Hello,

as newbies to IPsec we are using IPfire, so most of the configuration is
generated automatically. Clients can log in at first, but the problem is that
after one client has been connected for some time (~30 to 70 minutes), no
further client can connect (error "Invalid payload received"). The initial
client is still connected.

Clients: Windows 7 SP1
Server: strongSwan U5.3.2/K3.14.43-ipfire-pae


# First client connects
Jul 20 21:36:12 ipfire charon: 11[NET] received packet: from 31.19.180.145[500] 
to y.y.y.y[500] (528 bytes)
Jul 20 21:36:12 ipfire charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) ]
Jul 20 21:36:12 ipfire charon: 11[IKE] 31.19.180.145 is initiating an IKE_SA
Jul 20 21:36:12 ipfire charon: 11[IKE] 31.19.180.145 is initiating an IKE_SA
Jul 20 21:36:12 ipfire charon: 11[IKE] remote host is behind NAT
Jul 20 21:36:12 ipfire charon: 11[IKE] sending cert request for "C=DE, ST=mytown, 
L=mytown, O=mycompany, CN=mycompany CA, [email protected]"
Jul 20 21:36:12 ipfire charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA 
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 20 21:36:12 ipfire charon: 11[NET] sending packet: from y.y.y.y[500] to 
31.19.180.145[500] (337 bytes)
Jul 20 21:36:12 ipfire charon: 13[NET] received packet: from 
31.19.180.145[4500] to y.y.y.y[4500] (2480 bytes)
Jul 20 21:36:12 ipfire charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT 
CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Jul 20 21:36:12 ipfire charon: 13[IKE] received cert request for "C=DE, ST=mytown, 
L=mytown, O=mycompany, CN=mycompany CA, [email protected]"
Jul 20 21:36:12 ipfire charon: 13[IKE] received 47 cert requests for an unknown 
ca
Jul 20 21:36:12 ipfire charon: 13[IKE] received end entity cert "C=DE, ST=mytown, 
O=mycompany, CN=alice"
Jul 20 21:36:12 ipfire charon: 13[CFG] looking for peer configs matching 
y.y.y.y[%any]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
Jul 20 21:36:12 ipfire charon: 13[CFG] selected peer config 'alice'
Jul 20 21:36:12 ipfire charon: 13[CFG]   using trusted ca certificate "C=DE, 
ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, [email protected]"
Jul 20 21:36:12 ipfire charon: 13[CFG] checking certificate status of "C=DE, 
ST=mytown, O=mycompany, CN=alice"
Jul 20 21:36:12 ipfire charon: 13[CFG] certificate status is not available
Jul 20 21:36:12 ipfire charon: 13[CFG]   reached self-signed root ca with a 
path length of 0
Jul 20 21:36:12 ipfire charon: 13[CFG]   using trusted certificate "C=DE, ST=mytown, 
O=mycompany, CN=alice"
Jul 20 21:36:12 ipfire charon: 13[IKE] authentication of 'C=DE, ST=mytown, 
O=mycompany, CN=alice' with RSA signature successful
Jul 20 21:36:13 ipfire charon: 13[IKE] peer supports MOBIKE
Jul 20 21:36:13 ipfire charon: 13[IKE] authentication of 'C=DE, ST=mytown, 
O=mycompany, CN=y.y.y.y' (myself) with RSA signature successful
Jul 20 21:36:13 ipfire charon: 13[IKE] IKE_SA alice[10] established between 
y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, 
ST=mytown, O=mycompany, CN=alice]
Jul 20 21:36:13 ipfire charon: 13[IKE] IKE_SA alice[10] established between 
y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, 
ST=mytown, O=mycompany, CN=alice]
Jul 20 21:36:13 ipfire charon: 13[IKE] sending end entity cert "C=DE, ST=mytown, 
O=mycompany, CN=y.y.y.y"
Jul 20 21:36:13 ipfire charon: 13[IKE] peer requested virtual IP %any
Jul 20 21:36:13 ipfire charon: 13[CFG] reassigning offline lease to 'C=DE, 
ST=mytown, O=mycompany, CN=alice'
Jul 20 21:36:13 ipfire charon: 13[IKE] assigning virtual IP 192.168.110.3 to 
peer 'C=DE, ST=mytown, O=mycompany, CN=alice'
Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established with SPIs 
ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established with SPIs 
ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:36:13 ipfire vpn: client+ C=DE, ST=mytown, O=mycompany, CN=alice 
192.168.110.0/24 == 31.19.180.145 -- y.y.y.y == 0.0.0.0/0
Jul 20 21:36:13 ipfire vpn: tunnel+ 31.19.180.145 -- y.y.y.y
Jul 20 21:36:13 ipfire vpn: snat+ red0-y.y.y.y : 192.168.110.0/24 - 
192.168.120.1
Jul 20 21:36:13 ipfire charon: 13[ENC] generating IKE_AUTH response 1 [ IDr 
CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 20 21:36:13 ipfire charon: 13[NET] sending packet: from y.y.y.y[4500] to 
31.19.180.145[4500] (1536 bytes)

# Further packets from first client
Jul 20 21:54:31 ipfire charon: 11[NET] received packet: from 
31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
Jul 20 21:54:32 ipfire charon: 11[ENC] parsed CREATE_CHILD_SA request 2 [ 
N(REKEY_SA) SA No TSi TSr ]
Jul 20 21:54:32 ipfire charon: 11[IKE] CHILD_SA alice{13} established with SPIs 
c99d4e2d_i 180e5730_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:54:32 ipfire charon: 11[IKE] CHILD_SA alice{13} established with SPIs 
c99d4e2d_i 180e5730_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:54:32 ipfire charon: 11[ENC] generating CREATE_CHILD_SA response 2 [ 
SA No TSi TSr ]
Jul 20 21:54:32 ipfire charon: 11[NET] sending packet: from y.y.y.y[4500] to 
31.19.180.145[4500] (208 bytes)
Jul 20 21:54:32 ipfire charon: 16[NET] received packet: from 
31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
Jul 20 21:54:32 ipfire charon: 16[ENC] parsed INFORMATIONAL request 3 [ D ]
Jul 20 21:54:32 ipfire charon: 16[IKE] received DELETE for ESP CHILD_SA with 
SPI 86a1c9df
Jul 20 21:54:32 ipfire charon: 16[IKE] closing CHILD_SA alice{12} with SPIs 
ca89176e_i (5025099 bytes) 86a1c9df_o (188085730 bytes) and TS 0.0.0.0/0 === 
192.168.110.0/24
Jul 20 21:54:32 ipfire charon: 16[IKE] closing CHILD_SA alice{12} with SPIs 
ca89176e_i (5025099 bytes) 86a1c9df_o (188085730 bytes) and TS 0.0.0.0/0 === 
192.168.110.0/24
Jul 20 21:54:32 ipfire charon: 16[IKE] sending DELETE for ESP CHILD_SA with SPI 
ca89176e
Jul 20 21:54:32 ipfire charon: 16[IKE] CHILD_SA closed
Jul 20 21:54:32 ipfire charon: 16[ENC] generating INFORMATIONAL response 3 [ D ]
Jul 20 21:54:32 ipfire charon: 16[NET] sending packet: from y.y.y.y[4500] to 
31.19.180.145[4500] (80 bytes)
Jul 20 22:01:13 ipfire charon: 04[NET] received packet: from 
31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
Jul 20 22:01:13 ipfire charon: 04[ENC] parsed CREATE_CHILD_SA request 4 [ 
N(REKEY_SA) SA No TSi TSr ]
Jul 20 22:01:13 ipfire charon: 04[IKE] CHILD_SA alice{14} established with SPIs 
c55279ed_i 92dd8be2_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:01:13 ipfire charon: 04[IKE] CHILD_SA alice{14} established with SPIs 
c55279ed_i 92dd8be2_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:01:13 ipfire charon: 04[ENC] generating CREATE_CHILD_SA response 4 [ 
SA No TSi TSr ]
Jul 20 22:01:13 ipfire charon: 04[NET] sending packet: from y.y.y.y[4500] to 
31.19.180.145[4500] (208 bytes)
Jul 20 22:01:13 ipfire charon: 11[NET] received packet: from 
31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
Jul 20 22:01:13 ipfire charon: 11[ENC] parsed INFORMATIONAL request 5 [ D ]
Jul 20 22:01:13 ipfire charon: 11[IKE] received DELETE for ESP CHILD_SA with 
SPI 180e5730
Jul 20 22:01:13 ipfire charon: 11[IKE] closing CHILD_SA alice{13} with SPIs 
c99d4e2d_i (3061812 bytes) 180e5730_o (125342786 bytes) and TS 0.0.0.0/0 === 
192.168.110.0/24
Jul 20 22:01:13 ipfire charon: 11[IKE] closing CHILD_SA alice{13} with SPIs 
c99d4e2d_i (3061812 bytes) 180e5730_o (125342786 bytes) and TS 0.0.0.0/0 === 
192.168.110.0/24
Jul 20 22:01:13 ipfire charon: 11[IKE] sending DELETE for ESP CHILD_SA with SPI 
c99d4e2d
Jul 20 22:01:13 ipfire charon: 11[IKE] CHILD_SA closed
Jul 20 22:01:13 ipfire charon: 11[ENC] generating INFORMATIONAL response 5 [ D ]
Jul 20 22:01:14 ipfire charon: 11[NET] sending packet: from y.y.y.y[4500] to 
31.19.180.145[4500] (80 bytes)
Jul 20 22:05:43 ipfire charon: 13[NET] received packet: from 
31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
Jul 20 22:05:43 ipfire charon: 13[ENC] parsed CREATE_CHILD_SA request 6 [ 
N(REKEY_SA) SA No TSi TSr ]
Jul 20 22:05:43 ipfire charon: 13[IKE] CHILD_SA alice{15} established with SPIs 
cda81ea9_i 3227ad0c_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:05:43 ipfire charon: 13[IKE] CHILD_SA alice{15} established with SPIs 
cda81ea9_i 3227ad0c_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:05:43 ipfire charon: 13[ENC] generating CREATE_CHILD_SA response 6 [ 
SA No TSi TSr ]
Jul 20 22:05:43 ipfire charon: 13[NET] sending packet: from y.y.y.y[4500] to 
31.19.180.145[4500] (208 bytes)
Jul 20 22:05:43 ipfire charon: 12[NET] received packet: from 
31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
Jul 20 22:05:43 ipfire charon: 12[ENC] parsed INFORMATIONAL request 7 [ D ]
Jul 20 22:05:43 ipfire charon: 12[IKE] received DELETE for ESP CHILD_SA with 
SPI 92dd8be2
Jul 20 22:05:43 ipfire charon: 12[IKE] closing CHILD_SA alice{14} with SPIs 
c55279ed_i (2855665 bytes) 92dd8be2_o (125427168 bytes) and TS 0.0.0.0/0 === 
192.168.110.0/24
Jul 20 22:05:43 ipfire charon: 12[IKE] closing CHILD_SA alice{14} with SPIs 
c55279ed_i (2855665 bytes) 92dd8be2_o (125427168 bytes) and TS 0.0.0.0/0 === 
192.168.110.0/24
Jul 20 22:05:43 ipfire charon: 12[IKE] sending DELETE for ESP CHILD_SA with SPI 
c55279ed
Jul 20 22:05:43 ipfire charon: 12[IKE] CHILD_SA closed
Jul 20 22:05:43 ipfire charon: 12[ENC] generating INFORMATIONAL response 7 [ D ]
Jul 20 22:05:43 ipfire charon: 12[NET] sending packet: from y.y.y.y[4500] to 
31.19.180.145[4500] (80 bytes)

# Second client tries to connect and fails
Jul 20 22:08:50 ipfire charon: 11[NET] received packet: from 2.241.32.16[500] 
to y.y.y.y[500] (528 bytes)
Jul 20 22:08:50 ipfire charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) ]
Jul 20 22:08:50 ipfire charon: 11[IKE] 2.241.32.16 is initiating an IKE_SA
Jul 20 22:08:50 ipfire charon: 11[IKE] 2.241.32.16 is initiating an IKE_SA
Jul 20 22:08:50 ipfire charon: 11[IKE] remote host is behind NAT
Jul 20 22:08:51 ipfire charon: 11[IKE] sending cert request for "C=DE, ST=mytown, 
L=mytown, O=mycompany, CN=mycompany CA, [email protected]"
Jul 20 22:08:51 ipfire charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA 
KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 20 22:08:51 ipfire charon: 11[NET] sending packet: from y.y.y.y[500] to 
2.241.32.16[500] (337 bytes)
Jul 20 22:08:51 ipfire charon: 02[NET] received packet: from 2.241.32.16[4500] 
to y.y.y.y[4500] (2384 bytes)
Jul 20 22:08:51 ipfire charon: 02[ENC] parsed IKE_AUTH request 1 [ IDi CERT 
CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Jul 20 22:08:51 ipfire charon: 02[IKE] received cert request for "C=DE, ST=mytown, 
L=mytown, O=mycompany, CN=mycompany CA, [email protected]"
Jul 20 22:08:51 ipfire charon: 02[IKE] received 42 cert requests for an unknown 
ca
Jul 20 22:08:51 ipfire charon: 02[IKE] received end entity cert "C=DE, ST=mytown, 
O=mycompany, CN=bob"
Jul 20 22:08:51 ipfire charon: 02[CFG] looking for peer configs matching 
y.y.y.y[%any]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
Jul 20 22:08:51 ipfire charon: 02[CFG] selected peer config 'bob'
Jul 20 22:08:51 ipfire charon: 02[CFG]   using trusted ca certificate "C=DE, 
ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, [email protected]"
Jul 20 22:08:51 ipfire charon: 02[CFG] checking certificate status of "C=DE, 
ST=mytown, O=mycompany, CN=bob"
Jul 20 22:08:51 ipfire charon: 02[CFG] certificate status is not available
Jul 20 22:08:51 ipfire charon: 02[CFG]   reached self-signed root ca with a 
path length of 0
Jul 20 22:08:51 ipfire charon: 02[CFG]   using trusted certificate "C=DE, ST=mytown, 
O=mycompany, CN=bob"
Jul 20 22:08:51 ipfire charon: 02[IKE] authentication of 'C=DE, ST=mytown, 
O=mycompany, CN=bob' with RSA signature successful
Jul 20 22:08:51 ipfire charon: 02[IKE] peer supports MOBIKE
Jul 20 22:08:51 ipfire charon: 02[IKE] authentication of 'C=DE, ST=mytown, 
O=mycompany, CN=y.y.y.y' (myself) with RSA signature successful
Jul 20 22:08:51 ipfire charon: 02[IKE] IKE_SA bob[12] established between 
y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, 
ST=mytown, O=mycompany, CN=bob]
Jul 20 22:08:51 ipfire charon: 02[IKE] IKE_SA bob[12] established between 
y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, 
ST=mytown, O=mycompany, CN=bob]
Jul 20 22:08:51 ipfire charon: 02[IKE] sending end entity cert "C=DE, ST=mytown, 
O=mycompany, CN=y.y.y.y"
Jul 20 22:08:51 ipfire charon: 02[IKE] peer requested virtual IP %any
Jul 20 22:08:52 ipfire charon: 02[CFG] reassigning offline lease to 'C=DE, 
ST=mytown, O=mycompany, CN=bob'
Jul 20 22:08:52 ipfire charon: 02[IKE] assigning virtual IP 192.168.110.1 to 
peer 'C=DE, ST=mytown, O=mycompany, CN=bob'
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 
192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 
7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 
192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the same 
policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 
192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the same 
policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 
192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 
7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 
192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the same 
policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 
192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the same 
policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[IKE] unable to install IPsec policies (SPD) 
in kernel
Jul 20 22:08:52 ipfire charon: 02[IKE] failed to establish CHILD_SA, keeping 
IKE_SA
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 0.0.0.0/0 === 
192.168.110.0/24 out failed, not found
Jul 20 22:08:52 ipfire charon: 04[MGR] ignoring request with ID 1, already 
processing
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 
0.0.0.0/0 in failed, not found
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 
0.0.0.0/0 fwd failed, not found
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 0.0.0.0/0 === 
192.168.110.0/24 out failed, not found
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 
0.0.0.0/0 in failed, not found
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 
0.0.0.0/0 fwd failed, not found
Jul 20 22:08:52 ipfire charon: 02[ENC] generating IKE_AUTH response 1 [ IDr 
CERT AUTH CPRP(ADDR DNS) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(TS_UNACCEPT) ]
Jul 20 22:08:52 ipfire charon: 02[NET] sending packet: from y.y.y.y[4500] to 
2.241.32.16[4500] (1440 bytes)
Jul 20 22:08:52 ipfire charon: 12[NET] received packet: from 2.241.32.16[4500] 
to y.y.y.y[4500] (80 bytes)
Jul 20 22:08:52 ipfire charon: 12[ENC] parsed INFORMATIONAL request 2 [ D ]
Jul 20 22:08:52 ipfire charon: 12[IKE] received DELETE for IKE_SA bob[12]
Jul 20 22:08:52 ipfire charon: 12[IKE] deleting IKE_SA bob[12] between 
y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, 
ST=mytown, O=mycompany, CN=bob]
Jul 20 22:08:52 ipfire charon: 12[IKE] deleting IKE_SA bob[12] between 
y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, 
ST=mytown, O=mycompany, CN=bob]
Jul 20 22:08:52 ipfire charon: 12[IKE] IKE_SA deleted
Jul 20 22:08:53 ipfire charon: 12[IKE] IKE_SA deleted
Jul 20 22:08:53 ipfire charon: 12[ENC] generating INFORMATIONAL response 2 [ ]
Jul 20 22:08:53 ipfire charon: 12[NET] sending packet: from y.y.y.y[4500] to 
2.241.32.16[4500] (80 bytes)
Jul 20 22:08:53 ipfire charon: 12[CFG] lease 192.168.110.1 by 'C=DE, ST=mytown, 
O=mycompany, CN=bob' went offline



ipfire:~# ipsec status
Security Associations (1 up, 0 connecting):
    alice[10]: ESTABLISHED 33 minutes ago, y.y.y.y[C=DE, ST=mytown, 
O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
    alice{17}:  INSTALLED, TUNNEL, reqid 7, ESP in UDP SPIs: c91792eb_i 
85952394_o
    alice{17}:   0.0.0.0/0 === 192.168.110.0/24



# From /etc/ipsec.conf
# (also includes "ipsec.user-post.conf" at the end; conn for alice looks the 
same)
version 2

conn %default
    keyingtries=%forever

conn bob
    left=vpn.example.com
    leftsubnet=192.168.120.0/24
    leftfirewall=yes
    lefthostaccess=yes
    right=%any
    rightsubnet=vhost:%no,%priv
    leftcert=/var/ipfire/certs/hostcert.pem
    rightcert=/var/ipfire/certs/bobcert.pem
    ike=aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha-modp4096,aes256-sha-modp3072,aes256-sha-modp2048,aes256-sha-modp1536,aes256-sha-modp1024,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha-modp4096,aes192-sha-modp3072,aes192-sha-modp2048,aes192-sha-modp1536,aes192-sha-modp1024,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha-modp4096,aes128-sha-modp3072,aes128-sha-modp2048,aes128-sha-modp1536,aes128-sha-modp1024
    esp=aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp4096,aes256-sha1-modp3072,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha1-modp4096,aes192-sha1-modp3072,aes192-sha1-modp2048,aes192-sha1-modp1536,aes192-sha1-modp1024,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha1-modp4096,aes128-sha1-modp3072,aes128-sha1-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024
    keyexchange=ikev2
    ikelifetime=3h
    keylife=1h
    compress=yes
    dpdaction=clear
    dpddelay=30
    dpdtimeout=120
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    auto=add
    rightsourceip=
    fragmentation=yes


# From /etc/ipsec.user-post.conf
conn bob
    leftsubnet=0.0.0.0/0
    leftallowany=yes
    rightsubnet=192.168.110.0/24
    rightsourceip=192.168.110.0/24
    rekey=no


"rightsourceip" is set to "192.168.110.0/24" to get any IP from that range.
Our internal network is "192.168.120.0/24" while the IPsec-network is 
"192.168.110.0/24".
Clients connect from different outside IP addresses.

There is most certainly something wrong with the configuration, I guess.



Lars
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
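The six "unable to install policy" lines are where the second client actually fails: bob's CHILD_SA would use exactly the selectors alice already holds under reqid 7 (0.0.0.0/0 === 192.168.110.0/24, since both conns set rightsubnet to the whole pool), so the kernel refuses the duplicate policy and the IKE_AUTH response goes out with N(TS_UNACCEPT), after which the client deletes the IKE_SA. Below is an added Python checker, not from the thread or from strongSwan, that re-joins wrapped charon records and reports that conflict; SAMPLE_LOG is a constructed copy of a few of the lines above.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the charon lines quoted in the thread.
SAMPLE_LOG = """\
Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established with SPIs ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) N(MOBIKE_SUP) N(TS_UNACCEPT) ]
"""

RECORD_START = re.compile(r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
ESTABLISHED = re.compile(r"CHILD_SA (?P<conn>[^{]+)\{(?P<sa>\d+)\} established "
                         r"with SPIs \S+ \S+ and TS (?P<ts>\S+ === \S+)")
CONFLICT = re.compile(r"unable to install policy (?P<ts>\S+ === \S+) "
                      r"(?P<dir>out|in|fwd) \(mark [^)]*\) for reqid (?P<new>\d+), "
                      r"the same policy for reqid (?P<old>\d+) exists")

def unwrap(text):
    """Re-join records that syslog or a mail client wrapped onto extra lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def analyze(text):
    """Established CHILD_SA selectors, per-reqid policy conflicts, TS_UNACCEPT."""
    established = {}   # "alice{12}" -> "0.0.0.0/0 === 192.168.110.0/24"
    conflicts = defaultdict(lambda: {"old": None, "dirs": set(), "ts": set()})
    ts_unaccept = False
    for rec in unwrap(text):
        m = ESTABLISHED.search(rec)
        if m:
            established[f"{m['conn']}{{{m['sa']}}}"] = m["ts"]
            continue
        m = CONFLICT.search(rec)
        if m:
            c = conflicts[int(m["new"])]
            c["old"] = int(m["old"])
            c["dirs"].add(m["dir"])
            c["ts"].add(m["ts"])
        elif "IKE_AUTH response" in rec and "N(TS_UNACCEPT)" in rec:
            ts_unaccept = True
    return {"established": established, "conflicts": dict(conflicts), "ts_unaccept": ts_unaccept}

def diagnose(text):
    """Findings as strings; an empty list means no selector conflict was seen."""
    r = analyze(text)
    out = []
    for new, c in sorted(r["conflicts"].items()):
        out.append(f"reqid {new}: {'/'.join(sorted(c['dirs']))} policies not installed, "
                   f"selectors {sorted(c['ts'])} already held by reqid {c['old']}; give "
                   f"each conn its own rightsubnet (the client's virtual IP), not the whole pool")
    if r["ts_unaccept"]:
        out.append("IKE_AUTH response carried N(TS_UNACCEPT); the client then deletes the IKE_SA")
    return out
```

Feed it the raw paste (wrapped lines included) with `diagnose(open("charon.log").read())`; a clean log yields an empty list.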
