<div dir="ltr">Hi Noel,<div><br></div><div>I hope it is ok that I'm attaching these two files, as they were a bit too large to paste in here otherwise.</div><div><br></div><div>If that's not ok, please let me know and I'll paste them in here anyway.</div><div><br></div><div>Many Thanks,</div><div>Houman</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 18 Jul 2019 at 10:04, Noel Kuntze <noel.kuntze@thermi.consulting> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Hello Houman,<br>
<br>
Those are still not all the IPv4 *and IPv6* routing tables.<br>
Use `ip route show table all` for IPv4 and `ip -6 route show table all` for IPv6.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
On 18.07.19 at 10:29, Houman wrote:<br>
> Hello Noel.<br>
><br>
> Sorry, it's still too early in the morning for me.<br>
><br>
> *> netstat -rn*<br>
> *<br>
> *<br>
> Kernel IP routing table<br>
> Destination Gateway Genmask Flags MSS Window irtt Iface<br>
> 0.0.0.0 136.243.104.xxx 0.0.0.0 UG 0 0 0 enp2s0<br>
><br>
> *> route -n*<br>
> Kernel IP routing table<br>
> Destination Gateway Genmask Flags Metric Ref Use Iface<br>
> 0.0.0.0 136.243.104.xxx 0.0.0.0 UG 0 0 0 enp2s0<br>
><br>
> *> iproute*<br>
> default via 136.243.104.xxx dev enp2s0 proto static onlink<br>
><br>
> If I have missed anything please let me know,<br>
><br>
> Many Thanks,<br>
> Houman<br>
><br>
><br>
> On Thu, 18 Jul 2019 at 08:07, Noel Kuntze <noel.kuntze@thermi.consulting> wrote:<br>
><br>
> Hello Houman,<br>
><br>
> Those are not *routing* tables. Those are your *iptables* rules.<br>
><br>
> Kind regards<br>
><br>
> Noel<br>
><br>
> On 18.07.19 at 09:02, Houman wrote:<br>
> > Hello Noel,<br>
> ><br>
> > You're right. It's interesting that I always get the following error right after that: "unable to install source route for %any".<br>
> ><br>
> > Please find both the IPv4 and IPv6 routing tables as well as the ipsec.conf below.<br>
> ><br>
> > Please note that IPv6 is disabled since my configuration wasn't entirely supported on the latest Ubuntu 18.04 as we had established previously.<br>
> ><br>
> > *IPv4*<br>
> ><br>
> > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019<br>
> > *filter<br>
> > :INPUT DROP [2615693:262169077]<br>
> > :FORWARD DROP [4655474:1206379130]<br>
> > :OUTPUT ACCEPT [8219816926:9451426041332]<br>
> > -A INPUT -i lo -j ACCEPT<br>
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br>
> > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT<br>
> > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT<br>
> > -A INPUT -p udp -m udp --dport 500 -j ACCEPT<br>
> > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT<br>
> > -A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP<br>
> > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT<br>
> > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT<br>
> > COMMIT<br>
> > # Completed on Thu Jul 18 06:54:18 2019<br>
> > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019<br>
> > *nat<br>
> > :PREROUTING ACCEPT [212142454:17804580572]<br>
> > :INPUT ACCEPT [1326262:431133155]<br>
> > :OUTPUT ACCEPT [174309:20072403]<br>
> > :POSTROUTING ACCEPT [174309:20072403]<br>
> > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -m policy --dir out --pol ipsec -j ACCEPT<br>
> > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -j MASQUERADE<br>
> > COMMIT<br>
> > # Completed on Thu Jul 18 06:54:18 2019<br>
> > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019<br>
> > *mangle<br>
> > :PREROUTING ACCEPT [78101233478:52605889723396]<br>
> > :INPUT ACCEPT [28473561018:8872181346525]<br>
> > :FORWARD ACCEPT [49618124462:43732105143957]<br>
> > :OUTPUT ACCEPT [34893259071:40508743962892]<br>
> > :POSTROUTING ACCEPT [84492095926:84235652892511]<br>
> > -A FORWARD -s 10.10.0.0/17 -o enp2s0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360<br>
> > COMMIT<br>
> > # Completed on Thu Jul 18 06:54:18 2019<br>
> ><br>
> > *and IPv6*<br>
> ><br>
> > # Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019<br>
> > *filter<br>
> > :INPUT DROP [53380:3843262]<br>
> > :FORWARD DROP [0:0]<br>
> > :OUTPUT ACCEPT [54922:3965190]<br>
> > -A INPUT -i lo -j ACCEPT<br>
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br>
> > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT<br>
> > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT<br>
> > -A INPUT -p udp -m udp --dport 500 -j ACCEPT<br>
> > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT<br>
> > -A FORWARD -s fdd2:54c4:4c90:1::/113 -d fdd2:54c4:4c90:1::/113 -j DROP<br>
> > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT<br>
> > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT<br>
> > COMMIT<br>
> > # Completed on Thu Jul 18 06:55:55 2019<br>
> > # Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019<br>
> > *nat<br>
> > :PREROUTING ACCEPT [16411485:1786456120]<br>
> > :INPUT ACCEPT [2:392]<br>
> > :OUTPUT ACCEPT [232:18788]<br>
> > :POSTROUTING ACCEPT [232:18788]<br>
> > -A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT<br>
> > -A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -j MASQUERADE<br>
> > COMMIT<br>
> > # Completed on Thu Jul 18 06:55:55 2019<br>
> ><br>
> > *and ipsec.conf*<br>
> ><br>
> > config setup<br>
> > strictcrlpolicy=yes<br>
> > uniqueids=never<br>
> > conn Falkenstein-2<br>
> > auto=add<br>
> > compress=no<br>
> > type=tunnel<br>
> > keyexchange=ikev2<br>
> > fragmentation=yes<br>
> > forceencaps=yes<br>
> > ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048, aes256-sha256-ecp521-ecp256-modp4096-modp2048!<br>
> > esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!<br>
> > dpdaction=clear<br>
> > dpddelay=180s<br>
> > dpdtimeout=3600s<br>
> > rekey=no<br>
> > left=%any<br>
> > leftid=@de-fsn-2.xxxxx.net<br>
> > leftcert=cert.pem<br>
> > leftsendcert=always<br>
> > leftsubnet=0.0.0.0/0, ::/0<br>
> > right=%any<br>
> > rightid=%any<br>
> > rightauth=eap-radius<br>
> > eap_identity=%any<br>
> > rightdns=8.8.8.8,8.8.4.4<br>
> > rightsourceip=10.10.10.0/17,fdd2:54c4:4c90:1::300/113<br>
> > leftfirewall=no<br>
> ><br>
> ><br>
> > Many Thanks,<br>
> > Houman<br>
> ><br>
> > On Thu, 18 Jul 2019 at 07:42, Noel Kuntze <noel.kuntze@thermi.consulting> wrote:<br>
> ><br>
> > Hello Houman,<br>
> ><br>
> > That happens when the main routing table (or other tables in newer kernels) does not have any routes that allow the new route to be installed (next hop is not reachable over a local interface).<br>
> > For the exact reason, you'd need to at least provide the IPv6 routing tables.<br>
> ><br>
> > Kind regards<br>
> ><br>
> > Noel<br>
> ><br>
> > On 18.07.19 at 00:47, Houman wrote:<br>
> > > Hello,<br>
> > ><br>
> > > I'm getting this error in the syslog.<br>
> > ><br>
> > > It still connects but I keep getting this error sometimes:<br>
> > > *charon: 15[KNL] received netlink error: Network is unreachable (101)*<br>
> > ><br>
> > > Why is that?<br>
> > ><br>
> > > *Syslog:*<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease to 'c8c09c88-8a67-4af6-8620-xxxxxx'<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP 10.10.55.127 to peer 'c8c09c88-8a67-4af6-8620-xxxxxx'<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] peer requested virtual IP %any6<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease to 'c8c09c88-8a67-4af6-8620-xxxxxx'<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP fdd2:54c4:4c90:1::307f to peer 'c8c09c88-8a67-4af6-8620-xxxxxx'<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[KNL] received netlink error: Network is unreachable (101)<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[KNL] unable to install source route for %any<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] CHILD_SA Falkenstein-2{455771} established with SPIs c6b5caac_i 0c8a8cdf_o and TS 0.0.0.0/0 ::/0 === 10.10.55.127/32 fdd2:54c4:4c90:1::307f/128<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] sending RADIUS Accounting-Request to server 'server-a'<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[NET] received packet: from 109.177.xx.xxx[4500] to 136.243.xxx.xxx[4500] (112 bytes)<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] received RADIUS Accounting-Response from server 'server-a'<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[ENC] parsed IKE_AUTH request 6 [ AUTH ]<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[NET] sending packet: from 136.243.xxx.xxx[4500] to 86.97.xx.xxx[4500] (368 bytes)<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] authentication of 'VPN' with EAP successful<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] authentication of 'de-fsn-2.xxxxx.net' (myself) with EAP<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] IKE_SA Falkenstein-2[549905] established between 136.243.xxx.xxx[de-fsn-2.xxxxx.net]...109.177.xx.xxx[VPN]<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] peer requested virtual IP %any<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] reassigning offline lease to 'b05ccf72-7bad-425e-95e0-xxxxx'<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] assigning virtual IP 10.10.50.102 to peer 'b05ccf72-7bad-425e-95e0-xxxxx'<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] peer requested virtual IP %any6<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] reassigning offline lease to 'b05ccf72-7bad-425e-95e0-xxxxx'<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] assigning virtual IP fdd2:54c4:4c90:1::2b66 to peer 'b05ccf72-7bad-425e-95e0-xxxxx'<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[KNL] received netlink error: Network is unreachable (101)<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[KNL] unable to install source route for %any<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] CHILD_SA Falkenstein-2{455772} established with SPIs c23f2271_i 07d2a903_o and TS 0.0.0.0/0 ::/0 === 10.10.50.102/32 fdd2:54c4:4c90:1::2b66/128<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] sending RADIUS Accounting-Request to server 'server-a'<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 13[NET] received packet: from 94.206.xxx.xxx[4500] to 136.243.xxx.xxx[4500] (368 bytes)<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] received RADIUS Accounting-Response from server 'server-a'<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 13[ENC] unknown attribute type (25)<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[NET] sending packet: from 136.243.xxx.xxx[4500] to 109.177.xx.xxx[4500] (368 bytes)<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] looking for peer configs matching 136.243.xxx.xxx[de-fsn-2.xxxxx.net]...94.206.xxx.xxx[VPN]<br>
> > ><br>
> > > Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] selected peer config 'Falkenstein-2'<br>
> > ><br>
> > ><br>
> > > Many Thanks,<br>
> > ><br>
> > > Houman<br>
> > ><br>
> ><br>
> > --<br>
> > Noel Kuntze<br>
> > IT security consultant<br>
> ><br>
> > GPG Key ID: 0x0739AD6C<br>
> > Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C<br>
> ><br>
> ><br>
><br>
> -- <br>
> Noel Kuntze<br>
> IT security consultant<br>
><br>
> GPG Key ID: 0x0739AD6C<br>
> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C<br>
><br>
><br>
<br>
-- <br>
Noel Kuntze<br>
IT security consultant<br>
<br>
GPG Key ID: 0x0739AD6C<br>
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C<br>
<br>
<br>
</blockquote></div>
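Noel's explanation in the thread (the source route cannot be installed when nothing in the routing tables makes its next hop reachable over a local interface) can be checked mechanically before a connection is even attempted. The Python below is an added example, not code from the thread or from strongSwan: it parses `ip route show table all` / `ip -6 route show table all` output and applies a simplified model of the kernel's next-hop check to each half of the posted `leftsubnet=0.0.0.0/0, ::/0`. The sample route output, the gateway 136.243.104.1 and the host address 136.243.104.50 are constructed; the empty IPv6 sample mirrors the poster's statement that IPv6 is disabled.

```python
import ipaddress

ROUTE_TYPES = {"local", "broadcast", "unreachable", "prohibit", "blackhole", "anycast", "multicast"}

def parse_routes(text, family):
    """Parse `ip [-6] route show table all` output into route dicts (family is 4 or 6)."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        # Non-unicast entries (e.g. "local 1.2.3.4 dev enp2s0 table local ...") carry a type prefix.
        rtype, toks = (toks[0], toks[1:]) if toks[0] in ROUTE_TYPES else ("unicast", toks)
        dst = toks[0] if toks[0] != "default" else ("::/0" if family == 6 else "0.0.0.0/0")
        routes.append({"type": rtype, "dst": ipaddress.ip_network(dst, strict=False),
                       "onlink": "onlink" in toks,   # keyword values follow the keyword
                       "via": toks[toks.index("via") + 1] if "via" in toks else None,
                       "dev": toks[toks.index("dev") + 1] if "dev" in toks else None})
    return routes

def lookup(routes, addr):
    """Longest-prefix match over unicast routes, as the kernel resolves a destination."""
    addr = ipaddress.ip_address(str(addr))
    hits = [r for r in routes if r["type"] == "unicast"
            and r["dst"].version == addr.version and addr in r["dst"]]
    return max(hits, key=lambda r: r["dst"].prefixlen, default=None)

def source_route_check(routes, ts):
    """Simplified model of what the kernel needs before charon's route for traffic
    selector `ts` can go in: a connected route, an onlink gateway, or a gateway on a connected route."""
    path = lookup(routes, ipaddress.ip_network(ts).network_address)
    if path is None:
        return ("ENETUNREACH", "no route covers " + ts)
    gw = path["via"]
    if gw is None:
        return ("ok", "connected, dev " + path["dev"])
    hop = lookup(routes, gw)
    if not path["onlink"] and (hop is None or hop["via"] is not None):
        return ("reject", "next hop %s is not on a connected route" % gw)
    return ("ok", "via %s dev %s" % (gw, path["dev"]))

# Constructed samples modelled on the thread: onlink IPv4 default route, empty IPv6 tables (IPv6 disabled).
SAMPLE_V4 = "default via 136.243.104.1 dev enp2s0 proto static onlink\n" \
            "local 136.243.104.50 dev enp2s0 table local proto kernel scope host src 136.243.104.50"
SAMPLE_V6 = ""

def diagnose(v4_text=SAMPLE_V4, v6_text=SAMPLE_V6):
    """Check both halves of the posted leftsubnet=0.0.0.0/0, ::/0."""
    return {"0.0.0.0/0": source_route_check(parse_routes(v4_text, 4), "0.0.0.0/0"),
            "::/0": source_route_check(parse_routes(v6_text, 6), "::/0")}
```

Feed it the real output of the two `ip` commands Noel asked for and the `::/0` entry shows immediately whether the IPv6 half of the traffic selector has any path the kernel would accept.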