Folks, disregard, I found it, I need to add a patch to allow us to use the cert common name and allow the XAuthName to be the same for everyone, was a hand edit instead of a patchfile, so I missed it, sorry to waste your time.

Miroslav, thanks again for your help, I have it dialed now w/ the logging and am close to up to speed with the code, it is really nice to work in, once I get the gist of it.

andrew



Miroslav,

sorry my last response to you got blocked, but when I use rightsubnet this is what occurs in the logs and vpn doesn't connect, am I missing something?

Apr 25 14:30:52 accel charon: 15[IKE] peer requested virtual IP %any
Apr 25 14:30:52 accel charon: 15[IKE] no virtual IP found for %any requested by 'IDE-B1DA-3355-4C89-BA98-A580BD513292'

A little further analysis and I have it working with uniqueids = yes, but it raised more questions that I was not readily able to answer by reviewing the code, as I am still coming up to speed on the structure of the code.

We were using XAuthName "actmobile". I have changed it to the device id 'IDE-B1DA-3355-4C89-BA98-A580BD513292' and put a wildcard '*' into the ipsec.secrets file and it is working; thankfully we seem to allow a wildcard match with '*' for the secrets, though I suspect someone would file that as a bug.

It appears that the IP address management may use the XAuthName as the id, not the cert subject as the docs imply.

Is that true? Is there any way to control that in the config and assure sessions, SAs, etc. are tracked by the cert subject name?

Further, it appears that running version 5.0.2 it behaves better and in 5.3.0 the clients don't appear unique and all get the same ip address. I am not convinced it was quite right in 5.0.2, but does seem to behave differently.

I am suspecting that to ensure positive control over this I should do a radius server and modify the dhcp plugin to really control the ip addresses, but I am hoping to procrastinate doing anything major.

I think the question is:

Am I doing something wrong or unusual in the config or can I control in the config to use the cert as the id for the clients? It feels like something that has the potential to bite back down the road, if I do something odd.

Also, is there anywhere this part of the system is documented that I could refer to as an assist while I review the code and understand what it is doing?

thanks,
andrew

Here is the config I am using, with a

* : XAUTH "actmobile" in /etc/ipsec.secrets

conn ios
keyexchange=ikev1
#esp=null-sha1!
authby=xauthrsasig
xauth=server
#left=%defaultroute
leftsubnet=0.0.0.0/0
leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
leftcert=serverCert.pem
rightsourceip=172.20.0.0/16
auto=add
rekey=yes
fragmentation=yes
lifetime=24h
dpddelay=0
dpdtimeout=24h
compress=yes

On 4/25/15 2:26 AM, Group Manager wrote:
I replied to your same question on the users list.
I believe that you need to use "rightsubnet" instead of "rightsourceip" in your conf.
M.

On Saturday, April 25, 2015 at 3:04:46 AM UTC+2, Andrew Foss wrote:

    It appears that our ip addresses are being assigned by the XAuthName
    'actmobile', unfortunately that is not unique?

    On 4/24/15 5:28 PM, Andrew Foss wrote:
    > Here's our situation:
    >
    > ios ipsec clients, they each have a certificate with a unique common
    > name.
    >
    > I want to configure strongswan to give them a different ip address for
    > each client/CN, regardless of what public ip address they may arrive
    > from at the moment, it is a road warrior config.
    >
    > I am thinking I can write a plugin like dhcp to do it for sure, but
    > seems like I may have something in the config that is wrong. I have to
    > set uniqueids=no to get two clients to connect, which makes me think I
    > am using something else for the id, other than the cert subject name.
    >
    > This error line seems to indicate the peer is referred to as 'actmobile'
    >
    > destroying duplicate IKE_SA for peer 'actmobile', received
    > INITIAL_CONTACT
    >
    > in the updown scripts the PLUTO_PEER_ID does show up properly as
    > [C=US, O=strongSwan, CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
    >
    > All my clients seem to get 172.20.0.1 as their ip address and ipsec
    > statusall shows just one SA even when I have 3 devices connected.
    >
    > here's the config:
    >
    > conn ios
    > keyexchange=ikev1
    > #esp=null-sha1!
    > authby=xauthrsasig
    > xauth=server
    > #left=%defaultroute
    > leftsubnet=0.0.0.0/0
    > #leftsubnet=10.66.0.0/16
    > #leftfirewall=yes
    > #lefthostaccess=yes
    > leftupdown=/opt/actmobile/accelerator/actmobile_ipsec_updown
    > leftcert=serverCert.pem
    > #right=%any
    > rightsourceip=172.20.0.0/16
    > #rightsourceip=10.100.255.0/28
    > #rightcert=clientCert.pem
    > #pfs=no
    > auto=add
    > rekey=yes
    > fragmentation=yes
    > lifetime=24h
    > dpddelay=0
    > dpdtimeout=24h
    > compress=yes
    >
    > here's the log output of clients connecting:
    >
    > IKE_SA ios[6] established between 10.199.65.236[C=US, ST=California,
    > L=New York, O=Internet Widgits Pty Ltd, OU=ActMobile,
    > CN=ipsec.corp.actmobile.com, [email protected]]...50.197.174.157[C=US, O=strongSwan,
    > CN=IDE-4B53-E547-4C2A-A2B7-78D2BA436307]
    > Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] state change: CONNECTING => ESTABLISHED
    > Apr 25 00:12:43 accel charon: 12[IKE] scheduling reauthentication in 10094s
    > Apr 25 00:12:43 accel charon: 12[IKE] maximum IKE_SA lifetime 10634s
    > Apr 25 00:12:43 accel charon: 12[IKE] activating new tasks
    > Apr 25 00:12:43 accel charon: 12[IKE] nothing to initiate
    > Apr 25 00:12:43 accel charon: 12[IKE] destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT
    > Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[5] state change: ESTABLISHED => DESTROYING
    > Apr 25 00:12:43 accel charon: 12[KNL] deleting SAD entry with SPI c1648e6d  (mark 0/0x00000000)
    > Apr 25 00:12:43 accel charon: 12[KNL] deleted SAD entry with SPI c1648e6d (mark 0/0x00000000)
    > Apr 25 00:12:43 accel charon: 12[KNL] deleting SAD entry with SPI 0d133ab7  (mark 0/0x00000000)
    > Apr 25 00:12:43 accel charon: 12[KNL] deleted SAD entry with SPI 0d133ab7 (mark 0/0x00000000)
    > Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 0.0.0.0/0 === 172.20.0.1/32 out  (mark 0/0x00000000)
    > Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another CHILD_SA, not removed
    > Apr 25 00:12:43 accel charon: 12[KNL] updating policy 0.0.0.0/0 === 172.20.0.1/32 out  (mark 0/0x00000000)
    > Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 0.0.0.0/0 in  (mark 0/0x00000000)
    > Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another CHILD_SA, not removed
    > Apr 25 00:12:43 accel charon: 12[KNL] updating policy 172.20.0.1/32 === 0.0.0.0/0 in  (mark 0/0x00000000)
    > Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 0.0.0.0/0 fwd  (mark 0/0x00000000)
    > Apr 25 00:12:43 accel charon: 12[KNL] policy still used by another CHILD_SA, not removed
    > Apr 25 00:12:43 accel charon: 12[KNL] updating policy 172.20.0.1/32 === 0.0.0.0/0 fwd  (mark 0/0x00000000)
    > Apr 25 00:12:43 accel charon: 12[KNL] getting a local address in traffic selector 0.0.0.0/0
    > Apr 25 00:12:43 accel charon: 12[KNL] using host %any
    > Apr 25 00:12:43 accel charon: 12[KNL] using 10.199.65.193 as nexthop to reach 166.170.42.208
    > Apr 25 00:12:43 accel charon: 12[KNL] 10.199.65.236 is on interface eth0
    > Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 0.0.0.0/0 === 172.20.0.1/32 out  (mark 0/0x00000000)
    > Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 0.0.0.0/0 in  (mark 0/0x00000000)
    > Apr 25 00:12:43 accel charon: 12[KNL] deleting policy 172.20.0.1/32 === 0.0.0.0/0 fwd  (mark 0/0x00000000)
    > Apr 25 00:12:43 accel charon: 12[KNL] getting iface index for eth0
    > Apr 25 00:12:43 accel charon: 12[CFG] lease 172.20.0.1 by 'actmobile' went offline



_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
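The charon lines quoted in this thread (an IKE_SA established with the client's certificate DN, "destroying duplicate IKE_SA for peer 'actmobile'", and "lease 172.20.0.1 by 'actmobile' went offline") are enough to check from the logs whether several client certificates are sharing one XAuth identity, which is the situation that made every client land on the same lease here. The script below is an added example, not code from the thread or from strongSwan. It runs over a constructed log modelled on the quoted messages (addresses, CNs and timestamps are made up) and reports every XAuth id that was used by more than one certificate CN, together with how many duplicate-SA teardowns it caused and which lease addresses were involved. The correlation it relies on is an assumption: the duplicate teardown is attributed to the SA most recently established on the same charon thread, and the "ESTABLISHED => DESTROYING" line that follows on that thread names the victim SA. That matches the burst shown on the page but is not a documented guarantee of charon's logging.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the charon messages quoted in the thread.
# Timestamps, addresses and CNs are made up; the message formats follow the page.
SAMPLE_LOG = """\
Apr 25 00:10:01 accel charon: 11[IKE] IKE_SA ios[5] established between 10.199.65.236[C=US, O=Example, CN=vpn.example.invalid]...50.197.174.157[C=US, O=strongSwan, CN=IDE-0000-AAAA]
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[6] established between 10.199.65.236[C=US, O=Example, CN=vpn.example.invalid]...166.170.42.208[C=US, O=strongSwan, CN=IDE-0000-BBBB]
Apr 25 00:12:43 accel charon: 12[IKE] destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT
Apr 25 00:12:43 accel charon: 12[IKE] IKE_SA ios[5] state change: ESTABLISHED => DESTROYING
Apr 25 00:12:43 accel charon: 12[CFG] lease 172.20.0.1 by 'actmobile' went offline
Apr 25 00:15:09 accel charon: 13[IKE] IKE_SA ios[7] established between 10.199.65.236[C=US, O=Example, CN=vpn.example.invalid]...198.51.100.7[C=US, O=strongSwan, CN=IDE-0000-CCCC]
Apr 25 00:15:09 accel charon: 13[IKE] destroying duplicate IKE_SA for peer 'actmobile', received INITIAL_CONTACT
Apr 25 00:15:09 accel charon: 13[IKE] IKE_SA ios[6] state change: ESTABLISHED => DESTROYING
Apr 25 00:15:09 accel charon: 13[CFG] lease 172.20.0.1 by 'actmobile' went offline
Apr 25 00:20:00 accel charon: 14[IKE] IKE_SA site[1] established between 10.199.65.236[C=US, O=Example, CN=vpn.example.invalid]...203.0.113.9[C=US, O=strongSwan, CN=branch-office]
"""

# Every charon line carries "charon: <thread>[<group>] <message>".
THREAD = re.compile(r"charon: (\d+)\[[A-Z]+\] (.*)$")
# "IKE_SA <name> established between <local>[<DN>]...<remote>[<DN>]"
ESTABLISHED = re.compile(r"IKE_SA (\S+) established between \S+\[.*?\]\.\.\.\S+\[(.*?)\]$")
DUPLICATE = re.compile(r"destroying duplicate IKE_SA for peer '([^']+)'")
DESTROYING = re.compile(r"IKE_SA (\S+) state change: ESTABLISHED => DESTROYING")
LEASE_OFFLINE = re.compile(r"lease (\S+) by '([^']+)' went offline")
CN = re.compile(r"CN=([^,\]]+)")


def parse_log(text):
    """Single pass over the log; returns cert CNs, teardown counts and leases per XAuth id."""
    sa_cn = {}                    # IKE_SA name -> client certificate CN
    last_sa_on_thread = {}        # charon thread -> SA it most recently established
    pending_dup = {}              # thread -> XAuth id whose victim SA is still unnamed
    cns_by_id = defaultdict(set)  # XAuth id -> certificate CNs seen using it
    dup_count = defaultdict(int)  # XAuth id -> duplicate-SA teardowns
    leases_by_id = defaultdict(set)

    for line in text.splitlines():
        t = THREAD.search(line)
        if not t:
            continue
        thread, msg = t.group(1), t.group(2)

        m = ESTABLISHED.search(msg)
        if m:
            cn = CN.search(m.group(2))
            sa_cn[m.group(1)] = cn.group(1) if cn else m.group(2)
            last_sa_on_thread[thread] = m.group(1)
            continue

        m = DUPLICATE.search(msg)
        if m:
            # Assumption: the new SA is the one this thread just established.
            xid = m.group(1)
            dup_count[xid] += 1
            pending_dup[thread] = xid
            new_sa = last_sa_on_thread.get(thread)
            if new_sa in sa_cn:
                cns_by_id[xid].add(sa_cn[new_sa])
            continue

        m = DESTROYING.search(msg)
        if m and thread in pending_dup:
            # Assumption: the next teardown on this thread is the duplicate's victim.
            xid = pending_dup.pop(thread)
            if m.group(1) in sa_cn:
                cns_by_id[xid].add(sa_cn[m.group(1)])
            continue

        m = LEASE_OFFLINE.search(msg)
        if m:
            leases_by_id[m.group(2)].add(m.group(1))

    return {"cns_by_id": dict(cns_by_id), "dup_count": dict(dup_count),
            "leases_by_id": dict(leases_by_id)}


def shared_identity_findings(text):
    """One finding per XAuth id that more than one client certificate has used."""
    r = parse_log(text)
    findings = []
    for xid, cns in sorted(r["cns_by_id"].items()):
        if len(cns) > 1:
            findings.append({
                "xauth_id": xid,
                "cert_cns": sorted(cns),
                "duplicate_teardowns": r["dup_count"].get(xid, 0),
                "leases": sorted(r["leases_by_id"].get(xid, ())),
            })
    return findings


if __name__ == "__main__":
    for f in shared_identity_findings(SAMPLE_LOG):
        print(f"XAuth id {f['xauth_id']!r} used by {len(f['cert_cns'])} certificates "
              f"{f['cert_cns']}: {f['duplicate_teardowns']} duplicate-SA teardowns, "
              f"leases {f['leases']}")
```

On the sample it produces a single finding: 'actmobile' used by three distinct CNs, two duplicate-SA teardowns, and one lease address recycled between them, which is exactly the symptom described above (one SA in ipsec statusall and every client on 172.20.0.1). The site-to-site SA with its own CN and no teardowns produces no finding. Run against a real charon log it gives a quick answer to the question the thread raises, namely whether the pool and uniqueids logic are keying on the XAuth name rather than the certificate subject, before any config or plugin change is attempted.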
