[strongSwan] host to subnet support

Michael C. Cambria mcc at fid4.com
Thu Oct 9 22:16:48 CEST 2014


Thanks for the help.  I finally had access to the systems in question.

Using 0.0.0.0/0 didn't work.  I tried using the IP address of the client 
interface, specifically "rightsubnet=192.168.56.2/32" instead.  That did 
work.  I might not always know that IP address though.

Thanks,
Michael

On 09/27/2014 09:34 AM, Noel Kuntze wrote:
>
> Hello Michael,
>
> the rightsubnet / leftsubnet settings default to the value of "right" or "left", if omitted.
> If "right" or "left" and the corresponding subnet setting is set to %any or omitted,
> charon takes the value of the layer three packet and takes it as configured value of left/rightsubnet.
> The value that is in the IKE packet differs from that, if NAT is used.
> That's the reason for it failing. The solution is to set left/rightsubnet to 0.0.0.0/0 and trust the client in what it does.
> Currently, strongSwan has no functionality to propose 0.0.0.0/0, but only accept a /32 subnet from a client.
>
> Kind regards/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 26.09.2014 at 00:16, Michael C. Cambria wrote:
>> Hi,
>>
>> I've been able to successfully set up subnet to subnet connections using IKEv2 and a self signed cert.  StrongSwan is used at both ends.
>>
>> Using the same systems, I'm having some problems getting host-to-subnet to work in certain cases.  Host-to-subnet is the desired configuration.
>>
>> Here is the host to host config which works:
>>
>> conn clinetnet
>>          left=%defaultroute
>>          lefthostaccess=yes
>>          leftsubnet=192.168.1.0/24
>>          leftfirewall=yes
>>          right=132.197.247.50
>>          rightsubnet=172.16.0.0/16
>>          auto=route
>>
>> conn srvnetnet
>>          left=132.197.247.50
>>          leftsubnet=172.16.0.0/16
>>          leftfirewall=yes
>>          right=%any
>>          rightsubnet=192.168.1.0/24
>>          righthostaccess=yes
>>          auto=route
>>
>>
>> I thought all I need to do is remove leftsubnet= from the "client" ipsec.conf and rightsubnet= from the "server", but that works in one case and fails in another.
>>
>> So I'd like to know if host-to-subnet is supposed to be configured this way or not before digging any further.  If it should work, it seems the failing case uses NAT in the path between the two machines.  NAT works for the subnet-to-subnet configuration.  The failure only happens with the host-to-subnet config.
>>
>> In the failing case, the client receives:
>>
>> received TS_UNACCEPTABLE notify, no CHILD_SA built
>>
>> The server log shows (10.1.2.180 is the IPv4 address of the client):
>>
>> charon: 13[CFG] looking for a child config for 172.16.0.0/16 === 10.1.2.180/32
>> charon: 09[CFG] proposing traffic selectors for us:
>> charon: 09[CFG]  172.16.0.0/16
>> charon: 09[CFG] proposing traffic selectors for other:
>> charon: 09[CFG]  <IPv4 address of NAT device>/32
>> charon: 09[IKE] traffic selectors 172.16.0.0/16 === 10.1.2.180/32 inacceptable
>> charon: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
>>
>>
>> In the working case, NAT isn't involved.  The working case server log shows:
>>
>> charon: 13[CFG] looking for a child config for 172.16.0.0/16 === 10.1.2.180/32
>> charon: 13[CFG] proposing traffic selectors for us:
>> charon: 13[CFG]  172.16.0.0/16
>> charon: 13[CFG] proposing traffic selectors for other:
>> charon: 13[CFG]  10.1.2.180/32
>> charon: 13[CFG]   candidate "srvnetnet" with prio 5+5
>> charon: 13[CFG] found matching child config "srvnetnet" with prio 10
>>
>> Should this work?  Is there more I need to configure?
>>
>> Thanks for any help,
>> MikeC
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
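An added model of the traffic-selector matching Noel describes, run over the addresses from the logs in this thread; it is illustration code, not strongSwan's own, the NAT device's public address is a constructed placeholder (the original log redacted it), and the 0.0.0.0/0 case shows only what the narrowing rule alone yields, not Michael's report that it failed in his setup.

```python
# Model of IKEv2 traffic-selector (TS) matching as described in the thread:
# the responder intersects its configured left/rightsubnet with what the
# initiator proposes; no overlap yields TS_UNACCEPTABLE. Added illustration,
# not charon's code; narrowing is simplified to whole CIDR blocks.
import ipaddress

# Values taken from the thread; the NAT device's public address is a
# constructed placeholder because the original log redacted it.
CLIENT_INNER = "10.1.2.180"      # client's own interface address
NAT_PUBLIC = "203.0.113.7"       # placeholder for <IPv4 address of NAT device>
SERVER_SUBNET = "172.16.0.0/16"  # leftsubnet on the server

def narrow(configured, proposed):
    """Narrower of two CIDR selectors if one contains the other, else None."""
    c = ipaddress.ip_network(configured, strict=False)
    p = ipaddress.ip_network(proposed, strict=False)
    if c.version != p.version:
        return None
    if p.subnet_of(c):
        return str(p)
    if c.subnet_of(p):
        return str(c)
    return None

def responder_child_sa(leftsubnet, rightsubnet, ike_peer, ts_i, ts_r):
    """Emulate the server's child-config lookup for one client proposal.
    rightsubnet=None models the omitted setting: charon then uses the IKE
    peer address, which behind NAT is the NAT device, not the client."""
    effective_right = rightsubnet or f"{ike_peer}/32"
    ours = narrow(leftsubnet, ts_r)
    theirs = narrow(effective_right, ts_i)
    status = "CHILD_SA" if ours and theirs else "TS_UNACCEPTABLE"
    return {"status": status, "us": ours, "other": theirs,
            "configured_other": effective_right}

# The client always proposes its real inner address and the server's net.
TS_I, TS_R = f"{CLIENT_INNER}/32", SERVER_SUBNET

def failing_case():   # NAT in path, rightsubnet omitted -> NAT address
    return responder_child_sa(SERVER_SUBNET, None, NAT_PUBLIC, TS_I, TS_R)

def working_case():   # no NAT: IKE peer address is the client address
    return responder_child_sa(SERVER_SUBNET, None, CLIENT_INNER, TS_I, TS_R)

def explicit_host_case():   # Michael's workaround: rightsubnet=<client>/32
    return responder_child_sa(SERVER_SUBNET, f"{CLIENT_INNER}/32", NAT_PUBLIC, TS_I, TS_R)

def any_subnet_case():   # Noel's 0.0.0.0/0: narrowing rule alone accepts;
    # Michael reports it failing for him, which this model does not capture.
    return responder_child_sa(SERVER_SUBNET, "0.0.0.0/0", NAT_PUBLIC, TS_I, TS_R)
```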


