[Openswan Users] Ike Mode Config and virtual IP
Andreas Steffen
andreas.steffen at strongsec.net
Wed Feb 8 19:14:27 CET 2006
strongSwan's configuration setup for an IKE Mode Config server is
quite different from Openswan's.
Here is an example taken from
http://www.strongswan.org/uml/testresults/mode-config/
------------------------------------------------------------------------
# /etc/ipsec.conf - strongSwan IPsec configuration file
version 2.0 # conforms to second version of ipsec.conf specification
config setup
crlcheckinterval=180
strictcrlpolicy=no
conn %default
left=192.168.0.1
leftsubnet=10.1.0.0/16
leftsourceip=10.1.0.1
leftnexthop=%direct
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftupdown=/etc/ipsec.updown
conn rw-carol
right=%any
rightid=carol at strongswan.org
rightsourceip=10.3.0.1 # virtual IP reserved for carol
auto=add
conn rw-dave
right=%any
rightid=dave at strongswan.org
rightsourceip=10.3.0.2 # virtual IP reserved for dave
auto=add
------------------------------------------------------------------------
Relevant excerpt from the log:
...
: "rw-dave"[2] 192.168.0.200 #3: Peer ID is ID_USER_FQDN:
'dave at strongswan.org'
: "rw-dave"[2] 192.168.0.200 #3: we have a cert and are sending it
: "rw-dave"[2] 192.168.0.200 #3: sent MR3, ISAKMP SA established
: "rw-dave"[2] 192.168.0.200 #3: modecfg_inR0 ok
: "rw-dave"[2] 192.168.0.200 #3: sent ModeCfg reply
: "rw-dave"[2] 192.168.0.200 #4: responding to Quick Mode
...
With strongSwan
right|leftsourceip=x.x.x.x automatically implies
right|leftsubnet=x.x.x.x/32 if subnet is not defined
whereas Openswan requires an explicit subnet definition.
Regards
Andreas
Marco Berizzi wrote:
>
> Andreas Steffen wrote:
>
>> The NCP Secure Entry Client works perfectly with
>> strongSswan as IKE Mode Config server.
>>
>> http://www.ncp.de/english/home/index.html
>
>
> Hi Andreas,
> thanks for the reply. I did try NCP: it's working with
> strongSswan ;-))
> Just for record: the same ipsec.conf with OSW 2.4.5rc4
> doesn't work with NCP. Here is ipsec.conf and log:
>
> conn IMCFG
> left=%any
> leftid=10.1.2.1
> leftsourceip=172.31.254.55
> right=10.1.2.10
> rightid=10.1.2.10
> rightsubnet=172.16.1.0/24
> authby=secret
> auto=add
> pfs=yes
> compress=yes
> leftrsasigkey=none
> rightrsasigkey=none
> keyingtries=0
> rightupdown=/usr/local/lib/ipsec/_updown_x509
>
> Feb 8 11:36:58 Calimero pluto[7788]: packet from 10.1.2.1:500: ignoring
> unknown Vendor ID payload [da8e937880010000]
> Feb 8 11:36:58 Calimero pluto[7788]: packet from 10.1.2.1:500: received
> Vendor ID payload [XAUTH]
> Feb 8 11:36:58 Calimero pluto[7788]: packet from 10.1.2.1:500: received
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port
> floating is off
> Feb 8 11:36:58 Calimero pluto[7788]: packet from 10.1.2.1:500: received
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port
> floating is off
> Feb 8 11:36:58 Calimero pluto[7788]: packet from 10.1.2.1:500: ignoring
> Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Feb 8 11:36:58 Calimero pluto[7788]: packet from 10.1.2.1:500: received
> Vendor ID payload [RFC 3947] meth=109, but port floating is off
> Feb 8 11:36:58 Calimero pluto[7788]: packet from 10.1.2.1:500: received
> Vendor ID payload [Dead Peer Detection]
> Feb 8 11:36:58 Calimero pluto[7788]: packet from 10.1.2.1:500: ignoring
> unknown Vendor ID payload [eb4c1b788afd4a9cb7730a68d56d088b]
> Feb 8 11:36:58 Calimero pluto[7788]: packet from 10.1.2.1:500: received
> Vendor ID payload [Cisco-Unity]
> Feb 8 11:36:58 Calimero pluto[7788]: "IMCFG"[1] 10.1.2.1 #1: responding
> to Main Mode from unknown peer 10.1.2.1
> Feb 8 11:36:58 Calimero pluto[7788]: "IMCFG"[1] 10.1.2.1 #1: transition
> from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Feb 8 11:36:58 Calimero pluto[7788]: "IMCFG"[1] 10.1.2.1 #1:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Feb 8 11:36:59 Calimero pluto[7788]: "IMCFG"[1] 10.1.2.1 #1: transition
> from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Feb 8 11:36:59 Calimero pluto[7788]: "IMCFG"[1] 10.1.2.1 #1:
> STATE_MAIN_R2: sent MR2, expecting MI3
> Feb 8 11:36:59 Calimero pluto[7788]: "IMCFG"[1] 10.1.2.1 #1: ignoring
> informational payload, type IPSEC_INITIAL_CONTACT
> Feb 8 11:36:59 Calimero pluto[7788]: "IMCFG"[1] 10.1.2.1 #1: Main mode
> peer ID is ID_IPV4_ADDR: '10.1.2.1'
> Feb 8 11:36:59 Calimero pluto[7788]: "IMCFG"[1] 10.1.2.1 #1: I did not
> send a certificate because I do not have one.
> Feb 8 11:36:59 Calimero pluto[7788]: "IMCFG"[1] 10.1.2.1 #1: transition
> from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Feb 8 11:36:59 Calimero pluto[7788]: "IMCFG"[1] 10.1.2.1 #1:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
> group=modp1024}
> Feb 8 11:36:59 Calimero pluto[7788]: "IMCFG"[1] 10.1.2.1 #1: received
> MODECFG message when in state STATE_MAIN_R3, and we aren't xauth client
> Feb 8 11:37:08 Calimero last message repeated 3 times
> Feb 8 11:37:11 Calimero pluto[7788]: "IMCFG"[1] 10.1.2.1 #1: received
> Delete SA payload: deleting ISAKMP State #1
> Feb 8 11:37:11 Calimero pluto[7788]: "IMCFG"[1] 10.1.2.1: deleting
> connection "IMCFG" instance with peer 10.1.2.1 {isakmp=#0/ipsec=#0}
> Feb 8 11:37:11 Calimero pluto[7788]: packet from 10.1.2.1:500: received
> and ignored informational message
=======================================================================
Andreas Steffen e-mail: andreas.steffen at strongsec.com
strongSec GmbH home: http://www.strongsec.com
Alter Zürichweg 20 phone: +41 1 730 80 64
CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65
==========================================[strong internet security]===
More information about the Users
mailing list