[strongSwan] also= not behaving as expected

Bart Trojanowski bart at xelerance.com
Mon Nov 18 15:57:21 CET 2019 

Hello,

While setting up for testing, I created a host-to-host and a net-to-net
conn in ipsec.conf configuration.

Since the net-net config captures everything that the host-host config
captures, I use the also= option for brevity.

    conn net-net
       also=host-host
       leftsubnet=192.168.1.0/24
       rightsubnet=192.168.2.0/24

    conn host-host
       authby=secret
       left=192.168.0.1
       leftid=@sse
       right=192.168.100.2
       rightid=@ssw
       auto=add

I'm modeling this setup after
testing/tests/ipv6-stroke/net2net-ikev2/hosts/moon/etc/ipsec.conf

I discovered some strange behaviour as a result...

    $ sudo ipsec up host-host
    initiating IKE_SA net-net[1] to 192.168.100.2
    ...
    CHILD_SA host-host{1} established with SPIs c3bd3088_i c6a6bf88_o and TS 192.168.0.1/32 === 192.168.100.2/32
    connection 'host-host' established successfully

Note that 'host-host' was requested, it claims to be bringing up
'net-net', but in the end it only establishes 'host-host'.  I verified
that 'ip xfrm' only shows /32 endpoints.

Status shows something unexpected also...

    $ sudo ipsec status
    Security Associations (1 up, 0 connecting):
         net-net[3]: ESTABLISHED 3 seconds ago, 192.168.0.1[sse]...192.168.100.2[ssw]
       host-host{3}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c8302add_i cf4ca0cc_o
       host-host{3}:   192.168.0.1/32 === 192.168.100.2/32

When I try to bring down the conn...

    $ sudo ipsec down host-host

... which returns 0, but doesn't actually do anything, however...

    $ sudo ipsec down net-net
    deleting IKE_SA net-net[1] between 192.168.0.1[sse]...192.168.100.2[ssw]
    ...
    IKE_SA [1] closed successfully

If I try to use 'net-net', then the 'net-net' conn is established and
the ipsec status and down commands work as expected.

I have confirmed that neight IPv4/IPv6 nor authby= change this
behaviour.

I've noticed that the order of the 'conn' statements in ipsec.conf
determines which of the conns will work as expected (the first one) and
which will be aliased to the previous one.

It should also be noted that the logs show the second conn being added
as a child of an existing configuration.

    Nov 11 13:50:12 xel-deb-east charon: 05[CFG] received stroke: add connection 'net-net'
    Nov 11 13:50:12 xel-deb-east charon: 05[CFG] added configuration 'net-net'
    Nov 11 13:50:12 xel-deb-east charon: 07[CFG] received stroke: add connection 'host-host'
    Nov 11 13:50:12 xel-deb-east charon: 07[CFG] added child to existing configuration 'net-net'

I was unable to reproduce this using swanctl.  Possibly because my lack
of experience with swanctl configurations.

-Bart

More information about the Users mailing list