[strongSwan] question to the IPv4 IKEv2 Remote Access senario
Mao, Zhiheng
zmao at qualcomm.com
Mon Jul 30 07:57:15 CEST 2012
Hi Andreas,
That works! Thanks a lot for the help!
Regards,
Zhiheng
-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: Sunday, July 29, 2012 9:16 PM
To: Mao, Zhiheng
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] question to the IPv4 IKEv2 Remote Access senario
Hi,
the correct line that you have to add on the roadwarrior side is
leftsourceip=%config
which causes a virtual IP address to be requested from the gateway.
Regards
Andreas
On 07/30/2012 01:13 AM, Mao, Zhiheng wrote:
> Hi there,
>
>
>
> I just started using the strongswan (strongswan-5.0.0.tar.gz
> <http://download.strongswan.org/strongswan-5.0.0.tar.gz>) and have
> tried a simple IPv4 IKEv2 Remote Access case, where the road warrior
> carol (at
> 10.46.212.196) and the gateway moon (at 10.41.73.71) established the
> VPN tunnel and moon assigned the virtual IP addr 10.9.8.1 to carol.
> However, I checked the carol's machine after the VPN tunnel was up,
> and I did not see the 10.9.8.1 shown up under the dev eth0. From
> carol, I could ping the other end of the VPN (10.9.8.7) and tcpdump
> showed ESP packets. But from moon, I could not ping the other end of the VPN (10.9.8.1).
>
>
>
> To work around (which I do not think is the right way), I had to add
> an extra line to the carol's ipsec.conf in order to make the assigned
> virtual IP address show up for the dev eth0. Then I could ping both
> VPN ends from the other side, and the tcpdump showed both in ESP packets.
>
>
>
> Before adding the extra line to the carol's ipsec.conf, I did see a
> suspicious log in carol's syslog:
>
> Jul 29 14:33:22 as3-iwf118 charon: 06[IKE] CHILD_SA home{1}
> established with SPIs cffd2e36_i ca69b222_o and TS 10.46.212.196/32
> === 10.9.8.0/24
>
>
>
> After adding the extra line to the carol's ipsec.conf, I did see a
> correct log in carol's syslog:
>
> Jul 29 14:40:08 as3-iwf118 charon: 10[IKE] CHILD_SA home{1}
> established with SPIs c839f511_i c3456308_o and TS 10.9.8.1/32 ===
> 10.9.8.0/24
>
>
>
> The ipsec.conf files are shown below, the red line is the extra line I
> had to add. The logs shown below were before adding the extra line in
> the failure situation.
>
>
>
> Could someone please tell me what I am missing? How can I make moon
> assign and make carol take the virtual IP address instead of having
> carol specifying the address it wants? Thanks a lot!
>
>
>
> Regards,
>
> Zhiheng Mao
>
>
>
> ================== ipsec.conf for gateway moon ==================
>
> config setup
>
>
>
> conn %default
>
> ikelifetime=60m
>
> keylife=20m
>
> rekeymargin=3m
>
> keyingtries=1
>
> keyexchange=ikev2
>
>
>
> conn rw-carol
>
> left=10.41.73.71
>
> leftsubnet=10.9.8.0/24
>
> leftid=moon at strongswan.org <mailto:leftid=moon at strongswan.org>
>
> leftauth=psk
>
> leftfirewall=yes
>
> right=%any
>
> rightid=*@strongswan.org <mailto:rightid=*@strongswan.org>
>
> rightauth=psk
>
> rightsourceip=10.9.8.1
>
> auto=add
>
>
>
> ================== ipsec.conf for rw carol ==================
>
> config setup
>
>
>
> conn %default
>
> ikelifetime=60m
>
> keylife=20m
>
> rekeymargin=3m
>
> keyingtries=1
>
> keyexchange=ikev2
>
>
>
> conn home
>
> left=10.46.212.196
>
> leftid=carol at strongswan.org
> <mailto:leftid=carol at strongswan.org>
>
> leftauth=psk
>
> leftfirewall=yes
>
> leftsourceip=10.9.8.1 # without this line, this virtual
> address does not show up under the dev eth0. Why?
>
> right=10.41.73.71
>
> rightid=moon at strongswan.org
> <mailto:rightid=moon at strongswan.org>
>
> rightsubnet=10.9.8.0/24
>
> rightauth=psk
>
> auto=start
>
>
>
> ================== moon's syslog ==================
>
> Jul 29 15:44:24 sit-iwf charon: 00[DMN] Starting IKE charon daemon
> (strongSwan 5.0.0, Linux 2.6.18-238.el5, x86_64)
>
> Jul 29 15:44:24 sit-iwf charon: 00[KNL] listening on interfaces:
>
> Jul 29 15:44:24 sit-iwf charon: 00[KNL] eth0
>
> Jul 29 15:44:24 sit-iwf charon: 00[KNL] 10.41.73.71
>
> Jul 29 15:44:24 sit-iwf charon: 00[KNL] 10.41.73.79
>
> Jul 29 15:44:24 sit-iwf charon: 00[KNL] 2002:c023:9c17:21c::a29:4947
>
> Jul 29 15:44:25 sit-iwf charon: 00[KNL] fe80::21b:78ff:fe75:3bd8
>
> Jul 29 15:44:25 sit-iwf charon: 00[KNL] tun0
>
> Jul 29 15:44:25 sit-iwf charon: 00[KNL] 10.9.8.7
>
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loaded 0 RADIUS server
> configurations
>
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading ca certificates from
> '/usr/local/etc/ipsec.d/cacerts'
>
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading aa certificates from
> '/usr/local/etc/ipsec.d/aacerts'
>
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading ocsp signer
> certificates from '/usr/local/etc/ipsec.d/ocspcerts'
>
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading attribute certificates
> from '/usr/local/etc/ipsec.d/acerts'
>
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading crls from
> '/usr/local/etc/ipsec.d/crls'
>
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading secrets from
> '/usr/local/etc/ipsec.secrets'
>
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loaded IKE secret for
> carol at strongswan.org <mailto:carol at strongswan.org>
>
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loaded IKE secret for
> moon at strongswan.org <mailto:moon at strongswan.org>
>
> Jul 29 15:44:25 sit-iwf charon: 00[DMN] loaded plugins: charon aes des
> sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1
> pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink
> resolve socket-default stroke updown eap-aka eap-md5 eap-radius
> xauth-generic
>
> Jul 29 15:44:25 sit-iwf charon: 00[JOB] spawning 16 worker threads
>
> Jul 29 15:44:26 sit-iwf charon: 07[CFG] received stroke: add
> connection 'rw-carol'
>
> Jul 29 15:44:26 sit-iwf charon: 07[CFG] added configuration 'rw-carol'
>
> Jul 29 15:44:26 sit-iwf charon: 07[CFG] adding virtual IP address pool
> 'rw-carol': 10.9.8.1/32
>
> Jul 29 15:44:32 sit-iwf charon: 09[NET] received packet: from
> 10.46.212.196[500] to 10.41.73.71[500]
>
> Jul 29 15:44:32 sit-iwf charon: 09[ENC] parsed IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>
> Jul 29 15:44:32 sit-iwf charon: 09[IKE] 10.46.212.196 is initiating an
> IKE_SA
>
> Jul 29 15:44:32 sit-iwf charon: 09[ENC] generating IKE_SA_INIT
> response
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>
> Jul 29 15:44:32 sit-iwf charon: 09[NET] sending packet: from
> 10.41.73.71[500] to 10.46.212.196[500]
>
> Jul 29 15:44:32 sit-iwf charon: 10[NET] received packet: from
> 10.46.212.196[4500] to 10.41.73.71[4500]
>
> Jul 29 15:44:32 sit-iwf charon: 10[ENC] parsed IKE_AUTH request 1 [
> IDi
> N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR)
> N(MULT_AUTH) N(EAP_ONLY) ]
>
> Jul 29 15:44:32 sit-iwf charon: 10[CFG] looking for peer configs
> matching
> 10.41.73.71[moon at strongswan.org]...10.46.212.196[carol at strongswan.org]
>
> Jul 29 15:44:32 sit-iwf charon: 10[CFG] selected peer config 'rw-carol'
>
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] authentication of
> 'carol at strongswan.org' with pre-shared key successful
>
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] peer supports MOBIKE
>
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] authentication of
> 'moon at strongswan.org' (myself) with pre-shared key
>
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] IKE_SA rw-carol[1] established
> between 10.41.73.71[moon at strongswan.o
> rg]...10.46.212.196[carol at strongswan.org]
>
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] scheduling reauthentication in
> 3400s
>
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] maximum IKE_SA lifetime 3580s
>
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] CHILD_SA rw-carol{1}
> established with SPIs c0401f84_i c445a329_o and TS 10.9.8.0/24 ===
> 10.46.212.196/32
>
> Jul 29 15:44:33 sit-iwf charon: 10[ENC] generating IKE_AUTH response 1
> [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR)
> N(ADD_4_ADDR) N(ADD_6_ADDR) ]
>
> Jul 29 15:44:33 sit-iwf charon: 10[NET] sending packet: from
> 10.41.73.71[4500] to 10.46.212.196[4500]
>
>
>
> ================== carol's eth0 before VPN setup, syslog during VPN
> setup, eth0 after VPN setup ==================
>
> [zmao at as3-iwf118 sbin]$ /sbin/ip addr
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
>
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>
> inet 127.0.0.1/8 scope host lo
>
> inet6 ::1/128 scope host
>
> valid_lft forever preferred_lft forever
>
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> qlen 1000
>
> link/ether 78:e7:d1:ca:6f:b8 brd ff:ff:ff:ff:ff:ff
>
> inet 10.46.212.196/27 brd 10.46.212.223 scope global eth0
>
> inet6 2002:c023:9c17:21b::a2e:d4c4/64 scope global
>
> valid_lft forever preferred_lft forever
>
> inet6 fe80::7ae7:d1ff:feca:6fb8/64 scope link
>
> valid_lft forever preferred_lft forever
>
> 3: sit0: <NOARP> mtu 1480 qdisc noop
>
> link/sit 0.0.0.0 brd 0.0.0.0
>
> 442: ppp0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop qlen 3
>
> link/ppp
>
>
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[DMN] Starting IKE charon daemon
> (strongSwan 5.0.0, Linux 2.6.18-238.el5, x86_64)
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[KNL] listening on interfaces:
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[KNL] eth0
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[KNL] 10.46.212.196
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[KNL] 2002:c023:9c17:21b::a2e:d4c4
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[KNL] fe80::7ae7:d1ff:feca:6fb8
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading ca certificates
> from '/usr/local/etc/ipsec.d/cacerts'
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading aa certificates
> from '/usr/local/etc/ipsec.d/aacerts'
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading ocsp signer
> certificates from '/usr/local/etc/ipsec.d/ocspcerts'
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading attribute
> certificates from '/usr/local/etc/ipsec.d/acerts'
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading crls from
> '/usr/local/etc/ipsec.d/crls'
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading secrets from
> '/usr/local/etc/ipsec.secrets'
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loaded IKE secret for
> carol at strongswan.org <mailto:carol at strongswan.org>
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loaded IKE secret for
> moon at strongswan.org <mailto:moon at strongswan.org>
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[DMN] loaded plugins: charon aes
> des sha1 sha2 md5 random nonce x509 revocation constraints pubkey
> pkcs1
> pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink
> resolve socket-default stroke updown xauth-generic
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[JOB] spawning 16 worker threads
>
> Jul 29 15:44:32 as3-iwf118 charon: 05[CFG] received stroke: add
> connection 'home'
>
> Jul 29 15:44:32 as3-iwf118 charon: 05[CFG] added configuration 'home'
>
> Jul 29 15:44:32 as3-iwf118 charon: 07[CFG] received stroke: initiate 'home'
>
> Jul 29 15:44:32 as3-iwf118 charon: 07[IKE] initiating IKE_SA home[1]
> to
> 10.41.73.71
>
> Jul 29 15:44:32 as3-iwf118 charon: 07[ENC] generating IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>
> Jul 29 15:44:32 as3-iwf118 charon: 07[NET] sending packet: from
> 10.46.212.196[500] to 10.41.73.71[500]
>
> Jul 29 15:44:32 as3-iwf118 charon: 09[NET] received packet: from
> 10.41.73.71[500] to 10.46.212.196[500]
>
> Jul 29 15:44:32 as3-iwf118 charon: 09[ENC] parsed IKE_SA_INIT response
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>
> Jul 29 15:44:32 as3-iwf118 charon: 09[IKE] authentication of
> 'carol at strongswan.org' (myself) with pre-shared key
>
> Jul 29 15:44:32 as3-iwf118 charon: 09[IKE] establishing CHILD_SA home
>
> Jul 29 15:44:32 as3-iwf118 charon: 09[ENC] generating IKE_AUTH request
> 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP)
> N(ADD_6_ADDR)
> N(MULT_AUTH) N(EAP_ONLY) ]
>
> Jul 29 15:44:32 as3-iwf118 charon: 09[NET] sending packet: from
> 10.46.212.196[4500] to 10.41.73.71[4500]
>
> Jul 29 15:44:33 as3-iwf118 charon: 10[NET] received packet: from
> 10.41.73.71[4500] to 10.46.212.196[4500]
>
> Jul 29 15:44:33 as3-iwf118 charon: 10[ENC] parsed IKE_AUTH response 1
> [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR)
> N(ADD_4_ADDR) N(ADD_6_ADDR) ]
>
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] authentication of
> 'moon at strongswan.org' with pre-shared key successful
>
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] IKE_SA home[1] established
> between 10.46.212.196[carol at strongswan
> .org]...10.41.73.71[moon at strongswan.org]
>
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] scheduling reauthentication
> in 3386s
>
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] maximum IKE_SA lifetime
> 3566s
>
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] CHILD_SA home{1}
> established with SPIs c445a329_i c0401f84_o and TS 10.46.212.196/32
> === 10.9.8.0/24
>
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] received AUTH_LIFETIME of
> 3400s, scheduling reauthentication in 3220s
>
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] peer supports MOBIKE
>
>
>
> [zmao at as3-iwf118 sbin]$ /sbin/ip addr
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
>
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>
> inet 127.0.0.1/8 scope host lo
>
> inet6 ::1/128 scope host
>
> valid_lft forever preferred_lft forever
>
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> qlen 1000
>
> link/ether 78:e7:d1:ca:6f:b8 brd ff:ff:ff:ff:ff:ff
>
> inet 10.46.212.196/27 brd 10.46.212.223 scope global eth0
>
> inet6 2002:c023:9c17:21b::a2e:d4c4/64 scope global
>
> valid_lft forever preferred_lft forever
>
> inet6 fe80::7ae7:d1ff:feca:6fb8/64 scope link
>
> valid_lft forever preferred_lft forever
>
> 3: sit0: <NOARP> mtu 1480 qdisc noop
>
> link/sit 0.0.0.0 brd 0.0.0.0
>
> 442: ppp0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop qlen 3
>
> link/ppp
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Users
mailing list