Hi Team,
Linux strongSwan U4.5.3/K2.6.32.60-2-fblfs130450-ci1-fct

Issue: the tunnel is getting established with a "Bypass/PassThrough" policy on one end and a "Protect" policy on the other.

Local end: Device A
Bypass/PassThrough policy: configured with local IP (20.20.20.141) to any (0.0.0.0)

/etc/ipsec.conf:

    config setup
        plutostart=yes
        plutodebug=none
        nat_traversal=yes
        uniqueids=no
        charonstart=yes
        charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"

    conn %default
        leftcert=/etc/ipsec.d/certs/btsCert.pem
        auto=start
        pfs=no
        keyingtries=%forever
        mobike=no

    conn conn11
        type=passthrough
        leftsubnet=20.20.20.141/32
        rightsubnet=0.0.0.0/0

ipsec status:

    Connections:
          conn11:  %any...%any
          conn11:   local:  [CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks] uses public key authentication
          conn11:   cert:   "CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks"
          conn11:   remote: [%any] uses any authentication
          conn11:   child:  20.20.20.141/32 === 0.0.0.0/0 PASS
    Security Associations (1 up, 0 connecting):
          conn11[2]: ESTABLISHED 5 minutes ago, 20.20.20.141[CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks]...20.20.20.142[CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks]
          conn11[2]: IKE SPIs: 9dcf651b52418115_i 8ca0aedc28cc36db_r*, public key reauthentication in 2 hours
          conn11[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
          conn11{1}:  INSTALLED, TUNNEL, ESP SPIs: c9508643_i c1500df6_o
          conn11{1}:  AES_CBC_128/HMAC_SHA1_96, 38136 bytes_i (1s ago), 38136 bytes_o (1s ago), rekeying in 45 minutes
          conn11{1}:   20.20.20.141/32 === 20.20.20.142/32

Remote end: Device B
Protect policy: local IP to remote IP

/etc/ipsec.conf:

    config setup
        plutostart=yes
        plutodebug=none
        nat_traversal=yes
        uniqueids=no
        charonstart=yes
        charondebug="dmn 1, mgr 1, ike 0, chd 1, job 0, cfg 0, knl 0, net 0, enc -1, lib -1"

    conn %default
        leftcert=/etc/ipsec.d/certs/btsCert.pem
        auto=start
        pfs=no
        keyingtries=%forever
        mobike=no

    conn conn11
        type=tunnel
        leftsubnet=20.20.20.142/32
        rightsubnet=0.0.0.0/0
        left=20.20.20.142
        right=20.20.20.141
        keyexchange=ikev2
        reauth=no
        ike=aes128-sha1-modp1024,3des-sha1-modp1024!
        ikelifetime=84437s
        esp=aes128-sha1,3des-sha1!
        authby=pubkey
        rightid=%any
        keylife=86400s
        dpdaction=restart
        dpddelay=10
        dpdtimeout=120
        rekeyfuzz=50%
        rekeymargin=180s

ipsec status:

    Connections:
          conn11:  20.20.20.142...20.20.20.141, dpddelay=10s
          conn11:   local:  [CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks] uses public key authentication
          conn11:   cert:   "CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks"
          conn11:   remote: [%any] uses any authentication
          conn11:   child:  20.20.20.142/32 === 0.0.0.0/0 TUNNEL, dpdaction=restart
    Security Associations (1 up, 0 connecting):
          conn11[2]: ESTABLISHED 5 minutes ago, 20.20.20.142[CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks]...20.20.20.141[CN=RY110409750.nokiasiemensnetworks.com, O=Nokia Siemens Networks]
          conn11[2]: IKE SPIs: 9dcf651b52418115_i* 8ca0aedc28cc36db_r, rekeying in 23 hours, public key reauthentication in 2 hours
          conn11[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
          conn11{2}:  INSTALLED, TUNNEL, ESP SPIs: c1500df6_i c9508643_o
          conn11{2}:  AES_CBC_128/HMAC_SHA1_96, 40236 bytes_i (14s ago), 40236 bytes_o (13s ago), rekeying in 23 hours
          conn11{2}:   20.20.20.142/32 === 20.20.20.141/32

The only issue is why the tunnel is getting established when we have a bypass policy at one end and a protect policy at the other end. Please let me know if any other information is required.

Thanks & Regards,
Deepak Vashisht
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
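An added check, written here and not part of the post or of strongSwan: it parses `ipsec status` output of the shape quoted above and reports every INSTALLED CHILD_SA that belongs to a conn whose configured child policy is a shunt (PASS or DROP), which is exactly the mismatch Device A shows. The sample status text is constructed to mirror Device A's output, with a placeholder identity instead of the real certificate subject.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, modelled on the Device A `ipsec status` output in the post.
STATUS_DEVICE_A = """\
Connections:
      conn11:  %any...%any
      conn11:   local:  [CN=host.example] uses public key authentication
      conn11:   remote: [%any] uses any authentication
      conn11:   child:  20.20.20.141/32 === 0.0.0.0/0 PASS
Security Associations (1 up, 0 connecting):
      conn11[2]: ESTABLISHED 5 minutes ago, 20.20.20.141[CN=host.example]...20.20.20.142[CN=host.example]
      conn11[2]: IKE SPIs: 9dcf651b52418115_i 8ca0aedc28cc36db_r*, public key reauthentication in 2 hours
      conn11{1}:  INSTALLED, TUNNEL, ESP SPIs: c9508643_i c1500df6_o
      conn11{1}:   20.20.20.141/32 === 20.20.20.142/32
"""

# "conn:   child:  <left_ts> === <right_ts> <mode>" lines from the Connections section
CHILD_RE = re.compile(r"^\s*(\S+):\s+child:\s+(\S+) === (\S+) (PASS|DROP|TUNNEL|TRANSPORT)")
# "conn{reqid}:  INSTALLED, <mode>, ..." lines from the Security Associations section
SA_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+INSTALLED, (TUNNEL|TRANSPORT)")
# "conn{reqid}:   <left_ts> === <right_ts>" negotiated traffic selectors of a CHILD_SA
TS_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\S+) === (\S+)\s*$")


@dataclass
class Finding:
    conn: str
    reqid: int
    policy: str      # configured child policy mode (PASS or DROP)
    sa_mode: str     # mode of the CHILD_SA that was installed anyway
    selectors: str   # traffic selectors the CHILD_SA was negotiated for


def find_shunts_with_sas(status: str) -> List[Finding]:
    """Return every installed CHILD_SA whose conn is configured as a shunt (PASS/DROP)."""
    policies: Dict[str, str] = {}
    installed: Dict[Tuple[str, int], str] = {}
    selectors: Dict[Tuple[str, int], str] = {}
    for line in status.splitlines():
        if (m := CHILD_RE.match(line)):
            policies[m.group(1)] = m.group(4)
        elif (m := SA_RE.match(line)):
            installed[(m.group(1), int(m.group(2)))] = m.group(3)
        elif (m := TS_RE.match(line)):
            selectors[(m.group(1), int(m.group(2)))] = f"{m.group(3)} === {m.group(4)}"
    return [Finding(conn, reqid, policies[conn], mode, selectors.get((conn, reqid), "?"))
            for (conn, reqid), mode in installed.items()
            if policies.get(conn) in ("PASS", "DROP")]
```

Run it against the output of `ipsec status` on a host; an empty result means no bypass or drop policy has an SA negotiated under its name.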
