
IPsec: setting two IP addresses in the 'left' option. Tunnel hints are always built on the first IP, but are actually built on the second IP (strongswan issue, closed)

HustMax commented on June 3, 2024

IPsec: setting two IP addresses in the 'left' option. Tunnel hints are always built on the first IP, but are actually built on the second IP.

from strongswan.

Comments (5)

tobiasbrunner commented on June 3, 2024

Tunnel hints are always built on the first IP

What do you mean? What are "tunnel hints"?

Note that configuring multiple IPs in left has no effect as initiator. It just restricts the IPs on which packets for this connection are accepted as responder. It does not influence the source address selection when sending packets; this is determined by the routing tables on your system, so I doubt "All my routes are based on the second IP as well" is the case. But you can check the log and should check your routing tables (see #196).


HustMax commented on June 3, 2024

When I set 10.184.128.188, 6.6.6.1 in left, although the packet goes out through the IP address 6.6.6.1 and the connection is established successfully, it's different from the peer's connection. The connection is established correctly, but the source IP addresses displayed on both sides are inconsistent.
The local strongswan's log:

...
<tunnel_test_1|1> parsed INFORMATIONAL_V1 request 868693074 [ HASH N(DPD) ]
<tunnel_test_1|1> generating INFORMATIONAL_V1 request 558943711 [ HASH N(DPD_ACK) ]
<tunnel_test_1|1> sending packet: from 10.184.128.188[4500] to 192.168.110.1[4500] (92 bytes)
<tunnel_test_1|1> received packet: from 192.168.110.1[4500] to 10.184.128.188[4500] (92 bytes)
<tunnel_test_1|1> parsed INFORMATIONAL_V1 request 2284381516 [ HASH N(DPD) ]
<tunnel_test_1|1> generating INFORMATIONAL_V1 request 3448618571 [ HASH N(DPD_ACK) ]
<tunnel_test_1|1> sending packet: from 10.184.128.188[4500] to 192.168.110.1[4500] (92 bytes)
...

Local ipsec statusall:

Status of IKE charon daemon (weakSwan 5.9.7, Linux 5.4.225+, aarch64):
  uptime: 114 seconds, since Nov 16 16:59:52 2023
  worker threads: 59 of 64 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc hmac kdf attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  192.168.188.1
  192.168.253.1
  192.168.115.1
  10.184.128.188
  2022:1001:1234:0:f275:43a9:e25a:36c9
  6.6.6.1
  12.12.12.1
  12.12.12.1
  12.12.12.1
Connections:
tunnel_test_1:  10.184.128.188,6.6.6.1...192.168.110.1  IKEv1, dpddelay=10s
tunnel_test_1:   local:  [10.184.128.188,6.6.6.1] uses pre-shared key authentication
tunnel_test_1:   remote: uses pre-shared key authentication
tunnel_test_1:   child:  192.168.114.0/24 === 192.168.111.0/24 TUNNEL, dpdaction=start
Security Associations (1 up, 0 connecting):
tunnel_test_1[1]: ESTABLISHED 114 seconds ago, 10.184.128.188[10.184.128.188,6.6.6.1]...192.168.110.1[192.168.110.1]
tunnel_test_1[1]: IKEv1 SPIs: 4aeac77bc9dcbcd9_i* cf5dc2fb73e78aba_r, pre-shared key reauthentication in 23 hours
tunnel_test_1[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768
tunnel_test_1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce5628de_i c6c43891_o
tunnel_test_1{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 57 minutes
tunnel_test_1{1}:   192.168.114.0/24 === 192.168.111.0/24

Peer ipsec statusall:

Status of IKE charon daemon (weakSwan 5.9.7, Linux 5.4.225+, aarch64):
  uptime: 4 minutes, since Nov 16 16:58:23 2023
  worker threads: 59 of 64 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes des sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem fips-prf gmp xcbc hmac kdf attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  192.168.188.1
  192.168.253.1
  10.184.128.193
  192.168.110.1
  10.10.10.3
  192.168.111.1
Connections:
tunnel_test_1:  0.0.0.0...0.0.0.0  IKEv1, dpddelay=10s
tunnel_test_1:   local:  uses pre-shared key authentication
tunnel_test_1:   remote: uses pre-shared key authentication
tunnel_test_1:   child:  192.168.111.0/24 === 0.0.0.0/0 TUNNEL, dpdaction=start
Security Associations (1 up, 0 connecting):
tunnel_test_1[4]: ESTABLISHED 3 minutes ago, 192.168.110.1[192.168.110.1]...6.6.6.1[10.184.128.188,6.6.6.1]
tunnel_test_1[4]: IKEv1 SPIs: 4aeac77bc9dcbcd9_i cf5dc2fb73e78aba_r*, rekeying disabled
tunnel_test_1[4]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768
tunnel_test_1{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c6c43891_i ce5628de_o
tunnel_test_1{3}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
tunnel_test_1{3}:   192.168.111.0/24 === 192.168.114.0/24


tobiasbrunner commented on June 3, 2024

Are you insane? Are you seriously using IKEv1 between two instances of strongSwan? (And you even have the charon.i_dont_care_about_security_and_use_aggressive_mode_psk option enabled for some reason so these instances run as weakSwan.)

Anyway, this sounds like you might have a NAT configured that maps 10.184.128.188 to 6.6.6.1.

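Added example (editor's code, not from the thread or from the strongSwan project): the script below parses the two `ipsec statusall` excerpts posted above, pairs the IKE SA across both ends by its SPIs (the `*` after `_i` or `_r` only marks which role that end plays), and reports what the thread is about: the local daemon says it sends from 10.184.128.188 while the peer records 6.6.6.1 as the remote address. Together with the `ESP in UDP` line (charon only UDP-encapsulates ESP when NAT-D detected a NAT on the path, or when forceencaps is set) that is consistent with the NAT Tobias suspects; an iptables MASQUERADE or SNAT rule on the local host would count. It also lists the settings a reviewer would reject from the same dump: the weakSwan banner, IKEv1, 3DES and MODP_768. The embedded status text is trimmed from the posted output; the weak-algorithm list is an assumed review policy, not anything strongSwan ships.

```python
import re

# Excerpts of the two `ipsec statusall` outputs posted above, trimmed to the lines the
# checks need. Sample input copied from the thread, not read from a live daemon.
LOCAL_STATUS = """\
Status of IKE charon daemon (weakSwan 5.9.7, Linux 5.4.225+, aarch64):
tunnel_test_1[1]: ESTABLISHED 114 seconds ago, 10.184.128.188[10.184.128.188,6.6.6.1]...192.168.110.1[192.168.110.1]
tunnel_test_1[1]: IKEv1 SPIs: 4aeac77bc9dcbcd9_i* cf5dc2fb73e78aba_r, pre-shared key reauthentication in 23 hours
tunnel_test_1[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768
tunnel_test_1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce5628de_i c6c43891_o
tunnel_test_1{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 57 minutes
"""
PEER_STATUS = """\
Status of IKE charon daemon (weakSwan 5.9.7, Linux 5.4.225+, aarch64):
tunnel_test_1[4]: ESTABLISHED 3 minutes ago, 192.168.110.1[192.168.110.1]...6.6.6.1[10.184.128.188,6.6.6.1]
tunnel_test_1[4]: IKEv1 SPIs: 4aeac77bc9dcbcd9_i cf5dc2fb73e78aba_r*, rekeying disabled
tunnel_test_1[4]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768
tunnel_test_1{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c6c43891_i ce5628de_o
tunnel_test_1{3}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
"""

# Line shapes in statusall: "addr[identity]...addr[identity]" for an IKE SA, "{n}:" for its CHILD_SA.
BANNER_RE = re.compile(r"^Status of IKE charon daemon \((?P<daemon>\w+) ")
SA_RE = re.compile(r"^(?P<conn>[^\[\s]+)\[\d+\]: ESTABLISHED .*?, "
                   r"(?P<laddr>[^\[\s]+)\[(?P<lid>[^\]]*)\]\.\.\.(?P<raddr>[^\[\s]+)\[(?P<rid>[^\]]*)\]$")
SPI_RE = re.compile(r"\[\d+\]: IKEv(?P<ver>\d) SPIs: (?P<spi_i>[0-9a-f]+)_i(?P<init>\*?) (?P<spi_r>[0-9a-f]+)_r")
IKE_PROP_RE = re.compile(r"\[\d+\]: IKE proposal: (?P<prop>\S+)")
ESP_ENCAP_RE = re.compile(r"\{\d+\}:.*?, (?P<encap>ESP(?: in UDP)?) SPIs:")
ESP_PROP_RE = re.compile(r"\{\d+\}:\s+(?P<prop>[A-Z0-9_]+(?:/[A-Z0-9_]+)+),")
# Assumed review policy, not a strongSwan list: algorithms to reject in a new deployment.
WEAK_ALGS = ("3DES_CBC", "DES_CBC", "MD5", "MODP_768", "MODP_1024", "NULL")


def parse_status(text):
    """Return {"daemon": ..., "sas": [...]}; CHILD_SA lines attach to the preceding IKE SA."""
    status = {"daemon": None, "sas": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := BANNER_RE.match(line):
            status["daemon"] = m["daemon"]
        elif m := SA_RE.match(line):
            status["sas"].append({**m.groupdict(), "ike_version": None, "initiator": None,
                                  "spi_i": None, "spi_r": None, "ike_proposal": None,
                                  "esp_encap": None, "esp_proposal": None})
        elif not status["sas"]:
            continue  # connection definitions precede the SA list; nothing to attach yet
        elif m := SPI_RE.search(line):
            sa = status["sas"][-1]
            sa["ike_version"], sa["spi_i"], sa["spi_r"] = int(m["ver"]), m["spi_i"], m["spi_r"]
            sa["initiator"] = m["init"] == "*"  # the * marks this end's own role
        elif m := IKE_PROP_RE.search(line):
            status["sas"][-1]["ike_proposal"] = m["prop"]
        elif m := ESP_ENCAP_RE.search(line):
            status["sas"][-1]["esp_encap"] = m["encap"]
        elif m := ESP_PROP_RE.search(line):
            status["sas"][-1]["esp_proposal"] = m["prop"]
    return status


def endpoint_findings(local, peer):
    """Pair IKE SAs from both ends by SPI and report where the peer's view of us differs."""
    by_spi = {(sa["spi_i"], sa["spi_r"]): sa for sa in peer["sas"]}
    out = []
    for mine in local["sas"]:
        theirs = by_spi.get((mine["spi_i"], mine["spi_r"]))
        if theirs is None:
            out.append(f"{mine['conn']}: no SA with SPIs {mine['spi_i']}/{mine['spi_r']} on the peer")
            continue
        if theirs["raddr"] != mine["laddr"]:
            out.append(f"{mine['conn']}: we send from {mine['laddr']} but the peer sees "
                       f"{theirs['raddr']}: the source address is rewritten in transit (NAT, "
                       f"possibly a MASQUERADE/SNAT rule on this host)")
        if mine["esp_encap"] == "ESP in UDP":
            out.append(f"{mine['conn']}: ESP is UDP-encapsulated, i.e. NAT-D detected a NAT "
                       f"on the path (or forceencaps is set)")
        if mine["initiator"]:
            out.append(f"{mine['conn']}: we initiated, so extra addresses in 'left' restrict "
                       f"nothing; the kernel's routing table picked the source")
    return out


def weak_config_findings(status):
    """Flag the settings in a statusall dump that should not survive a security review."""
    out = []
    if status["daemon"] == "weakSwan":
        out.append("daemon reports itself as weakSwan: "
                   "charon.i_dont_care_about_security_and_use_aggressive_mode_psk is enabled")
    for sa in status["sas"]:
        if sa["ike_version"] == 1:
            out.append(f"{sa['conn']}: IKEv1 in use; both ends run strongSwan, so use IKEv2")
        for kind in ("ike_proposal", "esp_proposal"):
            for alg in (sa[kind] or "").split("/"):
                if alg.startswith(WEAK_ALGS):
                    out.append(f"{sa['conn']}: weak {kind[:3].upper()} algorithm {alg}")
    return out


if __name__ == "__main__":
    local, peer = parse_status(LOCAL_STATUS), parse_status(PEER_STATUS)
    for finding in endpoint_findings(local, peer) + weak_config_findings(local):
        print("-", finding)
```

Feed it the full `ipsec statusall` output from both ends instead of the embedded excerpts; the routing check Tobias points to (`ip route get <peer address>` on the local host) is the next step and is not automated here.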

HustMax commented on June 3, 2024

The IPs 10.184.128.188 and 6.6.6.1 are just the IPs of my two NIC interfaces; there is no NAT configuration.
But what do you mean by "run as weakSwan"? Did I set any options wrong?


tobiasbrunner commented on June 3, 2024

Just read what I wrote again, and also what's written in #196.

