[strongSwan] "unable to install policy" for clients some minutes after the first client has connected

Noel Kuntze noel at familie-kuntze.de
Tue Jul 21 12:08:26 CEST 2015



Hello Larsen,

Then the IPfire project is probably doing things blatantly wrong.
The virtual IPs for the clients are chosen from the rightsubnet option.

Whatever IPfire does, it's not what standard strongSwan does.
It does not take "vhost:%no,%priv" as argument to rightsubnet.

What version of strongSwan are you using?
I don't think we can support a version of strongSwan that is modified by a third
party vendor very well.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 21.07.2015 at 11:48, Larsen wrote:
> Hello Noel,
>
> we've adhered to the examples and threads from the IPfire project.
>
> So, if rightsubnet is removed from the conf, what IP will clients get?
> Also, "rightsubnet=vhost:%no,%priv" is generated from IPfire automatically. This has to be removed as well?
>
>
> Lars
>
>
> On Tue, 21 Jul 2015 11:13:38 +0200, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> >
> > Hello Larsen,
> >
> > Stop using rightsubnet for roadwarrior connections. That's what is wrong.
> > If you don't know what you're doing, then adhere to the examples in the wiki.
> >
> > Mit freundlichen Grüßen/Kind Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > On 21.07.2015 at 10:55, Larsen wrote:
> >>> Hello,
> >>>
> >>> as newbies to IPsec we are using IPfire, so most of the configuration is
> >>> generated automatically. Clients can login at first, but the problem is that
> >>> after one client has been connected for some time (~30 to 70 minutes), no
> >>> further client can connect (error "Invalid payload received"). The initial
> >>> client is still connected.
> >>>
> >>> Clients: Windows 7 SP1
> >>> Server: strongSwan U5.3.2/K3.14.43-ipfire-pae
> >>>
> >>>
> >>> # First client connects
> >>> Jul 20 21:36:12 ipfire charon: 11[NET] received packet: from 31.19.180.145[500] to y.y.y.y[500] (528 bytes)
> >>> Jul 20 21:36:12 ipfire charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> >>> Jul 20 21:36:12 ipfire charon: 11[IKE] 31.19.180.145 is initiating an IKE_SA
> >>> Jul 20 21:36:12 ipfire charon: 11[IKE] 31.19.180.145 is initiating an IKE_SA
> >>> Jul 20 21:36:12 ipfire charon: 11[IKE] remote host is behind NAT
> >>> Jul 20 21:36:12 ipfire charon: 11[IKE] sending cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
> >>> Jul 20 21:36:12 ipfire charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> >>> Jul 20 21:36:12 ipfire charon: 11[NET] sending packet: from y.y.y.y[500] to 31.19.180.145[500] (337 bytes)
> >>> Jul 20 21:36:12 ipfire charon: 13[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (2480 bytes)
> >>> Jul 20 21:36:12 ipfire charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
> >>> Jul 20 21:36:12 ipfire charon: 13[IKE] received cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
> >>> Jul 20 21:36:12 ipfire charon: 13[IKE] received 47 cert requests for an unknown ca
> >>> Jul 20 21:36:12 ipfire charon: 13[IKE] received end entity cert "C=DE, ST=mytown, O=mycompany, CN=alice"
> >>> Jul 20 21:36:12 ipfire charon: 13[CFG] looking for peer configs matching y.y.y.y[%any]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
> >>> Jul 20 21:36:12 ipfire charon: 13[CFG] selected peer config 'alice'
> >>> Jul 20 21:36:12 ipfire charon: 13[CFG]   using trusted ca certificate "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
> >>> Jul 20 21:36:12 ipfire charon: 13[CFG] checking certificate status of "C=DE, ST=mytown, O=mycompany, CN=alice"
> >>> Jul 20 21:36:12 ipfire charon: 13[CFG] certificate status is not available
> >>> Jul 20 21:36:12 ipfire charon: 13[CFG]   reached self-signed root ca with a path length of 0
> >>> Jul 20 21:36:12 ipfire charon: 13[CFG]   using trusted certificate "C=DE, ST=mytown, O=mycompany, CN=alice"
> >>> Jul 20 21:36:12 ipfire charon: 13[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=alice' with RSA signature successful
> >>> Jul 20 21:36:13 ipfire charon: 13[IKE] peer supports MOBIKE
> >>> Jul 20 21:36:13 ipfire charon: 13[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=y.y.y.y' (myself) with RSA signature successful
> >>> Jul 20 21:36:13 ipfire charon: 13[IKE] IKE_SA alice[10] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
> >>> Jul 20 21:36:13 ipfire charon: 13[IKE] IKE_SA alice[10] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
> >>> Jul 20 21:36:13 ipfire charon: 13[IKE] sending end entity cert "C=DE, ST=mytown, O=mycompany, CN=y.y.y.y"
> >>> Jul 20 21:36:13 ipfire charon: 13[IKE] peer requested virtual IP %any
> >>> Jul 20 21:36:13 ipfire charon: 13[CFG] reassigning offline lease to 'C=DE, ST=mytown, O=mycompany, CN=alice'
> >>> Jul 20 21:36:13 ipfire charon: 13[IKE] assigning virtual IP 192.168.110.3 to peer 'C=DE, ST=mytown, O=mycompany, CN=alice'
> >>> Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established with SPIs ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24
> >>> Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established with SPIs ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24
> >>> Jul 20 21:36:13 ipfire vpn: client+ C=DE, ST=mytown, O=mycompany, CN=alice 192.168.110.0/24 == 31.19.180.145 -- y.y.y.y == 0.0.0.0/0
> >>> Jul 20 21:36:13 ipfire vpn: tunnel+ 31.19.180.145 -- y.y.y.y
> >>> Jul 20 21:36:13 ipfire vpn: snat+ red0-y.y.y.y : 192.168.110.0/24 - 192.168.120.1
> >>> Jul 20 21:36:13 ipfire charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> >>> Jul 20 21:36:13 ipfire charon: 13[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (1536 bytes)
> >>>
> >>> # Further packets from first client
> >>> Jul 20 21:54:31 ipfire charon: 11[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
> >>> Jul 20 21:54:32 ipfire charon: 11[ENC] parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No TSi TSr ]
> >>> Jul 20 21:54:32 ipfire charon: 11[IKE] CHILD_SA alice{13} established with SPIs c99d4e2d_i 180e5730_o and TS 0.0.0.0/0 === 192.168.110.0/24
> >>> Jul 20 21:54:32 ipfire charon: 11[IKE] CHILD_SA alice{13} established with SPIs c99d4e2d_i 180e5730_o and TS 0.0.0.0/0 === 192.168.110.0/24
> >>> Jul 20 21:54:32 ipfire charon: 11[ENC] generating CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
> >>> Jul 20 21:54:32 ipfire charon: 11[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (208 bytes)
> >>> Jul 20 21:54:32 ipfire charon: 16[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
> >>> Jul 20 21:54:32 ipfire charon: 16[ENC] parsed INFORMATIONAL request 3 [ D ]
> >>> Jul 20 21:54:32 ipfire charon: 16[IKE] received DELETE for ESP CHILD_SA with SPI 86a1c9df
> >>> Jul 20 21:54:32 ipfire charon: 16[IKE] closing CHILD_SA alice{12} with SPIs ca89176e_i (5025099 bytes) 86a1c9df_o (188085730 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
> >>> Jul 20 21:54:32 ipfire charon: 16[IKE] closing CHILD_SA alice{12} with SPIs ca89176e_i (5025099 bytes) 86a1c9df_o (188085730 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
> >>> Jul 20 21:54:32 ipfire charon: 16[IKE] sending DELETE for ESP CHILD_SA with SPI ca89176e
> >>> Jul 20 21:54:32 ipfire charon: 16[IKE] CHILD_SA closed
> >>> Jul 20 21:54:32 ipfire charon: 16[ENC] generating INFORMATIONAL response 3 [ D ]
> >>> Jul 20 21:54:32 ipfire charon: 16[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (80 bytes)
> >>> Jul 20 22:01:13 ipfire charon: 04[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
> >>> Jul 20 22:01:13 ipfire charon: 04[ENC] parsed CREATE_CHILD_SA request 4 [ N(REKEY_SA) SA No TSi TSr ]
> >>> Jul 20 22:01:13 ipfire charon: 04[IKE] CHILD_SA alice{14} established with SPIs c55279ed_i 92dd8be2_o and TS 0.0.0.0/0 === 192.168.110.0/24
> >>> Jul 20 22:01:13 ipfire charon: 04[IKE] CHILD_SA alice{14} established with SPIs c55279ed_i 92dd8be2_o and TS 0.0.0.0/0 === 192.168.110.0/24
> >>> Jul 20 22:01:13 ipfire charon: 04[ENC] generating CREATE_CHILD_SA response 4 [ SA No TSi TSr ]
> >>> Jul 20 22:01:13 ipfire charon: 04[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (208 bytes)
> >>> Jul 20 22:01:13 ipfire charon: 11[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
> >>> Jul 20 22:01:13 ipfire charon: 11[ENC] parsed INFORMATIONAL request 5 [ D ]
> >>> Jul 20 22:01:13 ipfire charon: 11[IKE] received DELETE for ESP CHILD_SA with SPI 180e5730
> >>> Jul 20 22:01:13 ipfire charon: 11[IKE] closing CHILD_SA alice{13} with SPIs c99d4e2d_i (3061812 bytes) 180e5730_o (125342786 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
> >>> Jul 20 22:01:13 ipfire charon: 11[IKE] closing CHILD_SA alice{13} with SPIs c99d4e2d_i (3061812 bytes) 180e5730_o (125342786 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
> >>> Jul 20 22:01:13 ipfire charon: 11[IKE] sending DELETE for ESP CHILD_SA with SPI c99d4e2d
> >>> Jul 20 22:01:13 ipfire charon: 11[IKE] CHILD_SA closed
> >>> Jul 20 22:01:13 ipfire charon: 11[ENC] generating INFORMATIONAL response 5 [ D ]
> >>> Jul 20 22:01:14 ipfire charon: 11[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (80 bytes)
> >>> Jul 20 22:05:43 ipfire charon: 13[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
> >>> Jul 20 22:05:43 ipfire charon: 13[ENC] parsed CREATE_CHILD_SA request 6 [ N(REKEY_SA) SA No TSi TSr ]
> >>> Jul 20 22:05:43 ipfire charon: 13[IKE] CHILD_SA alice{15} established with SPIs cda81ea9_i 3227ad0c_o and TS 0.0.0.0/0 === 192.168.110.0/24
> >>> Jul 20 22:05:43 ipfire charon: 13[IKE] CHILD_SA alice{15} established with SPIs cda81ea9_i 3227ad0c_o and TS 0.0.0.0/0 === 192.168.110.0/24
> >>> Jul 20 22:05:43 ipfire charon: 13[ENC] generating CREATE_CHILD_SA response 6 [ SA No TSi TSr ]
> >>> Jul 20 22:05:43 ipfire charon: 13[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (208 bytes)
> >>> Jul 20 22:05:43 ipfire charon: 12[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
> >>> Jul 20 22:05:43 ipfire charon: 12[ENC] parsed INFORMATIONAL request 7 [ D ]
> >>> Jul 20 22:05:43 ipfire charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI 92dd8be2
> >>> Jul 20 22:05:43 ipfire charon: 12[IKE] closing CHILD_SA alice{14} with SPIs c55279ed_i (2855665 bytes) 92dd8be2_o (125427168 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
> >>> Jul 20 22:05:43 ipfire charon: 12[IKE] closing CHILD_SA alice{14} with SPIs c55279ed_i (2855665 bytes) 92dd8be2_o (125427168 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
> >>> Jul 20 22:05:43 ipfire charon: 12[IKE] sending DELETE for ESP CHILD_SA with SPI c55279ed
> >>> Jul 20 22:05:43 ipfire charon: 12[IKE] CHILD_SA closed
> >>> Jul 20 22:05:43 ipfire charon: 12[ENC] generating INFORMATIONAL response 7 [ D ]
> >>> Jul 20 22:05:43 ipfire charon: 12[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (80 bytes)
> >>>
> >>> # Second client tries to connect and fails
> >>> Jul 20 22:08:50 ipfire charon: 11[NET] received packet: from 2.241.32.16[500] to y.y.y.y[500] (528 bytes)
> >>> Jul 20 22:08:50 ipfire charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> >>> Jul 20 22:08:50 ipfire charon: 11[IKE] 2.241.32.16 is initiating an IKE_SA
> >>> Jul 20 22:08:50 ipfire charon: 11[IKE] 2.241.32.16 is initiating an IKE_SA
> >>> Jul 20 22:08:50 ipfire charon: 11[IKE] remote host is behind NAT
> >>> Jul 20 22:08:51 ipfire charon: 11[IKE] sending cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
> >>> Jul 20 22:08:51 ipfire charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> >>> Jul 20 22:08:51 ipfire charon: 11[NET] sending packet: from y.y.y.y[500] to 2.241.32.16[500] (337 bytes)
> >>> Jul 20 22:08:51 ipfire charon: 02[NET] received packet: from 2.241.32.16[4500] to y.y.y.y[4500] (2384 bytes)
> >>> Jul 20 22:08:51 ipfire charon: 02[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
> >>> Jul 20 22:08:51 ipfire charon: 02[IKE] received cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
> >>> Jul 20 22:08:51 ipfire charon: 02[IKE] received 42 cert requests for an unknown ca
> >>> Jul 20 22:08:51 ipfire charon: 02[IKE] received end entity cert "C=DE, ST=mytown, O=mycompany, CN=bob"
> >>> Jul 20 22:08:51 ipfire charon: 02[CFG] looking for peer configs matching y.y.y.y[%any]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
> >>> Jul 20 22:08:51 ipfire charon: 02[CFG] selected peer config 'bob'
> >>> Jul 20 22:08:51 ipfire charon: 02[CFG]   using trusted ca certificate "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, E=system at example.com"
> >>> Jul 20 22:08:51 ipfire charon: 02[CFG] checking certificate status of "C=DE, ST=mytown, O=mycompany, CN=bob"
> >>> Jul 20 22:08:51 ipfire charon: 02[CFG] certificate status is not available
> >>> Jul 20 22:08:51 ipfire charon: 02[CFG]   reached self-signed root ca with a path length of 0
> >>> Jul 20 22:08:51 ipfire charon: 02[CFG]   using trusted certificate "C=DE, ST=mytown, O=mycompany, CN=bob"
> >>> Jul 20 22:08:51 ipfire charon: 02[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=bob' with RSA signature successful
> >>> Jul 20 22:08:51 ipfire charon: 02[IKE] peer supports MOBIKE
> >>> Jul 20 22:08:51 ipfire charon: 02[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=y.y.y.y' (myself) with RSA signature successful
> >>> Jul 20 22:08:51 ipfire charon: 02[IKE] IKE_SA bob[12] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
> >>> Jul 20 22:08:51 ipfire charon: 02[IKE] IKE_SA bob[12] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
> >>> Jul 20 22:08:51 ipfire charon: 02[IKE] sending end entity cert "C=DE, ST=mytown, O=mycompany, CN=y.y.y.y"
> >>> Jul 20 22:08:51 ipfire charon: 02[IKE] peer requested virtual IP %any
> >>> Jul 20 22:08:52 ipfire charon: 02[CFG] reassigning offline lease to 'C=DE, ST=mytown, O=mycompany, CN=bob'
> >>> Jul 20 22:08:52 ipfire charon: 02[IKE] assigning virtual IP 192.168.110.1 to peer 'C=DE, ST=mytown, O=mycompany, CN=bob'
> >>> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
> >>> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
> >>> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
> >>> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
> >>> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
> >>> Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
> >>> Jul 20 22:08:52 ipfire charon: 02[IKE] unable to install IPsec policies (SPD) in kernel
> >>> Jul 20 22:08:52 ipfire charon: 02[IKE] failed to establish CHILD_SA, keeping IKE_SA
> >>> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 0.0.0.0/0 === 192.168.110.0/24 out failed, not found
> >>> Jul 20 22:08:52 ipfire charon: 04[MGR] ignoring request with ID 1, already processing
> >>> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 in failed, not found
> >>> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 fwd failed, not found
> >>> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 0.0.0.0/0 === 192.168.110.0/24 out failed, not found
> >>> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 in failed, not found
> >>> Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 fwd failed, not found
> >>> Jul 20 22:08:52 ipfire charon: 02[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
> >>> Jul 20 22:08:52 ipfire charon: 02[NET] sending packet: from y.y.y.y[4500] to 2.241.32.16[4500] (1440 bytes)
> >>> Jul 20 22:08:52 ipfire charon: 12[NET] received packet: from 2.241.32.16[4500] to y.y.y.y[4500] (80 bytes)
> >>> Jul 20 22:08:52 ipfire charon: 12[ENC] parsed INFORMATIONAL request 2 [ D ]
> >>> Jul 20 22:08:52 ipfire charon: 12[IKE] received DELETE for IKE_SA bob[12]
> >>> Jul 20 22:08:52 ipfire charon: 12[IKE] deleting IKE_SA bob[12] between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
> >>> Jul 20 22:08:52 ipfire charon: 12[IKE] deleting IKE_SA bob[12] between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
> >>> Jul 20 22:08:52 ipfire charon: 12[IKE] IKE_SA deleted
> >>> Jul 20 22:08:53 ipfire charon: 12[IKE] IKE_SA deleted
> >>> Jul 20 22:08:53 ipfire charon: 12[ENC] generating INFORMATIONAL response 2 [ ]
> >>> Jul 20 22:08:53 ipfire charon: 12[NET] sending packet: from y.y.y.y[4500] to 2.241.32.16[4500] (80 bytes)
> >>> Jul 20 22:08:53 ipfire charon: 12[CFG] lease 192.168.110.1 by 'C=DE, ST=mytown, O=mycompany, CN=bob' went offline
> >>>
> >>>
> >>>
> >>> ipfire:~# ipsec status
> >>> Security Associations (1 up, 0 connecting):
> >>>     alice[10]: ESTABLISHED 33 minutes ago, y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
> >>>     alice{17}:  INSTALLED, TUNNEL, reqid 7, ESP in UDP SPIs: c91792eb_i 85952394_o
> >>>     alice{17}:   0.0.0.0/0 === 192.168.110.0/24
> >>>
> >>>
> >>>
> >>> # From /etc/ipsec.conf
> >>> # (also includes "ipsec.user-post.conf" at the end; conn for alice looks the same)
> >>> version 2
> >>>
> >>> conn %default
> >>>     keyingtries=%forever
> >>>
> >>> conn bob
> >>>     left=vpn.example.com
> >>>     leftsubnet=192.168.120.0/24
> >>>     leftfirewall=yes
> >>>     lefthostaccess=yes
> >>>     right=%any
> >>>     rightsubnet=vhost:%no,%priv
> >>>     leftcert=/var/ipfire/certs/hostcert.pem
> >>>     rightcert=/var/ipfire/certs/bobcert.pem
> >>>
> >>>     ike=aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha-modp4096,aes256-sha-modp3072,aes256-sha-modp2048,aes256-sha-modp1536,aes256-sha-modp1024,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha-modp4096,aes192-sha-modp3072,aes192-sha-modp2048,aes192-sha-modp1536,aes192-sha-modp1024,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha-modp4096,aes128-sha-modp3072,aes128-sha-modp2048,aes128-sha-modp1536,aes128-sha-modp1024
> >>>
> >>>     esp=aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp4096,aes256-sha1-modp3072,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha1-modp4096,aes192-sha1-modp3072,aes192-sha1-modp2048,aes192-sha1-modp1536,aes192-sha1-modp1024,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha1-modp4096,aes128-sha1-modp3072,aes128-sha1-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024
> >>>     keyexchange=ikev2
> >>>     ikelifetime=3h
> >>>     keylife=1h
> >>>     compress=yes
> >>>     dpdaction=clear
> >>>     dpddelay=30
> >>>     dpdtimeout=120
> >>>     authby=rsasig
> >>>     leftrsasigkey=%cert
> >>>     rightrsasigkey=%cert
> >>>     auto=add
> >>>     rightsourceip=
> >>>     fragmentation=yes
> >>>
> >>>
> >>> # From /etc/ipsec.user-post.conf
> >>> conn bob
> >>>     leftsubnet=0.0.0.0/0
> >>>     leftallowany=yes
> >>>     rightsubnet=192.168.110.0/24
> >>>     rightsourceip=192.168.110.0/24
> >>>     rekey=no
> >>>
> >>>
> >>> "rightsourceip" is set to "192.168.110.0/24" to get any IP from that range.
> >>> Our internal network is "192.168.120.0/24" while the IPsec-network is "192.168.110.0/24".
> >>> Clients connect from different outside IP addresses.
> >>>
> >>> There is most certainly something wrong with the configuration, I guess.
> >>>
> >>>
> >>>
> >>> Lars
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.strongswan.org
> >>> https://lists.strongswan.org/mailman/listinfo/users

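The advice in the thread (drop rightsubnet on roadwarrior conns; vhost:%no,%priv is not a standard rightsubnet value) can be turned into a config check. The Python below is an added example, not code from this thread, from strongSwan or from IPfire: it merges the two quoted files the way ipsec.user-post.conf overrides ipsec.conf, flags a right=%any conn whose rightsubnet is the whole rightsourceip pool (the shape behind the "same policy for reqid" errors in the log), and extracts the reqid pair from such a charon line. The config text and the log line are constructed after the thread's examples.

```python
"""Lint ipsec.conf for this thread's failure shape (a right=%any conn whose
rightsubnet is the whole rightsourceip pool) and parse the resulting charon error."""
import re

# Constructed sample modelled on the two files quoted in the thread; keys in the
# later file (ipsec.user-post.conf) override the same conn's earlier keys.
IPSEC_CONF = """\
conn %default
    keyingtries=%forever
conn bob
    right=%any
    rightsubnet=vhost:%no,%priv
    rightsourceip=
"""
USER_POST_CONF = """\
conn bob
    rightsubnet=192.168.110.0/24
    rightsourceip=192.168.110.0/24
"""
# Constructed charon line in the format quoted in the thread.
LOG_LINE = ("Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy "
            "0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, "
            "the same policy for reqid 7 exists")
DUP_POLICY = re.compile(r"unable to install policy (\S+) === (\S+) (out|in|fwd) "
                        r".*for reqid (\d+), the same policy for reqid (\d+) exists")

def parse_conns(text, conns=None):
    """Parse 'conn NAME' sections into {name: {key: value}}; pass the dict back
    in for a second file so that file's keys override the earlier ones."""
    conns = {} if conns is None else conns
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # 'conn NAME' or e.g. 'version 2'
            m = re.match(r"conn\s+(\S+)$", line)
            current = m.group(1) if m else None
            if current:
                conns.setdefault(current, {})
        elif current and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def effective_conn(conns, name):
    """conn %default values overlaid by the named conn's own keys."""
    merged = dict(conns.get("%default", {}))
    merged.update(conns.get(name, {}))
    return merged

def lint_roadwarrior(conn):
    """Findings for a right=%any conn; an empty list means nothing flagged."""
    if conn.get("right") != "%any":
        return []
    pool, rsub = conn.get("rightsourceip", ""), conn.get("rightsubnet", "")
    findings = []
    if rsub.startswith("vhost:"):
        findings.append("vhost:... is not a standard strongSwan rightsubnet value")
    if rsub and rsub == pool:
        findings.append("rightsubnet equals the rightsourceip pool %s: every client "
                        "installs the same 0.0.0.0/0 === %s policy" % (pool, pool))
    return findings

def duplicate_policy(line):
    """(src, dst, direction, new_reqid, existing_reqid) for a charon line, else None."""
    m = DUP_POLICY.search(line)
    return None if m is None else (m.group(1), m.group(2), m.group(3),
                                   int(m.group(4)), int(m.group(5)))
```

Run the linter over the effective conn after both files are parsed; on the thread's config it reports the pool-wide rightsubnet, which is what the second client's IKE_AUTH fails on.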



