[Openswan Users] modecfg supplied IP address and multiple subnets
Northfield Stuart
stu at metanate.com
Wed Mar 14 13:31:54 EDT 2012
I have a configuration where openswan is talking to a pfsense firewall where I am attempting to use the pfsense mobile client ipsec connection which has been carefully configured to work with iOS/Mac Cisco IPSec client mode of operation.
The pfsense ipsec endpoint is providing access to three different subnets within our company, configured as multiple phase 2 associations under a common phase 1 definition.
I have successfully configured my linux test environment to connect and authenticate with the pfsense box and all three phase 2 associations are brought up (configured as multiple subnets in a single conn entry in ipsec.conf - see below), but I can only access some of the remote subnets.
I observe (from the pfsense diagnostics) that two of the three SPDs are being defined (at the pfsense end) with the source as the subnet declared at the client end rather than the virtual IP address issued by the gateway via modecfg (which does appear on the third subnet SPD).
Having turned the logging up at the linux client end, I also observe that the modecfg supplied IP address is only being set as the client address on one of the three associations (the one which was used to initially bring the overall connection up).
Is this right? The iOS/Mac ipsec clients appear to use the modecfg supplied IP address across all three subnet SPDs, which is I think what I would expect - i.e. the linux client should also apply the IP address to all three phase 2 associations.
If I adjust my ipsec.conf such that leftsubnet/leftsourceip match the modecfg supplied IP (not practical in production use as it's a dynamic value from a pool of addresses) then all subnets are accessible :)
I don't yet have anonymised logging, but the client end configuration is included below (in case I have missed something obvious - have been trying to resolve this for a couple of days now).
Regards
Stu
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    oe=off
    protostack=netkey
    plutodebug=all

conn metanate
    type=tunnel
    left=%defaultroute
    leftnexthop=%defaultroute
    leftsubnet=192.168.88.130/32
    leftsourceip=192.168.88.130
    leftxauthclient=yes
    leftcert=machine.pem
    leftca=ca.pem
    leftid=%fromcert
    leftrsasigkey=%cert
    leftsendcert=always
    leftxauthusername=<user>
    leftmodecfgclient=yes
    right=<our gateway IP>
    rightsubnets={192.168.88.0/25 <our class C>/24 192.168.100.0/24}
    rightmodecfgserver=yes
    modecfgpull=yes
    authby=rsasig
    ike=aes256-sha1;modp1536
    phase2alg=aes256-sha1;modp1536
    keyexchange=ike
    pfs=yes
    rekey=no
    auto=start
--
Stuart Northfield
+44 (0) 1223 566759 (Direct), +44 (0) 1223 566727 (Fax)
Metanate Limited. Registered in England No 4046086 at:
Lincoln House, Station Court, Great Shelford, Cambridge CB22 5NE, UK
www.metanate.com (Consultancy) www.schemus.com (Data synchronisation)
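The following is an added diagnostic script, not part of the post and not Openswan or pfSense code. It parses the conn from the message above (the two values the poster redacted, <our gateway IP> and <our class C>, are replaced with constructed addresses from the TEST-NET ranges so the text parses), derives the outbound SPD selectors a modecfg client should install (assigned address as a /32 towards every remote subnet), and checks a list of observed selectors against them. The modecfg pool address 192.168.88.140 and the observed SPD list are constructed assumptions that reproduce the symptom described: only the association that brought the tunnel up carries the assigned address, the other two still carry the static leftsubnet.

```python
import ipaddress
import re

# Copy of the conn from the post. <our gateway IP> and <our class C> are
# replaced with constructed TEST-NET values (198.51.100.1, 203.0.113.0/24);
# they are not the poster's real addresses.
IPSEC_CONF = """\
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    oe=off
    protostack=netkey

conn metanate
    type=tunnel
    left=%defaultroute
    leftsubnet=192.168.88.130/32
    leftsourceip=192.168.88.130
    leftmodecfgclient=yes
    right=198.51.100.1
    rightsubnets={192.168.88.0/25 203.0.113.0/24 192.168.100.0/24}
    rightmodecfgserver=yes
    modecfgpull=yes
    auto=start
"""


def parse_conn(conf_text, conn_name):
    """Return the key=value settings of one conn section as a dict.

    Handles only the subset of ipsec.conf syntax used in the post:
    'conn NAME' / 'config setup' headers followed by key=value lines.
    """
    settings = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^(conn|config)\s+(\S+)$", line)
        if header:
            current = header.group(2)
            continue
        if current == conn_name and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def remote_subnets(conn):
    """Expand rightsubnets={a b c} (or a single rightsubnet=) into networks."""
    if "rightsubnets" in conn:
        inner = conn["rightsubnets"].strip().strip("{}")
        return [ipaddress.ip_network(s) for s in inner.split()]
    return [ipaddress.ip_network(conn["rightsubnet"])]


def expected_spds(conn, modecfg_ip):
    """Outbound selectors a modecfg client should install: the address the
    gateway assigned, as a /32, towards every remote subnet."""
    src = ipaddress.ip_network(f"{modecfg_ip}/32")
    return {dst: src for dst in remote_subnets(conn)}


def audit_spds(conn, modecfg_ip, observed):
    """Compare observed (src, dst) selectors with the expected ones.

    Returns (dst, observed_src, expected_src) for every remote subnet whose
    SPD source is not the modecfg-assigned address; a subnet with no SPD at
    all is reported with observed_src None.
    """
    expected = expected_spds(conn, modecfg_ip)
    seen = {ipaddress.ip_network(dst): ipaddress.ip_network(src)
            for src, dst in observed}
    problems = []
    for dst, want in expected.items():
        got = seen.get(dst)
        if got != want:
            problems.append((str(dst), str(got) if got else None, str(want)))
    return problems


# Constructed observation mirroring the post: one SPD uses the assigned
# address (192.168.88.140, a constructed pool address), the other two still
# use the static leftsubnet 192.168.88.130/32.
MODECFG_IP = "192.168.88.140"
OBSERVED_SPDS = [
    ("192.168.88.140/32", "192.168.100.0/24"),
    ("192.168.88.130/32", "192.168.88.0/25"),
    ("192.168.88.130/32", "203.0.113.0/24"),
]


def run_audit():
    conn = parse_conn(IPSEC_CONF, "metanate")
    return audit_spds(conn, MODECFG_IP, OBSERVED_SPDS)


if __name__ == "__main__":
    for dst, got, want in run_audit():
        print(f"{dst}: SPD source {got}, expected {want}")
```

Running it lists the two remote subnets whose selectors were built from the static leftsubnet rather than the assigned address, which is exactly the pair that is unreachable in the post; feeding it the selectors from a working client (all three with the assigned /32 as source) returns an empty list.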