Hi Again,

Can anyone please explain why strongSwan 5.0.0 IKEv1 installs two tunnels but only one with IKEv2? Is this expected behaviour?
Thanks!
Jordan.

On Wed, Jul 4, 2012 at 3:59 PM, yordanos beyene <[email protected]> wrote:

> Hi,
>
> I created *site-to-site* vpn with strongSwan 5.0.0. IKEv1 installs
> duplicate tunnels but IKEv2 works as expected.
> See my configuration and ipsec statusall output for both scenarios. Please
> advise if the IKEv1 output is expected or if there is any change I need to
> make in my configuration.
>
> strongswan is running on two centos machines, and my end hosts are win7. I
> initiated the IKE negotiation by starting ping from one win7 host to the other.
>
> *=====IKEv1 configuration and ipsec statusall=====*
>
> *ipsec.conf for centos1*
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         #plutodebug=control
>         #plutostart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>
> conn net-net
>         keyingtries=1
>         keyexchange=ikev1
>         authby=secret
>         left=172.16.20.1
>         leftsubnet=172.16.50.0/24
>         [email protected]
>         leftfirewall=no
>         right=172.16.20.2
>         rightsubnet=172.16.60.0/24
>         [email protected]
>         auto=route
>
> *ipsec.conf for centos2*
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         #plutodebug=control
>         #plutostart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>
> conn net-net
>         keyingtries=1
>         keyexchange=ikev1
>         authby=secret
>         left=172.16.20.2
>         leftsubnet=172.16.60.0/24
>         [email protected]
>         leftfirewall=no
>         right=172.16.20.1
>         rightsubnet=172.16.50.0/24
>         [email protected]
>         auto=route
>
> *centos1 ipsec statusall output*
>
> [root@centos-01 ~]# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686, i686):
>   uptime: 65 seconds, since Jul 04 12:58:34 2012
>   ...
> Listening IP addresses:
>   172.16.20.1
>   172.16.50.1
>   192.168.0.114
> Connections:
>      net-net:  172.16.20.1...172.16.20.2  IKEv1
>      net-net:   local:  [centos1.test.net] uses pre-shared key authentication
>      net-net:   remote: [centos2.test.net] uses pre-shared key authentication
>      net-net:   child:  172.16.50.0/24 === 172.16.60.0/24 TUNNEL
> Routed Connections:
>      net-net{1}:  ROUTED, TUNNEL
>      net-net{1}:   172.16.50.0/24 === 172.16.60.0/24
> Security Associations (1 up, 0 connecting):
>      net-net[1]: ESTABLISHED 26 seconds ago, 172.16.20.1[centos1.test.net]...172.16.20.2[centos2.test.net]
>      net-net[1]: IKEv1 SPIs: e36ac562faaf6552_i* 2d73a82503c8ba33_r, pre-shared key reauthentication in 54 minutes
>      net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>      net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c3287b68_i c7445ee4_o
>      net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 1020 bytes_o (1s ago), rekeying in 15 minutes
>      net-net{1}:   172.16.50.10/32[icmp/8] === 172.16.60.10/32[icmp]
>      net-net{2}:  INSTALLED, TUNNEL, ESP SPIs: ccd6a57c_i c71087c5_o
>      net-net{2}:  AES_CBC_128/HMAC_SHA1_96, 960 bytes_i (1s ago), 0 bytes_o, rekeying in 14 minutes
>      net-net{2}:   172.16.50.10/32[icmp] === 172.16.60.10/32[icmp]
>
> *centos2 ipsec statusall output:*
>
> [root@centos-02 ~]# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686, i686):
>   uptime: 39 seconds, since Jul 04 12:58:45 2012
>   ...
> Listening IP addresses:
>   172.16.20.2
>   172.16.60.1
>   192.168.0.115
> Connections:
>      net-net:  172.16.20.2...172.16.20.1  IKEv1
>      net-net:   local:  [centos2.test.net] uses pre-shared key authentication
>      net-net:   remote: [centos1.test.net] uses pre-shared key authentication
>      net-net:   child:  172.16.60.0/24 === 172.16.50.0/24 TUNNEL
> Routed Connections:
>      net-net{1}:  ROUTED, TUNNEL
>      net-net{1}:   172.16.60.0/24 === 172.16.50.0/24
> Security Associations (1 up, 0 connecting):
>      net-net[1]: ESTABLISHED 18 seconds ago, 172.16.20.2[centos2.test.net]...172.16.20.1[centos1.test.net]
>      net-net[1]: IKEv1 SPIs: e36ac562faaf6552_i 2d73a82503c8ba33_r*, pre-shared key reauthentication in 54 minutes
>      net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>      net-net{2}:  INSTALLED, TUNNEL, ESP SPIs: c7445ee4_i c3287b68_o
>      net-net{2}:  AES_CBC_128/HMAC_SHA1_96, 660 bytes_i (0s ago), 0 bytes_o, rekeying in 14 minutes
>      net-net{2}:   172.16.60.10/32[icmp] === 172.16.50.10/32[icmp/8]
>      net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c71087c5_i ccd6a57c_o
>      net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 600 bytes_o (0s ago), rekeying in 14 minutes
>      net-net{1}:   172.16.60.10/32[icmp] === 172.16.50.10/32[icmp]
>
> *=====IKEv2 configuration and ipsec statusall=====*
>
> *ipsec.conf for centos1 and centos2*
>
> ipsec.conf for centos1 and centos2 is identical to the IKEv1 configuration,
> with the exception that "keyexchange=ikev2" is used instead of "keyexchange=ikev1".
>
> *centos1 ipsec statusall output:*
>
> [root@centos-01 ~]# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686, i686):
>   uptime: 52 seconds, since Jul 04 13:03:28 2012
>   ...
> Listening IP addresses:
>   172.16.20.1
>   172.16.50.1
>   192.168.0.114
> Connections:
>      net-net:  172.16.20.1...172.16.20.2  IKEv2
>      net-net:   local:  [centos1.test.net] uses pre-shared key authentication
>      net-net:   remote: [centos2.test.net] uses pre-shared key authentication
>      net-net:   child:  172.16.50.0/24 === 172.16.60.0/24 TUNNEL
> Routed Connections:
>      net-net{1}:  ROUTED, TUNNEL
>      net-net{1}:   172.16.50.0/24 === 172.16.60.0/24
> Security Associations (1 up, 0 connecting):
>      net-net[1]: ESTABLISHED 14 seconds ago, 172.16.20.1[centos1.test.net]...172.16.20.2[centos2.test.net]
>      net-net[1]: IKEv2 SPIs: e2b4f97331fbc456_i* cb94400f15735d88_r, pre-shared key reauthentication in 51 minutes
>      net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>      net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c3ea4626_i cd83b323_o
>      net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 600 bytes_i (0s ago), 600 bytes_o (0s ago), rekeying in 13 minutes
>      net-net{1}:   172.16.50.0/24 === 172.16.60.0/24
>
> *centos2 ipsec statusall output:*
>
> [root@centos-02 ~]# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.0.0, Linux 2.6.32-220.el6.i686, i686):
>   uptime: 87 seconds, since Jul 04 13:03:45 2012
>   ...
> Listening IP addresses:
>   172.16.20.2
>   172.16.60.1
>   192.168.0.115
> Connections:
>      net-net:  172.16.20.2...172.16.20.1  IKEv2
>      net-net:   local:  [centos2.test.net] uses pre-shared key authentication
>      net-net:   remote: [centos1.test.net] uses pre-shared key authentication
>      net-net:   child:  172.16.60.0/24 === 172.16.50.0/24 TUNNEL
> Routed Connections:
>      net-net{1}:  ROUTED, TUNNEL
>      net-net{1}:   172.16.60.0/24 === 172.16.50.0/24
> Security Associations (1 up, 0 connecting):
>      net-net[1]: ESTABLISHED 75 seconds ago, 172.16.20.2[centos2.test.net]...172.16.20.1[centos1.test.net]
>      net-net[1]: IKEv2 SPIs: e2b4f97331fbc456_i cb94400f15735d88_r*, pre-shared key reauthentication in 53 minutes
>      net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>      net-net{2}:  INSTALLED, TUNNEL, ESP SPIs: cd83b323_i c3ea4626_o
>      net-net{2}:  AES_CBC_128/HMAC_SHA1_96, 4140 bytes_i (1s ago), 4140 bytes_o (1s ago), rekeying in 13 minutes
>      net-net{2}:   172.16.60.0/24 === 172.16.50.0/24
>
> Thank you!
>
> Jordan.
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
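Added example, not part of the thread: a small Python checker for `ipsec statusall` output that collects the INSTALLED CHILD_SAs of each connection and flags those covering the same address ranges once the `[proto/port]` qualifier is ignored. On the IKEv1 output quoted above it reports net-net{1} and net-net{2} as both covering 172.16.50.10/32 === 172.16.60.10/32 (they differ only in the ICMP type qualifier); on the IKEv2 output it reports nothing. The line layout it parses is assumed to match the strongSwan 5.0.0 output shown in the post; the embedded sample is the centos1 IKEv1 excerpt, re-wrapped.

```python
import re
from collections import defaultdict

# State line: "net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: ..."; selector line: "net-net{1}:   A === B"
STATE_RE = re.compile(r"^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+"
                      r"(?P<state>INSTALLED|INSTALLING|ROUTED|REKEYING|REKEYED|DELETING)\b")
TS_RE = re.compile(r"^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+(?P<local>.+?)\s+===\s+(?P<remote>.+?)\s*$")

def strip_qualifier(selector):
    """'172.16.50.10/32[icmp/8]' -> '172.16.50.10/32': drop the [proto/port] part."""
    return selector.split("[", 1)[0]

def parse_child_sas(status_output):
    """(conn, child id) -> selectors of INSTALLED CHILD_SAs; ROUTED trap policies are skipped."""
    sas, current = {}, None
    for line in status_output.splitlines():
        m = STATE_RE.match(line)
        if m:
            current = (m["conn"], int(m["id"])) if m["state"] == "INSTALLED" else None
            if current:
                sas[current] = {"local": [], "remote": []}
            continue
        m = TS_RE.match(line)
        if m and current == (m["conn"], int(m["id"])):  # selector line of the SA just seen
            sas[current]["local"] = m["local"].split()
            sas[current]["remote"] = m["remote"].split()
    return sas

def find_duplicate_tunnels(sas):
    """Group a connection's INSTALLED CHILD_SAs by covered address ranges; return groups of more than one."""
    groups = defaultdict(list)
    for (conn, cid), ts in sas.items():
        key = (conn, tuple(sorted(strip_qualifier(s) for s in ts["local"])),
               tuple(sorted(strip_qualifier(s) for s in ts["remote"])))
        groups[key].append(cid)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

# Constructed sample: the centos1 IKEv1 'ipsec statusall' excerpt from the post, re-wrapped.
IKEV1_CENTOS1 = """\
Routed Connections:
     net-net{1}:  ROUTED, TUNNEL
     net-net{1}:   172.16.50.0/24 === 172.16.60.0/24
Security Associations (1 up, 0 connecting):
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c3287b68_i c7445ee4_o
     net-net{1}:   172.16.50.10/32[icmp/8] === 172.16.60.10/32[icmp]
     net-net{2}:  INSTALLED, TUNNEL, ESP SPIs: ccd6a57c_i c71087c5_o
     net-net{2}:   172.16.50.10/32[icmp] === 172.16.60.10/32[icmp]
"""

for (conn, local, remote), ids in find_duplicate_tunnels(parse_child_sas(IKEV1_CENTOS1)).items():
    print(f"{conn}: CHILD_SAs {ids} all cover {' '.join(local)} === {' '.join(remote)}")
```

During a rekey the old and new CHILD_SA can briefly coexist, so a monitor built on this should alert only when the duplicate persists across several polls.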
