[Openswan Users] rightsubnetwithin broken in 2.6.31 ?

Francis GASCHET fg at numlog.fr
Thu Dec 16 12:29:54 EST 2010


Hello,


We upgraded our gateway from U2.4.7/K to 2.6.31.

Until now we used the parameter rightsubnetwithin="a private C class" 
together with wildcards in the rightid (DERASN1) to deal with numerous 
road warrior connections via a single connection description.

It looks broken in 2.6.31: even if the peer presents its /32 subnet, 
Openswan replaces it with the peer's public address. The eroute is 
established this way...

If I replace the "rightsubnetwithin" with a "rightsubnet=x.x.x.x/32", 
everything looks fine... But I have to create a connection description for 
each road warrior!
This is a severe issue for us: on another gateway we have 150 road 
warriors...

Thanks in advance for your help.


ipsec.conf extract:

conn %default
        leftsubnet=192.168.13.0/24
        left=%defaultroute
        leftrsasigkey=%cert
        leftcert=numlog_VPNSRV.pem
        leftid=%fromcert
        right=3.3.3.3
        rightrsasigkey=%cert
        rightid="C=FR, O=NUMLOG, OU=Portail, CN=Firewall"
        keyingtries=0
        type=tunnel
        auth=esp
        esp=aes256-sha1,aes128-sha1,3des-sha1,3des-md5
        authby=rsasig
        compress=yes
        auto=start

conn nomades
        right=%any
        rightsubnetwithin=192.168.14.0/24
        rightid="C=FR, O=NUMLOG, OU=*, CN=*"
        dpddelay=30
        dpdtimeout=65
        dpdaction=clear
        auto=add

Log extract (1.1.1.1 and 2.2.2.2 are fake IPs!):

Dec 16 14:00:59 fw1 pluto[12486]: | ***parse ISAKMP Identification Payload (IPsec DOI):
Dec 16 14:00:59 fw1 pluto[12486]: |    next payload type: ISAKMP_NEXT_NONE
Dec 16 14:00:59 fw1 pluto[12486]: |    length: 16
Dec 16 14:00:59 fw1 pluto[12486]: |    ID type: ID_IPV4_ADDR_SUBNET
Dec 16 14:00:59 fw1 pluto[12486]: |    Protocol ID: 0
Dec 16 14:00:59 fw1 pluto[12486]: |    port: 0
Dec 16 14:00:59 fw1 pluto[12486]: |      obj:   c0 a8 0d 00  ff ff ff 00  31 00 00 00  c4 73 1a 40
Dec 16 14:00:59 fw1 pluto[12486]: | HASH(1) computed:
Dec 16 14:00:59 fw1 pluto[12486]: |   77 8d f6 98  57 f4 89 cc  ed 13 08 06  da 37 a3 f6
Dec 16 14:00:59 fw1 pluto[12486]: |   72 bc 75 55
Dec 16 14:00:59 fw1 pluto[12486]: | peer client is 192.168.14.3
Dec 16 14:00:59 fw1 pluto[12486]: | peer client protocol/port is 0/0
Dec 16 14:00:59 fw1 pluto[12486]: | our client is subnet 192.168.13.0/24
Dec 16 14:00:59 fw1 pluto[12486]: | our client protocol/port is 0/0
Dec 16 14:00:59 fw1 pluto[12486]: "nomades"[1] 2.2.2.2 #300: the peer proposed: 192.168.13.0/24:0/0 -> 192.168.14.3/32:0/0
Dec 16 14:00:59 fw1 pluto[12486]: | find_client_connection starting with nomades
Dec 16 14:00:59 fw1 pluto[12486]: |   looking for 192.168.13.0/24:0/0 -> 192.168.14.3/32:0/0
Dec 16 14:00:59 fw1 pluto[12486]: |   concrete checking against sr#0 192.168.13.0/24 -> 2.2.2.2/32
Dec 16 14:00:59 fw1 pluto[12486]: |    match_id a=C=FR, O=NUMLOG, OU=Direction, CN=Thomas
Dec 16 14:00:59 fw1 pluto[12486]: |             b=C=FR, O=NUMLOG, OU=Direction, CN=Thomas
Dec 16 14:00:59 fw1 pluto[12486]: |    results  matched
Dec 16 14:00:59 fw1 pluto[12486]: |   trusted_ca called with a=(empty) b=(empty)
Dec 16 14:00:59 fw1 pluto[12486]: |   fc_try trying nomades:192.168.13.0/24:0/0 -> 192.168.14.3/32:0/0 vs nomades:192.168.13.0/24:0/0 -> 2.2.2.2/32:0/0
Dec 16 14:00:59 fw1 pluto[12486]: |   fc_try concluding with none [0]
Dec 16 14:00:59 fw1 pluto[12486]: |   fc_try nomades gives none
Dec 16 14:00:59 fw1 pluto[12486]: | find_host_pair: comparing to 1.1.1.1:500 0.0.0.0:500
Dec 16 14:00:59 fw1 pluto[12486]: |   checking hostpair 192.168.13.0/24 -> 2.2.2.2/32 is found
Dec 16 14:00:59 fw1 pluto[12486]: |    match_id a=C=FR, O=NUMLOG, OU=Direction, CN=Thomas
Dec 16 14:00:59 fw1 pluto[12486]: |             b=C=FR, O=NUMLOG, OU=*, CN=*
Dec 16 14:00:59 fw1 pluto[12486]: |    results  matched
Dec 16 14:00:59 fw1 pluto[12486]: |   trusted_ca called with a=(empty) b=(empty)
.....
Dec 16 14:00:59 fw1 pluto[12486]: | install_inbound_ipsec_sa() checking if we can route
Dec 16 14:00:59 fw1 pluto[12486]: | route owner of "nomades"[1] 2.2.2.2 unrouted: NULL; eroute owner: NULL
....
Dec 16 14:01:00 fw1 pluto[12486]: | add inbound eroute 2.2.2.2/32:0 --0-> 192.168.13.0/24:0 => tun.1246 at 1.1.1.1 (raw_eroute)
....
Dec 16 14:01:00 fw1 pluto[12486]: | command executing up-client
Dec 16 14:01:00 fw1 pluto[12486]: |   trusted_ca called with a=C=FR, O=NUMLOG, OU=CA Trust center, CN=NUMLOG CA Root, E=support.vpn at numlog.fr b=(empty)
Dec 16 14:01:00 fw1 pluto[12486]: | executing up-client: 2>&1 PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nomades' PLUTO_INTERFACE='ipsec0' PLUTO_NEXT_HOP='2.2.2.2' PLUTO_ME='1.1.1.1' PLUTO_MY_ID='C=FR, O=NUMLOG, OU=Internet, CN=VPN SERVER' PLUTO_MY_CLIENT='192.168.13.0/24' PLUTO_MY_CLIENT_NET='192.168.13.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='2.2.2.2' PLUTO_PEER_ID='C=FR, O=NUMLOG, OU=Direction, CN=Thomas' PLUTO_PEER_CLIENT='2.2.2.2/32' PLUTO_PEER_CLIENT_NET='2.2.2.2' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=FR, O=NUMLOG, OU=CA Trust center, CN=NUMLOG CA Root, E=support.vpn at numlog.fr' PLUTO_STACK='klips' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+IKEv2ALLOW' PLUTO_XAUTH_USERNAME='' PLUTO_MY_SOURCEIP='192.168.13.254' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' ipsec _updown

Same for prepare-client and route-client.

Best regards,

-- 
Francis GASCHET / NUMLOG
http://www.numlog.fr
Tel.: +33 (0) 130 791 616
Fax.: +33 (0) 130 819 286
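The post's log extract shows the symptom in three places: the Quick Mode identity payload and the "the peer proposed" line carry the road warrior's 192.168.14.3/32, while the installed eroute and the PLUTO_PEER_CLIENT handed to _updown carry the peer's public address 2.2.2.2/32. The script below is an added example (not Openswan code, and not from the poster) that checks a pluto debug log for exactly that disagreement: it decodes the ID_IPV4_ADDR_SUBNET bytes from the obj dump, confirms the proposed client lies inside rightsubnetwithin, and flags when the eroute or the updown environment installs something else. The sample log is constructed from the post's extract with the mail-wrapped lines joined, keeping the post's placeholder addresses 1.1.1.1 and 2.2.2.2; FIXED_LOG is a constructed counterpart showing what the same log looks like when the /32 is honoured.

```python
"""Spot the rightsubnetwithin regression described in the post in a pluto
debug log: the peer proposes a client subnet inside rightsubnetwithin, yet
the installed eroute and the up-client environment carry the peer's public
address. Added example; not Openswan code."""
import ipaddress
import re

# Constructed sample, condensed from the post's log extract (wrapped lines
# joined); 1.1.1.1 and 2.2.2.2 are the post's placeholder addresses.
SAMPLE_LOG = """\
Dec 16 14:00:59 fw1 pluto[12486]: |    ID type: ID_IPV4_ADDR_SUBNET
Dec 16 14:00:59 fw1 pluto[12486]: |      obj:   c0 a8 0d 00  ff ff ff 00  31 00 00 00  c4 73 1a 40
Dec 16 14:00:59 fw1 pluto[12486]: "nomades"[1] 2.2.2.2 #300: the peer proposed: 192.168.13.0/24:0/0 -> 192.168.14.3/32:0/0
Dec 16 14:01:00 fw1 pluto[12486]: | add inbound eroute 2.2.2.2/32:0 --0-> 192.168.13.0/24:0 => tun.1246 at 1.1.1.1 (raw_eroute)
Dec 16 14:01:00 fw1 pluto[12486]: | executing up-client: 2>&1 PLUTO_VERB='up-client' PLUTO_CONNECTION='nomades' PLUTO_PEER='2.2.2.2' PLUTO_PEER_CLIENT='2.2.2.2/32' ipsec _updown
"""

# Constructed counterpart: the same log once the proposed /32 is honoured.
FIXED_LOG = SAMPLE_LOG.replace("2.2.2.2/32", "192.168.14.3/32")

PROPOSED_RE = re.compile(r"the peer proposed: (\S+):\d+/\d+ -> (\S+):\d+/\d+")
EROUTE_RE = re.compile(r"add inbound eroute (\S+):\d+ --\d+-> (\S+):\d+")
UPDOWN_RE = re.compile(r"PLUTO_PEER_CLIENT='([^']+)'")
OBJ_RE = re.compile(r"obj:\s+((?:[0-9a-f]{2}\s*)+)")


def decode_ipv4_subnet_id(hex_dump):
    """Decode the data of an ID_IPV4_ADDR_SUBNET identity (RFC 2407 4.6.2.4):
    four bytes of address followed by four bytes of netmask. In the post's
    dump the obj line continues past those eight bytes, so only the first
    eight are used."""
    raw = bytes.fromhex(hex_dump)[:8]
    addr = ipaddress.IPv4Address(raw[0:4])
    mask = ipaddress.IPv4Address(raw[4:8])
    return ipaddress.IPv4Network((str(addr), str(mask)), strict=False)


def check_log(text, rightsubnetwithin):
    """Compare the peer client pluto reports as proposed with the client it
    actually installs (inbound eroute and PLUTO_PEER_CLIENT). Returns a dict
    with the proposed network, whether it lies inside rightsubnetwithin, the
    installed networks, the decoded subnet identities, and a mismatch flag."""
    within = ipaddress.ip_network(rightsubnetwithin)
    result = {"proposed": None, "inside_within": None,
              "installed": set(), "subnet_ids": [], "mismatch": False}
    expect_subnet_id = False
    for line in text.splitlines():
        if "ID type: ID_IPV4_ADDR_SUBNET" in line:
            expect_subnet_id = True   # pluto prints the obj dump next
            continue
        m = OBJ_RE.search(line)
        if m and expect_subnet_id:
            result["subnet_ids"].append(decode_ipv4_subnet_id(m.group(1)))
            expect_subnet_id = False
            continue
        m = PROPOSED_RE.search(line)
        if m:
            proposed = ipaddress.ip_network(m.group(2), strict=False)
            result["proposed"] = proposed
            result["inside_within"] = proposed.subnet_of(within)
            continue
        # Both patterns put the peer-side network in group 1.
        m = EROUTE_RE.search(line) or UPDOWN_RE.search(line)
        if m:
            result["installed"].add(
                ipaddress.ip_network(m.group(1), strict=False))
    result["mismatch"] = result["proposed"] is not None and any(
        net != result["proposed"] for net in result["installed"])
    return result


if __name__ == "__main__":
    for label, log in (("as reported", SAMPLE_LOG), ("expected", FIXED_LOG)):
        r = check_log(log, "192.168.14.0/24")
        print(label, "proposed", r["proposed"], "inside", r["inside_within"],
              "installed", sorted(map(str, r["installed"])),
              "MISMATCH" if r["mismatch"] else "ok")
```

Run against a full `plutodebug=all` log the script reports a mismatch only when a proposed client inside rightsubnetwithin ends up installed as something else, which is the condition worth alerting on: a tunnel whose kernel policy covers a different network than the one negotiated will silently drop or misroute the road warrior's traffic rather than fail loudly.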
