[strongSwan] question to the IPv4 IKEv2 Remote Access scenario

Mao, Zhiheng zmao at qualcomm.com
Mon Jul 30 07:57:15 CEST 2012


Hi Andreas,

That works! Thanks a lot for the help!
Regards,

Zhiheng

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Sunday, July 29, 2012 9:16 PM
To: Mao, Zhiheng
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] question to the IPv4 IKEv2 Remote Access scenario

Hi,

the correct line that you have to add on the roadwarrior side is

  leftsourceip=%config

which causes a virtual IP address to be requested from the gateway.

Regards

Andreas

On 07/30/2012 01:13 AM, Mao, Zhiheng wrote:
> Hi there,
> 
> I just started using strongSwan (strongswan-5.0.0.tar.gz
> <http://download.strongswan.org/strongswan-5.0.0.tar.gz>) and have
> tried a simple IPv4 IKEv2 Remote Access case, where the road warrior
> carol (at 10.46.212.196) and the gateway moon (at 10.41.73.71)
> established the VPN tunnel and moon assigned the virtual IP address
> 10.9.8.1 to carol. However, I checked carol's machine after the VPN
> tunnel was up, and I did not see 10.9.8.1 show up under the dev eth0.
> From carol, I could ping the other end of the VPN (10.9.8.7) and tcpdump
> showed ESP packets. But from moon, I could not ping the other end of
> the VPN (10.9.8.1).
> 
> To work around this (which I do not think is the right way), I had to
> add an extra line to carol's ipsec.conf in order to make the assigned
> virtual IP address show up for the dev eth0. Then I could ping both
> VPN ends from the other side, and tcpdump showed both in ESP packets.
> 
> Before adding the extra line to carol's ipsec.conf, I did see a
> suspicious log in carol's syslog:
> 
> Jul 29 14:33:22 as3-iwf118 charon: 06[IKE] CHILD_SA home{1} established with SPIs cffd2e36_i ca69b222_o and TS 10.46.212.196/32 === 10.9.8.0/24
> 
> After adding the extra line to carol's ipsec.conf, I did see a
> correct log in carol's syslog:
> 
> Jul 29 14:40:08 as3-iwf118 charon: 10[IKE] CHILD_SA home{1} established with SPIs c839f511_i c3456308_o and TS 10.9.8.1/32 === 10.9.8.0/24
> 
> The ipsec.conf files are shown below; the red line is the extra line I
> had to add. The logs shown below were taken before adding the extra
> line, in the failure situation.
> 
> Could someone please tell me what I am missing? How can I make moon
> assign and make carol take the virtual IP address instead of having
> carol specify the address it wants? Thanks a lot!
> 
> Regards,
> 
> Zhiheng Mao
> 
> ==================  ipsec.conf  for gateway moon ==================
> 
> config setup
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
> 
> conn rw-carol
>         left=10.41.73.71
>         leftsubnet=10.9.8.0/24
>         leftid=moon at strongswan.org
>         leftauth=psk
>         leftfirewall=yes
>         right=%any
>         rightid=*@strongswan.org
>         rightauth=psk
>         rightsourceip=10.9.8.1
>         auto=add
> 
> ==================  ipsec.conf  for rw carol ==================
> 
> config setup
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
> 
> conn home
>         left=10.46.212.196
>         leftid=carol at strongswan.org
>         leftauth=psk
>         leftfirewall=yes
>         leftsourceip=10.9.8.1   # without this line, this virtual address does not show up under the dev eth0. Why?
>         right=10.41.73.71
>         rightid=moon at strongswan.org
>         rightsubnet=10.9.8.0/24
>         rightauth=psk
>         auto=start
> 
> 
> ==================  moon's syslog ==================
> 
> Jul 29 15:44:24 sit-iwf charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 2.6.18-238.el5, x86_64)
> Jul 29 15:44:24 sit-iwf charon: 00[KNL] listening on interfaces:
> Jul 29 15:44:24 sit-iwf charon: 00[KNL]   eth0
> Jul 29 15:44:24 sit-iwf charon: 00[KNL]     10.41.73.71
> Jul 29 15:44:24 sit-iwf charon: 00[KNL]     10.41.73.79
> Jul 29 15:44:24 sit-iwf charon: 00[KNL]     2002:c023:9c17:21c::a29:4947
> Jul 29 15:44:25 sit-iwf charon: 00[KNL]     fe80::21b:78ff:fe75:3bd8
> Jul 29 15:44:25 sit-iwf charon: 00[KNL]   tun0
> Jul 29 15:44:25 sit-iwf charon: 00[KNL]     10.9.8.7
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loaded 0 RADIUS server configurations
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Jul 29 15:44:25 sit-iwf charon: 00[CFG]   loaded IKE secret for carol at strongswan.org
> Jul 29 15:44:25 sit-iwf charon: 00[CFG]   loaded IKE secret for moon at strongswan.org
> Jul 29 15:44:25 sit-iwf charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-aka eap-md5 eap-radius xauth-generic
> Jul 29 15:44:25 sit-iwf charon: 00[JOB] spawning 16 worker threads
> Jul 29 15:44:26 sit-iwf charon: 07[CFG] received stroke: add connection 'rw-carol'
> Jul 29 15:44:26 sit-iwf charon: 07[CFG] added configuration 'rw-carol'
> Jul 29 15:44:26 sit-iwf charon: 07[CFG] adding virtual IP address pool 'rw-carol': 10.9.8.1/32
> Jul 29 15:44:32 sit-iwf charon: 09[NET] received packet: from 10.46.212.196[500] to 10.41.73.71[500]
> Jul 29 15:44:32 sit-iwf charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 29 15:44:32 sit-iwf charon: 09[IKE] 10.46.212.196 is initiating an IKE_SA
> Jul 29 15:44:32 sit-iwf charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Jul 29 15:44:32 sit-iwf charon: 09[NET] sending packet: from 10.41.73.71[500] to 10.46.212.196[500]
> Jul 29 15:44:32 sit-iwf charon: 10[NET] received packet: from 10.46.212.196[4500] to 10.41.73.71[4500]
> Jul 29 15:44:32 sit-iwf charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Jul 29 15:44:32 sit-iwf charon: 10[CFG] looking for peer configs matching 10.41.73.71[moon at strongswan.org]...10.46.212.196[carol at strongswan.org]
> Jul 29 15:44:32 sit-iwf charon: 10[CFG] selected peer config 'rw-carol'
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] authentication of 'carol at strongswan.org' with pre-shared key successful
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] peer supports MOBIKE
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] authentication of 'moon at strongswan.org' (myself) with pre-shared key
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] IKE_SA rw-carol[1] established between 10.41.73.71[moon at strongswan.org]...10.46.212.196[carol at strongswan.org]
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] scheduling reauthentication in 3400s
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] maximum IKE_SA lifetime 3580s
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] CHILD_SA rw-carol{1} established with SPIs c0401f84_i c445a329_o and TS 10.9.8.0/24 === 10.46.212.196/32
> Jul 29 15:44:33 sit-iwf charon: 10[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
> Jul 29 15:44:33 sit-iwf charon: 10[NET] sending packet: from 10.41.73.71[4500] to 10.46.212.196[4500]
> 
> ==================  carol's eth0 before VPN setup, syslog during VPN setup, eth0 after VPN setup ==================
> 
> [zmao at as3-iwf118 sbin]$ /sbin/ip addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 78:e7:d1:ca:6f:b8 brd ff:ff:ff:ff:ff:ff
>     inet 10.46.212.196/27 brd 10.46.212.223 scope global eth0
>     inet6 2002:c023:9c17:21b::a2e:d4c4/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::7ae7:d1ff:feca:6fb8/64 scope link
>        valid_lft forever preferred_lft forever
> 3: sit0: <NOARP> mtu 1480 qdisc noop
>     link/sit 0.0.0.0 brd 0.0.0.0
> 442: ppp0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop qlen 3
>     link/ppp
> 
> Jul 29 15:44:32 as3-iwf118 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 2.6.18-238.el5, x86_64)
> Jul 29 15:44:32 as3-iwf118 charon: 00[KNL] listening on interfaces:
> Jul 29 15:44:32 as3-iwf118 charon: 00[KNL]   eth0
> Jul 29 15:44:32 as3-iwf118 charon: 00[KNL]     10.46.212.196
> Jul 29 15:44:32 as3-iwf118 charon: 00[KNL]     2002:c023:9c17:21b::a2e:d4c4
> Jul 29 15:44:32 as3-iwf118 charon: 00[KNL]     fe80::7ae7:d1ff:feca:6fb8
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG]   loaded IKE secret for carol at strongswan.org
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG]   loaded IKE secret for moon at strongswan.org
> Jul 29 15:44:32 as3-iwf118 charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
> Jul 29 15:44:32 as3-iwf118 charon: 00[JOB] spawning 16 worker threads
> Jul 29 15:44:32 as3-iwf118 charon: 05[CFG] received stroke: add connection 'home'
> Jul 29 15:44:32 as3-iwf118 charon: 05[CFG] added configuration 'home'
> Jul 29 15:44:32 as3-iwf118 charon: 07[CFG] received stroke: initiate 'home'
> Jul 29 15:44:32 as3-iwf118 charon: 07[IKE] initiating IKE_SA home[1] to 10.41.73.71
> Jul 29 15:44:32 as3-iwf118 charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 29 15:44:32 as3-iwf118 charon: 07[NET] sending packet: from 10.46.212.196[500] to 10.41.73.71[500]
> Jul 29 15:44:32 as3-iwf118 charon: 09[NET] received packet: from 10.41.73.71[500] to 10.46.212.196[500]
> Jul 29 15:44:32 as3-iwf118 charon: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Jul 29 15:44:32 as3-iwf118 charon: 09[IKE] authentication of 'carol at strongswan.org' (myself) with pre-shared key
> Jul 29 15:44:32 as3-iwf118 charon: 09[IKE] establishing CHILD_SA home
> Jul 29 15:44:32 as3-iwf118 charon: 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Jul 29 15:44:32 as3-iwf118 charon: 09[NET] sending packet: from 10.46.212.196[4500] to 10.41.73.71[4500]
> Jul 29 15:44:33 as3-iwf118 charon: 10[NET] received packet: from 10.41.73.71[4500] to 10.46.212.196[4500]
> Jul 29 15:44:33 as3-iwf118 charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] authentication of 'moon at strongswan.org' with pre-shared key successful
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] IKE_SA home[1] established between 10.46.212.196[carol at strongswan.org]...10.41.73.71[moon at strongswan.org]
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] scheduling reauthentication in 3386s
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] maximum IKE_SA lifetime 3566s
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] CHILD_SA home{1} established with SPIs c445a329_i c0401f84_o and TS 10.46.212.196/32 === 10.9.8.0/24
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] received AUTH_LIFETIME of 3400s, scheduling reauthentication in 3220s
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] peer supports MOBIKE
> 
> [zmao at as3-iwf118 sbin]$ /sbin/ip addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 78:e7:d1:ca:6f:b8 brd ff:ff:ff:ff:ff:ff
>     inet 10.46.212.196/27 brd 10.46.212.223 scope global eth0
>     inet6 2002:c023:9c17:21b::a2e:d4c4/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::7ae7:d1ff:feca:6fb8/64 scope link
>        valid_lft forever preferred_lft forever
> 3: sit0: <NOARP> mtu 1480 qdisc noop
>     link/sit 0.0.0.0 brd 0.0.0.0
> 442: ppp0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop qlen 3
>     link/ppp
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
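An added check, not part of this thread or of strongSwan itself: the two functions below tell the road warrior's two states apart from its charon CHILD_SA line (local TS equal to the physical address, versus a /32 taken from the gateway's virtual IP pool) and scan an ipsec.conf conn for the missing leftsourceip=%config that Andreas points to. The log lines and conf snippet are constructed from the ones quoted above; the pool is the 10.9.8.1/32 that moon's log reports.

```python
import ipaddress
import re

# Constructed sample inputs, modelled on the road warrior lines quoted in the thread.
BEFORE = ("Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] CHILD_SA home{1} established "
          "with SPIs c445a329_i c0401f84_o and TS 10.46.212.196/32 === 10.9.8.0/24")
AFTER = ("Jul 29 14:40:08 as3-iwf118 charon: 10[IKE] CHILD_SA home{1} established "
         "with SPIs c839f511_i c3456308_o and TS 10.9.8.1/32 === 10.9.8.0/24")
CONF = "conn home\n    left=10.46.212.196\n    rightsubnet=10.9.8.0/24\n    auto=start\n"

CHILD_SA_RE = re.compile(r"CHILD_SA (\S+) established with SPIs \w+_i \w+_o "
                         r"and TS (?P<local>\S+) === (?P<remote>\S+)")

def classify_local_ts(line, pool, physical_ip):
    """Classify the road warrior's local TS: a virtual IP from the pool, or its physical address."""
    m = CHILD_SA_RE.search(line)
    if not m:
        return "no-child-sa"
    local = ipaddress.ip_network(m.group("local"), strict=False)
    pool = ipaddress.ip_network(pool)
    if local.prefixlen == local.max_prefixlen and local.network_address in pool:
        return "virtual-ip"           # e.g. TS 10.9.8.1/32: the gateway assigned an address
    if ipaddress.ip_address(physical_ip) in local:
        return "physical-ip"          # e.g. TS 10.46.212.196/32: no virtual IP was requested
    return "unexpected"

def check_roadwarrior_conf(conf_text, conn_name):
    """Does the named conn in an ipsec.conf request a virtual IP from the gateway?"""
    current, settings = None, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and indentation
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
        elif current == conn_name and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key] = value
    src = settings.get("leftsourceip")
    if src is None:
        return "missing"      # add leftsourceip=%config so the gateway assigns the address
    if src == "%config":
        return "ok"
    return "hardcoded"        # a literal address pins the VIP instead of requesting one

if __name__ == "__main__":
    print(classify_local_ts(BEFORE, "10.9.8.1/32", "10.46.212.196"))   # physical-ip
    print(classify_local_ts(AFTER, "10.9.8.1/32", "10.46.212.196"))    # virtual-ip
    print(check_roadwarrior_conf(CONF, "home"))                         # missing
```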



