[strongSwan] right=0.0.0.0 configuration on responder not working, with multiple initiators

Andreas Steffen andreas.steffen at strongswan.org
Sat Dec 20 16:05:57 CET 2014


Hi Divya,

both Initiator 1 (10.63.53.206) and Initiator 2 (10.63.53.211) define
the same leftsubnet 10.63.53.0/24. How is this supposed to work?
When both tunnels are up the responder will not be able to decide
if to route IP packets with a destination in 10.63.53.0/24 to
Initiator 1 or Initiator 2. With IPsec the routing must be
unambiguous. Thus just omit the leftsubnet definition on both
Initiator 1 and 2 resulting in leftsubnet=10.63.53.206/32 and
leftsubnet=10.63.53.211/32, respectively. On the responder
you can either keep the rightsubnet=10.63.53.0/24 definition since
an automatic narrowing to the initiator proposal is going to happen
or you could omit the rightsubnet definition altogether.

BTW - auto=route on the responder will not be effective since
      the responder will not know with which host to negotiate a tunnel
      automatically. Better set the mode to auto=add.

Best regards

Andreas

On 12/20/2014 10:43 AM, divya mohan wrote:
> 
> Hi,
> 
> I am facing an issue with strongswan IKEv2 in establishing a connection when
> right=0.0.0.0 is configured.
> 
> My setup is like this:
> 
>                                         [ Initiator_1  ]
> [  Responder  ]                [ 10.63.53.206 ]
> [ 10.63.20.123]
>  
>                                         [  Initiator_2  ]
>                                         [  10.63.53.211 ]
> 
> 
> On the responder side, only a single connection is configured in ipsec.conf:
>         left=10.63.20.123
>         right=0.0.0.0
>         leftsubnet=10.63.20.0/24 
>         rightsubnet=10.63.53.0/24
> 
> 
> Both initiators will send icmp requests to responder, and responder
> should send reply back.
> 
> Initially when I start traffic from initiator_1, CHILD_SAs are
> established, and request/reply works fine.
> Now, when I start traffic from initiator_2, new CHILD_SAs are
> established, and request/reply works for initiator_2;
> but responder stops sending replies for initiator_1.
> i.e. at a time the responder is sending a reply to only one initiator.
> 
> I am sharing the ipsec.conf files used on all three nodes.
> Could you please help to check whether any parameter needs to be changed.
> Or, is this kind of configuration not supported?
> 
> ipsec.conf files:
> =================
> 
> Responder:
> ----------
> config setup
>         charonstart=yes
>         plutostart=no
>         uniqueids=no
>         charondebug="knl 0,enc 0,net 0"
> conn %default
>         auto=route
>         keyexchange=ikev2
>         reauth=no
> conn r1~v1
>         rekeymargin=500
>         rekeyfuzz=100%
>         left=10.63.20.123
>         right=0.0.0.0
>         leftsubnet=10.63.20.0/24 
>         rightsubnet=10.63.53.0/24
>         leftprotoport=1
>         rightprotoport=1
>         authby=secret
>         leftid=10.63.20.123
>         rightid=%any
>         ike=aes128-sha1-modp768!
>         esp=3des-md5!
>         type=tunnel
>         ikelifetime=10000s
>         keylife=5000s
>         mobike=no
>         auto=route
>         reauth=no
>         encapdscp=yes
> 
> 
> Initiator_1:
> -----------
> config setup
>         charonstart=yes
>         plutostart=no
>         uniqueids=no
>         charondebug="knl 0,enc 0,net 0"
> conn %default
>         auto=route
>         keyexchange=ikev2
>         reauth=no
> conn r1~v1
>         rekeymargin=500
>         rekeyfuzz=100%
>         left=10.63.53.206
>         right=10.63.20.123
>         leftsubnet=10.63.53.0/24 
>         rightsubnet=10.63.20.0/24 
>         leftprotoport=1
>         rightprotoport=1
>         authby=secret
>         leftid=10.63.53.206
>         rightid=%any
>         ike=aes128-sha1-modp768!
>         esp=3des-md5!
>         type=tunnel
>         ikelifetime=10000s
>         keylife=5000s
>         mobike=no
>         auto=route
>         reauth=no
>         encapdscp=yes
> 
> Initiator_2:
> ------------
> config setup
>         charonstart=yes
>         plutostart=no
>         uniqueids=no
>         charondebug="knl 0,enc 0,net 0"
> conn %default
>         auto=route
>         keyexchange=ikev2
>         reauth=no
> conn r1~v1
>         rekeymargin=500
>         rekeyfuzz=100%
>         left=10.63.53.211
>         right=10.63.20.123
>         leftsubnet=10.63.53.0/24 
>         rightsubnet=10.63.20.0/24
>         leftprotoport=1
>         rightprotoport=1
>         authby=secret
>         leftid=10.63.53.211
>         rightid=%any
>         ike=aes128-sha1-modp768!
>         esp=3des-md5!
>         type=tunnel
>         ikelifetime=10000s
>         keylife=5000s
>         mobike=no
>         auto=route
>         reauth=no
>         encapdscp=yes
> 
> 
> strongswan.conf (same for all 3 nodes)
> ----------------
> charon {
> reuse_ikesa=no
> install_routes=no
> block_threshold=50
> cookie_threshold=100
> }
> 
> Logs:
> =====
> 
> # starter --nofork &
> [1] 24025
> Starting strongSwan 4.3.6 IPsec [starter]...
> [root at CFPU-0(BCNBlr34) /root]
> # 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
> 00[CFG] loading ca certificates from '/etc/ipsec/certs/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/etc/ipsec/certs/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from
> '/etc/ipsec/certs/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from
> '/etc/ipsec/certs/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec/certs/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG]   loaded IKE secret for %any
> 00[DMN] loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc
> stroke kernel-netlink
> 00[JOB] spawning 16 worker threads
> charon (24032) started after 40 ms
> 02[CFG] received stroke: add connection 'r1~v1'
> 02[CFG] added configuration 'r1~v1'
> 08[CFG] rereading secrets
> 08[CFG] loading secrets from '/etc/ipsec.secrets'
> 08[CFG]   loaded IKE secret for %any
> 08[CFG] rereading ca certificates from '/etc/ipsec/certs/ipsec.d/cacerts'
> 08[CFG] rereading ocsp signer certificates from
> '/etc/ipsec/certs/ipsec.d/ocspcerts'
> 08[CFG] rereading aa certificates from '/etc/ipsec/certs/ipsec.d/aacerts'
> 08[CFG] rereading attribute certificates from
> '/etc/ipsec/certs/ipsec.d/acerts'
> 08[CFG] rereading crls from '/etc/ipsec/certs/ipsec.d/crls'
> 09[CFG] received stroke: route 'r1~v1'
> configuration 'r1~v1' routed
> 
> 
> # ip xfrm policy
> 10.63.53.0/24[0] 10.63.20.0/24[0]
>         upspec 1 dev (none) uid 0
>         in  allow index 0x00000558 priority 2758 share any flags 0x00000000
>         tmpl-1:
>           0.0.0.0 10.63.20.123
>                 esp spi 0(0x00000000) reqid 1 tunnel
>                 level required share any algo-mask:E=32, A=32, C=32
>         fpid 0x00000024
>         policy type main
> 10.63.20.0/24[0] 10.63.53.0/24[0]
>         upspec 1 dev (none) uid 0
>         out allow index 0x00000551 priority 2758 share any flags 0x00000000
>         tmpl-1:
>           10.63.20.123 0.0.0.0
>                 esp spi 0(0x00000000) reqid 1 tunnel
>                 level required share any algo-mask:E=32, A=32, C=32
>         fpid 0x00000023
>         policy type main
> 
> # ip xfrm state
> # echo "starting traffic from initiator_1"
> starting traffic from initiator_1
> # 13[IKE] 10.63.53.206 is initiating an IKE_SA
> 14[CFG] looking for peer configs matching
> 10.63.20.123[(vr*)%any]...10.63.53.206[(vr*)10.63.53.206]
> 14[CFG] selected peer config 'r1~v1'
> 14[IKE] authentication of '(vr*)10.63.53.206' with pre-shared key successful
> 14[IKE] authentication of '(vr*)10.63.20.123' (myself) with pre-shared key
> 14[IKE] IKE_SA r1~v1[1] established between
> 10.63.20.123[(vr*)10.63.20.123]...10.63.53.206[(vr*)10.63.53.206]
> 14[IKE] scheduling rekeying in 9026s
> 14[IKE] maximum IKE_SA lifetime 9526s
> 14[IKE] CHILD_SA r1~v1{2} established with SPIs c82689f5_i ccf52265_o
> and TS 10.63.20.0/24[icmp] === 10.63.53.0/24[icmp]
> 
> # ip xfrm policy
> 10.63.53.0/24[0] 10.63.20.0/24[0]
>         upspec 1 dev (none) uid 0
>         in  allow index 0x00000558 priority 1758 share any flags 0x00000000
>         tmpl-1:
>           10.63.53.206 10.63.20.123
>                 esp spi 0(0x00000000) reqid 2 tunnel
>                 level required share any algo-mask:E=32, A=32, C=32
>         fpid 0x00000024
>         policy type main
> 10.63.20.0/24[0] 10.63.53.0/24[0]
>         upspec 1 dev (none) uid 0
>         out allow index 0x00000551 priority 1758 share any flags 0x00000000
>         tmpl-1:
>           10.63.20.123 10.63.53.206
>                 esp spi 0(0x00000000) reqid 2 tunnel
>                 level required share any algo-mask:E=32, A=32, C=32
>         fpid 0x00000023
>         policy type main
> 
> # ip xfrm state
> 10.63.20.123 10.63.53.206
>         esp spi 3438617189(0xccf52265) reqid 2 tunnel
>         A:hmac(md5) 5e7978f 567189b ef99bdc f6574fa
>         auth-trunc-len: 96
>         E:cbc(des3_ede) 378b326 f1211d12 a991dab d94ed64f b6f5a1b3 66fde6a5
>         fpid 0x000001a4
>         fp_output_blade 1
> 10.63.53.206 10.63.20.123
>         esp spi 3357968885(0xc82689f5) reqid 2 tunnel
>         A:hmac(md5) a793651a b1f11537 e8a634d6 71346779
>         auth-trunc-len: 96
>         E:cbc(des3_ede) 42dd3aa d3d38d32 a34ba5cb b6fc5e7e 93695117 e9ffdd7
>         fpid 0x000001a3
>         fp_output_blade 1
> 
> # tcpdump -nni eth0 host 10.63.53.206 -c 5
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:37:04.298926 IP 10.63.53.206 > 10.63.20.123: ESP(spi=0xc82689f5,seq=0x2a)
> 09:37:04.298926 IP 10.63.53.206 > 10.63.20.123: icmp 64: echo request seq 43
> 09:37:04.299128 IP 10.63.20.123 > 10.63.53.206: ESP(spi=0xccf52265,seq=0x22)
> 09:37:06.298861 IP 10.63.53.206 > 10.63.20.123: ESP(spi=0xc82689f5,seq=0x2c)
> 
> 
> # echo "starting traffic from initiator_2"
> starting traffic from initiator_2
> # 01[IKE] 10.63.53.211 is initiating an IKE_SA
> 07[CFG] looking for peer configs matching
> 10.63.20.123[(vr*)%any]...10.63.53.211[(vr*)10.63.53.211]
> 07[CFG] selected peer config 'r1~v1'
> 07[IKE] authentication of '(vr*)10.63.53.211' with pre-shared key successful
> 07[IKE] authentication of '(vr*)10.63.20.123' (myself) with pre-shared key
> 07[IKE] IKE_SA r1~v1[2] established between
> 10.63.20.123[(vr*)10.63.20.123]...10.63.53.211[(vr*)10.63.53.211]
> 07[IKE] scheduling rekeying in 9171s
> 07[IKE] maximum IKE_SA lifetime 9671s
> 07[IKE] CHILD_SA r1~v1{3} established with SPIs c88a872f_i c8860ce1_o
> and TS 10.63.20.0/24[icmp] === 10.63.53.0/24[icmp]
> 
> 
> # ip xfrm policy
> 10.63.53.0/24[0] 10.63.20.0/24[0]
>         upspec 1 dev (none) uid 0
>         in  allow index 0x00000558 priority 1758 share any flags 0x00000000
>         tmpl-1:
>           10.63.53.211 10.63.20.123
>                 esp spi 0(0x00000000) reqid 3 tunnel
>                 level required share any algo-mask:E=32, A=32, C=32
>         fpid 0x00000024
>         policy type main
> 10.63.20.0/24[0] 10.63.53.0/24[0]
>         upspec 1 dev (none) uid 0
>         out allow index 0x00000551 priority 1758 share any flags 0x00000000
>         tmpl-1:
>           10.63.20.123 10.63.53.211
>                 esp spi 0(0x00000000) reqid 3 tunnel
>                 level required share any algo-mask:E=32, A=32, C=32
>         fpid 0x00000023
>         policy type main
> 
> # ip xfrm state
> 10.63.20.123 10.63.53.211
>         esp spi 3364228321(0xc8860ce1) reqid 3 tunnel
>         A:hmac(md5) 09afd5c d4c77bba 39f8385a c78e71b7
>         auth-trunc-len: 96
>         E:cbc(des3_ede) b2416051 52e2413c 38b4d739 f5f65dc2 f3cdfdb 30187da4
>         fpid 0x000001a6
>         fp_output_blade 1
> 10.63.53.211 10.63.20.123
>         esp spi 3364521775(0xc88a872f) reqid 3 tunnel
>         A:hmac(md5) 5c54462 7afdd45a 945c9f1d 5d98f9b0
>         auth-trunc-len: 96
>         E:cbc(des3_ede) d0577f 9a15bc9a 4ae3f0a5 b159a334 761f3e17 53826c4
>         fpid 0x000001a5
>         fp_output_blade 1
> 10.63.20.123 10.63.53.206
>         esp spi 3438617189(0xccf52265) reqid 2 tunnel
>         A:hmac(md5) 5e7978f 567189b ef99bdc f6574fa
>         auth-trunc-len: 96
>         E:cbc(des3_ede) 378b326 f1211d12 a991dab d94ed64f b6f5a1b3 66fde6a5
>         fpid 0x000001a4
>         fp_output_blade 1
> 10.63.53.206 10.63.20.123
>         esp spi 3357968885(0xc82689f5) reqid 2 tunnel
>         A:hmac(md5) a793651a b1f11537 e8a634d6 71346779
>         auth-trunc-len: 96
>         E:cbc(des3_ede) 42dd3aa d3d38d32 a34ba5cb b6fc5e7e 93695117 e9ffdd7
>         fpid 0x000001a3
>         fp_output_blade 1
> 
> # tcpdump -nni eth0 host 10.63.53.206 -c 5
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:37:53.302254 IP 10.63.53.206 > 10.63.20.123: ESP(spi=0xc82689f5,seq=0x5b)
> 09:37:53.302254 IP 10.63.53.206 > 10.63.20.123: icmp 64: echo request seq 92
> 09:37:54.302243 IP 10.63.53.206 > 10.63.20.123: ESP(spi=0xc82689f5,seq=0x5c)
> 09:37:54.302243 IP 10.63.53.206 > 10.63.20.123: icmp 64: echo request seq 93
> 
> # tcpdump -nni eth0 host 10.63.53.211 -c 5
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:38:12.843102 IP 10.63.53.211 > 10.63.20.123: ESP(spi=0xc88a872f,seq=0x28)
> 09:38:12.843102 IP 10.63.53.211 > 10.63.20.123: icmp 64: echo request seq 41
> 09:38:12.843327 IP 10.63.20.123 > 10.63.53.211: ESP(spi=0xc8860ce1,seq=0x20)
> 09:38:13.843095 IP 10.63.53.211 > 10.63.20.123: ESP(spi=0xc88a872f,seq=0x29)
> #

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
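As an added illustration of the narrowing argument in the reply above (example code written for this page, not from the thread or from strongSwan), the script below parses constructed ipsec.conf fragments that mirror the three nodes, derives each initiator's proposed traffic selector (the configured leftsubnet, or its own address as /32 when omitted), models the responder's IKEv2 narrowing as a prefix intersection, and flags initiators whose narrowed selectors overlap, which is exactly the ambiguity that makes the responder's xfrm policy point at only one peer. The parser and the `narrow` function are simplifications assumed for the demonstration, not strongSwan's own logic.

```python
import ipaddress

# Constructed ipsec.conf fragments carrying only the selector-relevant keys from the thread.
RESPONDER = "conn r1~v1\n        right=0.0.0.0\n        rightsubnet=10.63.53.0/24\n"
# The thread's initiators: both claim leftsubnet=10.63.53.0/24 (the ambiguous setup).
BROKEN = "conn r1~v1\n        left={host}\n        leftsubnet=10.63.53.0/24\n        rightsubnet=10.63.20.0/24\n"
# The suggested fix: leftsubnet omitted, so each initiator proposes its own address as /32.
FIXED = "conn r1~v1\n        left={host}\n        rightsubnet=10.63.20.0/24\n"
HOSTS = {"initiator_1": "10.63.53.206", "initiator_2": "10.63.53.211"}

def parse_conn(text):
    """Minimal parser for one 'conn' block: indented key=value lines become a dict."""
    conn = {}
    for line in text.splitlines():
        if line[:1].isspace() and "=" in line:
            key, _, val = line.strip().partition("=")
            conn[key.strip()] = val.strip()
    return conn

def effective_ts(conn, side):
    """Traffic selector for one side: the configured subnet, or the host itself as /32 when omitted."""
    subnet = conn.get(side + "subnet")
    return ipaddress.ip_network(subnet or conn[side] + "/32", strict=False)

def narrow(responder_ts, proposed_ts):
    """IKEv2 narrowing modelled as prefix intersection: the more specific of two overlapping prefixes."""
    if not responder_ts.overlaps(proposed_ts):
        return None  # nothing in common: the CHILD_SA would not be established
    return proposed_ts if proposed_ts.prefixlen >= responder_ts.prefixlen else responder_ts

def check_responder(template, responder=RESPONDER, hosts=HOSTS):
    """Narrowed remote TS per initiator plus the pairs whose TS overlap (ambiguous routing)."""
    remote = effective_ts(parse_conn(responder), "right")
    selected = {}
    for name, host in hosts.items():
        ts = narrow(remote, effective_ts(parse_conn(template.format(host=host)), "left"))
        if ts is not None:
            selected[name] = str(ts)
    names = list(selected)
    conflicts = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
                 if ipaddress.ip_network(selected[a]).overlaps(ipaddress.ip_network(selected[b]))]
    return selected, conflicts

if __name__ == "__main__":
    for label, template in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, *check_responder(template))
```

With the thread's configuration both initiators narrow to 10.63.53.0/24 and are reported as a conflict; with leftsubnet omitted they narrow to 10.63.53.206/32 and 10.63.53.211/32 and the responder can install one unambiguous policy per peer.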
