
List:       strongswan-users
Subject:    [strongSwan] Problems with Strongswan 2.0.2 and
From:       a.bertacca () vva ! de (Ariano Bertacca)
Date:       2004-05-11 14:52:33
Message-ID: 1084279845.2460.26.camel () grautvornix ! intern ! vva ! de

On Sun, 2004-05-09 at 13:54, Andreas Steffen wrote:
> Ariano Bertacca wrote:
> 
> > Hello!
> > 
> > I've got some trouble while trying to use DHCP over IPsec using
> > strongSwan 2.0.2 on Red Hat 9. I was already using FreeS/WAN before, so
> > the general config with X.509 support isn't new to me.
> > I used most of the info on
> > http://www.strongsec.com/freeswan/dhcprelay/ipsec-dhcp-howto.html, which
> > was quite useful, but I still don't get any clients to use a VIP.
> > 
> > I'm running a dhcpd, offering addresses from 192.168.0.241-254. Access
> > is limited using the class syntax from the howto above.
> > dhcprelay is installed and working.
> > The protected intranet is 192.168.0.0/16.
> > 
> > My ipsec.conf contains:
> > 
> > conn %default
> >         ike=aes128-md5,3des-md5
> >         esp=aes128-md5,3des-md5
> >         left=x.x.x.x
> >         leftnexthop=x.x.x.x
> >         leftid="xxx"
> >         leftrsasigkey=%cert
> >         leftcert=xxx.pem
> >         right=%any
> >         rightrsasigkey=%cert
> >         auto=add
> > 
> > conn dhcp
> >         rekey=no
> >         keylife=30s
> >         rekeymargin=15s
> >         leftsubnet=0.0.0.0/0
> >         leftprotoport=udp/bootps
> >         rightprotoport=udp/bootpc
> > 
> > conn remote
> >         leftsubnet=192.168.0.0/16
> >         rightsubnetwithin=192.168.0.240/28
> >         auto=add
> > 
> > conn remote-sentinel
> >         leftsubnet=0.0.0.0/0
> >         rightsubnetwithin=192.168.0.240/28
> >         auto=add
> > 
> > There's some more, but this is the stuff that won't run as expected.
> > When I set up SSH Sentinel to use a VIP and tell it to use
> > 192.168.0.241, everything runs fine and the connection comes up
> > instantly.
> > 
> > Changing from a manually set VIP to DHCP, I get the following:
> > 
> > (195.158.129.147 is the dial-up IP I tested with - direct internet
> > connection via ISDN)
> > 
> > x pluto[11889]: packet from 195.158.129.147:500: ignoring Vendor ID
> > payload [SSH Sentinel 1.4.1]
> > x pluto[11889]: packet from 195.158.129.147:500: ignoring Vendor ID
> > payload [XAUTH]
> > x pluto[11889]: "dhcp"[1] 195.158.129.147 #27: responding to Main Mode
> > from unknown peer 195.158.129.147
> > x pluto[11889]: "dhcp"[1] 195.158.129.147 #27: ignoring informational
> > payload, type IPSEC_INITIAL_CONTACT
> > x pluto[11889]: "dhcp"[1] 195.158.129.147 #27: Peer ID is
> > ID_DER_ASN1_DN: 'xxx'
> > x pluto[11889]: "dhcp"[2] 195.158.129.147 #27: deleting connection
> > "dhcp" instance with peer 195.158.129.147 {isakmp=#0/ipsec=#0}
> > x pluto[11889]: "dhcp"[2] 195.158.129.147 #27: sent MR3, ISAKMP SA
> > established
> > x pluto[11889]: "dhcp"[2] 195.158.129.147 #27: cannot respond to IPsec
> > SA request because no connection is known for
> > 192.168.0.0/16===x.x.x.x[xxx]:17/67...195.158.129.147[xxx]:17/68
> > x pluto[11889]: "dhcp"[2] 195.158.129.147 #27: sending encrypted
> > notification INVALID_ID_INFORMATION to 195.158.129.147:500
> 
> It is strange that the DHCP SA wants leftsubnet=192.168.0.0/16 instead
> of leftsubnet=0.0.0.0/0 as defined by the DHCP-over-IPsec RFC.
> What happens if you set leftsubnet=192.168.0.0/16 in conn dhcp?

Actually, I haven't had time to follow this up any further, but I'll try
again soon. I also found that I missed some serious problems in my IP
setup. I'll change some data (new DHCP subnet and some more) and post
again once I have tested that.

Thanks so far.

Regards,

Ariano Bertacca

> 
> > Actually I might be blind, but I don't know what to add to the config to
> > get that working as expected.
> > 
> > Again - once I change to a manually set VIP, the connection works
> > perfectly. Every other static connection works as well (the system is
> > used as a VPN gateway with lots of tunnel configs) and I'm always
> > authenticating users/systems with X.509 certs.
> > 
> > Any hints would be great.
> > 
> > Regards,
> > 
> > Ariano Bertacca
> 
> Andreas
> 
> =======================================================================
> Andreas Steffen                   e-mail: andreas.steffen@strongsec.com
> strongSec GmbH                    home:   http://www.strongsec.com
> Alter Zürichweg 20                phone:  +41 1 730 80 64
> CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
> ==========================================[strong internet security]===
-- 
VVA Kommunikation 
: medien mit zukunft 

Ariano Bertacca | Systems Management | Network Engineering | IT Security

VVA Kommunikation
Höherweg 278 | 40231 Düsseldorf
phone: 0211 7357-834 | fax: 0211 7357-859

a.bertacca@vva.de

PGP KeyID: 0x081E5E62
PGP Fingerprint: EAD0 4BAD 0819 5079 96AC  3DC4 CB54 F02F 081E 5E62

----------------------------------------------------------------------- 
Any opinions expressed in this message are those of the individual 
and not necessarily the company. This message and any files transmitted 
with it are confidential and solely for the use of the intended 
recipient. If you are not the intended recipient or the person 
responsible for delivering to the intended recipient, be advised that 
you have received this message in error and that any use is strictly 
prohibited.
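As an added illustration (not code from this thread or from strongSwan), the following reads the "no connection is known for" pluto line quoted above and checks each of the poster's conns against the selectors the peer proposed, using an assumed and simplified model of pluto's Quick Mode matching (leftsubnet must match exactly, rightsubnetwithin only has to contain the peer's client, proto/port must be identical). It also shows that Andreas's suggested change of leftsubnet in conn dhcp is what lets that conn match.

```python
import ipaddress
import re

# Pluto log line quoted in this thread (the "xxx" IDs are the poster's redactions).
LOG_LINE = ('"dhcp"[2] 195.158.129.147 #27: cannot respond to IPsec SA request '
            'because no connection is known for '
            '192.168.0.0/16===x.x.x.x[xxx]:17/67...195.158.129.147[xxx]:17/68')

# The conns from the poster's ipsec.conf, with udp/bootps and udp/bootpc written
# the way pluto logs them (17/67 and 17/68).
CONNS = {
    "dhcp": {"leftsubnet": "0.0.0.0/0", "leftprotoport": "17/67", "rightprotoport": "17/68"},
    "remote": {"leftsubnet": "192.168.0.0/16", "rightsubnetwithin": "192.168.0.240/28"},
    "remote-sentinel": {"leftsubnet": "0.0.0.0/0", "rightsubnetwithin": "192.168.0.240/28"},
}

# Left side: net===host[id]:proto/port ... right side: host[id]:proto/port
SELECTOR_RE = re.compile(
    r"no connection is known for (?P<lnet>[\d.]+/\d+)===.+?:(?P<lpp>\d+/\d+)"
    r"\.\.\.(?P<rhost>[\d.]+).*?:(?P<rpp>\d+/\d+)")

def parse_selector(line):
    """Pull the proposed Quick Mode selectors out of a 'no connection is known' line."""
    m = SELECTOR_RE.search(line)
    if m is None:
        raise ValueError("not a 'no connection is known for' line")
    return {"left_net": ipaddress.ip_network(m["lnet"]), "left_pp": m["lpp"],
            # No subnet follows the peer address: its client is the peer host itself.
            "right_net": ipaddress.ip_network(m["rhost"] + "/32"), "right_pp": m["rpp"]}

def explain_mismatch(conn, sel):
    """Assumed, simplified model of pluto's matching: leftsubnet must equal the
    proposed left selector, rightsubnetwithin only has to contain the peer's
    client, and proto/port must be identical. Returns None when conn matches."""
    left = conn.get("leftsubnet")
    if left is None or ipaddress.ip_network(left) != sel["left_net"]:
        return f"leftsubnet {left} != proposed {sel['left_net']}"
    within = conn.get("rightsubnetwithin")
    if within and not sel["right_net"].subnet_of(ipaddress.ip_network(within)):
        return f"peer client {sel['right_net']} not within rightsubnetwithin {within}"
    for side in ("left", "right"):
        want = conn.get(side + "protoport", "0/0")
        if want != sel[side + "_pp"]:
            return f"{side}protoport {want} != proposed {sel[side + '_pp']}"
    return None

def diagnose(conns, line):
    """Map each conn name to None (would match) or the reason pluto skipped it."""
    sel = parse_selector(line)
    return {name: explain_mismatch(conn, sel) for name, conn in conns.items()}
```

Running `diagnose(CONNS, LOG_LINE)` reports a leftsubnet mismatch for conn dhcp and conn remote-sentinel, and a rightsubnetwithin mismatch for conn remote, because the DHCP Quick Mode uses the peer's real address as its client rather than a 192.168.0.240/28 VIP.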

