[strongSwan] issue with using leftsubnet/rightsubnet = %dynamic. Tunnels are not coming up
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Sun May 3 23:58:33 CEST 2015
Hi
I have 2 clients with multiple subnets behind them connecting to a single
unity-supported vpn-server which also has multiple subnets behind it.
All are using strongswan-v5.2.1. Now, can the below config on each of these
GWs work in successfully setting up tunnels and protecting the traffic between
the subnets through the ipsec tunnels once established? The modeconfig is
intended to be used to push all other unity-options except the virtual-ip,
which is NOT required in this case, because we want to protect subnets.
In summary, the use of %dynamic in leftsubnet and/or rightsubnet is the
issue observed here.
On client-1
===========
- I have the below network config
root at OpenWrt:/etc# ifconfig
eth0 Link encap:Ethernet HWaddr 00:ED:CD:EF:AA:CC
inet addr:1.1.1.2 Bcast:1.1.1.255 Mask:255.255.255.0
inet6 addr: 2005::2/64 Scope:Global
inet6 addr: fe80::2ed:cdff:feef:aacc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5976 errors:0 dropped:0 overruns:0 frame:0
TX packets:3697 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:641811 (626.7 KiB) TX bytes:435798 (425.5 KiB)
eth1 Link encap:Ethernet HWaddr 00:AA:BB:CC:DD:EE
inet addr:169.254.0.1 Bcast:169.254.255.255 Mask:255.255.0.0
inet6 addr: fe80::2aa:bbff:fecc:ddee/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:31 errors:0 dropped:0 overruns:0 frame:0
TX packets:2964 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:872 (872.0 B) TX bytes:261270 (255.1 KiB)
Interrupt:32
eth2 Link encap:Ethernet HWaddr 00:16:19:2C:9D:18
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::216:19ff:fe2c:9d18/64 Scope:Link
inet6 addr: 2007::1/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:39746 errors:0 dropped:0 overruns:0 frame:0
TX packets:8749 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3258891 (3.1 MiB) TX bytes:848610 (828.7 KiB)
eth2.10 Link encap:Ethernet HWaddr 00:16:19:2C:9D:18
inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::216:19ff:fe2c:9d18/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2891 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:255624 (249.6 KiB)
eth2.5 Link encap:Ethernet HWaddr 00:16:19:2C:9D:18
inet addr:192.168.5.1 Bcast:192.168.5.255 Mask:255.255.255.0
inet6 addr: fe80::216:19ff:fe2c:9d18/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2892 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:255694 (249.7 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:108 errors:0 dropped:0 overruns:0 frame:0
TX packets:108 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8596 (8.3 KiB) TX bytes:8596 (8.3 KiB)
root at OpenWrt:/etc#
- and I have used the following sample config (for ikev1 support for
multiple subnets)
- Here on this client-gw1 I have to protect traffic from 192.168.1.0/24,
192.168.5.0/24 and 192.168.10.0/24
--------------
ipsec.conf
------------
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
conn %default
rekeymargin=9m
keyingtries=1
mobike=no
dpdaction=restart
dpddelay=30
dpdtimeout=120
conn subntconn1
leftsubnet=192.168.1.0/24
also=mainconn
conn subntconn2
leftsubnet=192.168.5.0/24
also=mainconn
conn subntconn3
leftsubnet=192.168.10.0/24
also=mainconn
conn mainconn
aggressive=yes
left=1.1.1.2
right=2.2.2.5
rightsubnet=0.0.0.0/0
modeconfig=pull
leftauth=psk
rightauth=psk
leftauth2=xauth
leftid=@grpname1
rightid=2.2.2.5
type=tunnel
keyexchange=ikev1
ike=3des-sha1-modp1024
esp=3des-sha1
ikelifetime=60m
keylife=20m
xauth=client
xauth_identity=user1
auto=add
root at OpenWrt:/etc#
root at OpenWrt:/etc# cat ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
@grpname1 2.2.2.5 : PSK "123456"
user1 : XAUTH "config123"
root at OpenWrt:/etc#
===================================================
On client-2 Gw
- here I have to protect 2 subnets behind this client-gw2 (192.168.11.0/24
and 192.168.15.0)
-----------------
ipsec.conf
-------------
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
conn %default
rekeymargin=9m
keyingtries=1
mobike=no
dpdaction=restart
dpddelay=30
dpdtimeout=120
conn mainconn2
aggressive=yes
left=1.1.1.5
leftsubnet=%dynamic
right=2.2.2.5
rightsubnet=0.0.0.0/0
modeconfig=pull
leftauth=psk
rightauth=psk
leftauth2=xauth
leftid=@grpname1
rightid=2.2.2.5
type=tunnel
keyexchange=ikev1
ike=3des-sha1-modp1024
esp=3des-sha1
ikelifetime=60m
keylife=20m
xauth=client
xauth_identity=user1
auto=add
root at OpenWrt:/etc#
===================================================
On Server-side
================
- Here we need to protect multiple subnets behind this server (such as
192.168.2.0/24, 172.16.0.0/16, etc.)
- This also should assign split-tunnel, split-dns, dns/wins, backup-server
ipaddresses, default-domain, etc.
root at suram-OptiPlex-7010:/usr/local/etc# cat ipsec.conf
#/etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
charondebug="ike 3, knl 1, cfg 3, chd 2, net 2, dmn 1, enc 2"
conn %default
rekeymargin=9m
keyingtries=1
mobike=no
dpddelay=30s
dpdtimeout=120s
dpdaction=clear
conn ezvpnserver1
aggressive=yes
left=2.2.2.5
leftsubnet=192.168.12.0/24,172.16.0.0/16
right=%any
rightsubnet=%dynamic
leftid=2.2.2.5
rightid=@grpname1
leftauth=psk
rightauth=psk
rightauth2=xauth
keyexchange=ikev1
ike=3des-sha1-modp1024
esp=3des-sha1
ikelifetime=60m
keylife=20m
xauth=server
auto=add
root at suram-OptiPlex-7010:/usr/local/etc# cat ipsec.secrets
#/etc/ipsec.secrets - strongSwan IPsec secrets file
2.2.2.5 @grpname1 : PSK "123456"
user1 : XAUTH "config123"
user2 : XAUTH "config1234"
user3 : XAUTH "config12345"
root at suram-OptiPlex-7010:/usr/local/etc#
=============================================================
On the server, the attr.conf file is as below
- the unity plugin and the settings for supporting aggressive mode are also enabled
# Section to specify arbitrary attributes that are assigned to a peer via
# configuration payload (CP).
attr {
# <attr> is an attribute name or an integer, values can be an IP address,
# subnet or arbitrary value.
# <attr> =
dns = 192.168.2.20, 192.168.2.21
nbns = 172.16.1.2, 172.16.1.3
# the attribute for local-lan networks to be excluded from tunneling on the client
# #split-exclude = 10.0.0.0/8, 172.31.1.0/24
# the attribute for backup-server ipaddresses
28681 = 10.232.90.122, 10.232.90.124
# the attribute for default-domain name for the connected client
28674 = svt1test.com
# the attribute for split-dns domain names for the connected client
28675 = svt1test.com svt2test.com
# the attribute for unity banner name for the connected client
28672 = "Welcome ...You are Connected"
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
}
=========================
etc
etc
Now the issue observed is as below (the tunnel is reported as up, but the
traffic does not go through at all; note that the installed child SAs shown
below cover only the client gateway address, e.g. 192.168.12.0/24 === 1.1.1.2/32,
and not the client subnets configured in leftsubnet).
root at suram-OptiPlex-7010:/usr/local/etc# ipsec status
Security Associations (1 up, 0 connecting):
ezvpnserver1[1]: ESTABLISHED 16 minutes ago,
2.2.2.5[2.2.2.5]...1.1.1.2[grpname1]
ezvpnserver1{1}: REKEYING, TUNNEL, expires in 3 minutes
ezvpnserver1{1}: 192.168.12.0/24 === 1.1.1.2/32
ezvpnserver1{1}: REKEYING, TUNNEL, expires in 15 minutes
ezvpnserver1{1}: 192.168.12.0/24 === 1.1.1.2/32
ezvpnserver1{1}: INSTALLED, TUNNEL, ESP SPIs: cf16cf05_i c86dd568_o
ezvpnserver1{1}: 192.168.12.0/24 === 1.1.1.2/32
root at suram-OptiPlex-7010:/usr/local/etc# ipsec statusall
Status of IKE charon daemon (weakSwan 5.2.1, Linux 3.11.0-26-generic,
x86_64):
uptime: 18 minutes, since May 04 00:28:50 2015
malloc: sbrk 663552, mmap 0, used 555168, free 108384
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 4
loaded plugins: charon aes des blowfish rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm
curl attr kernel-netlink resolve socket-default farp stroke updown
eap-identity eap-sim eap-aka eap-simaka-pseudonym eap-md5 eap-gtc
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc
xauth-generic xauth-eap xauth-noauth tnc-tnccs dhcp error-notify unity
Listening IP addresses:
2.2.2.5
192.168.12.5
10.232.90.125
192.168.122.1
172.16.1.1
Connections:
ezvpnserver1: 2.2.2.5...%any IKEv1 Aggressive, dpddelay=30s
ezvpnserver1: local: [2.2.2.5] uses pre-shared key authentication
ezvpnserver1: remote: [grpname1] uses pre-shared key authentication
ezvpnserver1: remote: uses XAuth authentication: any
ezvpnserver1: child: 192.168.12.0/24 172.16.0.0/16 === dynamic TUNNEL,
dpdaction=clear
Security Associations (1 up, 0 connecting):
ezvpnserver1[1]: ESTABLISHED 17 minutes ago,
2.2.2.5[2.2.2.5]...1.1.1.2[grpname1]
ezvpnserver1[1]: Remote XAuth identity: user1
ezvpnserver1[1]: IKEv1 SPIs: 257bbf22658999eb_i e2852cfe548b691d_r*,
pre-shared key reauthentication in 33 minutes
ezvpnserver1[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ezvpnserver1{1}: REKEYING, TUNNEL, expires in 2 minutes
ezvpnserver1{1}: 192.168.12.0/24 === 1.1.1.2/32
ezvpnserver1{1}: REKEYING, TUNNEL, expires in 14 minutes
ezvpnserver1{1}: 192.168.12.0/24 === 1.1.1.2/32
ezvpnserver1{1}: INSTALLED, TUNNEL, ESP SPIs: cf16cf05_i c86dd568_o
ezvpnserver1{1}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in
2 minutes
ezvpnserver1{1}: 192.168.12.0/24 === 1.1.1.2/32
root at suram-OptiPlex-7010:/usr/local/etc#
root at OpenWrt:/etc# ipsec status
Security Associations (1 up, 0 connecting):
subntconn1[1]: ESTABLISHED 20 minutes ago,
1.1.1.2[grpname1]...2.2.2.5[2.2.2.5]
mainconn{1}: INSTALLED, TUNNEL, ESP SPIs: c86dd568_i cf16cf05_o
mainconn{1}: 1.1.1.2/32 === 192.168.12.0/24
mainconn{1}: INSTALLED, TUNNEL, ESP SPIs: c53c99e0_i c34bfdca_o
mainconn{1}: 1.1.1.2/32 === 192.168.12.0/24
root at OpenWrt:/etc#
root at OpenWrt:/etc#
root at OpenWrt:/etc# ip xfrm state
src 1.1.1.2 dst 2.2.2.5
proto esp spi 0xc34bfdca reqid 1 mode tunnel
replay-window 32
auth-trunc hmac(sha1) 0xd939e33400f702405d5cc2229228bdc8d29f2955 96
enc cbc(des3_ede) 0xe7b2a0b158ff3d666b1d30dfdf8fa6d8e1f99a820d7ea084
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 2.2.2.5 dst 1.1.1.2
proto esp spi 0xc53c99e0 reqid 1 mode tunnel
replay-window 32
auth-trunc hmac(sha1) 0xecc7c4f61cbeade1c2258e3f8e2fd8e10580d1ac 96
enc cbc(des3_ede) 0x9d5362ac74137929c1e66d1bd0098904ffbefb353911c8bf
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 1.1.1.2 dst 2.2.2.5
proto esp spi 0xcf16cf05 reqid 1 mode tunnel
replay-window 32
auth-trunc hmac(sha1) 0x0663a100a9b74f99cfc783f50afa76d1ee66a2fd 96
enc cbc(des3_ede) 0x26f824bce9c71b14d8194c397629a279b0c66142664c8637
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 2.2.2.5 dst 1.1.1.2
proto esp spi 0xc86dd568 reqid 1 mode tunnel
replay-window 32
auth-trunc hmac(sha1) 0x00485d7a2faa2f6766da23171c89f120a9278c8b 96
enc cbc(des3_ede) 0x0a471632c5aa6208ca8c26cd37071ddaaffa57fd5ad95eb7
sel src 0.0.0.0/0 dst 0.0.0.0/0
root at OpenWrt:/etc# ip xfrm policy
src 192.168.12.0/24 dst 1.1.1.2/32
dir fwd priority 1827
tmpl src 2.2.2.5 dst 1.1.1.2
proto esp reqid 1 mode tunnel
src 192.168.12.0/24 dst 1.1.1.2/32
dir in priority 1827
tmpl src 2.2.2.5 dst 1.1.1.2
proto esp reqid 1 mode tunnel
src 1.1.1.2/32 dst 192.168.12.0/24
dir out priority 1827
tmpl src 1.1.1.2 dst 2.2.2.5
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
root at OpenWrt:/etc#
=======================================================
On server-side
root at suram-OptiPlex-7010:~#
root at suram-OptiPlex-7010:~# ipsec status
Security Associations (1 up, 0 connecting):
ezvpnserver1[2]: ESTABLISHED 3 minutes ago,
2.2.2.5[2.2.2.5]...1.1.1.5[grpname1]
ezvpnserver1{1}: INSTALLED, TUNNEL, ESP SPIs: c25701e2_i caf30f13_o
ezvpnserver1{1}: 192.168.12.0/24 172.16.0.0/16 === 1.1.1.5/32
root at suram-OptiPlex-7010:~# ipsec statusall
Status of IKE charon daemon (weakSwan 5.2.1, Linux 3.11.0-26-generic,
x86_64):
uptime: 8 minutes, since May 04 01:31:33 2015
malloc: sbrk 663552, mmap 0, used 555168, free 108384
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 5
loaded plugins: charon aes des blowfish rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm
curl attr kernel-netlink resolve socket-default farp stroke updown
eap-identity eap-sim eap-aka eap-simaka-pseudonym eap-md5 eap-gtc
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc
xauth-generic xauth-eap xauth-noauth tnc-tnccs dhcp error-notify unity
Listening IP addresses:
2.2.2.5
192.168.12.5
10.232.90.125
192.168.122.1
172.16.1.1
Connections:
ezvpnserver1: 2.2.2.5...%any IKEv1 Aggressive, dpddelay=30s
ezvpnserver1: local: [2.2.2.5] uses pre-shared key authentication
ezvpnserver1: remote: [grpname1] uses pre-shared key authentication
ezvpnserver1: remote: uses XAuth authentication: any
ezvpnserver1: child: 192.168.12.0/24 172.16.0.0/16 === dynamic TUNNEL,
dpdaction=clear
Security Associations (1 up, 0 connecting):
ezvpnserver1[2]: ESTABLISHED 3 minutes ago,
2.2.2.5[2.2.2.5]...1.1.1.5[grpname1]
ezvpnserver1[2]: Remote XAuth identity: user2
ezvpnserver1[2]: IKEv1 SPIs: 500ff39dc6594249_i 42ade588961f947e_r*,
pre-shared key reauthentication in 39 minutes
ezvpnserver1[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ezvpnserver1{1}: INSTALLED, TUNNEL, ESP SPIs: c25701e2_i caf30f13_o
ezvpnserver1{1}: 3DES_CBC/HMAC_SHA1_96, 2356 bytes_i, 0 bytes_o, rekeying
in 17 seconds
ezvpnserver1{1}: 192.168.12.0/24 172.16.0.0/16 === 1.1.1.5/32
root at suram-OptiPlex-7010:~#
root at suram-OptiPlex-7010:~#
root at suram-OptiPlex-7010:~#
root at suram-OptiPlex-7010:~# ip xfrm state
src 2.2.2.5 dst 1.1.1.5
proto esp spi 0xc615b1cb reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xb7a9b68127289d00ae6fc8d0c589d17b89a9230e 96
enc cbc(des3_ede) 0x3356fe51ddbeaab6e8509adc83b4f2c0ca69aa5d7c90d2b6
src 1.1.1.5 dst 2.2.2.5
proto esp spi 0xcd9eb056 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xa85edfc052ccb2cf9658cbf7b24e1dbb541a4aa4 96
enc cbc(des3_ede) 0x7c08876a5b359835fbfe5a5b1ed310fb5379589c16b09a78
src 2.2.2.5 dst 1.1.1.5
proto esp spi 0xcaf30f13 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x7ce09d510a7266228f97f9e1f7a88bb2e7302c0d 96
enc cbc(des3_ede) 0x2f05d3d162128bf5ab004ef94d20d4b112e797f947198563
src 1.1.1.5 dst 2.2.2.5
proto esp spi 0xc25701e2 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xae657f83aad626b12e0a9f2440e9345edc66c0f5 96
enc cbc(des3_ede) 0xd92266439aa6957f2019e6394fe4d75c53c30ce55e5b410e
root at suram-OptiPlex-7010:~# ip xfrm policy
src 1.1.1.5/32 dst 172.16.0.0/16
dir fwd priority 2883
tmpl src 1.1.1.5 dst 2.2.2.5
proto esp reqid 1 mode tunnel
src 1.1.1.5/32 dst 172.16.0.0/16
dir in priority 2883
tmpl src 1.1.1.5 dst 2.2.2.5
proto esp reqid 1 mode tunnel
src 172.16.0.0/16 dst 1.1.1.5/32
dir out priority 2883
tmpl src 2.2.2.5 dst 1.1.1.5
proto esp reqid 1 mode tunnel
src 1.1.1.5/32 dst 192.168.12.0/24
dir fwd priority 2851
tmpl src 1.1.1.5 dst 2.2.2.5
proto esp reqid 1 mode tunnel
src 1.1.1.5/32 dst 192.168.12.0/24
dir in priority 2851
tmpl src 1.1.1.5 dst 2.2.2.5
proto esp reqid 1 mode tunnel
src 192.168.12.0/24 dst 1.1.1.5/32
dir out priority 2851
tmpl src 2.2.2.5 dst 1.1.1.5
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
root at suram-OptiPlex-7010:~#
==========================================