It appears that our IP addresses are being assigned by the XAuthName 'actmobile'; unfortunately that is not unique?
On 4/24/15 5:28 PM, Andrew Foss wrote:
Here's our situation:
iOS IPsec clients; they each have a certificate with a unique common name.
I want to configure strongSwan to give them a different IP address for each client/CN, regardless of what public IP address they may arrive from at the moment; it is a road warrior config.
I am thinking I can write a plugin like dhcp to do it for sure, but
seems like I may have something in the config that is wrong. I have to
set uniqueids=no to get two clients to connect, which makes me think I
am using something else for the id, other than the cert subject name.
This error line seems to indicate the peer is referred to as 'actmobile':
destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT
In the updown scripts the PLUTO_PEER_ID does show up properly as
[C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
All my clients seem to get 172.20.0.1 as their IP address and ipsec statusall shows just one SA even when I have 3 devices connected.
Here's the config:
conn ios
    keyexchange=ikev1
    #esp=null-sha1!
    authby=xauthrsasig
    xauth=server
    #left=%defaultroute
    leftsubnet=0.0.0.0/0
    #leftsubnet=10.66.0.0/16
    #leftfirewall=yes
    #lefthostaccess=yes
    leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
    leftcert=serverCert.pem
    #right=%any
    rightsourceip=172.20.0.0/16
    #rightsourceip=10.100.255.0/28
    #rightcert=clientCert.pem
    #pfs=no
    auto=add
    rekey=yes
    fragmentation=yes
    lifetime=24h
    dpddelay=0
    dpdtimeout=24h
    compress=yes
Here's the log output of clients connecting:
IKE_SA ios[6] established between 10.199.65.236[C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, [email protected]]...50.197.174.157[C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] state change: CONNECTING => ESTABLISHED
Apr 25 00:12:43 accel charon: 12[IKE] scheduling reauthentication in 10094s
Apr 25 00:12:43 accel charon: 12[IKE] maximum IKE_SA lifetime 10634s
Apr 25 00:12:43 accel charon: 12[IKE] activating new tasks
Apr 25 00:12:43 accel charon: 12[IKE] nothing to initiate
Apr 25 00:12:43 accel charon: 12[IKE] destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[5] state change: ESTABLISHED => DESTROYING
Apr 25 00:12:43 accel charon: 12[KNL] deleting SAD entry with SPI c1648e6d (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleted SAD entry with SPI c1648e6d (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting SAD entry with SPI 0d133ab7 (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleted SAD entry with SPI 0d133ab7 (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 0.0.0.0/0 === 172.20.0.1/32 out (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another CHILD_SA, not removed
Apr 25 00:12:43 accel charon: 12[KNL] updating policy 0.0.0.0/0 === 172.20.0.1/32 out (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 0.0.0.0/0 in (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another CHILD_SA, not removed
Apr 25 00:12:43 accel charon: 12[KNL] updating policy 172.20.0.1/32 === 0.0.0.0/0 in (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 0.0.0.0/0 fwd (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another CHILD_SA, not removed
Apr 25 00:12:43 accel charon: 12[KNL] updating policy 172.20.0.1/32 === 0.0.0.0/0 fwd (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] getting a local address in traffic selector 0.0.0.0/0
Apr 25 00:12:43 accel charon: 12[KNL] using host %any
Apr 25 00:12:43 accel charon: 12[KNL] using 10.199.65.193 as nexthop to reach 166.170.42.208
Apr 25 00:12:43 accel charon: 12[KNL] 10.199.65.236 is on interface eth0
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 0.0.0.0/0 === 172.20.0.1/32 out (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 0.0.0.0/0 in (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 0.0.0.0/0 fwd (mark 0/0x00000000)
Apr 25 00:12:43 accel charon: 12[KNL] getting iface index for eth0
Apr 25 00:12:43 accel charon: 12[CFG] lease 172.20.0.1 by 'actmobile' went offline
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
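The symptom in this thread (distinct client certificates, but one shared identity driving the duplicate-IKE_SA check and the address lease) is visible in the charon log itself. Below is an added example, not code from the strongSwan project or from the thread, that parses only the three message shapes quoted above and reports the collision; the second client's CN and public address in the sample are constructed.

```python
"""Spot road-warrior clients that collide on one lease identity in charon logs.

Added example, not strongSwan project code. It parses only the three message
shapes visible in the quoted log and flags the symptom above: several cert CNs
authenticate, yet charon checks duplicates and leases under one (XAuth) identity.
"""
import re
from collections import defaultdict

ESTABLISHED = re.compile(
    r"IKE_SA (?P<sa>\S+) established between (?P<lip>\S+)\[(?P<ldn>[^\]]*)\]"
    r"\.\.\.(?P<rip>\S+)\[(?P<rdn>[^\]]*)\]")
DUPLICATE = re.compile(r"destroying duplicate IKE_SA for peer '(?P<id>[^']+)'")
LEASE = re.compile(r"lease (?P<addr>\S+) by '(?P<id>[^']+)' went offline")
CN = re.compile(r"(?:^|, )CN=([^,]+)")

def summarize(lines):
    """Collect authenticated remote CNs and the identities charon used for
    duplicate-IKE_SA handling and address leases."""
    cns, remotes = set(), set()
    dup_ids, leases = defaultdict(int), defaultdict(set)
    for line in lines:
        if (m := ESTABLISHED.search(line)):
            cn = CN.search(m["rdn"])
            cns.add(cn.group(1) if cn else m["rdn"])  # fall back to whole DN
            remotes.add(m["rip"])
        elif (m := DUPLICATE.search(line)):
            dup_ids[m["id"]] += 1
        elif (m := LEASE.search(line)):
            leases[m["id"]].add(m["addr"])
    return {"cert_cns": cns, "remotes": remotes,
            "duplicate_ids": dict(dup_ids), "leases": dict(leases)}

def identity_collision(summary):
    """True when more certificate CNs authenticated than identities charon
    leased by: distinct certs are being collapsed onto one identity."""
    ids = set(summary["duplicate_ids"]) | set(summary["leases"])
    return bool(ids) and len(summary["cert_cns"]) > len(ids)

# Constructed sample in the shape of the quoted log: the first client's values
# are from the thread, the second client's CN and public address are invented.
SAMPLE_LOG = [
    "Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] established between "
    "10.199.65.236[C=US, O=Internet Widgits Pty Ltd, CN=ipsec.corp.actmobile.com]"
    "...50.197.174.157[C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]",
    "Apr 25 00:12:43 accel charon: 12[IKE] destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT",
    "Apr 25 00:12:43 accel charon: 12[CFG] lease 172.20.0.1 by 'actmobile' went offline",
    "Apr 25 00:13:10 accel charon: 07[IKE] IKE_SA ios[7] established between "
    "10.199.65.236[C=US, O=Internet Widgits Pty Ltd, CN=ipsec.corp.actmobile.com]"
    "...198.51.100.23[C=US, O=strongSwan, CN=IDE-EXAMPLE-SECOND-CLIENT]",
]
```

Run `identity_collision(summarize(SAMPLE_LOG))` to get `True` for the sample: two CNs authenticated, one identity ('actmobile') used for both the duplicate check and the 172.20.0.1 lease.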