Bug #356

Updated by Tobias Brunner about 7 years ago

Hello,

When strongSwan encounters "handling UNITY_LOCAL_LAN attribute failed" while initiating an IKEv1 SA, it doesn't set the route defined in rightsubnet, but instead sets the default route to go through the tunnel.
I don't think this is intended.

Regards,
Noel

ipsec.conf:
<pre>
conn fh
    xauth_identity=nkuntze
    leftauth=psk
    leftauth2=xauth
    leftid=$INITIATOR_ID
    leftsourceip=%config
    rightauth=psk
    rightid=$RESPONDER_ID
    right=$RESPONDER
    rightsubnet=141.79.0.0/16
    keyexchange=ikev1
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    aggressive=yes
    compress=no
    auto=add
    inactivity=0
    ikelifetime=30m
    #marginbytes=3000000000
    #marginpackets=150000
    leftupdown=/usr/lib/strongswan/fh.sh # this is my own hook to set up SNAT for that route
    dpdaction=restart
</pre>


command:
<pre>
# ipsec up fh
initiating Aggressive Mode IKE_SA fh[2] to 193.197.x.x
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 192.168.178.48[500] to 193.197.x.x[500] (403 bytes)
received packet: from 193.197.x.x[500] to 192.168.178.48[500] (478 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: 69:dd:00:4f:ef:7a:c1:1f:72:39:5c:80:c1:36:7d:81
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 192.168.178.48[4500] to 193.197.x.x[4500] (108 bytes)
received packet: from 193.197.x.x[4500] to 192.168.178.48[4500] (76 bytes)
parsed TRANSACTION request 2312482182 [ HASH CP ]
generating TRANSACTION response 2312482182 [ HASH CP ]
sending packet: from 192.168.178.48[4500] to 193.197.x.x[4500] (92 bytes)
received packet: from 193.197.x.x[4500] to 192.168.178.48[4500] (76 bytes)
parsed TRANSACTION request 2655167844 [ HASH CP ]
XAuth authentication of 'nkuntze' (myself) successful
IKE_SA fh[2] established between 192.168.178.48[$INITIATOR_ID]...193.197.x.x[$RESPONDER_ID]
scheduling reauthentication in 1591s
maximum IKE_SA lifetime 1771s
generating TRANSACTION response 2655167844 [ HASH CP ]
sending packet: from 192.168.178.48[4500] to 193.197.x.x[4500] (76 bytes)
generating TRANSACTION request 122847407 [ HASH CP ]
sending packet: from 192.168.178.48[4500] to 193.197.x.x[4500] (92 bytes)
received packet: from 193.197.x.x[4500] to 192.168.178.48[4500] (108 bytes)
parsed TRANSACTION response 122847407 [ HASH CP ]
installing DNS server 141.79.128.10 via resolvconf
installing DNS server 141.79.128.4 via resolvconf
handling UNITY_LOCAL_LAN attribute failed
installing new virtual IP 141.79.x.x
generating QUICK_MODE request 2883248040 [ HASH SA No ID ID ]
sending packet: from 192.168.178.48[4500] to 193.197.x.x[4500] (204 bytes)
received packet: from 193.197.x.x[4500] to 192.168.178.48[4500] (188 bytes)
parsed QUICK_MODE response 2883248040 [ HASH SA No ID ID N((24576)) ]
CHILD_SA fh{2} established with SPIs c53bfdf0_i 74550fcb_o and TS 141.79.x.x/32 === 0.0.0.0/0
connection 'fh' established successfully
</pre>

Log:
<pre>
charon[30143]: 03[CFG] received stroke: initiate 'fh'
charon[30143]: 05[IKE] initiating Aggressive Mode IKE_SA fh[1] to 193.197.x.x
charon[30143]: 02[IKE] IKE_SA fh[1] established between 192.168.178.48[$INITIATOR_ID]...193.197.x.x[$RESPONDER_ID]
charon[30143]: 15[CFG] handling UNITY_LOCAL_LAN attribute failed
charon[30143]: 01[IKE] CHILD_SA fh{1} established with SPIs c6e6abc0_i d8536829_o and TS 141.79.x.x/32 === 0.0.0.0/0
charon[30143]: 16[CFG] received stroke: terminate 'fh'
charon[30143]: 02[IKE] closing CHILD_SA fh{1} with SPIs c6e6abc0_i (524 bytes) d8536829_o (375 bytes) and TS 141.79.x.x/32 === 0.0.0.0/0
charon[30143]: 02[IKE] deleting IKE_SA fh[1] between 192.168.178.48[$INITIATOR_ID]...193.197.x.x[$RESPONDER_ID]
</pre>
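The symptom in the report is visible in the charon log itself: the CHILD_SA is established with a remote traffic selector of 0.0.0.0/0 although ipsec.conf says rightsubnet=141.79.0.0/16. The following check, added here as an example and not part of the report or of strongSwan, parses rightsubnet from ipsec.conf and compares it against the TS printed on the "CHILD_SA ... established" log lines, so an over-broad tunnel is flagged rather than silently capturing the default route. The sample config and log are constructed from the report, with the x.x placeholders replaced by made-up addresses.

```python
import ipaddress
import re

# Constructed sample input modelled on the report (addresses are made up).
IPSEC_CONF = """conn fh
    leftsourceip=%config
    rightsubnet=141.79.0.0/16
    keyexchange=ikev1
    auto=add
"""

CHARON_LOG = """charon[30143]: 15[CFG] handling UNITY_LOCAL_LAN attribute failed
charon[30143]: 01[IKE] CHILD_SA fh{1} established with SPIs c6e6abc0_i d8536829_o and TS 141.79.200.5/32 === 0.0.0.0/0
"""

# Matches strongSwan's "CHILD_SA <conn>{n} established ... and TS <local> === <remote>" line.
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<conn>\S+?)\{\d+\} established with SPIs \S+ \S+ "
    r"and TS (?P<local>\S+) === (?P<remote>\S+)"
)


def parse_rightsubnets(conf_text):
    """Return {conn_name: [ip_network, ...]} for every conn with a rightsubnet."""
    subnets, conn = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("conn "):
            conn = line.split(None, 1)[1]
        elif conn and line.startswith("rightsubnet="):
            nets = line.split("=", 1)[1].split(",")   # rightsubnet may list several
            subnets[conn] = [ipaddress.ip_network(n.strip(), strict=False) for n in nets]
    return subnets


def find_overbroad_child_sas(conf_text, log_text):
    """Return (conn, remote_ts) for CHILD_SAs whose remote TS exceeds rightsubnet."""
    expected = parse_rightsubnets(conf_text)
    findings = []
    for line in log_text.splitlines():
        m = CHILD_SA_RE.search(line)
        if not m or m.group("conn") not in expected:
            continue
        try:  # strongSwan may print ranges (a..b) or [proto/port] suffixes; skip those
            remote = ipaddress.ip_network(m.group("remote").split("[", 1)[0], strict=False)
        except ValueError:
            continue
        if not any(remote.subnet_of(net) for net in expected[m.group("conn")]):
            findings.append((m.group("conn"), str(remote)))
    return findings


if __name__ == "__main__":
    print(find_overbroad_child_sas(IPSEC_CONF, CHARON_LOG))  # [('fh', '0.0.0.0/0')]
```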
