[strongSwan] second connection from the same machine fails

Naveen Neelakanta naveen.b.neelakanta at gmail.com
Fri Mar 2 09:33:13 CET 2018


Hi Noel,

I need some guidance on the issues below using strongSwan.

1) The second connection with the configuration below fails.



config setup

conn %default
        ikelifetime=8h
        keylife=8h
        rekeymargin=3m
        keyingtries=2
        keyexchange=ikev1
        authby=secret
        type=tunnel
        left=10.24.18.209
        leftsubnet=0.0.0.0/0
        ike=aes128-sha1-modp1024
        esp=null-md5-modp1024

conn net-net
        right=10.24.18.35
        rightsubnet=0.0.0.0/0
        mark_out=32
        auto=add
        installpolicy=yes

conn net1-net1
        right=10.24.18.36
        rightsubnet=0.0.0.0/0
        mark_out=33
        auto=add
        installpolicy=yes


# ipsec up net1-net1

unable to install policy 0.0.0.0/0 === 0.0.0.0/0 in for reqid 2, the same policy for reqid 1 exists
unable to install policy 0.0.0.0/0 === 0.0.0.0/0 fwd for reqid 2, the same policy for reqid 1 exists
unable to install IPsec policies (SPD) in kernel
establishing connection 'net1-net1' failed



2) I intend to use marking as a selector using a VTI interface. I see that
the packet gets encrypted and leaves the machine; however, my intention is
to identify return traffic after decryption to be marked with the same
mark, so that I can route based on the marked packet to a specific
interface, but I see that the inbound SA does not have the mark and the
policy drops the return traffic.

src 0.0.0.0/0 dst 0.0.0.0/0
        dir out priority 399999
        mark 32/0xffffffff
        tmpl src 10.24.18.209 dst 10.24.18.35
                proto esp spi 0xce437d69 reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir in priority 399999
        mark 32/0xffffffff
        tmpl src 10.24.18.35 dst 10.24.18.209
                proto esp reqid 1 mode tunnel

SADB:
src 10.24.18.209 dst 10.24.18.35
        proto esp spi 0xce437d69 reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        mark 32/0xffffffff
        auth-trunc hmac(md5) 0x73f7dac6b9ef4de0dd6965ce30e2e548 96
        enc ecb(cipher_null)
src 10.24.18.35 dst 10.24.18.209
        proto esp spi 0xca115267 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(md5) 0xcc44e5211adb4b23d281e9b94853b31c 96
        enc ecb(cipher_null)



How can I get the return traffic marked so that there is no policy
mismatch?

3) When I bring up the tunnel with leftsubnet any and rightsubnet any,
I lose SSH access. I have disabled route installation in the strongSwan
configuration file.

conn %default
        ikelifetime=8h
        keylife=8h
        rekeymargin=3m
        keyingtries=2
        keyexchange=ikev1
        authby=secret
        type=tunnel
        left=10.24.18.209
        leftsubnet=0.0.0.0/0
        ike=aes128-sha1-modp1024
        esp=null-md5-modp1024
        installpolicy=no

conn net-net
        right=10.24.18.35
        rightsubnet=0.0.0.0/0
        mark_out=32
        auto=add
        installpolicy=yes

######### strongswan.conf #######

        interfaces_use = eth3
        install_routes = no

Please shed some light on the above issues.

Thanks,
Naveen
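A working shape for the mark-based VTI setup asked about above, as an added example that is not part of the original post and not strongSwan's own code: each tunnel gets mark= in ipsec.conf (which sets both mark_in and mark_out, so the in/fwd policies of the two connections differ by mark instead of colliding as identical 0.0.0.0/0 === 0.0.0.0/0 entries, and the inbound SA carries the mark), plus a VTI whose key equals that mark, because the Linux VTI receive path looks up the inbound SA and checks the inbound policy using the interface key as the mark. The addresses are the ones from the post; the interface names (vti32, vti33), the prefixes routed into each VTI, the output path of the config fragment and the DRY_RUN switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan.
# One VTI per tunnel, keyed by the mark strongSwan puts on that
# tunnel's SAs and policies. Addresses are from the post; interface
# names, routed prefixes, output path and DRY_RUN are assumptions.
set -eu

LOCAL=10.24.18.209
CONF_OUT=${CONF_OUT:-/etc/ipsec.d/vti-marks.conf}   # assumed path

# run CMD...: execute the command, or only print it when DRY_RUN=1
# (lets the script be reviewed or tested without root or a kernel).
run() {
    if [ "${DRY_RUN:-}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ipsec_conn NAME REMOTE MARK: emit one ipsec.conf conn section that
# inherits the %default from the post. 'mark=' sets mark_in and
# mark_out together, so both directions of this tunnel are distinct
# from the other tunnel's policies and from unmarked plaintext traffic.
ipsec_conn() {
    name=$1; remote=$2; mark=$3
    printf 'conn %s\n' "$name"
    printf '        right=%s\n' "$remote"
    printf '        rightsubnet=0.0.0.0/0\n'
    printf '        mark=%s\n' "$mark"
    printf '        auto=add\n'
}

# setup_vti IFACE REMOTE MARK PREFIX...: create the VTI with key=MARK
# (the kernel uses the key as the mark for the inbound SA/policy lookup
# and sets it on outbound packets), disable the per-interface policy
# check on the plaintext side, bring it up, and route PREFIX... into it
# (strongswan.conf already has install_routes = no in the post).
setup_vti() {
    iface=$1; remote=$2; mark=$3; shift 3
    run ip link add "$iface" type vti local "$LOCAL" remote "$remote" key "$mark"
    run sysctl -w "net.ipv4.conf.$iface.disable_policy=1"
    run ip link set "$iface" up
    for prefix in "$@"; do
        run ip route add "$prefix" dev "$iface"
    done
}

# main: write the two conn sections and create both VTIs.
main() {
    conf=$(ipsec_conn net-net 10.24.18.35 32; ipsec_conn net1-net1 10.24.18.36 33)
    if [ "${DRY_RUN:-}" = 1 ]; then
        printf '%s\n' "$conf"
    else
        printf '%s\n' "$conf" > "$CONF_OUT"
    fi
    # Prefixes behind each peer are assumed for the example.
    setup_vti vti32 10.24.18.35 32 192.168.35.0/24
    setup_vti vti33 10.24.18.36 33 192.168.36.0/24
}

# Usage: DRY_RUN=1 sh vti-marks.sh apply   (print what would be done)
#        sh vti-marks.sh apply             (as root, actually apply it)
if [ "${1:-}" = apply ]; then
    main
fi
```

After this, reload with ipsec reread; ipsec update (or restart charon) and check that ip xfrm policy shows the in and fwd entries of each tunnel with their own mark and that ip xfrm state shows the inbound SA marked too; plaintext traffic to the host itself, such as SSH, no longer matches the catch-all tunnel policies because they only apply to packets marked by the VTI.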