[strongSwan] right=0.0.0.0 configuration on responder not working, with multiple initiators
divya mohan
m.divya.mohan at zoho.com
Sat Dec 20 10:43:57 CET 2014
Hi,
I am facing an issue with strongSwan IKEv2 in establishing a connection when
right=0.0.0.0 is configured.
My setup is like this:
[ Initiator_1 ]
[ 10.63.53.206 ] ---\
                     [ Responder    ]
                     [ 10.63.20.123 ]
[ Initiator_2 ]  ---/
[ 10.63.53.211 ]
On responder side, only single connection is configured in ipsec.conf:
left=10.63.20.123
right=0.0.0.0
leftsubnet=10.63.20.0/24
rightsubnet=10.63.53.0/24
Both initiators will send icmp requests to the responder, and the responder
should send replies back.
Initially, when I start traffic from initiator_1, CHILD_SAs are established,
and request/reply works fine.
Now, when I start traffic from initiator_2, new CHILD_SAs are established,
and request/reply works for initiator_2;
but the responder stops sending replies for initiator_1.
i.e. at a time the responder is sending replies to only one initiator.
I am sharing the ipsec.conf files used on all three nodes.
Could you please help check whether any parameter needs to be changed?
Or is this kind of configuration not supported?
ipsec.conf files:
=================
Responder:
----------
config setup
charonstart=yes
plutostart=no
uniqueids=no
charondebug="knl 0,enc 0,net 0"
conn %default
auto=route
keyexchange=ikev2
reauth=no
conn r1~v1
rekeymargin=500
rekeyfuzz=100%
left=10.63.20.123
right=0.0.0.0
leftsubnet=10.63.20.0/24
rightsubnet=10.63.53.0/24
leftprotoport=1
rightprotoport=1
authby=secret
leftid=10.63.20.123
rightid=%any
ike=aes128-sha1-modp768!
esp=3des-md5!
type=tunnel
ikelifetime=10000s
keylife=5000s
mobike=no
auto=route
reauth=no
encapdscp=yes
Initiator_1:
-----------
config setup
charonstart=yes
plutostart=no
uniqueids=no
charondebug="knl 0,enc 0,net 0"
conn %default
auto=route
keyexchange=ikev2
reauth=no
conn r1~v1
rekeymargin=500
rekeyfuzz=100%
left=10.63.53.206
right=10.63.20.123
leftsubnet=10.63.53.0/24
rightsubnet=10.63.20.0/24
leftprotoport=1
rightprotoport=1
authby=secret
leftid=10.63.53.206
rightid=%any
ike=aes128-sha1-modp768!
esp=3des-md5!
type=tunnel
ikelifetime=10000s
keylife=5000s
mobike=no
auto=route
reauth=no
encapdscp=yes
Initiator_2:
------------
config setup
charonstart=yes
plutostart=no
uniqueids=no
charondebug="knl 0,enc 0,net 0"
conn %default
auto=route
keyexchange=ikev2
reauth=no
conn r1~v1
rekeymargin=500
rekeyfuzz=100%
left=10.63.53.211
right=10.63.20.123
leftsubnet=10.63.53.0/24
rightsubnet=10.63.20.0/24
leftprotoport=1
rightprotoport=1
authby=secret
leftid=10.63.53.211
rightid=%any
ike=aes128-sha1-modp768!
esp=3des-md5!
type=tunnel
ikelifetime=10000s
keylife=5000s
mobike=no
auto=route
reauth=no
encapdscp=yes
strongswan.conf (same for all 3 nodes)
--------------------------------------
charon {
reuse_ikesa=no
install_routes=no
block_threshold=50
cookie_threshold=100
}
Logs:
=====
# starter --nofork &
[1] 24025
Starting strongSwan 4.3.6 IPsec [starter]...
[root at CFPU-0(BCNBlr34) /root]
# 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
00[CFG] loading ca certificates from '/etc/ipsec/certs/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec/certs/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
'/etc/ipsec/certs/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from
'/etc/ipsec/certs/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec/certs/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded IKE secret for %any
00[DMN] loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc
stroke kernel-netlink
00[JOB] spawning 16 worker threads
charon (24032) started after 40 ms
02[CFG] received stroke: add connection 'r1~v1'
02[CFG] added configuration 'r1~v1'
08[CFG] rereading secrets
08[CFG] loading secrets from '/etc/ipsec.secrets'
08[CFG] loaded IKE secret for %any
08[CFG] rereading ca certificates from '/etc/ipsec/certs/ipsec.d/cacerts'
08[CFG] rereading ocsp signer certificates from
'/etc/ipsec/certs/ipsec.d/ocspcerts'
08[CFG] rereading aa certificates from '/etc/ipsec/certs/ipsec.d/aacerts'
08[CFG] rereading attribute certificates from
'/etc/ipsec/certs/ipsec.d/acerts'
08[CFG] rereading crls from '/etc/ipsec/certs/ipsec.d/crls'
09[CFG] received stroke: route 'r1~v1'
configuration 'r1~v1' routed
# ip xfrm policy
10.63.53.0/24[0] 10.63.20.0/24[0]
upspec 1 dev (none) uid 0
in allow index 0x00000558 priority 2758 share any flags 0x00000000
tmpl-1:
0.0.0.0 10.63.20.123
esp spi 0(0x00000000) reqid 1 tunnel
level required share any algo-mask:E=32, A=32, C=32
fpid 0x00000024
policy type main
10.63.20.0/24[0] 10.63.53.0/24[0]
upspec 1 dev (none) uid 0
out allow index 0x00000551 priority 2758 share any flags 0x00000000
tmpl-1:
10.63.20.123 0.0.0.0
esp spi 0(0x00000000) reqid 1 tunnel
level required share any algo-mask:E=32, A=32, C=32
fpid 0x00000023
policy type main
# ip xfrm state
# echo "starting traffic from initiator_1"
starting traffic from initiator_1
# 13[IKE] 10.63.53.206 is initiating an IKE_SA
14[CFG] looking for peer configs matching
10.63.20.123[(vr*)%any]...10.63.53.206[(vr*)10.63.53.206]
14[CFG] selected peer config 'r1~v1'
14[IKE] authentication of '(vr*)10.63.53.206' with pre-shared key successful
14[IKE] authentication of '(vr*)10.63.20.123' (myself) with pre-shared key
14[IKE] IKE_SA r1~v1[1] established between
10.63.20.123[(vr*)10.63.20.123]...10.63.53.206[(vr*)10.63.53.206]
14[IKE] scheduling rekeying in 9026s
14[IKE] maximum IKE_SA lifetime 9526s
14[IKE] CHILD_SA r1~v1{2} established with SPIs c82689f5_i ccf52265_o and
TS 10.63.20.0/24[icmp] === 10.63.53.0/24[icmp]
# ip xfrm policy
10.63.53.0/24[0] 10.63.20.0/24[0]
upspec 1 dev (none) uid 0
in allow index 0x00000558 priority 1758 share any flags 0x00000000
tmpl-1:
10.63.53.206 10.63.20.123
esp spi 0(0x00000000) reqid 2 tunnel
level required share any algo-mask:E=32, A=32, C=32
fpid 0x00000024
policy type main
10.63.20.0/24[0] 10.63.53.0/24[0]
upspec 1 dev (none) uid 0
out allow index 0x00000551 priority 1758 share any flags 0x00000000
tmpl-1:
10.63.20.123 10.63.53.206
esp spi 0(0x00000000) reqid 2 tunnel
level required share any algo-mask:E=32, A=32, C=32
fpid 0x00000023
policy type main
# ip xfrm state
10.63.20.123 10.63.53.206
esp spi 3438617189(0xccf52265) reqid 2 tunnel
A:hmac(md5) 5e7978f 567189b ef99bdc f6574fa
auth-trunc-len: 96
E:cbc(des3_ede) 378b326 f1211d12 a991dab d94ed64f b6f5a1b3 66fde6a5
fpid 0x000001a4
fp_output_blade 1
10.63.53.206 10.63.20.123
esp spi 3357968885(0xc82689f5) reqid 2 tunnel
A:hmac(md5) a793651a b1f11537 e8a634d6 71346779
auth-trunc-len: 96
E:cbc(des3_ede) 42dd3aa d3d38d32 a34ba5cb b6fc5e7e 93695117 e9ffdd7
fpid 0x000001a3
fp_output_blade 1
# tcpdump -nni eth0 host 10.63.53.206 -c 5
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:37:04.298926 IP 10.63.53.206 > 10.63.20.123: ESP(spi=0xc82689f5,seq=0x2a)
09:37:04.298926 IP 10.63.53.206 > 10.63.20.123: icmp 64: echo request seq 43
09:37:04.299128 IP 10.63.20.123 > 10.63.53.206: ESP(spi=0xccf52265,seq=0x22)
09:37:06.298861 IP 10.63.53.206 > 10.63.20.123: ESP(spi=0xc82689f5,seq=0x2c)
# echo "starting traffic from initiator_2"
starting traffic from initiator_2
# 01[IKE] 10.63.53.211 is initiating an IKE_SA
07[CFG] looking for peer configs matching
10.63.20.123[(vr*)%any]...10.63.53.211[(vr*)10.63.53.211]
07[CFG] selected peer config 'r1~v1'
07[IKE] authentication of '(vr*)10.63.53.211' with pre-shared key successful
07[IKE] authentication of '(vr*)10.63.20.123' (myself) with pre-shared key
07[IKE] IKE_SA r1~v1[2] established between
10.63.20.123[(vr*)10.63.20.123]...10.63.53.211[(vr*)10.63.53.211]
07[IKE] scheduling rekeying in 9171s
07[IKE] maximum IKE_SA lifetime 9671s
07[IKE] CHILD_SA r1~v1{3} established with SPIs c88a872f_i c8860ce1_o and
TS 10.63.20.0/24[icmp] === 10.63.53.0/24[icmp]
# ip xfrm policy
10.63.53.0/24[0] 10.63.20.0/24[0]
upspec 1 dev (none) uid 0
in allow index 0x00000558 priority 1758 share any flags 0x00000000
tmpl-1:
10.63.53.211 10.63.20.123
esp spi 0(0x00000000) reqid 3 tunnel
level required share any algo-mask:E=32, A=32, C=32
fpid 0x00000024
policy type main
10.63.20.0/24[0] 10.63.53.0/24[0]
upspec 1 dev (none) uid 0
out allow index 0x00000551 priority 1758 share any flags 0x00000000
tmpl-1:
10.63.20.123 10.63.53.211
esp spi 0(0x00000000) reqid 3 tunnel
level required share any algo-mask:E=32, A=32, C=32
fpid 0x00000023
policy type main
# ip xfrm state
10.63.20.123 10.63.53.211
esp spi 3364228321(0xc8860ce1) reqid 3 tunnel
A:hmac(md5) 09afd5c d4c77bba 39f8385a c78e71b7
auth-trunc-len: 96
E:cbc(des3_ede) b2416051 52e2413c 38b4d739 f5f65dc2 f3cdfdb 30187da4
fpid 0x000001a6
fp_output_blade 1
10.63.53.211 10.63.20.123
esp spi 3364521775(0xc88a872f) reqid 3 tunnel
A:hmac(md5) 5c54462 7afdd45a 945c9f1d 5d98f9b0
auth-trunc-len: 96
E:cbc(des3_ede) d0577f 9a15bc9a 4ae3f0a5 b159a334 761f3e17 53826c4
fpid 0x000001a5
fp_output_blade 1
10.63.20.123 10.63.53.206
esp spi 3438617189(0xccf52265) reqid 2 tunnel
A:hmac(md5) 5e7978f 567189b ef99bdc f6574fa
auth-trunc-len: 96
E:cbc(des3_ede) 378b326 f1211d12 a991dab d94ed64f b6f5a1b3 66fde6a5
fpid 0x000001a4
fp_output_blade 1
10.63.53.206 10.63.20.123
esp spi 3357968885(0xc82689f5) reqid 2 tunnel
A:hmac(md5) a793651a b1f11537 e8a634d6 71346779
auth-trunc-len: 96
E:cbc(des3_ede) 42dd3aa d3d38d32 a34ba5cb b6fc5e7e 93695117 e9ffdd7
fpid 0x000001a3
fp_output_blade 1
# tcpdump -nni eth0 host 10.63.53.206 -c 5
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:37:53.302254 IP 10.63.53.206 > 10.63.20.123: ESP(spi=0xc82689f5,seq=0x5b)
09:37:53.302254 IP 10.63.53.206 > 10.63.20.123: icmp 64: echo request seq 92
09:37:54.302243 IP 10.63.53.206 > 10.63.20.123: ESP(spi=0xc82689f5,seq=0x5c)
09:37:54.302243 IP 10.63.53.206 > 10.63.20.123: icmp 64: echo request seq 93
# tcpdump -nni eth0 host 10.63.53.211 -c 5
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:38:12.843102 IP 10.63.53.211 > 10.63.20.123: ESP(spi=0xc88a872f,seq=0x28)
09:38:12.843102 IP 10.63.53.211 > 10.63.20.123: icmp 64: echo request seq 41
09:38:12.843327 IP 10.63.20.123 > 10.63.53.211: ESP(spi=0xc8860ce1,seq=0x20)
09:38:13.843095 IP 10.63.53.211 > 10.63.20.123: ESP(spi=0xc88a872f,seq=0x29)
#
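Editor's note on the output above, with an added diagnostic (my own code, not strongSwan's and not part of the original post). The two `ip xfrm policy` snapshots show the same single pair of policies (selector 10.63.20.0/24 <-> 10.63.53.0/24, icmp) before and after initiator_2 connects; only the template endpoints and reqid change, from 10.63.53.206 / reqid 2 to 10.63.53.211 / reqid 3. Meanwhile `ip xfrm state` still lists the reqid 2 SAs for 10.63.53.206. The Linux kernel keys XFRM policies by selector and direction, so two CHILD_SAs with identical traffic selectors but different peers cannot both have a policy installed: the last one wins, and the earlier peer's SAs are left in place but unreferenced, which matches the tcpdump showing no ESP replies to 10.63.53.206 once initiator_2 is up. The script below parses the output layout shown in the post (the vendor-specific `tmpl-1:` / `fpid` variant, not stock iproute2 formatting) and reports which peer currently owns each selector and which SAs no policy selects. The sample input is constructed from the responder's post-initiator_2 snapshot, with the key lines dropped since the check does not need them; the local address is passed in by hand.

```python
"""Cross-check `ip xfrm policy` against `ip xfrm state` on an IPsec responder.

Editor's added example. Parses the output layout shown in the post and reports
SAs that no policy template points at any more (they exist but carry no traffic).
SAMPLE_POLICY / SAMPLE_STATE are constructed from the responder's snapshot
taken after the second initiator connected.
"""
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SEL_RE = re.compile(rf"^({IPV4}/\d+)\[\d+\]\s+({IPV4}/\d+)\[\d+\]$")  # selector line
DIR_RE = re.compile(r"^(in|out|fwd)\s+allow\b")                       # direction line
PAIR_RE = re.compile(rf"^({IPV4})\s+({IPV4})$")                       # "src dst" line
REQID_RE = re.compile(r"\breqid\s+(\d+)\b")
SPI_RE = re.compile(r"\bspi\s+\d+\(0x([0-9a-fA-F]+)\)")

SAMPLE_POLICY = """\
10.63.53.0/24[0] 10.63.20.0/24[0]
upspec 1 dev (none) uid 0
in allow index 0x00000558 priority 1758 share any flags 0x00000000
tmpl-1:
10.63.53.211 10.63.20.123
esp spi 0(0x00000000) reqid 3 tunnel
10.63.20.0/24[0] 10.63.53.0/24[0]
upspec 1 dev (none) uid 0
out allow index 0x00000551 priority 1758 share any flags 0x00000000
tmpl-1:
10.63.20.123 10.63.53.211
esp spi 0(0x00000000) reqid 3 tunnel
"""

SAMPLE_STATE = """\
10.63.20.123 10.63.53.211
esp spi 3364228321(0xc8860ce1) reqid 3 tunnel
10.63.53.211 10.63.20.123
esp spi 3364521775(0xc88a872f) reqid 3 tunnel
10.63.20.123 10.63.53.206
esp spi 3438617189(0xccf52265) reqid 2 tunnel
10.63.53.206 10.63.20.123
esp spi 3357968885(0xc82689f5) reqid 2 tunnel
"""


def parse_policies(text):
    """One dict per policy: dir, src_sel, dst_sel, tmpl_src, tmpl_dst, reqid."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SEL_RE.match(line)):
            cur = {"src_sel": m.group(1), "dst_sel": m.group(2)}
            policies.append(cur)
        elif cur is None:
            continue
        elif (m := DIR_RE.match(line)):
            cur["dir"] = m.group(1)
        elif (m := PAIR_RE.match(line)):                 # template endpoints
            cur["tmpl_src"], cur["tmpl_dst"] = m.group(1), m.group(2)
        elif (m := REQID_RE.search(line)) and "reqid" not in cur:
            cur["reqid"] = int(m.group(1))
    return policies


def parse_states(text):
    """One dict per SA: src, dst, spi (lowercase hex string), reqid."""
    states, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PAIR_RE.match(line)):
            cur = {"src": m.group(1), "dst": m.group(2)}
            states.append(cur)
        elif cur is not None and (m := SPI_RE.search(line)):
            cur["spi"] = m.group(1).lower()
            if (r := REQID_RE.search(line)):
                cur["reqid"] = int(r.group(1))
    return states


def selector_owners(policies):
    """Map (dir, src_sel, dst_sel) -> peer the policy currently tunnels to.

    The kernel keys policies by selector, so each key holds exactly one peer.
    """
    return {(p["dir"], p["src_sel"], p["dst_sel"]):
            p["tmpl_dst"] if p["dir"] == "out" else p["tmpl_src"] for p in policies}


def find_orphaned_sas(policies, states, local_addr):
    """SAs with no policy template of the same dir, endpoints and reqid.

    Returns [(dir, spi, peer, reqid)]; local_addr decides SA direction.
    """
    orphans = []
    for s in states:
        direction = "out" if s["src"] == local_addr else "in"
        peer = s["dst"] if direction == "out" else s["src"]
        covered = any(p.get("dir") == direction and p.get("reqid") == s.get("reqid")
                      and p.get("tmpl_src") == s["src"] and p.get("tmpl_dst") == s["dst"]
                      for p in policies)
        if not covered:
            orphans.append((direction, s["spi"], peer, s["reqid"]))
    return orphans


if __name__ == "__main__":
    pols, sas = parse_policies(SAMPLE_POLICY), parse_states(SAMPLE_STATE)
    for (d, src, dst), peer in selector_owners(pols).items():
        print(f"{d:<3} policy {src} -> {dst} currently tunnels to {peer}")
    for d, spi, peer, reqid in find_orphaned_sas(pols, sas, "10.63.20.123"):
        print(f"orphaned {d} SA spi 0x{spi} (peer {peer}, reqid {reqid}): no policy selects it")
```

On the sample this reports both selectors as owned by 10.63.53.211 and both reqid 2 SAs (peer 10.63.53.206) as orphaned, which is the state the post describes. The practical consequence, in my reading of this output rather than anything the post states, is that a responder serving several peers behind one wildcard `right=%any`/`0.0.0.0` connection needs the peers' traffic selectors to differ (each initiator's subnet narrowed to what it actually owns, or a separate conn per peer), because the kernel will otherwise keep only the most recently installed policy for a given selector.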