
Issue #2184

Updated by Tobias Brunner over 4 years ago

Problem description:

Once I introduce the last 6 lines in the responder's config (the ikev2-internal conn profile), all the users that try to connect to the native_xauth_rsa_ikev1 conn profile are unable to establish a tunnel. If those last 6 configuration lines are removed from ipsec.conf, the native_xauth_rsa_ikev1 conn works properly again.

The server seems to send out apigen_server.crt instead of wildcard.cg-dialup.net.crt in the 'native_xauth_rsa_ikev1' conn, and thus the xauth+rsa ikev1 clients never get past the CONNECTING stage.

So my question is this: is this configuration in some way invalid from strongSwan's perspective? Especially, can strongSwan support two different profiles (ikev2-wildcard and ikev2-internal) that use different RSA keys at the same time?


Responder conf:
<pre>
config setup
    uniqueids = no

conn l2tp_psk
    fragmentation=yes
    authby=psk
    type=transport
    left=194.54.80.110
    leftsubnet=%dynamic[udp/l2tp]
    right=%any
    rightsubnet=%dynamic[udp/%any]
    dpdaction=clear
    dpddelay=5s
    dpdtimeout=20s
    auto=add

conn native_xauth_rsa_ikev1
    keyexchange=ikev1
    fragmentation=yes
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=wildcard.cg-dialup.net.crt
    leftid=@*.cg-dialup.net
    leftupdown="/opt/bin/updown_c ipsec_native"
    leftauth=pubkey
    right=%any
    rightsourceip=10.235.0.0/16
    rightauth=pubkey
    rightauth2=xauth-eap
    rightdns=194.187.251.67,185.93.180.131
    dpdaction=clear
    dpddelay=30s
    dpdtimeout=10m
    auto=add
    ikelifetime=40m
    lifetime=40m
    margintime=2m

conn native_xauth_psk_ikev1
    keyexchange=ikev1
    authby=xauthpsk
    fragmentation=yes
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftid=@*.cg-dialup.net
    leftauth=psk
    leftupdown="/opt/bin/updown_c ipsec_native"
    right=%any
    rightsourceip=10.238.0.0/16
    rightdns=194.187.251.67,185.93.180.131
    rightauth=psk
    rightauth2=xauth-eap
    dpdaction=clear
    dpddelay=5s
    dpdtimeout=20s
    auto=add

conn ikev2-base
    keyexchange=ikev2
    fragmentation=yes
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftsendcert=always
    leftupdown="/opt/bin/updown_c ipsec_native"
    right=%any
    rightdns=194.187.251.67,185.93.180.131
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%any
    esp=aes256-sha256,aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=10

conn ikev2-wildcard
    also=ikev2-base
    leftid=@*.cg-dialup.net
    leftcert=wildcard.cg-dialup.net.crt
    rightsourceip=10.239.0.0/16
    auto=add

conn ikev2-internal
    also=ikev2-base
    leftid=@nikolaev-s01-i04.cg-dialup.net
    leftcert=apigen_server.crt
    rightsourceip=10.240.0.0/16
    auto=add
</pre>


strongSwan 5.3.5 was used with a 4.6.4 kernel.

We are no longer using this configuration since this bug was discovered. We decided to drop support for the ikev1+rsa+xauth profile, but the bug and my question still stand, since adding those last 6 lines still seems to have a negative impact on the number of users that are able to use our IPsec services. And we are now using strongSwan 5.5.0 on the servers.
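The question above comes down to which conn sections share the same local/remote address selectors while presenting different local certificates. The following script is an added example, not code from the reporter or from the strongSwan project: it parses an ipsec.conf, resolves `also=` inheritance and `conn %default` the way ipsec.conf(5) describes (parameters set in the section itself win over included ones), skips template sections that are never loaded because they have no `auto=`, and reports every selector group whose members use more than one `leftcert`. The embedded config is a constructed, trimmed copy of the responder config from this report; the grouping rule (left/right only, ignoring `keyexchange`) is this example's own choice so that IKEv1 and IKEv2 conns that overlap on addresses end up in the same group, which is exactly what the report is about.

```python
"""List ipsec.conf conns that share address selectors but present different
local certificates.  Added diagnostic example; not part of strongSwan."""
import re
from collections import defaultdict

# Constructed sample: the responder config from the report, trimmed to the keys
# this check needs.  Parameters are indented, as strongSwan's parser requires.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids = no

conn l2tp_psk
    authby=psk
    left=194.54.80.110
    right=%any
    auto=add

conn native_xauth_rsa_ikev1
    keyexchange=ikev1
    left=%defaultroute
    leftcert=wildcard.cg-dialup.net.crt
    leftid=@*.cg-dialup.net
    right=%any
    auto=add

conn native_xauth_psk_ikev1
    keyexchange=ikev1
    left=%defaultroute
    leftid=@*.cg-dialup.net
    right=%any
    auto=add

conn ikev2-base
    keyexchange=ikev2
    left=%defaultroute
    right=%any

conn ikev2-wildcard
    also=ikev2-base
    leftid=@*.cg-dialup.net
    leftcert=wildcard.cg-dialup.net.crt
    auto=add

conn ikev2-internal
    also=ikev2-base
    leftid=@nikolaev-s01-i04.cg-dialup.net
    leftcert=apigen_server.crt
    auto=add
"""

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")


def parse_sections(text):
    """Return {(kind, name): {key: value}}.  Section headers start in column 0;
    parameters are indented lines.  'also=' may appear several times, so it is
    collected as a list under the key 'also'."""
    sections = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing blanks
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            current = (header.group(1), header.group(2))
            sections[current]                    # register possibly empty section
            continue
        if current is None or not raw[0].isspace():
            raise ValueError("parameter outside a section: %r" % raw)
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "also":
            sections[current].setdefault("also", []).append(value)
        else:
            sections[current][key] = value
    return dict(sections)


def resolve_conn(sections, name, seen=frozenset()):
    """Effective parameters of a conn: 'conn %default' first, then each 'also='
    section (recursively), and finally the conn's own keys, which always win."""
    if name in seen:
        raise ValueError("also= cycle through %s" % name)
    own = sections[("conn", name)]
    effective = {k: v for k, v in sections.get(("conn", "%default"), {}).items()
                 if k != "also"}
    for included in own.get("also", []):
        effective.update(resolve_conn(sections, included, seen | {name}))
    effective.update({k: v for k, v in own.items() if k != "also"})
    return effective


def overlapping_conns(text):
    """Group loaded conns by (left, right) selector and return the groups whose
    members present more than one distinct leftcert.  Sections without auto=
    default to auto=ignore and are never loaded, so they are skipped."""
    sections = parse_sections(text)
    groups = defaultdict(list)
    for (kind, name), _ in sections.items():
        if kind != "conn" or name == "%default":
            continue
        eff = resolve_conn(sections, name)
        if eff.get("auto", "ignore") == "ignore":
            continue
        selector = (eff.get("left", "%any"), eff.get("right", "%any"))
        groups[selector].append({"conn": name,
                                 "keyexchange": eff.get("keyexchange", "ike"),
                                 "leftid": eff.get("leftid", ""),
                                 "leftcert": eff.get("leftcert", "")})
    return {sel: members for sel, members in groups.items()
            if len({m["leftcert"] for m in members if m["leftcert"]}) > 1}


if __name__ == "__main__":
    for (left, right), members in overlapping_conns(SAMPLE_IPSEC_CONF).items():
        print("selector left=%s right=%s is shared by:" % (left, right))
        for m in members:
            print("  %-24s %-6s leftid=%-36s leftcert=%s"
                  % (m["conn"], m["keyexchange"], m["leftid"], m["leftcert"] or "-"))
```

Run against the report's config the script prints one group, `left=%defaultroute right=%any`, containing both IKEv1 conns and both IKEv2 conns, with `wildcard.cg-dialup.net.crt` and `apigen_server.crt` side by side; the `l2tp_psk` conn, which has a distinct `left` address, is not listed. The script only makes the overlap visible; it does not model how charon picks a config for a given peer, which is the question left for the strongSwan developers in this issue.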
