[strongSwan] Strongswan part of Ubuntu 18.04 LTS = Duplicate client IPs.. and same for Ubuntu 20.04 LTS

Magnus Larsson list at mserv.pw
Tue Dec 1 17:33:05 CET 2020


Hi Tobias,

The only difference between the VMs is the Ubuntu distribution, as I cloned and did a release upgrade (sudo do-release-upgrade).

All 3 VPN clients were assigned the same IP and are connected in parallel and dropping packets obviously, don't know what to tell you but maybe someone can test this?

Here are the steps to reproduce:
Install Ubuntu Server 16.04 LTS from ISO
apt-get the necessary strongswan packages
install let's encrypt certificate
configure ipsec.conf and ipsec.secrets
Connect more than 1 client to verify everything is working (works fine here)
Upgrade from 16.04 LTS to 18.04 LTS
Connect more than 1 client to verify everything is working (did not work for me)
Upgrade from 18.04 LTS to 20.04 LTS
Connect more than 1 client to verify everything is working (still not working for me)

ipsec.secrets:
<FQDN>        : RSA "/etc/ipsec.d/private/server-key.pem"
testuser      : EAP "testpassword"

Thanks,
Magnus

> On December 1, 2020, at 08:58, Tobias Brunner <tobias at strongswan.org> wrote:
> 
> Hi Magnus,
> 
>> root at vpn:~# ipsec leases
>> Leases in pool '10.0.214.220-10.0.214.250', usage: 1/31, 1 online
>>      10.0.214.220   online   '/userid/'
>> root at vpn:~#
> 
> This output makes no sense if three clients are concurrently connected
> (online leases are not reassigned).  Check the output of `ipsec
> statusall`, are there really three clients online (with duplicate
> traffic selectors)?  Or do you have uniqueids enabled and clients just
> got the same offline lease assigned after the existing IKE_SA was closed
> (check the log)?
> 
>> *If I change:*
>> *rightsourceip=10.0.214.220-10.0.214.250*
>> 
>> *to:*
>> rightsourceip=10.0.214.0/24
>> 
>> The VPN server then hands out unique IPs in both 18.04 LTS and 20.04 LTS
> 
> That makes even less sense because other than how the address pool is
> constructed (i.e. how the size and base address are determined) there is
> no difference in the implementation.  There is even a unit test that
> uses the same identity to request multiple (different) addresses from a
> range-based address pool.
> 
> Regards,
> Tobias
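Tobias suggests checking `ipsec statusall` for concurrently online clients with duplicate traffic selectors. The following is an added example, not part of the thread or of strongSwan itself: a small parser that flags any remote traffic selector (the client's virtual IP as a /32) that appears on more than one CHILD_SA. It assumes the usual `conn{id}:   local === remote` line layout of `ipsec statusall`; the sample output is constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `ipsec statusall` output (not real output from the thread):
# three road-warrior SAs, two of which were handed the same virtual IP.
SAMPLE_STATUSALL = """\
Security Associations (3 up, 0 connecting):
    ikev2-eap[3]: ESTABLISHED 12 seconds ago, 203.0.113.1[vpn.example.test]...198.51.100.7[testuser]
    ikev2-eap{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c1a2b3d4_i 1f2e3d4c_o
    ikev2-eap{3}:   0.0.0.0/0 === 10.0.214.220/32
    ikev2-eap[2]: ESTABLISHED 45 seconds ago, 203.0.113.1[vpn.example.test]...198.51.100.8[testuser]
    ikev2-eap{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: a1b2c3d4_i 4d3c2b1a_o
    ikev2-eap{2}:   0.0.0.0/0 === 10.0.214.220/32
    ikev2-eap[1]: ESTABLISHED 2 minutes ago, 203.0.113.1[vpn.example.test]...198.51.100.9[testuser]
    ikev2-eap{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 11223344_i 44332211_o
    ikev2-eap{1}:   0.0.0.0/0 === 10.0.214.221/32
"""

# Traffic-selector line of a CHILD_SA, assumed layout: "<conn>{<id>}:   <local> === <remote>"
TS_LINE = re.compile(
    r"^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>\S+)\s*$"
)


def duplicate_remote_ts(statusall_text):
    """Return {remote_ts: [(conn, child_id), ...]} for every remote traffic selector
    installed on more than one CHILD_SA, i.e. the duplicate virtual-IP symptom."""
    seen = defaultdict(list)
    for line in statusall_text.splitlines():
        m = TS_LINE.match(line)
        if m:
            seen[m.group("remote")].append((m.group("conn"), int(m.group("id"))))
    return {ts: sas for ts, sas in seen.items() if len(sas) > 1}


if __name__ == "__main__":
    for ts, sas in duplicate_remote_ts(SAMPLE_STATUSALL).items():
        print(f"{ts} is installed on {len(sas)} CHILD_SAs: {sas}")
```

On a live server, pipe `ipsec statusall` into `duplicate_remote_ts`; an empty result means each online client holds a distinct virtual IP, which points back at offline leases being reused (uniqueids) rather than at the pool itself.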


