[strongSwan] "unable to install policy" for clients some minutes after the first client has connected

Larsen larsen007 at web.de
Tue Jul 21 11:48:06 CEST 2015


Hello Noel,

we've adhered to the examples and threads from the IPfire project.

So, if rightsubnet is removed from the conf, what IP will clients get?
Also, "rightsubnet=vhost:%no,%priv" is generated from IPfire  
automatically. This has to be removed as well?


Lars


On Tue, 21 Jul 2015 11:13:38 +0200, Noel Kuntze <noel at familie-kuntze.de>  
wrote:

>
> Hello Larsen,
>
> Stop using rightsubnet for roadwarrior connections. That's what is wrong.
> If you don't know what you're doing, then adhere to the examples in the  
> wiki.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 21.07.2015 um 10:55 schrieb Larsen:
>> Hello,
>>
>> as newbies to IPsec we are using IPfire, so most of the configuration is
>> generated automatically. Clients can login at first, but the problem is
>> that after one client has been connected for some time (~30 to 70 minutes),
>> no further client can connect (error "Invalid payload received"). The
>> initial client is still connected.
>>
>> Clients: Windows 7 SP1
>> Server: strongSwan U5.3.2/K3.14.43-ipfire-pae
>>
>>
>> # First client connects
>> Jul 20 21:36:12 ipfire charon: 11[NET] received packet: from  
>> 31.19.180.145[500] to y.y.y.y[500] (528 bytes)
>> Jul 20 21:36:12 ipfire charon: 11[ENC] parsed IKE_SA_INIT request 0 [  
>> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Jul 20 21:36:12 ipfire charon: 11[IKE] 31.19.180.145 is initiating an  
>> IKE_SA
>> Jul 20 21:36:12 ipfire charon: 11[IKE] 31.19.180.145 is initiating an  
>> IKE_SA
>> Jul 20 21:36:12 ipfire charon: 11[IKE] remote host is behind NAT
>> Jul 20 21:36:12 ipfire charon: 11[IKE] sending cert request for "C=DE,  
>> ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
>> Jul 20 21:36:12 ipfire charon: 11[ENC] generating IKE_SA_INIT response  
>> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> Jul 20 21:36:12 ipfire charon: 11[NET] sending packet: from  
>> y.y.y.y[500] to 31.19.180.145[500] (337 bytes)
>> Jul 20 21:36:12 ipfire charon: 13[NET] received packet: from  
>> 31.19.180.145[4500] to y.y.y.y[4500] (2480 bytes)
>> Jul 20 21:36:12 ipfire charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi  
>> CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
>> Jul 20 21:36:12 ipfire charon: 13[IKE] received cert request for "C=DE,  
>> ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
>> Jul 20 21:36:12 ipfire charon: 13[IKE] received 47 cert requests for an  
>> unknown ca
>> Jul 20 21:36:12 ipfire charon: 13[IKE] received end entity cert "C=DE,  
>> ST=mytown, O=mycompany, CN=alice"
>> Jul 20 21:36:12 ipfire charon: 13[CFG] looking for peer configs  
>> matching y.y.y.y[%any]...31.19.180.145[C=DE, ST=mytown, O=mycompany,  
>> CN=alice]
>> Jul 20 21:36:12 ipfire charon: 13[CFG] selected peer config 'alice'
>> Jul 20 21:36:12 ipfire charon: 13[CFG]   using trusted ca certificate  
>> "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA,  
>> E=system at example.com"
>> Jul 20 21:36:12 ipfire charon: 13[CFG] checking certificate status of  
>> "C=DE, ST=mytown, O=mycompany, CN=alice"
>> Jul 20 21:36:12 ipfire charon: 13[CFG] certificate status is not  
>> available
>> Jul 20 21:36:12 ipfire charon: 13[CFG]   reached self-signed root ca  
>> with a path length of 0
>> Jul 20 21:36:12 ipfire charon: 13[CFG]   using trusted certificate  
>> "C=DE, ST=mytown, O=mycompany, CN=alice"
>> Jul 20 21:36:12 ipfire charon: 13[IKE] authentication of 'C=DE,  
>> ST=mytown, O=mycompany, CN=alice' with RSA signature successful
>> Jul 20 21:36:13 ipfire charon: 13[IKE] peer supports MOBIKE
>> Jul 20 21:36:13 ipfire charon: 13[IKE] authentication of 'C=DE,  
>> ST=mytown, O=mycompany, CN=y.y.y.y' (myself) with RSA signature  
>> successful
>> Jul 20 21:36:13 ipfire charon: 13[IKE] IKE_SA alice[10] established  
>> between y.y.y.y[C=DE, ST=mytown, O=mycompany,  
>> CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
>> Jul 20 21:36:13 ipfire charon: 13[IKE] IKE_SA alice[10] established  
>> between y.y.y.y[C=DE, ST=mytown, O=mycompany,  
>> CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
>> Jul 20 21:36:13 ipfire charon: 13[IKE] sending end entity cert "C=DE,  
>> ST=mytown, O=mycompany, CN=y.y.y.y"
>> Jul 20 21:36:13 ipfire charon: 13[IKE] peer requested virtual IP %any
>> Jul 20 21:36:13 ipfire charon: 13[CFG] reassigning offline lease to  
>> 'C=DE, ST=mytown, O=mycompany, CN=alice'
>> Jul 20 21:36:13 ipfire charon: 13[IKE] assigning virtual IP  
>> 192.168.110.3 to peer 'C=DE, ST=mytown, O=mycompany, CN=alice'
>> Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established  
>> with SPIs ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24
>> Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established  
>> with SPIs ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24
>> Jul 20 21:36:13 ipfire vpn: client+ C=DE, ST=mytown, O=mycompany,  
>> CN=alice 192.168.110.0/24 == 31.19.180.145 -- y.y.y.y == 0.0.0.0/0
>> Jul 20 21:36:13 ipfire vpn: tunnel+ 31.19.180.145 -- y.y.y.y
>> Jul 20 21:36:13 ipfire vpn: snat+ red0-y.y.y.y : 192.168.110.0/24 -  
>> 192.168.120.1
>> Jul 20 21:36:13 ipfire charon: 13[ENC] generating IKE_AUTH response 1 [  
>> IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR)  
>> N(ADD_4_ADDR) ]
>> Jul 20 21:36:13 ipfire charon: 13[NET] sending packet: from  
>> y.y.y.y[4500] to 31.19.180.145[4500] (1536 bytes)
>>
>> # Further packets from first client
>> Jul 20 21:54:31 ipfire charon: 11[NET] received packet: from  
>> 31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
>> Jul 20 21:54:32 ipfire charon: 11[ENC] parsed CREATE_CHILD_SA request 2  
>> [ N(REKEY_SA) SA No TSi TSr ]
>> Jul 20 21:54:32 ipfire charon: 11[IKE] CHILD_SA alice{13} established  
>> with SPIs c99d4e2d_i 180e5730_o and TS 0.0.0.0/0 === 192.168.110.0/24
>> Jul 20 21:54:32 ipfire charon: 11[IKE] CHILD_SA alice{13} established  
>> with SPIs c99d4e2d_i 180e5730_o and TS 0.0.0.0/0 === 192.168.110.0/24
>> Jul 20 21:54:32 ipfire charon: 11[ENC] generating CREATE_CHILD_SA  
>> response 2 [ SA No TSi TSr ]
>> Jul 20 21:54:32 ipfire charon: 11[NET] sending packet: from  
>> y.y.y.y[4500] to 31.19.180.145[4500] (208 bytes)
>> Jul 20 21:54:32 ipfire charon: 16[NET] received packet: from  
>> 31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
>> Jul 20 21:54:32 ipfire charon: 16[ENC] parsed INFORMATIONAL request 3 [  
>> D ]
>> Jul 20 21:54:32 ipfire charon: 16[IKE] received DELETE for ESP CHILD_SA  
>> with SPI 86a1c9df
>> Jul 20 21:54:32 ipfire charon: 16[IKE] closing CHILD_SA alice{12} with  
>> SPIs ca89176e_i (5025099 bytes) 86a1c9df_o (188085730 bytes) and TS  
>> 0.0.0.0/0 === 192.168.110.0/24
>> Jul 20 21:54:32 ipfire charon: 16[IKE] closing CHILD_SA alice{12} with  
>> SPIs ca89176e_i (5025099 bytes) 86a1c9df_o (188085730 bytes) and TS  
>> 0.0.0.0/0 === 192.168.110.0/24
>> Jul 20 21:54:32 ipfire charon: 16[IKE] sending DELETE for ESP CHILD_SA  
>> with SPI ca89176e
>> Jul 20 21:54:32 ipfire charon: 16[IKE] CHILD_SA closed
>> Jul 20 21:54:32 ipfire charon: 16[ENC] generating INFORMATIONAL  
>> response 3 [ D ]
>> Jul 20 21:54:32 ipfire charon: 16[NET] sending packet: from  
>> y.y.y.y[4500] to 31.19.180.145[4500] (80 bytes)
>> Jul 20 22:01:13 ipfire charon: 04[NET] received packet: from  
>> 31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
>> Jul 20 22:01:13 ipfire charon: 04[ENC] parsed CREATE_CHILD_SA request 4  
>> [ N(REKEY_SA) SA No TSi TSr ]
>> Jul 20 22:01:13 ipfire charon: 04[IKE] CHILD_SA alice{14} established  
>> with SPIs c55279ed_i 92dd8be2_o and TS 0.0.0.0/0 === 192.168.110.0/24
>> Jul 20 22:01:13 ipfire charon: 04[IKE] CHILD_SA alice{14} established  
>> with SPIs c55279ed_i 92dd8be2_o and TS 0.0.0.0/0 === 192.168.110.0/24
>> Jul 20 22:01:13 ipfire charon: 04[ENC] generating CREATE_CHILD_SA  
>> response 4 [ SA No TSi TSr ]
>> Jul 20 22:01:13 ipfire charon: 04[NET] sending packet: from  
>> y.y.y.y[4500] to 31.19.180.145[4500] (208 bytes)
>> Jul 20 22:01:13 ipfire charon: 11[NET] received packet: from  
>> 31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
>> Jul 20 22:01:13 ipfire charon: 11[ENC] parsed INFORMATIONAL request 5 [  
>> D ]
>> Jul 20 22:01:13 ipfire charon: 11[IKE] received DELETE for ESP CHILD_SA  
>> with SPI 180e5730
>> Jul 20 22:01:13 ipfire charon: 11[IKE] closing CHILD_SA alice{13} with  
>> SPIs c99d4e2d_i (3061812 bytes) 180e5730_o (125342786 bytes) and TS  
>> 0.0.0.0/0 === 192.168.110.0/24
>> Jul 20 22:01:13 ipfire charon: 11[IKE] closing CHILD_SA alice{13} with  
>> SPIs c99d4e2d_i (3061812 bytes) 180e5730_o (125342786 bytes) and TS  
>> 0.0.0.0/0 === 192.168.110.0/24
>> Jul 20 22:01:13 ipfire charon: 11[IKE] sending DELETE for ESP CHILD_SA  
>> with SPI c99d4e2d
>> Jul 20 22:01:13 ipfire charon: 11[IKE] CHILD_SA closed
>> Jul 20 22:01:13 ipfire charon: 11[ENC] generating INFORMATIONAL  
>> response 5 [ D ]
>> Jul 20 22:01:14 ipfire charon: 11[NET] sending packet: from  
>> y.y.y.y[4500] to 31.19.180.145[4500] (80 bytes)
>> Jul 20 22:05:43 ipfire charon: 13[NET] received packet: from  
>> 31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
>> Jul 20 22:05:43 ipfire charon: 13[ENC] parsed CREATE_CHILD_SA request 6  
>> [ N(REKEY_SA) SA No TSi TSr ]
>> Jul 20 22:05:43 ipfire charon: 13[IKE] CHILD_SA alice{15} established  
>> with SPIs cda81ea9_i 3227ad0c_o and TS 0.0.0.0/0 === 192.168.110.0/24
>> Jul 20 22:05:43 ipfire charon: 13[IKE] CHILD_SA alice{15} established  
>> with SPIs cda81ea9_i 3227ad0c_o and TS 0.0.0.0/0 === 192.168.110.0/24
>> Jul 20 22:05:43 ipfire charon: 13[ENC] generating CREATE_CHILD_SA  
>> response 6 [ SA No TSi TSr ]
>> Jul 20 22:05:43 ipfire charon: 13[NET] sending packet: from  
>> y.y.y.y[4500] to 31.19.180.145[4500] (208 bytes)
>> Jul 20 22:05:43 ipfire charon: 12[NET] received packet: from  
>> 31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
>> Jul 20 22:05:43 ipfire charon: 12[ENC] parsed INFORMATIONAL request 7 [  
>> D ]
>> Jul 20 22:05:43 ipfire charon: 12[IKE] received DELETE for ESP CHILD_SA  
>> with SPI 92dd8be2
>> Jul 20 22:05:43 ipfire charon: 12[IKE] closing CHILD_SA alice{14} with  
>> SPIs c55279ed_i (2855665 bytes) 92dd8be2_o (125427168 bytes) and TS  
>> 0.0.0.0/0 === 192.168.110.0/24
>> Jul 20 22:05:43 ipfire charon: 12[IKE] closing CHILD_SA alice{14} with  
>> SPIs c55279ed_i (2855665 bytes) 92dd8be2_o (125427168 bytes) and TS  
>> 0.0.0.0/0 === 192.168.110.0/24
>> Jul 20 22:05:43 ipfire charon: 12[IKE] sending DELETE for ESP CHILD_SA  
>> with SPI c55279ed
>> Jul 20 22:05:43 ipfire charon: 12[IKE] CHILD_SA closed
>> Jul 20 22:05:43 ipfire charon: 12[ENC] generating INFORMATIONAL  
>> response 7 [ D ]
>> Jul 20 22:05:43 ipfire charon: 12[NET] sending packet: from  
>> y.y.y.y[4500] to 31.19.180.145[4500] (80 bytes)
>>
>> # Second client tries to connect and fails
>> Jul 20 22:08:50 ipfire charon: 11[NET] received packet: from  
>> 2.241.32.16[500] to y.y.y.y[500] (528 bytes)
>> Jul 20 22:08:50 ipfire charon: 11[ENC] parsed IKE_SA_INIT request 0 [  
>> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Jul 20 22:08:50 ipfire charon: 11[IKE] 2.241.32.16 is initiating an  
>> IKE_SA
>> Jul 20 22:08:50 ipfire charon: 11[IKE] 2.241.32.16 is initiating an  
>> IKE_SA
>> Jul 20 22:08:50 ipfire charon: 11[IKE] remote host is behind NAT
>> Jul 20 22:08:51 ipfire charon: 11[IKE] sending cert request for "C=DE,  
>> ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
>> Jul 20 22:08:51 ipfire charon: 11[ENC] generating IKE_SA_INIT response  
>> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> Jul 20 22:08:51 ipfire charon: 11[NET] sending packet: from  
>> y.y.y.y[500] to 2.241.32.16[500] (337 bytes)
>> Jul 20 22:08:51 ipfire charon: 02[NET] received packet: from  
>> 2.241.32.16[4500] to y.y.y.y[4500] (2384 bytes)
>> Jul 20 22:08:51 ipfire charon: 02[ENC] parsed IKE_AUTH request 1 [ IDi  
>> CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
>> Jul 20 22:08:51 ipfire charon: 02[IKE] received cert request for "C=DE,  
>> ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
>> Jul 20 22:08:51 ipfire charon: 02[IKE] received 42 cert requests for an  
>> unknown ca
>> Jul 20 22:08:51 ipfire charon: 02[IKE] received end entity cert "C=DE,  
>> ST=mytown, O=mycompany, CN=bob"
>> Jul 20 22:08:51 ipfire charon: 02[CFG] looking for peer configs  
>> matching y.y.y.y[%any]...2.241.32.16[C=DE, ST=mytown, O=mycompany,  
>> CN=bob]
>> Jul 20 22:08:51 ipfire charon: 02[CFG] selected peer config 'bob'
>> Jul 20 22:08:51 ipfire charon: 02[CFG]   using trusted ca certificate  
>> "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA,  
>> E=system at example.com"
>> Jul 20 22:08:51 ipfire charon: 02[CFG] checking certificate status of  
>> "C=DE, ST=mytown, O=mycompany, CN=bob"
>> Jul 20 22:08:51 ipfire charon: 02[CFG] certificate status is not  
>> available
>> Jul 20 22:08:51 ipfire charon: 02[CFG]   reached self-signed root ca  
>> with a path length of 0
>> Jul 20 22:08:51 ipfire charon: 02[CFG]   using trusted certificate  
>> "C=DE, ST=mytown, O=mycompany, CN=bob"
>> Jul 20 22:08:51 ipfire charon: 02[IKE] authentication of 'C=DE,  
>> ST=mytown, O=mycompany, CN=bob' with RSA signature successful
>> Jul 20 22:08:51 ipfire charon: 02[IKE] peer supports MOBIKE
>> Jul 20 22:08:51 ipfire charon: 02[IKE] authentication of 'C=DE,  
>> ST=mytown, O=mycompany, CN=y.y.y.y' (myself) with RSA signature  
>> successful
>> Jul 20 22:08:51 ipfire charon: 02[IKE] IKE_SA bob[12] established  
>> between y.y.y.y[C=DE, ST=mytown, O=mycompany,  
>> CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
>> Jul 20 22:08:51 ipfire charon: 02[IKE] IKE_SA bob[12] established  
>> between y.y.y.y[C=DE, ST=mytown, O=mycompany,  
>> CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
>> Jul 20 22:08:51 ipfire charon: 02[IKE] sending end entity cert "C=DE,  
>> ST=mytown, O=mycompany, CN=y.y.y.y"
>> Jul 20 22:08:51 ipfire charon: 02[IKE] peer requested virtual IP %any
>> Jul 20 22:08:52 ipfire charon: 02[CFG] reassigning offline lease to  
>> 'C=DE, ST=mytown, O=mycompany, CN=bob'
>> Jul 20 22:08:52 ipfire charon: 02[IKE] assigning virtual IP  
>> 192.168.110.1 to peer 'C=DE, ST=mytown, O=mycompany, CN=bob'
>> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy  
>> 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the  
>> same policy for reqid 7 exists
>> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy  
>> 192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the  
>> same policy for reqid 7 exists
>> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy  
>> 192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the  
>> same policy for reqid 7 exists
>> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy  
>> 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the  
>> same policy for reqid 7 exists
>> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy  
>> 192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the  
>> same policy for reqid 7 exists
>> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy  
>> 192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the  
>> same policy for reqid 7 exists
>> Jul 20 22:08:52 ipfire charon: 02[IKE] unable to install IPsec policies  
>> (SPD) in kernel
>> Jul 20 22:08:52 ipfire charon: 02[IKE] failed to establish CHILD_SA,  
>> keeping IKE_SA
>> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 0.0.0.0/0 ===  
>> 192.168.110.0/24 out failed, not found
>> Jul 20 22:08:52 ipfire charon: 04[MGR] ignoring request with ID 1,  
>> already processing
>> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24  
>> === 0.0.0.0/0 in failed, not found
>> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24  
>> === 0.0.0.0/0 fwd failed, not found
>> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 0.0.0.0/0 ===  
>> 192.168.110.0/24 out failed, not found
>> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24  
>> === 0.0.0.0/0 in failed, not found
>> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24  
>> === 0.0.0.0/0 fwd failed, not found
>> Jul 20 22:08:52 ipfire charon: 02[ENC] generating IKE_AUTH response 1 [  
>> IDr CERT AUTH CPRP(ADDR DNS) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR)  
>> N(TS_UNACCEPT) ]
>> Jul 20 22:08:52 ipfire charon: 02[NET] sending packet: from  
>> y.y.y.y[4500] to 2.241.32.16[4500] (1440 bytes)
>> Jul 20 22:08:52 ipfire charon: 12[NET] received packet: from  
>> 2.241.32.16[4500] to y.y.y.y[4500] (80 bytes)
>> Jul 20 22:08:52 ipfire charon: 12[ENC] parsed INFORMATIONAL request 2 [  
>> D ]
>> Jul 20 22:08:52 ipfire charon: 12[IKE] received DELETE for IKE_SA  
>> bob[12]
>> Jul 20 22:08:52 ipfire charon: 12[IKE] deleting IKE_SA bob[12] between  
>> y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE,  
>> ST=mytown, O=mycompany, CN=bob]
>> Jul 20 22:08:52 ipfire charon: 12[IKE] deleting IKE_SA bob[12] between  
>> y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE,  
>> ST=mytown, O=mycompany, CN=bob]
>> Jul 20 22:08:52 ipfire charon: 12[IKE] IKE_SA deleted
>> Jul 20 22:08:53 ipfire charon: 12[IKE] IKE_SA deleted
>> Jul 20 22:08:53 ipfire charon: 12[ENC] generating INFORMATIONAL  
>> response 2 [ ]
>> Jul 20 22:08:53 ipfire charon: 12[NET] sending packet: from  
>> y.y.y.y[4500] to 2.241.32.16[4500] (80 bytes)
>> Jul 20 22:08:53 ipfire charon: 12[CFG] lease 192.168.110.1 by 'C=DE,  
>> ST=mytown, O=mycompany, CN=bob' went offline
>>
>>
>>
>> ipfire:~# ipsec status
>> Security Associations (1 up, 0 connecting):
>>     alice[10]: ESTABLISHED 33 minutes ago, y.y.y.y[C=DE, ST=mytown,  
>> O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany,  
>> CN=alice]
>>     alice{17}:  INSTALLED, TUNNEL, reqid 7, ESP in UDP SPIs: c91792eb_i  
>> 85952394_o
>>     alice{17}:   0.0.0.0/0 === 192.168.110.0/24
>>
>>
>>
>> # From /etc/ipsec.conf
>> # (also includes "ipsec.user-post.conf" at the end; conn for alice  
>> looks the same)
>> version 2
>>
>> conn %default
>>     keyingtries=%forever
>>
>> conn bob
>>     left=vpn.example.com
>>     leftsubnet=192.168.120.0/24
>>     leftfirewall=yes
>>     lefthostaccess=yes
>>     right=%any
>>     rightsubnet=vhost:%no,%priv
>>     leftcert=/var/ipfire/certs/hostcert.pem
>>     rightcert=/var/ipfire/certs/bobcert.pem
>>
>>     ike=aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha-modp4096,aes256-sha-modp3072,aes256-sha-modp2048,aes256-sha-modp1536,aes256-sha-modp1024,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha-modp4096,aes192-sha-modp3072,aes192-sha-modp2048,aes192-sha-modp1536,aes192-sha-modp1024,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha-modp4096,aes128-sha-modp3072,aes128-sha-modp2048,aes128-sha-modp1536,aes128-sha-modp1024
>>
>>     esp=aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp4096,aes256-sha1-modp3072,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha1-modp4096,aes192-sha1-modp3072,aes192-sha1-modp2048,aes192-sha1-modp1536,aes192-sha1-modp1024,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha1-modp4096,aes128-sha1-modp3072,aes128-sha1-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024
>>     keyexchange=ikev2
>>     ikelifetime=3h
>>     keylife=1h
>>     compress=yes
>>     dpdaction=clear
>>     dpddelay=30
>>     dpdtimeout=120
>>     authby=rsasig
>>     leftrsasigkey=%cert
>>     rightrsasigkey=%cert
>>     auto=add
>>     rightsourceip=
>>     fragmentation=yes
>>
>>
>> # From /etc/ipsec.user-post.conf
>> conn bob
>>     leftsubnet=0.0.0.0/0
>>     leftallowany=yes
>>     rightsubnet=192.168.110.0/24
>>     rightsourceip=192.168.110.0/24
>>     rekey=no
>>
>>
>> "rightsourceip" is set to "192.168.110.0/24" to get any IP from that  
>> range.
>> Our internal network is "192.168.120.0/24" while the IPsec-network is  
>> "192.168.110.0/24".
>> Clients connect from different outside IP addresses.
>>
>> There is most certainly something wrong with the configuration, I guess.
>>
>>
>>
>> Lars
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
>
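The logs quoted in this thread show the mechanism behind the "unable to install policy" errors: alice's CHILD_SA is established with the traffic selectors 0.0.0.0/0 === 192.168.110.0/24 even though she was assigned only the virtual IP 192.168.110.3, so when bob arrives his CHILD_SA asks for exactly the same selectors and the kernel refuses to install a second copy of a policy that reqid 7 already owns. The script below is an added example, not code from the thread, from IPfire or from strongSwan; it scans charon log lines for both symptoms, a remote selector that is wider than the assigned virtual IP, and a refused policy install. The embedded log lines are constructed from the message formats quoted above, and pairing an "assigning virtual IP" line with the next "CHILD_SA established" line on the same charon thread number is an assumption about log ordering.

```python
import ipaddress
import re

# Constructed sample in the shape of the charon lines quoted in the thread
# (addresses, SPIs and reqids as quoted; the selection of lines is ours).
SAMPLE_LOG = """\
Jul 20 21:36:13 ipfire charon: 13[IKE] assigning virtual IP 192.168.110.3 to peer 'C=DE, ST=mytown, O=mycompany, CN=alice'
Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established with SPIs ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:08:52 ipfire charon: 02[IKE] assigning virtual IP 192.168.110.1 to peer 'C=DE, ST=mytown, O=mycompany, CN=bob'
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[IKE] unable to install IPsec policies (SPD) in kernel
"""

THREAD_RE = re.compile(r"charon: (\d+)\[")
VIP_RE = re.compile(r"assigning virtual IP (\S+) to peer '([^']+)'")
CHILD_RE = re.compile(
    r"CHILD_SA (\w+)\{\d+\} established with SPIs \S+ \S+ and TS (\S+) === (\S+)")
POLICY_RE = re.compile(
    r"unable to install policy (\S+) === (\S+) (out|in|fwd) \(mark [^)]*\) "
    r"for reqid (\d+), the same policy for reqid (\d+) exists")


def analyze(log_text):
    """Find the two symptoms of a selector collision between roadwarriors.

    wide_ts:    CHILD_SAs whose remote selector is a whole network although the
                peer was assigned a single virtual IP inside that network.
    collisions: policy installs the kernel refused because an identical selector
                is already owned by another reqid (deduplicated, in log order).
    """
    last_vip = {}        # charon thread id -> (virtual IP, peer identity)
    wide_ts = []
    collisions = []
    seen = set()
    for line in log_text.splitlines():
        m = THREAD_RE.search(line)
        thread = m.group(1) if m else None

        m = VIP_RE.search(line)
        if m:
            # Assumption: the matching CHILD_SA line follows on the same thread.
            last_vip[thread] = (m.group(1), m.group(2))
            continue

        m = CHILD_RE.search(line)
        if m:
            conn, local_ts, remote_ts = m.groups()
            vip, peer = last_vip.pop(thread, (None, None))
            if vip is None:
                continue
            remote_net = ipaddress.ip_network(remote_ts, strict=False)
            # A roadwarrior with a virtual IP should get that host as its
            # selector; a containing network wider than a host is the problem.
            if (ipaddress.ip_address(vip) in remote_net
                    and remote_net.prefixlen < remote_net.max_prefixlen):
                wide_ts.append({"conn": conn, "peer": peer, "virtual_ip": vip,
                                "local_ts": local_ts, "remote_ts": remote_ts})
            continue

        m = POLICY_RE.search(line)
        if m:
            sel_a, sel_b, direction, reqid, owner = m.groups()
            key = (sel_a, sel_b, direction, int(reqid), int(owner))
            if key not in seen:          # charon logs each refusal twice
                seen.add(key)
                collisions.append(key)
    return {"wide_ts": wide_ts, "collisions": collisions}


def report(result):
    """Render the findings as plain text lines."""
    lines = []
    for w in result["wide_ts"]:
        lines.append(f"{w['conn']}: remote TS {w['remote_ts']} covers the whole "
                     f"network, but the peer only holds virtual IP "
                     f"{w['virtual_ip']}; every further peer in that range will "
                     f"negotiate the same selector")
    for sel_a, sel_b, direction, reqid, owner in result["collisions"]:
        lines.append(f"reqid {reqid}: {direction} policy {sel_a} === {sel_b} "
                     f"refused, already installed for reqid {owner}")
    return lines


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

Run it against a saved charon log instead of SAMPLE_LOG to confirm whether a roadwarrior setup suffers from this: a healthy roadwarrior shows a /32 remote selector per peer and no refused policy installs, which is what dropping the fixed rightsubnet and letting the assigned virtual IP define the selector produces.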

