[strongSwan] First tunnel is working, all other fail

Dirk Hoelscher dirk.hoelscher at xplod.de
Sun Aug 20 15:16:25 CEST 2017


Hi.

I’ve got a strange problem with my strongSwan VPN:

As long as I am the single user, my solution works like a charm:

Aug 20 14:52:57 charon: 12[IKE] building INTERNAL_IP4_DNS attribute
Aug 20 14:52:57 charon: 12[IKE] CHILD_SA nat-t-blho{6} established with SPIs c657a7f9_i 3527c10c_o and TS (fixed IP)/32 === 10.1.1.0/24

But the moment another device tries to establish a separate tunnel to my server, the connection is aborted with the following message:

Aug 20 15:09:28 charon: 06[IKE] authentication of 'C=DE, O=(url), CN=(url)@(url)' (myself) with RSA signature successful
Aug 20 15:09:28 charon: 06[IKE] IKE_SA nat-t-blho[5] established between (fixed IP)[C=DE, O=(url), CN=(url)@(url)]...37.24.26.125[C=DE, O=(url), CN=xplod@(url)]
Aug 20 15:09:28 charon: 06[IKE] IKE_SA nat-t-blho[5] state change: CONNECTING => ESTABLISHED
Aug 20 15:09:28 charon: 06[IKE] scheduling reauthentication in 3412s
Aug 20 15:09:28 charon: 06[IKE] maximum IKE_SA lifetime 3592s
Aug 20 15:09:28 charon: 06[IKE] sending end entity cert "C=DE, O=(url), CN=(url)@(url)"
Aug 20 15:09:28 charon: 06[IKE] peer requested virtual IP %any
Aug 20 15:09:28 charon: 06[IKE] assigning virtual IP 10.1.1.22 to peer 'C=DE, O=(url), CN=xplod@(url)'
Aug 20 15:09:28 charon: 06[IKE] peer requested virtual IP f100::21
Aug 20 15:09:28 charon: 06[IKE] no virtual IP found for f100::21 requested by 'C=DE, O=(url), CN=xplod@(url)'
Aug 20 15:09:28 charon: 06[IKE] building INTERNAL_IP4_DNS attribute
Aug 20 15:09:28 charon: 06[IKE] unable to install IPsec policies (SPD) in kernel

I would guess that strongSwan opens the same port on the fixed IP twice, resulting in a problem. But I can’t see how to set up my server to allow multiple incoming connections…

My current ipsec.conf:

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=3
        keyexchange=ikev2

conn nat-t-blho
        left=%any
        leftsourceip=%config4
        leftcert=(url)_cert.pem
        leftid="C=DE, O=(url), CN=(url)"
        leftdns=8.8.4.4
        leftfirewall=yes
        right=%any
        rightsourceip=10.1.1.20/24
        rightsubnet=10.1.1.0/24
        auto=add

Can anybody help me?

Best regards,

Dirk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170820/536cf454/attachment.html>
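For comparison, an added reference configuration: it is not from the original post, not strongSwan project code, and not a confirmed fix for the SPD error reported above. It shows the conventional strongSwan IKEv2 road-warrior responder layout that the posted file departs from: the responder does not set `leftsourceip` (that option asks the *peer* for a virtual IP), `rightsubnet` is left at its `%dynamic` default so that each client's remote traffic selector is narrowed to the virtual IP it was assigned, and the pool is given as the whole network. In the posted file every client's CHILD_SA carries the identical remote selector 10.1.1.0/24, as the first log line shows (`TS (fixed IP)/32 === 10.1.1.0/24`), so the kernel has no per-client policy to tell one tunnel's traffic from another's. The certificate names keep the post's `(url)` placeholders; the address ranges are the post's own. The client in the log also asked for an IPv6 virtual IP (`f100::21`); this file, like the original, only provides IPv4 addresses.

```ini
# Added reference ipsec.conf for an IKEv2 road-warrior responder.
# Not the poster's file and not a verified fix for the reported error;
# it illustrates the standard layout with one kernel policy per client.

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=3
        keyexchange=ikev2

conn nat-t-blho
        left=%any
        # no leftsourceip here: that option would make the server request
        # a virtual IP from each client, which a road warrior cannot serve
        leftcert=(url)_cert.pem
        leftid="C=DE, O=(url), CN=(url)"
        # leftsubnet is omitted, so the local selector stays the server's
        # own address (the "(fixed IP)/32" seen in the log); add
        # leftsubnet=<network> if clients should reach a LAN behind it
        leftdns=8.8.4.4
        leftfirewall=yes
        right=%any
        # pool written as the network itself; strongSwan hands out
        # addresses from 10.1.1.1 upwards and skips network/broadcast
        rightsourceip=10.1.1.0/24
        # no rightsubnet: the remote selector defaults to %dynamic and is
        # narrowed to the client's assigned virtual IP, giving each
        # CHILD_SA a distinct <server>/32 === <vip>/32 policy pair
        auto=add
```

After a client connects, `ip xfrm policy` on the server should list an `in`/`out` policy pair whose remote selector is that client's /32 (for example `src 10.1.1.22/32` on the inbound policy), not 10.1.1.0/24; a second client then adds its own pair instead of colliding with the first. `ipsec statusall` (or `swanctl --list-sas` on the newer interface) shows the same narrowing in the CHILD_SA's traffic selectors.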