Andrew,

Sorry for the misleading advice with "rightsubnet". "rightsubnet" is a traffic selector and has no relation to the virtual IP pool. Your configuration with "rightsourceip" is correct.

Are you able to find the same scenario as yours among the test cases here <http://www.strongswan.org/testresults.html> and compare the setup and logfiles? Without a complete logfile, attached as a file, I am not able to help you further.

Miroslav

Miroslav Svoboda | +420 608 224 486

On 25 April 2015 at 16:51, Andrew Foss <[email protected]> wrote:
> Miroslav,
>
> sorry my last response to you got blocked, but when I use rightsubnet this
> is what occurs in the logs and the VPN doesn't connect, am I missing something?
>
> Apr 25 14:30:52 accel charon: 15[IKE] peer requested virtual IP %any
> Apr 25 14:30:52 accel charon: 15[IKE] no virtual IP found for %any requested by 'IDE-B1DA-3355-4C89-BA98-A580BD513292'
>
> A little further analysis and I have it working with uniqueids=yes, but it
> raised more questions that I was not readily able to answer by reviewing
> the code, but I am still coming up to speed on the structure of the code.
>
> We were using XAuthName "actmobile", I have changed it to the device id
> 'IDE-B1DA-3355-4C89-BA98-A580BD513292' and put a wildcard '*' into the
> ipsec.secrets file and it is working, thankfully we seem to allow a
> wildcard match with '*' for the secrets, though I suspect someone would
> file that as a bug.
>
> It appears that the IP address management may use the XAuthName as the id,
> not the cert subject as the docs imply.
>
> Is that true? Is there any way to control that in the config and assure
> sessions, SAs, etc. are tracked by the cert subject name?
>
> Further, it appears that running version 5.0.2 it behaves better and in
> 5.3.0 the clients don't appear unique and all get the same IP address. I am
> not convinced it was quite right in 5.0.2, but it does seem to behave
> differently.
>
> I am suspecting that to ensure positive control over this I should do a
> radius server and modify the dhcp plugin to really control the IP
> addresses, but I am hoping to procrastinate doing anything major.
>
> I think the question is;
>
> Am I doing something wrong or unusual in the config or can I control in
> the config to use the cert as the id for the clients? It feels like
> something that has the potential to bite back down the road, if I do
> something odd.
>
> Also, is there anywhere this part of the system is documented, that I
> could refer to as an assist while I review the code and understand what it
> is doing?
>
> thanks,
> andrew
>
> Here is the config I am using, with a
>
> * : XAUTH "actmobile" in /etc/ipsec.secrets
>
> conn ios
>     keyexchange=ikev1
>     #esp=null-sha1!
>     authby=xauthrsasig
>     xauth=server
>     #left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
>     leftcert=serverCert.pem
>     rightsourceip=172.20.0.0/16
>     auto=add
>     rekey=yes
>     fragmentation=yes
>     lifetime=24h
>     dpddelay=0
>     dpdtimeout=24h
>     compress=yes
>
> On 4/25/15 2:26 AM, Group Manager wrote:
>
> I replied to your same question on the users list.
> I believe that you need to use "rightsubnet" instead of "rightsourceip" in
> your conf.
> M.
>
> On Saturday, April 25, 2015 at 3:04:46 AM UTC+2, Andrew Foss wrote:
>>
>> It appears that our IP addresses are being assigned by the XAuthName
>> 'actmobile', unfortunately that is not unique?
>>
>> On 4/24/15 5:28 PM, Andrew Foss wrote:
>> > Here's our situation;
>> >
>> > ios ipsec clients, they each have a certificate with a unique common
>> > name.
>> >
>> > I want to configure strongswan to give them a different IP address for
>> > each client/CN, regardless of what public IP address they may arrive
>> > from at the moment, it is a road warrior config.
>> >
>> > I am thinking I can write a plugin like dhcp to do it for sure, but
>> > seems like I may have something in the config that is wrong. I have to
>> > set uniqueids=no to get two clients to connect, which makes me think I
>> > am using something else for the id, other than the cert subject name.
>> >
>> > This error line seems to indicate the peer is referred to as 'actmobile'
>> >
>> > destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT
>> >
>> > in the updown scripts the PLUTO_PEER_ID does show up properly as
>> > [C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
>> >
>> > All my clients seem to get 172.20.0.1 as their IP address and ipsec
>> > statusall shows just one SA even when I have 3 devices connected.
>> >
>> > here's the config;
>> >
>> > conn ios
>> >     keyexchange=ikev1
>> >     #esp=null-sha1!
>> >     authby=xauthrsasig
>> >     xauth=server
>> >     #left=%defaultroute
>> >     leftsubnet=0.0.0.0/0
>> >     #leftsubnet=10.66.0.0/16
>> >     #leftfirewall=yes
>> >     #lefthostaccess=yes
>> >     leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
>> >     leftcert=serverCert.pem
>> >     #right=%any
>> >     rightsourceip=172.20.0.0/16
>> >     #rightsourceip=10.100.255.0/28
>> >     #rightcert=clientCert.pem
>> >     #pfs=no
>> >     auto=add
>> >     rekey=yes
>> >     fragmentation=yes
>> >     lifetime=24h
>> >     dpddelay=0
>> >     dpdtimeout=24h
>> >     compress=yes
>> >
>> > here's the log output of clients connecting;
>> >
>> > IKE_SA ios[6] established between 10.199.65.236[C=US, ST=California, L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile, CN=ipsec.corp.actmobile.com, [email protected]]...50.197.174.157[C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
>> > Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] state change: CONNECTING => ESTABLISHED
>> > Apr 25 00:12:43 accel charon: 12[IKE] scheduling reauthentication in 10094s
>> > Apr 25 00:12:43 accel charon: 12[IKE] maximum IKE_SA lifetime 10634s
>> > Apr 25 00:12:43 accel charon: 12[IKE] activating new tasks
>> > Apr 25 00:12:43 accel charon: 12[IKE] nothing to initiate
>> > Apr 25 00:12:43 accel charon: 12[IKE] destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT
>> > Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[5] state change: ESTABLISHED => DESTROYING
>> > Apr 25 00:12:43 accel charon: 12[KNL] deleting SAD entry with SPI c1648e6d (mark 0/0x00000000)
>> > Apr 25 00:12:43 accel charon: 12[KNL] deleted SAD entry with SPI c1648e6d (mark 0/0x00000000)
>> > Apr 25 00:12:43 accel charon: 12[KNL] deleting SAD entry with SPI 0d133ab7 (mark 0/0x00000000)
>> > Apr 25 00:12:43 accel charon: 12[KNL] deleted SAD entry with SPI 0d133ab7 (mark 0/0x00000000)
>> > Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 0.0.0.0/0 === 172.20.0.1/32 out (mark 0/0x00000000)
>> > Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another CHILD_SA, not removed
>> > Apr 25 00:12:43 accel charon: 12[KNL] updating policy 0.0.0.0/0 === 172.20.0.1/32 out (mark 0/0x00000000)
>> > Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 0.0.0.0/0 in (mark 0/0x00000000)
>> > Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another CHILD_SA, not removed
>> > Apr 25 00:12:43 accel charon: 12[KNL] updating policy 172.20.0.1/32 === 0.0.0.0/0 in (mark 0/0x00000000)
>> > Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 0.0.0.0/0 fwd (mark 0/0x00000000)
>> > Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another CHILD_SA, not removed
>> > Apr 25 00:12:43 accel charon: 12[KNL] updating policy 172.20.0.1/32 === 0.0.0.0/0 fwd (mark 0/0x00000000)
>> > Apr 25 00:12:43 accel charon: 12[KNL] getting a local address in traffic selector 0.0.0.0/0
>> > Apr 25 00:12:43 accel charon: 12[KNL] using host %any
>> > Apr 25 00:12:43 accel charon: 12[KNL] using 10.199.65.193 as nexthop to reach 166.170.42.208
>> > Apr 25 00:12:43 accel charon: 12[KNL] 10.199.65.236 is on interface eth0
>> > Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 0.0.0.0/0 === 172.20.0.1/32 out (mark 0/0x00000000)
>> > Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 0.0.0.0/0 in (mark 0/0x00000000)
>> > Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 0.0.0.0/0 fwd (mark 0/0x00000000)
>> > Apr 25 00:12:43 accel charon: 12[KNL] getting iface index for eth0
>> > Apr 25 00:12:43 accel charon: 12[CFG] lease 172.20.0.1 by 'actmobile' went offline
>> > _______________________________________________
>> > Dev mailing list
>> > [email protected]
>> > https://lists.strongswan.org/mailman/listinfo/dev
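The identity mix-up Andrew describes (each client authenticates with a unique certificate CN, yet the lease and the duplicate-IKE_SA check are keyed on the shared XAuth name) can be spotted from charon logs alone. The following checker is an added example, not code from the thread or from strongSwan: it parses the three message formats quoted above and flags the case where several certificate CNs are funnelled into one identity that no certificate carried; the sample lines, addresses and event order are constructed.

```python
import re
from collections import Counter

# Constructed sample, modelled on the charon messages quoted in the thread:
# two clients with distinct certificate CNs, one shared XAuth name 'actmobile'.
SAMPLE_LOG = """\
Apr 25 00:12:40 accel charon: 11[IKE] IKE_SA ios[5] established between 10.199.65.236[C=US, O=Internet Widgits Pty Ltd, CN=ipsec.corp.actmobile.com]...166.170.42.208[C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] established between 10.199.65.236[C=US, O=Internet Widgits Pty Ltd, CN=ipsec.corp.actmobile.com]...50.197.174.157[C=US, O=strongSwan, CN=IDE-B1DA-3355-4C89-BA98-A580BD513292]
Apr 25 00:12:43 accel charon: 12[IKE] destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT
Apr 25 00:12:43 accel charon: 12[CFG] lease 172.20.0.1 by 'actmobile' went offline
"""

ESTABLISHED = re.compile(
    r"IKE_SA (\S+) established between \S+?\[(.*?)\]\.\.\.(\S+?)\[(.*)\]$")
DUPLICATE = re.compile(r"destroying duplicate IKE_SA for peer '([^']+)'")
LEASE = re.compile(r"lease (\S+) by '([^']+)'")
CN = re.compile(r"CN=([^,\]]+)")

def analyse(log):
    """Correlate who authenticated (certificate CN) with the identity the
    pool and the IKE_SA uniqueness check key on (the quoted peer name)."""
    cert_cns, pool_ids, dup_peers, leases = set(), set(), Counter(), {}
    for line in log.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            cn = CN.search(m.group(4))  # group 4 is the remote (client) DN
            if cn:
                cert_cns.add(cn.group(1))
            continue
        m = DUPLICATE.search(line)
        if m:
            dup_peers[m.group(1)] += 1
            continue
        m = LEASE.search(line)
        if m:
            pool_ids.add(m.group(2))
            leases.setdefault(m.group(1), set()).add(m.group(2))
    # Identities the pool or uniqueness check used that no certificate carried.
    non_cert_ids = (pool_ids | set(dup_peers)) - cert_cns
    return {
        "cert_cns": cert_cns,
        "leases": leases,
        "non_cert_identities": non_cert_ids,
        "duplicate_destroys": dict(dup_peers),
        # Several certificates behind one non-certificate identity is the
        # symptom in the thread: one shared lease, the earlier SA torn down.
        "identity_collision": len(cert_cns) > 1 and bool(non_cert_ids),
    }
```

With the XAuth name changed to the per-device id (as Andrew did), the same lines yield an empty `non_cert_identities` set and no collision.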
