[strongSwan] Reg : Protocol specific encryption in Strongswan 5.3

Sindhu S. (sins) sins at cisco.com
Wed Oct 7 12:32:09 CEST 2015


Hi Noel,

Thanks for the response.
I have tried that option, but I'm seeing the same problem.
Some config details:

On DevA:

        left=fe80::20c:29ff:fea8:e174%eth1
        leftid=fe80::20c:29ff:fea8:e174
        right=fe80::20c:29ff:feb2:ae2f%eth1
        rightid=fe80::20c:29ff:feb2:ae2f
        auto=add
        ike=aes128-aes192-aes256-sha256-sha384-sha512-sha-md5-prfsha512-prfsha384-prfsha256-prfmd5-modp1024-modp1536!
        esp=aes,sha!
        keyexchange=ikev2
        type=transport
        leftsubnet=%dynamic[gre]
        rightsubnet=%dynamic[gre]

On DevB:

        left=fe80::20c:29ff:feb2:ae2f%eth1
        leftid=fe80::20c:29ff:feb2:ae2f
        right=fe80::20c:29ff:fea8:e174%eth1
        rightid=fe80::20c:29ff:fea8:e174
        ike=aes128-aes192-aes256-sha256-sha384-sha512-sha-md5-prfsha512-prfsha384-prfsha256-prfmd5-modp1024-modp1536!
        esp=aes,sha!
        keyexchange=ikev2
        type=transport
        leftsubnet=%dynamic[gre]
        rightsubnet=%dynamic[gre]
        auto=add


ipsec@ipsec1:~/client$ ip addr show dev gre_test_tunnel
12: gre_test_tunnel: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1448 qdisc noqueue state UNKNOWN group default 
    link/gre6 fe:80:00:00:00:00:00:00:02:0c:29:ff:fe:a8:e1:74 peer fe:80:00:00:00:00:00:00:02:0c:29:ff:fe:b2:ae:2f
    inet6 fd08:2fff:c2ee:0:aabb:cc00:c900:2/64 scope global 
       valid_lft forever preferred_lft forever

ipsec@ipsec1:~/client$ ip -6 route
fd08:2eef:c2ee:0:aabb:cc00:c900:10 dev gre_test_tunnel  metric 1024 
fd08:2eef:c2ee:0:aabb:cc00:c900:11 dev dummy_tb_b  proto kernel  metric 256 
fd08:2eef:c2ee:0:aabb:cc00:c900:31 dev dummy_tb_b_new  proto kernel  metric 256 
fd08:2fff:c2ee::/64 dev gre_test_tunnel  proto kernel  metric 256 
fe80::/64 dev eth1  proto kernel  metric 256 
fe80::/64 dev eth0  proto kernel  metric 256 
fe80::/64 dev dummy_tb_b  proto kernel  metric 256 
default via fe80::21b:2bff:fef6:8680 dev eth0  proto ra  metric 1024  expires 1658sec
default via fe80::5:73ff:fea0:57a dev eth0  proto ra  metric 1024  expires 1677sec
ipsec@ipsec1:~/client$

ipsec@ipsec1:~/client$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.13.0-24-generic, x86_64):
  uptime: 2 minutes, since Oct 07 09:13:57 2015
  malloc: sbrk 1351680, mmap 0, used 263760, free 1087920
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  10.64.69.118
  2001:db8:0:f101::2
  fd08:2eef:c2ee:0:aabb:cc00:c900:11
  fd08:2eef:c2ee:0:aabb:cc00:c900:31
  fd08:2fff:c2ee:0:aabb:cc00:c900:2
Connections:
snbi_new_ipv6:  fe80::20c:29ff:fea8:e174%eth1...fe80::20c:29ff:feb2:ae2f%eth1  IKEv2
snbi_new_ipv6:   local:  [fe80::20c:29ff:fea8:e174] uses pre-shared key authentication
snbi_new_ipv6:   remote: [fe80::20c:29ff:feb2:ae2f] uses pre-shared key authentication
snbi_new_ipv6:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (1 up, 0 connecting):
snbi_new_ipv6[1]: ESTABLISHED 2 minutes ago, fe80::20c:29ff:fea8:e174[fe80::20c:29ff:fea8:e174]...fe80::20c:29ff:feb2:ae2f[fe80::20c:29ff:feb2:ae2f]
snbi_new_ipv6[1]: IKEv2 SPIs: f02639a228d93f04_i 09f307cb83e7d17c_r*, pre-shared key reauthentication in 23 hours
snbi_new_ipv6[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_512/MODP_1024
snbi_new_ipv6{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: caaa2454_i c40dad2a_o
snbi_new_ipv6{1}:  AES_CBC_128, 0 bytes_i, 0 bytes_o, rekeying in 52 minutes
snbi_new_ipv6{1}:   fe80::20c:29ff:fea8:e174/128[gre] === fe80::20c:29ff:feb2:ae2f/128[gre]

Thanks,
Sindhu

-----Original Message-----
From: Noel Kuntze [mailto:noel at familie-kuntze.de] 
Sent: Wednesday, October 07, 2015 3:44 PM
To: Sindhu S. (sins); users at lists.strongswan.org
Subject: Re: [strongSwan] Reg : Protocol specific encryption in Strongswan 5.3


Hello Sindhu,

leftsubnet=%dynamic[gre]
rightsubnet=%dynamic[gre]

It's mentioned in the man page for ipsec.conf.

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
