LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 03-03-2018, 04:17 AM   #1
Lockywolf
Member
Registered: Jul 2007
Posts: 106
StrongSwan gives strange IP addresses.


Hello, everyone.

I have the following strongSwan config file:

Code:
config setup

conn %default
    keyexchange=ikev2
    leftid=my.domain
    leftcert=serverCert.pem
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.9.0.0/24
    rightdns=8.8.8.8
    dpdaction=clear

conn client
    leftsendcert=always
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add
quite minimalistic, right?

Indeed, my client interface has IP 10.9.0.2.

But the addresses on the server are strange:

Quote:
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1769 bytes 222050 (216.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
As you can see, neither 10.8.0.1 nor 10.8.0.2 is present anywhere in the config file. I can ping 10.8.0.1 from my client, but not 10.8.0.2, and I don't seem to be able to find any interface.

On the client I have:

Quote:
tun1 Link encap:UNSPEC
inet addr:10.9.0.1 P-t-P:10.9.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING MTU:1400 Metric:1
RX packets:1207 errors:0 dropped:0 overruns:0 frame:0
TX packets:1381 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:742062 TX bytes:214694
Why does it have two identical addresses?

Could anyone explain to me what's going on here?
Thanks a lot.
Old 03-07-2018, 02:47 PM   #2
nini09
Senior Member
Registered: Apr 2009
Posts: 1,593
What is the tunnel type, site-to-site or remote access?
Old 03-07-2018, 08:03 PM   #3
Lockywolf
Member
Registered: Jul 2007
Posts: 106
Original Poster
Quote:
Originally Posted by nini09
What is the tunnel type, site-to-site or remote access?
Sorry, I don't understand your question well enough to answer...

If you tell me where to look for this information, I'll post it here.

The usage of this VPN is typical. I have a server (the 'left' machine) through which I transmit all the traffic from the client, i.e. when I want to access Google on the client, I go through the server.
Old 03-08-2018, 03:18 PM   #4
nini09
Senior Member
Registered: Apr 2009
Posts: 1,593
Based on your description, the tunnel type looks like remote access, client-server mode. The ipsec.conf you uploaded, is it the file on the server or the client?
Old 03-08-2018, 07:39 PM   #5
Lockywolf
Member
Registered: Jul 2007
Posts: 106
Original Poster
This file is on the server.

On the client I have the standard (from Google Play) strongSwan Android client, in which I only had to set up the username, password, IP and port.

I can also post my strongswan.conf (although it is unmodified) and the certificate/key files, if needed.
Old 03-13-2018, 03:00 PM   #6
nini09
Senior Member
Registered: Apr 2009
Posts: 1,593
ipsec.conf should be like the following:
Quote:
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn rw-eap
    left=192.168.0.1
    leftsubnet=10.1.0.0/16
    leftid=@moon.strongswan.org
    leftcert=moonCert.pem
    leftauth=pubkey
    leftfirewall=yes
    right=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
Right is the client and left is the gateway. 192.168.0.1 is the interface IP address for the right side and 10.1.0.0/16 is the network of the left side.
Old 03-26-2018, 04:19 PM   #7
erabaddosi-2116
LQ Newbie
Registered: Mar 2018
Posts: 20
I recommend not posting key files in order to maintain your own security.

10.8.0.x are the default IP addresses that OpenVPN uses for establishment of links.

On your "tun1" connection, it indicates that it is a "point-to-point" connection (that's what the "P-t-P" refers to), which has no particular need of IP addresses; if I didn't send it, the other side must have (though usually IP addresses will be assigned). OpenVPN will frequently allocate 10.8.0.1 to the "server" side of the connection and 10.8.0.2+ to the various connecting clients, depending upon the specific config of the OpenVPN server. Granted, most of this is probably trivia, but just some answers to your questions!

I have a small concern that the IP address you selected (192.168.0.1) is on a completely different subnet than the one configured (10.1.x.x/16)... but I am not as familiar with strongSwan, so someone familiar with that should probably offer better advice here...

You *WILL* likely have a TUNNEL IP (10.8.x.y or 10.9.x.y), one on the client side and one on the server side. You will *ALSO* likely have a subnet on the server side, and it looks like you have one on the client side, too.

Does this help at all?
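The thread turns on one diagnostic question: does a given tunnel address actually come from the strongSwan config, or from something else running on the host? The script below is an added example for this thread, not code from strongSwan or from any of the posters. It parses a server-side ipsec.conf (inheriting conn %default into each conn), collects the rightsourceip pool(s), then checks every IPv4 address found in an ifconfig-style dump against those pools. Addresses outside every pool (here 10.8.0.1 and 10.8.0.2) cannot have been handed out by this config, which is the cue to check which process owns that interface. The config and interface lines are constructed from the values quoted in the thread; the function names are this example's own.

```python
"""Check which tunnel addresses fall inside the rightsourceip pool(s) of an ipsec.conf.

Added example for this thread; not strongSwan code. Sample input is constructed
from the config and ifconfig lines quoted in the thread.
"""
import ipaddress
import re

# Constructed: the server-side ipsec.conf from the original post.
IPSEC_CONF = """\
config setup

conn %default
    keyexchange=ikev2
    leftid=my.domain
    leftcert=serverCert.pem
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.9.0.0/24
    rightdns=8.8.8.8
    dpdaction=clear

conn client
    leftsendcert=always
    rightauth=eap-mschapv2
    eap_identity=%identity
    auto=add
"""

# Constructed: the server's tun0 (new net-tools layout) and the client's tun1 (old layout).
IFCONFIG_OUTPUT = """\
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
        inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
tun1 Link encap:UNSPEC
        inet addr:10.9.0.1 P-t-P:10.9.0.1 Mask:255.255.255.255
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' settings inherited.

    Section headers ('config setup', 'conn NAME') start at column 0; the
    indented key=value lines that follow belong to the most recent section.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            kind, _, name = raw.strip().partition(" ")
            current = f"{kind} {name.strip()}"
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"parameter outside a section: {raw!r}")
        key, _, value = raw.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    defaults = sections.get("conn %default", {})
    conns = {}
    for name, params in sections.items():
        if name.startswith("conn ") and name != "conn %default":
            merged = dict(defaults)
            merged.update(params)          # conn-specific values override %default
            conns[name[len("conn "):]] = merged
    return conns


def source_pools(conns):
    """Collect every rightsourceip value that is a CIDR (skips %dhcp, %radius, named pools)."""
    pools = set()
    for params in conns.values():
        for pool in params.get("rightsourceip", "").split(","):
            pool = pool.strip()
            if pool and not pool.startswith("%"):
                pools.add(ipaddress.ip_network(pool, strict=False))
    return pools


IFACE_RE = re.compile(r"^(\S+?):?\s")
# Matches 'inet X ... destination Y' (net-tools 2.x) and 'inet addr:X P-t-P:Y' (older net-tools).
ADDR_RE = re.compile(r"(?:inet addr:|inet |P-t-P:|destination )(\d+\.\d+\.\d+\.\d+)")


def parse_interfaces(text):
    """Return {iface: [addresses]} for every IPv4 address printed under an interface."""
    result = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = IFACE_RE.match(line).group(1)
            result.setdefault(current, [])
            continue
        if current:
            result[current].extend(ADDR_RE.findall(line))
    return result


def classify(conns, ifaces):
    """Map (iface, address) to the covering pool as a string, or None if no pool covers it."""
    pools = source_pools(conns)
    report = {}
    for iface, addrs in ifaces.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            match = next((p for p in pools if ip in p), None)
            report[(iface, addr)] = str(match) if match else None
    return report


if __name__ == "__main__":
    conns = parse_ipsec_conf(IPSEC_CONF)
    for (iface, addr), pool in classify(conns, parse_interfaces(IFCONFIG_OUTPUT)).items():
        status = f"inside pool {pool}" if pool else "NOT in any rightsourceip pool"
        print(f"{iface:5} {addr:12} {status}")
```

Run it against the real files by replacing the two constructed strings with the contents of /etc/ipsec.conf and the output of ifconfig; any interface whose addresses are reported as outside every pool was not configured by this strongSwan instance, so the next step is to find the process that created it (for example with `ip -d link show` and `ss -ulpn`) rather than to keep editing ipsec.conf.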