[strongSwan] Fwd: static virtual ips with pool
Banio
aau at mncarpenters.net
Tue Dec 17 18:23:36 CET 2013
It seems to me that strongSwan is perhaps failing to find a virtual IP
for the client because it's not finding an ID match between the client
and what it has in its database, so I have tried using the cert as ID,
which is really what I want, but I am still getting: no virtual IP found
for %any requested.
I added the addresses on the gateway like this:
# strongswan pool --replace vpnclients --addresses addresses2.txt
addresses2.txt:
172.16.44.15=C=US,ST=IL,L=Chicago,O=Company,OU=test,CN=test4.domain.com
172.16.44.14=C=US,ST=IL,L=Chicago,O=Company,OU=test,CN=test5.domain.com
gateway ipsec.conf:
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="ike 2, knl 3, cfg 0"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn aosclient
left=%defaultroute
leftcert=vpngateway3.domain.com_cert.pem
leftid=@vpngateway3.domain.com
leftfirewall=yes
leftsubnet=172.16.40.0/22
right=%any
rightsourceip=%vpnclients
auto=route
gateway log:
Dec 17 10:05:21 15[NET] received packet: from 96.116.65.100[500] to
172.16.42.10[500] (832 bytes)
Dec 17 10:05:21 15[IKE] 96.116.65.100 is initiating an IKE_SA
Dec 17 10:05:21 15[IKE] local host is behind NAT, sending keep alives
Dec 17 10:05:21 15[IKE] remote host is behind NAT
Dec 17 10:05:21 15[IKE] sending cert request for "C=US, ST=IL,
O=Company, OU=Platform IT, CN=MY CA"
Dec 17 10:05:21 15[NET] sending packet: from 172.16.42.10[500] to
96.116.65.100[500] (465 bytes)
Dec 17 10:05:22 16[NET] received packet: from 96.116.65.100[4500] to
172.16.42.10[4500] (1868 bytes)
Dec 17 10:05:22 16[IKE] received cert request for "C=US, ST=IL,
O=Company, OU=Platform IT, CN=MY CA"
Dec 17 10:05:22 16[IKE] received end entity cert "C=US, ST=IL,
L=Chicago, O=Company, OU=test, CN=test4.domain.com"
Dec 17 10:05:22 16[IKE] authentication of 'C=US, ST=IL, L=Chicago,
O=Company, OU=test, CN=test4.domain.com' with RSA signature successful
Dec 17 10:05:22 16[IKE] peer supports MOBIKE
Dec 17 10:05:22 16[IKE] authentication of 'vpngateway3.domain.com'
(myself) with RSA signature successful
Dec 17 10:05:22 16[IKE] IKE_SA aosclient[2] established between
172.16.42.10[vpngateway3.domain.com]...96.116.65.100[C=US, ST=IL,
L=Chicago, O=Company, OU=test, CN=test4.domain.com]
Dec 17 10:05:22 16[IKE] scheduling reauthentication in 3397s
Dec 17 10:05:22 16[IKE] maximum IKE_SA lifetime 3577s
Dec 17 10:05:22 16[IKE] sending end entity cert "C=US, ST=IL, L=Chicago,
O=Company, OU=vpn_gateway, CN=vpngateway3.domain.com"
Dec 17 10:05:22 16[IKE] peer requested virtual IP %any
Dec 17 10:05:22 16[IKE] no virtual IP found for %any requested by 'C=US,
ST=IL, L=Chicago, O=Company, OU=test, CN=test4.domain.com'
Dec 17 10:05:22 16[IKE] no virtual IP found, sending
INTERNAL_ADDRESS_FAILURE
Dec 17 10:05:22 16[IKE] configuration payload negotiation failed, no
CHILD_SA built
Dec 17 10:05:22 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Dec 17 10:05:22 16[NET] sending packet: from 172.16.42.10[4500] to
96.116.65.100[4500] (1484 bytes)
client log:
Dec 17 11:13:35 14[IKE] initiating IKE_SA aosclient[1] to 176.23.75.135
Dec 17 11:13:35 14[NET] sending packet: from 192.168.1.38[500] to
176.23.75.135[500]
Dec 17 11:13:35 15[NET] received packet: from 176.23.75.135[500] to
192.168.1.38[500]
Dec 17 11:13:35 15[IKE] local host is behind NAT, sending keep alives
Dec 17 11:13:35 15[IKE] remote host is behind NAT
Dec 17 11:13:35 15[IKE] received cert request for "C=US, ST=IL,
O=Company, OU=Platform IT, CN=MY CA"
Dec 17 11:13:35 15[IKE] sending cert request for "C=US, ST=IL,
O=Company, OU=Platform IT, CN=MY CA"
Dec 17 11:13:35 15[IKE] authentication of 'C=US, ST=IL, L=Chicago,
O=Company, OU=test, CN=test4.domain.com' (myself) with RSA signature
successful
Dec 17 11:13:35 15[IKE] sending end entity cert "C=US, ST=IL, L=Chicago,
O=Company, OU=test, CN=test4.domain.com"
Dec 17 11:13:35 15[IKE] establishing CHILD_SA aosclient
Dec 17 11:13:35 15[KNL] getting SPI for reqid {1}
Dec 17 11:13:35 15[KNL] sending XFRM_MSG_ALLOCSPI: => 248 bytes @
0x7fd725093770
Dec 17 11:13:35 15[KNL] 0: F8 00 00 00 16 00 01 00 C9 00 00 00 0B 5B
00 00 .............[..
Dec 17 11:13:35 15[KNL] 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 ................
Dec 17 11:13:35 15[KNL] 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 ................
Dec 17 11:13:35 15[KNL] 48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 ................
Dec 17 11:13:35 15[KNL] 64: 00 00 00 00 00 00 00 00 C0 A8 01 26 00 00
00 00 ...........&....
Dec 17 11:13:35 15[KNL] 80: 00 00 00 00 00 00 00 00 00 00 00 00 32 00
00 00 ............2...
Dec 17 11:13:35 15[KNL] 96: 36 D0 F1 C2 00 00 00 00 00 00 00 00 00 00
00 00 6...............
Dec 17 11:13:35 15[KNL] 112: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 ................
Dec 17 11:13:35 15[KNL] 128: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 ................
Dec 17 11:13:35 15[KNL] 144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 ................
Dec 17 11:13:35 15[KNL] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 ................
Dec 17 11:13:35 15[KNL] 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 ................
Dec 17 11:13:35 15[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 ................
Dec 17 11:13:35 15[KNL] 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 ................
Dec 17 11:13:35 15[KNL] 224: 01 00 00 00 02 00 01 00 00 00 00 00 00 00
00 00 ................
Dec 17 11:13:35 15[KNL] 240: 00 00 00 C0 FF FF FF
CF ........
Dec 17 11:13:35 15[KNL] got SPI c50e4550 for reqid {1}
Dec 17 11:13:35 15[NET] sending packet: from 192.168.1.38[4500] to
176.23.75.135[4500]
gateway statusall
# strongswan statusall
Status of IKE charon daemon (strongSwan 5.0.4, Linux
2.6.32-431.el6.x86_64, x86_64):
uptime: 80 seconds, since Dec 17 10:19:21 2013
malloc: sbrk 540672, mmap 0, used 442912, free 97760
worker threads: 6 of 16 idle, 9/1/0/0 working, job queue: 0/0/0/0,
scheduled: 3
loaded plugins: charon curl sqlite aes des sha1 sha2 md4 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem
openssl fips-prf gmp xcbc cmac hmac attr attr-sql kernel-netlink resolve
socket-default farp stroke updown eap-identity eap-md5 eap-gtc
eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp
Listening IP addresses:
172.16.42.10
Connections:
aosclient: %any...%any IKEv2
aosclient: local: [vpngateway3.domain.com] uses public key
authentication
aosclient: cert: "C=US, ST=IL, L=Chicago, O=Company,
OU=vpn_gateway, CN=vpngateway3.domain.com"
aosclient: remote: uses public key authentication
aosclient: child: 172.16.40.0/22 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
aosclient[1]: ESTABLISHED 60 seconds ago,
172.16.42.10[vpngateway3.domain.com]...96.116.65.100[C=US, ST=IL,
L=Chicago, O=Company, OU=test, CN=test4.domain.com]
aosclient[1]: IKEv2 SPIs: a864f84b3127c8ac_i d828b50f563f6829_r*,
public key reauthentication in 54 minutes
aosclient[1]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
-------- Original Message --------
Subject: static virtual ips with pool
Date: Mon, 09 Dec 2013 14:52:32 -0600
From: Banio <aau at mncarpenters.net>
To: users at lists.strongswan.org
Hello, I'm trying to get static virtual IPs with a pool working, but I'm
running into issues. I'm getting: no virtual IP found for %any requested.
I added the addresses on the gateway like this:
# strongswan pool --replace vpnclients --addresses addresses2.txt
addresses2.txt:
172.16.44.1=quique.domain.com
172.16.44.2=eripley.domain.com
gateway ipsec.conf:
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="ike 2, knl 3, cfg 0"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn aosclient
left=%defaultroute
leftcert=vpngateway3.domain.com_cert.pem
leftid=@vpngateway3.domain.com
leftfirewall=yes
leftsubnet=172.16.40.0/22
right=%any
rightsourceip=%vpnclients
auto=route
client ipsec.conf:
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
crlcheckinterval=180
strictcrlpolicy=no
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn aosclient
left=%defaultroute
leftcert=quique.domain.com_cert.pem
leftfirewall=yes
leftid=@quique.domain.com
leftsourceip=%config
right=vpngateway3.domain.com
rightid=@vpngateway3.domain.com
rightsubnet=172.16.40.0/22
auto=add
client log:
# ipsec up aosclient
initiating IKE_SA aosclient[1] to 176.23.75.135
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.38[500] to 176.23.75.135[500]
received packet: from 176.23.75.135[500] to 192.168.1.38[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
received cert request for "C=US, ST=IL, O=Company, OU=Platform IT, CN=MY CA"
sending cert request for "C=US, ST=IL, O=Company, OU=Platform IT, CN=MY CA"
authentication of 'quique.domain.com' (myself) with RSA signature successful
sending end entity cert "C=US, ST=IL, L=Chicago, O=Company, OU=Platform
IT, CN=quique.domain.com"
establishing CHILD_SA aosclient
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
AUTH CP(ADDR DNS DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.38[4500] to 176.23.75.135[4500]
received packet: from 176.23.75.135[4500] to 192.168.1.38[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP)
N(NO_ADD_ADDR) N(INT_ADDR_FAIL) ]
received end entity cert "C=US, ST=IL, L=Chicago, O=Company,
OU=vpn_gateway, CN=vpngateway3.domain.com"
using certificate "C=US, ST=IL, L=Chicago, O=Company, OU=vpn_gateway,
CN=vpngateway3.domain.com"
using trusted ca certificate "C=US, ST=IL, O=Company, OU=Platform IT,
CN=MY CA"
checking certificate status of "C=US, ST=IL, L=Chicago, O=Company,
OU=vpn_gateway, CN=vpngateway3.domain.com"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of 'vpngateway3.domain.com' with RSA signature successful
IKE_SA aosclient[1] established between
192.168.1.38[quique.domain.com]...176.23.75.135[vpngateway3.domain.com]
scheduling reauthentication in 3399s
maximum IKE_SA lifetime 3579s
received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built
server log:
Dec 9 10:23:42 15[NET] received packet: from 96.116.65.100[500] to
172.16.42.10[500] (832 bytes)
Dec 9 10:23:42 15[IKE] 96.116.65.100 is initiating an IKE_SA
Dec 9 10:23:42 15[IKE] local host is behind NAT, sending keep alives
Dec 9 10:23:42 15[IKE] remote host is behind NAT
Dec 9 10:23:42 15[IKE] sending cert request for "C=US, ST=IL,
O=Company, OU=Platform IT, CN=Company CA"
Dec 9 10:23:42 15[NET] sending packet: from 172.16.42.10[500] to
96.116.65.100[500] (465 bytes)
Dec 9 10:23:42 16[NET] received packet: from 96.116.65.100[4500] to
172.16.42.10[4500] (1788 bytes)
Dec 9 10:23:42 16[IKE] received cert request for "C=US, ST=IL,
O=Company, OU=Platform IT, CN=Company CA"
Dec 9 10:23:42 16[IKE] received end entity cert "C=US, ST=IL,
L=Chicago, O=Company, OU=Platform IT, CN=quique.domain.com"
Dec 9 10:23:42 16[IKE] authentication of 'quique.domain.com' with RSA
signature successful
Dec 9 10:23:42 16[IKE] peer supports MOBIKE
Dec 9 10:23:42 16[IKE] authentication of 'vpngateway3.domain.com'
(myself) with RSA signature successful
Dec 9 10:23:42 16[IKE] IKE_SA aosclient[1] established between
172.16.42.10[vpngateway3.domain.com]...96.116.65.100[quique.domain.com]
Dec 9 10:23:42 16[IKE] scheduling reauthentication in 3249s
Dec 9 10:23:42 16[IKE] maximum IKE_SA lifetime 3429s
Dec 9 10:23:42 16[IKE] sending end entity cert "C=US, ST=IL, L=Chicago,
O=Company, OU=vpn_gateway, CN=vpngateway3.domain.com"
Dec 9 10:23:42 16[IKE] peer requested virtual IP %any
Dec 9 10:23:42 16[IKE] no virtual IP found for %any requested by
'quique.domain.com'
Dec 9 10:23:42 16[IKE] no virtual IP found, sending
INTERNAL_ADDRESS_FAILURE
Dec 9 10:23:42 16[IKE] configuration payload negotiation failed, no
CHILD_SA built
Dec 9 10:23:42 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Dec 9 10:23:42 16[NET] sending packet: from 172.16.42.10[4500] to
96.116.65.100[4500] (1484 bytes)
Dec 9 10:24:02 01[IKE] sending keep alive to 96.116.65.100[4500]
Any help would be appreciated. Let me know if more info is needed.
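The poster's working theory is that the identity charon authenticates does not match the identity stored with the static lease. One way to test that theory without guessing is to parse both sources and compare them after normalisation, since charon prints DNs as "C=US, ST=IL, ..." (with spaces) while the addresses file has none, and ipsec.conf IDs may carry a leading "@". The following checker is an added example, not code from the strongSwan project or from anyone in this thread. It assumes a simplified matching rule (RDN types compared case-insensitively, values exactly, host names case-insensitively with or without "@") and does not reproduce strongSwan's own identification matching; the sample addresses file and log lines are constructed from the values quoted above, plus one extra peer with no lease.

```python
"""Cross-check charon's authenticated peer identities against a static
strongSwan pool file (the ip=identity lines fed to `strongswan pool --addresses`).

Added example, not strongSwan project code.  Assumption: identities are
compared textually after normalisation (see parse_identity); this is a
diagnostic for ID spelling mismatches, not a copy of charon's matcher.
"""
import re
from typing import Dict, List, Sequence, Tuple

AUTH_RE = re.compile(r"authentication of '(.+)' with \S+ signature successful")
FAIL_RE = re.compile(r"no virtual IP found for (\S+) requested by '(.+)'$")
DN_RE = re.compile(r"^[A-Za-z]+\s*=")

Identity = Tuple[str, object]


def parse_identity(raw: str) -> Identity:
    """Normalise an identity as written in the pool file or printed by charon.

    charon prints DNs as 'C=US, ST=IL, ...' while the pool file has no spaces
    after the commas; both become the same tuple of RDNs.  A leading '@'
    (ipsec.conf leftid=@host) is dropped.  DN values that contain a literal
    comma are not handled (simplification).
    """
    s = raw.strip().strip("\"'")
    if s.startswith("@"):
        s = s[1:]
    if DN_RE.match(s):
        rdns = []
        for part in s.split(","):
            attr, _, value = part.partition("=")
            rdns.append((attr.strip().upper(), value.strip()))
        return ("dn", tuple(rdns))
    return ("name", s.lower())


def parse_addresses_file(text: str) -> Dict[Identity, str]:
    """Map identity -> static lease from 'ip=identity' lines; comments and blanks skipped."""
    leases: Dict[Identity, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, sep, ident = line.partition("=")  # first '=' separates ip from identity
        if not sep:
            continue                          # plain address/range line, no static identity
        leases[parse_identity(ident)] = ip.strip()
    return leases


def check_leases(addresses_text: str, log_lines: Sequence[str]) -> List[Dict[str, object]]:
    """For each peer charon authenticated, report its static lease (or None)
    and whether charon logged 'no virtual IP found' for that identity."""
    leases = parse_addresses_file(addresses_text)
    peers: Dict[Identity, Dict[str, object]] = {}
    order: List[Identity] = []

    def entry_for(raw: str) -> Dict[str, object]:
        key = parse_identity(raw)
        if key not in peers:
            peers[key] = {"peer": raw, "lease": leases.get(key), "failed": False}
            order.append(key)
        return peers[key]

    for line in log_lines:
        line = line.rstrip()
        m = AUTH_RE.search(line)
        if m and "(myself)" not in line:      # skip the gateway authenticating itself
            entry_for(m.group(1))
            continue
        m = FAIL_RE.search(line)
        if m:
            entry_for(m.group(2))["failed"] = True
    return [peers[k] for k in order]


# Constructed sample input, built from the values quoted in the thread.
ADDRESSES = """\
172.16.44.15=C=US,ST=IL,L=Chicago,O=Company,OU=test,CN=test4.domain.com
172.16.44.14=C=US,ST=IL,L=Chicago,O=Company,OU=test,CN=test5.domain.com
172.16.44.1=quique.domain.com
"""

LOG = [
    "Dec 17 10:05:22 16[IKE] authentication of 'C=US, ST=IL, L=Chicago, O=Company, OU=test, CN=test4.domain.com' with RSA signature successful",
    "Dec 17 10:05:22 16[IKE] authentication of 'vpngateway3.domain.com' (myself) with RSA signature successful",
    "Dec 17 10:05:22 16[IKE] peer requested virtual IP %any",
    "Dec 17 10:05:22 16[IKE] no virtual IP found for %any requested by 'C=US, ST=IL, L=Chicago, O=Company, OU=test, CN=test4.domain.com'",
    "Dec  9 10:23:42 16[IKE] authentication of 'quique.domain.com' with RSA signature successful",
    "Dec  9 10:23:42 16[IKE] no virtual IP found for %any requested by 'quique.domain.com'",
    # constructed extra peer that has no static lease at all
    "Dec  9 10:30:01 17[IKE] authentication of 'eripley.domain.com' with RSA signature successful",
]


def main() -> None:
    for r in check_leases(ADDRESSES, LOG):
        if r["lease"] is None:
            verdict = "no static lease for this identity; add an ip=identity line"
        elif r["failed"]:
            verdict = "lease %s matches textually, so this is not an ID spelling mismatch" % r["lease"]
        else:
            verdict = "lease %s" % r["lease"]
        print("%-75s %s" % (r["peer"], verdict))


if __name__ == "__main__":
    main()
```

Point it at the real addresses file and the charon log (syslog or wherever charon writes) instead of the embedded samples. A peer that shows a lease but still failed, as both peers in this thread do under the simplified rule, means the spelling of the ID is not the problem and the pool database itself is the next thing to inspect; `strongswan pool --leases` lists the leases the pool database actually holds, which is what to compare against.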