Issue #2790
Multiple Phase 2 over Phase1 connections in Remote Access scenarios
Description
Hi,
I tried to configure two Strongswan machines (one is initiator and another one is responder) to negotiate one Phase 1 IPsec tunnel with two Phase 2 in remote access(with virtual ip). I don't know if this is supported by strongswan.
The negotiation is successful, but I am not satisfied with the fact that the second phase 2 has the same traffic selector as the first phase 2. According to the ISAKMP packets, the CREATE_CHILD_SA packets sent by the initiator for the second phase 2 is not containing the Configuration payload. It uses the same IP address obtained in the first phase 2 for the second phase 2.
This scenario with multiple phase 2 over single phase 1 is working in site-to-site.
The "ipsec statusall" output on initiator side is the following:
Connections:
tun1: 30.0.0.1...30.0.0.2 IKEv2
tun1: local: [30.0.0.1] uses pre-shared key authentication
tun1: remote: [30.0.0.2] uses pre-shared key authentication
tun1: child: 0.0.0.0/0 === 50.0.0.0/24 TUNNEL
tun1_1: child: 0.0.0.0/0 === 50.0.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
tun1[2]: ESTABLISHED 106 minutes ago, 30.0.0.1[30.0.0.1]...30.0.0.2[30.0.0.2]
tun1[2]: IKEv2 SPIs: f2932805a53acbfc_i* 9c48fab694726370_r, pre-shared key reauthentication in 55 minutes
tun1[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
tun1_1{13}: INSTALLED, TUNNEL, reqid 3, ESP SPIs: cd8213cf_i cd0f7182_o
tun1_1{13}: AES_CBC_128/HMAC_SHA2_512_256, 0 bytes_i, 0 bytes_o, rekeying in 21 minutes
tun1_1{13}: 150.0.0.1/32 === 50.0.1.0/24
tun1{14}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: ce96f964_i c1217712_o
tun1{14}: AES_CBC_128/HMAC_SHA2_512_256, 0 bytes_i, 0 bytes_o, rekeying in 30 minutes
tun1{14}: 150.0.0.1/32 === 50.0.0.0/24
The "ipsec statusall" output on responder side is the following:
Virtual IP pools (size/online/offline):
150.0.0.0/24: 254/1/1
Listening IP addresses:
30.0.0.2
Connections:
tun1: 30.0.0.2...30.0.0.1 IKEv2
tun1: local: [30.0.0.2] uses pre-shared key authentication
tun1: remote: [30.0.0.1] uses pre-shared key authentication
tun1: child: 50.0.0.0/24 === dynamic TUNNEL
tun2: child: 50.0.1.0/24 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
tun1[10]: ESTABLISHED 107 minutes ago, 30.0.0.2[30.0.0.2]...30.0.0.1[30.0.0.1]
tun1[10]: IKEv2 SPIs: f2932805a53acbfc_i 9c48fab694726370_r*, pre-shared key reauthentication in 63 minutes
tun1[10]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
tun2{23}: INSTALLED, TUNNEL, reqid 13, ESP SPIs: cd0f7182_i cd8213cf_o
tun2{23}: AES_CBC_128/HMAC_SHA2_512_256, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
tun2{23}: 50.0.1.0/24 === 150.0.0.1/32
tun1{24}: INSTALLED, TUNNEL, reqid 14, ESP SPIs: c1217712_i ce96f964_o
tun1{24}: AES_CBC_128/HMAC_SHA2_512_256, 0 bytes_i, 0 bytes_o, rekeying in 28 minutes
tun1{24}: 50.0.0.0/24 === 150.0.0.1/32
The configuration used on initiator side:
conn %default
keyingtries=3
mobike=no
auto=start
leftfirewall=yes
keyexchange=ikev2
ike=aes128-sha1-modp1024
esp=aes128-sha512
authby=secret
right=30.0.0.2
left=30.0.0.1
pfs=no
leftsubnet=0.0.0.0/0
conn tun1
rightsubnet=50.0.0.0/24
leftsourceip=%config
conn tun1_1
rightsubnet=50.0.1.0/24
leftsourceip=%config
The configuration used on responder side:
conn %default
keyingtries=3
mobike=no
auto=add
leftfirewall=yes
keyexchange=ikev2
ike=aes128-sha1-modp1024
esp=aes128-sha512
authby=secret
rightsourceip=150.0.0.0/24
# Scripted entries
conn tun1
right=30.0.0.1
left=30.0.0.2
leftsubnet=50.0.0.0/24
conn tun2
right=30.0.0.1
left=30.0.0.2
leftsubnet=50.0.1.0/24
My goal is to have 2 different virtual IPs assigned with 2 different subnets for those phase 2 tunnels.
Is this a normal behavior for strongswan or is a misconfiguration issue?
Thank you,
Bogdan
Related issues
History
#1 Updated by Tobias Brunner almost 7 years ago
- Status changed from New to Feedback
I tried to configure two Strongswan machines (one is initiator and another one is responder) to negotiate one Phase 1 IPsec tunnel with two Phase 2 in remote access(with virtual ip). I don't know if this is supported by strongswan.
strongSwan does not support requesting virtual IPs during CREATE_CHILD_SA exchanges (see #2705).
According to the ISAKMP packets,
Not ISAKMP, IKEv2.
the CREATE_CHILD_SA packets sent by the initiator for the second phase 2 is not containing the Configuration payload.
No, it will only request attributes during IKE_AUTH.
My goal is to have 2 different virtual IPs assigned with 2 different subnets for those phase 2 tunnels.
Why?
If you insist on doing that you'll currently have to create two separate IKE_SAs (disable charon.reuse_ikesa).
#2 Updated by Bogdan George almost 7 years ago
According to the ISAKMP packets,
Not ISAKMP, IKEv2.
Yes. I agree. Wireshark uses the same Protocol description for IKEv1/IKEv2 packets :)
My goal is to have 2 different virtual IPs assigned with 2 different subnets for those phase 2 tunnels.
Why?
I was wondering if it is possible to achieve this scenario. I saw that in site-to-site is working and then I tried in remote access, too. I don't know if someone really uses this type of scenario.
Thank you for the quick reply and for these useful information.
#3 Updated by Tobias Brunner almost 7 years ago
- Related to Issue #2705: Strongswan doesnt send CP in Create_Child_Sa added
#4 Updated by Tobias Brunner almost 7 years ago
My goal is to have 2 different virtual IPs assigned with 2 different subnets for those phase 2 tunnels.
Why?
I was wondering if it is possible to achieve this scenario. I saw that in site-to-site is working and then I tried in remote access, too.
Not with dynamic addresses as they are handled as a property of the IKE_SA (while multiple addresses can be requested by the client and assigned by the server, strongSwan currently only uses one of each address family and, as mentioned, requesting attributes during CREATE_CHILD_SA is currently not supported at all). But you could manually assign multiple internal IP addresses to a local interface and use them for different CHILD_SAs, just assign them in leftsubnet and remove leftsourceip (that's then a simple host-to-site config, with a tunnel IP != the IKE IP).
#5 Updated by Bogdan George almost 7 years ago
I understand. I will give a try with leftsubnet.
Thank you for the explanation.
#6 Updated by Tobias Brunner over 6 years ago
- Category set to configuration
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required