<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Noel,<br><br>I've modified my setup from GREv6 to 'traditional' site 2 site. I had a similar but a bit different problem [ traffic not getting encrypted - but simply vanishing in the linux ].<br><br>After looking at the routing table I've noticed this very wierd route in the table 220.<br><br>root@f-nccf-1a-de:/etc# ip -6 route show table 220<br>unreachable 2a00:c31:1ffe:fff::/64 dev lo proto static metric 1024 error -101<br><br>I've got rid of it and now it works.<br><br>Why strongswan is pushing a bogus ipv6 route? <br><br>Regards<br><br><div>> Date: Wed, 14 Jan 2015 20:23:10 +0100<br>> From: noel@familie-kuntze.de<br>> To: users@lists.strongswan.org<br>> Subject: Re: [strongSwan] ipv6 GRE sent in clear instead of getting encrypted<br>> <br>> <br>> -----BEGIN PGP SIGNED MESSAGE-----<br>> Hash: SHA256<br>> <br>> Hello Olivier,<br>> <br>> Does the traffic selector cover the IP addresses used in the IPv6 GRE tunnel configuration?<br>> <br>> Mit freundlichen Grüßen/Regards,<br>> Noel Kuntze<br>> <br>> GPG Key ID: 0x63EC6658<br>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>> <br>> Am 14.01.2015 um 08:02 schrieb Olivier PELERIN:<br>> > Any ideas why ipv6 GRE is sent in clear?<br>> ><br>> > -------------------------<br>> > From: olivier_pelerin@hotmail.com<br>> > To: users@lists.strongswan.org<br>> > Date: Fri, 19 Dec 2014 13:27:16 +0100<br>> > Subject: [strongSwan] ipv6 GRE sent in clear instead of getting encrypted<br>> ><br>> > Hello Strongswan Alias,<br>> ><br>> > I've the following problem:<br>> ><br>> > Trafffic from a remote device is properly decrypted [ transport is GREipv6 / overlay is ipv6]. Encrypted packet leave the ubuntu box un-encrypted.<br>> ><br>> > Either xfrm policies and state are looking right.<br>> ><br>> > ip xfrm policy<br>> > src 2b00:d31:e7e4:1b::1:201/128 dst 2b00:c31:e7e2:17::2:12/128 proto gre<br>> > dir fwd priority 1026<br>> > tmpl src 2b00:d31:e7e4:1b::1:201 dst 2b00:c31:e7e2:17::2:12<br>> > proto esp reqid 2687 mode tunnel<br>> > src 2b00:d31:e7e4:1b::1:201/128 dst 2b00:c31:e7e2:17::2:12/128 proto gre<br>> > dir in priority 1026<br>> > tmpl src 2b00:d31:e7e4:1b::1:201 dst 2b00:c31:e7e2:17::2:12<br>> > proto esp reqid 2687 mode tunnel<br>> > src 2b00:c31:e7e2:17::2:12/128 dst 2b00:d31:e7e4:1b::1:201/128 proto gre<br>> > dir out priority 1026<br>> > tmpl src 2b00:c31:e7e2:17::2:12 dst 2b00:d31:e7e4:1b::1:201<br>> > proto esp reqid 2687 mode tunnel<br>> > src 0.0.0.0/0 dst 0.0.0.0/0<br>> > socket in priority 0<br>> > src 0.0.0.0/0 dst 0.0.0.0/0<br>> > socket out priority 0<br>> > src 0.0.0.0/0 dst 0.0.0.0/0<br>> > socket in priority 0<br>> > src 0.0.0.0/0 dst 0.0.0.0/0<br>> > socket out priority 0<br>> > src ::/0 dst ::/0<br>> > socket in priority 0<br>> > src ::/0 dst ::/0<br>> > socket out priority 0<br>> > src ::/0 dst ::/0<br>> > socket in priority 0<br>> > src ::/0 dst ::/0<br>> > socket out priority 0<br>> ><br>> > root@zg-nccf-1a-hr:/home/localadmin# ip xfrm state<br>> > src 2b00:c31:e7e2:17::2:12 dst 2b00:d31:e7e4:1b::1:201<br>> > proto esp spi 0xb173226b reqid 2687 mode tunnel<br>> > replay-window 32 flag af-unspec<br>> > auth-trunc hmac(sha1) 0x630d4dae250e28a9dfd1184b20dfd0e33cda1665 96<br>> > enc cbc(aes) 0x3dc58789ace1be5fccdb4b2c42b3aa23<br>> > src 2b00:d31:e7e4:1b::1:201 dst 2b00:c31:e7e2:17::2:12<br>> > proto esp spi 0xccbc90f5 reqid 2687 mode tunnel<br>> > replay-window 32 flag af-unspec<br>> > auth-trunc hmac(sha1) 0xd7e81acb481eb00c2389bdfdc2e7fdc1ca0b6417 96<br>> > enc cbc(aes) 0x9e7d10c82aa14b562c541482d6b5933b<br>> ><br>> ><br>> > ipsec statusall<br>> > Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-32-generic, x86_64):<br>> > uptime: 7 minutes, since Dec 19 12:12:26 2014<br>> > malloc: sbrk 2568192, mmap 0, used 358352, free 2209840<br>> > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2<br>> > loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock<br>> > Listening IP addresses:<br>> > 2a00:c31:7fe2:17::1:11<br>> > ....<br>> > 2001::2<br>> > Connections:<br>> > CSR1000V: %any...2b00:d31:e7e4:1b::1:201 IKEv2<br>> > CSR1000V: local: [....] uses pre-shared key authentication<br>> > CSR1000V: remote: [....] uses pre-shared key authentication<br>> > CSR1000V: child: 2b00:c31:e7e2:17::2:12/128[gre] === 2b00:d31:e7e4:1b::1:201/128[gre] TUNNEL<br>> > Security Associations (1 up, 0 connecting):<br>> > CSR1000V[1]: ESTABLISHED 7 minutes ago, 2b00:c31:e7e2:17::2:12[]...2b00:d31:e7e4:1b::1:201[]<br>> > CSR1000V[1]: IKEv2 SPIs: db2eec9fddaea13f_i* 5b0acc0ed25bced5_r, pre-shared key reauthentication in 23 hours<br>> > CSR1000V[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024<br>> > CSR1000V{1}: INSTALLED, TUNNEL, ESP SPIs: c673e3d6_i 1e5da7b9_o<br>> > CSR1000V{1}: AES_CBC_128/HMAC_SHA1_96, 4512 bytes_i (34 pkts, 333s ago), 0 bytes_o, rekeying in 34 minutes<br>> > CSR1000V{1}: 2b00:c31:e7e2:17::2:12/128[gre] === 2b00:d31:e7e4:1b::1:201/128[gre]<br>> > root@zg-nccf-1a-hr:/home/localadmin#<br>> ><br>> > conn CSR1000V<br>> > keyexchange=ikev2<br>> > ikelifetime=1440m<br>> > keylife=60m<br>> > leftauth=psk<br>> > rightauth=psk<br>> > leftid=....<br>> > rightid=....<br>> > right=2b00:d31:e7e4:1b::1:201<br>> > leftsubnet=2b00:c31:e7e2:17::2:12/128[47]<br>> > rightsubnet=2b00:d31:e7e4:1b::1:201/128[47]<br>> > auto=start<br>> ><br>> > I've tried on my lab gentoo machine and there it works. Why GRE is not encrypted on this linux box?<br>> ><br>> > Regards,<br>> ><br>> > _______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users<br>> ><br>> ><br>> > _______________________________________________<br>> > Users mailing list<br>> > Users@lists.strongswan.org<br>> > https://lists.strongswan.org/mailman/listinfo/users<br>> <br>> -----BEGIN PGP SIGNATURE-----<br>> Version: GnuPG v2<br>> <br>> iQIcBAEBCAAGBQJUtsIbAAoJEDg5KY9j7GZYCUwP/R5/UK86Ec88qz/7vPHqpb0p<br>> jePO4Zg3jcDPzZbgzZN7oK9yTFhE7+T6oVkL3Vv/7yvB6vlkMumAFhHEdfS3GPlT<br>> p9iDaxbCEVT09GTXz5+gn/eU38L7R7rxb+yfYQNDDFht9hLZWR/1GYFB8edjgH7v<br>> mhPnXS8hRaKmOV6uo4PZczMAaaKCXfwbBeBwE7kV0/hmAFYRmH2EHqgUuQKrGb1c<br>> fsYuZF32tfj+DXG8ndXISjbfW1olsAEYc4cEUuo0FsOGugGa+4tgQ1Ep8btn7jI8<br>> yiwSStIIXtblQEf7Mk4kZm99QCtcFm2A4sRJAX20fSkVhicCvh5L++m0VSMrh6Q/<br>> PEg6mqtnaMksRZhjM66vNVdbZ3dEM53TZI2QuKdVYuQvSSW6bcywbhWnmw2cAWcD<br>> 8SXHB2Q4ai4JuQs7S2353gl+Kl7l74XFUJbu77HJjOTx6N786ZDIP+QgNguLGf7Y<br>> pO588dcgxDwnnnrgblW7mDM2EouVoNtGvh9HHCJSJlfJxqlLX08Z4ygbxwZNts9S<br>> MZ64VRT9NsANn1i5vsCBBdvTcSMHyJK528Z5zJ+gaPF0Xe9KBPGfP84wfmlUl+F9<br>> cEnm2LIXfPulxOKv8cFuCLduXpz98bhykDWWRbqZjpJqBXmugODqRva9CieyI3i2<br>> GMNbPZ7kSHur41AAKbYF<br>> =w0Gt<br>> -----END PGP SIGNATURE-----<br>> <br>> _______________________________________________<br>> Users mailing list<br>> Users@lists.strongswan.org<br>> https://lists.strongswan.org/mailman/listinfo/users<br></div> </div></body>
</html>