[strongSwan] Multiple Peers/Proposals Connection Failure

Eliguzel, Cem cem.eliguzel at siemens.com
Tue Nov 24 12:21:05 CET 2015


Thanks Andreas.

Looks like using the same multiple proposals for all connections (as you described below) is the only solution.

Regards,
Cem


-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Tuesday, November 24, 2015 11:23 AM
To: Eliguzel, Cem; users at lists.strongswan.org
Cc: Liebscher, Christian
Subject: Re: [strongSwan] Multiple Peers/Proposals Connection Failure

Hi,

this is a general problem with roadwarrior connection templates
where the two IKE_SAs are not bound to a remote IP address
but to two different IKE IDs. Since the IDi is transmitted
in the encrypted IKE_SA request message the IKE_SA cipher
suite must be chosen before the identity becomes known.

strongSwan does not try to find a match for a common cipher suite
but just chooses the first connection where remote_addrs = %any.

As a workaround assuming an honest VPN client, you could
just concatenate both cipher suites with varying positions:

device1: proposals = 3des-sha384-modp4096, 3des-sha384-modp8192

device2: proposals = 3des-sha384-modp8192, 3des-sha384-modp4096


or more concisely

device1: proposals = 3des-sha384-modp4096-modp8192

device2: proposals = 3des-sha384-modp8192-modp4096

Best regards

Andreas

On 24.11.2015 08:02, Eliguzel, Cem wrote:
> Hi,
>
> In our setup, we have multiple clients making ipsec connections to a
> server. So, in the server swanctl.conf, there are multiple connection
> entries.
>
> Phase1 proposals may be different for each connection. In our example
> phase1 proposals are as follows:
>
> device1: 3des-sha384-modp4096
>
> device2: 3des-sha384-modp8192
>
> But in such a case, one of the devices always fails due to invalid
> proposal (while the other one is successful). Here is the log from
> swanctl --log from the device1 connection attempt:
>
> 06[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096
>
> 06[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_8192
>
> 06[IKE] received proposals inacceptable
>
> Looks like the proposal from the first connection is selected as
> configured proposal and thus the second connection entry becomes invalid.
>
> Is this the expected behaviour?
>
> Here is the whole swanctl.conf:
>
> connections {
>
>     device2 {
>         local_addrs  = 172.31.254.127
>
>         local {
>             auth = pubkey
>             certs = srv.crt
>             id = "CN=172.31.254.127"
>         }
>         remote {
>             id = "CN=device2 at 4.1"
>             auth = pubkey
>         }
>         children {
>             net {
>                 local_ts = 10.0.3.0/24
>                 remote_ts = 10.0.5.0/24
>                 start_action = none
>                 updown = /path/to/script
>                 ah_proposals = sha256-modp1536
>                 rekey_time = 60m
>             }
>         }
>
>         version = 2
>         dpd_timeout = 120s
>         rekey_time = 180m
>         proposals = 3des-sha384-modp8192
>     }
>
>     device1 {
>         local_addrs  = 172.31.254.127
>
>         local {
>             auth = pubkey
>             certs = srv.crt
>             id = "CN=172.31.254.127"
>         }
>         remote {
>             id = "CN=device1 at 2.1"
>             auth = pubkey
>         }
>         children {
>             net {
>                 local_ts = 10.0.5.0/24
>                 remote_ts = 10.0.3.0/24
>                 start_action = none
>                 updown = /path/to/script
>                 ah_proposals = sha256-modp1536
>                 rekey_time = 60m
>             }
>         }
>
>         version = 2
>         dpd_timeout = 120s
>         rekey_time = 180m
>         proposals = 3des-sha384-modp4096
>     }
>
> }
>
> Kind regards
>
> Cem Eliguzel
>
> Siemens Sanayi ve Ticaret A.S.
>
> DF TI EVO TR
>
> 1000. Cd. 13. Sk. No: 1004 - Gebze
>
> 41480 Kocaeli, Türkei
>
> mailto:cem.eliguzel at siemens.com
>
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
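To make the selection order concrete, here is an added Python model (not strongSwan code) of the responder behaviour Andreas describes: the first template with remote_addrs = %any is chosen before the peer identity is known, and the exchange succeeds only if that template's expanded proposal set intersects what the initiator offers. It assumes the thread's simplified selection rule and a DH-group token list limited to the groups used in the thread; note that the union workaround also lets either peer settle on the smaller group, which is why Andreas qualifies it with an honest client.

```python
# Added example, not strongSwan code: models the responder-side selection
# Andreas describes (first template with remote_addrs = %any, chosen before
# IDi is known). The DH-group token list is an assumed subset.
DH_GROUPS = {"modp1536", "modp2048", "modp3072", "modp4096", "modp8192"}


def expand(proposal_str):
    """Expand a swanctl 'proposals' string into a set of concrete suites.
    Proposals are comma-separated, algorithms dash-separated; several DH
    groups in one proposal are alternatives, one suite per group."""
    suites = set()
    for proposal in proposal_str.split(","):
        tokens = [t.strip() for t in proposal.split("-") if t.strip()]
        groups = [t for t in tokens if t in DH_GROUPS]
        base = tuple(t for t in tokens if t not in DH_GROUPS)
        for group in groups or [None]:  # no group -> single suite
            suites.add(base + ((group,) if group else ()))
    return suites


def select_connection(connections):
    """Responder takes the first template whose remote_addrs is %any
    (the default); the remote id cannot be consulted at IKE_SA_INIT."""
    for name, conf in connections:
        if conf.get("remote_addrs", "%any") == "%any":
            return name, conf
    return None, None


def negotiate(connections, initiator_proposals):
    """Return (chosen connection, success) for one IKE_SA_INIT exchange."""
    name, conf = select_connection(connections)
    if conf is None:
        return None, False
    common = expand(conf["proposals"]) & expand(initiator_proposals)
    return name, bool(common)


# Constructed from the thread's swanctl.conf: device2 is listed first.
ORIGINAL = [
    ("device2", {"proposals": "3des-sha384-modp8192"}),
    ("device1", {"proposals": "3des-sha384-modp4096"}),
]
# Andreas's workaround: each template carries the union of both suites,
# so whichever template is picked first can still match either peer.
WORKAROUND = [
    ("device2", {"proposals": "3des-sha384-modp8192-modp4096"}),
    ("device1", {"proposals": "3des-sha384-modp4096-modp8192"}),
]
```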


