[strongSwan] Issue seen in Tunnel establishment when there is no protect policy at one end
deepak vashisht
vashisht.deepak08 at gmail.com
Sat Jan 4 11:47:46 CET 2014
Hi Team,
Linux strongSwan U4.5.3/K2.6.32.60-2-fblfs130450-ci1-fct
Issue:
Tunnel is getting established with a "ByPass/PassThrough" policy on one
end and a "Protect" policy on the other.

Local End: Device A
Bypass/PassThrough policy: configured with local IP (20.20.20.141) to
any (0.0.0.0)
/etc/ipsec.conf:

  config setup
      plutostart=yes
      plutodebug=none
      nat_traversal=yes
      uniqueids=no
      charonstart=yes
      charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"

  conn %default
      leftcert=/etc/ipsec.d/certs/btsCert.pem
      auto=start
      pfs=no
      keyingtries=%forever
      mobike=no

  conn conn11
      type=passthrough
      leftsubnet=20.20.20.141/32
      rightsubnet=0.0.0.0/0
ipsec status:

  Connections:
        conn11:  %any...%any
        conn11:   local:  [CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks] uses public key authentication
        conn11:   cert:   "CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks"
        conn11:   remote: [%any] uses any authentication
        conn11:   child:  20.20.20.141/32 === 0.0.0.0/0 PASS
  Security Associations (1 up, 0 connecting):
        conn11[2]: ESTABLISHED 5 minutes ago, 20.20.20.141[CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks]...20.20.20.142[CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks]
        conn11[2]: IKE SPIs: 9dcf651b52418115_i 8ca0aedc28cc36db_r*, public key reauthentication in 2 hours
        conn11[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        conn11{1}:  INSTALLED, TUNNEL, ESP SPIs: c9508643_i c1500df6_o
        conn11{1}:  AES_CBC_128/HMAC_SHA1_96, 38136 bytes_i (1s ago), 38136 bytes_o (1s ago), rekeying in 45 minutes
        conn11{1}:   20.20.20.141/32 === 20.20.20.142/32
Remote End: Device B
Protect policy: local IP to remote IP

/etc/ipsec.conf:
  config setup
      plutostart=yes
      plutodebug=none
      nat_traversal=yes
      uniqueids=no
      charonstart=yes
      charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"

  conn %default
      leftcert=/etc/ipsec.d/certs/btsCert.pem
      auto=start
      pfs=no
      keyingtries=%forever
      mobike=no

  conn conn11
      type=tunnel
      leftsubnet=20.20.20.142/32
      rightsubnet=0.0.0.0/0
      left=20.20.20.142
      right=20.20.20.141
      keyexchange=ikev2
      reauth=no
      ike=aes128-sha1-modp1024,3des-sha1-modp1024!
      ikelifetime=84437s
      esp=aes128-sha1,3des-sha1!
      authby=pubkey
      rightid=%any
      keylife=86400s
      dpdaction=restart
      dpddelay=10
      dpdtimeout=120
      rekeyfuzz=50%
      rekeymargin=180s
ipsec status:

  Connections:
        conn11:  20.20.20.142...20.20.20.141, dpddelay=10s
        conn11:   local:  [CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks] uses public key authentication
        conn11:   cert:   "CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks"
        conn11:   remote: [%any] uses any authentication
        conn11:   child:  20.20.20.142/32 === 0.0.0.0/0 TUNNEL, dpdaction=restart
  Security Associations (1 up, 0 connecting):
        conn11[2]: ESTABLISHED 5 minutes ago, 20.20.20.142[CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks]...20.20.20.141[CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks]
        conn11[2]: IKE SPIs: 9dcf651b52418115_i* 8ca0aedc28cc36db_r, rekeying in 23 hours, public key reauthentication in 2 hours
        conn11[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        conn11{2}:  INSTALLED, TUNNEL, ESP SPIs: c1500df6_i c9508643_o
        conn11{2}:  AES_CBC_128/HMAC_SHA1_96, 40236 bytes_i (14s ago), 40236 bytes_o (13s ago), rekeying in 23 hours
        conn11{2}:   20.20.20.142/32 === 20.20.20.141/32
The only issue is why the tunnel is getting established when we have a bypass
policy at one end and a protect policy at the other end.
Please let me know if any other information is required.
Thanks & Regards,
Deepak Vashisht
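A check a practitioner would want after seeing status output like the two above: parse `ipsec status` and flag any conn whose configured child policy is PASS (or DROP) but which nonetheless has an ESP CHILD_SA INSTALLED, and any CHILD_SA whose traffic selectors fall outside the configured policy. This is an added example in Python, not strongSwan code and not from the post; the embedded status text is constructed from, and abridges, the two outputs above (identities shortened to `CN=example`), and the regular expressions assume the strongSwan 4.5.x `ipsec status` line layout shown there. `ipaddress.ip_network.subnet_of` needs Python 3.7 or later.

```python
"""Flag conns whose PASS/DROP child policy is shadowed by an installed ESP SA.

Added example, not strongSwan code.  Line formats are modelled on the
strongSwan 4.5.x "ipsec status" output quoted in the post.
"""
import ipaddress
import re

# Constructed sample, abridged from Device A's output in the post.
STATUS_A = """\
Connections:
      conn11:  %any...%any
      conn11:   local:  [CN=example] uses public key authentication
      conn11:   remote: [%any] uses any authentication
      conn11:   child:  20.20.20.141/32 === 0.0.0.0/0 PASS
Security Associations (1 up, 0 connecting):
      conn11[2]: ESTABLISHED 5 minutes ago, 20.20.20.141[CN=example]...20.20.20.142[CN=example]
      conn11[2]: IKE SPIs: 9dcf651b52418115_i 8ca0aedc28cc36db_r*, public key reauthentication in 2 hours
      conn11{1}:  INSTALLED, TUNNEL, ESP SPIs: c9508643_i c1500df6_o
      conn11{1}:  AES_CBC_128/HMAC_SHA1_96, 38136 bytes_i (1s ago), 38136 bytes_o (1s ago), rekeying in 45 minutes
      conn11{1}:   20.20.20.141/32 === 20.20.20.142/32
"""

# Constructed sample, abridged from Device B's output in the post.
STATUS_B = """\
Connections:
      conn11:  20.20.20.142...20.20.20.141, dpddelay=10s
      conn11:   local:  [CN=example] uses public key authentication
      conn11:   remote: [%any] uses any authentication
      conn11:   child:  20.20.20.142/32 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      conn11[2]: ESTABLISHED 5 minutes ago, 20.20.20.142[CN=example]...20.20.20.141[CN=example]
      conn11[2]: IKE SPIs: 9dcf651b52418115_i* 8ca0aedc28cc36db_r, rekeying in 23 hours
      conn11{2}:  INSTALLED, TUNNEL, ESP SPIs: c1500df6_i c9508643_o
      conn11{2}:  AES_CBC_128/HMAC_SHA1_96, 40236 bytes_i (14s ago), 40236 bytes_o (13s ago), rekeying in 23 hours
      conn11{2}:   20.20.20.142/32 === 20.20.20.141/32
"""

# "conn11:   child:  L === R MODE[, ...]" (configured child policy)
CHILD_CFG = re.compile(
    r"^\s*(?P<conn>[^\s:{]+):\s+child:\s+(?P<l>\S+) === (?P<r>\S+)\s+"
    r"(?P<mode>PASS|DROP|TUNNEL|TRANSPORT)\b")
# "conn11{1}:  INSTALLED, TUNNEL, ESP SPIs: xxxx_i yyyy_o" (kernel SA)
SA_INSTALLED = re.compile(
    r"^\s*(?P<conn>[^\s:{]+)\{(?P<id>\d+)\}:\s+INSTALLED, (?P<mode>\w+), "
    r"ESP SPIs: (?P<spi_i>[0-9a-f]+)_i (?P<spi_o>[0-9a-f]+)_o")
# "conn11{1}:   L === R" (negotiated traffic selectors of that SA)
SA_TS = re.compile(
    r"^\s*(?P<conn>[^\s:{]+)\{(?P<id>\d+)\}:\s+(?P<l>\S+) === (?P<r>\S+)\s*$")


def parse_status(text):
    """Return {conn: {"policy": (l, r, mode) | None, "sas": {id: {...}}}}."""
    conns = {}
    for line in text.splitlines():
        m = CHILD_CFG.match(line)
        if m:
            c = conns.setdefault(m["conn"], {"policy": None, "sas": {}})
            c["policy"] = (m["l"], m["r"], m["mode"])
            continue
        m = SA_INSTALLED.match(line)
        if m:
            c = conns.setdefault(m["conn"], {"policy": None, "sas": {}})
            c["sas"][m["id"]] = {"mode": m["mode"], "spi_i": m["spi_i"],
                                  "spi_o": m["spi_o"], "ts": None}
            continue
        m = SA_TS.match(line)
        if m and m["conn"] in conns and m["id"] in conns[m["conn"]]["sas"]:
            conns[m["conn"]]["sas"][m["id"]]["ts"] = (m["l"], m["r"])
    return conns


def _within(ts, policy):
    """True if each negotiated selector lies inside the configured subnet."""
    return all(ipaddress.ip_network(a).subnet_of(ipaddress.ip_network(b))
               for a, b in zip(ts, policy))


def findings(text):
    """List human-readable inconsistencies between policy and installed SAs."""
    out = []
    for name, c in parse_status(text).items():
        for sid, sa in sorted(c["sas"].items()):
            if c["policy"] is None:
                out.append(f"{name}{{{sid}}}: INSTALLED but no child policy found")
                continue
            l, r, mode = c["policy"]
            if mode in ("PASS", "DROP"):
                out.append(f"{name}{{{sid}}}: policy is {mode} for {l} === {r} but an "
                           f"ESP CHILD_SA is INSTALLED in {sa['mode']} mode "
                           f"(SPIs {sa['spi_i']}_i {sa['spi_o']}_o)")
            if sa["ts"] and not _within(sa["ts"], (l, r)):
                out.append(f"{name}{{{sid}}}: SA selectors {sa['ts'][0]} === "
                           f"{sa['ts'][1]} fall outside policy {l} === {r}")
    return out


if __name__ == "__main__":
    for label, status in (("Device A", STATUS_A), ("Device B", STATUS_B)):
        print(label)
        for f in findings(status) or ["no findings"]:
            print("  " + f)
```

Run it against `ipsec status` captured from each peer (replace the constructed `STATUS_*` strings, or read stdin). On the Device A sample it reports the PASS policy being shadowed by the installed TUNNEL SA; on Device B, where policy and SA agree, it reports nothing. The selector check is there so that a tunnel negotiating a narrower or different selector than the configured `leftsubnet`/`rightsubnet` is also noticed.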