Hello everyone,

I am trying to establish two different tunnels between 3 IPv6 addresses on
2 Debian VMs:
@1 == @2
and
@1 == @3

       @1 = 2001:660:7301:51:5054:ff:fe0d:64d
       @2 = 2001:660:7301:51:5054:ff:fe58:4606
       @3 = 2001:db8:0:f101::1

I tried different configurations and all I get is only one tunnel.

Please find below the ipsec.conf files of both machines
(I followed these steps to configure IPsec,
https://lists.strongswan.org/pipermail/users/2012-July/007826.html, I only
replaced the IPv4 addresses with IPv6 addresses).


VM HA:

config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        charondebug="dmn 4, ike 4, knl 4, cfg 4, mgr 4, chd 4, net 4"
        charonstart=yes
        plutostart=no

conn IKEv2-CERT-hostBatman-hostSuperman

        ikelifetime=180m
        lifetime=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        leftcert=supermanCert.der
        left=2001:660:7301:51:5054:ff:fe0d:64d
        right=2001:660:7301:51:5054:ff:fe58:4606,2001:db8:0:f101::1
        #right=2001:db8:0:f101::1,2001:660:7301:51:5054:ff:fe58:4606
        #right=%any
        #rightid="C=DK, O=JusticeLeauge, CN=Gothman"
        rightid=%any
        leftsubnet=fd80:1914:eab2:11::/64
        #leftsubnet=%any
        #leftid="C=DK, O=JusticeLeauge, CN=Metropolis"
        leftid=%any
        #rightsubnet=%any
        rightsubnet=fd80:1914:eab2:22::/64
        auto=start


VM MN:

config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug="dmn 4, ike 4, knl 4, cfg 4, mgr 4, chd 4, net 4"
        charonstart=yes
        plutostart=no

conn IKEv2-CERT-hostBatman-hostSuperman
      ikelifetime=180m
      lifetime=60m
      rekeymargin=3m
      keyingtries=1
      keyexchange=ikev2
      leftcert=BatmanCert.der
      left=2001:660:7301:51:5054:ff:fe58:4606,2001:db8:0:f101::1
      #left=2001:db8:0:f101::1,2001:db8:0:f101::1
      leftid=%any
      right=2001:660:7301:51:5054:ff:fe0d:64d
      #rightid="C=DK, O=JusticeLeauge, CN=Metropolis"
      rightid=%any
      leftsubnet=fd80:1914:eab2:22::/64
      #leftsubnet=%any
      #leftid="C=DK, O=JusticeLeauge, CN=Gothman"
      rightsubnet=fd80:1914:eab2:11::/64
      #rightsubnet=%any
      auto=start

On eth0 of the VM MN I configured two global IPv6 addresses.

Here is the output of "ipsec statusall":

Status of IKE charon daemon (strongSwan 5.1.1, Linux 3.2.0-4-amd64, x86_64):
  uptime: 12 minutes, since Feb 06 13:42:40 2014
  malloc: sbrk 389120, mmap 0, used 240800, free 148320
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 4
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default
stroke updown xauth-generic
Listening IP addresses:
  10.51.0.79
  2001:db8:0:f101::1
  2001:660:7301:51:5054:ff:fe58:4606
  fd80:1914:eab2:22::1
  2001:db8:1234:abcd::1
Connections:
IKEv2-CERT-hostBatman-hostSuperman:
2001:660:7301:51:5054:ff:fe58:4606...2001:660:7301:51:5054:ff:fe0d:64d
IKEv2
IKEv2-CERT-hostBatman-hostSuperman:   local:  [C=DK, O=JusticeLeauge,
CN=Gotham] uses public key authentication
IKEv2-CERT-hostBatman-hostSuperman:    cert:  "C=DK, O=JusticeLeauge,
CN=Gotham"
IKEv2-CERT-hostBatman-hostSuperman:   remote: uses public key authentication
IKEv2-CERT-hostBatman-hostSuperman:   child:  fd80:1914:eab2:22::/64 ===
fd80:1914:eab2:11::/64 TUNNEL
Security Associations (1 up, 0 connecting):
IKEv2-CERT-hostBatman-hostSuperman[3]: ESTABLISHED 8 minutes ago,
2001:660:7301:51:5054:ff:fe58:4606[C=DK, O=JusticeLeauge,
CN=Gotham]...2001:660:7301:51:5054:ff:fe0d:64d[C=DK, O=JusticeLeauge,
CN=Metropolis]
IKEv2-CERT-hostBatman-hostSuperman[3]: IKEv2 SPIs: 4d00edb16de7fda9_i
215ff75d996c0006_r*, public key reauthentication in 2 hours
IKEv2-CERT-hostBatman-hostSuperman[3]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
IKEv2-CERT-hostBatman-hostSuperman{3}:  INSTALLED, TUNNEL, ESP SPIs:
c87c1544_i c460d9aa_o
IKEv2-CERT-hostBatman-hostSuperman{3}:  AES_CBC_128/HMAC_SHA1_96, 0
bytes_i, 0 bytes_o, rekeying in 46 minutes
IKEv2-CERT-hostBatman-hostSuperman{3}:   fd80:1914:eab2:22::/64 ===
fd80:1914:eab2:11::/64

It seems that changes should be made in the strongswan.conf file in order
to create multiple tunnels, but I didn't understand how I should do it.

(I am using strongSwan 5.1.1)

Thank you for your help
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
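For readers of this thread, the following is an added example (not the poster's configuration and not an official strongSwan sample) of how two separate IKEv2 tunnels are normally declared in ipsec.conf. A comma-separated list in right= (or left=) gives charon alternative addresses for one connection; it does not make charon bring up one IKE_SA per listed address. One tunnel per remote peer therefore needs one conn section per peer, and shared settings can be moved into conn %default. The addresses, certificate file names and the peer DN are taken from the post above; the second tunnel's remote prefix fd80:1914:eab2:33::/64 and the conn names are placeholders chosen for the example.

```ini
# --- VM HA (Superman side): /etc/ipsec.conf ---
# Added example, not the poster's file. Shared settings live in %default,
# one conn section per remote peer address.

config setup
        charondebug="ike 2, knl 2, cfg 2"

conn %default
        keyexchange=ikev2
        ikelifetime=180m
        lifetime=60m
        rekeymargin=3m
        keyingtries=1
        left=2001:660:7301:51:5054:ff:fe0d:64d
        leftcert=supermanCert.der
        leftid="C=DK, O=JusticeLeauge, CN=Metropolis"
        leftsubnet=fd80:1914:eab2:11::/64
        # Pin the peer identity to the DN shown by "ipsec statusall"
        # instead of accepting %any.
        rightid="C=DK, O=JusticeLeauge, CN=Gotham"
        auto=start

# Tunnel 1: @1 <-> @2
conn ha-to-mn-a
        right=2001:660:7301:51:5054:ff:fe58:4606
        rightsubnet=fd80:1914:eab2:22::/64

# Tunnel 2: @1 <-> @3 (remote prefix is a placeholder for this example)
conn ha-to-mn-b
        right=2001:db8:0:f101::1
        rightsubnet=fd80:1914:eab2:33::/64

# --- VM MN (Batman side): /etc/ipsec.conf ---
# Mirror image: each conn binds a specific local address so that charon
# selects the matching conn for the packet that arrives on it.

config setup
        charondebug="ike 2, knl 2, cfg 2"

conn %default
        keyexchange=ikev2
        ikelifetime=180m
        lifetime=60m
        rekeymargin=3m
        keyingtries=1
        leftcert=BatmanCert.der
        leftid="C=DK, O=JusticeLeauge, CN=Gotham"
        right=2001:660:7301:51:5054:ff:fe0d:64d
        rightid="C=DK, O=JusticeLeauge, CN=Metropolis"
        rightsubnet=fd80:1914:eab2:11::/64
        auto=start

# Tunnel 1: @2 <-> @1
conn mn-to-ha-a
        left=2001:660:7301:51:5054:ff:fe58:4606
        leftsubnet=fd80:1914:eab2:22::/64

# Tunnel 2: @3 <-> @1 (local prefix is a placeholder for this example)
conn mn-to-ha-b
        left=2001:db8:0:f101::1
        leftsubnet=fd80:1914:eab2:33::/64
```

Two things to check after `ipsec reload`/`ipsec restart`: "ipsec statusall" should now list two connections and, with auto=start on both, two ESTABLISHED IKE_SAs, one per remote address. The traffic selectors of the two child SAs must differ: if both conns claim the same leftsubnet/rightsubnet pair (as the two configurations in the post do), the kernel ends up with two IPsec policies for the same selector and only one of them will carry traffic, so give each tunnel its own protected prefix or restrict the selectors further.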
