Issue #328

multiple clients strongswan-4.5.2

Added by wm.xie wm.xie over 12 years ago. Updated over 12 years ago.

Status: Closed
Priority: High
Category: pluto
Affected version: 4.5.2
Resolution:

Description

more /etc/ipsec.conf

config setup
 plutostart=yes
 nat_traversal=yes
conn ios
 keyexchange=ikev1
 authby=xauthrsasig
 xauth=server
 left=%defaultroute
 leftsubnet=0.0.0.0/0
 leftfirewall=yes
 leftcert=serverCert.pem
 right=%any
 rightsubnet=10.1.0.0/16
 rightsourceip=10.1.0.0/16
 rightcert=clientCert.pem
 pfs=no
 auto=add

At present, after a lot of debugging with clients: if they have the same IP, more than one can connect;
clients with different IPs cannot be connected at the same time, and a different connection disconnects the previous connection;

Apr 17 11:50:04 localhost vpn: + C=CN, O=Flashapp, CN=Flashapp 10.1.0.1/32 == 182.18.19.212 -- 221.204.223.244 == 0.0.0.0/0
Apr 17 11:50:28 localhost vpn: - C=CN, O=Flashapp, CN=Flashapp 10.1.0.1/32 == 182.18.19.212 -- 221.204.223.244 == 0.0.0.0/0
Apr 17 11:50:29 localhost vpn: + C=CN, O=Flashapp, CN=Flashapp 10.1.0.3/32 == 61.148.242.43 -- 221.204.223.244 == 0.0.0.0/0
Apr 17 11:50:37 localhost vpn: - C=CN, O=Flashapp, CN=Flashapp 10.1.0.3/32 == 61.148.242.43 -- 221.204.223.244 == 0.0.0.0/0
Apr 17 11:50:38 localhost vpn: + C=CN, O=Flashapp, CN=Flashapp 10.1.0.2/32 == 182.18.19.212 -- 221.204.223.244 == 0.0.0.0/0

Apr 17 11:50:03 localhost pluto[6979]: "ios"[9] 182.18.19.212 #24: we have a cert and are sending it upon request
Apr 17 11:50:03 localhost pluto[6979]: | NAT-T: new mapping 182.18.19.212:500/4500)
Apr 17 11:50:03 localhost pluto[6979]: "ios"[9] 182.18.19.212:4500 #24: sent MR3, ISAKMP SA established
Apr 17 11:50:03 localhost pluto[6979]: "ios"[9] 182.18.19.212:4500 #24: sending XAUTH request
Apr 17 11:50:04 localhost pluto[6979]: "ios"[9] 182.18.19.212:4500 #24: parsing XAUTH reply
Apr 17 11:50:04 localhost pluto[6979]: "ios"[9] 182.18.19.212:4500 #24: extended authentication was successful
Apr 17 11:50:04 localhost pluto[6979]: "ios"[9] 182.18.19.212:4500 #24: sending XAUTH status
Apr 17 11:50:04 localhost pluto[6979]: "ios"[9] 182.18.19.212:4500 #24: parsing XAUTH ack
Apr 17 11:50:04 localhost pluto[6979]: "ios"[9] 182.18.19.212:4500 #24: received XAUTH ack, established
Apr 17 11:50:04 localhost pluto[6979]: "ios"[9] 182.18.19.212:4500 #24: parsing ModeCfg request
Apr 17 11:50:04 localhost pluto[6979]: "ios"[9] 182.18.19.212:4500 #24: unknown attribute type (28683)
Apr 17 11:50:04 localhost pluto[6979]: "ios"[9] 182.18.19.212:4500 #24: peer requested virtual IP %any
Apr 17 11:50:04 localhost pluto[6979]: reassigning offline lease to 'flashapp'
Apr 17 11:50:04 localhost pluto[6979]: "ios"[9] 182.18.19.212:4500 #24: assigning virtual IP 10.1.0.1 to peer
Apr 17 11:50:04 localhost pluto[6979]: "ios"[9] 182.18.19.212:4500 #24: sending ModeCfg reply
Apr 17 11:50:04 localhost pluto[6979]: "ios"[9] 182.18.19.212:4500 #24: sent ModeCfg reply, established
Apr 17 11:50:04 localhost pluto[6979]: "ios"[9] 182.18.19.212:4500 #25: responding to Quick Mode
Apr 17 11:50:04 localhost pluto[6979]: "ios"[9] 182.18.19.212:4500 #25: IPsec SA established {ESP=>0x0bece085 <0xc01839f1 NATOA=0.0.0.0}
Apr 17 11:50:26 localhost pluto[6979]: packet from 61.148.242.43:2396: received Vendor ID payload [RFC 3947]
Apr 17 11:50:26 localhost pluto[6979]: packet from 61.148.242.43:2396: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
Apr 17 11:50:26 localhost pluto[6979]: packet from 61.148.242.43:2396: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Apr 17 11:50:26 localhost pluto[6979]: packet from 61.148.242.43:2396: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Apr 17 11:50:26 localhost pluto[6979]: packet from 61.148.242.43:2396: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Apr 17 11:50:26 localhost pluto[6979]: packet from 61.148.242.43:2396: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Apr 17 11:50:26 localhost pluto[6979]: packet from 61.148.242.43:2396: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Apr 17 11:50:26 localhost pluto[6979]: packet from 61.148.242.43:2396: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Apr 17 11:50:26 localhost pluto[6979]: packet from 61.148.242.43:2396: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Apr 17 11:50:26 localhost pluto[6979]: packet from 61.148.242.43:2396: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Apr 17 11:50:26 localhost pluto[6979]: packet from 61.148.242.43:2396: received Vendor ID payload [XAUTH]
Apr 17 11:50:26 localhost pluto[6979]: packet from 61.148.242.43:2396: ignoring Vendor ID payload [Cisco-Unity]
Apr 17 11:50:26 localhost pluto[6979]: packet from 61.148.242.43:2396: received Vendor ID payload [Dead Peer Detection]
Apr 17 11:50:26 localhost pluto[6979]: "ios"[10] 61.148.242.43:2396 #26: responding to Main Mode from unknown peer 61.148.242.43:2396
Apr 17 11:50:26 localhost pluto[6979]: "ios"[10] 61.148.242.43:2396 #26: NAT-Traversal: Result using RFC 3947: peer is NATed
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:2396 #26: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:2396 #26: Peer ID is ID_DER_ASN1_DN: 'C=CN, O=Flashapp, CN=Flashapp'
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:2396 #26: crl not found
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:2396 #26: certificate status unknown
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:2396 #26: we have a cert and are sending it upon request
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:2396 #26: deleting connection "ios" instance with peer 182.18.19.212 {isakmp=#24/ipsec=#25}
Apr 17 11:50:28 localhost pluto[6979]: "ios" #25: deleting state (STATE_QUICK_R2)
Apr 17 11:50:28 localhost pluto[6979]: "ios" #24: deleting state (STATE_MODE_CFG_R1)
Apr 17 11:50:28 localhost pluto[6979]: lease 10.1.0.1 by 'flashapp' went offline
Apr 17 11:50:28 localhost pluto[6979]: | NAT-T: new mapping 61.148.242.43:2396/52969)
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:52969 #26: sent MR3, ISAKMP SA established
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:52969 #26: sending XAUTH request
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:52969 #26: parsing XAUTH reply
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:52969 #26: extended authentication was successful
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:52969 #26: sending XAUTH status
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:52969 #26: parsing XAUTH ack
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:52969 #26: received XAUTH ack, established
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:52969 #26: parsing ModeCfg request
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:52969 #26: unknown attribute type (28683)
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:52969 #26: peer requested virtual IP %any
Apr 17 11:50:28 localhost pluto[6979]: reassigning offline lease to 'flashapp'
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:52969 #26: assigning virtual IP 10.1.0.3 to peer
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:52969 #26: sending ModeCfg reply
Apr 17 11:50:28 localhost pluto[6979]: "ios"[10] 61.148.242.43:52969 #26: sent ModeCfg reply, established
Apr 17 11:50:29 localhost pluto[6979]: "ios"[10] 61.148.242.43:52969 #27: responding to Quick Mode
Apr 17 11:50:29 localhost pluto[6979]: "ios"[10] 61.148.242.43:52969 #27: IPsec SA established {ESP=>0x0498aeea <0xcfb2ff06 NATOA=0.0.0.0}
Apr 17 11:50:35 localhost pluto[6979]: packet from 182.18.19.212:500: received Vendor ID payload [RFC 3947]
Apr 17 11:50:35 localhost pluto[6979]: packet from 182.18.19.212:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
Apr 17 11:50:35 localhost pluto[6979]: packet from 182.18.19.212:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Apr 17 11:50:35 localhost pluto[6979]: packet from 182.18.19.212:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Apr 17 11:50:35 localhost pluto[6979]: packet from 182.18.19.212:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Apr 17 11:50:35 localhost pluto[6979]: packet from 182.18.19.212:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Apr 17 11:50:35 localhost pluto[6979]: packet from 182.18.19.212:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Apr 17 11:50:35 localhost pluto[6979]: packet from 182.18.19.212:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Apr 17 11:50:35 localhost pluto[6979]: packet from 182.18.19.212:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Apr 17 11:50:35 localhost pluto[6979]: packet from 182.18.19.212:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Apr 17 11:50:35 localhost pluto[6979]: packet from 182.18.19.212:500: received Vendor ID payload [XAUTH]
Apr 17 11:50:35 localhost pluto[6979]: packet from 182.18.19.212:500: ignoring Vendor ID payload [Cisco-Unity]
Apr 17 11:50:35 localhost pluto[6979]: packet from 182.18.19.212:500: received Vendor ID payload [Dead Peer Detection]
Apr 17 11:50:35 localhost pluto[6979]: "ios"[11] 182.18.19.212 #28: responding to Main Mode from unknown peer 182.18.19.212
Apr 17 11:50:36 localhost pluto[6979]: "ios"[11] 182.18.19.212 #28: NAT-Traversal: Result using RFC 3947: peer is NATed
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212 #28: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212 #28: Peer ID is ID_DER_ASN1_DN: 'C=CN, O=Flashapp, CN=Flashapp'
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212 #28: crl not found
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212 #28: certificate status unknown
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212 #28: we have a cert and are sending it upon request
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212 #28: deleting connection "ios" instance with peer 61.148.242.43 {isakmp=#26/ipsec=#27}
Apr 17 11:50:37 localhost pluto[6979]: "ios" #27: deleting state (STATE_QUICK_R2)
Apr 17 11:50:37 localhost pluto[6979]: "ios" #26: deleting state (STATE_MODE_CFG_R1)
Apr 17 11:50:37 localhost pluto[6979]: lease 10.1.0.3 by 'flashapp' went offline
Apr 17 11:50:37 localhost pluto[6979]: | NAT-T: new mapping 182.18.19.212:500/4500)
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212:4500 #28: sent MR3, ISAKMP SA established
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212:4500 #28: sending XAUTH request
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212:4500 #28: parsing XAUTH reply
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212:4500 #28: extended authentication was successful
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212:4500 #28: sending XAUTH status
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212:4500 #28: parsing XAUTH ack
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212:4500 #28: received XAUTH ack, established
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212:4500 #28: parsing ModeCfg request
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212:4500 #28: unknown attribute type (28683)
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212:4500 #28: peer requested virtual IP %any
Apr 17 11:50:37 localhost pluto[6979]: reassigning offline lease to 'flashapp'
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212:4500 #28: assigning virtual IP 10.1.0.2 to peer
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212:4500 #28: sending ModeCfg reply
Apr 17 11:50:37 localhost pluto[6979]: "ios"[11] 182.18.19.212:4500 #28: sent ModeCfg reply, established
Apr 17 11:50:38 localhost pluto[6979]: "ios"[11] 182.18.19.212:4500 #29: responding to Quick Mode
Apr 17 11:50:38 localhost pluto[6979]: "ios"[11] 182.18.19.212:4500 #29: IPsec SA established {ESP=>0x03a95d42 <0xc844a8d9 NATOA=0.0.0.0}
[root@localhost certs]# 

History

#1 Updated by Tobias Brunner over 12 years ago

  • Description updated
  • Category set to pluto
  • Status changed from New to Feedback

You should have a look at the uniqueids config setup option.

#2 Updated by wm.xie wm.xie over 12 years ago

Hi Tobias Brunner,
I added uniqueids=no.
Testing shows it is working properly, thank you very much. I love you.

#3 Updated by Andreas Steffen over 12 years ago

  • Tracker changed from Bug to Issue
  • Status changed from Feedback to Closed

#4 Updated by Andreas Steffen over 12 years ago

  • Assignee set to Tobias Brunner
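
The behaviour in the log above, as an added example (not part of the original issue and not strongSwan code): with the default uniqueids=yes, a new connection using an ID from a different IP address is deemed to replace the old ones using that ID. The script below finds such replacements in a pluto log; the sample lines, addresses, DNs and the function name are constructed for illustration.

```python
import re

# Constructed sample modelled on the pluto log format quoted in this issue;
# the addresses (RFC 5737 ranges) and the DNs are made up.
SAMPLE_LOG = """\
Apr 17 11:50:03 gw pluto[100]: "ios"[1] 198.51.100.10 #1: Peer ID is ID_DER_ASN1_DN: 'C=XX, O=Example, CN=shared'
Apr 17 11:50:04 gw pluto[100]: "ios"[1] 198.51.100.10:4500 #2: IPsec SA established
Apr 17 11:50:28 gw pluto[100]: "ios"[2] 203.0.113.20:2396 #3: Peer ID is ID_DER_ASN1_DN: 'C=XX, O=Example, CN=shared'
Apr 17 11:50:28 gw pluto[100]: "ios"[2] 203.0.113.20:2396 #3: deleting connection "ios" instance with peer 198.51.100.10 {isakmp=#1/ipsec=#2}
Apr 17 11:50:40 gw pluto[100]: "ios"[3] 192.0.2.7 #5: Peer ID is ID_DER_ASN1_DN: 'C=XX, O=Example, CN=other'
"""

# Prefix pluto puts on per-state messages: "conn"[instance] ip[:port] #serial:
STATE = r'"(?P<conn>[^"]+)"\[\d+\] (?P<ip>[\d.]+)(?::\d+)? #(?P<serial>\d+): '
PEER_ID = re.compile(STATE + r"Peer ID is \w+: '(?P<id>[^']*)'")
DELETE = re.compile(STATE + r'deleting connection "[^"]+" instance with peer '
                    r'(?P<old_ip>[\d.]+) \{isakmp=#(?P<old_serial>\d+)/')

def find_identity_replacements(log_text):
    """Return events where a new IKE SA displaced an older instance that
    had authenticated with the same peer ID from a different address."""
    ids = {}      # ISAKMP state serial -> peer ID seen on that state
    events = []
    for line in log_text.splitlines():
        m = PEER_ID.search(line)
        if m:
            ids[m["serial"]] = m["id"]
            continue
        m = DELETE.search(line)
        if not m:
            continue
        new_id, old_id = ids.get(m["serial"]), ids.get(m["old_serial"])
        # Only report when both IDs are known, equal, and the address changed.
        if new_id is not None and new_id == old_id and m["ip"] != m["old_ip"]:
            events.append({"conn": m["conn"], "peer_id": new_id,
                           "kept": m["ip"], "dropped": m["old_ip"]})
    return events

if __name__ == "__main__":
    for e in find_identity_replacements(SAMPLE_LOG):
        print(f'{e["peer_id"]!r}: {e["kept"]} displaced {e["dropped"]} on "{e["conn"]}"')
```

Hits for one certificate DN from several addresses point to a credential shared between clients. With uniqueids=no those clients stay connected side by side, but the gateway can no longer tell them apart by ID.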