Hi Noel,
Need some guidance on the below issues using strongSwan.
1) The second connection with the below configuration fails.
config setup
conn %default
    ikelifetime=8h
    keylife=8h
    rekeymargin=3m
    keyingtries=2
    keyexchange=ikev1
    authby=secret
    type=tunnel
    left=10.24.18.209
    leftsubnet=0.0.0.0/0
    ike=aes128-sha1-modp1024
    esp=null-md5-modp1024
conn net-net
    right=10.24.18.35
    rightsubnet=0.0.0.0/0
    mark_out=32
    auto=add
    installpolicy=yes
conn net1-net1
    right=10.24.18.36
    rightsubnet=0.0.0.0/0
    mark_out=33
    auto=add
    installpolicy=yes
#ipsec up net1-net1
unable to install policy 0.0.0.0/0 === 0.0.0.0/0 in for reqid 2, the same policy for reqid 1 exists
unable to install policy 0.0.0.0/0 === 0.0.0.0/0 fwd for reqid 2, the same policy for reqid 1 exists
unable to install IPsec policies (SPD) in kernel
establishing connection 'net1-net1' failed
2) I intend to use marking as a selector with a VTI interface. I see that the packet gets encrypted and leaves the machine; however, my intention is to have the return traffic marked with the same mark after decryption, so that I can route the marked packets to a specific interface, but I see that the inbound SA does not have the mark and the policy drops the return traffic.

dir out priority 399999
    mark 32/0xffffffff
    tmpl src 10.24.18.209 dst 10.24.18.35
        proto esp spi 0xce437d69 reqid 1 mode tunnel
dir in priority 399999
    mark 32/0xffffffff
    tmpl src 10.24.18.35 dst 10.24.18.209
        proto esp reqid 1 mode tunnel

SADB:
src 10.24.18.209 dst 10.24.18.35
    proto esp spi 0xce437d69 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    mark 32/0xffffffff
    auth-trunc hmac(md5) 0x73f7dac6b9ef4de0dd6965ce30e2e548 96
    enc ecb(cipher_null)
src 10.24.18.35 dst 10.24.18.209
    proto esp spi 0xca115267 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0xcc44e5211adb4b23d281e9b94853b31c 96
    enc ecb(cipher_null)
How can I get the return traffic to be marked so that there is no policy mismatch?

3) When I bring up the tunnel with leftsubnet any and rightsubnet any, I lose SSH access; I have disabled route installation in the strongSwan configuration file.

conn %default
    ikelifetime=8h
    keylife=8h
    rekeymargin=3m
    keyingtries=2
    keyexchange=ikev1
    authby=secret
    type=tunnel
    left=10.24.18.209
    leftsubnet=0.0.0.0/0
    ike=aes128-sha1-modp1024
    esp=null-md5-modp1024
    installpolicy=no
conn net-net
    right=10.24.18.35
    rightsubnet=0.0.0.0/0
    mark_out=32
    auto=add
    installpolicy=yes

######### strongswan.conf #######
charon {
    # interfaces_use and install_routes are charon options, so they belong inside the charon section
    interfaces_use = eth3
    install_routes = no
}

Please shed some light on the above issues.
Thanks,
Naveen
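A small checker for the symptom in the second question, added here as an example (it is not code from the post or from the strongSwan project): it parses `ip xfrm policy` and `ip xfrm state` output, pairs each policy template with the SA it selects (same endpoints and reqid), and reports every pair whose marks differ. The embedded sample is constructed after the dump in the post, with the unindented `src ... dst ...` selector lines added because `ip xfrm policy` prints them; the function and key names are the example's own. Python is used because the job is parsing tool output rather than driving the kernel.

```python
"""Spot XFRM policy/SA mark mismatches in `ip xfrm policy` / `ip xfrm state` output."""
import re

# Constructed sample modelled on the dump in the post: the outbound SA carries
# mark 32 like its policy, but the inbound SA (spi 0xca115267) has no mark even
# though the inbound policy requires mark 32.
SAMPLE_POLICY = """\
src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 399999
    mark 32/0xffffffff
    tmpl src 10.24.18.209 dst 10.24.18.35
        proto esp spi 0xce437d69 reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 399999
    mark 32/0xffffffff
    tmpl src 10.24.18.35 dst 10.24.18.209
        proto esp reqid 1 mode tunnel
"""

SAMPLE_STATE = """\
src 10.24.18.209 dst 10.24.18.35
    proto esp spi 0xce437d69 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    mark 32/0xffffffff
    auth-trunc hmac(md5) 0x73f7dac6b9ef4de0dd6965ce30e2e548 96
    enc ecb(cipher_null)
src 10.24.18.35 dst 10.24.18.209
    proto esp spi 0xca115267 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0xcc44e5211adb4b23d281e9b94853b31c 96
    enc ecb(cipher_null)
"""

def _records(text):
    """Split `ip xfrm` output into records; each starts at an unindented 'src ... dst ...' line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("src "):
            records.append([line.strip()])
        elif records:
            records[-1].append(line.strip())
    return records

def _field(lines, key):
    """Value following `key` in the first of `lines` that contains it, else None."""
    pattern = re.compile(r"(?:^|\s)" + re.escape(key) + r" (\S+)")
    for line in lines:
        m = pattern.search(line)
        if m:
            return m.group(1)
    return None

def parse_policies(text):
    """One dict per policy: direction, mark, reqid and the template endpoints."""
    policies = []
    for rec in _records(text):
        tmpl = [l for l in rec if l.startswith("tmpl ")]
        policies.append({
            "dir": _field(rec, "dir"),
            "mark": _field(rec, "mark"),        # '32/0xffffffff', or None when unmarked
            "reqid": _field(rec, "reqid"),
            "tmpl_src": _field(tmpl, "src"),
            "tmpl_dst": _field(tmpl, "dst"),
        })
    return policies

def parse_states(text):
    """One dict per SA: endpoints (from the head line), spi, reqid and mark."""
    states = []
    for rec in _records(text):
        states.append({
            "src": _field(rec[:1], "src"),
            "dst": _field(rec[:1], "dst"),
            "spi": _field(rec, "spi"),
            "reqid": _field(rec, "reqid"),
            "mark": _field(rec, "mark"),
        })
    return states

def find_mark_mismatches(policy_text, state_text):
    """Pair every policy template with the SA it selects (same endpoints and reqid)
    and report pairs whose marks differ.  A decrypted packet still has to match the
    inbound policy, so an unmarked inbound SA under a marked policy is the case the
    post describes: traffic is decrypted and then dropped by the policy."""
    states = parse_states(state_text)
    findings = []
    for pol in parse_policies(policy_text):
        for sa in states:
            same_sa = (sa["src"], sa["dst"], sa["reqid"]) == (pol["tmpl_src"], pol["tmpl_dst"], pol["reqid"])
            if same_sa and pol["mark"] != sa["mark"]:
                findings.append({"dir": pol["dir"], "reqid": pol["reqid"], "spi": sa["spi"],
                                 "policy_mark": pol["mark"], "sa_mark": sa["mark"]})
    return findings

if __name__ == "__main__":
    # Checks the constructed sample; feed it the saved output of the two `ip xfrm` commands instead.
    for f in find_mark_mismatches(SAMPLE_POLICY, SAMPLE_STATE):
        print("dir %s reqid %s spi %s: policy mark %s, SA mark %s"
              % (f["dir"], f["reqid"], f["spi"], f["policy_mark"], f["sa_mark"]))
```

On the sample it reports exactly one pair, the inbound policy (mark 32) against SA spi 0xca115267 (no mark). On a live host, save `ip xfrm policy` and `ip xfrm state` output to files and pass their contents to `find_mark_mismatches`; the pairing is by template endpoints and reqid only, so policies whose template does not correspond to any installed SA are silently skipped.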
Hi Naveen,
I believe you need to set uniqueids = no in config setup.
Cheers,
Christopher Bachner
On Mar 2, 2018 09:33, Naveen Neelakanta <[email protected]> wrote:
- [strongSwan] second connection from the same machine f... Naveen Neelakanta
- Re: [strongSwan] second connection from the same ... Christopher Bachner
- Re: [strongSwan] second connection from the same ... Tobias Brunner
- Re: [strongSwan] second connection from the s... Naveen Neelakanta
