[strongSwan] 5.0.x <-> 4.6.4 IKEv1 connection problem

Fri May 10 18:09:47 CEST 2013

Hi,

I have a large network (> 60 gateways) with mostly any-to-any connections, running
strongswan 4.6.4 and IKEv1. A big bang switch to IKEv2 is no option, and I never
succeeded using charon and pluto in parallel on both ends (one end end with charon
and pluto is ok with 4.6.4).

Now I try to go with 5.0.4 to avoid running to daemons in parallel. But there 
seems to be a bug in 5.0.x in my concrete scenario:

Central Gateway nrhgate1:
# 4.6.4, running pluto/IKEv1 only.
conn wobgate
        right=%any
        rightid="..."
        keyexchange=ikev1
        left=<my-ip>
        rightrsasigkey=%cert
        authby=rsasig
        leftid="..."
        leftcert=...
        leftsubnet=172.17.144.0/20
        rightsubnet=192.168.1.0/24
        auto=add
        dpdaction=clear
        mobike=no

Road warrior wobgate:
# 5.0.4
conn nrhgate1
        right=<some ip>
        rightid="..."
        leftid="..."
        leftcert=...
        rightsubnet=172.17.144.0/20
        leftsubnet=192.168.1.0/24
        auto=start
        keyexchange=ikev1
        authby=rsasig
        dpdaction=restart
        dpddelay=10
        dpdtimeout=60
        mobike=no

With strongswan 4.x.x on both ends this works without any problems in
the last years. If I start a connection on wobgate with 5.0.4, I get the
following log entry on nrhgate1:

May 10 17:57:02 nrhgate1 pluto[3266]: "wobgate" #119434: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===x.x.x.x:4500[C=DE, O=Marienhaus GmbH, OU=NRH, CN=nrh.st-elisabeth.de]...y.y.y.y:24492[C=DE, O=Marienhaus GmbH, OU=EDVIT, CN=wobgate.eli.st-elisabeth.de]===192.168.1.0/24

Since there is no configuration for rightsubnet=0.0.0.0/0 on nrhgate1, the
connection comes not up. 

5.0.4 did not sent the rightsubnet for IKEv1 correctly. Is this a bug or
I am missing something in my configuration?

Wolfgang
-- 
<wob (at) swobspace de> * http://www.swobspace.de