On 02/06/2014 08:10 PM, Mohamed EL HAJJ wrote:
> Hello everyone,
>
> I am trying to establish two different tunnels between 3 IPv6
> addresses on 2 Debian VMs:
> @1 == @2
> and
> @1 == @3
>
> @1 = 2001:660:7301:51:5054:ff:fe0d:64d
> @2 = 2001:660:7301:51:5054:ff:fe58:4606
> @3 = 2001:db8:0:f101::1
>
> I tried different configurations and all I get is only one tunnel.

Have you tried to use two conn sections on each tunnel endpoint? I
don't think you can use multiple addresses in the parameters "left"
and "right".

/Mikael

> Please find below the ipsec.conf files of both machines
> (I followed these steps to configure ipsec,
> https://lists.strongswan.org/pipermail/users/2012-July/007826.html, I
> only replaced IPv4 addresses by IPv6 addresses).
>
>
> VM HA:
>
> config setup
>     # plutodebug=all
>     # crlcheckinterval=600
>     # strictcrlpolicy=yes
>     # cachecrls=yes
>     # nat_traversal=yes
>     charondebug="dmn 4, ike 4, knl 4, cfg 4, mgr 4, chd 4, net 4"
>     charonstart=yes
>     plutostart=no
>
> conn IKEv2-CERT-hostBatman-hostSuperman
>     ikelifetime=180m
>     lifetime=60m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     leftcert=supermanCert.der
>     left=2001:660:7301:51:5054:ff:fe0d:64d
>     right=2001:660:7301:51:5054:ff:fe58:4606,2001:db8:0:f101::1
>     #right=2001:db8:0:f101::1,2001:660:7301:51:5054:ff:fe58:4606
>     #right=%any
>     #rightid="C=DK, O=JusticeLeauge, CN=Gothman"
>     rightid=%any
>     leftsubnet=fd80:1914:eab2:11::/64
>     #leftsubnet=%any
>     #leftid="C=DK, O=JusticeLeauge, CN=Metropolis"
>     leftid=%any
>     #rightsubnet=%any
>     rightsubnet=fd80:1914:eab2:22::/64
>     auto=start
>
>
> VM MN:
>
> config setup
>     # strictcrlpolicy=yes
>     # uniqueids = no
>     charondebug="dmn 4, ike 4, knl 4, cfg 4, mgr 4, chd 4, net 4"
>     charonstart=yes
>     plutostart=no
>
> conn IKEv2-CERT-hostBatman-hostSuperman
>     ikelifetime=180m
>     lifetime=60m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     leftcert=BatmanCert.der
>     left=2001:660:7301:51:5054:ff:fe58:4606,2001:db8:0:f101::1
>     #left=2001:db8:0:f101::1,2001:db8:0:f101::1
>     leftid=%any
>     right=2001:660:7301:51:5054:ff:fe0d:64d
>     #rightid="C=DK, O=JusticeLeauge, CN=Metropolis"
>     rightid=%any
>     leftsubnet=fd80:1914:eab2:22::/64
>     #leftsubnet=%any
>     #leftid="C=DK, O=JusticeLeauge, CN=Gothman"
>     rightsubnet=fd80:1914:eab2:11::/64
>     #rightsubnet=%any
>     auto=start
>
> On eth0 of the VM MN I configured two global IPv6 addresses.
>
> Here is the output of "ipsec statusall":
>
> Status of IKE charon daemon (strongSwan 5.1.1, Linux 3.2.0-4-amd64, x86_64):
>   uptime: 12 minutes, since Feb 06 13:42:40 2014
>   malloc: sbrk 389120, mmap 0, used 240800, free 148320
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
> Listening IP addresses:
>   10.51.0.79
>   2001:db8:0:f101::1
>   2001:660:7301:51:5054:ff:fe58:4606
>   fd80:1914:eab2:22::1
>   2001:db8:1234:abcd::1
> Connections:
> IKEv2-CERT-hostBatman-hostSuperman:  2001:660:7301:51:5054:ff:fe58:4606...2001:660:7301:51:5054:ff:fe0d:64d  IKEv2
> IKEv2-CERT-hostBatman-hostSuperman:   local:  [C=DK, O=JusticeLeauge, CN=Gotham] uses public key authentication
> IKEv2-CERT-hostBatman-hostSuperman:    cert:  "C=DK, O=JusticeLeauge, CN=Gotham"
> IKEv2-CERT-hostBatman-hostSuperman:   remote: uses public key authentication
> IKEv2-CERT-hostBatman-hostSuperman:   child:  fd80:1914:eab2:22::/64 === fd80:1914:eab2:11::/64 TUNNEL
> Security Associations (1 up, 0 connecting):
> IKEv2-CERT-hostBatman-hostSuperman[3]: ESTABLISHED 8 minutes ago, 2001:660:7301:51:5054:ff:fe58:4606[C=DK, O=JusticeLeauge, CN=Gotham]...2001:660:7301:51:5054:ff:fe0d:64d[C=DK, O=JusticeLeauge, CN=Metropolis]
> IKEv2-CERT-hostBatman-hostSuperman[3]: IKEv2 SPIs: 4d00edb16de7fda9_i 215ff75d996c0006_r*, public key reauthentication in 2 hours
> IKEv2-CERT-hostBatman-hostSuperman[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> IKEv2-CERT-hostBatman-hostSuperman{3}:  INSTALLED, TUNNEL, ESP SPIs: c87c1544_i c460d9aa_o
> IKEv2-CERT-hostBatman-hostSuperman{3}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 46 minutes
> IKEv2-CERT-hostBatman-hostSuperman{3}:   fd80:1914:eab2:22::/64 === fd80:1914:eab2:11::/64
>
> It seems that changes should be made in the strongswan.conf file in
> order to create multiple tunnels, but I didn't understand how I should
> do it.
>
> (I am using strongswan 5.1.1)
>
> Thank you for your help
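What Mikael's suggestion looks like in practice, as an added example that is not part of either poster's configuration. The status output above shows that only the first address of each comma-separated list was used (`...fe58:4606...fe0d:64d`), so each tunnel gets its own conn section, with the shared settings factored into `conn %default`. Two points beyond the plain split that a practitioner would want: because both tunnels are authenticated with the same two certificates, the local/remote identity pair is the same on both IKE_SAs, and the default `uniqueids=yes` would treat the second IKE_SA as a replacement for the first and tear it down, so `uniqueids=no` is set in `config setup` (the poster already had it commented out on VM MN). And two CHILD_SAs to the same host that protect the same subnet pair install identical kernel policies, so the second tunnel below is given its own subnet. The conn names, the `fd80:1914:eab2:33::/64` subnet, the `auto=add` on the MN side (so only HA initiates and no duplicate pairs are built) and the reduced `charondebug` level are assumptions; the identities are taken from the `ipsec statusall` output above and replace the `rightid=%any`, which accepted any certificate chaining to a trusted CA as the peer.

```ini
# /etc/ipsec.conf on VM HA (@1). Added example, not the poster's file.
config setup
    # Same cert pair on both tunnels => same identity pair on both IKE_SAs.
    # Keep the default (yes) and the second IKE_SA replaces the first.
    uniqueids=no
    charondebug="ike 1, knl 1, cfg 1"

conn %default
    keyexchange=ikev2
    ikelifetime=180m
    lifetime=60m
    rekeymargin=3m
    keyingtries=1
    leftcert=supermanCert.der
    left=2001:660:7301:51:5054:ff:fe0d:64d
    leftid="C=DK, O=JusticeLeauge, CN=Metropolis"
    # Pin the peer identity instead of rightid=%any.
    rightid="C=DK, O=JusticeLeauge, CN=Gotham"
    leftsubnet=fd80:1914:eab2:11::/64
    auto=start

# tunnel @1 == @2
conn ha-mn-global
    right=2001:660:7301:51:5054:ff:fe58:4606
    rightsubnet=fd80:1914:eab2:22::/64

# tunnel @1 == @3
conn ha-mn-doc
    right=2001:db8:0:f101::1
    # Assumption: a distinct subnet, so the two CHILD_SAs do not
    # install the same kernel policy.
    rightsubnet=fd80:1914:eab2:33::/64

# ---------------------------------------------------------------------
# /etc/ipsec.conf on VM MN (@2 and @3 on eth0). Added example.
config setup
    uniqueids=no
    charondebug="ike 1, knl 1, cfg 1"

conn %default
    keyexchange=ikev2
    ikelifetime=180m
    lifetime=60m
    rekeymargin=3m
    keyingtries=1
    leftcert=BatmanCert.der
    leftid="C=DK, O=JusticeLeauge, CN=Gotham"
    right=2001:660:7301:51:5054:ff:fe0d:64d
    rightid="C=DK, O=JusticeLeauge, CN=Metropolis"
    rightsubnet=fd80:1914:eab2:11::/64
    # Assumption: MN only responds; HA initiates both tunnels.
    auto=add

conn mn-global-ha
    left=2001:660:7301:51:5054:ff:fe58:4606
    leftsubnet=fd80:1914:eab2:22::/64

conn mn-doc-ha
    left=2001:db8:0:f101::1
    leftsubnet=fd80:1914:eab2:33::/64
```

After `ipsec reload` (or `ipsec restart`) on both VMs, `ipsec statusall` on VM MN should list two connections under "Connections:", one per local address, and "Security Associations (2 up, 0 connecting)" with two ESTABLISHED IKE_SAs whose local addresses are @2 and @3 respectively. If only one IKE_SA ever stays up and the log shows the earlier one being deleted when the second is established, `uniqueids` is still at its default.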
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
