Hi,

requesting virtual addresses is currently unsupported in the ikev2 plugin.

I have created a Jira ticket to track this issue:
https://jira.fd.io/browse/VPP-1912

Thanks,
Filip
________________________________
From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of gte...@telco.com <gte...@telco.com>
Sent: Tuesday, June 16, 2020 12:52 PM
To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: [vpp-dev] IKEv2/IPSEC with VPP initiator and Strongswan responder #vnet #ipsec


Hi,

My setup is a Strongswan responder and a VPP initiator. I don't have a right subnet, but I want the VPP initiator to get a virtual IP from the Strongswan responder.
In phase 1 negotiation everything seems to be working fine, but in phase 2 I can't figure out what is going wrong. I assume that it is the VPP local-ts, since I don't have a right subnet and I'm not sure what the equivalent of Strongswan's "remote_ts = dynamic" is in VPP. Also there is no difference in /var/log/syslog whether the crypto and auth algorithms match or differ; I get the same logs.

VPP config:

ikev2 profile add pr1
ikev2 profile set pr1 auth shared-key-mic string test
ikev2 profile set pr1 id local ip4-addr 10.3.198.133
ikev2 profile set pr1 id remote ip4-addr 10.3.198.241
ikev2 profile set pr1 traffic-selector remote ip-range 192.168.122.0 - 192.168.122.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 traffic-selector local ip-range 0.0.0.0 - 255.255.255.255 port-range 0 - 65535 protocol 0
ikev2 profile set pr1 responder loop0 10.3.198.241
ikev2 profile set pr1 ike-crypto-alg aes-cbc 192 ike-integ-alg hmac-sha2-256-128 ike-dh modp-3072
ikev2 profile set pr1 esp-crypto-alg aes-cbc 128 esp-integ-alg sha1-96 esp-dh ecp-256
ikev2 initiate sa-init pr1



Strongswan, /etc/swanctl/swanctl.conf:

connections {
   ch_vti0 {
      version = 2
      proposals = aes192-sha256-modp3072
      send_cert = always
      encap = yes
      pools = pools_users
      #aggressive = yes
      local {
         round = 1
         id = 10.3.198.241
         auth = psk
         certs =
      }
      remote {
         auth = psk
         id = 10.3.198.133
         certs =
      }
      children {
         ch_vti0 {
            sha256_96 = yes
            local_ts = 192.168.122.0/24
            remote_ts = dynamic
            inactivity = 60s
            mode = tunnel
            esp_proposals = aes128-sha1-ecp256
            start_action = start
         }
      }
   }
}

pools {
   pools_users {
      addrs = 172.13.14.3/24
   }
}

secrets {
   xauth-ucpe {
      id =
      secret =
   }
   xauth-tester {
      id = test2
      secret =
   }
   ike-sec {
      id = 10.3.198.133
      #id = %any
      secret = "test"
   }
   ike-local {
      id = 10.3.198.241
      secret = "test"
   }
}

Strongswan /var/log/syslog:

Jun 16 10:24:53 strongswan-ipsec charon: 10[NET] received packet: from 10.3.198.133[500] to 10.3.198.241[500] (576 bytes)
Jun 16 10:24:53 strongswan-ipsec charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Jun 16 10:24:53 strongswan-ipsec charon: 10[IKE] 10.3.198.133 is initiating an IKE_SA
Jun 16 10:24:53 strongswan-ipsec charon: 10[IKE] local host is behind NAT, sending keep alives
Jun 16 10:24:53 strongswan-ipsec charon: 10[IKE] remote host is behind NAT
Jun 16 10:24:53 strongswan-ipsec charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Jun 16 10:24:53 strongswan-ipsec charon: 10[NET] sending packet: from 10.3.198.241[500] to 10.3.198.133[500] (582 bytes)
Jun 16 10:24:53 strongswan-ipsec charon: 12[NET] received packet: from 10.3.198.133[500] to 10.3.198.241[500] (224 bytes)
Jun 16 10:24:53 strongswan-ipsec charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Jun 16 10:24:53 strongswan-ipsec charon: 12[CFG] looking for peer configs matching 10.3.198.241[%any]...10.3.198.133[10.3.198.133]
Jun 16 10:24:53 strongswan-ipsec charon: 12[CFG] selected peer config 'ch_vti0'
Jun 16 10:24:53 strongswan-ipsec charon: 12[IKE] authentication of '10.3.198.133' with pre-shared key successful
Jun 16 10:24:53 strongswan-ipsec charon: 12[IKE] authentication of '10.3.198.241' (myself) with pre-shared key
Jun 16 10:24:53 strongswan-ipsec charon: 12[IKE] IKE_SA ch_vti0[7] established between 10.3.198.241[10.3.198.241]...10.3.198.133[10.3.198.133]
Jun 16 10:24:53 strongswan-ipsec charon: 12[IKE] scheduling rekeying in 13381s
Jun 16 10:24:53 strongswan-ipsec charon: 12[IKE] maximum IKE_SA lifetime 14821s
Jun 16 10:24:53 strongswan-ipsec charon: 12[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED
Jun 16 10:24:53 strongswan-ipsec charon: 12[IKE] configuration payload negotiation failed, no CHILD_SA built
Jun 16 10:24:53 strongswan-ipsec charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 16 10:24:53 strongswan-ipsec charon: 12[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(FAIL_CP_REQ) ]
Jun 16 10:24:53 strongswan-ipsec charon: 12[NET] sending packet: from 10.3.198.241[500] to 10.3.198.133[500] (128 bytes)



ipsec statusall:

Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-101-generic, x86_64):
  uptime: 102 minutes, since Jun 16 08:53:04 2020
  malloc: sbrk 2699264, mmap 0, used 757216, free 1942048
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 18
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  10.3.198.241
  fdc8:c2cb:4586:c:ffff:ffff:fe2c:9b98
  192.168.122.151
Connections:
     ch_vti0:  %any...%any  IKEv2
     ch_vti0:   local:  [10.3.198.241] uses pre-shared key authentication
     ch_vti0:   remote: [10.3.198.133] uses pre-shared key authentication
     ch_vti0:   child:  192.168.122.0/24 === dynamic TUNNEL
Security Associations (6 up, 0 connecting):
     ch_vti0[7]: ESTABLISHED 10 minutes ago, 10.3.198.241[10.3.198.241]...10.3.198.133[10.3.198.133]
     ch_vti0[7]: IKEv2 SPIs: da7685641481a9f1_i b22329b36499b902_r*, rekeying in 3 hours
     ch_vti0[7]: IKE proposal: AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
     ch_vti0[6]: ESTABLISHED 11 minutes ago, 10.3.198.241[10.3.198.241]...10.3.198.133[10.3.198.133]
     ch_vti0[6]: IKEv2 SPIs: 216438486e37639f_i fbf88fd2c41c5287_r*, rekeying in 3 hours
     ch_vti0[6]: IKE proposal: AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
     ch_vti0[5]: ESTABLISHED 12 minutes ago, 10.3.198.241[10.3.198.241]...10.3.198.133[10.3.198.133]
     ch_vti0[5]: IKEv2 SPIs: 236b054d085c07fc_i 2ef3108009189adf_r*, rekeying in 3 hours
     ch_vti0[5]: IKE proposal: AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
     ch_vti0[4]: ESTABLISHED 98 minutes ago, 10.3.198.241[10.3.198.241]...10.3.198.133[10.3.198.133]
     ch_vti0[4]: IKEv2 SPIs: 7d772a1e78f74db4_i dea9cdffd8e27afd_r*, rekeying in 2 hours
     ch_vti0[4]: IKE proposal: AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
     ch_vti0[3]: ESTABLISHED 99 minutes ago, 10.3.198.241[10.3.198.241]...10.3.198.133[10.3.198.133]
     ch_vti0[3]: IKEv2 SPIs: 3e77f062f658970f_i 006b0f321eb63d56_r*, rekeying in 2 hours
     ch_vti0[3]: IKE proposal: AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
     ch_vti0[2]: ESTABLISHED 101 minutes ago, 10.3.198.241[10.3.198.241]...10.3.198.133[10.3.198.133]
     ch_vti0[2]: IKEv2 SPIs: 0a34e37b7fbcad3b_i 05a50fdb420d8b1d_r*, rekeying in 2 hours
     ch_vti0[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
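The charon log above shows the actual failure point: the IKE_SA comes up, but the responder (configured with `pools = pools_users` and `remote_ts = dynamic`) expects a configuration payload (CP) requesting a virtual IP in the IKE_AUTH request, finds none in `[ IDi AUTH SA TSi TSr ]`, answers with FAILED_CP_REQUIRED and builds no CHILD_SA. The triage script below is an added example, not part of the original post or of either project; it parses charon lines per worker thread, pairs the IKE_AUTH request payload list with the outcome, and reports IKE_SAs that were established without a CHILD_SA and whether the initiator omitted the CP payload. The sample lines are constructed in the shape of the ones quoted above.

```python
import re

# Constructed sample in the shape of the charon lines quoted in the post above.
SAMPLE_LOG = """\
Jun 16 10:24:53 strongswan-ipsec charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Jun 16 10:24:53 strongswan-ipsec charon: 12[IKE] IKE_SA ch_vti0[7] established between 10.3.198.241[10.3.198.241]...10.3.198.133[10.3.198.133]
Jun 16 10:24:53 strongswan-ipsec charon: 12[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED
Jun 16 10:24:53 strongswan-ipsec charon: 12[IKE] configuration payload negotiation failed, no CHILD_SA built
Jun 16 10:24:53 strongswan-ipsec charon: 12[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(FAIL_CP_REQ) ]
"""

# "charon: <worker thread>[<log group>] <message>"
LINE_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
IKE_SA_RE = re.compile(r"IKE_SA (?P<sa>\S+\[\d+\]) established")
AUTH_REQ_RE = re.compile(r"parsed IKE_AUTH request \d+ \[ (?P<payloads>[^\]]*)\]")


def parse_charon(text):
    """Yield (worker_thread, log_group, message) for each charon line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("thread"), m.group("group"), m.group("msg")


def triage(text):
    """Report each IKE_SA that was established but got no CHILD_SA.

    Lines are grouped by worker thread, since charon handles one exchange
    on one thread, so the IKE_AUTH payload list and the outcome line up.
    """
    threads = {}
    for thread, group, msg in parse_charon(text):
        st = threads.setdefault(thread, {"ike_sa": None, "payloads": [],
                                         "cp_required": False, "no_child": False})
        m = AUTH_REQ_RE.search(msg)
        if m:
            st["payloads"] = m.group("payloads").split()
        m = IKE_SA_RE.search(msg)
        if m:
            st["ike_sa"] = m.group("sa")
        st["cp_required"] |= "FAILED_CP_REQUIRED" in msg
        st["no_child"] |= "no CHILD_SA built" in msg
    findings = []
    for st in threads.values():
        if st["ike_sa"] and st["no_child"]:
            findings.append({
                "ike_sa": st["ike_sa"],
                # charon prints a CP payload as CP(CFG_REQ); none here.
                "initiator_sent_cp": any(p.startswith("CP") for p in st["payloads"]),
                "responder_required_cp": st["cp_required"],
            })
    return findings
```

Run against the real syslog, a finding with `initiator_sent_cp: False` and `responder_required_cp: True` is the signature of this mismatch, and it also explains the `ipsec statusall` output above: six IKE_SAs up, each with no child.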


View/Reply Online (#16740): https://lists.fd.io/g/vpp-dev/message/16740