[strongSwan] Dual Stack problems

Andreas Steffen andreas.steffen at strongswan.org
Tue Mar 26 10:22:23 CET 2013


Hi Claude,

this problem with persistent SQL-based pools was fixed with
5.0.3rc1. See also our new example scenario

https://www.strongswan.org/uml/testresults5rc/ikev2/ip-two-pools-v4v6-db/

Regards

Andreas

On 03/26/2013 09:46 AM, Claude Tompers wrote:
> Hello,
> 
> My strongswan 5.0.2 installation has some bizarre behaviour with 
> IKEv2 connections that ask for both an IPv4 and an IPv6 address.
> 
> My client ipsec.conf is as follows:
> 
> conn IKEv2
>     keyexchange=ikev2
>     left=%any
>     leftauth=pubkey
>     leftcert=nullpointerexception-cert.pem
>     leftsourceip=%config4,%config6
>     right=casarrondo.restena.lu
>     rightauth=pubkey
>     rightid=@casarrondo.restena.lu
> 
> 
> My server ipsec.conf is as follows:
> 
> conn IKEv2-tech
>     keyexchange=ikev2
>     rightauth=pubkey
>     rightsendcert=always
>     rightid="C=LU, L=Luxembourg, O=Fondation RESTENA, OU=Technical, CN=*, E=*"
>     rightsourceip=%tech-v4,%tech-v6
>     auto=add
> 
> 
> Both pools are defined as follows:
> 
> name      start             end                timeout  size  online   usage
> tech-v4   158.64.15.193     158.64.15.206      1h       14    0 ( 0%)  2 (14%)
> tech-v6   2001:a18:1:40::1  2001:a18:1:40::ff  1h       255   0 ( 0%)  0 ( 0%)
> 
> 
> In the server logs, I see the following lines:
> 
> Mar 26 09:35:47 casarrondo charon: 07[CFG] acquired existing lease for address 158.64.15.193 in pool 'tech-v4'
> Mar 26 09:35:47 casarrondo charon: 07[IKE] assigning virtual IP 158.64.15.193 to peer 'C=LU ...
> Mar 26 09:35:47 casarrondo charon: 07[IKE] peer requested virtual IP %any6
> Mar 26 09:35:47 casarrondo charon: 07[CFG] acquired existing lease for address 158.64.15.194 in pool 'tech-v4'
> Mar 26 09:35:47 casarrondo charon: 07[IKE] assigning virtual IP 158.64.15.194 to peer 'C=LU ...
> 
> The client really ends up with two addresses from tech-v4 pool. 
> I've changed the following line in the server's ipsec.conf :
> 
> rightsourceip=%tech-v6,%tech-v4
> 
> The result was that strongswan distributed 2 addresses from the 
> tech-v6 pool. Is there an error in my configuration ?
> 
> kind regards, Claude


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
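
The symptom in the quoted server log, a %any6 request answered with an address from tech-v4, can be checked for mechanically, for instance before and after upgrading. This is an added example, not part of the original message and not strongSwan code; the sample log is constructed from the lines quoted above, and the "%any" request line and the peer name 'CN=example' are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the log lines quoted above; the "%any"
# request line and the peer name 'CN=example' are assumptions.
SAMPLE_LOG = """\
Mar 26 09:35:47 casarrondo charon: 07[IKE] peer requested virtual IP %any
Mar 26 09:35:47 casarrondo charon: 07[CFG] acquired existing lease for address 158.64.15.193 in pool 'tech-v4'
Mar 26 09:35:47 casarrondo charon: 07[IKE] assigning virtual IP 158.64.15.193 to peer 'CN=example'
Mar 26 09:35:47 casarrondo charon: 07[IKE] peer requested virtual IP %any6
Mar 26 09:35:47 casarrondo charon: 07[CFG] acquired existing lease for address 158.64.15.194 in pool 'tech-v4'
Mar 26 09:35:47 casarrondo charon: 07[IKE] assigning virtual IP 158.64.15.194 to peer 'CN=example'
"""

REQ = re.compile(r"charon: (\d+)\[IKE\] peer requested virtual IP (\S+)")
ASSIGN = re.compile(r"charon: (\d+)\[IKE\] assigning virtual IP (\S+) to peer")


def requested_family(token):
    """Return 4 or 6 for a requested virtual IP (%any, %any6 or a literal)."""
    if token in ("%any", "%any6"):
        return 6 if token == "%any6" else 4
    return ipaddress.ip_address(token).version


def find_family_mismatches(log_text):
    """Pair each request with the next assignment on the same charon thread
    and return (requested, assigned) tuples whose address families differ."""
    pending = {}      # thread id -> (request token, requested family)
    mismatches = []
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            pending[m.group(1)] = (m.group(2), requested_family(m.group(2)))
            continue
        m = ASSIGN.search(line)
        if m and m.group(1) in pending:
            token, family = pending.pop(m.group(1))
            if ipaddress.ip_address(m.group(2)).version != family:
                mismatches.append((token, m.group(2)))
    return mismatches


if __name__ == "__main__":
    for requested, assigned in find_family_mismatches(SAMPLE_LOG):
        print(f"requested {requested} but was assigned {assigned}")
```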