[strongSwan] issue with using leftsubnet/rightsubnet = %dynamic. Tunnels are not coming up

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Sun May 3 23:58:33 CEST 2015


Hi

I have 2 clients with multiple subnets behind them connecting to a single
Unity-supported VPN server which also has multiple subnets behind it.

All are using strongSwan v5.2.1. Now, can the config below on each of these
GWs work in successfully setting up tunnels and protecting the traffic between
the subnets through the IPsec tunnels once established? Modeconfig is meant
to be used to push all the other Unity options except the virtual IP, which
is NOT required in this case, because we want to protect subnets.

In summary, the usage of %dynamic in leftsubnet and/or rightsubnet is the
issue observed here.

On client-1
===========
- I have the below network config
root at OpenWrt:/etc# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:ED:CD:EF:AA:CC
          inet addr:1.1.1.2  Bcast:1.1.1.255  Mask:255.255.255.0
          inet6 addr: 2005::2/64 Scope:Global
          inet6 addr: fe80::2ed:cdff:feef:aacc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5976 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3697 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:641811 (626.7 KiB)  TX bytes:435798 (425.5 KiB)

eth1      Link encap:Ethernet  HWaddr 00:AA:BB:CC:DD:EE
          inet addr:169.254.0.1  Bcast:169.254.255.255  Mask:255.255.0.0
          inet6 addr: fe80::2aa:bbff:fecc:ddee/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:31 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2964 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:872 (872.0 B)  TX bytes:261270 (255.1 KiB)
          Interrupt:32

eth2      Link encap:Ethernet  HWaddr 00:16:19:2C:9D:18
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::216:19ff:fe2c:9d18/64 Scope:Link
          inet6 addr: 2007::1/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:39746 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8749 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3258891 (3.1 MiB)  TX bytes:848610 (828.7 KiB)

eth2.10   Link encap:Ethernet  HWaddr 00:16:19:2C:9D:18
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::216:19ff:fe2c:9d18/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2891 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:255624 (249.6 KiB)

eth2.5    Link encap:Ethernet  HWaddr 00:16:19:2C:9D:18
          inet addr:192.168.5.1  Bcast:192.168.5.255  Mask:255.255.255.0
          inet6 addr: fe80::216:19ff:fe2c:9d18/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2892 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:255694 (249.7 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:108 errors:0 dropped:0 overruns:0 frame:0
          TX packets:108 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8596 (8.3 KiB)  TX bytes:8596 (8.3 KiB)

root at OpenWrt:/etc#


- and I have used the following sample config (for IKEv1 support for
multiple subnets)
- Here on this client-gw1 I have to protect traffic from 192.168.1.0/24,
192.168.5.0/24 and 192.168.10.0/24
--------------
ipsec.conf
------------
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        strictcrlpolicy=no

conn %default
        rekeymargin=9m
        keyingtries=1
        mobike=no
        dpdaction=restart
        dpddelay=30
        dpdtimeout=120

conn subntconn1
        leftsubnet=192.168.1.0/24
        also=mainconn

conn subntconn2
        leftsubnet=192.168.5.0/24
        also=mainconn

conn subntconn3
        leftsubnet=192.168.10.0/24
        also=mainconn

conn mainconn
        aggressive=yes
        left=1.1.1.2
        right=2.2.2.5
        rightsubnet=0.0.0.0/0
        modeconfig=pull
        leftauth=psk
        rightauth=psk
        leftauth2=xauth
        leftid=@grpname1
        rightid=2.2.2.5
        type=tunnel
        keyexchange=ikev1
        ike=3des-sha1-modp1024
        esp=3des-sha1
        ikelifetime=60m
        keylife=20m
        xauth=client
        xauth_identity=user1
        auto=add
root at OpenWrt:/etc#
root at OpenWrt:/etc# cat ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
@grpname1 2.2.2.5 : PSK "123456"
user1 : XAUTH "config123"
root at OpenWrt:/etc#

===================================================

On client-2 GW
- here I have to protect 2 subnets behind this client-gw2 (192.168.11.0/24
and 192.168.15.0)
-----------------
ipsec.conf
-------------

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        strictcrlpolicy=no

conn %default
        rekeymargin=9m
        keyingtries=1
        mobike=no
        dpdaction=restart
        dpddelay=30
        dpdtimeout=120

conn mainconn2
        aggressive=yes
        left=1.1.1.5
        leftsubnet=%dynamic
        right=2.2.2.5
        rightsubnet=0.0.0.0/0
        modeconfig=pull
        leftauth=psk
        rightauth=psk
        leftauth2=xauth
        leftid=@grpname1
        rightid=2.2.2.5
        type=tunnel
        keyexchange=ikev1
        ike=3des-sha1-modp1024
        esp=3des-sha1
        ikelifetime=60m
        keylife=20m
        xauth=client
        xauth_identity=user1
        auto=add
root at OpenWrt:/etc#
===================================================


On Server-side
================

- Here we need to protect multiple subnets behind this server (such as
192.168.2.0/24, 172.16.0.0/16, etc.)
- This also should assign split-tunnel, split-DNS, DNS/WINS, backup-server
IP addresses, default-domain, etc.

root at suram-OptiPlex-7010:/usr/local/etc# cat ipsec.conf
#/etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        strictcrlpolicy=no
        charondebug="ike 3, knl 1, cfg 3, chd 2, net 2, dmn 1, enc 2"

conn %default
        rekeymargin=9m
        keyingtries=1
        mobike=no
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=clear

conn ezvpnserver1
        aggressive=yes
        left=2.2.2.5
        leftsubnet=192.168.12.0/24,172.16.0.0/16
        right=%any
        rightsubnet=%dynamic
        leftid=2.2.2.5
        rightid=@grpname1
        leftauth=psk
        rightauth=psk
        rightauth2=xauth
        keyexchange=ikev1
        ike=3des-sha1-modp1024
        esp=3des-sha1
        ikelifetime=60m
        keylife=20m
        xauth=server
        auto=add
root at suram-OptiPlex-7010:/usr/local/etc# cat ipsec.secrets
#/etc/ipsec.secrets - strongSwan IPsec secrets file
2.2.2.5 @grpname1 : PSK "123456"
user1 : XAUTH "config123"
user2 : XAUTH "config1234"
user3 : XAUTH "config12345"
root at suram-OptiPlex-7010:/usr/local/etc#

=============================================================

On the server, the attr.conf file is as below
- also enabled the unity plugin and the settings for supporting aggressive mode

# Section to specify arbitrary attributes that are assigned to a peer via
# configuration payload (CP).
attr {

    # <attr> is an attribute name or an integer, values can be an IP address,
    # subnet or arbitrary value.
    # <attr> =
    dns = 192.168.2.20, 192.168.2.21
    nbns = 172.16.1.2, 172.16.1.3
    # the attribute for local-lan networks to be excluded from tunneling on
    # the client
    #split-exclude = 10.0.0.0/8, 172.31.1.0/24
    # the attribute for backup-server ipaddresses
    28681 = 10.232.90.122, 10.232.90.124
    # the attribute for default-domain name for the connected client
    28674 = svt1test.com
    # the attribute for split-dns domain names for the connected client
    28675 = svt1test.com svt2test.com
    # the attribute for unity banner name for the connected client
    28672 = "Welcome ...You are Connected"
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

}
=========================
etc.

Now the issue observed is as below (the tunnel is so-called up, but the
traffic does not go through at all):

root at suram-OptiPlex-7010:/usr/local/etc# ipsec status
Security Associations (1 up, 0 connecting):
ezvpnserver1[1]: ESTABLISHED 16 minutes ago,
2.2.2.5[2.2.2.5]...1.1.1.2[grpname1]
ezvpnserver1{1}:  REKEYING, TUNNEL, expires in 3 minutes
ezvpnserver1{1}:   192.168.12.0/24 === 1.1.1.2/32
ezvpnserver1{1}:  REKEYING, TUNNEL, expires in 15 minutes
ezvpnserver1{1}:   192.168.12.0/24 === 1.1.1.2/32
ezvpnserver1{1}:  INSTALLED, TUNNEL, ESP SPIs: cf16cf05_i c86dd568_o
ezvpnserver1{1}:   192.168.12.0/24 === 1.1.1.2/32
root at suram-OptiPlex-7010:/usr/local/etc# ipsec statusall
Status of IKE charon daemon (weakSwan 5.2.1, Linux 3.11.0-26-generic,
x86_64):
  uptime: 18 minutes, since May 04 00:28:50 2015
  malloc: sbrk 663552, mmap 0, used 555168, free 108384
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 4
  loaded plugins: charon aes des blowfish rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm
curl attr kernel-netlink resolve socket-default farp stroke updown
eap-identity eap-sim eap-aka eap-simaka-pseudonym eap-md5 eap-gtc
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc
xauth-generic xauth-eap xauth-noauth tnc-tnccs dhcp error-notify unity
Listening IP addresses:
  2.2.2.5
  192.168.12.5
  10.232.90.125
  192.168.122.1
  172.16.1.1
Connections:
ezvpnserver1:  2.2.2.5...%any  IKEv1 Aggressive, dpddelay=30s
ezvpnserver1:   local:  [2.2.2.5] uses pre-shared key authentication
ezvpnserver1:   remote: [grpname1] uses pre-shared key authentication
ezvpnserver1:   remote: uses XAuth authentication: any
ezvpnserver1:   child:  192.168.12.0/24 172.16.0.0/16 === dynamic TUNNEL,
dpdaction=clear
Security Associations (1 up, 0 connecting):
ezvpnserver1[1]: ESTABLISHED 17 minutes ago,
2.2.2.5[2.2.2.5]...1.1.1.2[grpname1]
ezvpnserver1[1]: Remote XAuth identity: user1
ezvpnserver1[1]: IKEv1 SPIs: 257bbf22658999eb_i e2852cfe548b691d_r*,
pre-shared key reauthentication in 33 minutes
ezvpnserver1[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ezvpnserver1{1}:  REKEYING, TUNNEL, expires in 2 minutes
ezvpnserver1{1}:   192.168.12.0/24 === 1.1.1.2/32
ezvpnserver1{1}:  REKEYING, TUNNEL, expires in 14 minutes
ezvpnserver1{1}:   192.168.12.0/24 === 1.1.1.2/32
ezvpnserver1{1}:  INSTALLED, TUNNEL, ESP SPIs: cf16cf05_i c86dd568_o
ezvpnserver1{1}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in
2 minutes
ezvpnserver1{1}:   192.168.12.0/24 === 1.1.1.2/32
root at suram-OptiPlex-7010:/usr/local/etc#

root at OpenWrt:/etc# ipsec status
Security Associations (1 up, 0 connecting):
  subntconn1[1]: ESTABLISHED 20 minutes ago,
1.1.1.2[grpname1]...2.2.2.5[2.2.2.5]
    mainconn{1}:  INSTALLED, TUNNEL, ESP SPIs: c86dd568_i cf16cf05_o
    mainconn{1}:   1.1.1.2/32 === 192.168.12.0/24
    mainconn{1}:  INSTALLED, TUNNEL, ESP SPIs: c53c99e0_i c34bfdca_o
    mainconn{1}:   1.1.1.2/32 === 192.168.12.0/24
root at OpenWrt:/etc#
root at OpenWrt:/etc#
root at OpenWrt:/etc# ip xfrm state
src 1.1.1.2 dst 2.2.2.5
        proto esp spi 0xc34bfdca reqid 1 mode tunnel
        replay-window 32
        auth-trunc hmac(sha1) 0xd939e33400f702405d5cc2229228bdc8d29f2955 96
        enc cbc(des3_ede) 0xe7b2a0b158ff3d666b1d30dfdf8fa6d8e1f99a820d7ea084
        sel src 0.0.0.0/0 dst 0.0.0.0/0
src 2.2.2.5 dst 1.1.1.2
        proto esp spi 0xc53c99e0 reqid 1 mode tunnel
        replay-window 32
        auth-trunc hmac(sha1) 0xecc7c4f61cbeade1c2258e3f8e2fd8e10580d1ac 96
        enc cbc(des3_ede) 0x9d5362ac74137929c1e66d1bd0098904ffbefb353911c8bf
        sel src 0.0.0.0/0 dst 0.0.0.0/0
src 1.1.1.2 dst 2.2.2.5
        proto esp spi 0xcf16cf05 reqid 1 mode tunnel
        replay-window 32
        auth-trunc hmac(sha1) 0x0663a100a9b74f99cfc783f50afa76d1ee66a2fd 96
        enc cbc(des3_ede) 0x26f824bce9c71b14d8194c397629a279b0c66142664c8637
        sel src 0.0.0.0/0 dst 0.0.0.0/0
src 2.2.2.5 dst 1.1.1.2
        proto esp spi 0xc86dd568 reqid 1 mode tunnel
        replay-window 32
        auth-trunc hmac(sha1) 0x00485d7a2faa2f6766da23171c89f120a9278c8b 96
        enc cbc(des3_ede) 0x0a471632c5aa6208ca8c26cd37071ddaaffa57fd5ad95eb7
        sel src 0.0.0.0/0 dst 0.0.0.0/0
root at OpenWrt:/etc# ip xfrm policy
src 192.168.12.0/24 dst 1.1.1.2/32
        dir fwd priority 1827
        tmpl src 2.2.2.5 dst 1.1.1.2
                proto esp reqid 1 mode tunnel
src 192.168.12.0/24 dst 1.1.1.2/32
        dir in priority 1827
        tmpl src 2.2.2.5 dst 1.1.1.2
                proto esp reqid 1 mode tunnel
src 1.1.1.2/32 dst 192.168.12.0/24
        dir out priority 1827
        tmpl src 1.1.1.2 dst 2.2.2.5
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
root at OpenWrt:/etc#
=======================================================


On server-side

root at suram-OptiPlex-7010:~#
root at suram-OptiPlex-7010:~# ipsec status
Security Associations (1 up, 0 connecting):
ezvpnserver1[2]: ESTABLISHED 3 minutes ago,
2.2.2.5[2.2.2.5]...1.1.1.5[grpname1]
ezvpnserver1{1}:  INSTALLED, TUNNEL, ESP SPIs: c25701e2_i caf30f13_o
ezvpnserver1{1}:   192.168.12.0/24 172.16.0.0/16 === 1.1.1.5/32
root at suram-OptiPlex-7010:~# ipsec statusall
Status of IKE charon daemon (weakSwan 5.2.1, Linux 3.11.0-26-generic,
x86_64):
  uptime: 8 minutes, since May 04 01:31:33 2015
  malloc: sbrk 663552, mmap 0, used 555168, free 108384
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 5
  loaded plugins: charon aes des blowfish rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm
curl attr kernel-netlink resolve socket-default farp stroke updown
eap-identity eap-sim eap-aka eap-simaka-pseudonym eap-md5 eap-gtc
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc
xauth-generic xauth-eap xauth-noauth tnc-tnccs dhcp error-notify unity
Listening IP addresses:
  2.2.2.5
  192.168.12.5
  10.232.90.125
  192.168.122.1
  172.16.1.1
Connections:
ezvpnserver1:  2.2.2.5...%any  IKEv1 Aggressive, dpddelay=30s
ezvpnserver1:   local:  [2.2.2.5] uses pre-shared key authentication
ezvpnserver1:   remote: [grpname1] uses pre-shared key authentication
ezvpnserver1:   remote: uses XAuth authentication: any
ezvpnserver1:   child:  192.168.12.0/24 172.16.0.0/16 === dynamic TUNNEL,
dpdaction=clear
Security Associations (1 up, 0 connecting):
ezvpnserver1[2]: ESTABLISHED 3 minutes ago,
2.2.2.5[2.2.2.5]...1.1.1.5[grpname1]
ezvpnserver1[2]: Remote XAuth identity: user2
ezvpnserver1[2]: IKEv1 SPIs: 500ff39dc6594249_i 42ade588961f947e_r*,
pre-shared key reauthentication in 39 minutes
ezvpnserver1[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ezvpnserver1{1}:  INSTALLED, TUNNEL, ESP SPIs: c25701e2_i caf30f13_o
ezvpnserver1{1}:  3DES_CBC/HMAC_SHA1_96, 2356 bytes_i, 0 bytes_o, rekeying
in 17 seconds
ezvpnserver1{1}:   192.168.12.0/24 172.16.0.0/16 === 1.1.1.5/32
root at suram-OptiPlex-7010:~#



root at suram-OptiPlex-7010:~#
root at suram-OptiPlex-7010:~#
root at suram-OptiPlex-7010:~# ip xfrm state
src 2.2.2.5 dst 1.1.1.5
        proto esp spi 0xc615b1cb reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xb7a9b68127289d00ae6fc8d0c589d17b89a9230e 96
        enc cbc(des3_ede) 0x3356fe51ddbeaab6e8509adc83b4f2c0ca69aa5d7c90d2b6
src 1.1.1.5 dst 2.2.2.5
        proto esp spi 0xcd9eb056 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xa85edfc052ccb2cf9658cbf7b24e1dbb541a4aa4 96
        enc cbc(des3_ede) 0x7c08876a5b359835fbfe5a5b1ed310fb5379589c16b09a78
src 2.2.2.5 dst 1.1.1.5
        proto esp spi 0xcaf30f13 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x7ce09d510a7266228f97f9e1f7a88bb2e7302c0d 96
        enc cbc(des3_ede) 0x2f05d3d162128bf5ab004ef94d20d4b112e797f947198563
src 1.1.1.5 dst 2.2.2.5
        proto esp spi 0xc25701e2 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xae657f83aad626b12e0a9f2440e9345edc66c0f5 96
        enc cbc(des3_ede) 0xd92266439aa6957f2019e6394fe4d75c53c30ce55e5b410e
root at suram-OptiPlex-7010:~# ip xfrm policy
src 1.1.1.5/32 dst 172.16.0.0/16
        dir fwd priority 2883
        tmpl src 1.1.1.5 dst 2.2.2.5
                proto esp reqid 1 mode tunnel
src 1.1.1.5/32 dst 172.16.0.0/16
        dir in priority 2883
        tmpl src 1.1.1.5 dst 2.2.2.5
                proto esp reqid 1 mode tunnel
src 172.16.0.0/16 dst 1.1.1.5/32
        dir out priority 2883
        tmpl src 2.2.2.5 dst 1.1.1.5
                proto esp reqid 1 mode tunnel
src 1.1.1.5/32 dst 192.168.12.0/24
        dir fwd priority 2851
        tmpl src 1.1.1.5 dst 2.2.2.5
                proto esp reqid 1 mode tunnel
src 1.1.1.5/32 dst 192.168.12.0/24
        dir in priority 2851
        tmpl src 1.1.1.5 dst 2.2.2.5
                proto esp reqid 1 mode tunnel
src 192.168.12.0/24 dst 1.1.1.5/32
        dir out priority 2851
        tmpl src 2.2.2.5 dst 1.1.1.5
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
root at suram-OptiPlex-7010:~#

==========================================
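A check worth running on either gateway after reading status output like the above, added here as an example and not code from the original post or from the strongSwan project: it parses the conn sections of ipsec.conf (resolving conn %default and also= the way the starter does, with the including section's own keys taking precedence), expands %dynamic, or an omitted leftsubnet, to the gateway's own IKE address, and then matches every configured local subnet against the `dir out` entries of `ip xfrm policy`. The sample inputs are constructed from client-1's ipsec.conf and policy listing in the post; the function names and the report format are the example's own. On client-1's data it reports each 192.168.x.0/24 subnet as having no outbound policy at all, with only 1.1.1.2/32 (what %dynamic resolves to) covered, which is exactly why the SAs are "up" while the subnet traffic never enters the tunnel.

```python
"""Compare the local subnets ipsec.conf asks strongSwan to protect with the
policies the kernel actually installed (ip xfrm policy).

Added example; not code from the original post or from the strongSwan
project. Function names, the report format and the SAMPLE_* inputs are the
example's own; the samples are constructed from client-1's output above.
"""
import ipaddress
import re

# Constructed from the client-1 ipsec.conf in the post (comments dropped).
SAMPLE_IPSEC_CONF = """\
config setup
        strictcrlpolicy=no

conn %default
        keyingtries=1

conn subntconn1
        leftsubnet=192.168.1.0/24
        also=mainconn

conn subntconn2
        leftsubnet=192.168.5.0/24
        also=mainconn

conn subntconn3
        leftsubnet=192.168.10.0/24
        also=mainconn

conn mainconn
        left=1.1.1.2
        right=2.2.2.5
        rightsubnet=0.0.0.0/0
        keyexchange=ikev1
        auto=add
"""

# Constructed from the client-1 `ip xfrm policy` listing in the post.
SAMPLE_XFRM_POLICY = """\
src 192.168.12.0/24 dst 1.1.1.2/32
        dir fwd priority 1827
        tmpl src 2.2.2.5 dst 1.1.1.2
                proto esp reqid 1 mode tunnel
src 192.168.12.0/24 dst 1.1.1.2/32
        dir in priority 1827
        tmpl src 2.2.2.5 dst 1.1.1.2
                proto esp reqid 1 mode tunnel
src 1.1.1.2/32 dst 192.168.12.0/24
        dir out priority 1827
        tmpl src 1.1.1.2 dst 2.2.2.5
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}; 'also' is kept as a list of names.
    Only 'conn' sections matter here; 'config setup' is skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                      # section header line
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "also":
            current.setdefault("also", []).append(value)
        else:
            current[key] = value
    return sections


def resolve_conn(sections, name, _seen=frozenset()):
    """Flatten a conn: conn %default supplies defaults, also= targets are
    merged next, and the conn's own keys take precedence over both."""
    if name in _seen:
        raise ValueError("also= cycle involving %s" % name)
    own = sections[name]
    merged = {}
    if name != "%default" and "%default" in sections:
        merged.update({k: v for k, v in sections["%default"].items() if k != "also"})
    for target in own.get("also", []):
        merged.update(resolve_conn(sections, target, _seen | {name}))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged


def expected_local_subnets(conn):
    """leftsubnet as a list of networks. %dynamic (also what an omitted
    leftsubnet means) is the gateway's own IKE address as a /32."""
    nets = []
    for item in conn.get("leftsubnet", "%dynamic").split(","):
        item = item.strip()
        if item == "%dynamic":
            item = conn["left"]                        # host address -> /32
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


_SEL_RE = re.compile(r"^src (\S+) dst (\S+)$")
_DIR_RE = re.compile(r"^\s+dir (in|out|fwd) ")


def parse_xfrm_policies(text):
    """Return [(direction, src_net, dst_net)] for real policies; the
    per-socket bypass entries ('socket in/out') carry no 'dir' line."""
    policies, selector = [], None
    for line in text.splitlines():
        m = _SEL_RE.match(line)
        if m:
            selector = (ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)))
            continue
        m = _DIR_RE.match(line)
        if m and selector:
            policies.append((m.group(1), selector[0], selector[1]))
            selector = None
    return policies


def coverage_report(conf_text, xfrm_text, conn_names):
    """For each configured local subnet, list the 'dir out' policies whose
    source selector contains it. An empty list means the kernel has no
    IPsec policy for that subnet's traffic, however many SAs are up."""
    sections = parse_ipsec_conf(conf_text)
    outbound = [(s, d) for dirn, s, d in parse_xfrm_policies(xfrm_text) if dirn == "out"]
    report = {}
    for name in conn_names:
        for net in expected_local_subnets(resolve_conn(sections, name)):
            covering = ["%s -> %s" % (s, d) for s, d in outbound
                        if s.version == net.version and net.subnet_of(s)]
            report["%s:%s" % (name, net)] = covering
    return report


if __name__ == "__main__":
    conns = ["subntconn1", "subntconn2", "subntconn3", "mainconn"]
    for key, covering in coverage_report(SAMPLE_IPSEC_CONF, SAMPLE_XFRM_POLICY, conns).items():
        print("%-28s %s" % (key, ", ".join(covering) or "NOT PROTECTED"))
```

On a live gateway, feed it the real files and `ip xfrm policy` output instead of the constructed samples; any configured subnet that comes back empty is traffic the kernel will not steer into the tunnel, regardless of what `ipsec status` says about the SAs.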