Hi there,
I just started using strongSwan
(strongswan-5.0.0.tar.gz, http://download.strongswan.org/strongswan-5.0.0.tar.gz)
and have tried a simple IPv4 IKEv2 remote access case, where the road warrior
carol (at 10.46.212.196) and the gateway moon (at 10.41.73.71) establish the
VPN tunnel and moon assigns the virtual IP address 10.9.8.1 to carol. However, when I
checked carol's machine after the VPN tunnel was up, I did not see
10.9.8.1 show up under dev eth0. From carol, I could ping the other end of
the VPN (10.9.8.7) and tcpdump showed ESP packets. But from moon, I could not
ping the other end of the VPN (10.9.8.1).
To work around this (which I do not think is the right way), I had to add an extra
line to carol's ipsec.conf in order to make the assigned virtual IP address
show up under dev eth0. Then I could ping both VPN ends from the other side,
and tcpdump showed both in ESP packets.
Before adding the extra line to carol's ipsec.conf, I saw a suspicious
log entry in carol's syslog:
Jul 29 14:33:22 as3-iwf118 charon: 06[IKE] CHILD_SA home{1} established with
SPIs cffd2e36_i ca69b222_o and TS 10.46.212.196/32 === 10.9.8.0/24
After adding the extra line to carol's ipsec.conf, I saw a correct log
entry in carol's syslog:
Jul 29 14:40:08 as3-iwf118 charon: 10[IKE] CHILD_SA home{1} established with
SPIs c839f511_i c3456308_o and TS 10.9.8.1/32 === 10.9.8.0/24
The ipsec.conf files are shown below; the commented line is the extra line I had to
add. The logs shown below are from before adding the extra line, i.e. the failure
situation.
Could someone please tell me what I am missing? How can I make moon assign, and
carol take, the virtual IP address, instead of having carol specify the
address it wants? Thanks a lot!
Regards,
Zhiheng Mao
================== ipsec.conf for gateway moon ==================
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn rw-carol
    left=10.41.73.71
    leftsubnet=10.9.8.0/24
    leftid=moon@strongswan.org
    leftauth=psk
    leftfirewall=yes
    right=%any
    rightid=*@strongswan.org
    rightauth=psk
    rightsourceip=10.9.8.1
    auto=add
================== ipsec.conf for rw carol ==================
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn home
    left=10.46.212.196
    leftid=carol@strongswan.org
    leftauth=psk
    leftfirewall=yes
    leftsourceip=10.9.8.1   # without this line, this virtual address does not show up under dev eth0. Why?
    right=10.41.73.71
    rightid=moon@strongswan.org
    rightsubnet=10.9.8.0/24
    rightauth=psk
    auto=start
================== moon's syslog ==================
Jul 29 15:44:24 sit-iwf charon: 00[DMN] Starting IKE charon daemon (strongSwan
5.0.0, Linux 2.6.18-238.el5, x86_64)
Jul 29 15:44:24 sit-iwf charon: 00[KNL] listening on interfaces:
Jul 29 15:44:24 sit-iwf charon: 00[KNL] eth0
Jul 29 15:44:24 sit-iwf charon: 00[KNL] 10.41.73.71
Jul 29 15:44:24 sit-iwf charon: 00[KNL] 10.41.73.79
Jul 29 15:44:24 sit-iwf charon: 00[KNL] 2002:c023:9c17:21c::a29:4947
Jul 29 15:44:25 sit-iwf charon: 00[KNL] fe80::21b:78ff:fe75:3bd8
Jul 29 15:44:25 sit-iwf charon: 00[KNL] tun0
Jul 29 15:44:25 sit-iwf charon: 00[KNL] 10.9.8.7
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading ca certificates from
'/usr/local/etc/ipsec.d/cacerts'
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading aa certificates from
'/usr/local/etc/ipsec.d/aacerts'
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading attribute certificates from
'/usr/local/etc/ipsec.d/acerts'
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading crls from
'/usr/local/etc/ipsec.d/crls'
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading secrets from
'/usr/local/etc/ipsec.secrets'
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loaded IKE secret for
[email protected]
Jul 29 15:44:25 sit-iwf charon: 00[CFG] loaded IKE secret for
[email protected]
Jul 29 15:44:25 sit-iwf charon: 00[DMN] loaded plugins: charon aes des sha1
sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey
pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default
stroke updown eap-aka eap-md5 eap-radius xauth-generic
Jul 29 15:44:25 sit-iwf charon: 00[JOB] spawning 16 worker threads
Jul 29 15:44:26 sit-iwf charon: 07[CFG] received stroke: add connection
'rw-carol'
Jul 29 15:44:26 sit-iwf charon: 07[CFG] added configuration 'rw-carol'
Jul 29 15:44:26 sit-iwf charon: 07[CFG] adding virtual IP address pool
'rw-carol': 10.9.8.1/32
Jul 29 15:44:32 sit-iwf charon: 09[NET] received packet: from
10.46.212.196[500] to 10.41.73.71[500]
Jul 29 15:44:32 sit-iwf charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) ]
Jul 29 15:44:32 sit-iwf charon: 09[IKE] 10.46.212.196 is initiating an IKE_SA
Jul 29 15:44:32 sit-iwf charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 29 15:44:32 sit-iwf charon: 09[NET] sending packet: from 10.41.73.71[500]
to 10.46.212.196[500]
Jul 29 15:44:32 sit-iwf charon: 10[NET] received packet: from
10.46.212.196[4500] to 10.41.73.71[4500]
Jul 29 15:44:32 sit-iwf charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH)
N(EAP_ONLY) ]
Jul 29 15:44:32 sit-iwf charon: 10[CFG] looking for peer configs matching
10.41.73.71[moon@strongswan.org]...10.46.212.196[carol@strongswan.org]
Jul 29 15:44:32 sit-iwf charon: 10[CFG] selected peer config 'rw-carol'
Jul 29 15:44:32 sit-iwf charon: 10[IKE] authentication of
'carol@strongswan.org' with pre-shared key successful
Jul 29 15:44:32 sit-iwf charon: 10[IKE] peer supports MOBIKE
Jul 29 15:44:32 sit-iwf charon: 10[IKE] authentication of 'moon@strongswan.org'
(myself) with pre-shared key
Jul 29 15:44:32 sit-iwf charon: 10[IKE] IKE_SA rw-carol[1] established between
10.41.73.71[moon@strongswan.org]...10.46.212.196[carol@strongswan.org]
Jul 29 15:44:32 sit-iwf charon: 10[IKE] scheduling reauthentication in 3400s
Jul 29 15:44:32 sit-iwf charon: 10[IKE] maximum IKE_SA lifetime 3580s
Jul 29 15:44:32 sit-iwf charon: 10[IKE] CHILD_SA rw-carol{1} established with
SPIs c0401f84_i c445a329_o and TS 10.9.8.0/24 === 10.46.212.196/32
Jul 29 15:44:33 sit-iwf charon: 10[ENC] generating IKE_AUTH response 1 [ IDr
AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR)
N(ADD_6_ADDR) ]
Jul 29 15:44:33 sit-iwf charon: 10[NET] sending packet: from 10.41.73.71[4500]
to 10.46.212.196[4500]
================== carol's eth0 before VPN setup, syslog during VPN setup, eth0 after VPN setup ==================
[zmao@as3-iwf118 sbin]$ /sbin/ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 78:e7:d1:ca:6f:b8 brd ff:ff:ff:ff:ff:ff
inet 10.46.212.196/27 brd 10.46.212.223 scope global eth0
inet6 2002:c023:9c17:21b::a2e:d4c4/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::7ae7:d1ff:feca:6fb8/64 scope link
valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
442: ppp0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop qlen 3
link/ppp
Jul 29 15:44:32 as3-iwf118 charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.0.0, Linux 2.6.18-238.el5, x86_64)
Jul 29 15:44:32 as3-iwf118 charon: 00[KNL] listening on interfaces:
Jul 29 15:44:32 as3-iwf118 charon: 00[KNL] eth0
Jul 29 15:44:32 as3-iwf118 charon: 00[KNL] 10.46.212.196
Jul 29 15:44:32 as3-iwf118 charon: 00[KNL] 2002:c023:9c17:21b::a2e:d4c4
Jul 29 15:44:32 as3-iwf118 charon: 00[KNL] fe80::7ae7:d1ff:feca:6fb8
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading ca certificates from
'/usr/local/etc/ipsec.d/cacerts'
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading aa certificates from
'/usr/local/etc/ipsec.d/aacerts'
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading ocsp signer certificates
from '/usr/local/etc/ipsec.d/ocspcerts'
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading attribute certificates from
'/usr/local/etc/ipsec.d/acerts'
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading crls from
'/usr/local/etc/ipsec.d/crls'
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading secrets from
'/usr/local/etc/ipsec.secrets'
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loaded IKE secret for
[email protected]
Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loaded IKE secret for
[email protected]
Jul 29 15:44:32 as3-iwf118 charon: 00[DMN] loaded plugins: charon aes des sha1
sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey
pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default
stroke updown xauth-generic
Jul 29 15:44:32 as3-iwf118 charon: 00[JOB] spawning 16 worker threads
Jul 29 15:44:32 as3-iwf118 charon: 05[CFG] received stroke: add connection
'home'
Jul 29 15:44:32 as3-iwf118 charon: 05[CFG] added configuration 'home'
Jul 29 15:44:32 as3-iwf118 charon: 07[CFG] received stroke: initiate 'home'
Jul 29 15:44:32 as3-iwf118 charon: 07[IKE] initiating IKE_SA home[1] to
10.41.73.71
Jul 29 15:44:32 as3-iwf118 charon: 07[ENC] generating IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 29 15:44:32 as3-iwf118 charon: 07[NET] sending packet: from
10.46.212.196[500] to 10.41.73.71[500]
Jul 29 15:44:32 as3-iwf118 charon: 09[NET] received packet: from
10.41.73.71[500] to 10.46.212.196[500]
Jul 29 15:44:32 as3-iwf118 charon: 09[ENC] parsed IKE_SA_INIT response 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jul 29 15:44:32 as3-iwf118 charon: 09[IKE] authentication of
'carol@strongswan.org' (myself) with pre-shared key
Jul 29 15:44:32 as3-iwf118 charon: 09[IKE] establishing CHILD_SA home
Jul 29 15:44:32 as3-iwf118 charon: 09[ENC] generating IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH)
N(EAP_ONLY) ]
Jul 29 15:44:32 as3-iwf118 charon: 09[NET] sending packet: from
10.46.212.196[4500] to 10.41.73.71[4500]
Jul 29 15:44:33 as3-iwf118 charon: 10[NET] received packet: from
10.41.73.71[4500] to 10.46.212.196[4500]
Jul 29 15:44:33 as3-iwf118 charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr
AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR)
N(ADD_6_ADDR) ]
Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] authentication of
'moon@strongswan.org' with pre-shared key successful
Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] IKE_SA home[1] established between
10.46.212.196[carol@strongswan.org]...10.41.73.71[moon@strongswan.org]
Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] scheduling reauthentication in 3386s
Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] maximum IKE_SA lifetime 3566s
Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] CHILD_SA home{1} established with
SPIs c445a329_i c0401f84_o and TS 10.46.212.196/32 === 10.9.8.0/24
Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] received AUTH_LIFETIME of 3400s,
scheduling reauthentication in 3220s
Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] peer supports MOBIKE
[zmao@as3-iwf118 sbin]$ /sbin/ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 78:e7:d1:ca:6f:b8 brd ff:ff:ff:ff:ff:ff
inet 10.46.212.196/27 brd 10.46.212.223 scope global eth0
inet6 2002:c023:9c17:21b::a2e:d4c4/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::7ae7:d1ff:feca:6fb8/64 scope link
valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
442: ppp0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop qlen 3
link/ppp
_______________________________________________
Users mailing list
users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
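As an added worked example (not part of the original post and not strongSwan's own code), the following Python script checks a road-warrior ipsec.conf and a client-side charon log for the symptom the post describes. The gateway's rightsourceip only defines the pool it may hand out; the client still has to ask for an address, which in ipsec.conf is leftsourceip=%config. Without it charon sends no CP (configuration) payload in IKE_AUTH and proposes its physical address 10.46.212.196/32 as TSi, which is exactly the first CHILD_SA line in the post, so the gateway has no SA that matches traffic to 10.9.8.1 and its pings never enter the tunnel. Hard-coding leftsourceip=10.9.8.1 makes carol ask for that particular address; %config lets the gateway's pool assign whichever address it chooses, which is what the question asks for. The ipsec.conf strings are trimmed from the post's configs (ids and lifetimes dropped), the "before" log lines are the post's own lines re-joined onto single lines, and the "after" IKE_AUTH line with a CP payload and the "installing new virtual IP" line are constructed to mirror what charon logs once the request is made. The pool 10.9.8.1/32 is the one moon's log reports for 'rw-carol'.

```python
"""Added example, not from the original post or from strongSwan: lint a
road-warrior ipsec.conf and a client-side charon log for a missing
virtual-IP request. Sample inputs are trimmed/constructed from the post."""
import ipaddress
import re

# Constructed from carol's ipsec.conf in the post, ids and lifetimes trimmed,
# without any leftsourceip line (the "before" state).
CAROL_BEFORE = """\
conn %default
    keyexchange=ikev2
    keyingtries=1
conn home
    left=10.46.212.196
    leftauth=psk
    leftfirewall=yes
    right=10.41.73.71
    rightsubnet=10.9.8.0/24
    rightauth=psk
    auto=start
"""

# The fix: request an address from the gateway's rightsourceip pool via CP.
CAROL_AFTER = CAROL_BEFORE.replace("    auto=start\n",
                                   "    leftsourceip=%config\n    auto=start\n")

# "before": two lines from the post's carol syslog, re-joined onto single lines.
LOG_BEFORE = """\
Jul 29 15:44:32 as3-iwf118 charon: 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] CHILD_SA home{1} established with SPIs c445a329_i c0401f84_o and TS 10.46.212.196/32 === 10.9.8.0/24
"""

# "after": the first two lines are constructed to mirror charon's output once a
# CP request is sent; the CHILD_SA line is the post's own "correct" log line.
LOG_AFTER = """\
Jul 29 14:40:08 as3-iwf118 charon: 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jul 29 14:40:08 as3-iwf118 charon: 10[IKE] installing new virtual IP 10.9.8.1
Jul 29 14:40:08 as3-iwf118 charon: 10[IKE] CHILD_SA home{1} established with SPIs c839f511_i c3456308_o and TS 10.9.8.1/32 === 10.9.8.0/24
"""


def parse_ipsec_conf(text):
    """Minimal ipsec.conf parser: {section_name: {key: value}}, with the
    'conn %default' settings merged into every other section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if not line:
            continue
        if line.startswith(("conn ", "config ")):
            current = line.split(None, 1)[1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    default = sections.pop("%default", {})
    return {name: {**default, **opts} for name, opts in sections.items()}


def lint_roadwarrior(conns, name):
    """Flag a client conn that cannot receive a gateway-assigned virtual IP."""
    findings = []
    src = conns[name].get("leftsourceip")
    if src is None:
        findings.append("no leftsourceip: charon sends no CP request and uses the "
                        "physical address as TSi, so the gateway has no SA for the pool address")
    elif not src.startswith("%"):
        findings.append(f"leftsourceip={src} is hard-coded: the client asks for a fixed "
                        "address; use %config so the gateway's rightsourceip pool assigns it")
    return findings


REQ_RE = re.compile(r"generating IKE_AUTH request \d+ \[ (.*?) \]")
TS_RE = re.compile(r"CHILD_SA \S+ established with SPIs \S+ \S+ and TS (\S+) === (\S+)")


def check_charon_log(log, pool):
    """Look for the two log-level symptoms of a missing virtual-IP request:
    no CP payload in the IKE_AUTH request, and a local TS outside the pool."""
    pool = ipaddress.ip_network(pool)
    findings = []
    for line in log.splitlines():
        m = REQ_RE.search(line)
        if m and "CP" not in m.group(1).split():
            findings.append("IKE_AUTH request carries no CP payload: no virtual IP was requested")
        m = TS_RE.search(line)
        if m:
            local = ipaddress.ip_network(m.group(1))
            if not local.subnet_of(pool):
                findings.append(f"local TS {local} is outside pool {pool}: "
                                "traffic to the pool address cannot match this CHILD_SA")
    return findings


if __name__ == "__main__":
    pool = "10.9.8.1/32"  # moon's log: adding virtual IP address pool 'rw-carol': 10.9.8.1/32
    for label, conf, log in (("before", CAROL_BEFORE, LOG_BEFORE),
                             ("after", CAROL_AFTER, LOG_AFTER)):
        problems = lint_roadwarrior(parse_ipsec_conf(conf), "home") + check_charon_log(log, pool)
        print(f"{label}: {problems or 'OK'}")
```

After changing carol's conn to leftsourceip=%config and restarting, the check to run on carol is `ipsec statusall`, which should list the assigned virtual IP and a CHILD_SA with TS 10.9.8.1/32 === 10.9.8.0/24, and `ip addr`, which should now show 10.9.8.1 on eth0; on moon, `ip xfrm policy` should show a policy for 10.9.8.0/24 to 10.9.8.1/32, which is what makes its pings select the tunnel.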