Hello Dongsheng,

You have "rightsubnet=10.1.1.0/24" set in conn default, which makes the TS be "0.0.0.0/0 == 10.1.1.0/24". As you cannot have multiple policies with the same TS, it is obvious why it doesn't work. I figure your goal was to allow clients to reach each other, as well as all hosts, but that is already achieved with "leftsubnet=0.0.0.0/0". Omit rightsubnet completely to make the TS be "0.0.0.0/0 == IPGivenToTheClient/32". That will make it work. You do not need to set rightsubnet manually here. StrongSwan automatically sets the rightsubnet to be the one IP that was given to the client.

Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 25.01.2015 at 04:07, Dongsheng Song wrote:
> Hi,
>
> I use strongswan 5.2.1, it only works one connection per user
> simultaneously. I had set 'uniqueids' to 'never', but no luck. Here is
> my configuration:
>
>
> $ cat /etc/ipsec.conf
> config setup
>     uniqueids=never
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>
> conn default
>     leftsubnet=0.0.0.0/0
>     [email protected]
>     leftcert=ipsecCert.cer
>     leftauth=pubkey
>     rightsourceip=10.1.1.0/24
>     rightsubnet=10.1.1.0/24
>     rightauth=eap-mschapv2
>     rightsendcert=never
>     eap_identity=%any
>     auto=add
>
> $ cat /etc/strongswan.conf
> charon {
>     load_modular = yes
>
>     dns1 = 192.168.30.248
>     dns2 = 8.8.8.8
>
>     plugins {
>         include strongswan.d/charon/*.conf
>         duplicheck.enable = no
>     }
>
> The server log said:
>
> ...
>
> 2015-01-25T11:03:39.466969+08:00 charon: 06[CFG] unable to install policy 0.0.0.0/0 === 10.1.1.0/24 out (mark 0/0x00000000) for reqid 29, the same policy for reqid 28 exists
> 2015-01-25T11:03:39.466978+08:00 charon: 06[CFG] unable to install policy 10.1.1.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 29, the same policy for reqid 28 exists
> 2015-01-25T11:03:39.466982+08:00 charon: 06[CFG] unable to install policy 10.1.1.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 29, the same policy for reqid 28 exists
> 2015-01-25T11:03:39.466989+08:00 charon: 06[CFG] unable to install policy 0.0.0.0/0 === 10.1.1.0/24 out (mark 0/0x00000000) for reqid 29, the same policy for reqid 28 exists
> 2015-01-25T11:03:39.467001+08:00 charon: 06[CFG] unable to install policy 10.1.1.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 29, the same policy for reqid 28 exists
> 2015-01-25T11:03:39.467004+08:00 charon: 06[CFG] unable to install policy 10.1.1.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 29, the same policy for reqid 28 exists
> 2015-01-25T11:03:39.467011+08:00 charon: 06[IKE] unable to install IPsec policies (SPD) in kernel
> 2015-01-25T11:03:39.467029+08:00 charon: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
> 2015-01-25T11:03:39.467052+08:00 charon: 06[KNL] deleting policy 0.0.0.0/0 === 10.1.1.0/24 out failed, not found
> 2015-01-25T11:03:39.467061+08:00 charon: 06[KNL] deleting policy 10.1.1.0/24 === 0.0.0.0/0 in failed, not found
> 2015-01-25T11:03:39.467063+08:00 charon: 06[KNL] deleting policy 10.1.1.0/24 === 0.0.0.0/0 fwd failed, not found
> 2015-01-25T11:03:39.467066+08:00 charon: 06[KNL] deleting policy 0.0.0.0/0 === 10.1.1.0/24 out failed, not found
> 2015-01-25T11:03:39.467080+08:00 charon: 06[KNL] deleting policy 10.1.1.0/24 === 0.0.0.0/0 in failed, not found
> 2015-01-25T11:03:39.467084+08:00 charon: 06[KNL] deleting policy 10.1.1.0/24 === 0.0.0.0/0 fwd failed, not found
> 2015-01-25T11:03:39.467122+08:00 charon: 06[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
> ...
>
> Thanks,
> Dongsheng
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
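
An added example (not part of the original thread, and not strongSwan code): a small Python filter that pulls the duplicate-policy failures out of charon log lines like those quoted above and flags client-side traffic selectors that cover more than one address of the virtual IP pool. The function names and the regular expression are assumptions written for this example; the sample lines are copied from the quoted log with the mail wrapping removed.

```python
import ipaddress
import re

# charon's duplicate-policy message, in the form seen in the log quoted above.
CONFLICT_RE = re.compile(
    r"unable to install policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>in|out|fwd) "
    r".*?for reqid (?P<new>\d+), the same policy for reqid (?P<old>\d+) exists"
)

# Sample input: lines from the quoted log, mail wrapping removed.
_TAIL = "(mark 0/0x00000000) for reqid 29, the same policy for reqid 28 exists"
SAMPLE_LOG = [
    "2015-01-25T11:03:39.466969+08:00 charon: 06[CFG] unable to install policy 0.0.0.0/0 === 10.1.1.0/24 out " + _TAIL,
    "2015-01-25T11:03:39.466978+08:00 charon: 06[CFG] unable to install policy 10.1.1.0/24 === 0.0.0.0/0 in " + _TAIL,
    "2015-01-25T11:03:39.466982+08:00 charon: 06[CFG] unable to install policy 10.1.1.0/24 === 0.0.0.0/0 fwd " + _TAIL,
    "2015-01-25T11:03:39.466989+08:00 charon: 06[CFG] unable to install policy 0.0.0.0/0 === 10.1.1.0/24 out " + _TAIL,
    "2015-01-25T11:03:39.467011+08:00 charon: 06[IKE] unable to install IPsec policies (SPD) in kernel",
]

def find_policy_conflicts(lines):
    """Return unique (src, dst, direction, new_reqid, existing_reqid) tuples."""
    seen = []
    for line in lines:
        m = CONFLICT_RE.search(line)
        if m:
            item = (m["src"], m["dst"], m["dir"], int(m["new"]), int(m["old"]))
            if item not in seen:  # charon logs each failed policy twice here
                seen.append(item)
    return seen

def shared_client_selectors(conflicts, pool):
    """Selectors inside the virtual IP pool that span more than one host.

    Such a selector is identical for every client drawn from the pool, so a
    second client's policies collide with the first client's.
    """
    pool_net = ipaddress.ip_network(pool)
    flagged = set()
    for src, dst, _direction, _new, _old in conflicts:
        for selector in (src, dst):
            net = ipaddress.ip_network(selector)
            same_family = net.version == pool_net.version
            if same_family and net.num_addresses > 1 and net.subnet_of(pool_net):
                flagged.add(selector)
    return sorted(flagged)

if __name__ == "__main__":
    found = find_policy_conflicts(SAMPLE_LOG)
    for src, dst, direction, new, old in found:
        print(f"{src} === {dst} {direction}: reqid {new} collides with reqid {old}")
    print("shared selectors:", shared_client_selectors(found, "10.1.1.0/24"))
```

Pass the value of `rightsourceip` as `pool`; a per-client `/32` selector is never flagged because it covers a single address.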
