[strongSwan] StrongSwan 5.3.3 / iOS 9.1 split-exclude does not work

Michael Stiller ms at 2scale.net
Tue Nov 3 11:37:34 CET 2015


Hi,

I have a working setup of StrongSwan with (iOS) clients and want to exclude some subnets from the VPN
using "split-exclude". This does not work; any suggestions on this?

This is my setup:

Server: Linux 3.13, StrongSwan 5.3.3 (also tried strongswan-5.1.2)
Client: iPhone 6, iOS 9.1 (13B143)

Server config:

conn ike1
        keyexchange=ikev1
        authby=xauthrsasig
        auto=add
        dpdaction=clear
        left=172.31.20.201
        leftsubnet=0.0.0.0/0
        leftcert=serverCert.pem
        rightcert=clientCert.pem
        rightsourceip=%radius
        type=tunnel
        xauth=server

ipsec statusall:

Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.13.0-66-generic, x86_64):
  uptime: 9 minutes, since Nov 03 08:40:35 2015
  malloc: sbrk 2433024, mmap 0, used 431856, free 2001168
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 25
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-radius xauth-generic addrblock
Listening IP addresses:
  172.31.20.201
Connections:
        ike1:  172.31.20.201...%any  IKEv1, dpddelay=30s
        ike1:   local:  [172.31.20.201] uses public key authentication
        ike1:    cert:  "C=DE, O=2scale GmbH, CN=REDACTED"
        ike1:   remote: [C=DE, O=2scale GmbH, CN=client] uses public key authentication
        ike1:    cert:  "C=DE, O=2scale GmbH, CN=client"
        ike1:   remote: uses XAuth authentication: any
        ike1:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
        ike1[19]: ESTABLISHED 8 seconds ago, 172.31.20.201[172.31.20.201]...REDACTED[C=DE, O=2scale GmbH, CN=client]
        ike1[19]: Remote XAuth identity: REDACTED
        ike1[19]: IKEv1 SPIs: aa5a0c1810d42c43_i 4153f0344cbc76bf_r*, public key reauthentication in 2 hours
        ike1[19]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
        ike1{18}:  INSTALLED, TUNNEL, reqid 18, ESP in UDP SPIs: c89ab56a_i 00860e4a_o
        ike1{18}:  AES_CBC_128/HMAC_SHA1_96, 5514 bytes_i (20 pkts, 6s ago), 3943 bytes_o (17 pkts, 6s ago), rekeying in 45 minutes
        ike1{18}:   0.0.0.0/0 === 10.1.0.1/32

Everything is working fine.

Now a subnet should be excluded from the VPN; I tried to configure it this way:

/etc/strongswan.d/charon/attr.conf:

attr {
    load = yes
    split-exclude = REDACTED/24
}

If this config is active, that subnet is not reachable from the
client anymore but everything else works as expected.
Digging in the archives I tried the suggestion by Tobias Brunner in
https://wiki.strongswan.org/issues/635, define all subnets except
the unwanted ones as leftsubnet and remove split-exclude. This
looks like this:

ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.13.0-66-generic, x86_64):
  uptime: 22 seconds, since Nov 03 09:08:23 2015
  malloc: sbrk 2433024, mmap 0, used 445680, free 1987344
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-radius xauth-generic addrblock
Listening IP addresses:
  172.31.20.201
Connections:
        ike1:  172.31.20.201...%any  IKEv1, dpddelay=30s
        ike1:   local:  [172.31.20.201] uses public key authentication
        ike1:    cert:  "C=DE, O=2scale GmbH, CN=52.28.184.188"
        ike1:   remote: [C=DE, O=2scale GmbH, CN=client] uses public key authentication
        ike1:    cert:  "C=DE, O=2scale GmbH, CN=client"
        ike1:   remote: uses XAuth authentication: any
        ike1:   child:  0.0.0.0/2 64.0.0.0/4 80.0.0.0/8 ...REDACTED... 88.0.0.0/5 96.0.0.0/3 128.0.0.0/1 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
        ike1[1]: ESTABLISHED 3 seconds ago, 172.31.20.201[172.31.20.201]...91.19.106.128[C=DE, O=2scale GmbH, CN=client]
        ike1[1]: Remote XAuth identity: ms_be
        ike1[1]: IKEv1 SPIs: 454ef16fe08f14a4_i 81ff175094e31b38_r*, public key reauthentication in 2 hours
        ike1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
        ike1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cae3191f_i 06a964ce_o
        ike1{1}:  AES_CBC_128/HMAC_SHA1_96, 624 bytes_i, 0 bytes_o, rekeying in 42 minutes
        ike1{1}:   0.0.0.0/2 === 10.1.0.1/32

Now only TCP/IP connections matching 0.0.0.0/2 work, e.g. a traceroute to 8.8.8.8.

This was configured like this:

leftsubnet=0.0.0.0/2,64.0.0.0/4,80.0.0.0/8,...,128.0.0.0/1

Any clues?

I tried to configure IKEv2 using the iOS GUI config, but had no success so far.
Would anyone share a working IKEv2 config with iOS 9.1 which is multi-client and
GUI configurable?

Best regards,

Michael

-- 
2scale GmbH, Schanzenstr. 20, 40549 Düsseldorf
Amtsgericht:      Düsseldorf HRB 50718
Geschäftsführer:  Georg von Zezschwitz, Dirk Vleugels
USt-IdNr.:        DE 210936505
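The leftsubnet workaround described in the post (list every block of IPv4 space except the subnet to exclude) can be computed rather than typed by hand. The following is an added example, not code from the post or from the strongSwan project; it uses Python's standard ipaddress module, and the excluded range 192.0.2.0/24 is a constructed stand-in for the redacted /24.

```python
# Added example (not from the post or strongSwan): compute the CIDR list that
# covers all IPv4 space except the subnets to exclude, i.e. the leftsubnet=
# value the post built manually instead of using split-exclude.
import ipaddress


def complement_networks(excluded, universe="0.0.0.0/0"):
    """Return the minimal list of networks covering `universe` minus `excluded`.

    Each excluded entry is a CIDR string; host bits are tolerated
    (strict=False), so "10.1.2.3/24" is treated as 10.1.2.0/24.
    """
    remaining = [ipaddress.ip_network(universe)]
    for ex in excluded:
        ex_net = ipaddress.ip_network(ex, strict=False)
        updated = []
        for net in remaining:
            if net.subnet_of(ex_net):
                continue                                      # swallowed, drop it
            if ex_net.subnet_of(net):
                updated.extend(net.address_exclude(ex_net))   # split around it
            else:
                updated.append(net)                           # disjoint, keep
        remaining = updated
    # Merge adjacent blocks so the selector list stays as short as possible.
    return list(ipaddress.collapse_addresses(remaining))


def leftsubnet_line(excluded):
    """Format the complement as an ipsec.conf leftsubnet= value."""
    return "leftsubnet=" + ",".join(str(n) for n in complement_networks(excluded))


def covers(networks, address):
    """True if `address` falls inside any network of the list (i.e. is tunnelled)."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in networks)


if __name__ == "__main__":
    # Constructed example: exclude the documentation range 192.0.2.0/24.
    nets = complement_networks(["192.0.2.0/24"])
    print(leftsubnet_line(["192.0.2.0/24"]))
    print(len(nets), "selectors; 192.0.2.5 tunnelled:", covers(nets, "192.0.2.5"))
```

Note that the post's second statusall shows only the first selector (0.0.0.0/2) installed in the CHILD_SA, so a list like this only helps if the client negotiates every entry.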