[strongSwan] First tunnel is working, all other fail

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sun Aug 20 16:17:05 CEST 2017


Hi,

On 20.08.2017 15:16, Dirk Hoelscher wrote:
> Hi.
>
> I’ve got a strange problem with my strongSwan VPN:
>
> As long as I am the single user, my solution works like a charm:
>
> Aug 20 14:52:57 charon: 12[IKE] building INTERNAL_IP4_DNS attribute
> Aug 20 14:52:57 charon: 12[IKE] CHILD_SA nat-t-blho{6} established with SPIs c657a7f9_i 3527c10c_o and TS (fixed IP)/32 === 10.1.1.0/24
>
You screwed up your config. You must not set rightsubnet in your (general) use case. Stick to the example configurations on the UsableExamples[1] page.
>
> But the moment another device tries to establish a separate tunnel to my server, the connection is aborted with the following messages:
>
> Aug 20 15:09:28 charon: 06[IKE] authentication of 'C=DE, O=(url), CN=(url)@(url)' (myself) with RSA signature successful
> Aug 20 15:09:28 charon: 06[IKE] IKE_SA nat-t-blho[5] established between (fixed IP)[C=DE, O=(url), CN=(url)@(url)]...37.24.26.125[C=DE, O=(url), CN=xplod@(url)]
> Aug 20 15:09:28 charon: 06[IKE] IKE_SA nat-t-blho[5] state change: CONNECTING => ESTABLISHED
> Aug 20 15:09:28 charon: 06[IKE] scheduling reauthentication in 3412s
> Aug 20 15:09:28 charon: 06[IKE] maximum IKE_SA lifetime 3592s
> Aug 20 15:09:28 charon: 06[IKE] sending end entity cert "C=DE, O=(url), CN=(url)@(url)"
> Aug 20 15:09:28 charon: 06[IKE] peer requested virtual IP %any
> Aug 20 15:09:28 charon: 06[IKE] assigning virtual IP 10.1.1.22 to peer 'C=DE, O=(url), CN=xplod@(url)'
> Aug 20 15:09:28 charon: 06[IKE] peer requested virtual IP f100::21
> Aug 20 15:09:28 charon: 06[IKE] no virtual IP found for f100::21 requested by 'C=DE, O=(url), CN=xplod@(url)'
> Aug 20 15:09:28 charon: 06[IKE] building INTERNAL_IP4_DNS attribute
> Aug 20 15:09:28 charon: 06[IKE] unable to install IPsec policies (SPD) in kernel
>
> I would guess that strongSwan opens the same port on the fixed IP twice, resulting in a problem. But I can’t see how to set up my server to allow multiple incoming connections…
>
Nope. Please don't try to guess what happens. Read the log messages; they tell you exactly what the problem is (not a higher-level interpretation).
It has nothing to do with ports. Read the introduction[2] before trying to diagnose the problem. Generally, use the HelpRequests[3] page.

>
> My current ipsec.conf:
>
> config setup
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=3
>         keyexchange=ikev2
>
> conn nat-t-blho
>         left=%any
>         leftsourceip=%config4
>         leftcert=(url)_cert.pem
>         leftid="C=DE, O=(url), CN=(url)"
>         leftdns=8.8.4.4
>         leftfirewall=yes
>         right=%any
>         rightsourceip=10.1.1.20/24
>         rightsubnet=10.1.1.0/24
>
There's your culprit.
>
>         auto=add
>

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
[2] https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan
[3] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
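As an added example (not part of the list post, and not strongSwan's own tooling), a small Python check that does what Noel asks for, reading the log instead of guessing: it correlates each charon worker thread's "assigning virtual IP" line with the CHILD_SA traffic selectors established on that thread and flags a remote TS wider than the assigned /32, which is what a rightsubnet on a rightsourceip conn produces, together with the SPD install failure the next client hits. The log lines, peer names and the address 203.0.113.10 are constructed sample input.

```python
import re

# Constructed sample charon log (not the list post's exact lines; 203.0.113.10 is a
# documentation address) from a responder whose conn sets rightsourceip=10.1.1.20/24
# AND rightsubnet=10.1.1.0/24, as in the ipsec.conf quoted above.
BROKEN_LOG = """\
Aug 20 14:52:57 charon: 12[IKE] assigning virtual IP 10.1.1.21 to peer 'C=DE, O=example, CN=alice'
Aug 20 14:52:57 charon: 12[IKE] CHILD_SA nat-t-blho{6} established with SPIs c657a7f9_i 3527c10c_o and TS 203.0.113.10/32 === 10.1.1.0/24
Aug 20 15:09:28 charon: 06[IKE] assigning virtual IP 10.1.1.22 to peer 'C=DE, O=example, CN=bob'
Aug 20 15:09:28 charon: 06[IKE] unable to install IPsec policies (SPD) in kernel
"""

# Same scenario (constructed) with rightsubnet removed: each client's remote TS is its own /32.
FIXED_LOG = """\
Aug 20 14:52:57 charon: 12[IKE] assigning virtual IP 10.1.1.21 to peer 'C=DE, O=example, CN=alice'
Aug 20 14:52:57 charon: 12[IKE] CHILD_SA nat-t-blho{6} established with SPIs c657a7f9_i 3527c10c_o and TS 203.0.113.10/32 === 10.1.1.21/32
Aug 20 15:09:28 charon: 06[IKE] assigning virtual IP 10.1.1.22 to peer 'C=DE, O=example, CN=bob'
Aug 20 15:09:28 charon: 06[IKE] CHILD_SA nat-t-blho{7} established with SPIs 0a1b2c3d_i 4e5f6a7b_o and TS 203.0.113.10/32 === 10.1.1.22/32
"""

THREAD_RE = re.compile(r"charon: (\d+)\[IKE\]")
VIP_RE = re.compile(r"assigning virtual IP (\S+) to peer '([^']+)'")
TS_RE = re.compile(r"CHILD_SA (\S+) established with SPIs \S+ \S+ and TS (\S+) === (\S+)")
SPD_FAIL = "unable to install IPsec policies (SPD) in kernel"


def check_roadwarrior_log(log: str) -> list[str]:
    """Return one finding per suspicious line, in log order.

    charon logs per worker thread (the NN[IKE] prefix), so the virtual IP assigned
    on a thread is matched with the CHILD_SA established on that same thread.
    """
    findings = []
    vip_by_thread = {}  # thread id -> (virtual IP, peer identity) most recently assigned
    for line in log.splitlines():
        t = THREAD_RE.search(line)
        thread = t.group(1) if t else None
        if m := VIP_RE.search(line):
            vip_by_thread[thread] = (m.group(1), m.group(2))
        elif m := TS_RE.search(line):
            conn, _local_ts, remote_ts = m.groups()
            vip, peer = vip_by_thread.get(thread, (None, None))
            if vip and remote_ts != f"{vip}/32":
                findings.append(f"{conn}: remote TS {remote_ts} is wider than the virtual IP {vip}/32 assigned to {peer}; remove rightsubnet")
        elif SPD_FAIL in line:
            findings.append(f"thread {thread}: {SPD_FAIL} (a policy with the same selectors already exists)")
    return findings
```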
