Bug #577

Updated by Tobias Brunner over 6 years ago

Hello,

If the IP that was assigned to a box is in a subnet of the rightsubnet option, the subnet appears twice in the TS.
Subsequently, if the subnet isn't in the rightsubnet option, it does not appear in the TS at all.
This bug is purely cosmetic. The tunnel works as intended.

Regards,
Noel Kuntze

Example:

ipsec.conf on the initiator side:

<pre>
conn %default
$configurationfoo
conn home0
rightsubnet=192.168.178.0/24,192.168.179.0/24,172.16.20.0/24
leftsourceip=%config4
auto=add
</pre>

Corresponding snippet on the responder side:

<pre>
conn bla
$configurationfoo
rightsourceip=172.16.20.0/24
leftsubnet=0.0.0.0/0
</pre>


<pre>
# ipsec up home0
retransmit 1 of request with message ID 0
sending packet: from 141.79.49.235[500] to 109.192.100.16[500] (1060 bytes)
received packet: from 109.192.100.16[500] to 141.79.49.235[500] (373 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
remote host is behind NAT
received cert request for "C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=ServerCA Layer 2, CN=ThermiCorp ServerCA Layer 2"
received cert request for "C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=UserCA, CN=ThermiCorp UserCA Level 2"
received cert request for "C=DE, ST=Baden-W??rttemberg, L=Haslach, O=ThermiCorp, OU=Root CA, CN=ThermiCorp Root CA, E=noel.kuntze@googlemail.com"
sending cert request for "C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=ServerCA Layer 2, CN=ThermiCorp ServerCA Layer 2"
sending cert request for "C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=UserCA, CN=ThermiCorp UserCA Level 2"
sending cert request for "C=DE, ST=Baden-W??rttemberg, L=Haslach, O=ThermiCorp, OU=Root CA, CN=ThermiCorp Root CA, E=noel.kuntze@googlemail.com"
authentication of 'C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=Users, CN=Thermi Thinkpad, E=Thermi_Thinkpad@cdgsthermi.no-ip.org' (myself) with RSA signature successful
sending end entity cert "C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=Users, CN=Thermi Thinkpad, E=Thermi_Thinkpad@cdgsthermi.no-ip.org"
establishing CHILD_SA home0
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 141.79.49.235[4500] to 109.192.100.16[4500] (2866 bytes)
received packet: from 109.192.100.16[4500] to 141.79.49.235[4500] (2644 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
received end entity cert "C=DE, ST=Baden-W??rttemberg, L=Haslach, O=ThermiCorp, OU=IPsec VPN-Server, CN=cdgsthermi.no-ip.org"
using certificate "C=DE, ST=Baden-W??rttemberg, L=Haslach, O=ThermiCorp, OU=IPsec VPN-Server, CN=cdgsthermi.no-ip.org"
using trusted intermediate ca certificate "C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=ServerCA Layer 2, CN=ThermiCorp ServerCA Layer 2"
checking certificate status of "C=DE, ST=Baden-W??rttemberg, L=Haslach, O=ThermiCorp, OU=IPsec VPN-Server, CN=cdgsthermi.no-ip.org"
certificate status is not available
using trusted ca certificate "C=DE, ST=Baden-W??rttemberg, L=Haslach, O=ThermiCorp, OU=Root CA, CN=ThermiCorp Root CA, E=noel.kuntze@googlemail.com"
checking certificate status of "C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=ServerCA Layer 2, CN=ThermiCorp ServerCA Layer 2"
certificate status is not available
reached self-signed root ca with a path length of 1
authentication of 'cdgsthermi.no-ip.org' with RSA signature successful
IKE_SA home0[4] established between 141.79.49.235[C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=Users, CN=Thermi Thinkpad, E=Thermi_Thinkpad@cdgsthermi.no-ip.org]...109.192.100.16[cdgsthermi.no-ip.org]
scheduling rekeying in 3320s
maximum IKE_SA lifetime 3500s
installing new virtual IP 172.16.20.1
CHILD_SA home0{4} established with SPIs c6d67a15_i c9a487d4_o and TS 172.16.20.1/32 === 192.168.178.0/24 192.168.179.0/24 172.16.20.0/24 172.16.20.0/24
connection 'home0' established successfully
</pre>


<pre>
# ipsec status home0
Security Associations (1 up, 0 connecting):
home0[4]: ESTABLISHED 8 minutes ago, 141.79.49.235[C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=Users, CN=Thermi Thinkpad, E=Thermi_Thinkpad@cdgsthermi.no-ip.org]...109.192.100.16[cdgsthermi.no-ip.org]
home0{4}: INSTALLED, TUNNEL, ESP in UDP SPIs: c6d67a15_i c9a487d4_o
home0{4}: 172.16.20.1/32 === 192.168.178.0/24 192.168.179.0/24 172.16.20.0/24 172.16.20.0/24
</pre>


Without 172.16.20.0/24 in rightsubnet:

<pre>
# ipsec up home0
initiating IKE_SA home0[3] to 109.192.100.16
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
sending packet: from 141.79.49.235[500] to 109.192.100.16[500] (1060 bytes)
received packet: from 109.192.100.16[500] to 141.79.49.235[500] (373 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
remote host is behind NAT
received cert request for "C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=ServerCA Layer 2, CN=ThermiCorp ServerCA Layer 2"
received cert request for "C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=UserCA, CN=ThermiCorp UserCA Level 2"
received cert request for "C=DE, ST=Baden-W??rttemberg, L=Haslach, O=ThermiCorp, OU=Root CA, CN=ThermiCorp Root CA, E=noel.kuntze@googlemail.com"
sending cert request for "C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=ServerCA Layer 2, CN=ThermiCorp ServerCA Layer 2"
sending cert request for "C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=UserCA, CN=ThermiCorp UserCA Level 2"
sending cert request for "C=DE, ST=Baden-W??rttemberg, L=Haslach, O=ThermiCorp, OU=Root CA, CN=ThermiCorp Root CA, E=noel.kuntze@googlemail.com"
authentication of 'C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=Users, CN=Thermi Thinkpad, E=Thermi_Thinkpad@cdgsthermi.no-ip.org' (myself) with RSA signature successful
sending end entity cert "C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=Users, CN=Thermi Thinkpad, E=Thermi_Thinkpad@cdgsthermi.no-ip.org"
establishing CHILD_SA home0
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 141.79.49.235[4500] to 109.192.100.16[4500] (2850 bytes)
received packet: from 109.192.100.16[4500] to 141.79.49.235[4500] (2612 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
received end entity cert "C=DE, ST=Baden-W??rttemberg, L=Haslach, O=ThermiCorp, OU=IPsec VPN-Server, CN=cdgsthermi.no-ip.org"
using certificate "C=DE, ST=Baden-W??rttemberg, L=Haslach, O=ThermiCorp, OU=IPsec VPN-Server, CN=cdgsthermi.no-ip.org"
using trusted intermediate ca certificate "C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=ServerCA Layer 2, CN=ThermiCorp ServerCA Layer 2"
checking certificate status of "C=DE, ST=Baden-W??rttemberg, L=Haslach, O=ThermiCorp, OU=IPsec VPN-Server, CN=cdgsthermi.no-ip.org"
certificate status is not available
using trusted ca certificate "C=DE, ST=Baden-W??rttemberg, L=Haslach, O=ThermiCorp, OU=Root CA, CN=ThermiCorp Root CA, E=noel.kuntze@googlemail.com"
checking certificate status of "C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=ServerCA Layer 2, CN=ThermiCorp ServerCA Layer 2"
certificate status is not available
reached self-signed root ca with a path length of 1
authentication of 'cdgsthermi.no-ip.org' with RSA signature successful
IKE_SA home0[3] established between 141.79.49.235[C=DE, ST=Baden-W??rttemberg, O=ThermiCorp, OU=Users, CN=Thermi Thinkpad, E=Thermi_Thinkpad@cdgsthermi.no-ip.org]...109.192.100.16[cdgsthermi.no-ip.org]
scheduling rekeying in 3406s
maximum IKE_SA lifetime 3586s
installing new virtual IP 172.16.20.1
CHILD_SA home0{3} established with SPIs c595e686_i c7e6eb4a_o and TS 172.16.20.1/32 === 192.168.178.0/24 192.168.179.0/24
connection 'home0' established successfully
</pre>
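An added check, not part of the report or of strongSwan itself, that parses the two `ipsec status` selector lines quoted above (copied from the report), removes the duplicated remote selector and tells whether the assigned virtual IP lies inside one of the remaining remote selectors:

```python
import ipaddress
import re

# Sample input constructed from the report: the CHILD_SA status lines
# with and without 172.16.20.0/24 in rightsubnet.
STATUS_WITH_POOL = "home0{4}: 172.16.20.1/32 === 192.168.178.0/24 192.168.179.0/24 172.16.20.0/24 172.16.20.0/24"
STATUS_WITHOUT_POOL = "home0{3}: 172.16.20.1/32 === 192.168.178.0/24 192.168.179.0/24"

# "<conn>{<id>}: <local TS...> === <remote TS...>"
TS_LINE = re.compile(r"^(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<local>.+?)\s+===\s+(?P<remote>.+)$")


def parse_ts_line(line):
    """Split a CHILD_SA status line into connection name, local and remote selector lists."""
    m = TS_LINE.match(line.strip())
    if not m:
        raise ValueError("not a traffic selector line: %r" % line)
    local = [ipaddress.ip_network(t) for t in m.group("local").split()]
    remote = [ipaddress.ip_network(t) for t in m.group("remote").split()]
    return m.group("name"), local, remote


def dedupe_selectors(selectors):
    """Drop exact duplicates and selectors already covered by a wider one, keeping order."""
    kept = []
    for ts in selectors:
        if any(ts.subnet_of(k) for k in kept):
            continue  # duplicate, or contained in a selector we already keep
        kept = [k for k in kept if not k.subnet_of(ts)] + [ts]
    return kept


def check_status_line(line):
    """Summarise a status line once the cosmetic duplication has been removed."""
    name, local, remote = parse_ts_line(line)
    unique_remote = dedupe_selectors(remote)
    vip_covered = any(l.subnet_of(r) for l in local for r in unique_remote)
    return {
        "name": name,
        "duplicates": len(remote) - len(unique_remote),
        "remote": [str(r) for r in unique_remote],
        "local_in_remote": vip_covered,
    }


if __name__ == "__main__":
    for line in (STATUS_WITH_POOL, STATUS_WITHOUT_POOL):
        print(check_status_line(line))
```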