[strongSwan] IPv4 lan in IKEv1 IPv6 tunnel

Andreas Steffen andreas.steffen at strongswan.org
Sat Dec 21 09:41:21 CET 2013


Hi Eric,

even if the client statically defines its own virtual IP address
(in your example apparently 10.10.10.1) it must request this
address explicitly from the strongSwan server via an IKEv1 mode config
payload. Just defining rightsourceip=<pool> (in your example
rightsourceip=10.10.10.0/24) on the server side is not sufficient for
a traffic selector proposal based on dynamic to match successfully.

Thus with a strongSwan client you would define

  leftsourceip=10.10.10.1

which would cause a mode config request for this address to be
generated. Thus we would expect the same behaviour from a Greenbow
client. If it is not possible to activate mode config then you must
explicitly enumerate all clients with their corresponding source IP
addresses:

conn rw
     ....

conn rw1
     also=rw
     rightsubnet=10.10.10.1/32
     auto=add

conn rw2
     also=rw
     rightsubnet=10.10.10.2/32

     ...

Best regards

Andreas

On 12/20/2013 04:39 PM, Eric Boudrand wrote:
> Hello,
> 
> I have a problem establishing a tunnel between a roadwarrior and a 
> Strongswan 5.1.1 server. Both endpoints have IPv6 addresses and the 
> client needs to access an IPv4 LAN behind the strongswan server.
> 
> During phase 2, the server is responding in Quick Mode with "INVALID ID 
> INFORMATION" error.
> 
> The Strongswan logs show:
> charon: 14[CFG] looking for a child config for 192.168.16.0/24 === 
> 10.10.10.1/32
> charon: 14[CFG] proposing traffic selectors for us:
> charon: 14[CFG]  192.168.16.0/24
> charon: 14[CFG] proposing traffic selectors for other:
> charon: 14[CFG]  dynamic
> charon: 14[IKE] no matching CHILD_SA config found
> 
> 
> ipsec statusall returns:
> Status of IKE charon daemon (strongSwan 5.1.1, Linux 2.6.32-5-686, i686):
>    uptime: 16 minutes, since Dec 20 15:55:21 2013
>    malloc: sbrk 274432, mmap 0, used 133088, free 141344
>    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
> scheduled: 
>                  1
>    loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce 
> x509 revocation
>    constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem 
> fips-prf gmp
>    xcbc cmac hmac attr kernel-pfkey kernel-netlink resolve 
> socket-default stroke
>    updown eap-identity eap-md5 eap-gtc eap-mschapv2 xauth-generic
> Virtual IP pools (size/online/offline):
>    10.10.10.0/24: 254/0/0
> Listening IP addresses:
>    192.168.50.22
>    fc01:8714:6432:6104::2
>    192.168.16.10
> Connections:
> ikev1_tgb_IPV6:  fc01:8714:6432:6104::2...%any6  IKEv1, dpddelay=30s
> ikev1_tgb_IPV6:   local:  [C=FR, L=Bordeaux, O=TheGreenBow, OU=Support, 
> CN=Serveur VPN Bordeaux, E=support at thegreenbow.com] uses public key 
> authentication
> ikev1_tgb_IPV6:    cert:  "C=FR, L=Bordeaux, O=TheGreenBow, OU=Support, 
> CN=Serveur VPN Bordeaux, E=support at thegreenbow.com"
> ikev1_tgb_IPV6:   remote: uses public key authentication
> ikev1_tgb_IPV6:   child:  192.168.16.0/24 === dynamic TUNNEL, 
> dpdaction=clear
> Security Associations (0 up, 0 connecting):
>    none
> 
> In ipsec.conf file, connection settings are :
> conn ikev1_tgb_IPV6
>         left=fc01:8714:6432:6104::2
>         leftsubnet=192.168.16.0/24
>         leftcert=bordeaux.pem
>         leftid="C=FR, L=Bordeaux, O=TheGreenBow, OU=Support, CN=Serveur VPN Bordeaux, E=support at thegreenbow.com"
>         leftfirewall=yes
>         lefthostaccess=yes
>         right=%any6
>         rightsourceip=10.10.10.0/24
>         rightauth=pubkey
>         keyexchange=ikev1
> 
> Config mode is not activated.
> 
> Thanks for any help.
> 
> Regards.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
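The following is an added illustration, not strongSwan code and not part of the thread: a deliberately simplified model of how an IKEv1 responder picks a child config by checking the client's proposed traffic selectors against each conn's leftsubnet/rightsubnet. It encodes the rule from the reply: a "dynamic" remote selector stands for the peer's own IKE address, or for the virtual IP the peer obtained through a mode config request; a rightsourceip pool alone assigns nothing, so the pool-only setup from the quoted ipsec.conf yields "no matching CHILD_SA config found", while a mode config request for 10.10.10.1 or an explicitly enumerated rightsubnet (rw1/rw2) matches. The client's IPv6 address, the function names and the ChildConfig structure are assumptions made for the example; the subnets and pool come from the quoted configuration.

```python
"""Simplified model of strongSwan's IKEv1 Quick Mode child config lookup.
Added illustration only: charon's real selection (ike_cfg/child_cfg lookup,
narrowing, protocol/port handling) is far richer than this."""

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class ChildConfig:
    name: str
    local_ts: str               # leftsubnet on the server
    remote_ts: str = "dynamic"  # rightsubnet, "dynamic" when unset
    pool: Optional[str] = None  # rightsourceip pool, if configured


def mode_config_request(cfg: ChildConfig, requested: str) -> Optional[str]:
    """Model of an IKEv1 mode config exchange: the client asks for a virtual
    IP (strongSwan client: leftsourceip=<addr>) and the server grants it only
    if the address lies inside the conn's rightsourceip pool."""
    if cfg.pool is None:
        return None
    if ipaddress.ip_address(requested) in ipaddress.ip_network(cfg.pool):
        return requested
    return None


def resolve_remote_ts(cfg: ChildConfig, peer_addr: str, vip: Optional[str]):
    """Turn the configured remote selector into a concrete network."""
    if cfg.remote_ts != "dynamic":
        return ipaddress.ip_network(cfg.remote_ts)
    # "dynamic": the assigned virtual IP if any, otherwise the peer's address
    return ipaddress.ip_network(vip if vip else peer_addr)


def ts_contains(configured, proposed) -> bool:
    """A proposed selector matches when it lies inside the configured one;
    selectors of different address families never match."""
    if configured.version != proposed.version:
        return False
    return proposed.subnet_of(configured)


def find_child_config(configs, peer_addr, proposed_local, proposed_remote,
                      vips=None):
    """Return the first conn whose selectors cover the proposal (the log's
    'looking for a child config for <local> === <remote>'), or None
    ('no matching CHILD_SA config found')."""
    vips = vips or {}
    local = ipaddress.ip_network(proposed_local)
    remote = ipaddress.ip_network(proposed_remote)
    for cfg in configs:
        if not ts_contains(ipaddress.ip_network(cfg.local_ts), local):
            continue
        if ts_contains(resolve_remote_ts(cfg, peer_addr, vips.get(cfg.name)),
                       remote):
            return cfg.name
    return None


# Constructed scenario: the client's IPv6 address is made up; the subnets
# and the pool are the ones from the quoted ipsec.conf.
CLIENT_V6 = "fc01:8714:6432:6104::10"
SERVER_CFG = [ChildConfig("ikev1_tgb_IPV6", "192.168.16.0/24", "dynamic",
                          pool="10.10.10.0/24")]
ENUMERATED_CFG = [ChildConfig("rw1", "192.168.16.0/24", "10.10.10.1/32"),
                  ChildConfig("rw2", "192.168.16.0/24", "10.10.10.2/32")]


def scenario_no_mode_config():
    """Pool defined on the server, but the client never requests a VIP."""
    return find_child_config(SERVER_CFG, CLIENT_V6,
                             "192.168.16.0/24", "10.10.10.1/32")


def scenario_with_mode_config():
    """Client requests 10.10.10.1 via mode config (leftsourceip=10.10.10.1)."""
    vip = mode_config_request(SERVER_CFG[0], "10.10.10.1")
    return find_child_config(SERVER_CFG, CLIENT_V6,
                             "192.168.16.0/24", "10.10.10.1/32",
                             vips={SERVER_CFG[0].name: vip})


def scenario_enumerated(client_ts):
    """No mode config at all: one conn per client with an explicit rightsubnet."""
    return find_child_config(ENUMERATED_CFG, CLIENT_V6,
                             "192.168.16.0/24", client_ts)


if __name__ == "__main__":
    print("pool only            :", scenario_no_mode_config())
    print("mode config request  :", scenario_with_mode_config())
    print("enumerated 10.10.10.2:", scenario_enumerated("10.10.10.2/32"))
```

The family check in ts_contains is what reproduces the failure in the quoted log: with no virtual IP assigned, "dynamic" resolves to the client's IPv6 address, and an IPv4 selector can never fall inside it, regardless of the pool configured with rightsourceip.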
