[strongSwan] Fwd: static virtual ips with pool

Banio aau at mncarpenters.net
Tue Dec 17 18:23:36 CET 2013


It seems to me that strongswan is perhaps failing to find a virtual ip 
for the client because it's not finding a id match between the client 
and what it has in it's database, so I have tried using the cert as id, 
which is really what I want, but I am still getting: no virtual IP found 
for %any requested.

I added the addresses on the gateway like this: # strongswan pool 
--replace vpnclients --addresses addresses2.txt

cat addresses2.txt
172.16.44.15=C=US,ST=IL,L=Chicago,O=Company,OU=test,CN=test4.domain.com
172.16.44.14=C=US,ST=IL,L=Chicago,O=Company,OU=test,CN=test5.domain.com

gateway ipsec.conf:
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
     charondebug="ike 2, knl 3, cfg 0"

conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev2

conn aosclient
     left=%defaultroute
     leftcert=vpngateway3.domain.com_cert.pem
     leftid=@vpngateway3.domain.com
     leftfirewall=yes
     leftsubnet=172.16.40.0/22
     right=%any
     rightsourceip=%vpnclients
     auto=route


gateway log:

Dec 17 10:05:21 15[NET] received packet: from 96.116.65.100[500] to 
172.16.42.10[500] (832 bytes)
Dec 17 10:05:21 15[IKE] 96.116.65.100 is initiating an IKE_SA
Dec 17 10:05:21 15[IKE] local host is behind NAT, sending keep alives
Dec 17 10:05:21 15[IKE] remote host is behind NAT
Dec 17 10:05:21 15[IKE] sending cert request for "C=US, ST=IL, 
O=Company, OU=Platform IT, CN=MY CA"
Dec 17 10:05:21 15[NET] sending packet: from 172.16.42.10[500] to 
96.116.65.100[500] (465 bytes)
Dec 17 10:05:22 16[NET] received packet: from 96.116.65.100[4500] to 
172.16.42.10[4500] (1868 bytes)
Dec 17 10:05:22 16[IKE] received cert request for "C=US, ST=IL, 
O=Company, OU=Platform IT, CN=MY CA"
Dec 17 10:05:22 16[IKE] received end entity cert "C=US, ST=IL, 
L=Chicago, O=Company, OU=test, CN=test4.domain.com"
Dec 17 10:05:22 16[IKE] authentication of 'C=US, ST=IL, L=Chicago, 
O=Company, OU=test, CN=test4.domain.com' with RSA signature successful
Dec 17 10:05:22 16[IKE] peer supports MOBIKE
Dec 17 10:05:22 16[IKE] authentication of 'vpngateway3.domain.com' 
(myself) with RSA signature successful
Dec 17 10:05:22 16[IKE] IKE_SA aosclient[2] established between 
172.16.42.10[vpngateway3.domain.com]...96.116.65.100[C=US, ST=IL, 
L=Chicago, O=Company, OU=test, CN=test4.domain.com]
Dec 17 10:05:22 16[IKE] scheduling reauthentication in 3397s
Dec 17 10:05:22 16[IKE] maximum IKE_SA lifetime 3577s
Dec 17 10:05:22 16[IKE] sending end entity cert "C=US, ST=IL, L=Chicago, 
O=Company, OU=vpn_gateway, CN=vpngateway3.domain.com"
Dec 17 10:05:22 16[IKE] peer requested virtual IP %any
Dec 17 10:05:22 16[IKE] no virtual IP found for %any requested by 'C=US, 
ST=IL, L=Chicago, O=Company, OU=test, CN=test4.domain.com'
Dec 17 10:05:22 16[IKE] no virtual IP found, sending 
INTERNAL_ADDRESS_FAILURE
Dec 17 10:05:22 16[IKE] configuration payload negotiation failed, no 
CHILD_SA built
Dec 17 10:05:22 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Dec 17 10:05:22 16[NET] sending packet: from 172.16.42.10[4500] to 
96.116.65.100[4500] (1484 bytes)

client log:

Dec 17 11:13:35 14[IKE] initiating IKE_SA aosclient[1] to 176.23.75.135
Dec 17 11:13:35 14[NET] sending packet: from 192.168.1.38[500] to 
176.23.75.135[500]
Dec 17 11:13:35 15[NET] received packet: from 176.23.75.135[500] to 
192.168.1.38[500]
Dec 17 11:13:35 15[IKE] local host is behind NAT, sending keep alives
Dec 17 11:13:35 15[IKE] remote host is behind NAT
Dec 17 11:13:35 15[IKE] received cert request for "C=US, ST=IL, 
O=Company, OU=Platform IT, CN=MY CA"
Dec 17 11:13:35 15[IKE] sending cert request for "C=US, ST=IL, 
O=Company, OU=Platform IT, CN=MY CA"
Dec 17 11:13:35 15[IKE] authentication of 'C=US, ST=IL, L=Chicago, 
O=Company, OU=test, CN=test4.domain.com' (myself) with RSA signature 
successful
Dec 17 11:13:35 15[IKE] sending end entity cert "C=US, ST=IL, L=Chicago, 
O=Company, OU=test, CN=test4.domain.com"
Dec 17 11:13:35 15[IKE] establishing CHILD_SA aosclient
Dec 17 11:13:35 15[KNL] getting SPI for reqid {1}
Dec 17 11:13:35 15[KNL] sending XFRM_MSG_ALLOCSPI: => 248 bytes @ 
0x7fd725093770
Dec 17 11:13:35 15[KNL]    0: F8 00 00 00 16 00 01 00 C9 00 00 00 0B 5B 
00 00  .............[..
Dec 17 11:13:35 15[KNL]   16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00  ................
Dec 17 11:13:35 15[KNL]   32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00  ................
Dec 17 11:13:35 15[KNL]   48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00  ................
Dec 17 11:13:35 15[KNL]   64: 00 00 00 00 00 00 00 00 C0 A8 01 26 00 00 
00 00  ...........&....
Dec 17 11:13:35 15[KNL]   80: 00 00 00 00 00 00 00 00 00 00 00 00 32 00 
00 00  ............2...
Dec 17 11:13:35 15[KNL]   96: 36 D0 F1 C2 00 00 00 00 00 00 00 00 00 00 
00 00  6...............
Dec 17 11:13:35 15[KNL]  112: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00  ................
Dec 17 11:13:35 15[KNL]  128: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00  ................
Dec 17 11:13:35 15[KNL]  144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00  ................
Dec 17 11:13:35 15[KNL]  160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00  ................
Dec 17 11:13:35 15[KNL]  176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00  ................
Dec 17 11:13:35 15[KNL]  192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00  ................
Dec 17 11:13:35 15[KNL]  208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00  ................
Dec 17 11:13:35 15[KNL]  224: 01 00 00 00 02 00 01 00 00 00 00 00 00 00 
00 00  ................
Dec 17 11:13:35 15[KNL]  240: 00 00 00 C0 FF FF FF 
CF                          ........
Dec 17 11:13:35 15[KNL] got SPI c50e4550 for reqid {1}
Dec 17 11:13:35 15[NET] sending packet: from 192.168.1.38[4500] to 
176.23.75.135[4500]


gateway statusall
# strongswan statusall
Status of IKE charon daemon (strongSwan 5.0.4, Linux 
2.6.32-431.el6.x86_64, x86_64):
   uptime: 80 seconds, since Dec 17 10:19:21 2013
   malloc: sbrk 540672, mmap 0, used 442912, free 97760
   worker threads: 6 of 16 idle, 9/1/0/0 working, job queue: 0/0/0/0, 
scheduled: 3
   loaded plugins: charon curl sqlite aes des sha1 sha2 md4 md5 random 
nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem 
openssl fips-prf gmp xcbc cmac hmac attr attr-sql kernel-netlink resolve 
socket-default farp stroke updown eap-identity eap-md5 eap-gtc 
eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic 
xauth-eap tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp
Listening IP addresses:
   172.16.42.10
Connections:
    aosclient:  %any...%any  IKEv2
    aosclient:   local:  [vpngateway3.domain.com] uses public key 
authentication
    aosclient:    cert:  "C=US, ST=IL, L=Chicago, O=Company, 
OU=vpn_gateway, CN=vpngateway3.domain.com"
    aosclient:   remote: uses public key authentication
    aosclient:   child:  172.16.40.0/22 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
    aosclient[1]: ESTABLISHED 60 seconds ago, 
172.16.42.10[vpngateway3.domain.com]...96.116.65.100[C=US, ST=IL, 
L=Chicago, O=Company, OU=test, CN=test4.domain.com]
    aosclient[1]: IKEv2 SPIs: a864f84b3127c8ac_i d828b50f563f6829_r*, 
public key reauthentication in 54 minutes
    aosclient[1]: IKE proposal: 
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048



-------- Original Message --------
Subject: 	static virtual ips with pool
Date: 	Mon, 09 Dec 2013 14:52:32 -0600
From: 	Banio <aau at mncarpenters.net>
To: 	users at lists.strongswan.org



Hello I'm trying to get static virtual ips with pool working, but I'm
running into issues.  I'm getting: no virtual IP found for %any requested.

I added the addresses on the gateway like this:
# strongswan pool --replace vpnclients --addresses addresses2.txt

addresses2.txt:

172.16.44.1=quique.domain.com
172.16.44.2=eripley.domain.com

gateway ipsec.conf:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
     charondebug="ike 2, knl 3, cfg 0"

conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev2

conn aosclient
     left=%defaultroute
     leftcert=vpngateway3.domain.com_cert.pem
     leftid=@vpngateway3.domain.com
     leftfirewall=yes
     leftsubnet=172.16.40.0/22
     right=%any
     rightsourceip=%vpnclients
     auto=route

client ipsec.conf:

# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
         crlcheckinterval=180
     strictcrlpolicy=no
     plutostart=no

conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev2

conn aosclient
     left=%defaultroute
     leftcert=quique.domain.com_cert.pem
     leftfirewall=yes
     leftid=@quique.domain.com
     leftsourceip=%config
     right=vpngateway3.domain.com
     rightid=@vpngateway3.domain.com
     rightsubnet=172.16.40.0/22
     auto=add

client log:

# ipsec up aosclient
initiating IKE_SA aosclient[1] to 176.23.75.135
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.38[500] to 176.23.75.135[500]
received packet: from 176.23.75.135[500] to 192.168.1.38[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
received cert request for "C=US, ST=IL, O=Company, OU=Platform IT, CN=MY CA"
sending cert request for "C=US, ST=IL, O=Company, OU=Platform IT, CN=MY CA"
authentication of 'quique.domain.com' (myself) with RSA signature successful
sending end entity cert "C=US, ST=IL, L=Chicago, O=Company, OU=Platform
IT, CN=quique.domain.com"
establishing CHILD_SA aosclient
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
AUTH CP(ADDR DNS DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.38[4500] to 176.23.75.135[4500]
received packet: from 176.23.75.135[4500] to 192.168.1.38[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP)
N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
received end entity cert "C=US, ST=IL, L=Chicago, O=Company,
OU=vpn_gateway, CN=vpngateway3.domain.com"
   using certificate "C=US, ST=IL, L=Chicago, O=Company, OU=vpn_gateway,
CN=vpngateway3.domain.com"
   using trusted ca certificate "C=US, ST=IL, O=Company, OU=Platform IT,
CN=MY CA"
checking certificate status of "C=US, ST=IL, L=Chicago, O=Company,
OU=vpn_gateway, CN=vpngateway3.domain.com"
certificate status is not available
   reached self-signed root ca with a path length of 0
authentication of 'vpngateway3.domain.com' with RSA signature successful
IKE_SA aosclient[1] established between
192.168.1.38[quique.domain.com]...176.23.75.135[vpngateway3.domain.com]
scheduling reauthentication in 3399s
maximum IKE_SA lifetime 3579s
received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built


server log:

Dec  9 10:23:42 15[NET] received packet: from 96.116.65.100[500] to
172.16.42.10[500] (832 bytes)
Dec  9 10:23:42 15[IKE] 96.116.65.100 is initiating an IKE_SA
Dec  9 10:23:42 15[IKE] local host is behind NAT, sending keep alives
Dec  9 10:23:42 15[IKE] remote host is behind NAT
Dec  9 10:23:42 15[IKE] sending cert request for "C=US, ST=IL,
O=Company, OU=Platform IT, CN=Company CA"
Dec  9 10:23:42 15[NET] sending packet: from 172.16.42.10[500] to
96.116.65.100[500] (465 bytes)
Dec  9 10:23:42 16[NET] received packet: from 96.116.65.100[4500] to
172.16.42.10[4500] (1788 bytes)
Dec  9 10:23:42 16[IKE] received cert request for "C=US, ST=IL,
O=Company, OU=Platform IT, CN=Company CA"
Dec  9 10:23:42 16[IKE] received end entity cert "C=US, ST=IL,
L=Chicago, O=Company, OU=Platform IT, CN=quique.domain.com"
Dec  9 10:23:42 16[IKE] authentication of 'quique.domain.com' with RSA
signature successful
Dec  9 10:23:42 16[IKE] peer supports MOBIKE
Dec  9 10:23:42 16[IKE] authentication of 'vpngateway3.domain.com'
(myself) with RSA signature successful
Dec  9 10:23:42 16[IKE] IKE_SA aosclient[1] established between
172.16.42.10[vpngateway3.domain.com]...96.116.65.100[quique.domain.com]
Dec  9 10:23:42 16[IKE] scheduling reauthentication in 3249s
Dec  9 10:23:42 16[IKE] maximum IKE_SA lifetime 3429s
Dec  9 10:23:42 16[IKE] sending end entity cert "C=US, ST=IL, L=Chicago,
O=Company, OU=vpn_gateway, CN=vpngateway3.domain.com"
Dec  9 10:23:42 16[IKE] peer requested virtual IP %any
Dec  9 10:23:42 16[IKE] no virtual IP found for %any requested by
'quique.domain.com'
Dec  9 10:23:42 16[IKE] no virtual IP found, sending
INTERNAL_ADDRESS_FAILURE
Dec  9 10:23:42 16[IKE] configuration payload negotiation failed, no
CHILD_SA built
Dec  9 10:23:42 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Dec  9 10:23:42 16[NET] sending packet: from 172.16.42.10[4500] to
96.116.65.100[4500] (1484 bytes)
Dec  9 10:24:02 01[IKE] sending keep alive to 96.116.65.100[4500]


Any help would be appreciated. Let me know if more info is needed.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20131217/5dd0e259/attachment.html>


More information about the Users mailing list