Issue #3616

With strongSwan 5.7.2, unique=never not allowing multiple clients to establish tunnels with the same identity

Added by Shanmukhasreedhar theerthala 6 months ago. Updated 6 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.7.2
Resolution:

Description

Expected behavior:
With strongSwan 5.7.2, at the server end, unique=never should allow multiple clients to establish tunnels with the same identity.
Issue:
Multiple clients with the same identity are not establishing the tunnel with the server.

Steps to reproduce the issue:
1. Have the same certs on all 3 test machines: client1, client2 and server.
2. Client1 & Client2 have the same identities, with no unique flag configured in their swanctl.confs.
3. The unique flag in swanctl.conf at the server should be configured as never (unique=never).
4. Establish the tunnel between Client1 & server. Able to establish the tunnel and verified the same with list-sas and ip xfrm policy on both server and Client1, as in the attached log files.
5. Establish the tunnel between Client2 & server. Client2 failed to establish the tunnel with the server, and besides that the existing tunnel between Client1 & server vanished. Verified the same on both Client1 & server.

Impact:
We have a use case of using self-signed test certs for internal testing, and that testing is blocked with the same certs across all machines.

client2.txt (4.87 KB) client2 swanctl config file, charon log, ip xfrm output. Shanmukhasreedhar theerthala, 01.11.2020 07:41
client1.txt (6.71 KB) client1 swanctl config file, charon log, ip xfrm output. Shanmukhasreedhar theerthala, 01.11.2020 07:41
server.txt (15.1 KB) server swanctl config file, charon log, ip xfrm output. Shanmukhasreedhar theerthala, 01.11.2020 07:41

History

#1 Updated by Tobias Brunner 6 months ago

  • Tracker changed from Bug to Issue
  • Status changed from New to Feedback
  • Priority changed from High to Normal
  • Start date deleted (01.11.2020)

You have the duplicheck plugin enabled.

#2 Updated by Shanmukhasreedhar theerthala 6 months ago

Tobias Brunner wrote:

You have the duplicheck plugin enabled.

Hi Tobias,
The same feature was working with 5.3.2 without any change in the plugin. May I know the reason behind explicitly disabling the duplicheck flag? Or is there any way to achieve the same without touching other flags?

#3 Updated by Tobias Brunner 6 months ago

The same feature was working with 5.3.2 without any change in the plugin.

What feature? And are you sure you had the plugin enabled with that old version?

May I know the reason behind explicitly disabling the duplicheck flag?

Not sure what you mean. It does not do what you want, so disable it if you have it loaded for some reason.

Or is there any way to achieve the same without touching other flags?

What do you mean?

#4 Updated by Shanmukhasreedhar theerthala 6 months ago

Hi Tobias,

Thanks for your reply.

Please find my inline comments.

Tobias> What feature? And are you sure you had the plugin enabled with that old version?

1. The feature I was talking about was: with unique=never in swanctl.conf on strongSwan 5.3.2, multiple clients having the same identities were able to establish tunnels without disabling the duplicheck plugin at the server end. This means all clients were able to establish tunnels.
2. But when I tried the same with 5.7.2, only one client was able to establish a tunnel, meaning only whichever client contacted the server most recently was able to establish a tunnel: the new client replaces the old one.
3. With 5.7.2, multiple clients are able to establish tunnels only after disabling the duplicheck plugin.

Tobias> Or is there any way to achieve the same without touching other flags?
1. With 5.7.2, multiple clients are able to establish tunnels only after disabling the duplicheck plugin. So the question is: without any change in the config file, version 5.3.2 is working fine, but why not 5.7.2?

#5 Updated by Tobias Brunner 6 months ago

1. The feature I was talking about was: with unique=never in swanctl.conf on strongSwan 5.3.2, multiple clients having the same identities were able to establish tunnels without disabling the duplicheck plugin at the server end. This means all clients were able to establish tunnels.

The option and the plugin are not related. unique is enforced by the daemon, while the plugin does not use that option.

1. With 5.7.2, multiple clients are able to establish tunnels only after disabling the duplicheck plugin. So the question is: without any change in the config file, version 5.3.2 is working fine, but why not 5.7.2?

You did not answer whether you had the duplicheck plugin enabled with the old version. It obviously worked correctly if you did not.
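As an added illustration of the point made in this thread (this is not configuration from the reporter's attachments or from the strongSwan project), the two settings involved live in different files and are enforced by different components: `unique` is a per-connection option in swanctl.conf that charon itself applies, while the duplicheck plugin is configured in strongswan.conf and deletes an existing IKE_SA whenever a peer with the same identity establishes a new one, regardless of what `unique` says. A server that intentionally accepts several peers under one identity therefore needs both `unique = never` and the plugin disabled. Connection name, addresses, certificate file name and traffic selectors below are placeholders.

```conf
# /etc/strongswan.conf (server side, added example)
charon {
    plugins {
        duplicheck {
            # The plugin tears down the older IKE_SA when a second peer
            # authenticates with an identical identity; turn it off so
            # that a second client does not kill the first client's tunnel.
            enable = no
        }
    }
}

# /etc/swanctl/swanctl.conf (server side, added example; names are placeholders)
connections {
    shared-identity-peers {
        local_addrs  = 192.0.2.1
        remote_addrs = %any
        local {
            auth  = pubkey
            certs = serverCert.pem          # placeholder certificate file
        }
        remote {
            auth = pubkey
        }
        # Let any number of IKE_SAs coexist for the same peer identity.
        # Other values (no, keep, replace) would reject the new SA or
        # replace the existing one, which is the behaviour the reporter saw.
        unique = never
        children {
            net {
                local_ts  = 10.0.0.0/24     # placeholder traffic selector
                remote_ts = dynamic
            }
        }
    }
}
```

If charon is built with `load_modular = yes` (the usual distribution layout), `charon.plugins.duplicheck.load = no` keeps the plugin from being loaded at all, which has the same effect as `enable = no`. Either way, after editing run `swanctl --load-all` and confirm with `swanctl --list-sas` that both clients' IKE_SAs remain listed after the second one connects. Note that letting several peers share one certificate and identity removes the server's ability to tell them apart in logs and SA listings, so this is appropriate for the kind of internal test setup described here rather than for production peers.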
