<div dir="ltr">Hi,<div><br></div><div>I am using the following setup in my lab:</div><div><br></div><div>Host A&lt;----&gt;SeGW&lt;-----(ESP Tunnel)----&gt;(eth1)strongSwan (Linux PC) (eth0)&lt;---&gt;Host B</div><div><br></div><div>So there is one tunnel established between the SeGW and the Linux PC, which is running the strongSwan stack v5.2.2.</div><div>The Linux PC is connected to the SeGW via its eth1 interface, and Host B is connected via the eth0 interface.</div><div><br></div><div>What we want is that:</div><div>1. Any traffic that we want to send from Host A to Host B should go via the SeGW, where it is encrypted and sent towards the Linux box.</div><div>2. The Linux box running strongSwan should then decrypt the traffic and route it to Host B.</div><div>3. As expected, the reverse path should be followed for traffic from Host B to Host A.</div><div><br></div><div>What we observe is that:</div><div>1. The SeGW is successfully able to encrypt the traffic and send ESP frames to the Linux PC.</div><div>2. The Linux PC also decrypts it successfully.</div><div>3. However, after decryption <b>it is not able to route</b> the traffic towards the interface connected to Host B. <b>On the contrary, we see that the decrypted traffic appears on the same interface from which it received the ESP frames, i.e. the interface connected to the SeGW; both the encrypted and the decrypted packet are seen on the same interface.</b></div><div><br></div><div>The routing configured on the Linux PC also looks to be correct: when I send ping traffic from Host A to Host B (this traffic is not encrypted), I see that the Linux PC is correctly able to route this ICMP traffic towards Host B without any issue.</div><div><br></div><div>Can you let me know what the possible issue could be here, or provide some indication on how to debug it?</div><div><br></div><div>Below are the logs and configuration. Let me know if any additional detail that I missed is needed:</div><div><br></div><div>Here is the ipsec.conf connection setting:</div><div>
<pre>
conn saM
    ikelifetime=24h
    keyexchange=ikev2
    keyingtries=%forever
    keylife=5m
    reauth=no
    rekey=yes
    mobike=no
    dpdaction=clear
    dpddelay=10
    rekeymargin=1m
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!
    authby=rsasig
    left=31.31.31.22
    leftsubnet=0.0.0.0/32
    right=31.31.31.31
    rightsubnet=0.0.0.0/32
    leftprotoport=%any/%any
    rightprotoport=%any/%any
    leftcert=/usr/local/etc/ipsec.d/certs/linux.pem
    rightid=%any
    auto=add
</pre>
<p class="MsoNormal">Host A IP: 172.18.21.232</p>
<p class="MsoNormal">Host B IP: 10.3.4.22</p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal"><b>Routing table on the Linux PC:</b></p>
<pre>
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.18.21.0     *               255.255.255.0   U     0      0        0 eth1
<b>10.3.4.0        *               255.255.255.0   U     1      0        0 eth0   &lt;&lt;&lt; this route should have worked</b>
192.168.122.0   *               255.255.255.0   U     0      0        0 virbr0
31.31.31.0      *               255.255.255.0   U     0      0        0 eth1
172.18.0.0      *               255.255.0.0     U     0      0        0 eth1
default         10.3.4.1        0.0.0.0         UG    0      0        0 eth0
default         10.3.4.1        0.0.0.0         UG    0      0        0 eth0
</pre>
</div><div><br></div><div><b>ifconfig output:</b></div><div>
<pre>
[root@root ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr A4:1F:72:8E:66:F5
          inet addr:10.3.4.139  Bcast:10.3.4.255  Mask:255.255.255.0
          inet6 addr: fe80::a61f:72ff:fe8e:66f5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:33355 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32425 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:18132226 (17.2 MiB)  TX bytes:28624412 (27.2 MiB)
          Interrupt:46 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:0A:F7:16:7E:5D
          inet addr:31.31.31.22  Bcast:31.31.31.255  Mask:255.255.255.0
          inet6 addr: fe80::20a:f7ff:fe16:7e5d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2807 errors:0 dropped:0 overruns:0 frame:0
          TX packets:265 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:395217 (385.9 KiB)  TX bytes:35486 (34.6 KiB)
          Interrupt:17

eth1:1    Link encap:Ethernet  HWaddr 00:0A:F7:16:7E:5D
          inet addr:172.18.21.1  Bcast:172.18.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:17
</pre>
</div><div>Wireshark logs captured on the eth1 interface are attached; they show both the encrypted and the decrypted packets on the same interface.</div><div><br></div><div>Thanks and Regards</div><div>Sajal</div><div><br></div></div>
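<div>Added example, not part of Sajal's mail and not strongSwan code: a small Python script that re-types the routing table and the leftsubnet/rightsubnet values from the mail as constructed input and answers the two questions a reader would want settled before blaming the route. First, on which interface the kernel's longest-prefix match would send the decrypted inner packet (the mail's own table sends 10.3.4.22 out eth0). Second, whether the configured traffic selectors, read as plain CIDR prefixes, cover the inner source and destination addresses. The second check is pure CIDR arithmetic and says nothing about how strongSwan actually negotiated the CHILD_SA; the function and constant names (parse_routes, egress_iface, selector_covers, check_flow) are mine.</div>

```python
import ipaddress

# Routing table from the mail, re-typed as constructed input in
# `route -n` / `netstat -rn` layout (duplicate default route dropped).
ROUTING_TABLE = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
172.18.21.0 * 255.255.255.0 U 0 0 0 eth1
10.3.4.0 * 255.255.255.0 U 1 0 0 eth0
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
31.31.31.0 * 255.255.255.0 U 0 0 0 eth1
172.18.0.0 * 255.255.0.0 U 0 0 0 eth1
default 10.3.4.1 0.0.0.0 UG 0 0 0 eth0
"""

# Traffic selectors and end hosts taken from the mail's ipsec.conf and text.
LEFTSUBNET = "0.0.0.0/32"    # networks behind the Linux PC (left)
RIGHTSUBNET = "0.0.0.0/32"   # networks behind the SeGW (right)
HOST_A = "172.18.21.232"     # behind the SeGW
HOST_B = "10.3.4.22"         # behind the Linux PC, on eth0


def parse_routes(text):
    """Parse route -n style output into (network, gateway, metric, iface)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "Destination":
            continue
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts[:8]
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "*" else ipaddress.ip_address(gw)
        routes.append((net, gateway, int(metric), iface))
    return routes


def route_lookup(dst, routes):
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))


def egress_iface(dst, table=ROUTING_TABLE):
    """Interface a plain (already decrypted) packet to dst would leave on."""
    hit = route_lookup(dst, parse_routes(table))
    return hit[3] if hit else None


def selector_covers(cidr, addr):
    """True if a selector written as a CIDR prefix contains addr.

    0.0.0.0/32 is the single address 0.0.0.0; 0.0.0.0/0 is every address.
    """
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def check_flow(src, dst, left=LEFTSUBNET, right=RIGHTSUBNET, table=ROUTING_TABLE):
    """Summarise the forwarding decision and selector coverage for src -> dst
    arriving decrypted on the Linux PC (src behind right, dst behind left)."""
    return {
        "egress_iface": egress_iface(dst, table),
        "src_in_rightsubnet": selector_covers(right, src),
        "dst_in_leftsubnet": selector_covers(left, dst),
    }


if __name__ == "__main__":
    print("Host A -> Host B:", check_flow(HOST_A, HOST_B))
    print("Host B -> Host A:", check_flow(HOST_B, HOST_A))
```

<div>Running it reports eth0 for Host B and eth1 for Host A, i.e. the routing table in the mail does send the inner packets the right way, while both selectors as written cover neither host. One caveat when reading the attached capture: on Linux the decapsulated packet is re-injected into the stack on the interface the ESP packet arrived on, so a capture on eth1 is expected to show both the ESP frame and the plaintext inner packet; that alone does not show which interface the packet was later forwarded to, and a capture on eth0 (or the counters of <code>ip -s xfrm state</code>) is what tells you whether forwarding happened.</div>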