[strongSwan] Reply: how to config multiple specific virtual ips per road warrior on swanctl.conf?
陈 锐
ioiioi at live.cn
Thu Jan 14 08:08:07 CET 2016
Wow, what an elegant solution!
Thanks Andreas.
I am still struggling with migrating from ipsec.conf to swanctl.conf; when I initiate a child_sa from the client, it fails:
[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN notify error
initiate failed: establishing CHILD_SA 'gw1-jklab-chd' failed
Here is my config and the error log:
Gateway swanctl.conf:
-------------8<-----------------
connections {
    rw-ssTester {
        local_addrs = 192.168.111.93
        pools = ssTester
        local {
            auth = pubkey
            certs = gw1.jklab.cert.pem
            id = gateway1.jklab.qmcc
        }
        remote {
            auth = pubkey
            id = ssTester at jklab.qmcc
        }
        children {
            rw-ssTester {
                local_ts = 192.168.33.0/24, 192.168.66.0/24
                start_action = none
                updown = /opt/strongswan/libexec/ipsec/_updown iptables
                rekey_time = 10m
                esp_proposals = aes128gcm128-modp2048
            }
        }
        version = 2
        reauth_time = 60m
        rekey_time = 20m
        proposals = aes128-sha256-modp2048
    }
}
pools {
    ssTester {
        addrs = 192.168.8.10/32
    }
}
-------------8<-----------------
Client swanctl.conf (the side from which I initiate the child_sa):
-------------8<-----------------
connections {
    gw1-jklab {
        local_addrs = 10.10.0.17
        remote_addrs = 221.182.254.189
        vips = 0.0.0.0
        version = 2
        reauth_time = 60m
        rekey_time = 20m
        # proposals = aes128-sha256-modp2048
        local {
            auth = pubkey
            certs = ssTester.cert.pem
            id = ssTester at jklab.qmcc
        }
        remote {
            auth = pubkey
            id = gateway1.jklab.qmcc
        }
        children {
            gw1-jklab-chd {
                remote_ts = 192.168.33.0/24, 192.168.66.0/24
                start_action = none
                updown = /opt/strongswan/libexec/ipsec/_updown iptables
                rekey_time = 10m
                # esp_proposals = aes128gcm128-modp2048
            }
        }
    }
}
# No matter whether I enable or disable the client's esp_proposals/proposals,
# I get the same result.
-------------8<-----------------
# swanctl -i -c gw1-jklab-chd
[IKE] initiating IKE_SA gw1-jklab[20] to xx.xx.254.189
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
[NET] sending packet: from 10.10.0.17[500] to xx.xx.254.189[500] (1064 bytes)
[NET] received packet: from xx.xx.254.189[500] to 10.10.0.17[500] (36 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN notify error
initiate failed: establishing CHILD_SA 'gw1-jklab-chd' failed
And the gateway's charon-systemd log:
Jan 14 00:22:29 d8-64-gw-1 charon-systemd[5213]: received packet: from xx.xx.236.34[9863] to 192.168.33.93[500] (1064 bytes)
Jan 14 00:22:29 d8-64-gw-1 charon-systemd[5213]: parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Jan 14 00:22:29 d8-64-gw-1 charon-systemd[5213]: no IKE config found for 192.168.33.93...xx.xx.236.34, sending NO_PROPOSAL_CHOSEN
Jan 14 00:22:29 d8-64-gw-1 charon-systemd[5213]: generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jan 14 00:22:29 d8-64-gw-1 charon-systemd[5213]: sending packet: from 192.168.33.93[500] to xx.xx.236.34[9863] (36 bytes)
What is the problem?
________________________________________
From: Andreas Steffen <andreas.steffen at strongswan.org>
Sent: January 14, 2016 1:23
To: 陈 锐; users at lists.strongswan.org
Subject: Re: [strongSwan] how to config multiple specific virtual ips per road warrior on swanctl.conf?
Hi,
if you want to explicitly assign a specific virtual IP to each client
then you could use an include statement in swanctl.conf which includes
the common parameters for each connection definition and define a
specific single-address pool for each roadwarrior, as in the following
example I did for you:
https://www.strongswan.org/testing/config-payload/swanctl/config-payload/
The common parameters are defined in /etc/swanctl/swanctl_base.conf:
local_addrs = 192.168.0.1
local {
    auth = pubkey
    certs = moonCert.pem
    id = moon.strongswan.org
}
children {
    net {
        local_ts = 10.1.0.0/16
        updown = /usr/local/libexec/ipsec/_updown iptables
        esp_proposals = aes128gcm128-modp3072
    }
}
version = 2
proposals = aes128-sha256-modp3072
Best regards
Andreas
On 01/13/2016 09:31 AM, 陈 锐 wrote:
> Hello,
>
>
> I have multiple road warriors that log on and get a specific virtual IP from
> strongSwan. I have successfully got it working with charon/ipsec.conf.
> Unfortunately, Debian 8 has moved to systemd, so I have to change
> from ipsec.conf to swanctl.conf because of charon-systemd. The following
> is my ipsec.conf on the strongSwan gateway:
>
>
>
> config setup
>     # uniqueids=never
>
> #############################################
> # ikev2 road warriors pubkey template
> #############################################
> conn ikev2-rw-pub-template
>     keyexchange=ikev2
>     left=%defaultroute
>     leftauth=pubkey
>     #leftfirewall=yes
>     leftsubnet=0.0.0.0/0
>     leftcert=gw1.jklab.cert.pem
>     leftid=gateway1.jklab.qmcc
>     right=%any
>     rightauth=pubkey
>     auto=add
>
> # ikev2 road warriors pubkey linux client
> conn ikev2-rw-pub-linux-ssTester
>     also=ikev2-rw-pub-template
>     #rightdns=192.168.5.12
>     rightsourceip=192.168.8.10
>     rightid="ssTester at jklab.qmcc"
>
> # ikev2 road warriors pubkey windows7+ client
> conn ikev2-rw-pub-win7-chenrui
>     also=ikev2-rw-pub-template
>     ike=aes256-sha1-modp1024!
>     rekey=no
>     rightsourceip=192.168.8.2
>     rightid="OU=syharman, CN=chenrui at syharman.qmcc"
>
> how to translate it to swanctl.conf?
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
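Added example (not part of any message in this thread): the include-based layout Andreas describes, applied to the two road warriors from the original ipsec.conf, using the gateway values posted above. The file paths, the pool names ending in -vip and the connection name rw-chenrui are assumptions; e-mail-style identities are written with @, which the list archive renders as " at ". One detail worth checking before testing: the gateway log in this thread reports `no IKE config found for 192.168.33.93...`, so the IKE_SA_INIT arrived on 192.168.33.93, while the posted gateway config has `local_addrs = 192.168.111.93`. charon selects a connection by its local_addrs and remote_addrs, so the base file here uses the address the requests actually arrive on (`%any`, the default, would accept any local address).

```conf
# ---- /etc/swanctl/swanctl_base.conf (assumed path) ----
# Parameters shared by every road-warrior connection; values taken from the
# gateway config posted in this thread.
local_addrs = 192.168.33.93
local {
    auth = pubkey
    certs = gw1.jklab.cert.pem
    id = gateway1.jklab.qmcc
}
children {
    net {
        local_ts = 192.168.33.0/24, 192.168.66.0/24
        updown = /opt/strongswan/libexec/ipsec/_updown iptables
        esp_proposals = aes128gcm128-modp2048
        rekey_time = 10m
    }
}
version = 2
reauth_time = 60m
rekey_time = 20m
proposals = aes128-sha256-modp2048

# ---- /etc/swanctl/swanctl.conf (assumed path) ----
# One connection per road warrior: each pulls in the shared base file and
# references its own single-address pool, so the client always gets the
# same virtual IP (the swanctl equivalent of rightsourceip=<fixed address>).
connections {
    rw-ssTester {
        include /etc/swanctl/swanctl_base.conf
        pools = ssTester-vip
        remote {
            auth = pubkey
            id = ssTester@jklab.qmcc
        }
    }
    rw-chenrui {
        include /etc/swanctl/swanctl_base.conf
        pools = chenrui-vip
        # The original ipsec.conf gave this client ike=aes256-sha1-modp1024!
        # and rekey=no. Setting the keys here, after the include, is assumed
        # to override the values from the base file; confirm the negotiated
        # proposal with swanctl --list-sas once the client connects.
        proposals = aes256-sha1-modp1024
        rekey_time = 0
        remote {
            auth = pubkey
            id = "OU=syharman, CN=chenrui@syharman.qmcc"
        }
    }
}
pools {
    ssTester-vip {
        addrs = 192.168.8.10
    }
    chenrui-vip {
        addrs = 192.168.8.2
    }
}
```

After editing, load the files with `swanctl --load-all`, then check `swanctl --list-conns` and `swanctl --list-pools` to confirm each connection references its own one-address pool. Keeping each client's identity and pool in a separate connection also means a certificate presented under one identity can never be handed another client's fixed address.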