[strongSwan] "unable to install policy" for clients some minutes after the first client has connected

Noel Kuntze noel at familie-kuntze.de
Tue Jul 21 11:13:38 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Larsen,

Stop using rightsubnet for roadwarrior connections. That's what is wrong.
If you don't know what you're doing, then adhere to the examples in the wiki.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 21.07.2015 at 10:55, Larsen wrote:
> Hello,
>
> as newbies to IPsec we are using IPfire, so most of the configuration is
> generated automatically. Clients can log in at first, but the problem is that
> after one client has been connected for some time (~30 to 70 minutes), no
> further client can connect (error "Invalid payload received"). The initial
> client is still connected.
>
> Clients: Windows 7 SP1
> Server: strongSwan U5.3.2/K3.14.43-ipfire-pae
>
>
> # First client connects
> Jul 20 21:36:12 ipfire charon: 11[NET] received packet: from 31.19.180.145[500] to y.y.y.y[500] (528 bytes)
> Jul 20 21:36:12 ipfire charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 20 21:36:12 ipfire charon: 11[IKE] 31.19.180.145 is initiating an IKE_SA
> Jul 20 21:36:12 ipfire charon: 11[IKE] 31.19.180.145 is initiating an IKE_SA
> Jul 20 21:36:12 ipfire charon: 11[IKE] remote host is behind NAT
> Jul 20 21:36:12 ipfire charon: 11[IKE] sending cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
> Jul 20 21:36:12 ipfire charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Jul 20 21:36:12 ipfire charon: 11[NET] sending packet: from y.y.y.y[500] to 31.19.180.145[500] (337 bytes)
> Jul 20 21:36:12 ipfire charon: 13[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (2480 bytes)
> Jul 20 21:36:12 ipfire charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
> Jul 20 21:36:12 ipfire charon: 13[IKE] received cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
> Jul 20 21:36:12 ipfire charon: 13[IKE] received 47 cert requests for an unknown ca
> Jul 20 21:36:12 ipfire charon: 13[IKE] received end entity cert "C=DE, ST=mytown, O=mycompany, CN=alice"
> Jul 20 21:36:12 ipfire charon: 13[CFG] looking for peer configs matching y.y.y.y[%any]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
> Jul 20 21:36:12 ipfire charon: 13[CFG] selected peer config 'alice'
> Jul 20 21:36:12 ipfire charon: 13[CFG]   using trusted ca certificate "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
> Jul 20 21:36:12 ipfire charon: 13[CFG] checking certificate status of "C=DE, ST=mytown, O=mycompany, CN=alice"
> Jul 20 21:36:12 ipfire charon: 13[CFG] certificate status is not available
> Jul 20 21:36:12 ipfire charon: 13[CFG]   reached self-signed root ca with a path length of 0
> Jul 20 21:36:12 ipfire charon: 13[CFG]   using trusted certificate "C=DE, ST=mytown, O=mycompany, CN=alice"
> Jul 20 21:36:12 ipfire charon: 13[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=alice' with RSA signature successful
> Jul 20 21:36:13 ipfire charon: 13[IKE] peer supports MOBIKE
> Jul 20 21:36:13 ipfire charon: 13[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=y.y.y.y' (myself) with RSA signature successful
> Jul 20 21:36:13 ipfire charon: 13[IKE] IKE_SA alice[10] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
> Jul 20 21:36:13 ipfire charon: 13[IKE] IKE_SA alice[10] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
> Jul 20 21:36:13 ipfire charon: 13[IKE] sending end entity cert "C=DE, ST=mytown, O=mycompany, CN=y.y.y.y"
> Jul 20 21:36:13 ipfire charon: 13[IKE] peer requested virtual IP %any
> Jul 20 21:36:13 ipfire charon: 13[CFG] reassigning offline lease to 'C=DE, ST=mytown, O=mycompany, CN=alice'
> Jul 20 21:36:13 ipfire charon: 13[IKE] assigning virtual IP 192.168.110.3 to peer 'C=DE, ST=mytown, O=mycompany, CN=alice'
> Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established with SPIs ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24
> Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established with SPIs ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24
> Jul 20 21:36:13 ipfire vpn: client+ C=DE, ST=mytown, O=mycompany, CN=alice 192.168.110.0/24 == 31.19.180.145 -- y.y.y.y == 0.0.0.0/0
> Jul 20 21:36:13 ipfire vpn: tunnel+ 31.19.180.145 -- y.y.y.y
> Jul 20 21:36:13 ipfire vpn: snat+ red0-y.y.y.y : 192.168.110.0/24 - 192.168.120.1
> Jul 20 21:36:13 ipfire charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> Jul 20 21:36:13 ipfire charon: 13[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (1536 bytes)
>
> # Further packets from first client
> Jul 20 21:54:31 ipfire charon: 11[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
> Jul 20 21:54:32 ipfire charon: 11[ENC] parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No TSi TSr ]
> Jul 20 21:54:32 ipfire charon: 11[IKE] CHILD_SA alice{13} established with SPIs c99d4e2d_i 180e5730_o and TS 0.0.0.0/0 === 192.168.110.0/24
> Jul 20 21:54:32 ipfire charon: 11[IKE] CHILD_SA alice{13} established with SPIs c99d4e2d_i 180e5730_o and TS 0.0.0.0/0 === 192.168.110.0/24
> Jul 20 21:54:32 ipfire charon: 11[ENC] generating CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
> Jul 20 21:54:32 ipfire charon: 11[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (208 bytes)
> Jul 20 21:54:32 ipfire charon: 16[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
> Jul 20 21:54:32 ipfire charon: 16[ENC] parsed INFORMATIONAL request 3 [ D ]
> Jul 20 21:54:32 ipfire charon: 16[IKE] received DELETE for ESP CHILD_SA with SPI 86a1c9df
> Jul 20 21:54:32 ipfire charon: 16[IKE] closing CHILD_SA alice{12} with SPIs ca89176e_i (5025099 bytes) 86a1c9df_o (188085730 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
> Jul 20 21:54:32 ipfire charon: 16[IKE] closing CHILD_SA alice{12} with SPIs ca89176e_i (5025099 bytes) 86a1c9df_o (188085730 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
> Jul 20 21:54:32 ipfire charon: 16[IKE] sending DELETE for ESP CHILD_SA with SPI ca89176e
> Jul 20 21:54:32 ipfire charon: 16[IKE] CHILD_SA closed
> Jul 20 21:54:32 ipfire charon: 16[ENC] generating INFORMATIONAL response 3 [ D ]
> Jul 20 21:54:32 ipfire charon: 16[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (80 bytes)
> Jul 20 22:01:13 ipfire charon: 04[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
> Jul 20 22:01:13 ipfire charon: 04[ENC] parsed CREATE_CHILD_SA request 4 [ N(REKEY_SA) SA No TSi TSr ]
> Jul 20 22:01:13 ipfire charon: 04[IKE] CHILD_SA alice{14} established with SPIs c55279ed_i 92dd8be2_o and TS 0.0.0.0/0 === 192.168.110.0/24
> Jul 20 22:01:13 ipfire charon: 04[IKE] CHILD_SA alice{14} established with SPIs c55279ed_i 92dd8be2_o and TS 0.0.0.0/0 === 192.168.110.0/24
> Jul 20 22:01:13 ipfire charon: 04[ENC] generating CREATE_CHILD_SA response 4 [ SA No TSi TSr ]
> Jul 20 22:01:13 ipfire charon: 04[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (208 bytes)
> Jul 20 22:01:13 ipfire charon: 11[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
> Jul 20 22:01:13 ipfire charon: 11[ENC] parsed INFORMATIONAL request 5 [ D ]
> Jul 20 22:01:13 ipfire charon: 11[IKE] received DELETE for ESP CHILD_SA with SPI 180e5730
> Jul 20 22:01:13 ipfire charon: 11[IKE] closing CHILD_SA alice{13} with SPIs c99d4e2d_i (3061812 bytes) 180e5730_o (125342786 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
> Jul 20 22:01:13 ipfire charon: 11[IKE] closing CHILD_SA alice{13} with SPIs c99d4e2d_i (3061812 bytes) 180e5730_o (125342786 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
> Jul 20 22:01:13 ipfire charon: 11[IKE] sending DELETE for ESP CHILD_SA with SPI c99d4e2d
> Jul 20 22:01:13 ipfire charon: 11[IKE] CHILD_SA closed
> Jul 20 22:01:13 ipfire charon: 11[ENC] generating INFORMATIONAL response 5 [ D ]
> Jul 20 22:01:14 ipfire charon: 11[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (80 bytes)
> Jul 20 22:05:43 ipfire charon: 13[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
> Jul 20 22:05:43 ipfire charon: 13[ENC] parsed CREATE_CHILD_SA request 6 [ N(REKEY_SA) SA No TSi TSr ]
> Jul 20 22:05:43 ipfire charon: 13[IKE] CHILD_SA alice{15} established with SPIs cda81ea9_i 3227ad0c_o and TS 0.0.0.0/0 === 192.168.110.0/24
> Jul 20 22:05:43 ipfire charon: 13[IKE] CHILD_SA alice{15} established with SPIs cda81ea9_i 3227ad0c_o and TS 0.0.0.0/0 === 192.168.110.0/24
> Jul 20 22:05:43 ipfire charon: 13[ENC] generating CREATE_CHILD_SA response 6 [ SA No TSi TSr ]
> Jul 20 22:05:43 ipfire charon: 13[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (208 bytes)
> Jul 20 22:05:43 ipfire charon: 12[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
> Jul 20 22:05:43 ipfire charon: 12[ENC] parsed INFORMATIONAL request 7 [ D ]
> Jul 20 22:05:43 ipfire charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI 92dd8be2
> Jul 20 22:05:43 ipfire charon: 12[IKE] closing CHILD_SA alice{14} with SPIs c55279ed_i (2855665 bytes) 92dd8be2_o (125427168 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
> Jul 20 22:05:43 ipfire charon: 12[IKE] closing CHILD_SA alice{14} with SPIs c55279ed_i (2855665 bytes) 92dd8be2_o (125427168 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
> Jul 20 22:05:43 ipfire charon: 12[IKE] sending DELETE for ESP CHILD_SA with SPI c55279ed
> Jul 20 22:05:43 ipfire charon: 12[IKE] CHILD_SA closed
> Jul 20 22:05:43 ipfire charon: 12[ENC] generating INFORMATIONAL response 7 [ D ]
> Jul 20 22:05:43 ipfire charon: 12[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (80 bytes)
>
> # Second client tries to connect and fails
> Jul 20 22:08:50 ipfire charon: 11[NET] received packet: from 2.241.32.16[500] to y.y.y.y[500] (528 bytes)
> Jul 20 22:08:50 ipfire charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 20 22:08:50 ipfire charon: 11[IKE] 2.241.32.16 is initiating an IKE_SA
> Jul 20 22:08:50 ipfire charon: 11[IKE] 2.241.32.16 is initiating an IKE_SA
> Jul 20 22:08:50 ipfire charon: 11[IKE] remote host is behind NAT
> Jul 20 22:08:51 ipfire charon: 11[IKE] sending cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
> Jul 20 22:08:51 ipfire charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Jul 20 22:08:51 ipfire charon: 11[NET] sending packet: from y.y.y.y[500] to 2.241.32.16[500] (337 bytes)
> Jul 20 22:08:51 ipfire charon: 02[NET] received packet: from 2.241.32.16[4500] to y.y.y.y[4500] (2384 bytes)
> Jul 20 22:08:51 ipfire charon: 02[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
> Jul 20 22:08:51 ipfire charon: 02[IKE] received cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
> Jul 20 22:08:51 ipfire charon: 02[IKE] received 42 cert requests for an unknown ca
> Jul 20 22:08:51 ipfire charon: 02[IKE] received end entity cert "C=DE, ST=mytown, O=mycompany, CN=bob"
> Jul 20 22:08:51 ipfire charon: 02[CFG] looking for peer configs matching y.y.y.y[%any]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
> Jul 20 22:08:51 ipfire charon: 02[CFG] selected peer config 'bob'
> Jul 20 22:08:51 ipfire charon: 02[CFG]   using trusted ca certificate "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
> Jul 20 22:08:51 ipfire charon: 02[CFG] checking certificate status of "C=DE, ST=mytown, O=mycompany, CN=bob"
> Jul 20 22:08:51 ipfire charon: 02[CFG] certificate status is not available
> Jul 20 22:08:51 ipfire charon: 02[CFG]   reached self-signed root ca with a path length of 0
> Jul 20 22:08:51 ipfire charon: 02[CFG]   using trusted certificate "C=DE, ST=mytown, O=mycompany, CN=bob"
> Jul 20 22:08:51 ipfire charon: 02[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=bob' with RSA signature successful
> Jul 20 22:08:51 ipfire charon: 02[IKE] peer supports MOBIKE
> Jul 20 22:08:51 ipfire charon: 02[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=y.y.y.y' (myself) with RSA signature successful
> Jul 20 22:08:51 ipfire charon: 02[IKE] IKE_SA bob[12] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
> Jul 20 22:08:51 ipfire charon: 02[IKE] IKE_SA bob[12] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
> Jul 20 22:08:51 ipfire charon: 02[IKE] sending end entity cert "C=DE, ST=mytown, O=mycompany, CN=y.y.y.y"
> Jul 20 22:08:51 ipfire charon: 02[IKE] peer requested virtual IP %any
> Jul 20 22:08:52 ipfire charon: 02[CFG] reassigning offline lease to 'C=DE, ST=mytown, O=mycompany, CN=bob'
> Jul 20 22:08:52 ipfire charon: 02[IKE] assigning virtual IP 192.168.110.1 to peer 'C=DE, ST=mytown, O=mycompany, CN=bob'
> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
> Jul 20 22:08:52 ipfire charon: 02[IKE] unable to install IPsec policies (SPD) in kernel
> Jul 20 22:08:52 ipfire charon: 02[IKE] failed to establish CHILD_SA, keeping IKE_SA
> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 0.0.0.0/0 === 192.168.110.0/24 out failed, not found
> Jul 20 22:08:52 ipfire charon: 04[MGR] ignoring request with ID 1, already processing
> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 in failed, not found
> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 fwd failed, not found
> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 0.0.0.0/0 === 192.168.110.0/24 out failed, not found
> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 in failed, not found
> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 fwd failed, not found
> Jul 20 22:08:52 ipfire charon: 02[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
> Jul 20 22:08:52 ipfire charon: 02[NET] sending packet: from y.y.y.y[4500] to 2.241.32.16[4500] (1440 bytes)
> Jul 20 22:08:52 ipfire charon: 12[NET] received packet: from 2.241.32.16[4500] to y.y.y.y[4500] (80 bytes)
> Jul 20 22:08:52 ipfire charon: 12[ENC] parsed INFORMATIONAL request 2 [ D ]
> Jul 20 22:08:52 ipfire charon: 12[IKE] received DELETE for IKE_SA bob[12]
> Jul 20 22:08:52 ipfire charon: 12[IKE] deleting IKE_SA bob[12] between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
> Jul 20 22:08:52 ipfire charon: 12[IKE] deleting IKE_SA bob[12] between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
> Jul 20 22:08:52 ipfire charon: 12[IKE] IKE_SA deleted
> Jul 20 22:08:53 ipfire charon: 12[IKE] IKE_SA deleted
> Jul 20 22:08:53 ipfire charon: 12[ENC] generating INFORMATIONAL response 2 [ ]
> Jul 20 22:08:53 ipfire charon: 12[NET] sending packet: from y.y.y.y[4500] to 2.241.32.16[4500] (80 bytes)
> Jul 20 22:08:53 ipfire charon: 12[CFG] lease 192.168.110.1 by 'C=DE, ST=mytown, O=mycompany, CN=bob' went offline
>
>
>
> ipfire:~# ipsec status
> Security Associations (1 up, 0 connecting):
>     alice[10]: ESTABLISHED 33 minutes ago, y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
>     alice{17}:  INSTALLED, TUNNEL, reqid 7, ESP in UDP SPIs: c91792eb_i 85952394_o
>     alice{17}:   0.0.0.0/0 === 192.168.110.0/24
>
>
>
> # From /etc/ipsec.conf
> # (also includes "ipsec.user-post.conf" at the end; conn for alice looks the same)
> version 2
>
> conn %default
>     keyingtries=%forever
>
> conn bob
>     left=vpn.example.com
>     leftsubnet=192.168.120.0/24
>     leftfirewall=yes
>     lefthostaccess=yes
>     right=%any
>     rightsubnet=vhost:%no,%priv
>     leftcert=/var/ipfire/certs/hostcert.pem
>     rightcert=/var/ipfire/certs/bobcert.pem
>     ike=aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha-modp4096,aes256-sha-modp3072,aes256-sha-modp2048,aes256-sha-modp1536,aes256-sha-modp1024,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha-modp4096,aes192-sha-modp3072,aes192-sha-modp2048,aes192-sha-modp1536,aes192-sha-modp1024,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha-modp4096,aes128-sha-modp3072,aes128-sha-modp2048,aes128-sha-modp1536,aes128-sha-modp1024
>     esp=aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp4096,aes256-sha1-modp3072,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha1-modp4096,aes192-sha1-modp3072,aes192-sha1-modp2048,aes192-sha1-modp1536,aes192-sha1-modp1024,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha1-modp4096,aes128-sha1-modp3072,aes128-sha1-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024
>     keyexchange=ikev2
>     ikelifetime=3h
>     keylife=1h
>     compress=yes
>     dpdaction=clear
>     dpddelay=30
>     dpdtimeout=120
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>     auto=add
>     rightsourceip=
>     fragmentation=yes
>
>
> # From /etc/ipsec.user-post.conf
> conn bob
>     leftsubnet=0.0.0.0/0
>     leftallowany=yes
>     rightsubnet=192.168.110.0/24
>     rightsourceip=192.168.110.0/24
>     rekey=no
>
>
> "rightsourceip" is set to "192.168.110.0/24" to get any IP from that range.
> Our internal network is "192.168.120.0/24" while the IPsec-network is "192.168.110.0/24".
> Clients connect from different outside IP addresses.
>
> There is most certainly something wrong with the configuration, I guess.
>
>
>
> Lars
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
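The failure in the quoted log, replayed as an added example. This is Python written for this page, not code from the thread, from IPFire or from strongSwan. It does two things: it scans charon log lines for the "unable to install policy ... the same policy for reqid N exists" message, and it replays both configurations against a toy SPD keyed by (src, dst, direction) to show why pinning rightsubnet to the whole rightsourceip pool makes every client request the identical 0.0.0.0/0 === 192.168.110.0/24 policy under a fresh reqid, whereas leaving rightsubnet unset lets strongSwan narrow the remote selector to the assigned virtual IP, one /32 per client, so the policies never collide. Assumptions: the SPD model ignores marks and priorities; the addresses, pool and reqids 7 and 8 are taken from the thread; the log lines embedded in the block are a constructed subset of the ones quoted above; and the /32 narrowing assumes the client's own proposal does not narrow further.

```python
"""Why rightsubnet=<rightsourceip pool> breaks the second roadwarrior.

Added example: NOT code from the thread, from IPFire or from strongSwan.
Addresses, pool and reqids follow the quoted log; the SPD is a toy model
(keyed by src/dst/direction only; marks and priorities are ignored).
"""
import ipaddress
import re

POOL = ipaddress.ip_network("192.168.110.0/24")   # rightsourceip pool (thread)
LOCAL = ipaddress.ip_network("0.0.0.0/0")         # leftsubnet (ipsec.user-post.conf)


class SpdCollision(Exception):
    """A selector is already owned by a different reqid."""


class Spd:
    """Toy security policy database: one owner (reqid) per (src, dst, dir)."""

    def __init__(self):
        self.entries = {}

    def install(self, local, remote, reqid):
        # One CHILD_SA needs out/in/fwd policies; the error text mirrors the
        # message charon printed in the quoted log.
        for direction, src, dst in (("out", local, remote),
                                    ("in", remote, local),
                                    ("fwd", remote, local)):
            key = (str(src), str(dst), direction)
            owner = self.entries.get(key)
            if owner is not None and owner != reqid:
                raise SpdCollision(
                    f"unable to install policy {src} === {dst} {direction} "
                    f"for reqid {reqid}, the same policy for reqid {owner} exists")
            self.entries[key] = reqid


def remote_selector(rightsubnet, virtual_ip):
    """Remote traffic selector one client ends up with.

    rightsubnet set   -> the configured subnet as-is (the /24 in the thread).
    rightsubnet unset -> the assigned virtual IP as a /32 (rightsourceip
    behaviour; assumption: the client's proposal narrows no further).
    """
    vip = ipaddress.ip_address(virtual_ip)
    if vip not in POOL:
        raise ValueError(f"{vip} is not in the rightsourceip pool {POOL}")
    if rightsubnet:
        return ipaddress.ip_network(rightsubnet)
    return ipaddress.ip_network(f"{vip}/32")


def connect_clients(rightsubnet, assignments):
    """Replay policy installs for (client, virtual_ip, reqid) tuples.

    Returns {client: "installed" | charon-style error string}.
    """
    spd = Spd()
    results = {}
    for client, vip, reqid in assignments:
        try:
            spd.install(LOCAL, remote_selector(rightsubnet, vip), reqid)
            results[client] = "installed"
        except SpdCollision as err:
            results[client] = str(err)
    return results


# Detection side: pull reqid collisions out of a charon log.
FAIL_RE = re.compile(
    r"unable to install policy (\S+) === (\S+) (out|in|fwd) .*?"
    r"for reqid (\d+), the same policy for reqid (\d+) exists")


def collisions(log):
    """Return {(new_reqid, existing_reqid): sorted ["src === dst dir", ...]}."""
    found = {}
    for line in log.splitlines():
        match = FAIL_RE.search(line)
        if match:
            src, dst, direction, new, old = match.groups()
            found.setdefault((int(new), int(old)), set()).add(
                f"{src} === {dst} {direction}")
    return {key: sorted(sel) for key, sel in found.items()}


# Constructed subset of the charon lines quoted in the thread; the repeated
# "out" line stands in for the duplicate logging seen there.
SAMPLE_LOG = """\
Jul 20 22:08:52 ipfire charon: 02[IKE] assigning virtual IP 192.168.110.1 to peer 'C=DE, ST=mytown, O=mycompany, CN=bob'
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[IKE] unable to install IPsec policies (SPD) in kernel
"""

CLIENTS = [("alice", "192.168.110.3", 7), ("bob", "192.168.110.1", 8)]

if __name__ == "__main__":
    print("log collisions   :", collisions(SAMPLE_LOG))
    print("rightsubnet=pool :", connect_clients("192.168.110.0/24", CLIENTS))
    print("rightsubnet unset:", connect_clients(None, CLIENTS))
```

Running it shows bob failing with the same "reqid 8 ... reqid 7 exists" text as the quoted log when rightsubnet is pinned to the pool, and both clients installing cleanly when it is left unset; collisions() is the check to run over /var/log/messages before touching the configuration.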



