[strongSwan] Strongswan config different 'ike' values in end points
Jayapal Reddy
jayapalatiiit at gmail.com
Thu Nov 19 05:56:35 CET 2015
Hi,
I have a site-to-site VPN config where the ike value in the config differs
between the two endpoints. The VPN tunnel is coming up with this config. Is this
expected behavior, or is something wrong?
Router104: ike=aes128-sha1                     Router103: ike=3des-md5
Router104 ---------------public--------------Router103
root at r-104-QA:~# cat /etc/ipsec.d/ipsec.vpn-10.147.52.103.conf
conn vpn-10.147.52.103
    left=10.147.52.106
    leftsubnet=10.10.0.0/16
    leftnexthop=10.147.52.1
    right=10.147.52.103
    rightsubnet=192.168.0.0/16
    type=tunnel
    authby=secret
    keyexchange=ikev1
    ike=aes128-sha1
    ikelifetime=86400s
    esp=aes128-sha1
    lifetime=3600s
    pfs=no
    keyingtries=2
    auto=start
root at r-104-QA:~#
root at r-104-QA:~# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 169.254.2.237:4500
000 interface eth0/eth0 169.254.2.237:500
000 interface eth1/eth1 10.147.52.106:4500
000 interface eth1/eth1 10.147.52.106:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "L2TP-PSK": 172.26.0.151[172.26.0.151]:17/1701---10.147.52.1...%any[%any]:17/%any==={10.0.0.0/8}; unrouted; eroute owner: #0
000 "L2TP-PSK": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,8;
interface: ;
000 "L2TP-PSK": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpn-10.147.52.103":
10.10.0.0/16===10.147.52.106[10.147.52.106]---10.147.52.1...10.147.52.103[10.147.52.103]===192.168.0.0/16;
erouted; eroute owner: #11
000 "vpn-10.147.52.103": ike_life: 86400s; ipsec_life: 3600s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2
000 "vpn-10.147.52.103": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 16,16;
interface: eth1;
000 "vpn-10.147.52.103": newest ISAKMP SA: #8; newest IPsec SA: #11;
000 "vpn-10.147.52.103": IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1536
000 "vpn-10.147.52.103": ESP proposal: AES_CBC_128/HMAC_SHA1/<N/A>
000
000 #11: "vpn-10.147.52.103" STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 2366s; newest IPSEC; eroute owner
000 #11: "vpn-10.147.52.103" esp.ccd56ea8 at 10.147.52.103 (0 bytes)
esp.cd9efa23 at 10.147.52.106 (0 bytes); tunnel
000 #10: "vpn-10.147.52.103" STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 2599s
000 #10: "vpn-10.147.52.103" esp.c96e6831 at 10.147.52.103 (0 bytes)
esp.c59d350e at 10.147.52.106 (0 bytes); tunnel
000 #9: "vpn-10.147.52.103" STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 2674s
000 #9: "vpn-10.147.52.103" esp.c422c096 at 10.147.52.103 (0 bytes)
esp.c1444f5f at 10.147.52.106 (0 bytes); tunnel
000 #8: "vpn-10.147.52.103" STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 85088s; newest ISAKMP
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):
uptime: 13 minutes, since Nov 18 09:00:50 2015
malloc: sbrk 380928, mmap 0, used 245664, free 135264
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509
revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent
pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp
stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius
eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
169.254.2.237
10.147.52.106
Connections:
Security Associations:
none
root at r-104-QA:~#
root at r-103-QA:~# cat /etc/ipsec.d/ipsec.vpn-10.147.52.106.conf
conn vpn-10.147.52.106
    left=10.147.52.103
    leftsubnet=192.168.0.0/16
    leftnexthop=10.147.52.1
    right=10.147.52.106
    rightsubnet=10.10.0.0/16
    type=tunnel
    authby=secret
    keyexchange=ikev1
    ike=3des-md5
    ikelifetime=86400s
    esp=3des-md5
    lifetime=3600s
    pfs=no
    keyingtries=2
    auto=start
root at r-103-QA:~#
root at r-103-QA:~# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 169.254.1.56:4500
000 interface eth0/eth0 169.254.1.56:500
000 interface eth1/eth1 10.147.52.103:4500
000 interface eth1/eth1 10.147.52.103:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "L2TP-PSK": 172.26.0.151[172.26.0.151]:17/1701---10.147.52.1...%any[%any]:17/%any==={10.0.0.0/8}; unrouted; eroute owner: #0
000 "L2TP-PSK": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,8;
interface: ;
000 "L2TP-PSK": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpn-10.147.52.106":
192.168.0.0/16===10.147.52.103[10.147.52.103]---10.147.52.1...10.147.52.106[10.147.52.106]===10.10.0.0/16;
erouted; eroute owner: #15
000 "vpn-10.147.52.106": ike_life: 86400s; ipsec_life: 3600s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2
000 "vpn-10.147.52.106": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 16,16;
interface: eth1;
000 "vpn-10.147.52.106": newest ISAKMP SA: #12; newest IPsec SA: #15;
000 "vpn-10.147.52.106": IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1536
000 "vpn-10.147.52.106": ESP proposal: AES_CBC_128/HMAC_SHA1/<N/A>
000
000 #15: "vpn-10.147.52.106" STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 2974s; newest IPSEC; eroute owner
000 #15: "vpn-10.147.52.106" esp.cd9efa23 at 10.147.52.106 (0 bytes)
esp.ccd56ea8 at 10.147.52.103 (0 bytes); tunnel
000 #14: "vpn-10.147.52.106" STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 2974s
000 #14: "vpn-10.147.52.106" esp.c59d350e at 10.147.52.106 (0 bytes)
esp.c96e6831 at 10.147.52.103 (0 bytes); tunnel
000 #13: "vpn-10.147.52.106" STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 2974s
000 #13: "vpn-10.147.52.106" esp.c1444f5f at 10.147.52.106 (0 bytes)
esp.c422c096 at 10.147.52.103 (0 bytes); tunnel
000 #12: "vpn-10.147.52.106" STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 85774s; newest ISAKMP
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):
uptime: 16 minutes, since Nov 18 08:59:07 2015
malloc: sbrk 380928, mmap 0, used 245648, free 135280
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509
revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent
pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp
stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius
eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
169.254.1.56
10.147.52.103
Connections:
Security Associations:
none
Thanks,
Jayapal
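The check a practitioner wants here is whether the proposal pluto actually reports for the newest ISAKMP and IPsec SA matches the ike= and esp= lines in the conn block on disk. In the r-103 output above the file says 3des-md5 but "IKE proposal:" and "ESP proposal:" show AES_CBC_128/HMAC_SHA1. The script below is an added example for this thread, not strongSwan's own tooling and not code from the poster: it parses a conn block and the matching "proposal:" lines from `ipsec statusall`, reports any mismatch, and flags 3DES, MD5 and small MODP groups as weak. The keyword-to-transform table (ENC, INTEG, WEAK) is an assumed mapping that only covers the algorithms seen in the thread, and the sample inputs are constructed to mirror the two endpoints in the post.

```python
"""Compare configured ike=/esp= proposals with what pluto reports as negotiated.

Added example for the strongSwan users thread above; not strongSwan code.
Assumes the transform names pluto prints in `ipsec statusall`
(AES_CBC_128, HMAC_SHA1, 3DES_CBC, HMAC_MD5, MODP_1536).
"""
import re

# Constructed sample: the r-104 conn block and the proposal lines it reported.
R104_CONF = """\
conn vpn-10.147.52.103
    keyexchange=ikev1
    ike=aes128-sha1
    esp=aes128-sha1
"""
R104_STATUS = """\
000 "vpn-10.147.52.103": newest ISAKMP SA: #8; newest IPsec SA: #11;
000 "vpn-10.147.52.103": IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1536
000 "vpn-10.147.52.103": ESP proposal: AES_CBC_128/HMAC_SHA1/<N/A>
"""

# Constructed sample: the r-103 conn block (3des-md5) and what it reported.
R103_CONF = """\
conn vpn-10.147.52.106
    keyexchange=ikev1
    ike=3des-md5
    esp=3des-md5
"""
R103_STATUS = """\
000 "vpn-10.147.52.106": newest ISAKMP SA: #12; newest IPsec SA: #15;
000 "vpn-10.147.52.106": IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1536
000 "vpn-10.147.52.106": ESP proposal: AES_CBC_128/HMAC_SHA1/<N/A>
"""

# Assumed mapping from ipsec.conf keywords to pluto's transform names.
ENC = {"aes128": "AES_CBC_128", "aes192": "AES_CBC_192",
       "aes256": "AES_CBC_256", "3des": "3DES_CBC"}
INTEG = {"sha1": "HMAC_SHA1", "md5": "HMAC_MD5", "sha256": "HMAC_SHA2_256"}
# Transforms a reviewer would not want to see negotiated on a production tunnel.
WEAK = {"3DES_CBC", "HMAC_MD5", "MODP_1024", "MODP_768"}


def parse_conn(conf_text):
    """Return the conn name plus key=value parameters of one conn block."""
    params = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            params["name"] = line.split(None, 1)[1].strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def expected_transforms(spec):
    """'3des-md5' -> ('3DES_CBC', 'HMAC_MD5'); uses only the first proposal.

    A trailing '!' (strict) and any DH-group token after the integrity
    algorithm are ignored; pluto picks its own default group when none is set.
    """
    first = spec.rstrip("!").split(",")[0]
    enc, integ = first.split("-")[:2]
    return ENC[enc], INTEG[integ]


def parse_status(status_text, conn):
    """Return {'IKE': [transforms], 'ESP': [transforms]} for the named conn."""
    pattern = re.compile(r'^000 "' + re.escape(conn) +
                         r'": (IKE|ESP) proposal: (\S+)')
    proposals = {}
    for line in status_text.splitlines():
        match = pattern.match(line)
        if match:
            proposals[match.group(1)] = match.group(2).split("/")
    return proposals


def check(conf_text, status_text):
    """Return a list of findings; an empty list means config and SA agree."""
    conf = parse_conn(conf_text)
    negotiated = parse_status(status_text, conf["name"])
    findings = []
    for proto, key in (("IKE", "ike"), ("ESP", "esp")):
        if key not in conf:
            continue  # daemon defaults apply; nothing explicit to compare
        want = expected_transforms(conf[key])
        got = negotiated.get(proto)
        if got is None:
            findings.append(f"{proto}: no established SA reported for {conf['name']}")
            continue
        if tuple(got[:2]) != want:
            findings.append(f"{proto}: config wants {'/'.join(want)} "
                            f"but negotiated {'/'.join(got)}")
        for transform in got:
            if transform in WEAK:
                findings.append(f"{proto}: negotiated weak transform {transform}")
    return findings


if __name__ == "__main__":
    for label, conf, status in (("r-104", R104_CONF, R104_STATUS),
                                ("r-103", R103_CONF, R103_STATUS)):
        print(label, check(conf, status) or "OK")
```

Run against the two endpoints, r-104 comes back clean and r-103 reports an IKE and an ESP mismatch, which is exactly the discrepancy visible in the status output above. The mismatch test compares only encryption and integrity, so a group chosen by the daemon default does not count as drift, while the WEAK set still catches it if it is MODP_1024 or smaller.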