[strongSwan] Fwd: Multiple tunnels between same peer

Arun G Nair arungnair at gmail.com
Mon Nov 5 11:46:59 CET 2012


Hello,

   Let me try to explain the scenario first:

Right:
--------
  [PIX]        <env1_dmz>
(x.x.x.x)     <env1_trust>

  [PIX]        <env2_dmz>
(y.y.y.y)     <env2_trust>


Left:
------
[StrongSwan1]       <dmz>
   (a.a.a.a)

[StrongSwan2]       <trust>
    (b.b.b.b)

So the peer uses a Cisco PIX and has two environments behind it. Each
environment has a different public IP (x.x.x.x and y.y.y.y). In each
environment there are two networks (envX_dmz and envX_trust). I'm
using strongSwan to connect to these two peer environments. As our
environment has two different networks (dmz and trust), I have two
different servers running strongSwan, one for each network. I can connect
to both peer environments (env1 and env2) from either dmz or trust, but
not from both at the same time. dmz and trust on our side are not connected
by any means. Is there anything that I need to do in strongSwan to
make it work? Should I mark the packets? I believe this is due to
some issue on the peer end. I'm not an expert on Cisco, but if there
are any Cisco experts here, please let me know what needs to be done on
the PIX to get this working (assuming this is an ACL/routing issue at
the peer). The strongSwan config is provided below. The other box (dmz)
has a similar config.

------ ipsec.conf -----
config setup
        # strictcrlpolicy=yes
        # uniqueids = never
        # plutostart = no

# Defaults inherited by every conn below: IKEv1 with PSK authentication,
# 24h IKE SA lifetime, 1h IPsec SA lifetime, rekey 9 minutes before expiry.
conn %default
        ikelifetime=24h
        keylife=1h
        rekeymargin=9m
        keyingtries=%forever
        keyexchange=ikev1
        ike=3des-sha-modp1024
        esp=3des-sha
        authby=secret
        #dpdaction=restart
        #dpddelay=10s
        #dpdtimeout=60s

## env2 ##
# Shared settings for the env2 PIX (y.y.y.y); pulled in via also= below.
conn env2-common
        left=%defaultroute
        leftsubnet=10.208.191.0/24
        leftid=@trust
        #leftfirewall=yes
        right=y.y.y.y
        rightid=y.y.y.y

# One IPsec SA per remote network behind the env2 PIX.
conn env2-dmz
        also=env2-common
        rightsubnet=10.38.43.0/24
        auto=start

conn env2-trust
        also=env2-common
        rightsubnet=10.38.45.0/24
        auto=start

## env1 ##
# Shared settings for the env1 PIX (x.x.x.x); pulled in via also= below.
conn env1-common
        left=%defaultroute
        leftsubnet=10.208.191.0/24
        leftid=@trust
        #leftfirewall=yes
        right=x.x.x.x
        rightid=x.x.x.x

# One IPsec SA per remote network behind the env1 PIX.
conn env1-dmz
        also=env1-common
        rightsubnet=10.38.33.0/24
        auto=start

conn env1-trust
        also=env1-common
        rightsubnet=10.38.35.0/24
        auto=start

------ EOF -----


I've also attached the log from the server. I see some "integrity
check failed" errors in the logs. I would be glad if someone could throw
some light on the errors in the log. I also see some uniqueness
errors. I guess I should disable the uniqueness check in the config
(uniqueness=never).

Regards,
Arun G Nair
-------------- next part --------------
A non-text attachment was scrubbed...
Name: log.bz2
Type: application/x-bzip2
Size: 37077 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121105/45f3f084/attachment.bin>
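As an added illustration of the setting the post is considering (this is not part of Arun's message or the strongSwan project's own documentation), the fragment below shows the two changes a practitioner would try on the two strongSwan boxes: enabling `uniqueids=never` in `config setup` (the real option name for what the post calls "uniqueness=never"), so that a second IKE SA from a peer that is already connected is not torn down or replaced, and giving each box its own `leftid` so that the trust host and the dmz host present distinct identities to each PIX. The identity `@dmz` and the dmz host's local subnet are assumptions; the peer addresses and remote subnets are the ones from the post.

```conf
# Added example, not from the original post.
# Box 1 ("trust" host, b.b.b.b) - ipsec.conf

config setup
        # With uniqueids=never strongSwan does not treat a new IKE SA
        # from an already-connected identity as a duplicate to replace.
        uniqueids=never

conn %default
        keyexchange=ikev1
        ikelifetime=24h
        keylife=1h
        rekeymargin=9m
        keyingtries=%forever
        ike=3des-sha-modp1024
        esp=3des-sha
        authby=secret

conn env1-common
        left=%defaultroute
        leftsubnet=10.208.191.0/24
        leftid=@trust           # identity of the trust box
        right=x.x.x.x
        rightid=x.x.x.x

conn env1-dmz
        also=env1-common
        rightsubnet=10.38.33.0/24
        auto=start

conn env1-trust
        also=env1-common
        rightsubnet=10.38.35.0/24
        auto=start

# Box 2 ("dmz" host, a.a.a.a) - the same file, differing only in the
# lines below. <dmz-subnet> is a placeholder: the post does not give
# the dmz host's local network.

conn env1-common
        left=%defaultroute
        leftsubnet=<dmz-subnet>
        leftid=@dmz             # assumed: a distinct identity per box
        right=x.x.x.x
        rightid=x.x.x.x
```

The env2 conns (peer y.y.y.y, remote subnets 10.38.43.0/24 and 10.38.45.0/24) follow the same pattern on both boxes. After `ipsec reload` on each host, `ipsec statusall` should list the IKE SA and all child SAs for both boxes at the same time; if one box's SA still disappears when the other comes up, the remaining cause is on the PIX side, which must accept two separate peers for the same identity or, with distinct `leftid`s, hold a peer entry for each.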