Project

General

Profile

Issue #2916

more specific conn (rightid) not selected

Added by Florian K over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.7.1
Resolution:
Duplicate

Description

I have roadwarriors that shall establish a VPN connection using IKEv2 and Windows 10. (That works already.) I am using pfSense 2.4.4 - but because pfSense writes the config files as I would expect, I came here to look for help...
`ipsec --version` outputs "FreeBSD strongSwan U5.7.1/K11.2-RELEASE-p6"

The Problem: I want to assign most of my roadwarriors an IP of 192.168.6.0/24 - the remaining ones shall geht 192.168.7.0/24.
(In order to apply different firewall rules)

Unfortunately this does not work. My test-client always gets a 192.168.6.x IP.

ipsec.conf:

# This file is automatically generated. Do not edit
config setup
        uniqueids = yes

conn bypasslan
        leftsubnet = 10.8.0.0/16
        rightsubnet = 10.8.0.0/16
        authby = never
        type = passthrough
        auto = route

conn con-mobile
        fragmentation = yes
        keyexchange = ikev2
        reauth = yes
        forceencaps = no
        mobike = yes

        rekey = yes
        installpolicy = yes
        type = tunnel
        dpdaction = clear
        dpddelay = 10s
        dpdtimeout = 60s
        auto = add
        left = 145.REMOVED...
        right = %any
        leftid = fqdn:test.REMOVED
        ikelifetime = 28800s
        lifetime = 3600s
        rightsourceip = 192.168.6.0/24
        rightdns = 10.8.1.11
        ike = aes256-sha384-ecp384!
        esp = aes256-sha256-ecp384,aes256-sha384-ecp384!
        eap_identity=%any
        leftauth=pubkey
        rightauth=eap-mschapv2
        leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
        leftsendcert=always
        leftsubnet = 10.8.0.0/16

conn mobile-1
        also = con-mobile
        eap_identity = "foo@bar.com" 
        rightsourceip = 192.168.7.0/24
        rightid = "foo@bar.com" 

As I understand the answer on https://serverfault.com/questions/709228/when-and-with-which-parameters-does-strongswan-select-a-connection Strongswan should re-evaluate which conn to use after it authenticated the rightid. However, I can't find anything in the logs that it tries to do that. Even with CFG logging at maximum. On first connect, it selects con-mobile (which is correct at that moment) - and then it sticks to it forever.

How can I get it to use "mobile-1"? Thank you!

Relevant log entries:

Feb 7 22:26:38     charon         10[CFG] <3> looking for peer configs matching 145.REMOVED[%any]...46.REMOVED[192.168.189.34]
Feb 7 22:26:38     charon         10[CFG] <3> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Feb 7 22:26:38     charon         10[CFG] <3> candidate "con-mobile", match: 1/1/1052 (me/other/ike)
Feb 7 22:26:38     charon         10[CFG] <con-mobile|3> selected peer config 'con-mobile'
Feb 7 22:26:38     charon         10[IKE] <con-mobile|3> initiating EAP_IDENTITY method (id 0x00)
Feb 7 22:26:38     charon         10[IKE] <con-mobile|3> peer supports MOBIKE
Feb 7 22:26:38     charon         10[IKE] <con-mobile|3> authentication of 'test.REMOVED' (myself) with RSA signature successful
Feb 7 22:26:38     charon         10[IKE] <con-mobile|3> sending end entity cert "C=DE, O=REMOVED, CN=test.REMOVED" 
Feb 7 22:26:38     charon         10[ENC] <con-mobile|3> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 7 22:26:38     charon         10[ENC] <con-mobile|3> splitting IKE message (1560 bytes) into 2 fragments
Feb 7 22:26:38     charon         10[ENC] <con-mobile|3> generating IKE_AUTH response 1 [ EF(1/2) ]
Feb 7 22:26:38     charon         10[ENC] <con-mobile|3> generating IKE_AUTH response 1 [ EF(2/2) ]
Feb 7 22:26:38     charon         10[NET] <con-mobile|3> sending packet: from 145.REMOVED[4500] to 46.REMOVED[63541] (1244 bytes)
Feb 7 22:26:38     charon         10[NET] <con-mobile|3> sending packet: from 145.REMOVED[4500] to 46.REMOVED[63541] (396 bytes)
Feb 7 22:26:38     charon         10[NET] <con-mobile|3> received packet: from 46.REMOVED[63541] to 145.REMOVED[4500] (104 bytes)
Feb 7 22:26:38     charon         10[ENC] <con-mobile|3> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Feb 7 22:26:38     charon         10[IKE] <con-mobile|3> received EAP identity 'foo@bar.com'
Feb 7 22:26:38     charon         10[IKE] <con-mobile|3> initiating EAP_MSCHAPV2 method (id 0x1E)
Feb 7 22:26:38     charon         10[ENC] <con-mobile|3> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Feb 7 22:26:38     charon         10[NET] <con-mobile|3> sending packet: from 145.REMOVED[4500] to 46.REMOVED[63541] (120 bytes)
Feb 7 22:26:39     charon         10[NET] <con-mobile|3> received packet: from 46.REMOVED[63541] to 145.REMOVED[4500] (152 bytes)
Feb 7 22:26:39     charon         10[ENC] <con-mobile|3> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Feb 7 22:26:39     charon         10[ENC] <con-mobile|3> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Feb 7 22:26:39     charon         10[NET] <con-mobile|3> sending packet: from 145.REMOVED[4500] to 46.REMOVED[63541] (152 bytes)
Feb 7 22:26:39     charon         10[NET] <con-mobile|3> received packet: from 46.REMOVED[63541] to 145.REMOVED[4500] (88 bytes)
Feb 7 22:26:39     charon         10[ENC] <con-mobile|3> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Feb 7 22:26:39     charon         10[IKE] <con-mobile|3> EAP method EAP_MSCHAPV2 succeeded, MSK established
Feb 7 22:26:39     charon         10[ENC] <con-mobile|3> generating IKE_AUTH response 4 [ EAP/SUCC ]
Feb 7 22:26:39     charon         10[NET] <con-mobile|3> sending packet: from 145.REMOVED[4500] to 46.REMOVED[63541] (88 bytes)
Feb 7 22:26:39     charon         10[NET] <con-mobile|3> received packet: from 46.REMOVED[63541] to 145.REMOVED[4500] (136 bytes)
Feb 7 22:26:39     charon         10[ENC] <con-mobile|3> parsed IKE_AUTH request 5 [ AUTH ]
Feb 7 22:26:39     charon         10[IKE] <con-mobile|3> authentication of '192.168.189.34' with EAP successful
Feb 7 22:26:39     charon         10[IKE] <con-mobile|3> authentication of 'test.REMOVED' (myself) with EAP
Feb 7 22:26:39     charon         10[IKE] <con-mobile|3> IKE_SA con-mobile[3] established between 145.REMOVED[test.REMOVED]...46.REMOVED[192.168.189.34]
Feb 7 22:26:39     charon         10[IKE] <con-mobile|3> scheduling reauthentication in 27974s
Feb 7 22:26:39     charon         10[IKE] <con-mobile|3> maximum IKE_SA lifetime 28514s
Feb 7 22:26:39     charon         10[IKE] <con-mobile|3> peer requested virtual IP %any
Feb 7 22:26:39     charon         10[CFG] <con-mobile|3> reassigning offline lease to 'foo@bar.com'
Feb 7 22:26:39     charon         10[IKE] <con-mobile|3> assigning virtual IP 192.168.6.1 to peer 'foo@bar.com' 

The second last line here says "reassigning offline lease" so I also just tried a brand new account. It does not change anything:

Feb 7 22:31:24     charon         01[CFG] <con-mobile|4> assigning new lease to 'bli@bla'
Feb 7 22:31:24     charon         01[IKE] <con-mobile|4> assigning virtual IP 192.168.6.2 to peer 'bli@bla' 

My expectation would have been, that somewhere after "authentication of '192.168.189.34' with EAP successful" there would be another line saying "looking for peer configs matching...".
(Or maybe even already after "received EAP identity ''")
And then the "mobile-1" conn would match because it is more specific.


Related issues

Related to Issue #2719: Windows - Different peer configs per identityClosed
Is duplicate of Feature #1057: conn switching based on eap identityNew06.08.2015

History

#1 Updated by Tobias Brunner over 2 years ago

  • Category set to configuration
  • Status changed from New to Closed
  • Resolution set to Duplicate

#2 Updated by Tobias Brunner over 2 years ago

  • Is duplicate of Feature #1057: conn switching based on eap identity added

#3 Updated by Tobias Brunner over 2 years ago

  • Related to Issue #2719: Windows - Different peer configs per identity added

Also available in: Atom PDF