Bug #94

roadwarrior can't pull modecfg for multiple connections with same peer

Added by Ray Kohler almost 11 years ago. Updated almost 11 years ago.

Status:
Closed
Priority:
Normal
Category:
pluto
Target version:
Start date:
30.09.2009
Due date:
Estimated time:
Affected version:
5.9.0
Resolution:

Description

If a roadwarrior config defines multiple connections (for different subnet tunnels) with the same peer, it is not possible to use leftsourceip=%modecfg with more than one of them. The first tunnel will come up correctly. Any additional tunnels won't send a modecfg pull request (since phase 1 is already up with that peer), but won't reuse the address received for the first tunnel either, as it ought to. Instead it behaves as if I had configured leftsourceip="left". Phase 2 then fails since the peer won't allow me to use my external IP when negotiating quick mode (which is what I'd expect the peer to do).

This is for ikev1.

Attachment: multiple-modecfg.patch (1.01 KB): allows multiple IPsec SAs with shared ModeCfg negotiation. Andreas Steffen, 30.09.2009 22:15

History

#1 Updated by Andreas Steffen almost 11 years ago

Could you try the appended patch and check if it solves your problem?

Best regards

Andreas

#2 Updated by Ray Kohler almost 11 years ago

This patch does what it intends to do, but after the SAs are in place, I'm unable to get any routes added. I do not have this problem unless I actually configure for a shared modecfg, even with this patch attached. pluto logs the following when bringing up the first connection (I've trimmed the crypto and packet dumps out). Further tunnels can't get their routes installed either, as they appear to get stuck on the %hold added by this one. I'm unclear on whether, or how, this problem can be caused by this patch?

Sep 30 17:31:38 amaranth pluto7678: | our client is 172.31.25.84
Sep 30 17:31:38 amaranth pluto7678: | our client protocol/port is 0/0
Sep 30 17:31:38 amaranth pluto7678: | peer client is subnet 128.2.1.0/28
Sep 30 17:31:38 amaranth pluto7678: | peer client protocol/port is 0/0
Sep 30 17:31:38 amaranth pluto7678: | install_ipsec_sa() for #2: inbound and outbound
Sep 30 17:31:38 amaranth pluto7678: | route owner of "anycast" erouted HOLD: self; eroute owner: self
Sep 30 17:31:38 amaranth pluto7678: | configured authentication algorithm DES_MAC with key size 160
Sep 30 17:31:38 amaranth pluto7678: | configured esp encryption algorithm 3DES_CBC with key size 192
Sep 30 17:31:38 amaranth pluto7678: | add inbound eroute 128.2.1.0/28:0 -> 172.31.25.84/32:0 => :0
Sep 30 17:31:38 amaranth pluto7678: | configured authentication algorithm DES_MAC with key size 160
Sep 30 17:31:38 amaranth pluto7678: | configured esp encryption algorithm 3DES_CBC with key size 192
Sep 30 17:31:38 amaranth pluto7678: | sr for #2: erouted HOLD
Sep 30 17:31:38 amaranth pluto7678: | route owner of "anycast" erouted HOLD: self; eroute owner: self
Sep 30 17:31:38 amaranth pluto7678: | route_and_eroute with c: anycast (next: none) ero:anycast esr:{(nil)} ro:anycast rosr:{(nil)} and state: 2
Sep 30 17:31:38 amaranth pluto7678: | eroute_connection replace eroute 172.31.25.84/32:0 -> 128.2.1.0/28:0 => :0
Sep 30 17:31:38 amaranth pluto7678: | executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='anycast' PLUTO_NEXT_HOP='192.168.1.1' PLUTO_INTERFACE='eth0' PLUTO_REQID='16397' PLUTO_ME='192.168.1.5' PLUTO_MY_ID='C=US, ST=Pennsylvania, L=Pittsburgh, O=Carnegie Mellon University, OU=vpn isam, CN=amaranth.isam.vpn.cmu.local' PLUTO_MY_CLIENT='172.31.25.84/32' PLUTO_MY_CLIENT_NET='172.31.25.84' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='128.2.5.228' PLUTO_PEER_ID='C=US, ST=Pennsylvania, L=Pittsburgh, O=Carnegie Mellon University, OU=Network Group, CN=vpn isam server1' PLUTO_PEER_CLIENT='128.2.1.0/28' PLUTO_PEER_CLIENT_NET='128.2.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.240' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=US, ST=Pennsylvania, L=Pittsburgh, O=Carnegie Mellon University, OU=Network Group, CN=vpn isam ca' PLUTO_MY_SOURCEIP='172.31.25.84' ipsec _updown
Sep 30 17:31:38 amaranth pluto7678: | route_and_eroute: firewall_notified: true
Sep 30 17:31:38 amaranth pluto7678: | route_and_eroute: instance "anycast", setting eroute_owner {spd=0xd1ee40,sr=0xd1ee40} to #2 (was #0) (newest_ipsec_sa=#0)
Sep 30 17:31:38 amaranth pluto7678: "anycast" #2: sent QI2, IPsec SA established {ESP=>0x262e29c8 <0xa3c6ff62 NATOA=0.0.0.0}
Sep 30 17:31:38 amaranth pluto7678: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds
Sep 30 17:31:39 amaranth pluto7678: |
Sep 30 17:31:39 amaranth pluto7678: | *received kernel message
Sep 30 17:31:39 amaranth pluto7678: | netlink_get: XFRM_MSG_ACQUIRE message
Sep 30 17:31:39 amaranth pluto7678: | add bare shunt 0xd24c80 192.168.1.5/32:43565 -> 128.2.1.11/32:53 => %hold:17 0 %acquire-netlink
Sep 30 17:31:39 amaranth pluto7678: | initiate on demand from 192.168.1.5:43565 to 128.2.1.11:53 proto=17 state: fos_start because: whack
Sep 30 17:31:39 amaranth pluto7678: | find_connection: looking for policy for connection: 192.168.1.5:17/43565 -> 128.2.1.11:17/53
Sep 30 17:31:39 amaranth pluto7678: | find_connection: concluding with empty
Sep 30 17:31:39 amaranth pluto7678: | Can't Opportunistically initiate for 192.168.1.5 to 128.2.1.11: no routed Opportunistic template covers this pair
Sep 30 17:31:39 amaranth pluto7678: | no explicit failure shunt for 192.168.1.5 to 128.2.1.11; installing %pass
Sep 30 17:31:39 amaranth pluto7678: | no routed Opportunistic template covers this pair eroute 192.168.1.5/32:43565 -> 128.2.1.11/32:53 => :17
Sep 30 17:31:39 amaranth pluto7678: ERROR: netlink XFRM_MSG_DELPOLICY response for flow included errno 2: No such file or directory

#3 Updated by Ray Kohler almost 11 years ago

Ignore the previous message - I was trying to use auto=route and modecfg pulling on the same connection. Makes no sense, how can I install a route if I don't know the default gateway for it yet?

Using auto=add, and starting connections with "ipsec up", it is working fine on 2 of my 3 machines. I'll test the last one tomorrow, but since it has the same config as one of the first 2, I'm confident that it'll work.

Thanks for the very prompt fix! Will this make it into 4.3.5?
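As an added illustration of the setup this ticket is about (example configuration written here, not the reporter's files and not part of strongSwan's own documentation): an ipsec.conf for an IKEv1 roadwarrior with several connections to one peer, each pulling its virtual address with leftsourceip=%modecfg, and using auto=add rather than auto=route for the reason comment #3 gives. The gateway address, remote subnets and certificate names are placeholders.

```ini
# Added example, not from the bug report or the strongSwan project: IKEv1 roadwarrior
# with three tunnels to the SAME gateway, all sharing one ModeCfg-assigned virtual IP.
# Gateway address, subnets and certificate names below are placeholders.

config setup
        plutostart=yes
        charonstart=no

conn %default
        keyexchange=ikev1
        left=%defaultroute
        leftcert=roadwarriorCert.pem              # placeholder client certificate
        leftsourceip=%modecfg                     # pull the virtual IP from the gateway
        right=192.0.2.1                           # placeholder gateway (TEST-NET-1)
        rightid="C=XX, O=Example, CN=vpn gateway" # placeholder gateway DN
        # auto=route cannot work with a pulled address: the virtual IP is only
        # known after the ModeCfg exchange, so there is no source to route from
        # yet (see comment #3). Add the conns and start them with "ipsec up".
        auto=add

# One conn per remote subnet. All three inherit the same peer from %default,
# so the second and third reuse the existing IKE SA; with the patch attached
# to this ticket they also reuse the virtual IP obtained for the first one
# instead of falling back to the external address.
conn subnet-a
        rightsubnet=198.51.100.0/28               # placeholder remote subnet

conn subnet-b
        rightsubnet=198.51.100.16/28              # placeholder remote subnet

conn subnet-c
        rightsubnet=198.51.100.32/28              # placeholder remote subnet
```

Bring the tunnels up explicitly (`ipsec up subnet-a`, then `subnet-b`, `subnet-c`). Only the first negotiation performs the ModeCfg pull; the later quick mode exchanges must propose the same virtual IP as their client address, which is exactly the behaviour the description reports as missing before the patch.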

#4 Updated by Andreas Steffen almost 11 years ago

Yes, this patch will make it into 4.3.5.

#5 Updated by Andreas Steffen almost 11 years ago

  • Status changed from New to Closed
  • Target version set to 4.3.5
