<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
Hi<br>
<br>
I have a test server set up to use ikev2 and I can successfully
connect and get it to assign me an ip address etc if and only if I
have one single subnet on my left/right config. I need to route 3 of
them and I can do any one of them but not more. I have tried various
syntaxes from {left,right}subnets="172.x.x.x/24 10.x.x.x/24
10.y.x.x/24" either comma or space separated, changing the "" to {},
nesting "{}" and none of those work. When I restart the server end,
the daemon starts up but the connection is not started and there are
no errors anywhere that I have found that tell me why (checked
/var/log/{messages,secure} and journalctl -u ipsec). I am using
libreswan-4.9-4.el9_2.x86_64 on a fully updated Rocky Linux 9.2 VM
on both ends. <br>
<br>
I have also tried adding 3 separate conn subnet{1,2,3}'s just
containing also=mainconn rightsubnet= and that starts up but won't
let me connect.<br>
<br>
So this works with just one subnet on the left.<br>
<pre>conn mainconn
ikev2=insist
mobike=yes
fragmentation=yes
left=%defaultroute
leftsourceip=192.168.19.11
#leftsubnets={10.x.0.0/16 10.y.0.0/16 192.16.12.0/23}
leftsubnet=192.168.12.0/23
leftid=93.x.x.x
leftxauthserver=yes
leftmodecfgserver=yes
leftupdown=""
right=%any
rightaddresspool=192.168.19.128-192.168.19.192
modecfgdns="192.168.12.x, 192.168.12.y"
modecfgdomains="company.com"
rightxauthclient=yes
rightmodecfgclient=yes
authby=secret
auto=add
retransmit-timeout=1m
</pre>
<br>
If I comment the leftsubnet and uncomment the leftsubnets line then
the conn silently fails to start. If I comment both leftsub* lines
and add the following prior to conn mainconn then the server side
connection starts automatically but the client side gets
TS_UNACCEPTABLE<br>
<br>
<pre>conn subnet1
also=mainconn
rightsubnet=192.168.12.0/23
conn subnet2
also=mainconn
rightsubnet=10.x.0.0/16
conn subnet3
also=mainconn
rightsubnet=10.y.0.0/16
</pre>
Client side, also Rocky 9.2, looks like<br>
<br>
<pre>conn subnet1
also=mainconn
rightsubnet=192.168.12.0/23
conn subnet2
also=mainconn
rightsubnet=10.x.0.0/16
conn subnet3
also=mainconn
rightsubnet=10.y.0.0/16
conn mainconn
ikev2=insist
mobike=yes
fragmentation=yes
left=%defaultroute
#rightsubnet=192.168.12.0/23
#rightsubnets={192.168.12.0/23,10.x.0.0/16,10.y.0.0/16}
leftid=82.x.x.x
leftmodecfgclient=yes
leftxauthclient=yes
leftusername=mytestuser
right=93.x.x.x
authby=secret
modecfgpull=yes
auto=add
</pre>
<br>
<br>
<pre>181 "mainconn" #1: initiating IKEv2 connection
181 "mainconn" #1: sent IKE_SA_INIT request to 93.x.x.x:500
182 "mainconn" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
003 "mainconn" #1: initiator established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '93.x.x.x'
002 "mainconn" #2: received INTERNAL_IP4_ADDRESS x
002 "mainconn" #2: received INTERNAL_IP4_DNS x
002 "mainconn" #2: received INTERNAL_IP4_DNS x
005 "mainconn" #2: Received INTERNAL_DNS_DOMAIN: company.com
003 "mainconn" #2: CHILD SA failed: TS_UNACCEPTABLE
003 "mainconn" #1: IKE SA established but initiator rejected Child SA response
002 "mainconn" #2: deleting larval Child SA using IKE SA #1
003 ERROR: "mainconn" #2: netlink response for Del SA esp.d379a01c@93.x.x.x: No such process (errno 3)</pre>
<br>
Server side I see this in /var/log/secure<br>
<pre>Jun 5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #1: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=MODP2048;DH=CURVE25519;DH=ECP_384;DH=ECP_521;DH=MODP3072;DH=MODP4096;DH=MODP8192[first-match] 2:IKE:ENCR=CHACHA20_POLY1305;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=MODP2048;DH=CURVE25519;DH=EC>
Jun 5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #1: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
Jun 5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #1: processing decrypted IKE_AUTH request: SK{IDi,AUTH,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Jun 5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #1: responder established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '82.x.x.x'
Jun 5 19:38:42 rocky9 pluto[32013]: | pool 192.168.19.128-192.168.19.192: growing address pool from 0 to 1
Jun 5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #2: proposal 1:ESP=AES_GCM_C_256-ENABLED SPI=4318e7e4 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=ENABLED;ESN=DISABLED[first-match] 2:ESP:ENCR=CHACHA20_POLY1305;ESN=ENABLED;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA1_96;INTEG=HMAC_SHA2_256_128;ESN=ENABLED;ESN=DISABLED 4:ESP:ENCR=AES_GCM_C_128;ESN=ENABLED;ESN=DISA>
Jun 5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #2: responder established Child SA using #1; IPsec tunnel [192.168.12.0-192.168.13.255:0-65535 0] -> [192.168.19.128-192.168.19.128:0-65535 0] {ESPinUDP/ESN=>0x4318e7e4 <0xd379a01c xfrm=AES_GCM_16_256-NONE NATD=82.x.x.x:4500 DPD=passive}
Jun 5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #2: ESP traffic information: in=0B out=0B</pre>
<br>
What am I doing wrong and what do I need to change to make this
work? The goal is that on the client side, I get routes added for
all 3 subnets on connect.<br>
<br>
Thanks for any guidance<br>
<br>
Trevor<br>
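<br>
Added example (not code from Trevor's post, nor from libreswan itself): a small Python model of the IKEv2 traffic-selector rule that the client log's "CHILD SA failed: TS_UNACCEPTABLE" comes from. RFC 7296 section 2.9 lets a responder narrow the initiator's proposed selectors, but whatever it answers with must lie inside what was proposed; an initiator that proposed only the peer address as a /32 (libreswan's default when no rightsubnet= is set) must reject an answer covering a whole /23. The script parses ipsec.conf-style conn sections (including also=), computes the proposed and answered selectors, and reports the outcome. The parser, the also= precedence rule, the documentation addresses standing in for 93.x.x.x / 82.x.x.x / 10.x, and the assumption that the responder answers with its whole leftsubnet= are all constructed for this example.<br>

```python
"""Added example, not from the original post or libreswan: model the IKEv2
traffic-selector (TS) check behind a TS_UNACCEPTABLE Child SA failure.
Constructed assumptions: a minimal ipsec.conf parser; documentation addresses
in place of the post's x/y placeholders; the initiator's proposed TSr is its
rightsubnet= (default: peer address as /32); the responder is modelled as
answering with its whole leftsubnet=."""
import ipaddress


def parse_ipsec_conf(text):
    """Parse conn sections into {name: {key: value}}; '#' comments are dropped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
            continue
        if "=" not in line:        # e.g. "config setup": not a conn, skip its keys
            current = None
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        conns[current][key.strip()] = value.strip().strip('"')
    return conns


def resolve(conns, name):
    """Expand also= recursively. Assumed libreswan semantics: a key set in the
    including section overrides the same key in the included section."""
    section = dict(conns[name])
    base = section.pop("also", None)
    if base is None:
        return section
    merged = resolve(conns, base)
    merged.update(section)
    return merged


def parse_subnets(value):
    """Accept comma- or space-separated CIDRs, with or without surrounding braces."""
    cleaned = value.strip("{}").replace(",", " ")
    return [ipaddress.ip_network(tok, strict=False) for tok in cleaned.split()]


def narrow(proposed, configured):
    """What a responder may legitimately answer (RFC 7296 s2.9): the overlap of its
    configured selectors with the proposal. CIDRs are nested or disjoint."""
    chosen = []
    for cfg in configured:
        for prop in proposed:
            if cfg.subnet_of(prop):
                chosen.append(cfg)
            elif prop.subnet_of(cfg):
                chosen.append(prop)
    return chosen


def initiator_accepts(proposed, answered):
    """Initiator rejects (TS_UNACCEPTABLE) unless every answered selector lies
    inside something it proposed."""
    return all(any(ans.subnet_of(prop) for prop in proposed) for ans in answered)


def child_sa_outcome(client_conf, client_conn, server_conf, server_conn):
    client = resolve(parse_ipsec_conf(client_conf), client_conn)
    server = resolve(parse_ipsec_conf(server_conf), server_conn)
    proposed = parse_subnets(client.get("rightsubnet", client["right"] + "/32"))
    answered = parse_subnets(server["leftsubnet"])   # modelled responder answer
    return "ESTABLISHED" if initiator_accepts(proposed, answered) else "TS_UNACCEPTABLE"


# Constructed configs shaped like the post's conns; all addresses are placeholders.
SERVER_CONF = """
conn mainconn
    ikev2=insist
    left=%defaultroute
    leftsubnet=192.168.12.0/23
    right=%any
    rightaddresspool=192.168.19.128-192.168.19.192
"""

CLIENT_CONF = """
conn mainconn
    ikev2=insist
    left=%defaultroute
    right=192.0.2.1
conn subnet1
    also=mainconn
    rightsubnet=192.168.12.0/23
conn allsubnets
    also=mainconn
    rightsubnet=192.168.12.0/23,10.20.0.0/16,10.30.0.0/16
"""

if __name__ == "__main__":
    for conn in ("mainconn", "subnet1", "allsubnets"):
        print(conn, child_sa_outcome(CLIENT_CONF, conn, SERVER_CONF, "mainconn"))
```

Run stand-alone, the client conn without any rightsubnet= comes out as TS_UNACCEPTABLE (the /23 answer is not inside the proposed /32), while the conns that propose the /23, alone or alongside the other two subnets, come out as ESTABLISHED. The narrow() helper shows the other direction: a responder whose configured selectors share no overlap with the proposal has nothing it can answer with at all.<br>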
</body>
</html>