[strongSwan] How to allow several connections for each user simultaneously?

Noel Kuntze noel at familie-kuntze.de
Sun Jan 25 15:06:26 CET 2015



Hello Dongsheng,

You have "rightsubnet=10.1.1.0/24" set in conn default, which makes
the TS be "0.0.0.0/0 == 10.1.1.0/24". As you cannot have multiple policies
with the same TS, it is obvious why it doesn't work. I figure your goal was
to allow clients to reach each other, as well as all hosts, but that is
already achieved with "leftsubnet=0.0.0.0/0". Omit rightsubnet completely
to make the TS be "0.0.0.0/0 == IPGivenToTheClient/32". That will make it
work. You do not need to set rightsubnet manually here. strongSwan
automatically sets the rightsubnet to be the one IP that was given to the client.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 25.01.2015 um 04:07 schrieb Dongsheng Song:
> Hi,
>
> I use strongswan 5.2.1, and it only allows one connection per user
> simultaneously. I had set 'uniqueids' to 'never', but no luck. Here is
> my configuration:
>
>
> $ cat /etc/ipsec.conf
> config setup
>     uniqueids=never
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>
> conn default
>     leftsubnet=0.0.0.0/0
>     leftid=@songdongsheng.info
>     leftcert=ipsecCert.cer
>     leftauth=pubkey
>     rightsourceip=10.1.1.0/24
>     rightsubnet=10.1.1.0/24
>     rightauth=eap-mschapv2
>     rightsendcert=never
>     eap_identity=%any
>     auto=add
>
> $ cat /etc/strongswan.conf
> charon {
>     load_modular = yes
>
>     dns1 = 192.168.30.248
>     dns2 = 8.8.8.8
>
>     plugins {
>         include strongswan.d/charon/*.conf
>         duplicheck.enable = no
>     }
> }
>
> The server log said:
>
> ...
>
> 2015-01-25T11:03:39.466969+08:00 charon: 06[CFG] unable to install
> policy 0.0.0.0/0 === 10.1.1.0/24 out (mark 0/0x00000000) for reqid 29,
> the same policy for reqid 28 exists
> 2015-01-25T11:03:39.466978+08:00 charon: 06[CFG] unable to install
> policy 10.1.1.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 29,
> the same policy for reqid 28 exists
> 2015-01-25T11:03:39.466982+08:00 charon: 06[CFG] unable to install
> policy 10.1.1.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 29,
> the same policy for reqid 28 exists
> 2015-01-25T11:03:39.466989+08:00 charon: 06[CFG] unable to install
> policy 0.0.0.0/0 === 10.1.1.0/24 out (mark 0/0x00000000) for reqid 29,
> the same policy for reqid 28 exists
> 2015-01-25T11:03:39.467001+08:00 charon: 06[CFG] unable to install
> policy 10.1.1.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 29,
> the same policy for reqid 28 exists
> 2015-01-25T11:03:39.467004+08:00 charon: 06[CFG] unable to install
> policy 10.1.1.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 29,
> the same policy for reqid 28 exists
> 2015-01-25T11:03:39.467011+08:00 charon: 06[IKE] unable to install
> IPsec policies (SPD) in kernel
> 2015-01-25T11:03:39.467029+08:00 charon: 06[IKE] failed to establish
> CHILD_SA, keeping IKE_SA
> 2015-01-25T11:03:39.467052+08:00 charon: 06[KNL] deleting policy
> 0.0.0.0/0 === 10.1.1.0/24 out failed, not found
> 2015-01-25T11:03:39.467061+08:00 charon: 06[KNL] deleting policy
> 10.1.1.0/24 === 0.0.0.0/0 in failed, not found
> 2015-01-25T11:03:39.467063+08:00 charon: 06[KNL] deleting policy
> 10.1.1.0/24 === 0.0.0.0/0 fwd failed, not found
> 2015-01-25T11:03:39.467066+08:00 charon: 06[KNL] deleting policy
> 0.0.0.0/0 === 10.1.1.0/24 out failed, not found
> 2015-01-25T11:03:39.467080+08:00 charon: 06[KNL] deleting policy
> 10.1.1.0/24 === 0.0.0.0/0 in failed, not found
> 2015-01-25T11:03:39.467084+08:00 charon: 06[KNL] deleting policy
> 10.1.1.0/24 === 0.0.0.0/0 fwd failed, not found
> 2015-01-25T11:03:39.467122+08:00 charon: 06[ENC] generating IKE_AUTH
> response 5 [ AUTH CPRP(ADDR DNS DNS) N(AUTH_LFT) N(MOBIKE_SUP)
> N(ADD_4_ADDR) N(TS_UNACCEPT) ]
> ...
>
> Thanks,
> Dongsheng

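As an added illustration of the point in the reply above (example code written for this page, not part of the thread or of strongSwan itself): a small Python script that parses a minimal ipsec.conf, applies `conn %default` inheritance, and derives the traffic selector the responder would end up with for each road-warrior client. With `rightsubnet` set to the whole pool, every client's CHILD_SA requests the same TS, so the simulated SPD rejects the second client's policies just as the log lines in the quoted message show; with `rightsubnet` omitted, the remote TS becomes the assigned virtual IP as a /32 and every client gets distinct policies. The two configs, the client addresses and the SPD model are constructed for the example, and the narrowing rule (remote TS = assigned IP/32 when rightsubnet is unset) is taken from the reply, not from reading charon's source.

```python
"""Added example (not from the original thread or strongSwan): show why a fixed
rightsubnet on a road-warrior conn produces identical IPsec policies per client."""
import ipaddress
import re

# Constructed sample: the essential parts of the config from the thread.
IPSEC_CONF_BROKEN = """\
config setup
    uniqueids=never

conn %default
    keyexchange=ikev2

conn default
    leftsubnet=0.0.0.0/0
    rightsourceip=10.1.1.0/24
    rightsubnet=10.1.1.0/24
    auto=add
"""

# Same config with rightsubnet omitted, as the reply recommends.
IPSEC_CONF_FIXED = IPSEC_CONF_BROKEN.replace("    rightsubnet=10.1.1.0/24\n", "")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' settings inherited."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if m:
            current = (m.group(1), m.group(2))
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # ignore stray lines outside a section
        key, value = (s.strip() for s in line.split("=", 1))
        sections[current][key] = value
    default = sections.get(("conn", "%default"), {})
    conns = {}
    for (kind, name), values in sections.items():
        if kind == "conn" and name != "%default":
            merged = dict(default)   # %default values first ...
            merged.update(values)    # ... overridden by the conn's own settings
            conns[name] = merged
    return conns


def traffic_selectors(conn, client_ip):
    """(local, remote) TS pair the responder narrows to for one client.

    A configured rightsubnet is proposed for every client; without it the
    remote TS is the virtual IP handed to that client as a /32 (per the reply)."""
    local = conn.get("leftsubnet", "0.0.0.0/0")
    remote = conn.get("rightsubnet") or f"{client_ip}/32"
    return (str(ipaddress.ip_network(local, strict=False)),
            str(ipaddress.ip_network(remote, strict=False)))


def simulate_policies(conns, conn_name, client_ips):
    """Model the kernel SPD: one out/in/fwd policy per client, duplicates rejected.

    Returns (installed {(src, dst, dir): reqid}, list of rejection messages)."""
    spd = {}
    rejected = []
    for reqid, ip in enumerate(client_ips, start=1):
        local, remote = traffic_selectors(conns[conn_name], ip)
        for src, dst, direction in ((local, remote, "out"),
                                    (remote, local, "in"),
                                    (remote, local, "fwd")):
            key = (src, dst, direction)
            if key in spd:
                rejected.append(f"unable to install policy {src} === {dst} {direction} "
                                f"for reqid {reqid}, the same policy for reqid {spd[key]} exists")
            else:
                spd[key] = reqid
    return spd, rejected


def check_rightsubnet_vs_pool(conn):
    """Flag a static rightsubnet on a conn that also hands out addresses from a pool."""
    if "rightsourceip" not in conn or "rightsubnet" not in conn:
        return None
    try:
        pool = ipaddress.ip_network(conn["rightsourceip"], strict=False)
        subnet = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    except ValueError:
        return None  # named pool, %dhcp or a range: not checked by this simple rule
    if subnet.overlaps(pool):
        return (f"rightsubnet={subnet} overlaps rightsourceip={pool}: every client "
                f"gets the same TS, so only one CHILD_SA can install; drop rightsubnet")
    return None


if __name__ == "__main__":
    for label, text in (("broken", IPSEC_CONF_BROKEN), ("fixed", IPSEC_CONF_FIXED)):
        conns = parse_ipsec_conf(text)
        print(f"[{label}] check: {check_rightsubnet_vs_pool(conns['default'])}")
        spd, rejected = simulate_policies(conns, "default", ["10.1.1.1", "10.1.1.2"])
        print(f"[{label}] installed {len(spd)} policies, rejected {len(rejected)}")
        for msg in rejected:
            print("   ", msg)
```

The check only inspects conns that combine `rightsourceip` with a CIDR `rightsubnet`; named pools and `%dhcp` are skipped rather than guessed at. The `uniqueids=never` and `duplicheck.enable = no` settings from the question do not enter the model because, as the reply explains, they are unrelated to the duplicate-SPD failure.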
