[strongSwan] Multiple Peers/Proposals Connection Failure
Eliguzel, Cem
cem.eliguzel at siemens.com
Tue Nov 24 08:02:52 CET 2015
Hi,
In our setup, we have multiple clients making IPsec connections to a server, so in the server's swanctl.conf there are multiple connection entries.
Phase 1 proposals may be different for each connection. In our example, the Phase 1 proposals are as follows:
device1: 3des-sha384-modp4096
device2: 3des-sha384-modp8192
But in such a case, one of the devices always fails due to an invalid proposal (while the other one is successful). Here is the log from swanctl --log from the device1 connection attempt:
06[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096
06[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_8192
06[IKE] received proposals inacceptable
Looks like the proposal from the first connection is selected as configured proposal and thus the second connection entry becomes invalid.
Is this the expected behaviour?
Here is the whole swanctl.conf:
connections {
    device2 {
        local_addrs = 172.31.254.127
        local {
            auth = pubkey
            certs = srv.crt
            id = "CN=172.31.254.127"
        }
        remote {
            id = "CN=device2 at 4.1"
            auth = pubkey
        }
        children {
            net {
                local_ts = 10.0.3.0/24
                remote_ts = 10.0.5.0/24
                start_action = none
                updown = /path/to/script
                ah_proposals = sha256-modp1536
                rekey_time = 60m
            }
        }
        version = 2
        dpd_timeout = 120s
        rekey_time = 180m
        proposals = 3des-sha384-modp8192
    }
    device1 {
        local_addrs = 172.31.254.127
        local {
            auth = pubkey
            certs = srv.crt
            id = "CN=172.31.254.127"
        }
        remote {
            id = "CN=device1 at 2.1"
            auth = pubkey
        }
        children {
            net {
                local_ts = 10.0.5.0/24
                remote_ts = 10.0.3.0/24
                start_action = none
                updown = /path/to/script
                ah_proposals = sha256-modp1536
                rekey_time = 60m
            }
        }
        version = 2
        dpd_timeout = 120s
        rekey_time = 180m
        proposals = 3des-sha384-modp4096
    }
}
Kind regards
Cem Eliguzel
Siemens Sanayi ve Ticaret A.S.
DF TI EVO TR
1000. Cd. 13. Sk. No: 1004 - Gebze
41480 Kocaeli, Turkey
mailto:cem.eliguzel at siemens.com
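Added example, not part of the original post or of strongSwan itself: a small diagnostic that reads the three charon log lines quoted above and names the transform type on which the peer's offer and the selected connection's configuration disagree. The log line format (`IKE:<encr>/<integ>/<prf>/<dh>`, several proposals separated by ", ") and the prefix-based classification of algorithm names are assumptions made here, not charon's own tables; the sample log is the one quoted in the post.

```python
"""Diagnose an IKE proposal mismatch from strongSwan (charon) log lines.

Parses the 'received proposals' / 'configured proposals' lines logged during
IKE_SA_INIT and reports the transform type(s) with no algorithm in common,
i.e. what would have to be added to the selected connection's proposals for
the two sides to agree.
"""
import re
from collections import defaultdict

# Constructed sample: the three lines quoted in the post above.
SAMPLE_LOG = [
    "06[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096",
    "06[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_8192",
    "06[IKE] received proposals inacceptable",
]

# Assumption: algorithm names can be classified by prefix (heuristic, not
# strongSwan's transform-type tables).
_DH_PREFIXES = ("MODP_", "ECP_", "CURVE_", "BRAINPOOL_")
_INTEG_PREFIXES = ("HMAC_", "AES_XCBC", "AES_CMAC", "AUTH_")
PROPOSAL_RE = re.compile(r"(received|configured) proposals: (.+)$")


def transform_type(alg):
    """Classify one algorithm token into encr / integ / prf / dh."""
    if alg.startswith("PRF_"):
        return "prf"
    if alg.startswith(_DH_PREFIXES):
        return "dh"
    if alg.startswith(_INTEG_PREFIXES):
        return "integ"
    return "encr"


def parse_proposal(text):
    """'IKE:3DES_CBC/HMAC_.../MODP_4096' -> ('IKE', {'encr': {'3DES_CBC'}, ...})."""
    proto, _, algs = text.partition(":")
    by_type = defaultdict(set)
    for alg in algs.split("/"):
        by_type[transform_type(alg)].add(alg)
    return proto, dict(by_type)


def parse_proposal_list(text):
    """Split a logged list such as 'IKE:A/B/C/D, IKE:E/F/G/H'."""
    return [parse_proposal(p.strip()) for p in text.split(",")]


def compare(received, configured):
    """Return {transform type: (received algs, configured algs)} for every
    type with no shared algorithm.  Empty means the proposals would match."""
    mismatched = {}
    for ttype in sorted(set(received) | set(configured)):
        common = received.get(ttype, set()) & configured.get(ttype, set())
        if not common:
            mismatched[ttype] = (sorted(received.get(ttype, ())),
                                 sorted(configured.get(ttype, ())))
    return mismatched


def diagnose(log_lines):
    """Scan log lines; for each 'received proposals inacceptable' return the
    smallest mismatch over all received/configured proposal pairs."""
    received = configured = None
    findings = []
    for line in log_lines:
        m = PROPOSAL_RE.search(line)
        if m:
            parsed = parse_proposal_list(m.group(2))
            if m.group(1) == "received":
                received = parsed
            else:
                configured = parsed
            continue
        if "received proposals inacceptable" in line and received and configured:
            best = None
            for _, r in received:
                for _, c in configured:
                    mm = compare(r, c)
                    if best is None or len(mm) < len(best):
                        best = mm
            findings.append(best)
            received = configured = None
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        for ttype, (got, want) in finding.items():
            print(f"{ttype}: peer offered {got}, selected connection configured {want}")
```

Run against the quoted log, the only reported difference is the DH group (MODP_4096 offered, MODP_8192 configured), which confirms that charon compared device1's offer against the proposals of the device2 connection.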