(racoon 565) Re: Strongswan<->racoon problem with 2 tunnels
- To: racoon@kame.net
- Subject: (racoon 565) Re: Strongswan<->racoon problem with 2 tunnels
- From: Charles-Edouard Ruault <ce@idtect.com>
- Date: Mon, 5 Jul 2004 16:43:35 +0200
- Cc: users@lists.strongswan.org
- In-reply-to: <40E94E96.8060901@gmc.lt>
- References: <14AC8624-CE81-11D8-AA4B-000A95CFFC9C@idtect.com> <40E94E96.8060901@gmc.lt>
- Reply-to: racoon@kame.net
- Sender: owner-racoon@kame.net
Hello Aidas,
thanks a lot for the answer. This did it!
Now I've got my two tunnels working great.
By the way, do you have an idea on how to fix the following problem:
When I run racoon in anonymous mode with generate policy on, I've got the
following behaviour:
- I establish a tunnel, both SPD and SAD are populated fine. The tunnel
is up and running.
- When SAs expire, they are renegotiated by the two peers and SAD are
updated, but racoon has deleted the SPD entries without recreating them
after renegotiation and therefore the tunnel does not work anymore.
I've seen other people on the list report this behaviour but no answer
was provided.
Thanks for your help.
Regards
On Jul 5, 2004, at 2:50 PM, Aidas Kasparas wrote:
Change "require" to "unique". *Swan wants different SAs for different
policies.
Charles-Edouard Ruault wrote:
Hi All,
I'm facing the following annoying problem when trying to get racoon
(both 20040617a and 20040408a) and strongswan 2.1.3 to work together.
Here's the story:
I have one VPN gateway (FreeBSD running racoon) behind which I have
two subnets (10.1.0.0/24 and 10.2.0.0/24) that I want to access
from another LAN (10.0.0.0/24). The second LAN is behind a Linux
box (kernel 2.4.26) running StrongSwan 2.1.3.

10.0.0.0/24 ---- StrongSwan ---- Internet --- Racoon -/ 10.2.0.0/24
                                                      \ 10.1.0.0/24

On the racoon side I've added SPD entries as follows:
spdadd 10.1.0.0/24 10.0.0.0/24 any -P out ipsec
    esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require;
spdadd 10.0.0.0/24 10.1.0.0/24 any -P in ipsec
    esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require;
spdadd 10.2.0.0/24 10.0.0.0/24 any -P out ipsec
    esp/tunnel/XX.XX.XX.XX-YY.YY.YY.YY/require;
spdadd 10.0.0.0/24 10.2.0.0/24 any -P in ipsec
    esp/tunnel/YY.YY.YY.YY-XX.XX.XX.XX/require;
On StrongSwan I have the following:
conn one
    type=tunnel
    right=XX.XX.XX.XX
    rightid="right certificate info"
    rightsubnet=10.1.0.0/24
    keylife=30m
    ikelifetime=73m
    auto=add
conn two
    type=tunnel
    right=XX.XX.XX.XX
    rightid="right certificate info"
    rightsubnet=10.2.0.0/24
    keylife=30m
    ikelifetime=73m
    auto=add
When I start one of the 2 tunnels, everything works fine.
As soon as I start the second tunnel it works, but the first one stops
functioning (no traffic goes through).
Whether I start first with tunnel one or two does not make a difference.
Looking at the racoon side I have:
With only one tunnel up:
setkey -DP
XX.XX.XX.XX YY.YY.YY.YY
esp mode=tunnel spi=1653462100(0x628dd454) reqid=0(0x00000000)
E: 3des-cbc 72fb2180 4181bafd 70ee6378 d86e35f2 cd5b9aac 9f440b5e
A: hmac-sha1 7e25d6ed 2bab5035 87ed9586 db4170e6 055947f1
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jul 5 14:18:09 2004 current: Jul 5 14:18:12 2004
diff: 3(s) hard: 1800(s) soft: 1440(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=3 pid=10030 refcnt=1
YY.YY.YY.YY XX.XX.XX.XX
esp mode=tunnel spi=7019507(0x006b1bf3) reqid=0(0x00000000)
E: 3des-cbc 0a747a64 4565b2c1 c80dd1c1 291781b9 c392c813 e2815d04
A: hmac-sha1 af9cac86 8ce950a4 7e0b0f55 f6c8be34 cf476f07
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jul 5 14:18:09 2004 current: Jul 5 14:18:12 2004
diff: 3(s) hard: 1800(s) soft: 1440(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=10030 refcnt=1
With both tunnels up:
XX.XX.XX.XX YY.YY.YY.YY
esp mode=tunnel spi=1653462101(0x628dd455) reqid=0(0x00000000)
E: 3des-cbc bf549e76 0294b12c c239cc81 94e3e4ef 37a1ed0f c07de5b6
A: hmac-sha1 b3059365 48509f24 f66ba245 1b727c17 946ec3ed
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jul 5 14:19:51 2004 current: Jul 5 14:19:56 2004
diff: 5(s) hard: 1800(s) soft: 1440(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=4 pid=10031 refcnt=1
XX.XX.XX.XX YY.YY.YY.YY
esp mode=tunnel spi=1653462100(0x628dd454) reqid=0(0x00000000)
E: 3des-cbc 72fb2180 4181bafd 70ee6378 d86e35f2 cd5b9aac 9f440b5e
A: hmac-sha1 7e25d6ed 2bab5035 87ed9586 db4170e6 055947f1
seq=0x00000002 replay=4 flags=0x00000000 state=mature
created: Jul 5 14:18:09 2004 current: Jul 5 14:19:56 2004
diff: 107(s) hard: 1800(s) soft: 1440(s)
last: Jul 5 14:19:19 2004 hard: 0(s) soft: 0(s)
current: 256(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 2 hard: 0 soft: 0
sadb_seq=3 pid=10031 refcnt=2
YY.YY.YY.YY XX.XX.XX.XX
esp mode=tunnel spi=178408821(0x0aa24d75) reqid=0(0x00000000)
E: 3des-cbc c2aa92fc 81a530ed 1c6acda9 3abca046 9be7e23d b50b3dfe
A: hmac-sha1 af6e6ef5 a1726f61 e6c97c21 fb81069f 11b9ccc1
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jul 5 14:19:51 2004 current: Jul 5 14:19:56 2004
diff: 5(s) hard: 1800(s) soft: 1440(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=10031 refcnt=1
YY.YY.YY.YY XX.XX.XX.XX
esp mode=tunnel spi=7019507(0x006b1bf3) reqid=0(0x00000000)
E: 3des-cbc 0a747a64 4565b2c1 c80dd1c1 291781b9 c392c813 e2815d04
A: hmac-sha1 af9cac86 8ce950a4 7e0b0f55 f6c8be34 cf476f07
seq=0x00000002 replay=4 flags=0x00000000 state=mature
created: Jul 5 14:18:09 2004 current: Jul 5 14:19:56 2004
diff: 107(s) hard: 1800(s) soft: 1440(s)
last: Jul 5 14:19:19 2004 hard: 0(s) soft: 0(s)
current: 152(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 2 hard: 0 soft: 0
sadb_seq=1 pid=10031 refcnt=1
On the StrongSwan side I have:
10.0.0.0/24 -> 10.1.0.0/24 => tun0x1002@XX.XX.XX.XX esp0x6b1bf3@YY.YY.YY.YY (10)
10.0.0.0/24 -> 10.2.0.0/24 => tun0x1004@XX.XX.XX.XX esp0xaa24d75@YY.YY.YY.YY (1)
esp0x628dd454@YY.YY.YY.YY ESP_3DES_HMAC_SHA1: dir=in src=XX.XX.XX.XX iv_bits=64bits iv=0xeb4390f9455f2e88 ooowin=64 seq=2 bit=0x3 alen=160 aklen=160 eklen=192 life(c,s,h)=bytes(192,0,0)addtime(310,0,0)usetime(305,0,0)packets(2,0,0) idle=240 refcount=6 ref=8
esp0x628dd455@YY.YY.YY.YY ESP_3DES_HMAC_SHA1: dir=in src=XX.XX.XX.XX iv_bits=64bits iv=0xb356bd5ee60051d2 ooowin=64 seq=9 bit=0x1ff alen=160 aklen=160 eklen=192 life(c,s,h)=bytes(1312,0,0)addtime(208,0,0)usetime(174,0,0)packets(9,0,0) idle=47 refcount=13 ref=18
esp0x6b1bf3@XX.XX.XX.XX ESP_3DES_HMAC_SHA1: dir=out src=YY.YY.YY.YY iv_bits=64bits iv=0x099fd50360f5f8b9 ooowin=64 seq=10 alen=160 aklen=160 eklen=192 life(c,s,h)=bytes(1264,0,0)addtime(310,0,0)usetime(305,0,0)packets(10,0,0) idle=47 refcount=4 ref=13
esp0xaa24d75@XX.XX.XX.XX ESP_3DES_HMAC_SHA1: dir=out src=YY.YY.YY.YY iv_bits=64bits iv=0x79ee955945025c67 ooowin=64 seq=1 alen=160 aklen=160 eklen=192 life(c,s,h)=bytes(136,0,0)addtime(208,0,0)usetime(116,0,0) idle=116 refcount=4 ref=23
tun0x1001@YY.YY.YY.YY IPIP: dir=in src=XX.XX.XX.XX policy=10.1.0.0/24->10.0.0.0/24 flags=0x8<> life(c,s,h)=bytes(192,0,0)addtime(310,0,0)usetime(305,0,0)packets(2,0,0) idle=240 refcount=4 ref=7
tun0x1002@XX.XX.XX.XX IPIP: dir=out src=YY.YY.YY.YY life(c,s,h)=bytes(944,0,0)addtime(310,0,0)usetime(305,0,0)packets(10,0,0) idle=47 refcount=4 ref=12
tun0x1003@YY.YY.YY.YY IPIP: dir=in src=XX.XX.XX.XX policy=10.2.0.0/24->10.0.0.0/24 flags=0x8<> life(c,s,h)=bytes(1312,0,0)addtime(208,0,0)usetime(174,0,0)packets(9,0,0) idle=47 refcount=4 ref=17
tun0x1004@XX.XX.XX.XX IPIP: dir=out src=YY.YY.YY.YY life(c,s,h)=bytes(104,0,0)addtime(208,0,0)usetime(116,0,0) idle=116 refcount=4 ref=22
From my (limited) knowledge, everything looks ok.
In this example I've brought up the tunnel to 10.1.0.0/24 first and then
the tunnel to 10.2.0.0/24.
When I ping a machine in the 10.1.0.0/24 network from the 10.0.0.0/24
network I see this on the outgoing interface of the StrongSwan
gateway:
14:19:57.375642 XX.XX.XX.XX > YY.YY.YY.YY: ESP(spi=0x006b1bf3,seq=0xf1)
14:19:57.432745 YY.YY.YY.YY > XX.XX.XX.XX: ESP(spi=0x628dd455,seq=0xf8)
This means that traffic is going OK to Racoon and back OK to
StrongSwan (both SPIs are OK, and looking at cleartext traffic on
both ends shows that the ICMP echo request makes it to the target
machine and is sent back over the tunnel), but the reply never makes
it out of the ipsec0 interface. So I believe this is a problem on
the StrongSwan side...
Has anyone seen this happening? Any help would be greatly
appreciated!
Thanks in advance for any hint.
Regards
Charles-Edouard Ruault
Idtect SA
tel: +33-1-55-34-76-65
fax: +33-1-55-34-76-75
http://www.idtect.com
--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
Charles-Edouard Ruault
Idtect SA
tel: +33-1-55-34-76-65
fax: +33-1-55-34-76-75
http://www.idtect.com
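As an added illustration of Aidas's point (this is not code from the thread or from racoon/strongSwan), the script below parses the `setkey -D` excerpt quoted above, flags gateway pairs where several tunnel SAs all carry reqid=0 (what `require` yields, so either SA may serve either subnet's policy), and emits the SPD entries rewritten with the numbered `unique:N` level from setkey(8), which binds each policy to its own SA. The SA dump excerpt is the thread's own output with keys and lifetimes omitted; the `unique:N` numbering (1 and 2) is an assumption.

```python
import re
from collections import defaultdict

# setkey -D excerpt from the thread (both tunnels up), keys and lifetimes omitted
SETKEY_DUMP = """\
XX.XX.XX.XX YY.YY.YY.YY
esp mode=tunnel spi=1653462101(0x628dd455) reqid=0(0x00000000)
XX.XX.XX.XX YY.YY.YY.YY
esp mode=tunnel spi=1653462100(0x628dd454) reqid=0(0x00000000)
YY.YY.YY.YY XX.XX.XX.XX
esp mode=tunnel spi=178408821(0x0aa24d75) reqid=0(0x00000000)
YY.YY.YY.YY XX.XX.XX.XX
esp mode=tunnel spi=7019507(0x006b1bf3) reqid=0(0x00000000)
"""

SA_RE = re.compile(r"(\w+) mode=(\w+) spi=\d+\((0x[0-9a-f]+)\) reqid=(\d+)")

def parse_sad(dump):
    """Return (src, dst, proto, mode, spi, reqid) for every SA in a setkey -D dump."""
    sas, endpoints = [], None
    for line in dump.splitlines():
        if "=" not in line and len(line.split()) == 2:
            endpoints = tuple(line.split())        # "src dst" header of an SA entry
            continue
        m = SA_RE.search(line)
        if m and endpoints:
            proto, mode, spi, reqid = m.groups()
            sas.append((*endpoints, proto, mode, spi, int(reqid)))
    return sas

def ambiguous_pairs(sas):
    """Gateway pairs with several tunnel SAs that all have reqid=0: with 'require'
    any of them may serve either policy, so the wrong subnet's SA can be chosen."""
    by_pair = defaultdict(list)
    for src, dst, proto, mode, spi, reqid in sas:
        if mode == "tunnel" and reqid == 0:
            by_pair[(src, dst)].append(spi)
    return {pair: spis for pair, spis in by_pair.items() if len(spis) > 1}

def unique_policies(local_subnets, remote_subnet, local_gw, remote_gw):
    """spdadd lines using unique:N so each policy is tied to its own SA (reqid)."""
    lines = []
    for reqid, net in enumerate(local_subnets, start=1):   # reqid numbering assumed
        lines.append(f"spdadd {net} {remote_subnet} any -P out ipsec "
                     f"esp/tunnel/{local_gw}-{remote_gw}/unique:{reqid};")
        lines.append(f"spdadd {remote_subnet} {net} any -P in ipsec "
                     f"esp/tunnel/{remote_gw}-{local_gw}/unique:{reqid};")
    return lines
```

Run `ambiguous_pairs(parse_sad(SETKEY_DUMP))` to see both directions of the XX/YY gateway pair reported with two SPIs each, which is the state the original post shows.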