=10.41.73.71
        rightid=moon at strongswan.org<mailto:rightid=moon at strongswan.org>
        rightsubnet=10.9.8.0/24
        rightauth=psk
        auto=start

==================  moon's syslog ==================
Jul 29 15:44:24 sit-iwf charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 2.6.18-238.el5, x86_64)
Jul 29 15:44:24 sit-iwf charon: 00[KNL] listening on interfaces:
Jul 29 15:44:24 sit-iwf charon: 00[KNL]   eth0
Jul 29 15:44:24 sit-iwf charon: 00[KNL]     10.41.73.71
Jul 29 15:44:24 sit-iwf charon: 00[KNL]     10.41.73.79
Jul 29 15:44:24 sit-iwf charon: 00[KNL]     2002:c023:9c17:21c::a29:4947
Jul 29 15:44:25 sit-iwf charon: 00[KNL]     fe80::21b:78ff:fe75:3bd8
Jul 29 15:44:25 sit-iwf charon: 00[KNL]   tun0
Jul 29 15:44:25 sit-iwf charon: 00[KNL]     10.9.8.7
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jul 29 15:44:25 sit-iwf charon: 00[CFG]   loaded IKE secret for carol at strongswan.org
Jul 29 15:44:25 sit-iwf charon: 00[CFG]   loaded IKE secret for moon at strongswan.org
Jul 29 15:44:25 sit-iwf charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-aka eap-md5 eap-radius xauth-generic
Jul 29 15:44:25 sit-iwf charon: 00[JOB] spawning 16 worker threads
Jul 29 15:44:26 sit-iwf charon: 07[CFG] received stroke: add connection 'rw-carol'
Jul 29 15:44:26 sit-iwf charon: 07[CFG] added configuration 'rw-carol'
Jul 29 15:44:26 sit-iwf charon: 07[CFG] adding virtual IP address pool 'rw-carol': 10.9.8.1/32
Jul 29 15:44:32 sit-iwf charon: 09[NET] received packet: from 10.46.212.196[500] to 10.41.73.71[500]
Jul 29 15:44:32 sit-iwf charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 29 15:44:32 sit-iwf charon: 09[IKE] 10.46.212.196 is initiating an IKE_SA
Jul 29 15:44:32 sit-iwf charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 29 15:44:32 sit-iwf charon: 09[NET] sending packet: from 10.41.73.71[500] to 10.46.212.196[500]
Jul 29 15:44:32 sit-iwf charon: 10[NET] received packet: from 10.46.212.196[4500] to 10.41.73.71[4500]
Jul 29 15:44:32 sit-iwf charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jul 29 15:44:32 sit-iwf charon: 10[CFG] looking for peer configs matching 10.41.73.71[moon at strongswan.org]...10.46.212.196[carol at strongswan.org]
Jul 29 15:44:32 sit-iwf charon: 10[CFG] selected peer config 'rw-carol'
Jul 29 15:44:32 sit-iwf charon: 10[IKE] authentication of 'carol at strongswan.org' with pre-shared key successful
Jul 29 15:44:32 sit-iwf charon: 10[IKE] peer supports MOBIKE
Jul 29 15:44:32 sit-iwf charon: 10[IKE] authentication of 'moon at strongswan.org' (myself) with pre-shared key
Jul 29 15:44:32 sit-iwf charon: 10[IKE] IKE_SA rw-carol[1] established between 10.41.73.71[moon at strongswan.o rg]...10.46.212.196[carol at strongswan.org]
Jul 29 15:44:32 sit-iwf charon: 10[IKE] scheduling reauthentication in 3400s
Jul 29 15:44:32 sit-iwf charon: 10[IKE] maximum IKE_SA lifetime 3580s
Jul 29 15:44:32 sit-iwf charon: 10[IKE] CHILD_SA rw-carol{1} established with SPIs c0401f84_i c445a329_o and TS 10.9.8.0/24 === 10.46.212.196/32
Jul 29 15:44:33 sit-iwf charon: 10[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Jul 29 15:44:33 sit-iwf charon: 10[NET] sending packet: from 10.41.73.71[4500] to 10.46.212.196[4500]

==================  carol's eth0 before VPN setup, syslog during VPN setup, eth0 after VPN setup ==================
[zmao at as3-iwf118 sbin]$ /sbin/ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 78:e7:d1:ca:6f:b8 brd ff:ff:ff:ff:ff:ff
    inet 10.46.212.196/27 brd 10.46.212.223 scope global eth0
    inet6 2002:c023:9c17:21b::a2e:d4c4/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::7ae7:d1ff:feca:6fb8/64 scope link
       valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
442: ppp0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop qlen 3
    link/ppp

Jul 29 15:44:32 as3-iwf118 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 2.6.18-238.el5, x86_64)
Jul 29 15:44:32 as3-iwf118 charon: 00[KNL] listening on interfaces:
Jul 29 15:44:32 as3-iwf118 charon: 00[KNL]   eth0
Jul 29 15:44:32 as3-iwf118 charon: 00[KNL]     10.46.212.196
Jul 29 15:44:32 as3-iwf118 charon: 00[KNL]     2002:c023:9c17:21b::a2e:d4c4
Jul 29 15:44:32 as3-iwf118 charon: 00[KNL]     fe80::7ae7:d1ff:feca:6fb8
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG]   loaded IKE secret for carol at strongswan.org
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG]   loaded IKE secret for moon at strongswan.org
Jul 29 15:44:32 as3-iwf118 charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Jul 29 15:44:32 as3-iwf118 charon: 00[JOB] spawning 16 worker threads
Jul 29 15:44:32 as3-iwf118 charon: 05[CFG] received stroke: add connection 'home'
Jul 29 15:44:32 as3-iwf118 charon: 05[CFG] added configuration 'home'
Jul 29 15:44:32 as3-iwf118 charon: 07[CFG] received stroke: initiate 'home'
Jul 29 15:44:32 as3-iwf118 charon: 07[IKE] initiating IKE_SA home[1] to 10.41.73.71
Jul 29 15:44:32 as3-iwf118 charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 29 15:44:32 as3-iwf118 charon: 07[NET] sending packet: from 10.46.212.196[500] to 10.41.73.71[500]
Jul 29 15:44:32 as3-iwf118 charon: 09[NET] received packet: from 10.41.73.71[500] to 10.46.212.196[500]
Jul 29 15:44:32 as3-iwf118 charon: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 29 15:44:32 as3-iwf118 charon: 09[IKE] authentication of 'carol at strongswan.org' (myself) with pre-shared key
Jul 29 15:44:32 as3-iwf118 charon: 09[IKE] establishing CHILD_SA home
Jul 29 15:44:32 as3-iwf118 charon: 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jul 29 15:44:32 as3-iwf118 charon: 09[NET] sending packet: from 10.46.212.196[4500] to 10.41.73.71[4500]
Jul 29 15:44:33 as3-iwf118 charon: 10[NET] received packet: from 10.41.73.71[4500] to 10.46.212.196[4500]
Jul 29 15:44:33 as3-iwf118 charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] authentication of 'moon at strongswan.org' with pre-shared key successful
Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] IKE_SA home[1] established between 10.46.212.196[carol at strongswan .org]...10.41.73.71[moon at strongswan.org]
Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] scheduling reauthentication in 3386s
Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] maximum IKE_SA lifetime 3566s
Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] CHILD_SA home{1} established with SPIs c445a329_i c0401f84_o and TS 10.46.212.196/32 === 10.9.8.0/24
Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] received AUTH_LIFETIME of 3400s, scheduling reauthentication in 3220s
Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] peer supports MOBIKE

[zmao at as3-iwf118 sbin]$ /sbin/ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 78:e7:d1:ca:6f:b8 brd ff:ff:ff:ff:ff:ff
    inet 10.46.212.196/27 brd 10.46.212.223 scope global eth0
    inet6 2002:c023:9c17:21b::a2e:d4c4/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::7ae7:d1ff:feca:6fb8/64 scope link
       valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
442: ppp0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop qlen 3
    link/ppp
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120729/c213c814/attachment.html>


More information about the Users mailing list