[strongSwan] multiple right subnets - road warrior config
Arun G Nair
arungnair at gmail.com
Tue Mar 26 06:27:09 CET 2013
Any clue on what might be happening?
On Tue, Mar 26, 2013 at 1:40 AM, Arun G Nair <arungnair at gmail.com> wrote:
> Hi,
>
> I'm trying to connect to a Fortigate vpn gateway with Strongswan
> 5.0.2 from linux. I've used parameters from windows fortinet ipsec
> client (config below) and I'm able to successfully connect to the
> gateway. But I can't connect to multiple remote subnets at the same
> time. I can only connect to the last subnet defined. If I re-order the
> definitions, I can connect to the other subnet. I've done this before
> with site to site vpn connections but this is a road warrior set up.
> What am I missing here?
>
>
> PS: I've not tried connecting to network-mgmt. That was in the docs
> provided for fortinet on windows, but I don't have any servers in that
> subnet.
>
> [~]> cat /opt/strongswan/etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
> # strictcrlpolicy=yes
> uniqueids=never
> #charondebug="dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, enc 1, lib 1"
>
> conn %default
> ikelifetime=8h
> keylife=30m
> rekeymargin=3m
> keyingtries=3
> keyexchange=ikev1
> ike=3des-sha-modp1536,aes-sha-modp1536
> esp=3des-sha-modp1536,aes-sha-modp1536
> aggressive=yes
> authby=secret
>
> conn network
> left=192.168.1.12
> leftid=user
> right=gateway.net
> rightid=vv.xx.yy.zz
>
> conn network-mgmt
> also=network
> rightsubnet=xx.yy.248.8/29
> auto=start
>
> conn network-trust
> also=network
> rightsubnet=xx.yy.248.32/28
> auto=start
>
> conn network-dmz
> also=network
> rightsubnet=xx.yy.248.48/28
> auto=start
>
>
> [~]> sudo /opt/strongswan/sbin/ipsec statusall
> Status of IKE charon daemon (strongSwan 5.0.2, Linux
> 2.6.32-358.2.1.el6.i686, i686):
> uptime: 7 seconds, since Mar 26 01:24:51 2013
> malloc: sbrk 135168, mmap 0, used 95552, free 39616
> worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
> scheduled: 3
> loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs8 pgp dn
> skey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve
> socket-default stroke updown xauth-generic
> Listening IP addresses:
> 192.168.1.12
> Connections:
> network-mgmt: 192.168.1.12...gateway.net IKEv1 Aggressive
> network-mgmt: local: [user] uses pre-shared key authentication
> network-mgmt: remote: [vv.xx.yy.zz] uses pre-shared key authentication
> network-mgmt: child: dynamic === xx.yy.248.8/29 TUNNEL
> network-trust: child: dynamic === xx.yy.248.32/28 TUNNEL
> network-dmz: child: dynamic === xx.yy.248.48/28 TUNNEL
> Security Associations (1 up, 0 connecting):
> network-mgmt[1]: ESTABLISHED 6 seconds ago,
> 192.168.1.12[user]...vv.xx.yy.zz[vv.xx.yy.zz]
> network-mgmt[1]: IKEv1 SPIs: a3676024cee6d6d2_i* b8f961a5eedca572_r,
> pre-shared key reauthentication in 7 hours
> network-mgmt[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> network-mgmt{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c99b5d07_i 381c7157_o
> network-mgmt{1}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
> rekeying in 24 minutes
> network-mgmt{1}: 192.168.1.12/32 === xx.yy.248.8/29
> network-trust{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: c44f6125_i 381c7158_o
> network-trust{2}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
> rekeying in 25 minutes
> network-trust{2}: 192.168.1.12/32 === xx.yy.248.32/28
> network-dmz{3}: INSTALLED, TUNNEL, ESP in UDP SPIs: c2348492_i 381c7159_o
> network-dmz{3}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
> rekeying in 24 minutes
> network-dmz{3}: 192.168.1.12/32 === xx.yy.248.48/28
>
>
>
> [~]> cat /opt/strongswan/etc/ipsec.secrets
> user : PSK passphrase
>
>
> Any help is appreciated.
>
> Regards,
> Arun G Nair
--
::: Keep Smiling :::
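As an added diagnostic example (not from the original post or from strongSwan itself), the script below flattens an ipsec.conf the way the quoted one is written, resolving `%default` and the `also=` chain into effective conn blocks, and then reports which conn's `rightsubnet` would select a given destination. If a destination is covered by more than one conn, the child policies overlap and compete for the same traffic; if it is covered by none, no tunnel policy applies to it at all. The sample config is constructed from the post with the redacted `xx.yy` prefix replaced by the placeholder `10.0`.

```python
import ipaddress

# Constructed sample modelled on the ipsec.conf in the post (xx.yy -> placeholder 10.0).
SAMPLE_CONF = """
conn network
    left=192.168.1.12
    right=gateway.net
conn network-mgmt
    also=network
    rightsubnet=10.0.248.8/29
conn network-trust
    also=network
    rightsubnet=10.0.248.32/28
conn network-dmz
    also=network
    rightsubnet=10.0.248.48/28
"""

def parse_sections(text):
    """'conn <name>' sections as {name: {key: value}}; 'config' sections are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.startswith(("conn ", "config ")):
            kind, name = line.split(None, 1)
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def resolve(sections, name):
    """Flatten a conn: %default first, then the also= chain, then its own keys (last wins)."""
    own = sections[name]
    merged = {} if name == "%default" else dict(sections.get("%default", {}))
    if "also" in own:
        merged.update(resolve(sections, own["also"]))
    merged.update((k, v) for k, v in own.items() if k != "also")
    return merged

def child_subnets(text):
    """conn -> rightsubnet for each conn that ends up with a remote subnet (a child SA)."""
    sections = parse_sections(text)
    flat = {n: resolve(sections, n) for n in sections if n != "%default"}
    return {n: ipaddress.ip_network(c["rightsubnet"]) for n, c in flat.items() if "rightsubnet" in c}

def conns_for(text, dst):
    """conn(s) whose rightsubnet covers dst; more than one hit means overlapping policies."""
    ip = ipaddress.ip_address(dst)
    return sorted(n for n, net in child_subnets(text).items() if ip in net)
```

Running `conns_for(SAMPLE_CONF, "10.0.248.50")` against the sample returns only `network-dmz`, which confirms the three subnets are disjoint and that the symptom in the post is not caused by overlapping `rightsubnet` definitions.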