Hi,

Use the site-to-site config for IKEv1 and two subnets from the UsableExamples page on the wiki.

Kind regards
Noel

On 04.01.2018 17:53, Loic Chabert wrote:
> Hello Strongswan list,
>
> I am having trouble with an IPsec site-to-site VPN between a Cisco ASA and
> strongSwan version 5.5.3, Linux 3.10.0-327.10.1.el7.x86_64.
>
> With strongSwan, I want to send two subnets: 172.16.5.0/24 and 192.168.1.0/24.
> When I start strongSwan there is no error, all pings pass through the IPsec
> tunnel and there is no problem.
> After 7h (probably after a re-auth), two tunnels are inserted for the same
> subnet. The other subnet continues to work as expected. Only one "crashes".
> One ping out of two is dropped.
>
> Please find below the output of "statusall":
>
> # strongswan statusall
> Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-327.10.1.el7.x86_64, x86_64):
>   uptime: 26 hours, since Jan 03 14:53:30 2018
>   malloc: sbrk 1622016, mmap 0, used 529568, free 1092448
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
>   loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
> Listening IP addresses:
>   185.119.XXX.XXX
>   172.16.0.0
>   2a06:8bc0:XXX
>   10.8.0.1
> Connections:
>       conn-1:  185.119.XXX.YYY...46.31.ZZ.ZZ  IKEv1
>       conn-1:   local:  [185.119.XXX.YYY] uses pre-shared key authentication
>       conn-1:   remote: [46.31.ZZ.ZZ] uses pre-shared key authentication
>       conn-1:   child:  192.168.1.0/24 === 10.2.1.192/29 TUNNEL
>       conn-2:   child:  172.16.5.0/24 === 10.2.1.192/29 TUNNEL
> Security Associations (1 up, 0 connecting):
>       conn-1[7]: ESTABLISHED 2 hours ago, 185.119.XXX.YYY[185.119.XXX.YYY]...46.31.ZZ.ZZ[46.31.ZZ.ZZ]
>       conn-1[7]: IKEv1 SPIs: f8490bafd768b806_i* 86c5c1b6cb09c905_r, pre-shared key reauthentication in 5 hours
>       conn-1[7]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>       conn-2{817}:  INSTALLED, TUNNEL, reqid 71, ESP SPIs: c70f39e7_i 474d86cc_o
>       conn-2{817}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 65021 bytes_i (1413 pkts, 27s ago), 1535741 bytes_o (3046 pkts, 27s ago), rekeying in 6 hours
>       conn-2{817}:   172.16.5.0/24 === 10.2.1.192/29
>       conn-1{867}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: cf6a0fee_i 4d77c585_o
>       conn-1{867}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 6 hours
>       conn-1{867}:   192.168.1.0/24 === 10.2.1.192/29
>       conn-1{869}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: c3e3a651_i 7d5fc4f2_o
>       conn-1{869}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 4441746 bytes_i (3181 pkts, 419s ago), 54984 bytes_o (1373 pkts, 419s ago), rekeying in 6 hours
>       conn-1{869}:   192.168.1.0/24 === 10.2.1.192/29
>
> Here is my configuration:
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>     # strictcrlpolicy=yes
>     charondebug="cfg 2, chd 1, dmn 1, ike 1, knl 1, net 1"
>     # uniqueids = no
>
> # Add connections here.
>
> # Sample VPN connections
> conn conn-1
>     auto=start
>     rightsubnet=192.168.1.0/24
>     authby=secret
>     compress=no
>     closeaction=restart
>     mobike=no
>     keyexchange=ikev1
>     keyingtries=1
>     rekeymargin=3m
>     ike=aes256-sha-modp1536
>     esp=aes256-sha-modp1024
>     ikelifetime=28800s
>     lifetime=28800s
>     left=46.31.ZZ.ZZ
>     right=185.119.XXX.YYY
>     leftsubnet=10.2.1.192/29
>     leftid=46.31.ZZ.ZZ
>     rightid=185.119.XXX.YYY
>
> conn conn-2
>     auto=start
>     rightsubnet=172.16.5.0/24
>     authby=secret
>     compress=no
>     closeaction=restart
>     mobike=no
>     rekeymargin=3m
>     keyexchange=ikev1
>     ike=aes256-sha-modp1536
>     esp=aes256-sha-modp1024
>     ikelifetime=28800s
>     keyingtries=1
>     lifetime=28800s
>     left=46.31.ZZ.ZZ
>     right=185.119.XXX.YYY
>     leftsubnet=10.2.1.192/29
>     leftid=46.31.ZZ.ZZ
>
> If I set rightsubnet with the two subnets separated by a comma, only one subnet out of two is UP.
> I have disabled the cisco_unity plugin (same behaviour if this plugin is enabled).
>
> Do you have any hint for setting up an IPsec site-to-site with two subnets that keeps working
> even after a rekey or reauth?
> Are there any logging lines that could help me?
>
> Thanks in advance,
> Regards.
> --
>
> Loïc CHABERT - Technical Manager
> Voxity - Free your Telecoms
>
> 85 Rue des Alliés 38100 Grenoble
> Tel : 0975181257 - Fax : 04.816.801.14
> Email : [email protected]
>
> Stay connected: Website <http://www.voxity.fr> - Twitter <http://twitter.com/voxity> - Facebook <http://www.facebook.com/voxity> - LinkedIn <https://www.linkedin.com/profile/view?id=25351096>
> New! Discover Voxity on video: Youtube <https://www.youtube.com/watch?v=nUVL5fTNmVU>
signature.asc
Description: OpenPGP digital signature
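The symptom in the quoted thread is visible in the statusall output itself: two INSTALLED CHILD_SAs ({867} and {869}) under conn-1 share the same reqid and the same traffic selectors, and one of them has carried no traffic. The following Python script is an added example and is not code from the thread or from the strongSwan project. It parses the "strongswan statusall" lines quoted above (copied into the script as sample input) and reports selector pairs that are covered by more than one installed SA, so a monitoring job can catch the duplicate after a rekey or reauth instead of waiting for every second ping to be dropped. The regular expressions are my own assumptions about the line format of this strongSwan 5.5.3 output; other versions may format the lines differently.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the "strongswan statusall" output quoted
# in the thread (the conn-1{867}/{869} pair is the duplicate being reported).
SAMPLE_STATUSALL = """\
Security Associations (1 up, 0 connecting):
      conn-1[7]: ESTABLISHED 2 hours ago, 185.119.XXX.YYY[185.119.XXX.YYY]...46.31.ZZ.ZZ[46.31.ZZ.ZZ]
      conn-1[7]: IKEv1 SPIs: f8490bafd768b806_i* 86c5c1b6cb09c905_r, pre-shared key reauthentication in 5 hours
      conn-2{817}:  INSTALLED, TUNNEL, reqid 71, ESP SPIs: c70f39e7_i 474d86cc_o
      conn-2{817}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 65021 bytes_i (1413 pkts, 27s ago), 1535741 bytes_o (3046 pkts, 27s ago), rekeying in 6 hours
      conn-2{817}:   172.16.5.0/24 === 10.2.1.192/29
      conn-1{867}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: cf6a0fee_i 4d77c585_o
      conn-1{867}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 6 hours
      conn-1{867}:   192.168.1.0/24 === 10.2.1.192/29
      conn-1{869}:  INSTALLED, TUNNEL, reqid 69, ESP SPIs: c3e3a651_i 7d5fc4f2_o
      conn-1{869}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 4441746 bytes_i (3181 pkts, 419s ago), 54984 bytes_o (1373 pkts, 419s ago), rekeying in 6 hours
      conn-1{869}:   192.168.1.0/24 === 10.2.1.192/29
"""

# Assumed line formats (matched against the output quoted in the thread).
INSTALLED_RE = re.compile(
    r"^\s*(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:\s+INSTALLED,\s+(?P<mode>\w+),\s+reqid\s+(?P<reqid>\d+),"
    r"\s+ESP SPIs:\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o")
BYTES_RE = re.compile(
    r"^\s*(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:\s+\S+,\s+(?P<bytes_in>\d+) bytes_i(?: \([^)]*\))?,"
    r"\s+(?P<bytes_out>\d+) bytes_o")
TRAFFIC_RE = re.compile(
    r"^\s*(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)\s*$")


def parse_child_sas(text):
    """Return {(conn, sa_id): info} for every INSTALLED CHILD_SA in statusall output."""
    sas = {}
    for line in text.splitlines():
        m = INSTALLED_RE.match(line)
        if m:
            key = (m["conn"], int(m["id"]))
            sas[key] = {"conn": m["conn"], "id": int(m["id"]), "mode": m["mode"],
                        "reqid": int(m["reqid"]), "spi_in": m["spi_in"],
                        "spi_out": m["spi_out"], "bytes_in": None,
                        "bytes_out": None, "selectors": None}
            continue
        m = BYTES_RE.match(line)
        if m and (m["conn"], int(m["id"])) in sas:
            sa = sas[(m["conn"], int(m["id"]))]
            sa["bytes_in"] = int(m["bytes_in"])
            sa["bytes_out"] = int(m["bytes_out"])
            continue
        m = TRAFFIC_RE.match(line)
        if m and (m["conn"], int(m["id"])) in sas:
            sas[(m["conn"], int(m["id"]))]["selectors"] = (m["local"], m["remote"])
    return sas


def find_duplicate_child_sas(sas):
    """Group installed SAs by (conn, local selector, remote selector).

    Returns only groups with more than one SA. A short overlap right after a
    rekey is normal; two SAs for the same selectors that both persist, one of
    them idle, is the condition reported in the thread.
    """
    groups = defaultdict(list)
    for sa in sas.values():
        if sa["selectors"] is None:
            continue
        groups[(sa["conn"],) + sa["selectors"]].append(sa)
    return {k: sorted(v, key=lambda s: s["id"])
            for k, v in groups.items() if len(v) > 1}


def idle_duplicates(dups):
    """SA ids among the duplicates that have never carried traffic (0 bytes each way)."""
    return sorted(s["id"] for group in dups.values() for s in group
                  if s["bytes_in"] == 0 and s["bytes_out"] == 0)


def report(text):
    """Human-readable findings, one line per duplicated selector pair."""
    dups = find_duplicate_child_sas(parse_child_sas(text))
    out = []
    for (conn, local, remote), group in dups.items():
        detail = ", ".join(f"{{{s['id']}}} reqid {s['reqid']} "
                           f"in={s['bytes_in']}B out={s['bytes_out']}B" for s in group)
        out.append(f"{conn}: {len(group)} CHILD_SAs for {local} === {remote}: {detail}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_STATUSALL):
        print(line)
```

Run against the quoted output the script reports the conn-1 pair for 192.168.1.0/24 === 10.2.1.192/29 and lists {867} as the idle one; conn-2{817} is reported as healthy because it is the only SA for its selectors. In a cron job the same report can be fed from `strongswan statusall` on the gateway.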
