[strongSwan] "unable to install policy" for clients some minutes after the first client has connected

Larsen larsen007 at web.de
Tue Jul 21 10:55:30 CEST 2015


Hello,

as newbies to IPsec we are using IPfire, so most of the configuration is
generated automatically. Clients can log in at first, but the problem is that
after one client has been connected for some time (~30 to 70 minutes), no
further client can connect (error "Invalid payload received"). The initial
client is still connected.

Clients: Windows 7 SP1
Server: strongSwan U5.3.2/K3.14.43-ipfire-pae


# First client connects
Jul 20 21:36:12 ipfire charon: 11[NET] received packet: from 31.19.180.145[500] to y.y.y.y[500] (528 bytes)
Jul 20 21:36:12 ipfire charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 20 21:36:12 ipfire charon: 11[IKE] 31.19.180.145 is initiating an IKE_SA
Jul 20 21:36:12 ipfire charon: 11[IKE] 31.19.180.145 is initiating an IKE_SA
Jul 20 21:36:12 ipfire charon: 11[IKE] remote host is behind NAT
Jul 20 21:36:12 ipfire charon: 11[IKE] sending cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
Jul 20 21:36:12 ipfire charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 20 21:36:12 ipfire charon: 11[NET] sending packet: from y.y.y.y[500] to 31.19.180.145[500] (337 bytes)
Jul 20 21:36:12 ipfire charon: 13[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (2480 bytes)
Jul 20 21:36:12 ipfire charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Jul 20 21:36:12 ipfire charon: 13[IKE] received cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
Jul 20 21:36:12 ipfire charon: 13[IKE] received 47 cert requests for an unknown ca
Jul 20 21:36:12 ipfire charon: 13[IKE] received end entity cert "C=DE, ST=mytown, O=mycompany, CN=alice"
Jul 20 21:36:12 ipfire charon: 13[CFG] looking for peer configs matching y.y.y.y[%any]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
Jul 20 21:36:12 ipfire charon: 13[CFG] selected peer config 'alice'
Jul 20 21:36:12 ipfire charon: 13[CFG]   using trusted ca certificate "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
Jul 20 21:36:12 ipfire charon: 13[CFG] checking certificate status of "C=DE, ST=mytown, O=mycompany, CN=alice"
Jul 20 21:36:12 ipfire charon: 13[CFG] certificate status is not available
Jul 20 21:36:12 ipfire charon: 13[CFG]   reached self-signed root ca with a path length of 0
Jul 20 21:36:12 ipfire charon: 13[CFG]   using trusted certificate "C=DE, ST=mytown, O=mycompany, CN=alice"
Jul 20 21:36:12 ipfire charon: 13[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=alice' with RSA signature successful
Jul 20 21:36:13 ipfire charon: 13[IKE] peer supports MOBIKE
Jul 20 21:36:13 ipfire charon: 13[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=y.y.y.y' (myself) with RSA signature successful
Jul 20 21:36:13 ipfire charon: 13[IKE] IKE_SA alice[10] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
Jul 20 21:36:13 ipfire charon: 13[IKE] IKE_SA alice[10] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
Jul 20 21:36:13 ipfire charon: 13[IKE] sending end entity cert "C=DE, ST=mytown, O=mycompany, CN=y.y.y.y"
Jul 20 21:36:13 ipfire charon: 13[IKE] peer requested virtual IP %any
Jul 20 21:36:13 ipfire charon: 13[CFG] reassigning offline lease to 'C=DE, ST=mytown, O=mycompany, CN=alice'
Jul 20 21:36:13 ipfire charon: 13[IKE] assigning virtual IP 192.168.110.3 to peer 'C=DE, ST=mytown, O=mycompany, CN=alice'
Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established with SPIs ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established with SPIs ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:36:13 ipfire vpn: client+ C=DE, ST=mytown, O=mycompany, CN=alice 192.168.110.0/24 == 31.19.180.145 -- y.y.y.y == 0.0.0.0/0
Jul 20 21:36:13 ipfire vpn: tunnel+ 31.19.180.145 -- y.y.y.y
Jul 20 21:36:13 ipfire vpn: snat+ red0-y.y.y.y : 192.168.110.0/24 - 192.168.120.1
Jul 20 21:36:13 ipfire charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 20 21:36:13 ipfire charon: 13[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (1536 bytes)

# Further packets from first client
Jul 20 21:54:31 ipfire charon: 11[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
Jul 20 21:54:32 ipfire charon: 11[ENC] parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No TSi TSr ]
Jul 20 21:54:32 ipfire charon: 11[IKE] CHILD_SA alice{13} established with SPIs c99d4e2d_i 180e5730_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:54:32 ipfire charon: 11[IKE] CHILD_SA alice{13} established with SPIs c99d4e2d_i 180e5730_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:54:32 ipfire charon: 11[ENC] generating CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
Jul 20 21:54:32 ipfire charon: 11[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (208 bytes)
Jul 20 21:54:32 ipfire charon: 16[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
Jul 20 21:54:32 ipfire charon: 16[ENC] parsed INFORMATIONAL request 3 [ D ]
Jul 20 21:54:32 ipfire charon: 16[IKE] received DELETE for ESP CHILD_SA with SPI 86a1c9df
Jul 20 21:54:32 ipfire charon: 16[IKE] closing CHILD_SA alice{12} with SPIs ca89176e_i (5025099 bytes) 86a1c9df_o (188085730 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:54:32 ipfire charon: 16[IKE] closing CHILD_SA alice{12} with SPIs ca89176e_i (5025099 bytes) 86a1c9df_o (188085730 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:54:32 ipfire charon: 16[IKE] sending DELETE for ESP CHILD_SA with SPI ca89176e
Jul 20 21:54:32 ipfire charon: 16[IKE] CHILD_SA closed
Jul 20 21:54:32 ipfire charon: 16[ENC] generating INFORMATIONAL response 3 [ D ]
Jul 20 21:54:32 ipfire charon: 16[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (80 bytes)
Jul 20 22:01:13 ipfire charon: 04[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
Jul 20 22:01:13 ipfire charon: 04[ENC] parsed CREATE_CHILD_SA request 4 [ N(REKEY_SA) SA No TSi TSr ]
Jul 20 22:01:13 ipfire charon: 04[IKE] CHILD_SA alice{14} established with SPIs c55279ed_i 92dd8be2_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:01:13 ipfire charon: 04[IKE] CHILD_SA alice{14} established with SPIs c55279ed_i 92dd8be2_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:01:13 ipfire charon: 04[ENC] generating CREATE_CHILD_SA response 4 [ SA No TSi TSr ]
Jul 20 22:01:13 ipfire charon: 04[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (208 bytes)
Jul 20 22:01:13 ipfire charon: 11[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
Jul 20 22:01:13 ipfire charon: 11[ENC] parsed INFORMATIONAL request 5 [ D ]
Jul 20 22:01:13 ipfire charon: 11[IKE] received DELETE for ESP CHILD_SA with SPI 180e5730
Jul 20 22:01:13 ipfire charon: 11[IKE] closing CHILD_SA alice{13} with SPIs c99d4e2d_i (3061812 bytes) 180e5730_o (125342786 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:01:13 ipfire charon: 11[IKE] closing CHILD_SA alice{13} with SPIs c99d4e2d_i (3061812 bytes) 180e5730_o (125342786 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:01:13 ipfire charon: 11[IKE] sending DELETE for ESP CHILD_SA with SPI c99d4e2d
Jul 20 22:01:13 ipfire charon: 11[IKE] CHILD_SA closed
Jul 20 22:01:13 ipfire charon: 11[ENC] generating INFORMATIONAL response 5 [ D ]
Jul 20 22:01:14 ipfire charon: 11[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (80 bytes)
Jul 20 22:05:43 ipfire charon: 13[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
Jul 20 22:05:43 ipfire charon: 13[ENC] parsed CREATE_CHILD_SA request 6 [ N(REKEY_SA) SA No TSi TSr ]
Jul 20 22:05:43 ipfire charon: 13[IKE] CHILD_SA alice{15} established with SPIs cda81ea9_i 3227ad0c_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:05:43 ipfire charon: 13[IKE] CHILD_SA alice{15} established with SPIs cda81ea9_i 3227ad0c_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:05:43 ipfire charon: 13[ENC] generating CREATE_CHILD_SA response 6 [ SA No TSi TSr ]
Jul 20 22:05:43 ipfire charon: 13[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (208 bytes)
Jul 20 22:05:43 ipfire charon: 12[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
Jul 20 22:05:43 ipfire charon: 12[ENC] parsed INFORMATIONAL request 7 [ D ]
Jul 20 22:05:43 ipfire charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI 92dd8be2
Jul 20 22:05:43 ipfire charon: 12[IKE] closing CHILD_SA alice{14} with SPIs c55279ed_i (2855665 bytes) 92dd8be2_o (125427168 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:05:43 ipfire charon: 12[IKE] closing CHILD_SA alice{14} with SPIs c55279ed_i (2855665 bytes) 92dd8be2_o (125427168 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:05:43 ipfire charon: 12[IKE] sending DELETE for ESP CHILD_SA with SPI c55279ed
Jul 20 22:05:43 ipfire charon: 12[IKE] CHILD_SA closed
Jul 20 22:05:43 ipfire charon: 12[ENC] generating INFORMATIONAL response 7 [ D ]
Jul 20 22:05:43 ipfire charon: 12[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (80 bytes)

# Second client tries to connect and fails
Jul 20 22:08:50 ipfire charon: 11[NET] received packet: from 2.241.32.16[500] to y.y.y.y[500] (528 bytes)
Jul 20 22:08:50 ipfire charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 20 22:08:50 ipfire charon: 11[IKE] 2.241.32.16 is initiating an IKE_SA
Jul 20 22:08:50 ipfire charon: 11[IKE] 2.241.32.16 is initiating an IKE_SA
Jul 20 22:08:50 ipfire charon: 11[IKE] remote host is behind NAT
Jul 20 22:08:51 ipfire charon: 11[IKE] sending cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
Jul 20 22:08:51 ipfire charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 20 22:08:51 ipfire charon: 11[NET] sending packet: from y.y.y.y[500] to 2.241.32.16[500] (337 bytes)
Jul 20 22:08:51 ipfire charon: 02[NET] received packet: from 2.241.32.16[4500] to y.y.y.y[4500] (2384 bytes)
Jul 20 22:08:51 ipfire charon: 02[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Jul 20 22:08:51 ipfire charon: 02[IKE] received cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
Jul 20 22:08:51 ipfire charon: 02[IKE] received 42 cert requests for an unknown ca
Jul 20 22:08:51 ipfire charon: 02[IKE] received end entity cert "C=DE, ST=mytown, O=mycompany, CN=bob"
Jul 20 22:08:51 ipfire charon: 02[CFG] looking for peer configs matching y.y.y.y[%any]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
Jul 20 22:08:51 ipfire charon: 02[CFG] selected peer config 'bob'
Jul 20 22:08:51 ipfire charon: 02[CFG]   using trusted ca certificate "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
Jul 20 22:08:51 ipfire charon: 02[CFG] checking certificate status of "C=DE, ST=mytown, O=mycompany, CN=bob"
Jul 20 22:08:51 ipfire charon: 02[CFG] certificate status is not available
Jul 20 22:08:51 ipfire charon: 02[CFG]   reached self-signed root ca with a path length of 0
Jul 20 22:08:51 ipfire charon: 02[CFG]   using trusted certificate "C=DE, ST=mytown, O=mycompany, CN=bob"
Jul 20 22:08:51 ipfire charon: 02[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=bob' with RSA signature successful
Jul 20 22:08:51 ipfire charon: 02[IKE] peer supports MOBIKE
Jul 20 22:08:51 ipfire charon: 02[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=y.y.y.y' (myself) with RSA signature successful
Jul 20 22:08:51 ipfire charon: 02[IKE] IKE_SA bob[12] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
Jul 20 22:08:51 ipfire charon: 02[IKE] IKE_SA bob[12] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
Jul 20 22:08:51 ipfire charon: 02[IKE] sending end entity cert "C=DE, ST=mytown, O=mycompany, CN=y.y.y.y"
Jul 20 22:08:51 ipfire charon: 02[IKE] peer requested virtual IP %any
Jul 20 22:08:52 ipfire charon: 02[CFG] reassigning offline lease to 'C=DE, ST=mytown, O=mycompany, CN=bob'
Jul 20 22:08:52 ipfire charon: 02[IKE] assigning virtual IP 192.168.110.1 to peer 'C=DE, ST=mytown, O=mycompany, CN=bob'
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[IKE] unable to install IPsec policies (SPD) in kernel
Jul 20 22:08:52 ipfire charon: 02[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 0.0.0.0/0 === 192.168.110.0/24 out failed, not found
Jul 20 22:08:52 ipfire charon: 04[MGR] ignoring request with ID 1, already processing
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 in failed, not found
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 fwd failed, not found
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 0.0.0.0/0 === 192.168.110.0/24 out failed, not found
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 in failed, not found
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 fwd failed, not found
Jul 20 22:08:52 ipfire charon: 02[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
Jul 20 22:08:52 ipfire charon: 02[NET] sending packet: from y.y.y.y[4500] to 2.241.32.16[4500] (1440 bytes)
Jul 20 22:08:52 ipfire charon: 12[NET] received packet: from 2.241.32.16[4500] to y.y.y.y[4500] (80 bytes)
Jul 20 22:08:52 ipfire charon: 12[ENC] parsed INFORMATIONAL request 2 [ D ]
Jul 20 22:08:52 ipfire charon: 12[IKE] received DELETE for IKE_SA bob[12]
Jul 20 22:08:52 ipfire charon: 12[IKE] deleting IKE_SA bob[12] between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
Jul 20 22:08:52 ipfire charon: 12[IKE] deleting IKE_SA bob[12] between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
Jul 20 22:08:52 ipfire charon: 12[IKE] IKE_SA deleted
Jul 20 22:08:53 ipfire charon: 12[IKE] IKE_SA deleted
Jul 20 22:08:53 ipfire charon: 12[ENC] generating INFORMATIONAL response 2 [ ]
Jul 20 22:08:53 ipfire charon: 12[NET] sending packet: from y.y.y.y[4500] to 2.241.32.16[4500] (80 bytes)
Jul 20 22:08:53 ipfire charon: 12[CFG] lease 192.168.110.1 by 'C=DE, ST=mytown, O=mycompany, CN=bob' went offline



ipfire:~# ipsec status
Security Associations (1 up, 0 connecting):
     alice[10]: ESTABLISHED 33 minutes ago, y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
     alice{17}:  INSTALLED, TUNNEL, reqid 7, ESP in UDP SPIs: c91792eb_i 85952394_o
     alice{17}:   0.0.0.0/0 === 192.168.110.0/24



# From /etc/ipsec.conf
# (also includes "ipsec.user-post.conf" at the end; conn for alice looks the same)
version 2

conn %default
     keyingtries=%forever

conn bob
     left=vpn.example.com
     leftsubnet=192.168.120.0/24
     leftfirewall=yes
     lefthostaccess=yes
     right=%any
     rightsubnet=vhost:%no,%priv
     leftcert=/var/ipfire/certs/hostcert.pem
     rightcert=/var/ipfire/certs/bobcert.pem
     ike=aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha-modp4096,aes256-sha-modp3072,aes256-sha-modp2048,aes256-sha-modp1536,aes256-sha-modp1024,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha-modp4096,aes192-sha-modp3072,aes192-sha-modp2048,aes192-sha-modp1536,aes192-sha-modp1024,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha-modp4096,aes128-sha-modp3072,aes128-sha-modp2048,aes128-sha-modp1536,aes128-sha-modp1024
     esp=aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp4096,aes256-sha1-modp3072,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha1-modp4096,aes192-sha1-modp3072,aes192-sha1-modp2048,aes192-sha1-modp1536,aes192-sha1-modp1024,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha1-modp4096,aes128-sha1-modp3072,aes128-sha1-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024
     keyexchange=ikev2
     ikelifetime=3h
     keylife=1h
     compress=yes
     dpdaction=clear
     dpddelay=30
     dpdtimeout=120
     authby=rsasig
     leftrsasigkey=%cert
     rightrsasigkey=%cert
     auto=add
     rightsourceip=
     fragmentation=yes


# From /etc/ipsec.user-post.conf
conn bob
     leftsubnet=0.0.0.0/0
     leftallowany=yes
     rightsubnet=192.168.110.0/24
     rightsourceip=192.168.110.0/24
     rekey=no


"rightsourceip" is set to "192.168.110.0/24" to get any IP from that range.
Our internal network is "192.168.120.0/24" while the IPsec-network is "192.168.110.0/24".
Clients connect from different outside IP addresses.

There is most certainly something wrong with the configuration, I guess.



Lars


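Added example (editor's note; this is not code from the post, from IPfire or from strongSwan): the script below parses the charon messages quoted in the post to make the "unable to install policy ... the same policy for reqid 7 exists" lines explicit. It tracks which CHILD_SA currently holds each traffic-selector pair in the kernel SPD, following the rekeys in the log (the replacement alice{13} is established before alice{12} is closed, so ownership must not be dropped on the close), and when bob[12] is refused the identical pair 0.0.0.0/0 === 192.168.110.0/24 it reports that alice still owns it. A second helper shows the overlap that makes the collision possible at all: every client's CHILD_SA in this log claims the whole pool subnet 192.168.110.0/24 as its remote selector, so any two clients map to the same SPD entry, whereas per-client /32 selectors (the virtual IPs 192.168.110.3 and 192.168.110.1 that charon assigned in the log) do not overlap. Why charon allocated reqid 8 instead of reusing reqid 7 for an identical selector is not something the post establishes, and the script does not guess at it. The sample log is an excerpt of the lines in the post with the certificate identities shortened to "..."; the peer dictionaries are constructed inputs.

```python
"""Explain a charon "unable to install policy ... the same policy for reqid N
exists" failure from log lines.

Added example by the editor; not code from the original post, IPfire or
strongSwan.  analyse() tracks which CHILD_SA owns each traffic-selector (TS)
pair in the kernel SPD and, when a later IKE_SA is refused the same pair,
reports who already holds it.  overlapping_remote_selectors() shows why the
pair collides: pool-wide remote selectors overlap, per-client /32 ones do not.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Message patterns as charon prints them (IKE and CFG subsystems).
THREAD = re.compile(r"charon: (?P<thread>\d+)\[")
IKE_UP = re.compile(r"IKE_SA (?P<conn>\S+)\[(?P<ike>\d+)\] established")
CHILD_UP = re.compile(
    r"CHILD_SA (?P<conn>[^{\s]+)\{(?P<child>\d+)\} established with SPIs "
    r"[0-9a-f]+_i [0-9a-f]+_o and TS (?P<local>\S+) === (?P<remote>\S+)"
)
CHILD_DOWN = re.compile(r"closing CHILD_SA (?P<conn>[^{\s]+)\{(?P<child>\d+)\}")
CONFLICT = re.compile(
    r"unable to install policy (?P<a>\S+) === (?P<b>\S+) (?P<dir>out|in|fwd) .*"
    r"for reqid (?P<new>\d+), the same policy for reqid (?P<old>\d+) exists"
)


@dataclass(frozen=True)
class Finding:
    conn: str                 # IKE_SA that was refused, e.g. "bob[12]"
    ts: Tuple[str, str]       # (local TS, remote TS) of the rejected policy
    held_by: Optional[str]    # CHILD_SA that owns that TS pair, e.g. "alice{13}"
    new_reqid: int
    old_reqid: int


def analyse(lines: List[str]) -> List[Finding]:
    """One Finding per distinct (IKE_SA, TS pair, reqids) policy collision."""
    owners: Dict[Tuple[str, str], str] = {}   # TS pair -> "conn{child}"
    context: Dict[str, str] = {}              # charon thread -> IKE_SA it last set up
    findings: List[Finding] = []
    for line in lines:
        tm = THREAD.search(line)
        thread = tm["thread"] if tm else "?"
        if (m := IKE_UP.search(line)):
            context[thread] = f'{m["conn"]}[{m["ike"]}]'
        elif (m := CHILD_UP.search(line)):
            # A rekeyed CHILD_SA takes over the TS pair before the old one closes.
            owners[(m["local"], m["remote"])] = f'{m["conn"]}{{{m["child"]}}}'
        elif (m := CHILD_DOWN.search(line)):
            gone = f'{m["conn"]}{{{m["child"]}}}'
            for ts in [t for t, o in owners.items() if o == gone]:
                del owners[ts]          # only if the closing SA still owns the pair
        elif (m := CONFLICT.search(line)):
            # charon prints 'out' as local === remote, 'in' and 'fwd' reversed.
            ts = (m["a"], m["b"]) if m["dir"] == "out" else (m["b"], m["a"])
            f = Finding(context.get(thread, "?"), ts, owners.get(ts),
                        int(m["new"]), int(m["old"]))
            if f not in findings:       # out/in/fwd lines collapse to one finding
                findings.append(f)
    return findings


def overlapping_remote_selectors(peers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of peers whose remote TS overlap and so map to the same SPD entry."""
    nets = {name: ipaddress.ip_network(ts) for name, ts in peers.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


# Excerpt of the log quoted in the post (identities shortened to "...").
SAMPLE_LOG = """\
Jul 20 21:36:13 ipfire charon: 13[IKE] IKE_SA alice[10] established between y.y.y.y[...]...31.19.180.145[...]
Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established with SPIs ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:54:32 ipfire charon: 11[IKE] CHILD_SA alice{13} established with SPIs c99d4e2d_i 180e5730_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:54:32 ipfire charon: 16[IKE] closing CHILD_SA alice{12} with SPIs ca89176e_i (5025099 bytes) 86a1c9df_o (188085730 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:08:51 ipfire charon: 02[IKE] IKE_SA bob[12] established between y.y.y.y[...]...2.241.32.16[...]
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f.conn}: policy {f.ts[0]} === {f.ts[1]} (reqid {f.new_reqid}) "
              f"rejected, already installed for reqid {f.old_reqid} by {f.held_by}")
    # Constructed inputs: remote selectors as in the post vs. narrowed to the
    # virtual IPs charon assigned (192.168.110.3 to alice, 192.168.110.1 to bob).
    pool_wide = {"alice": "192.168.110.0/24", "bob": "192.168.110.0/24"}
    per_client = {"alice": "192.168.110.3/32", "bob": "192.168.110.1/32"}
    print("overlap with pool-wide selectors:", overlapping_remote_selectors(pool_wide))
    print("overlap with per-client /32 selectors:", overlapping_remote_selectors(per_client))
```

Run it directly to print the report for the excerpt; analyse() accepts any list of charon lines, so it can be pointed at a full syslog extract to see which SA owned a selector pair at the moment a later client was refused.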