[strongSwan] multiple id for same ipsec peer

Marco Berizzi pupilla at hotmail.com
Tue May 8 11:20:17 CEST 2018


Hello everyone,

I'm running strongswan 5.6.3dr1 on Slackware Linux.
On this strongswan box an IKEv2 tunnel is configured
to a customer Check Point R77.30 gateway.

Sometimes, for an unknown reason, the checkpoint will
try to initiate the IKE_SA, but instead of using its
public ip address as the id, it is using another ip
address. Here is the relevant log:

12[NET] received packet: from customer_public[500] to my_public[500] (260 bytes) 
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
12[IKE] customer_public is initiating an IKE_SA 
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ] 
12[NET] sending packet: from my_public[500] to customer_public[500] (280 bytes) 
04[NET] received packet: from customer_public[500] to my_public[500] (336 bytes) 
04[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N((47997)) SA TSi TSr N(INIT_CONTACT) V N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ] 
04[CFG] looking for peer configs matching my_public[%any]...customer_public[192.168.53.22] 
04[CFG] selected peer config 'customer-10.10.92.0' 
04[IKE] authentication of '192.168.53.22' with pre-shared key successful 
04[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 
04[IKE] authentication of 'my_public' (myself) with pre-shared key 
04[IKE] IKE_SA customer-10.10.92.0[10] established between my_public[my_public]...customer_public[192.168.53.22] 

I have bypassed this crazy Check Point behaviour by
adding another conn section to the ipsec.conf file
and configuring it only as responder (auto=add):

conn customer
        left=my_public
        right=customer_public
        leftsubnet=10.28.155.0/24
        leftauth=secret
        rightauth=secret
        leftid=my_public
        rightid=customer_public

conn customer-10.10.92.0
        auto=route
        also=customer

conn customer-10.10.92.0-192.168.53.22
        auto=add
        also=customer
        rightid=192.168.53.22

Now I would like to move this configuration to the
new swanctl.conf file format.

I would like to ask if this swanctl.conf file is
equivalent to the above ipsec.conf:

connections {

   customer {
      local_addrs  = my_public
      remote_addrs = customer_public

      local {
         auth = psk
         id = my_public
      }
      remote {
         auth = psk
         id = customer_public
         id = 192.168.53.22
      }
      children {
         customer-networks {
            local_ts  = 10.28.155.0/24
            remote_ts = 10.10.92.0
            start_action = trap
            esp_proposals = aes256-sha384-ecp521
         }
      }
      proposals = aes256-sha384-ecp521
      send_cert = never
      send_certreq = no
   }
}

secrets {
   ike-customer {
      id = customer_public
      id = 192.168.53.22
      secret = "blablabla"
   }
}

Thanks
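As an added example (editor's, not from the original post), here are the same three ipsec.conf sections expressed in swanctl.conf with one connection per expected peer identity. This assumes that a key repeated inside one section (remote.id, ike-customer.id) keeps only its last value rather than forming a list, that swanctl.conf has no `also=` so the shared settings are repeated, and that the proposals, send_cert and send_certreq settings of the posted file go unchanged into both connections (left out here).

```conf
# Added example (not the original post); assumes a repeated key keeps only its last value and there is no "also=".
connections {
   # counterpart of "conn customer-10.10.92.0" (auto=route)
   customer-10.10.92.0 {
      local_addrs  = my_public
      remote_addrs = customer_public
      local {
         auth = psk
         id = my_public
      }
      remote {
         auth = psk
         id = customer_public
      }
      children {
         customer-networks {
            local_ts  = 10.28.155.0/24
            remote_ts = 10.10.92.0
            start_action = trap
         }
      }
   }
   # counterpart of "conn customer-10.10.92.0-192.168.53.22" (auto=add, responder only)
   customer-10.10.92.0-192.168.53.22 {
      local_addrs  = my_public
      remote_addrs = customer_public
      local {
         auth = psk
         id = my_public
      }
      remote {
         auth = psk
         id = 192.168.53.22
      }
      children {
         customer-networks {
            local_ts  = 10.28.155.0/24
            remote_ts = 10.10.92.0
            start_action = none
         }
      }
   }
}
secrets {
   ike-customer {
      id-1 = customer_public
      id-2 = 192.168.53.22
      secret = "blablabla"
   }
}
```

In the secrets section the identity keys do take a suffix (id-1, id-2), so one PSK entry can cover both peer identities; the second connection only ever responds, so the trap policy for the subnet pair is installed once.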
