[strongSwan] Dual Stack problems

Claude Tompers claude.tompers at restena.lu
Tue Mar 26 09:46:31 CET 2013


Hello,

My strongswan 5.0.2 installation has some bizarre behaviour with IKEv2
connections that ask for both an IPv4 and an IPv6 address.

My client ipsec.conf is as follows:

conn IKEv2
    keyexchange=ikev2
    left=%any
    leftauth=pubkey
    leftcert=nullpointerexception-cert.pem
    leftsourceip=%config4,%config6
    right=casarrondo.restena.lu
    rightauth=pubkey
    rightid=@casarrondo.restena.lu


My server ipsec.conf is as follows:

conn IKEv2-tech
    keyexchange=ikev2
    rightauth=pubkey
    rightsendcert=always
    rightid="C=LU, L=Luxembourg, O=Fondation RESTENA, OU=Technical, CN=*, E=*"
    rightsourceip=%tech-v4,%tech-v6
    auto=add


Both pools are defined as follows:

    name      start              end                 timeout   size   online     usage
    tech-v4   158.64.15.193      158.64.15.206       1h        14     0 ( 0%)    2 (14%)
    tech-v6   2001:a18:1:40::1   2001:a18:1:40::ff   1h        255    0 ( 0%)    0 ( 0%)


In the server logs, I see the following lines:

Mar 26 09:35:47 casarrondo charon: 07[CFG] acquired existing lease for address 158.64.15.193 in pool 'tech-v4'
Mar 26 09:35:47 casarrondo charon: 07[IKE] assigning virtual IP 158.64.15.193 to peer 'C=LU ...
Mar 26 09:35:47 casarrondo charon: 07[IKE] peer requested virtual IP %any6
Mar 26 09:35:47 casarrondo charon: 07[CFG] acquired existing lease for address 158.64.15.194 in pool 'tech-v4'
Mar 26 09:35:47 casarrondo charon: 07[IKE] assigning virtual IP 158.64.15.194 to peer 'C=LU ...

The client really ends up with two addresses from the tech-v4 pool.
I've changed the following line in the server's ipsec.conf:

    rightsourceip=%tech-v6,%tech-v4

The result was that strongswan distributed 2 addresses from the tech-v6
pool.
Is there an error in my configuration?

Kind regards,
Claude

-- 
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
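
A way to spot the symptom described in this post in charon logs, as an added example that is not part of the original message or of strongSwan itself: it pairs each "peer requested virtual IP" line with the next "assigning virtual IP" line and reports assignments from the wrong address family. The sample log is constructed (placeholder host, addresses and peer name); the `%any` request line and the pairing by charon thread number are assumptions, since the post only shows the `%any6` request.

```python
import ipaddress
import re

# Constructed sample modelled on the charon lines quoted in the post;
# host name, addresses and peer name are placeholders.
SAMPLE_LOG = """\
Mar 26 09:35:47 gw charon: 07[IKE] peer requested virtual IP %any
Mar 26 09:35:47 gw charon: 07[CFG] acquired existing lease for address 192.0.2.1 in pool 'pool-v4'
Mar 26 09:35:47 gw charon: 07[IKE] assigning virtual IP 192.0.2.1 to peer 'CN=example'
Mar 26 09:35:47 gw charon: 07[IKE] peer requested virtual IP %any6
Mar 26 09:35:47 gw charon: 07[CFG] acquired existing lease for address 192.0.2.2 in pool 'pool-v4'
Mar 26 09:35:47 gw charon: 07[IKE] assigning virtual IP 192.0.2.2 to peer 'CN=example'
"""

REQ = re.compile(r"(\d+)\[IKE\] peer requested virtual IP (\S+)")
ASSIGN = re.compile(r"(\d+)\[IKE\] assigning virtual IP (\S+) to peer '([^']*)'")


def requested_family(token):
    """Map a requested value to 4 or 6; %any and %any6 are wildcard requests."""
    if token == "%any":
        return 4
    if token == "%any6":
        return 6
    return ipaddress.ip_address(token).version


def find_family_mismatches(log_text):
    """Return (peer, requested, assigned) for every request that was
    answered with an address of the other family."""
    pending = {}      # charon thread number -> last requested value (assumption)
    mismatches = []
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = ASSIGN.search(line)
        if m and m.group(1) in pending:
            requested = pending.pop(m.group(1))
            assigned = ipaddress.ip_address(m.group(2))
            if requested_family(requested) != assigned.version:
                mismatches.append((m.group(3), requested, str(assigned)))
    return mismatches


if __name__ == "__main__":
    for peer, req, got in find_family_mismatches(SAMPLE_LOG):
        print(f"{peer}: requested {req}, assigned {got}")
```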

