Strongswan: several right subnets

Question

I have a Strongswan installation on CentOS7 connecting to a Palo Alto router. I have no access to the config on the remote router. I want to configure two subnets on the other side - one is only a single IP. I have this config in ipsec.conf:

conn %default
        keyexchange=ikev2
        authby=secret

conn net-net
        ike=aes256-sha512-modp2048!
        leftauth=psk
        left=xx.xx.xx.xx
        leftsubnet=10.255.1.0/24
        leftfirewall=yes
        rightauth=psk
        right=yy.yy.yy.yy
        auto=add
        rightsubnet=10.250.72.0/24,192.168.149.199/32

After starting the tunnel, I can only ping 192.168.149.199, but no hosts in 10.250.72.0/24. If I only configure the 10.250.72.0/24 subnet, ping works into it.

My version:

[root@ipsec01 strongswan]# strongswan --version
Linux strongSwan U5.4.0/K3.10.0-514.6.1.el7.x86_64

According to the manual, the comma separated notation should be correct. What configuration should I use?

You need not sign your posts. That's what the box in the corner is for — Fox, Mar 15 '17 at 20:54

score 9 · Accepted Answer · edited Jan 20 '18 at 13:07

9

According to the manual, the comma separated notation should be correct...

It is if the other peer supports multiple subnets per CHILD_SA. It's possible that that's not the case here. If so, you'd have to define multiple conn sections to initiate separate CHILD_SAs:

conn %default
        keyexchange=ikev2
        authby=secret

conn net-net
        ike=aes256-sha512-modp2048!
        leftauth=psk
        left=xx.xx.xx.xx
        leftsubnet=10.255.1.0/24
        leftfirewall=yes
        rightauth=psk
        right=yy.yy.yy.yy
        auto=add
        rightsubnet=10.250.72.0/24

conn net-host
        also=net-net
        rightsubnet=192.168.149.199/32

A "strongswan up net-net" succeeds, but after that a "strongswan up net-host" fails with "received INVALID_SYNTAX notify error". When I set net-host up first, this one succeeds and net-net fails after that. So the second one always fails...

It seems this peer also has issues if more than one CHILD_SA is created per IKE_SA (however, INVALID_SYNTAX is a strange error in that case). To avoid that charon.reuse_ikesa in strongswan.conf may be disabled. That way a new IKE_SA is created along with the second CHILD_SA.

The latter might cause problems if only one IKE_SA is allowed per peer. So yet another possible option (if the peer supports it) is to set rightsubnet=0.0.0.0/0 (only one conn section needed), then the other peer could narrow that down to the subnets it allows. However, that is kinda similar to your first try, so it might not work with peers that have problems with multiple subnets per CHILD_SA in the first place.

edited Jan 20 '18 at 13:07

Jeff Schaller

66,199
35
114
250

answered Mar 16 '17 at 07:28

ecdsa

809
4
7

I tried that. A "strongswan up net-net" succeeds, but after that a "strongswan up net-host" fails with "received INVALID_SYNTAX notify error". When I set net-host up first, this one succeeds and net-net fails after that. So the second one always fails... – Peter Mar 16 '17 at 11:42
Is there a way for finding out, wheater the other peer supports multiple subnets without having access to it? – Peter Mar 16 '17 at 12:09
Well, it would seem this particular peer does not (and apparently also has issues if more than one CHILD_SA is created, however, INVALID_SYNTAX is a strange error in that case). One other thing you could try is disabling _charon.reuse_ikesa_ in strongswan.conf. That way a new IKE_SA is created along with the second CHILD_SA. But that might cause other problems if only one IKE_SA is allowed per peer. So yet another thing you could try is setting _rightsubnet=0.0.0.0/0_ (only one conn section needed), then the other peer might narrow that down to the subnets it allows. – ecdsa Mar 16 '17 at 14:03
Great, I've added this to my answer. – ecdsa Mar 16 '17 at 14:50
"Invalid syntax" error might be the result of strongswan of too old version (prior to 5.2.0, see [here](https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf#Reusing-Existing-Parameters), strongswan did not allow reinstating parameters). The workaround is to move all info of subnets off main conn entry to children connections that refer to main one with `also`. MAYBE also you need to redefine both left/rightsubnet in each conn section due to some bugs/omissions. – Vesper Nov 29 '17 at 08:45

Strongswan: several right subnets

1 Answers1