Feature #463

per connection "uniqueids"

Added by Folke Ashberg about 5 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: charon
Target version:
Start date: 06.12.2013
Due date:
Estimated time:
Resolution: Fixed

Description

Grüzi,

I'm running strongSwan with several net-net connections to some branches, and it is also acting as a VPN concentrator for IKEv1/2 clients.

For clients, with RADIUS authentication behind it, the option "uniqueids = yes" is bad because I want to allow several simultaneous connections for each user.

Then I have an IKEv2 net-net to a Sonicwall with 3 networks on each side (9 SAs).

If I set "uniqueids" to "no" to achieve multiple connections per user, the Sonicwall connections drop packets after a couple of seconds with error messages like
unable to install policy 10.10.10.0/24 === 10.254.0.0/16 out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists

Setting "reqid=1337" on the Sonicwall connection builds 9 SAs with the same reqid. That's fine, but outgoing traffic is now sent with the wrong SPI, which is not accepted by the Sonicwall.

Any workaround? Any reason why this option is not available on a per-connection basis?

Kind Regards

Folke

Associated revisions

Revision 85489d39
Added by Martin Willi about 4 years ago

Merge branch 'reqid-alloc'

With these changes, charon dynamically allocates reqids for CHILD_SAs. This
allows the reuse of reqids for identical policies, and basically allows multiple
CHILD_SAs with the same selectors. As reqids do not uniquely define a CHILD_SA,
a new unique identifier for CHILD_SAs is introduced, and the kernel backends
use a proto/dst/SPI tuple to identify CHILD_SAs.

charon-tkm is not yet updated and expires are actually broken with this merge.
As some significant refactorings are required, this is fixed using a separate
merge.

References #422, #431, #463.

Revision 94eb09ac
Added by Martin Willi about 4 years ago

Merge branch 'reqid-alloc'

With these changes, charon dynamically allocates reqids for CHILD_SAs. This
allows the reuse of reqids for identical policies, and basically allows multiple
CHILD_SAs with the same selectors. As reqids do not uniquely define a CHILD_SA,
a new unique identifier for CHILD_SAs is introduced, and the kernel backends
use a proto/dst/SPI tuple to identify CHILD_SAs.

charon-tkm is not yet updated and expires are actually broken with this merge.
As some significant refactorings are required, this is fixed using a separate
merge.

References #422, #431, #463.

History

#1 Updated by Folke Ashberg about 5 years ago

Update: I had the same issue as #431 and already set reauth=no and rekey=no.
So it's not the rekeying, it's the peer which connects to me.

#2 Updated by Martin Willi over 4 years ago

  • Tracker changed from Issue to Feature
  • Status changed from New to Closed
  • Assignee set to Martin Willi
  • Target version set to 5.2.0
  • Resolution set to Fixed

Any workaround? Any reason why this option is not available on a per-connection basis?

There are historical reasons. It is unlikely that we'll introduce a connection-specific uniqueids option in ipsec.conf.

However, the new swanctl configuration backend in 5.2.0 will support per-connection unique policy using the unique keyword. Refer to the swanctl.conf(5) manpage if you want to give it a try.

Regards
Martin
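As an added illustration (not part of this thread and not strongSwan's own sample configuration), a swanctl.conf fragment that applies the per-connection `unique` setting Martin refers to: the RADIUS-authenticated client connection permits concurrent sessions per identity, while the site-to-site connection keeps the replace semantics that the global "uniqueids = yes" used to give. Gateway address, identity, certificate file, pool name and the RADIUS details are constructed; the traffic selectors are the ones from the log line above.

```conf
# swanctl.conf fragment (added example, constructed values)
connections {

    # Road-warrior clients, authenticated against RADIUS via EAP.
    # unique = no lets one user identity hold several IKE_SAs at the
    # same time instead of tearing the previous one down.  This is the
    # swanctl default, but it is written out here to make the policy
    # explicit for this connection only.
    rw-clients {
        local_addrs = 203.0.113.1          # constructed gateway address
        pools = rw-pool                    # constructed pool name
        unique = no
        local {
            auth = pubkey
            certs = gatewayCert.pem        # hypothetical certificate file
            id = vpn.example.com           # constructed gateway identity
        }
        remote {
            auth = eap-radius              # RADIUS server itself is set in
            eap_id = %any                  # strongswan.conf (eap-radius plugin)
        }
        children {
            rw {
                local_ts = 10.10.10.0/24
            }
        }
    }

    # Site-to-site tunnel to the SonicWall.  unique = replace corresponds
    # to the old global "uniqueids = yes": a reconnecting peer with the
    # same identity replaces its stale IKE_SA.  With the reqid allocation
    # merged for 5.2.0, identical policies share a reqid automatically,
    # so no manual reqid is set on the children.
    sonicwall {
        local_addrs = 203.0.113.1          # constructed
        remote_addrs = 198.51.100.7        # constructed peer address
        unique = replace
        local  { auth = psk; id = vpn.example.com }
        remote { auth = psk; id = 198.51.100.7 }
        children {
            # One child per subnet pair, since the peer negotiates a
            # separate CHILD_SA for each selector pair (9 in the report).
            net1 {
                local_ts  = 10.10.10.0/24
                remote_ts = 10.254.0.0/16
            }
            # net2 .. net9 follow the same pattern for the other subnets.
        }
    }
}

pools {
    rw-pool { addrs = 10.200.0.0/16 }      # constructed virtual IP pool
}
```

Uniqueness is enforced per connection here, so the client connection's behaviour no longer depends on a global setting shared with the site-to-site tunnel.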

#3 Updated by Martin Willi about 4 years ago

If I set "uniqueids" to "no" to achieve multiple connections per user, the Sonicwall connections drop packets after a couple of seconds with error messages like
unable to install policy 10.10.10.0/24 === 10.254.0.0/16 out (mark 0/0x00000000) for reqid 2, the same policy for reqid 1 exists

With the referenced merge of the reqid-alloc branch to master, strongSwan can now handle identical policies by reusing the same reqid. This allows identical CHILD_SAs: on the outbound path the last SA is used. Not sure if this helps for your specific problem, but your feedback is welcome.

Regards
Martin