Hi Andreas,

That works! Thanks a lot for the help!

Regards,
Zhiheng

-----Original Message-----
From: Andreas Steffen [mailto:[email protected]]
Sent: Sunday, July 29, 2012 9:16 PM
To: Mao, Zhiheng
Cc: [email protected]
Subject: Re: [strongSwan] question to the IPv4 IKEv2 Remote Access senario

Hi,

the correct line that you have to add on the roadwarrior side is

  leftsourceip=%config

which causes a virtual IP address to be requested from the gateway.

Regards

Andreas

On 07/30/2012 01:13 AM, Mao, Zhiheng wrote:
> Hi there,
>
> I just started using the strongswan (strongswan-5.0.0.tar.gz
> <http://download.strongswan.org/strongswan-5.0.0.tar.gz>) and have
> tried a simple IPv4 IKEv2 Remote Access case, where the road warrior
> carol (at 10.46.212.196) and the gateway moon (at 10.41.73.71) established
> the VPN tunnel and moon assigned the virtual IP addr 10.9.8.1 to carol.
> However, I checked the carol's machine after the VPN tunnel was up,
> and I did not see the 10.9.8.1 shown up under the dev eth0. From
> carol, I could ping the other end of the VPN (10.9.8.7) and tcpdump
> showed ESP packets. But from moon, I could not ping the other end of
> the VPN (10.9.8.1).
>
> To work around (which I do not think is the right way), I had to add
> an extra line to the carol's ipsec.conf in order to make the assigned
> virtual IP address show up for the dev eth0. Then I could ping both
> VPN ends from the other side, and the tcpdump showed both in ESP packets.
>
> Before adding the extra line to the carol's ipsec.conf, I did see a
> suspicious log in carol's syslog:
>
> Jul 29 14:33:22 as3-iwf118 charon: 06[IKE] CHILD_SA home{1} established with SPIs cffd2e36_i ca69b222_o and TS 10.46.212.196/32 === 10.9.8.0/24
>
> After adding the extra line to the carol's ipsec.conf, I did see a
> correct log in carol's syslog:
>
> Jul 29 14:40:08 as3-iwf118 charon: 10[IKE] CHILD_SA home{1} established with SPIs c839f511_i c3456308_o and TS 10.9.8.1/32 === 10.9.8.0/24
>
> The ipsec.conf files are shown below, the red line is the extra line I
> had to add. The logs shown below were before adding the extra line in
> the failure situation.
>
> Could someone please tell me what I am missing? How can I make moon
> assign and make carol take the virtual IP address instead of having
> carol specifying the address it wants? Thanks a lot!
>
> Regards,
>
> Zhiheng Mao
>
> ================== ipsec.conf for gateway moon ==================
>
> config setup
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>
> conn rw-carol
>         left=10.41.73.71
>         leftsubnet=10.9.8.0/24
>         [email protected]
>         leftauth=psk
>         leftfirewall=yes
>         right=%any
>         rightid=*@strongswan.org
>         rightauth=psk
>         rightsourceip=10.9.8.1
>         auto=add
>
> ================== ipsec.conf for rw carol ==================
>
> config setup
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev2
>
> conn home
>         left=10.46.212.196
>         [email protected]
>         leftauth=psk
>         leftfirewall=yes
>         leftsourceip=10.9.8.1   # without this line, this virtual address does not show up under the dev eth0. Why?
>         right=10.41.73.71
>         [email protected]
>         rightsubnet=10.9.8.0/24
>         rightauth=psk
>         auto=start
>
> ================== moon's syslog ==================
>
> Jul 29 15:44:24 sit-iwf charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 2.6.18-238.el5, x86_64)
> Jul 29 15:44:24 sit-iwf charon: 00[KNL] listening on interfaces:
> Jul 29 15:44:24 sit-iwf charon: 00[KNL]   eth0
> Jul 29 15:44:24 sit-iwf charon: 00[KNL]     10.41.73.71
> Jul 29 15:44:24 sit-iwf charon: 00[KNL]     10.41.73.79
> Jul 29 15:44:24 sit-iwf charon: 00[KNL]     2002:c023:9c17:21c::a29:4947
> Jul 29 15:44:25 sit-iwf charon: 00[KNL]     fe80::21b:78ff:fe75:3bd8
> Jul 29 15:44:25 sit-iwf charon: 00[KNL]   tun0
> Jul 29 15:44:25 sit-iwf charon: 00[KNL]     10.9.8.7
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loaded 0 RADIUS server configurations
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Jul 29 15:44:25 sit-iwf charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Jul 29 15:44:25 sit-iwf charon: 00[CFG]   loaded IKE secret for [email protected]
> Jul 29 15:44:25 sit-iwf charon: 00[CFG]   loaded IKE secret for [email protected]
> Jul 29 15:44:25 sit-iwf charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-aka eap-md5 eap-radius xauth-generic
> Jul 29 15:44:25 sit-iwf charon: 00[JOB] spawning 16 worker threads
> Jul 29 15:44:26 sit-iwf charon: 07[CFG] received stroke: add connection 'rw-carol'
> Jul 29 15:44:26 sit-iwf charon: 07[CFG] added configuration 'rw-carol'
> Jul 29 15:44:26 sit-iwf charon: 07[CFG] adding virtual IP address pool 'rw-carol': 10.9.8.1/32
> Jul 29 15:44:32 sit-iwf charon: 09[NET] received packet: from 10.46.212.196[500] to 10.41.73.71[500]
> Jul 29 15:44:32 sit-iwf charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 29 15:44:32 sit-iwf charon: 09[IKE] 10.46.212.196 is initiating an IKE_SA
> Jul 29 15:44:32 sit-iwf charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Jul 29 15:44:32 sit-iwf charon: 09[NET] sending packet: from 10.41.73.71[500] to 10.46.212.196[500]
> Jul 29 15:44:32 sit-iwf charon: 10[NET] received packet: from 10.46.212.196[4500] to 10.41.73.71[4500]
> Jul 29 15:44:32 sit-iwf charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Jul 29 15:44:32 sit-iwf charon: 10[CFG] looking for peer configs matching 10.41.73.71[[email protected]]...10.46.212.196[[email protected]]
> Jul 29 15:44:32 sit-iwf charon: 10[CFG] selected peer config 'rw-carol'
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] authentication of '[email protected]' with pre-shared key successful
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] peer supports MOBIKE
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] authentication of '[email protected]' (myself) with pre-shared key
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] IKE_SA rw-carol[1] established between 10.41.73.71[[email protected]]...10.46.212.196[[email protected]]
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] scheduling reauthentication in 3400s
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] maximum IKE_SA lifetime 3580s
> Jul 29 15:44:32 sit-iwf charon: 10[IKE] CHILD_SA rw-carol{1} established with SPIs c0401f84_i c445a329_o and TS 10.9.8.0/24 === 10.46.212.196/32
> Jul 29 15:44:33 sit-iwf charon: 10[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
> Jul 29 15:44:33 sit-iwf charon: 10[NET] sending packet: from 10.41.73.71[4500] to 10.46.212.196[4500]
>
> ================== carol's eth0 before VPN setup, syslog during VPN setup, eth0 after VPN setup ==================
>
> [zmao@as3-iwf118 sbin]$ /sbin/ip addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 78:e7:d1:ca:6f:b8 brd ff:ff:ff:ff:ff:ff
>     inet 10.46.212.196/27 brd 10.46.212.223 scope global eth0
>     inet6 2002:c023:9c17:21b::a2e:d4c4/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::7ae7:d1ff:feca:6fb8/64 scope link
>        valid_lft forever preferred_lft forever
> 3: sit0: <NOARP> mtu 1480 qdisc noop
>     link/sit 0.0.0.0 brd 0.0.0.0
> 442: ppp0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop qlen 3
>     link/ppp
>
> Jul 29 15:44:32 as3-iwf118 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 2.6.18-238.el5, x86_64)
> Jul 29 15:44:32 as3-iwf118 charon: 00[KNL] listening on interfaces:
> Jul 29 15:44:32 as3-iwf118 charon: 00[KNL]   eth0
> Jul 29 15:44:32 as3-iwf118 charon: 00[KNL]     10.46.212.196
> Jul 29 15:44:32 as3-iwf118 charon: 00[KNL]     2002:c023:9c17:21b::a2e:d4c4
> Jul 29 15:44:32 as3-iwf118 charon: 00[KNL]     fe80::7ae7:d1ff:feca:6fb8
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG]   loaded IKE secret for [email protected]
> Jul 29 15:44:32 as3-iwf118 charon: 00[CFG]   loaded IKE secret for [email protected]
> Jul 29 15:44:32 as3-iwf118 charon: 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
> Jul 29 15:44:32 as3-iwf118 charon: 00[JOB] spawning 16 worker threads
> Jul 29 15:44:32 as3-iwf118 charon: 05[CFG] received stroke: add connection 'home'
> Jul 29 15:44:32 as3-iwf118 charon: 05[CFG] added configuration 'home'
> Jul 29 15:44:32 as3-iwf118 charon: 07[CFG] received stroke: initiate 'home'
> Jul 29 15:44:32 as3-iwf118 charon: 07[IKE] initiating IKE_SA home[1] to 10.41.73.71
> Jul 29 15:44:32 as3-iwf118 charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul 29 15:44:32 as3-iwf118 charon: 07[NET] sending packet: from 10.46.212.196[500] to 10.41.73.71[500]
> Jul 29 15:44:32 as3-iwf118 charon: 09[NET] received packet: from 10.41.73.71[500] to 10.46.212.196[500]
> Jul 29 15:44:32 as3-iwf118 charon: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Jul 29 15:44:32 as3-iwf118 charon: 09[IKE] authentication of '[email protected]' (myself) with pre-shared key
> Jul 29 15:44:32 as3-iwf118 charon: 09[IKE] establishing CHILD_SA home
> Jul 29 15:44:32 as3-iwf118 charon: 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Jul 29 15:44:32 as3-iwf118 charon: 09[NET] sending packet: from 10.46.212.196[4500] to 10.41.73.71[4500]
> Jul 29 15:44:33 as3-iwf118 charon: 10[NET] received packet: from 10.41.73.71[4500] to 10.46.212.196[4500]
> Jul 29 15:44:33 as3-iwf118 charon: 10[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] authentication of '[email protected]' with pre-shared key successful
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] IKE_SA home[1] established between 10.46.212.196[carol@strongswan.org]...10.41.73.71[[email protected]]
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] scheduling reauthentication in 3386s
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] maximum IKE_SA lifetime 3566s
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] CHILD_SA home{1} established with SPIs c445a329_i c0401f84_o and TS 10.46.212.196/32 === 10.9.8.0/24
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] received AUTH_LIFETIME of 3400s, scheduling reauthentication in 3220s
> Jul 29 15:44:33 as3-iwf118 charon: 10[IKE] peer supports MOBIKE
>
> [zmao@as3-iwf118 sbin]$ /sbin/ip addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 78:e7:d1:ca:6f:b8 brd ff:ff:ff:ff:ff:ff
>     inet 10.46.212.196/27 brd 10.46.212.223 scope global eth0
>     inet6 2002:c023:9c17:21b::a2e:d4c4/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::7ae7:d1ff:feca:6fb8/64 scope link
>        valid_lft forever preferred_lft forever
> 3: sit0: <NOARP> mtu 1480 qdisc noop
>     link/sit 0.0.0.0 brd 0.0.0.0
> 442: ppp0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop qlen 3
>     link/ppp

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
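The symptom in this thread is visible in one charon log line: before the fix, carol's CHILD_SA was established with a local traffic selector equal to her physical address (TS 10.46.212.196/32), and after `leftsourceip=%config` the local TS became the gateway-assigned virtual IP (TS 10.9.8.1/32). The script below is an added example, not code from the thread or from the strongSwan project; it checks a road warrior's charon log against the virtual IP pool the gateway announces ("adding virtual IP address pool ...") and flags CHILD_SAs that were negotiated with the host's own address instead of a pool address. It assumes the strongSwan 5.0.0 log formats quoted above and the `a.b.c.d-e.f.g.h` range syntax strongSwan accepts for pools; the sample log lines are copied from the thread, and the `physical_addr` argument is the road warrior's interface address (10.46.212.196 from the `ip addr` output).

```python
"""Flag charon CHILD_SA log lines where a road warrior used its physical
address instead of a gateway-assigned virtual IP.

Added example for the strongSwan thread above; not project code.  Assumes the
strongSwan 5.0.0 log formats quoted in the thread.
"""
import ipaddress
import re

# Road-warrior side: "... CHILD_SA home{1} established with SPIs x_i y_o and TS <local> === <remote>"
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<conn>\S+)\{\d+\} established with SPIs \S+ \S+ and TS "
    r"(?P<local>\S+) === (?P<remote>\S+)"
)
# Gateway side: "... adding virtual IP address pool 'rw-carol': 10.9.8.1/32"
POOL_RE = re.compile(r"adding virtual IP address pool '(?P<conn>[^']+)': (?P<pool>\S+)")


def parse_pool(spec):
    """Turn a pool spec (CIDR or first-last range) into a list of networks."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec, strict=False)]


def parse_pools(gateway_log):
    """Return {conn_name: [networks]} for every pool the gateway log announces."""
    pools = {}
    for line in gateway_log.splitlines():
        m = POOL_RE.search(line)
        if m:
            pools[m.group("conn")] = parse_pool(m.group("pool"))
    return pools


def classify_child_sa(line, pools, physical_addr):
    """Classify one road-warrior CHILD_SA line.

    'virtual-ip'   local TS lies inside a gateway pool (virtual IP was assigned)
    'physical-ip'  local TS is the host's own interface address (no virtual IP requested)
    'other'        local TS is something else (e.g. a real local subnet)
    None           the line is not a CHILD_SA established line
    """
    m = CHILD_SA_RE.search(line)
    if not m:
        return None
    local = ipaddress.ip_network(m.group("local"), strict=False)
    if any(local.subnet_of(net) for nets in pools.values() for net in nets):
        return "virtual-ip"
    if local == ipaddress.ip_network(f"{physical_addr}/32"):
        return "physical-ip"
    return "other"


def audit(roadwarrior_log, pools, physical_addr):
    """Return [(conn_name, verdict)] for every CHILD_SA line in the log."""
    findings = []
    for line in roadwarrior_log.splitlines():
        verdict = classify_child_sa(line, pools, physical_addr)
        if verdict is not None:
            findings.append((CHILD_SA_RE.search(line).group("conn"), verdict))
    return findings


# Sample lines copied from the thread (moon's pool line, carol's two CHILD_SA lines).
GATEWAY_LOG = (
    "Jul 29 15:44:26 sit-iwf charon: 07[CFG] adding virtual IP address pool 'rw-carol': 10.9.8.1/32\n"
)
CAROL_BEFORE_FIX = (
    "Jul 29 14:33:22 as3-iwf118 charon: 06[IKE] CHILD_SA home{1} established with SPIs "
    "cffd2e36_i ca69b222_o and TS 10.46.212.196/32 === 10.9.8.0/24\n"
)
CAROL_AFTER_FIX = (
    "Jul 29 14:40:08 as3-iwf118 charon: 10[IKE] CHILD_SA home{1} established with SPIs "
    "c839f511_i c3456308_o and TS 10.9.8.1/32 === 10.9.8.0/24\n"
)
CAROL_PHYSICAL_ADDR = "10.46.212.196"

if __name__ == "__main__":
    pools = parse_pools(GATEWAY_LOG)
    for label, log in (("before fix", CAROL_BEFORE_FIX), ("after fix", CAROL_AFTER_FIX)):
        for conn, verdict in audit(log, pools, CAROL_PHYSICAL_ADDR):
            print(f"{label}: conn {conn!r} negotiated local TS as {verdict}")
```

The check reads the road warrior's log, where charon prints the local selector first; on the gateway the same CHILD_SA appears with the selectors swapped (TS 10.9.8.0/24 === 10.46.212.196/32 in moon's syslog), so feed gateway logs through a mirrored pattern rather than this one. A `physical-ip` verdict for a connection that is supposed to receive a virtual IP points at a missing `leftsourceip=%config` on the client.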
