[strongSwan] right=0.0.0.0 configuration on responder not working, with multiple initiators
Andreas Steffen
andreas.steffen at strongswan.org
Sat Dec 20 16:05:57 CET 2014
Hi Divya,
both Initiator 1 (10.63.53.206) and Initiatior 2 (10.63.53.211) define
the same leftsubnet 10.63.53.0/24. How is this supposed to work.
When both tunnels are up the responder will not be able to decide
if to route IP packets with a destination in 10.63.53.0/24 to
Initiator 1 or Initiator 2. With IPsec the routing must be
unambiguous. Thus just omit the leftsubnet definition on both
Initiator 1 and 2 resulting in leftsubnet=10.63.53.206/32 and
leftsubnet=10.63.53.211/32, respectively. On the responder
you can either keep the rightsubnet=10.63.53.0/24 definition since
an automatic narrowing to the initiator proposal is going to happen
or you could omit the rightsubnet definition altogether.
BTW - auto=route on the responder will not be effective since
the reponder will not know with which host to negotiate a tunnel
with automatically. Better set the mode to auto=add.
Best regards
Andreas
since
On 12/20/2014 10:43 AM, divya mohan wrote:
>
> Hi,
>
> I am facing issue with strongswan IKEv2 in establishing connection, when
> right=0.0.0.0 is configured.
>
> My setup like this:
>
> [ Initiator_1 ]
> [ Responder ] [ 10.63.53.206 ]
> [ 10.63.20.123]
>
> [ Initiator_2 ]
> [ 10.63.53.211 ]
>
>
> On responder side, only single connection is configured in ipsec.conf:
> left=10.63.20.123
> right=0.0.0.0
> leftsubnet=10.63.20.0/24
> rightsubnet=10.63.53.0/24
>
>
> Both initiators will send icmp requests to responder, and responder
> should send reply back.
>
> Initially when I start traffic from initiator_1, CHILD_SAs are
> established, and request/reply works fine.
> Now, when I start traffic from initiator_2, new CHILD_SAs are
> established, and request/reply works for initiator_2;
> but responder stops sending replies for initiator_1.
> i.e at a time responder is sending replay to only one initiator.
>
> I am sharing the ipsec.conf files used on all three nodes.
> Could you please help to check whether any parameter needs to be changed.
> Or, is this kind of configuration not supported?
>
> ipsec.conf files:
> =================
>
> Responder:
> ----------
> config setup
> charonstart=yes
> plutostart=no
> uniqueids=no
> charondebug="knl 0,enc 0,net 0"
> conn %default
> auto=route
> keyexchange=ikev2
> reauth=no
> conn r1~v1
> rekeymargin=500
> rekeyfuzz=100%
> left=10.63.20.123
> right=0.0.0.0
> leftsubnet=10.63.20.0/24
> rightsubnet=10.63.53.0/24
> leftprotoport=1
> rightprotoport=1
> authby=secret
> leftid=10.63.20.123
> rightid=%any
> ike=aes128-sha1-modp768!
> esp=3des-md5!
> type=tunnel
> ikelifetime=10000s
> keylife=5000s
> mobike=no
> auto=route
> reauth=no
> encapdscp=yes
>
>
> Initiator_1:
> -----------
> config setup
> charonstart=yes
> plutostart=no
> uniqueids=no
> charondebug="knl 0,enc 0,net 0"
> conn %default
> auto=route
> keyexchange=ikev2
> reauth=no
> conn r1~v1
> rekeymargin=500
> rekeyfuzz=100%
> left=10.63.53.206
> right=10.63.20.123
> leftsubnet=10.63.53.0/24
> rightsubnet=10.63.20.0/24
> leftprotoport=1
> rightprotoport=1
> authby=secret
> leftid=10.63.53.206
> rightid=%any
> ike=aes128-sha1-modp768!
> esp=3des-md5!
> type=tunnel
> ikelifetime=10000s
> keylife=5000s
> mobike=no
> auto=route
> reauth=no
> encapdscp=yes
>
> Initiator_2:
> ------------
> config setup
> charonstart=yes
> plutostart=no
> uniqueids=no
> charondebug="knl 0,enc 0,net 0"
> conn %default
> auto=route
> keyexchange=ikev2
> reauth=no
> conn r1~v1
> rekeymargin=500
> rekeyfuzz=100%
> left=10.63.53.211
> right=10.63.20.123
> leftsubnet=10.63.53.0/24
> rightsubnet=10.63.20.0/24
> leftprotoport=1
> rightprotoport=1
> authby=secret
> leftid=10.63.53.211
> rightid=%any
> ike=aes128-sha1-modp768!
> esp=3des-md5!
> type=tunnel
> ikelifetime=10000s
> keylife=5000s
> mobike=no
> auto=route
> reauth=no
> encapdscp=yes
>
>
> strongswan.conf (same for all 3 nodes)
> ----------------
> charon {
> reuse_ikesa=no
> install_routes=no
> block_threshold=50
> cookie_threshold=100
> }
>
> Logs:
> =====
>
> # starter --nofork &
> [1] 24025
> Starting strongSwan 4.3.6 IPsec [starter]...
> [root at CFPU-0(BCNBlr34) /root]
> # 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
> 00[CFG] loading ca certificates from '/etc/ipsec/certs/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/etc/ipsec/certs/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from
> '/etc/ipsec/certs/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from
> '/etc/ipsec/certs/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec/certs/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG] loaded IKE secret for %any
> 00[DMN] loaded plugins: openssl random pem x509 pubkey pkcs1 hmac xcbc
> stroke kernel-netlink
> 00[JOB] spawning 16 worker threads
> charon (24032) started after 40 ms
> 02[CFG] received stroke: add connection 'r1~v1'
> 02[CFG] added configuration 'r1~v1'
> 08[CFG] rereading secrets
> 08[CFG] loading secrets from '/etc/ipsec.secrets'
> 08[CFG] loaded IKE secret for %any
> 08[CFG] rereading ca certificates from '/etc/ipsec/certs/ipsec.d/cacerts'
> 08[CFG] rereading ocsp signer certificates from
> '/etc/ipsec/certs/ipsec.d/ocspcerts'
> 08[CFG] rereading aa certificates from '/etc/ipsec/certs/ipsec.d/aacerts'
> 08[CFG] rereading attribute certificates from
> '/etc/ipsec/certs/ipsec.d/acerts'
> 08[CFG] rereading crls from '/etc/ipsec/certs/ipsec.d/crls'
> 09[CFG] received stroke: route 'r1~v1'
> configuration 'r1~v1' routed
>
>
> # ip xfrm policy
> 10.63.53.0/24[0] <http://10.63.53.0/24[0]> 10.63.20.0/24[0]
> <http://10.63.20.0/24[0]>
> upspec 1 dev (none) uid 0
> in allow index 0x00000558 priority 2758 share any flags 0x00000000
> tmpl-1:
> 0.0.0.0 10.63.20.123
> esp spi 0(0x00000000) reqid 1 tunnel
> level required share any algo-mask:E=32, A=32, C=32
> fpid 0x00000024
> policy type main
> 10.63.20.0/24[0] <http://10.63.20.0/24[0]> 10.63.53.0/24[0]
> <http://10.63.53.0/24[0]>
> upspec 1 dev (none) uid 0
> out allow index 0x00000551 priority 2758 share any flags 0x00000000
> tmpl-1:
> 10.63.20.123 0.0.0.0
> esp spi 0(0x00000000) reqid 1 tunnel
> level required share any algo-mask:E=32, A=32, C=32
> fpid 0x00000023
> policy type main
>
> # ip xfrm state
> # echo "starting traffic from initiator_1"
> starting traffic from initiator_1
> # 13[IKE] 10.63.53.206 is initiating an IKE_SA
> 14[CFG] looking for peer configs matching
> 10.63.20.123[(vr*)%any]...10.63.53.206[(vr*)10.63.53.206]
> 14[CFG] selected peer config 'r1~v1'
> 14[IKE] authentication of '(vr*)10.63.53.206' with pre-shared key successful
> 14[IKE] authentication of '(vr*)10.63.20.123' (myself) with pre-shared key
> 14[IKE] IKE_SA r1~v1[1] established between
> 10.63.20.123[(vr*)10.63.20.123]...10.63.53.206[(vr*)10.63.53.206]
> 14[IKE] scheduling rekeying in 9026s
> 14[IKE] maximum IKE_SA lifetime 9526s
> 14[IKE] CHILD_SA r1~v1{2} established with SPIs c82689f5_i ccf52265_o
> and TS 10.63.20.0/24[icmp] <http://10.63.20.0/24[icmp]> ===
> 10.63.53.0/24[icmp] <http://10.63.53.0/24[icmp]>
>
> # ip xfrm policy
> 10.63.53.0/24[0] <http://10.63.53.0/24[0]> 10.63.20.0/24[0]
> <http://10.63.20.0/24[0]>
> upspec 1 dev (none) uid 0
> in allow index 0x00000558 priority 1758 share any flags 0x00000000
> tmpl-1:
> 10.63.53.206 10.63.20.123
> esp spi 0(0x00000000) reqid 2 tunnel
> level required share any algo-mask:E=32, A=32, C=32
> fpid 0x00000024
> policy type main
> 10.63.20.0/24[0] <http://10.63.20.0/24[0]> 10.63.53.0/24[0]
> <http://10.63.53.0/24[0]>
> upspec 1 dev (none) uid 0
> out allow index 0x00000551 priority 1758 share any flags 0x00000000
> tmpl-1:
> 10.63.20.123 10.63.53.206
> esp spi 0(0x00000000) reqid 2 tunnel
> level required share any algo-mask:E=32, A=32, C=32
> fpid 0x00000023
> policy type main
>
> # ip xfrm state
> 10.63.20.123 10.63.53.206
> esp spi 3438617189(0xccf52265) reqid 2 tunnel
> A:hmac(md5) 5e7978f 567189b ef99bdc f6574fa
> auth-trunc-len: 96
> E:cbc(des3_ede) 378b326 f1211d12 a991dab d94ed64f b6f5a1b3 66fde6a5
> fpid 0x000001a4
> fp_output_blade 1
> 10.63.53.206 10.63.20.123
> esp spi 3357968885(0xc82689f5) reqid 2 tunnel
> A:hmac(md5) a793651a b1f11537 e8a634d6 71346779
> auth-trunc-len: 96
> E:cbc(des3_ede) 42dd3aa d3d38d32 a34ba5cb b6fc5e7e 93695117 e9ffdd7
> fpid 0x000001a3
> fp_output_blade 1
>
> # tcpdump -nni eth0 host 10.63.53.206 -c 5
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:37:04.298926 IP 10.63.53.206 > 10.63.20.123 <http://10.63.20.123>:
> ESP(spi=0xc82689f5,seq=0x2a)
> 09:37:04.298926 IP 10.63.53.206 > 10.63.20.123 <http://10.63.20.123>:
> icmp 64: echo request seq 43
> 09:37:04.299128 IP 10.63.20.123 > 10.63.53.206 <http://10.63.53.206>:
> ESP(spi=0xccf52265,seq=0x22)
> 09:37:06.298861 IP 10.63.53.206 > 10.63.20.123 <http://10.63.20.123>:
> ESP(spi=0xc82689f5,seq=0x2c)
>
>
> # echo "starting traffic from initiator_2"
> starting traffic from initiator_2
> # 01[IKE] 10.63.53.211 is initiating an IKE_SA
> 07[CFG] looking for peer configs matching
> 10.63.20.123[(vr*)%any]...10.63.53.211[(vr*)10.63.53.211]
> 07[CFG] selected peer config 'r1~v1'
> 07[IKE] authentication of '(vr*)10.63.53.211' with pre-shared key successful
> 07[IKE] authentication of '(vr*)10.63.20.123' (myself) with pre-shared key
> 07[IKE] IKE_SA r1~v1[2] established between
> 10.63.20.123[(vr*)10.63.20.123]...10.63.53.211[(vr*)10.63.53.211]
> 07[IKE] scheduling rekeying in 9171s
> 07[IKE] maximum IKE_SA lifetime 9671s
> 07[IKE] CHILD_SA r1~v1{3} established with SPIs c88a872f_i c8860ce1_o
> and TS 10.63.20.0/24[icmp] <http://10.63.20.0/24[icmp]> ===
> 10.63.53.0/24[icmp] <http://10.63.53.0/24[icmp]>
>
>
> # ip xfrm policy
> 10.63.53.0/24[0] <http://10.63.53.0/24[0]> 10.63.20.0/24[0]
> <http://10.63.20.0/24[0]>
> upspec 1 dev (none) uid 0
> in allow index 0x00000558 priority 1758 share any flags 0x00000000
> tmpl-1:
> 10.63.53.211 10.63.20.123
> esp spi 0(0x00000000) reqid 3 tunnel
> level required share any algo-mask:E=32, A=32, C=32
> fpid 0x00000024
> policy type main
> 10.63.20.0/24[0] <http://10.63.20.0/24[0]> 10.63.53.0/24[0]
> <http://10.63.53.0/24[0]>
> upspec 1 dev (none) uid 0
> out allow index 0x00000551 priority 1758 share any flags 0x00000000
> tmpl-1:
> 10.63.20.123 10.63.53.211
> esp spi 0(0x00000000) reqid 3 tunnel
> level required share any algo-mask:E=32, A=32, C=32
> fpid 0x00000023
> policy type main
>
> # ip xfrm state
> 10.63.20.123 10.63.53.211
> esp spi 3364228321(0xc8860ce1) reqid 3 tunnel
> A:hmac(md5) 09afd5c d4c77bba 39f8385a c78e71b7
> auth-trunc-len: 96
> E:cbc(des3_ede) b2416051 52e2413c 38b4d739 f5f65dc2 f3cdfdb 30187da4
> fpid 0x000001a6
> fp_output_blade 1
> 10.63.53.211 10.63.20.123
> esp spi 3364521775(0xc88a872f) reqid 3 tunnel
> A:hmac(md5) 5c54462 7afdd45a 945c9f1d 5d98f9b0
> auth-trunc-len: 96
> E:cbc(des3_ede) d0577f 9a15bc9a 4ae3f0a5 b159a334 761f3e17 53826c4
> fpid 0x000001a5
> fp_output_blade 1
> 10.63.20.123 10.63.53.206
> esp spi 3438617189(0xccf52265) reqid 2 tunnel
> A:hmac(md5) 5e7978f 567189b ef99bdc f6574fa
> auth-trunc-len: 96
> E:cbc(des3_ede) 378b326 f1211d12 a991dab d94ed64f b6f5a1b3 66fde6a5
> fpid 0x000001a4
> fp_output_blade 1
> 10.63.53.206 10.63.20.123
> esp spi 3357968885(0xc82689f5) reqid 2 tunnel
> A:hmac(md5) a793651a b1f11537 e8a634d6 71346779
> auth-trunc-len: 96
> E:cbc(des3_ede) 42dd3aa d3d38d32 a34ba5cb b6fc5e7e 93695117 e9ffdd7
> fpid 0x000001a3
> fp_output_blade 1
>
> # tcpdump -nni eth0 host 10.63.53.206 -c 5
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:37:53.302254 IP 10.63.53.206 > 10.63.20.123 <http://10.63.20.123>:
> ESP(spi=0xc82689f5,seq=0x5b)
> 09:37:53.302254 IP 10.63.53.206 > 10.63.20.123 <http://10.63.20.123>:
> icmp 64: echo request seq 92
> 09:37:54.302243 IP 10.63.53.206 > 10.63.20.123 <http://10.63.20.123>:
> ESP(spi=0xc82689f5,seq=0x5c)
> 09:37:54.302243 IP 10.63.53.206 > 10.63.20.123 <http://10.63.20.123>:
> icmp 64: echo request seq 93
>
> # tcpdump -nni eth0 host 10.63.53.211 -c 5
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:38:12.843102 IP 10.63.53.211 > 10.63.20.123 <http://10.63.20.123>:
> ESP(spi=0xc88a872f,seq=0x28)
> 09:38:12.843102 IP 10.63.53.211 > 10.63.20.123 <http://10.63.20.123>:
> icmp 64: echo request seq 41
> 09:38:12.843327 IP 10.63.20.123 > 10.63.53.211 <http://10.63.53.211>:
> ESP(spi=0xc8860ce1,seq=0x20)
> 09:38:13.843095 IP 10.63.53.211 > 10.63.20.123 <http://10.63.20.123>:
> ESP(spi=0xc88a872f,seq=0x29)
> #
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4255 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141220/f4f95325/attachment-0001.bin>
More information about the Users
mailing list