[strongSwan] IPv4 lan in IKEv1 IPv6 tunnel
Eric Boudrand
eric.boudrand at thegreenbow.com
Fri Dec 20 16:39:45 CET 2013
Hello,
I have a problem establishing a tunnel between a roadwarrior and a
strongSwan 5.1.1 server. Both endpoints have IPv6 addresses and the
client needs to access an IPv4 LAN behind the strongSwan server.
During phase 2, the server is responding in Quick Mode with an "INVALID ID
INFORMATION" error.
The strongSwan logs show:
charon: 14[CFG] looking for a child config for 192.168.16.0/24 === 10.10.10.1/32
charon: 14[CFG] proposing traffic selectors for us:
charon: 14[CFG] 192.168.16.0/24
charon: 14[CFG] proposing traffic selectors for other:
charon: 14[CFG] dynamic
charon: 14[IKE] no matching CHILD_SA config found
ipsec statusall returns:
Status of IKE charon daemon (strongSwan 5.1.1, Linux 2.6.32-5-686, i686):
uptime: 16 minutes, since Dec 20 15:55:21 2013
malloc: sbrk 274432, mmap 0, used 133088, free 141344
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 xauth-generic
Virtual IP pools (size/online/offline):
10.10.10.0/24: 254/0/0
Listening IP addresses:
192.168.50.22
fc01:8714:6432:6104::2
192.168.16.10
Connections:
ikev1_tgb_IPV6: fc01:8714:6432:6104::2...%any6 IKEv1, dpddelay=30s
ikev1_tgb_IPV6: local: [C=FR, L=Bordeaux, O=TheGreenBow, OU=Support, CN=Serveur VPN Bordeaux, E=support at thegreenbow.com] uses public key authentication
ikev1_tgb_IPV6: cert: "C=FR, L=Bordeaux, O=TheGreenBow, OU=Support, CN=Serveur VPN Bordeaux, E=support at thegreenbow.com"
ikev1_tgb_IPV6: remote: uses public key authentication
ikev1_tgb_IPV6: child: 192.168.16.0/24 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
none
In the ipsec.conf file, the connection settings are:
conn ikev1_tgb_IPV6
    left=fc01:8714:6432:6104::2
    leftsubnet=192.168.16.0/24
    leftcert=bordeaux.pem
    leftid="C=FR, L=Bordeaux, O=TheGreenBow, OU=Support, CN=Serveur VPN Bordeaux, E=support at thegreenbow.com"
    leftfirewall=yes
    lefthostaccess=yes
    right=%any6
    rightsourceip=10.10.10.0/24
    rightauth=pubkey
    keyexchange=ikev1
Config mode is not activated.
Thanks for any help.
Regards.
--
Eric Boudrand
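
Added example, not part of the original message and not strongSwan code: a Python sketch that pulls the requested and proposed traffic selectors out of the charon lines quoted above and compares each side with a simplified containment test. It assumes "dynamic" stands for one host address (the peer's IKE address or an assigned virtual IP); the function names and the peer address 2001:db8::10 are constructed for the illustration.

```python
import ipaddress
import re

# Log lines from the post above (wrapped first line rejoined).
SAMPLE_LOG = """\
charon: 14[CFG] looking for a child config for 192.168.16.0/24 === 10.10.10.1/32
charon: 14[CFG] proposing traffic selectors for us:
charon: 14[CFG] 192.168.16.0/24
charon: 14[CFG] proposing traffic selectors for other:
charon: 14[CFG] dynamic
charon: 14[IKE] no matching CHILD_SA config found
"""
LINE = re.compile(r"charon: \d+\[(?:CFG|IKE)\]\s+(.*)")
REQUEST = re.compile(r"looking for a child config for (\S+) === (\S+)")

def parse_selectors(log_text):
    """Return the peer's requested selectors and the ones charon proposed."""
    result = {"requested": None, "us": [], "other": [], "failed": False}
    side = None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1).strip()
        req = REQUEST.match(msg)
        if req:
            result["requested"] = (req.group(1), req.group(2))
        elif msg.startswith("proposing traffic selectors for "):
            side = msg.rsplit(" ", 1)[1].rstrip(":")   # "us" or "other"
        elif msg == "no matching CHILD_SA config found":
            result["failed"] = True
        elif side and " " not in msg:                  # a bare selector line
            result[side].append(msg)
    return result

def covers(configured, requested, dynamic_addr):
    """Simplified check (not charon's algorithm): is requested inside any selector?"""
    want = ipaddress.ip_network(requested)
    for sel in configured:
        have = ipaddress.ip_network(dynamic_addr if sel == "dynamic" else sel)
        if have.version == want.version and want.subnet_of(have):
            return True
    return False

def diagnose(log_text, dynamic_addr):
    # dynamic_addr is the assumed value of "dynamic" for this peer.
    p = parse_selectors(log_text)
    return {"failed": p["failed"],
            "local_ok": covers(p["us"], p["requested"][0], dynamic_addr),
            "remote_ok": covers(p["other"], p["requested"][1], dynamic_addr)}
```

With the constructed IPv6 peer address substituted for "dynamic", the local selector passes and the remote selector 10.10.10.1/32 does not; with 10.10.10.1 substituted instead, both sides pass.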