> On July 14, 2022 at 2:32 AM Michael Schwartzkopff <m...@sys4.de> wrote:
> Just add the site-C subnet to the tunnel of A-B.

I tried that. It doesn't work. I get an error on Site B when attempting to establish the child SAs.

Subnets:

  siteA: 192.168.127.254/24
  siteB: 192.168.126.254/24
  siteC: 192.168.125.254/24

Site A config:

  siteA {
      version=2
      local_addrs=A.A.A.A
      remote_addrs=B.B.B.B
      proposals=aes256-sha1-modp1024
      local {
          auth = psk
      }
      remote {
          auth = psk
      }
      children {
          siteBC {
              esp_proposals=aes256-sha1
              local_ts=192.168.127.0/24
              remote_ts=192.168.125.0/24,192.168.126.0/24
              updown=/usr/libexec/strongswan/_updown iptables
              hostaccess=yes
          }
      }
  }

Site B config:

  siteBC {
      version=2
      local_addrs=B.B.B.B
      remote_addrs=A.A.A.A
      proposals=aes256-sha1-modp1024
      local {
          auth = psk
      }
      remote {
          auth = psk
      }
      children {
          siteA {
              esp_proposals=aes256-sha1
              remote_ts=192.168.127.0/24
              local_ts=192.168.126.0/24,192.168.125.0/24
              updown=/usr/libexec/strongswan/_updown iptables
              hostaccess=yes
          }
      }
  }

  swanctl --initiate --ike siteBC --child siteA

  [IKE] initiating IKE_SA siteBC[2] to A.A.A.A
  [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
  [NET] sending packet: from B.B.B.B[500] to A.A.A.A[500] (336 bytes)
  [NET] received packet: from A.A.A.A[500] to B.B.B.B[500] (344 bytes)
  [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
  [CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  [IKE] remote host is behind NAT
  [CFG] no IDi configured, fall back on IP address
  [IKE] authentication of 'B.B.B.B' (myself) with pre-shared key
  [IKE] establishing CHILD_SA siteA{2}
  [ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
  [NET] sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (316 bytes)
  [NET] received packet: from A.A.A.A[4500] to B.B.B.B[4500] (316 bytes)
  [ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
  [IKE] authentication of 'A.A.A.A' with pre-shared key successful
  [IKE] IKE_SA siteA[2] established between B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
  [IKE] scheduling rekeying in 13618s
  [IKE] maximum IKE_SA lifetime 15058s
  [CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
  [KNL] error installing route with policy 192.168.125.0/24 === 192.168.127.0/24 out
  [IKE] unable to install IPsec policies (SPD) in kernel
  [IKE] failed to establish CHILD_SA, keeping IKE_SA
  [IKE] peer supports MOBIKE
  [IKE] sending DELETE for ESP CHILD_SA with SPI 1caca0b6
  [ENC] generating INFORMATIONAL request 2 [ D ]
  [NET] sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (76 bytes)
  [NET] received packet: from A.A.A.A[4500] to B.B.B.B[4500] (220 bytes)
  [ENC] parsed CREATE_CHILD_SA request 0 [ SA No TSi TSr ]
  [CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
  [KNL] error installing route with policy 192.168.125.0/24 === 192.168.127.0/24 out
  [IKE] unable to install IPsec policies (SPD) in kernel
  [IKE] failed to establish CHILD_SA, keeping IKE_SA
  [ENC] generating CREATE_CHILD_SA response 0 [ N(TS_UNACCEPT) ]
  [NET] sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (76 bytes)
  initiate failed: establishing CHILD_SA 'siteA' failed

If I modify the siteBC config and remove the site C subnet from the local_ts, it works:

  [IKE] initiating IKE_SA siteBC[4] to A.A.A.A
  [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
  [NET] sending packet: from B.B.B.B[500] to A.A.A.A[500] (336 bytes)
  [NET] received packet: from A.A.A.A[500] to B.B.B.B[500] (344 bytes)
  [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
  [CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  [IKE] remote host is behind NAT
  [CFG] no IDi configured, fall back on IP address
  [IKE] authentication of 'B.B.B.B' (myself) with pre-shared key
  [IKE] establishing CHILD_SA siteA{2}
  [ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
  [NET] sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (300 bytes)
  [NET] received packet: from A.A.A.A[4500] to B.B.B.B[4500] (300 bytes)
  [ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
  [IKE] authentication of 'A.A.A.A' with pre-shared key successful
  [IKE] IKE_SA siteA[4] established between B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
  [IKE] scheduling rekeying in 13270s
  [IKE] maximum IKE_SA lifetime 14710s
  [CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
  [IKE] CHILD_SA siteA{2} established with SPIs 73a57791_i 00e2cfd8_o and TS 192.168.126.0/24 === 192.168.127.0/24

So simply adding the siteC subnet to the local/remote ts entries for the Site A and Site B connections doesn't seem to work, unless I'm missing something else I need to add in my configuration.

I'm running these connections on CentOS Linux with strongSwan from the EPEL repo. Currently at U5.9.6/K5.4.204-1.el8.elrepo.x86_64.
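The failing line in the log above is "[KNL] error installing route with policy 192.168.125.0/24 === 192.168.127.0/24 out", and only the local_ts entry that site B has no address in (192.168.125.0/24) fails, while the pair built from its own LAN (192.168.126.0/24) installs fine. The script below is an added example by the editor, not code from the thread or from strongSwan. It assumes that charon's route installation needs an address of the local host inside the local traffic selector to use as the route's source address (that is how the kernel-netlink plugin behaves, but the check here is an independent approximation, not the plugin's logic). It checks every local_ts/remote_ts pair of a swanctl child against the host's addresses, and cross-references the prediction with route-install errors pulled from charon log lines. The log lines and the addresses 203.0.113.2 and 192.168.126.254 are constructed for the example; B.B.B.B in the thread is a placeholder.

```python
import ipaddress
import re

# Constructed sample: a few charon lines in the shape of the output quoted
# in this thread (not copied from a real system).
SAMPLE_LOG = """\
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
[KNL] error installing route with policy 192.168.125.0/24 === 192.168.127.0/24 out
[IKE] unable to install IPsec policies (SPD) in kernel
[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

# Constructed addresses for site B's gateway: an assumed public WAN address
# (203.0.113.2, TEST-NET-3) plus the LAN address given in the thread.
SITE_B_ADDRS = ["203.0.113.2", "192.168.126.254"]

# Site B's child as posted: two local subnets, one remote subnet.
SITE_B_LOCAL_TS = "192.168.126.0/24,192.168.125.0/24"
SITE_B_REMOTE_TS = "192.168.127.0/24"

ROUTE_ERR = re.compile(
    r"error installing route with policy (\S+) === (\S+) (in|out|fwd)"
)


def parse_route_errors(log):
    """Extract (local_ts, remote_ts, direction) from charon route-install errors."""
    return sorted({m.groups() for m in ROUTE_ERR.finditer(log)})


def parse_ts(value):
    """Split a swanctl traffic-selector list such as 'a/24,b/24' into networks."""
    return [ipaddress.ip_network(v.strip(), strict=False) for v in value.split(",")]


def source_address_for(local_net, host_addrs):
    """First host address inside local_net, or None if the host owns none."""
    for addr in host_addrs:
        if ipaddress.ip_address(addr) in local_net:
            return addr
    return None


def check_child(local_ts, remote_ts, host_addrs):
    """For every local/remote TS pair, the source address available for the
    route to remote_ts.  A None source means this host owns no address in
    the local selector, so (under the assumption stated in the lead-in) the
    route, and with it the CHILD_SA, is expected to fail to install."""
    results = []
    for local_net in parse_ts(local_ts):
        src = source_address_for(local_net, host_addrs)
        for remote_net in parse_ts(remote_ts):
            results.append((str(local_net), str(remote_net), src))
    return results


def predicted_failures(local_ts, remote_ts, host_addrs):
    """Only the (local_ts, remote_ts) pairs with no usable source address."""
    return [(l, r) for l, r, src in check_child(local_ts, remote_ts, host_addrs)
            if src is None]


def failures_explained_by_config(log, local_ts, remote_ts, host_addrs):
    """Route errors seen in the log whose TS pair the config check also flags."""
    predicted = set(predicted_failures(local_ts, remote_ts, host_addrs))
    return [(l, r) for l, r, _direction in parse_route_errors(log)
            if (l, r) in predicted]


if __name__ == "__main__":
    for local, remote, src in check_child(SITE_B_LOCAL_TS, SITE_B_REMOTE_TS, SITE_B_ADDRS):
        status = f"src {src}" if src else "no local address in local_ts, route install expected to fail"
        print(f"{local} === {remote}: {status}")
    print("log errors explained by config:",
          failures_explained_by_config(SAMPLE_LOG, SITE_B_LOCAL_TS,
                                       SITE_B_REMOTE_TS, SITE_B_ADDRS))
```

Run on a real gateway, replace SITE_B_ADDRS with the output of `ip -4 addr` and feed it the swanctl child's local_ts/remote_ts; any pair reported with no source address is one to look at before reading further into the IKE exchange, since the IKE_SA and the ESP proposal negotiation both succeed in the quoted log and the failure is purely local.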