-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello Larsen,
Stop using rightsubnet for roadwarrior connections. That's what is wrong.
If you don't know what you're doing, then adhere to the examples in the
wiki.
Kind regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 21.07.2015 at 10:55, Larsen wrote:
Hello,
as newbies to IPsec we are using IPfire, so most of the configuration is
generated automatically. Clients can log in at first, but the problem is that
after one client has been connected for some time (~30 to 70 minutes), no
further client can connect (error "Invalid payload received"). The initial
client is still connected.
Clients: Windows 7 SP1
Server: strongSwan U5.3.2/K3.14.43-ipfire-pae
# First client connects
Jul 20 21:36:12 ipfire charon: 11[NET] received packet: from 31.19.180.145[500] to y.y.y.y[500] (528 bytes)
Jul 20 21:36:12 ipfire charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 20 21:36:12 ipfire charon: 11[IKE] 31.19.180.145 is initiating an IKE_SA
Jul 20 21:36:12 ipfire charon: 11[IKE] 31.19.180.145 is initiating an IKE_SA
Jul 20 21:36:12 ipfire charon: 11[IKE] remote host is behind NAT
Jul 20 21:36:12 ipfire charon: 11[IKE] sending cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, [email protected]"
Jul 20 21:36:12 ipfire charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 20 21:36:12 ipfire charon: 11[NET] sending packet: from y.y.y.y[500] to 31.19.180.145[500] (337 bytes)
Jul 20 21:36:12 ipfire charon: 13[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (2480 bytes)
Jul 20 21:36:12 ipfire charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Jul 20 21:36:12 ipfire charon: 13[IKE] received cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, [email protected]"
Jul 20 21:36:12 ipfire charon: 13[IKE] received 47 cert requests for an unknown ca
Jul 20 21:36:12 ipfire charon: 13[IKE] received end entity cert "C=DE, ST=mytown, O=mycompany, CN=alice"
Jul 20 21:36:12 ipfire charon: 13[CFG] looking for peer configs matching y.y.y.y[%any]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
Jul 20 21:36:12 ipfire charon: 13[CFG] selected peer config 'alice'
Jul 20 21:36:12 ipfire charon: 13[CFG] using trusted ca certificate "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, [email protected]"
Jul 20 21:36:12 ipfire charon: 13[CFG] checking certificate status of "C=DE, ST=mytown, O=mycompany, CN=alice"
Jul 20 21:36:12 ipfire charon: 13[CFG] certificate status is not available
Jul 20 21:36:12 ipfire charon: 13[CFG] reached self-signed root ca with a path length of 0
Jul 20 21:36:12 ipfire charon: 13[CFG] using trusted certificate "C=DE, ST=mytown, O=mycompany, CN=alice"
Jul 20 21:36:12 ipfire charon: 13[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=alice' with RSA signature successful
Jul 20 21:36:13 ipfire charon: 13[IKE] peer supports MOBIKE
Jul 20 21:36:13 ipfire charon: 13[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=y.y.y.y' (myself) with RSA signature successful
Jul 20 21:36:13 ipfire charon: 13[IKE] IKE_SA alice[10] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
Jul 20 21:36:13 ipfire charon: 13[IKE] IKE_SA alice[10] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
Jul 20 21:36:13 ipfire charon: 13[IKE] sending end entity cert "C=DE, ST=mytown, O=mycompany, CN=y.y.y.y"
Jul 20 21:36:13 ipfire charon: 13[IKE] peer requested virtual IP %any
Jul 20 21:36:13 ipfire charon: 13[CFG] reassigning offline lease to 'C=DE, ST=mytown, O=mycompany, CN=alice'
Jul 20 21:36:13 ipfire charon: 13[IKE] assigning virtual IP 192.168.110.3 to peer 'C=DE, ST=mytown, O=mycompany, CN=alice'
Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established with SPIs ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established with SPIs ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:36:13 ipfire vpn: client+ C=DE, ST=mytown, O=mycompany, CN=alice 192.168.110.0/24 == 31.19.180.145 -- y.y.y.y == 0.0.0.0/0
Jul 20 21:36:13 ipfire vpn: tunnel+ 31.19.180.145 -- y.y.y.y
Jul 20 21:36:13 ipfire vpn: snat+ red0-y.y.y.y : 192.168.110.0/24 - 192.168.120.1
Jul 20 21:36:13 ipfire charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 20 21:36:13 ipfire charon: 13[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (1536 bytes)
# Further packets from first client
Jul 20 21:54:31 ipfire charon: 11[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
Jul 20 21:54:32 ipfire charon: 11[ENC] parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No TSi TSr ]
Jul 20 21:54:32 ipfire charon: 11[IKE] CHILD_SA alice{13} established with SPIs c99d4e2d_i 180e5730_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:54:32 ipfire charon: 11[IKE] CHILD_SA alice{13} established with SPIs c99d4e2d_i 180e5730_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:54:32 ipfire charon: 11[ENC] generating CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
Jul 20 21:54:32 ipfire charon: 11[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (208 bytes)
Jul 20 21:54:32 ipfire charon: 16[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
Jul 20 21:54:32 ipfire charon: 16[ENC] parsed INFORMATIONAL request 3 [ D ]
Jul 20 21:54:32 ipfire charon: 16[IKE] received DELETE for ESP CHILD_SA with SPI 86a1c9df
Jul 20 21:54:32 ipfire charon: 16[IKE] closing CHILD_SA alice{12} with SPIs ca89176e_i (5025099 bytes) 86a1c9df_o (188085730 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:54:32 ipfire charon: 16[IKE] closing CHILD_SA alice{12} with SPIs ca89176e_i (5025099 bytes) 86a1c9df_o (188085730 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 21:54:32 ipfire charon: 16[IKE] sending DELETE for ESP CHILD_SA with SPI ca89176e
Jul 20 21:54:32 ipfire charon: 16[IKE] CHILD_SA closed
Jul 20 21:54:32 ipfire charon: 16[ENC] generating INFORMATIONAL response 3 [ D ]
Jul 20 21:54:32 ipfire charon: 16[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (80 bytes)
Jul 20 22:01:13 ipfire charon: 04[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
Jul 20 22:01:13 ipfire charon: 04[ENC] parsed CREATE_CHILD_SA request 4 [ N(REKEY_SA) SA No TSi TSr ]
Jul 20 22:01:13 ipfire charon: 04[IKE] CHILD_SA alice{14} established with SPIs c55279ed_i 92dd8be2_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:01:13 ipfire charon: 04[IKE] CHILD_SA alice{14} established with SPIs c55279ed_i 92dd8be2_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:01:13 ipfire charon: 04[ENC] generating CREATE_CHILD_SA response 4 [ SA No TSi TSr ]
Jul 20 22:01:13 ipfire charon: 04[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (208 bytes)
Jul 20 22:01:13 ipfire charon: 11[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
Jul 20 22:01:13 ipfire charon: 11[ENC] parsed INFORMATIONAL request 5 [ D ]
Jul 20 22:01:13 ipfire charon: 11[IKE] received DELETE for ESP CHILD_SA with SPI 180e5730
Jul 20 22:01:13 ipfire charon: 11[IKE] closing CHILD_SA alice{13} with SPIs c99d4e2d_i (3061812 bytes) 180e5730_o (125342786 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:01:13 ipfire charon: 11[IKE] closing CHILD_SA alice{13} with SPIs c99d4e2d_i (3061812 bytes) 180e5730_o (125342786 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:01:13 ipfire charon: 11[IKE] sending DELETE for ESP CHILD_SA with SPI c99d4e2d
Jul 20 22:01:13 ipfire charon: 11[IKE] CHILD_SA closed
Jul 20 22:01:13 ipfire charon: 11[ENC] generating INFORMATIONAL response 5 [ D ]
Jul 20 22:01:14 ipfire charon: 11[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (80 bytes)
Jul 20 22:05:43 ipfire charon: 13[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (272 bytes)
Jul 20 22:05:43 ipfire charon: 13[ENC] parsed CREATE_CHILD_SA request 6 [ N(REKEY_SA) SA No TSi TSr ]
Jul 20 22:05:43 ipfire charon: 13[IKE] CHILD_SA alice{15} established with SPIs cda81ea9_i 3227ad0c_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:05:43 ipfire charon: 13[IKE] CHILD_SA alice{15} established with SPIs cda81ea9_i 3227ad0c_o and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:05:43 ipfire charon: 13[ENC] generating CREATE_CHILD_SA response 6 [ SA No TSi TSr ]
Jul 20 22:05:43 ipfire charon: 13[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (208 bytes)
Jul 20 22:05:43 ipfire charon: 12[NET] received packet: from 31.19.180.145[4500] to y.y.y.y[4500] (80 bytes)
Jul 20 22:05:43 ipfire charon: 12[ENC] parsed INFORMATIONAL request 7 [ D ]
Jul 20 22:05:43 ipfire charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI 92dd8be2
Jul 20 22:05:43 ipfire charon: 12[IKE] closing CHILD_SA alice{14} with SPIs c55279ed_i (2855665 bytes) 92dd8be2_o (125427168 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:05:43 ipfire charon: 12[IKE] closing CHILD_SA alice{14} with SPIs c55279ed_i (2855665 bytes) 92dd8be2_o (125427168 bytes) and TS 0.0.0.0/0 === 192.168.110.0/24
Jul 20 22:05:43 ipfire charon: 12[IKE] sending DELETE for ESP CHILD_SA with SPI c55279ed
Jul 20 22:05:43 ipfire charon: 12[IKE] CHILD_SA closed
Jul 20 22:05:43 ipfire charon: 12[ENC] generating INFORMATIONAL response 7 [ D ]
Jul 20 22:05:43 ipfire charon: 12[NET] sending packet: from y.y.y.y[4500] to 31.19.180.145[4500] (80 bytes)
# Second client tries to connect and fails
Jul 20 22:08:50 ipfire charon: 11[NET] received packet: from 2.241.32.16[500] to y.y.y.y[500] (528 bytes)
Jul 20 22:08:50 ipfire charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 20 22:08:50 ipfire charon: 11[IKE] 2.241.32.16 is initiating an IKE_SA
Jul 20 22:08:50 ipfire charon: 11[IKE] 2.241.32.16 is initiating an IKE_SA
Jul 20 22:08:50 ipfire charon: 11[IKE] remote host is behind NAT
Jul 20 22:08:51 ipfire charon: 11[IKE] sending cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, [email protected]"
Jul 20 22:08:51 ipfire charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul 20 22:08:51 ipfire charon: 11[NET] sending packet: from y.y.y.y[500] to 2.241.32.16[500] (337 bytes)
Jul 20 22:08:51 ipfire charon: 02[NET] received packet: from 2.241.32.16[4500] to y.y.y.y[4500] (2384 bytes)
Jul 20 22:08:51 ipfire charon: 02[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Jul 20 22:08:51 ipfire charon: 02[IKE] received cert request for "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, [email protected]"
Jul 20 22:08:51 ipfire charon: 02[IKE] received 42 cert requests for an unknown ca
Jul 20 22:08:51 ipfire charon: 02[IKE] received end entity cert "C=DE, ST=mytown, O=mycompany, CN=bob"
Jul 20 22:08:51 ipfire charon: 02[CFG] looking for peer configs matching y.y.y.y[%any]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
Jul 20 22:08:51 ipfire charon: 02[CFG] selected peer config 'bob'
Jul 20 22:08:51 ipfire charon: 02[CFG] using trusted ca certificate "C=DE, ST=mytown, L=mytown, O=mycompany, CN=mycompany CA, [email protected]"
Jul 20 22:08:51 ipfire charon: 02[CFG] checking certificate status of "C=DE, ST=mytown, O=mycompany, CN=bob"
Jul 20 22:08:51 ipfire charon: 02[CFG] certificate status is not available
Jul 20 22:08:51 ipfire charon: 02[CFG] reached self-signed root ca with a path length of 0
Jul 20 22:08:51 ipfire charon: 02[CFG] using trusted certificate "C=DE, ST=mytown, O=mycompany, CN=bob"
Jul 20 22:08:51 ipfire charon: 02[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=bob' with RSA signature successful
Jul 20 22:08:51 ipfire charon: 02[IKE] peer supports MOBIKE
Jul 20 22:08:51 ipfire charon: 02[IKE] authentication of 'C=DE, ST=mytown, O=mycompany, CN=y.y.y.y' (myself) with RSA signature successful
Jul 20 22:08:51 ipfire charon: 02[IKE] IKE_SA bob[12] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
Jul 20 22:08:51 ipfire charon: 02[IKE] IKE_SA bob[12] established between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
Jul 20 22:08:51 ipfire charon: 02[IKE] sending end entity cert "C=DE, ST=mytown, O=mycompany, CN=y.y.y.y"
Jul 20 22:08:51 ipfire charon: 02[IKE] peer requested virtual IP %any
Jul 20 22:08:52 ipfire charon: 02[CFG] reassigning offline lease to 'C=DE, ST=mytown, O=mycompany, CN=bob'
Jul 20 22:08:52 ipfire charon: 02[IKE] assigning virtual IP 192.168.110.1 to peer 'C=DE, ST=mytown, O=mycompany, CN=bob'
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 in (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 192.168.110.0/24 === 0.0.0.0/0 fwd (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists
Jul 20 22:08:52 ipfire charon: 02[IKE] unable to install IPsec policies (SPD) in kernel
Jul 20 22:08:52 ipfire charon: 02[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 0.0.0.0/0 === 192.168.110.0/24 out failed, not found
Jul 20 22:08:52 ipfire charon: 04[MGR] ignoring request with ID 1, already processing
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 in failed, not found
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 fwd failed, not found
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 0.0.0.0/0 === 192.168.110.0/24 out failed, not found
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 in failed, not found
Jul 20 22:08:52 ipfire charon: 02[KNL] deleting policy 192.168.110.0/24 === 0.0.0.0/0 fwd failed, not found
Jul 20 22:08:52 ipfire charon: 02[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
Jul 20 22:08:52 ipfire charon: 02[NET] sending packet: from y.y.y.y[4500] to 2.241.32.16[4500] (1440 bytes)
Jul 20 22:08:52 ipfire charon: 12[NET] received packet: from 2.241.32.16[4500] to y.y.y.y[4500] (80 bytes)
Jul 20 22:08:52 ipfire charon: 12[ENC] parsed INFORMATIONAL request 2 [ D ]
Jul 20 22:08:52 ipfire charon: 12[IKE] received DELETE for IKE_SA bob[12]
Jul 20 22:08:52 ipfire charon: 12[IKE] deleting IKE_SA bob[12] between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
Jul 20 22:08:52 ipfire charon: 12[IKE] deleting IKE_SA bob[12] between y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...2.241.32.16[C=DE, ST=mytown, O=mycompany, CN=bob]
Jul 20 22:08:52 ipfire charon: 12[IKE] IKE_SA deleted
Jul 20 22:08:53 ipfire charon: 12[IKE] IKE_SA deleted
Jul 20 22:08:53 ipfire charon: 12[ENC] generating INFORMATIONAL response 2 [ ]
Jul 20 22:08:53 ipfire charon: 12[NET] sending packet: from y.y.y.y[4500] to 2.241.32.16[4500] (80 bytes)
Jul 20 22:08:53 ipfire charon: 12[CFG] lease 192.168.110.1 by 'C=DE, ST=mytown, O=mycompany, CN=bob' went offline
ipfire:~# ipsec status
Security Associations (1 up, 0 connecting):
alice[10]: ESTABLISHED 33 minutes ago, y.y.y.y[C=DE, ST=mytown, O=mycompany, CN=y.y.y.y]...31.19.180.145[C=DE, ST=mytown, O=mycompany, CN=alice]
alice{17}: INSTALLED, TUNNEL, reqid 7, ESP in UDP SPIs: c91792eb_i 85952394_o
alice{17}: 0.0.0.0/0 === 192.168.110.0/24
# From /etc/ipsec.conf
# (also includes "ipsec.user-post.conf" at the end; conn for alice looks the same)
version 2
conn %default
    keyingtries=%forever
conn bob
    left=vpn.example.com
    leftsubnet=192.168.120.0/24
    leftfirewall=yes
    lefthostaccess=yes
    right=%any
    rightsubnet=vhost:%no,%priv
    leftcert=/var/ipfire/certs/hostcert.pem
    rightcert=/var/ipfire/certs/bobcert.pem
    ike=aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha-modp4096,aes256-sha-modp3072,aes256-sha-modp2048,aes256-sha-modp1536,aes256-sha-modp1024,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha-modp4096,aes192-sha-modp3072,aes192-sha-modp2048,aes192-sha-modp1536,aes192-sha-modp1024,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha-modp4096,aes128-sha-modp3072,aes128-sha-modp2048,aes128-sha-modp1536,aes128-sha-modp1024
    esp=aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_512-modp1536,aes256-sha2_512-modp1024,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp4096,aes256-sha1-modp3072,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_512-modp1536,aes192-sha2_512-modp1024,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes192-sha2_256-modp1536,aes192-sha2_256-modp1024,aes192-sha1-modp4096,aes192-sha1-modp3072,aes192-sha1-modp2048,aes192-sha1-modp1536,aes192-sha1-modp1024,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_512-modp1536,aes128-sha2_512-modp1024,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048,aes128-sha2_256-modp1536,aes128-sha2_256-modp1024,aes128-sha1-modp4096,aes128-sha1-modp3072,aes128-sha1-modp2048,aes128-sha1-modp1536,aes128-sha1-modp1024
    keyexchange=ikev2
    ikelifetime=3h
    keylife=1h
    compress=yes
    dpdaction=clear
    dpddelay=30
    dpdtimeout=120
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    auto=add
    rightsourceip=
    fragmentation=yes
# From /etc/ipsec.user-post.conf
conn bob
    leftsubnet=0.0.0.0/0
    leftallowany=yes
    rightsubnet=192.168.110.0/24
    rightsourceip=192.168.110.0/24
    rekey=no
"rightsourceip" is set to "192.168.110.0/24" to get any IP from that
range.
Our internal network is "192.168.120.0/24" while the IPsec-network is
"192.168.110.0/24".
Clients connect from different outside IP addresses.
There is most certainly something wrong with the configuration, I guess.
Lars
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJVrg0/AAoJEDg5KY9j7GZY7oQP/0k+aSPtBZ8hKEjTPdqTCSGO
l4Y5LcUB7leQl/1nYDGvYHN4fbHdbkaFyOyj76il7seFScE147GB4rcIHgV30M8+
z4vgzZ1DmpClNEo8wivBXoVVumBqRpS0H6DWiYeYx1iQknq1gXt6habhKkztoh18
3+uZjhY0YVvY/zVI8KJqgSnfwysnsE7rarBrVPAsfmvIFX5bKKncyCCeTg1YbfN5
/iBKdFlkG67Cf18RYL2KlkjoN0Tf07qRiks++hg8UsF3zKMs4d6t2tCbM0NDAshu
Fp6oKQNBHc1q4JUfEKe9+9Th47sRczqFm/ucEO0iysMmuB2ghN8WiUmNeb+R4I/F
Mb5waXbGOL3pesoiCUq2iGSKHMR78Z7nocT/i3nCzHL+pZvL3JZuHQ0J53sWvB7b
92CrWh2ZyjlFNqwWMdox2an8onvtY7YtkQrXUEFA4uNlcm1XSXgf46m23auDGFOm
gBNn50F3wC7g6E2Btq8dmJHos/abhV+PJ6U2q24ZUnRb+kC0dOLMw7iNjHFXoZhP
VsogWi8vyWGWhyFbWhDcX5sO96U03eKngIg/bt7X0bcQ1yuq7ipfm2TQgNL+rAmG
h6+InWePlTpn8Hu9T5dL4jrxZAVa/hc3JMo8Kpgu2pm3NVmNIqGzJVD9hztUkNWB
CDz3w5OVtYfl89pJ+7RU
=nRBd
-----END PGP SIGNATURE-----
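What Noel's advice comes down to in ipsec.conf terms, as an added example that is not part of the thread: the override from Larsen's ipsec.user-post.conf beside a corrected version that simply leaves rightsubnet out. Option values are the ones quoted in the mail; the base conn that IPfire generates (with its rightsubnet=vhost:%no,%priv) is left untouched, and the same change applies to the alice conn. The selector values in the second comment are what charon's narrowing to the leased address produces for the two leases seen in the log; they are illustrative, not taken from a log.

```conf
# /etc/ipsec.user-post.conf as posted. Every roadwarrior negotiates the same
# remote selector (0.0.0.0/0 === 192.168.110.0/24), so the second client's
# SPD entries are identical to the first client's and the kernel refuses
# them ("the same policy for reqid 7 exists").
conn bob
    leftsubnet=0.0.0.0/0
    leftallowany=yes
    rightsubnet=192.168.110.0/24
    rightsourceip=192.168.110.0/24
    rekey=no

# Corrected override: no rightsubnet. With rightsourceip alone, charon narrows
# each client's remote selector to the address it leased, i.e. alice gets
# 0.0.0.0/0 === 192.168.110.3/32 and bob 0.0.0.0/0 === 192.168.110.1/32, so
# the two clients' policies differ and both can be installed side by side.
conn bob
    leftsubnet=0.0.0.0/0
    leftallowany=yes
    rightsourceip=192.168.110.0/24
    rekey=no
```

After `ipsec reload` (or a restart), `ipsec status` should list one CHILD_SA per connected client, each with a distinct /32 on the right-hand side of the selector, instead of the shared 192.168.110.0/24 shown in Larsen's output.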
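A small log checker, added here and not from the thread or from strongSwan, that reads charon log lines and flags the two signs of this misconfiguration: a roadwarrior whose negotiated remote traffic selector is not its leased virtual IP as a /32, and the kernel refusing a policy because an identical one already exists for another reqid. Regexes and function names are mine and assume the log format of the lines quoted above; the first sample is excerpted from that log, the second is constructed to show what the same logins look like once rightsubnet is dropped.

```python
"""Flag the roadwarrior rightsubnet misconfiguration from charon log lines.

Checks (assumed reading of the strongSwan log format, based on the lines
quoted in the thread):
  1. a connection that was leased a virtual IP but whose negotiated remote
     traffic selector is not that IP as a /32 (charon narrows the selector
     to the lease only when rightsubnet is left unset);
  2. the kernel refusing a policy because an identical one exists for
     another reqid, which is what the second roadwarrior runs into.
"""
import ipaddress
import re
from collections import defaultdict

THREAD_RE = re.compile(r"charon: (?P<thread>\d+)\[")
PEERCFG_RE = re.compile(r"selected peer config '(?P<conn>[^']+)'")
VIP_RE = re.compile(r"assigning virtual IP (?P<vip>\S+) to peer '")
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<conn>[^{\s]+)\{\d+\} established with SPIs "
    r"[0-9a-f]+_i [0-9a-f]+_o and TS (?P<local>\S+) === (?P<remote>\S+)"
)
CLASH_RE = re.compile(
    r"unable to install policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>out|in|fwd) "
    r".*for reqid (?P<new>\d+), the same policy for reqid (?P<old>\d+) exists"
)


def parse(lines):
    """Return (ts_by_conn, vip_by_conn, clashes).

    ts_by_conn:  conn name -> set of (local TS, remote TS) seen in
                 "CHILD_SA ... established" lines (a set, because the quoted
                 setup logs each of them twice).
    vip_by_conn: conn name -> virtual IP leased to it. The lease line only
                 carries the peer DN, so the conn name is taken from the
                 "selected peer config" line logged by the same worker thread.
    clashes:     (new reqid, old reqid, src, dst, direction) per refused policy.
    """
    ts_by_conn = defaultdict(set)
    vip_by_conn = {}
    clashes = []
    conn_by_thread = {}
    for line in lines:
        t = THREAD_RE.search(line)
        thread = t["thread"] if t else None
        if m := PEERCFG_RE.search(line):
            conn_by_thread[thread] = m["conn"]
        elif m := VIP_RE.search(line):
            conn = conn_by_thread.get(thread)
            if conn is not None:
                vip_by_conn[conn] = m["vip"]
        elif m := CHILD_SA_RE.search(line):
            ts_by_conn[m["conn"]].add((m["local"], m["remote"]))
        elif m := CLASH_RE.search(line):
            clashes.append((int(m["new"]), int(m["old"]), m["src"], m["dst"], m["dir"]))
    return ts_by_conn, vip_by_conn, clashes


def selectors_not_narrowed(ts_by_conn, vip_by_conn):
    """(conn, remote TS seen, remote TS expected) for every connection whose
    remote selector is not its leased virtual IP as a /32."""
    findings = []
    for conn, vip in vip_by_conn.items():
        expected = ipaddress.ip_network(f"{vip}/32")
        for _local, remote in sorted(ts_by_conn.get(conn, ())):
            if ipaddress.ip_network(remote) != expected:
                findings.append((conn, remote, str(expected)))
    return findings


def report(lines):
    """Run both checks and return one human-readable line per finding."""
    ts_by_conn, vip_by_conn, clashes = parse(lines)
    out = []
    for conn, seen, expected in selectors_not_narrowed(ts_by_conn, vip_by_conn):
        out.append(f"{conn}: remote TS {seen} is not the leased address {expected}; "
                   f"is rightsubnet set on a roadwarrior conn?")
    for new, old, src, dst, direction in clashes:
        out.append(f"kernel refused {direction} policy {src} === {dst} for reqid {new}: "
                   f"identical policy already owned by reqid {old}")
    return out


# Excerpted from the log quoted in the thread (y.y.y.y is the gateway as anonymised there).
BROKEN_LOG = [
    "Jul 20 21:36:12 ipfire charon: 13[CFG] selected peer config 'alice'",
    "Jul 20 21:36:13 ipfire charon: 13[IKE] assigning virtual IP 192.168.110.3 to peer 'C=DE, ST=mytown, O=mycompany, CN=alice'",
    "Jul 20 21:36:13 ipfire charon: 13[IKE] CHILD_SA alice{12} established with SPIs ca89176e_i 86a1c9df_o and TS 0.0.0.0/0 === 192.168.110.0/24",
    "Jul 20 22:08:51 ipfire charon: 02[CFG] selected peer config 'bob'",
    "Jul 20 22:08:52 ipfire charon: 02[IKE] assigning virtual IP 192.168.110.1 to peer 'C=DE, ST=mytown, O=mycompany, CN=bob'",
    "Jul 20 22:08:52 ipfire charon: 02[CFG] unable to install policy 0.0.0.0/0 === 192.168.110.0/24 out (mark 0/0x00000000) for reqid 8, the same policy for reqid 7 exists",
    "Jul 20 22:08:52 ipfire charon: 02[IKE] failed to establish CHILD_SA, keeping IKE_SA",
]

# Constructed: the same two logins once rightsubnet is dropped and charon narrows
# each remote selector to the leased address (SPIs and timestamps are made up).
FIXED_LOG = [
    "Jul 21 09:00:00 ipfire charon: 05[CFG] selected peer config 'alice'",
    "Jul 21 09:00:01 ipfire charon: 05[IKE] assigning virtual IP 192.168.110.3 to peer 'C=DE, ST=mytown, O=mycompany, CN=alice'",
    "Jul 21 09:00:01 ipfire charon: 05[IKE] CHILD_SA alice{1} established with SPIs c0a80001_i c0a80002_o and TS 0.0.0.0/0 === 192.168.110.3/32",
    "Jul 21 09:05:00 ipfire charon: 07[CFG] selected peer config 'bob'",
    "Jul 21 09:05:01 ipfire charon: 07[IKE] assigning virtual IP 192.168.110.1 to peer 'C=DE, ST=mytown, O=mycompany, CN=bob'",
    "Jul 21 09:05:01 ipfire charon: 07[IKE] CHILD_SA bob{2} established with SPIs c0a80003_i c0a80004_o and TS 0.0.0.0/0 === 192.168.110.1/32",
]

if __name__ == "__main__":
    for name, log in (("as posted", BROKEN_LOG), ("rightsubnet removed", FIXED_LOG)):
        findings = report(log)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  " + f)
```

Note that the first check fires on alice's very first login, before any second client turns up: with a correct roadwarrior conn the remote selector is already the /32 lease, so the wide selector alone is enough to spot the problem in a log that contains only one client. Feed it the real file with `report(open("/var/log/messages").read().splitlines())`.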