<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
hi </div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
i have installed strongswan 5.8.4 on centos 8 </div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
after configured roadwarrior configuration i'v used exact example configuration with required modification and i got this error . </div>
<div style="font-family: Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 9.0px Menlo; color: #ffffff; background-color: #000000; background-color: rgba(0, 0, 0, 0.81)">
<span style="font-variant-ligatures: no-common-ligatures">swanctl[40987]: no files found matching '/etc/strongswan/strongswan.conf'</span></p>
<br>
</div>
<div>
<div id="appendonsend"></div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
can you please explain .</div>
<div style="font-family:Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
almost one month im stuck on it im new on linux .</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Users <users-bounces@lists.strongswan.org> on behalf of users-request@lists.strongswan.org <users-request@lists.strongswan.org><br>
<b>Sent:</b> Saturday, June 27, 2020 1:36 AM<br>
<b>To:</b> users@lists.strongswan.org <users@lists.strongswan.org><br>
<b>Subject:</b> Users Digest, Vol 125, Issue 34</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt">
<div class="PlainText">Send Users mailing list submissions to<br>
users@lists.strongswan.org<br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a><br>
or, via email, send a message with subject or body 'help' to<br>
users-request@lists.strongswan.org<br>
<br>
You can reach the person managing the list at<br>
users-owner@lists.strongswan.org<br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: StrongSwan w/ multiple local subnets. (TomK)<br>
2. Re: remote_ts to catch in 'updown' - how? (lejeczek)<br>
3. Re: StrongSwan w/ multiple local subnets. (TomK)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Fri, 26 Jun 2020 10:04:06 -0400<br>
From: TomK <tomkcpr@mdevsys.com><br>
To: Tobias Brunner <tobias@strongswan.org>, users@lists.strongswan.org<br>
Subject: Re: [strongSwan] StrongSwan w/ multiple local subnets.<br>
Message-ID: <24bc9046-d69d-8830-9415-02f4e456baf3@mdevsys.com><br>
Content-Type: text/plain; charset=utf-8; format=flowed<br>
<br>
On 6/24/2020 10:40 AM, TomK wrote:<br>
> On 6/24/2020 9:19 AM, Tobias Brunner wrote:<br>
>> Hi Tom,<br>
>><br>
>>> May I ask which exact line above told you I'm missing sfrm_user? The<br>
>>> ones that start with CUSTOM?<br>
>><br>
>> Yes, the first one is logged after the kernel-netlink plugin failed to<br>
>> open a Netlink/XFRM socket, plus it is obviously missing in the module<br>
>> lists you posted after that.<br>
> <br>
> Kool<br>
> <br>
>><br>
>>> This is DD-WRT so it's a minimized router kernel. I was surprised as the<br>
>>> next guy learning that module isn't available.<br>
>><br>
>> Yeah, makes not much sense to enable the other IPsec-related modules<br>
>> without a means to actually use them. But why did you use the 2.6.23<br>
>> kernel sources to build the missing module if your router uses a 4.4.190<br>
>> kernel?<br>
> <br>
> Was questions my sanity around that as well but initially only found the <br>
> wiki page for 2.6.33 . The SVN appeared a bit messy to me, probably <br>
> because I'm not familiar with it yet, so wasn't sure if they just reused <br>
> the folder name or if it was truly for Linux 2.6.33. And couldn't find <br>
> the Linux 4.4's at the time until I rummaged through the SVN the next day.<br>
> <br>
> Look further down on the post. I've tried the Linux 4.4 branch but <br>
> couldn't get that to work. There's some missing Makefiles.<br>
> <br>
>><br>
>>> I tinkered around with this at some point. I had it originating from<br>
>>> 192.168.0.6 > 10.10.0.4 but same results. Based on what you wrote,<br>
>>> unless I get xfrm_user module installed, this won't work regardless of<br>
>>> what source IP it's coming from?<br>
>><br>
>> No, that's unrelated. You need that module to use the IPsec stack in<br>
>> the kernel (i.e. to run without kernel-libipsec or ipsec0 interface).<br>
>> The whole point of the userland IPsec stack is that it bypasses the<br>
>> kernel and can run with reduced privileges (e.g. on Android where apps<br>
>> can create TUN devices via VpnService API but can't access the kernel's<br>
>> IPsec stack via Netlink/XFRM).<br>
>><br>
>>> instead of originating from the WAN IP. No reply of course. My routes<br>
>><br>
>> Are ESP packets sent? If yes, are any returned? If not, then this<br>
>> seems to be an issue on the other end. So try to follow the traffic <br>
>> there.<br>
> <br>
> That is what I'm not sure about. Between StrongSwan (SSW) and Azure VPN <br>
> Gateway, I'm not able to find which one is it. I've setup a packet <br>
> trace from the Azure VPN Gateway but the only option it gave me as a <br>
> target was against one of the Azure VM's. Not between Azure VPN Gateway <br>
> and the on-prem gateway.<br>
> <br>
> So in the least I was hoping to confirm if everything was sent correctly <br>
> from SSW then I'll be more sure that the issue is really with Azure VPN <br>
> Gateway blocking traffic.<br>
> <br>
> What I do know is that I can ping from the Azure VM's back down to my <br>
> on-prem VLAN (192.168.0.X/24 ) but NOT FROM my router that's running <br>
> SSW. In other words, traffic flows only one way. Down.<br>
> <br>
> So to me this looked like an issue where:<br>
> <br>
> 1) Like you said, ESP packets are not getting sent properly from SSW to <br>
> Azure VPN Gateway. ( How do I confirm this with 100% certainty? What <br>
> should I look for to determine if there's any dropped packets on my <br>
> on-prem F/W that's on this router? )<br>
> <br>
> 2) The Azure VPN Gateway is blocking on-prem to itself. I've made sure <br>
> the F/W on the Azure side is not an issue.<br>
> <br>
> <br>
> <br>
>><br>
>>> root@DD-WRT:~# ip route<br>
>><br>
>> Again, strongSwan installs its routes in table 220, that is, use `ip<br>
>> route show table 220` (or `all`).<br>
> <br>
> root@DD-WRT:~# ip route show table all<br>
> default via 100.100.100.50 dev vlan2<br>
> 10.0.0.0/24 via 192.168.0.1 dev br0 metric 20<br>
> 10.1.0.0/24 via 192.168.0.1 dev br0 metric 20<br>
> 10.1.1.0/24 dev tun2 scope link src 10.1.1.1<br>
> 10.2.0.0/24 via 192.168.0.1 dev br0 metric 20<br>
> 10.3.0.0/24 via 192.168.0.1 dev br0 metric 20<br>
> 100.100.100.75/27 dev vlan2 scope link src 100.100.100.100<br>
> 127.0.0.0/8 dev lo scope link<br>
> 192.168.0.0/24 dev br0 scope link src 192.168.0.6<br>
> 192.168.45.0/24 dev wl0.1 scope link src 192.168.45.1<br>
> 192.168.75.0/24 dev wl1.1 scope link src 192.168.75.1<br>
> broadcast 10.1.1.0 dev tun2 table local scope link src 10.1.1.1<br>
> local 10.1.1.1 dev tun2 table local scope host src 10.1.1.1<br>
> broadcast 10.1.1.255 dev tun2 table local scope link src 10.1.1.1<br>
> broadcast 100.100.100.75 dev vlan2 table local scope link src <br>
> 100.100.100.100<br>
> local 100.100.100.100 dev vlan2 table local scope host src 100.100.100.100<br>
> broadcast 100.100.100.25 dev vlan2 table local scope link src <br>
> 100.100.100.100<br>
> broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1<br>
> local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1<br>
> local 127.0.0.1 dev lo table local scope host src 127.0.0.1<br>
> broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1<br>
> broadcast 192.168.0.0 dev br0 table local scope link src 192.168.0.6<br>
> local 192.168.0.6 dev br0 table local scope host src 192.168.0.6<br>
> broadcast 192.168.0.255 dev br0 table local scope link src 192.168.0.6<br>
> broadcast 192.168.45.0 dev wl0.1 table local scope link src 192.168.45.1<br>
> local 192.168.45.1 dev wl0.1 table local scope host src 192.168.45.1<br>
> broadcast 192.168.45.255 dev wl0.1 table local scope link src 192.168.45.1<br>
> broadcast 192.168.75.0 dev wl1.1 table local scope link src 192.168.75.1<br>
> local 192.168.75.1 dev wl1.1 table local scope host src 192.168.75.1<br>
> broadcast 192.168.75.255 dev wl1.1 table local scope link src 192.168.75.1<br>
> root@DD-WRT:~#<br>
> <br>
> <br>
> root@DD-WRT:~# ip route show table 220<br>
> root@DD-WRT:~#<br>
> <br>
> <br>
> ( Redacted the IP hence why you see 100.100.100.X for the ISP GW )<br>
> <br>
>><br>
>> Regards,<br>
>> Tobias<br>
>><br>
> <br>
> <br>
<br>
What are the dependencies of all these modules listed here? I'm close <br>
and was able to load quite a few:<br>
<br>
<a href="https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1209261#1209261">https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1209261#1209261</a><br>
<br>
<a href="https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules">https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules</a><br>
<br>
but xfrm_user.ko doesn't insert and suspecting due to missing dependencies:<br>
<br>
root@DD-WRT:/opt/xfrm4# lsmod<br>
Module Size Used by<br>
tunnel6 1691 0<br>
xfrm4_mode_tunnel 1354 0<br>
xfrm4_mode_transport 778 0<br>
xfrm4_mode_beet 1418 0<br>
ah4 4540 0<br>
esp4 5175 0<br>
xfrm_ipcomp 2853 0<br>
xfrm4_tunnel 1368 0<br>
xfrm_algo 3645 3 ah4,esp4,xfrm_ipcomp<br>
ip_tunnel 10496 0<br>
tunnel4 1692 1 xfrm4_tunnel<br>
ext4 319105 1<br>
jbd2 50250 1 ext4<br>
mbcache 7009 1 ext4<br>
crc16 1060 1 ext4<br>
vhci_hcd 12705 0<br>
usbip_host 12201 0<br>
usbip_core 4593 2 vhci_hcd,usbip_host<br>
usblp 8913 0<br>
usb_storage 37587 1<br>
sr_mod 11005 0<br>
cdrom 24153 1 sr_mod<br>
sd_mod 24627 1<br>
scsi_mod 83966 3 usb_storage,sr_mod,sd_mod<br>
xhci_plat_hcd 2116 0<br>
xhci_pci 2632 0<br>
xhci_hcd 84444 2 xhci_plat_hcd,xhci_pci<br>
ohci_pci 2157 0<br>
ohci_hcd 23292 1 ohci_pci<br>
ehci_pci 2829 0<br>
ehci_hcd 33905 1 ehci_pci<br>
usbcore 127988 12 <br>
vhci_hcd,usbip_host,usblp,usb_storage,xhci_plat_hcd,xhci_pci,xhci_hcd,ohci_pci,ohci_hcd,ehci_pci,ehci_hcd<br>
usb_common 1589 2 vhci_hcd,usbcore<br>
ip6_tables 9261 0<br>
xt_ndpi 344541 0<br>
tun 15569 4<br>
fast_classifier 138897 0<br>
jffs2 92216 1<br>
lzo_decompress 1764 0<br>
lzo_compress 1828 0<br>
lzma_decompress 8228 1 jffs2<br>
lzma_compress 23664 1 jffs2<br>
wl 4384906 0<br>
switch_robo 13611 0<br>
switch_core 5449 1 switch_robo<br>
et 42648 0<br>
root@DD-WRT:/opt/xfrm4#<br>
<br>
<br>
All others insert just fine as long as they are added in a specific <br>
sequence:<br>
<br>
<br>
root@DD-WRT:/opt/xfrm4# for mods in $(echo tunnel4.ko ip_tunnel.ko <br>
xfrm_algo.ko xfrm4_tunnel.ko xfrm_ipcomp.ko esp4.ko ah4.ko <br>
xfrm4_mode_beet.ko xfrm4<br>
_mode_beet.ko xfrm4_mode_transport.ko xfrm4_mode_tunnel.ko <br>
xfrm_user.ko); do insmod $mods; done<br>
insmod: cannot insert 'tunnel4.ko': File exists<br>
insmod: cannot insert 'ip_tunnel.ko': File exists<br>
insmod: cannot insert 'xfrm_algo.ko': File exists<br>
insmod: cannot insert 'xfrm4_tunnel.ko': File exists<br>
insmod: cannot insert 'xfrm_ipcomp.ko': File exists<br>
insmod: cannot insert 'esp4.ko': File exists<br>
insmod: cannot insert 'ah4.ko': File exists<br>
insmod: cannot insert 'xfrm4_mode_beet.ko': File exists<br>
insmod: cannot insert 'xfrm4_mode_beet.ko': File exists<br>
insmod: cannot insert 'xfrm4_mode_transport.ko': File exists<br>
insmod: cannot insert 'xfrm4_mode_tunnel.ko': File exists<br>
insmod: cannot insert 'xfrm_user.ko': unknown symbol in module<br>
root@DD-WRT:/opt/xfrm4#<br>
<br>
<br>
root@DD-WRT:/opt/xfrm4# strings xfrm_user.ko|grep -Ei depends<br>
depends=xfrm_algo<br>
root@DD-WRT:/opt/xfrm4# insmod xfrm_algo.ko<br>
insmod: cannot insert 'xfrm_algo.ko': File exists<br>
root@DD-WRT:/opt/xfrm4# lsmod|grep xfrm_algo<br>
xfrm_algo 3645 3 ah4,esp4,xfrm_ipcomp<br>
root@DD-WRT:/opt/xfrm4#<br>
<br>
<br>
<br>
-- <br>
Thx,<br>
TK.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Fri, 26 Jun 2020 23:24:22 +0100<br>
From: lejeczek <peljasz@yahoo.co.uk><br>
To: users@lists.strongswan.org<br>
Subject: Re: [strongSwan] remote_ts to catch in 'updown' - how?<br>
Message-ID: <28c1e89f-4014-0810-4a47-f30e467e0633@yahoo.co.uk><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
<br>
<br>
On 25/06/2020 08:50, Tobias Brunner wrote:<br>
> Hi,<br>
><br>
>> But I see it appear only once with the latter IP/net.<br>
> Then you either use IKEv1, or your peer narrowed the traffic selectors<br>
> (due to its configuration or maybe because it only supports a single TS<br>
> per CHILD_SA), check the log for details.<br>
><br>
> Regards,<br>
> Tobias<br>
Could it be buggy Strongswan, the version I have?<br>
<br>
$ swanctl --list-conn<br>
muni: IKEv2, no reauthentication, rekeying every 14400s<br>
local: %any<br>
remote:....<br>
....<br>
muni: TUNNEL, rekeying every 3600s<br>
local: dynamic<br>
remote: 10.5.4.204/32 172.16.0.0/12<br>
<br>
And my 'updown':<br>
----<br>
set -o nounset<br>
set -o errexit<br>
<br>
VTI_IF="vti${PLUTO_UNIQUEID}"<br>
<br>
_vtiLog="/var/log/vti-iface.log"<br>
_serverClient=${1}<br>
_myLocalIP=$(hostname -i)<br>
<br>
echo -ne "\n----RUN\n${VTI_IF} - ${PLUTO_VERB}\n" >> ${_vtiLog}<br>
<br>
case "${PLUTO_VERB}" in<br>
up-client)<br>
ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote<br>
"${PLUTO_PEER}" mode vti key "${PLUTO_MARK_OUT%%/*}"<br>
echo ip tunnel add "${VTI_IF}" local "${PLUTO_ME}"<br>
remote "${PLUTO_PEER}" mode vti key "${PLUTO_MARK_OUT%%/*}"<br>
>> ${_vtiLog}<br>
ip link set "${VTI_IF}" mtu 1400 up >> ${_vtiLog}<br>
echo ip link set "${VTI_IF}" mtu 1400 up >> ${_vtiLog}<br>
>> ${_vtiLog}<br>
if [ ${_serverClient} = "roadwarrior" ]; then<br>
ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"<br>
echo ip route add "${PLUTO_PEER_CLIENT}" dev<br>
"${VTI_IF}" >> ${_vtiLog}<br>
ip route add "${PLUTO_PEER_CLIENT}" dev "${VTI_IF}"<br>
firewall-cmd --zone=strongswan --add-interface="${VTI_IF}"<br>
elif [ ${_serverClient} = "server" ]; then<br>
ip route add "${PLUTO_PEER_SOURCEIP}" dev "${VTI_IF}"<br>
src ${_myLocalIP}<br>
echo ip route add "${PLUTO_PEER_SOURCEIP}" dev<br>
"${VTI_IF}" src ${_myLocalIP} >> ${_vtiLog}<br>
fi<br>
sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"<br>
echo sysctl -w<br>
"net.ipv4.conf.${VTI_IF}.disable_policy=1" >> ${_vtiLog}<br>
;;<br>
down-client)<br>
ip tunnel del "${VTI_IF}"<br>
echo ip tunnel del "${VTI_IF}" >> ${_vtiLog}<br>
firewall-cmd --zone=strongswan<br>
--remove-interface="${VTI_IF}"<br>
;;<br>
esac<br>
----<br>
<br>
And the log's content:<br>
<br>
----RUN<br>
vti2 - up-client<br>
ip tunnel add vti2 local _IPa remote _IPb mode vti key 12<br>
ip link set vti2 mtu 1400 up<br>
ip addr add 172.16.32.59 dev vti2<br>
ip route add 10.5.4.204/32 dev vti2<br>
sysctl -w net.ipv4.conf.vti2.disable_policy=1<br>
<br>
----RUN<br>
vti2 - up-client<br>
(here I'd expect something but it's where the file ends)<br>
<br>
<br>
ps. One thing I should mention with I realize seems odd:<br>
10.5.4.204/32 - in reality is a public IP and in swanctl<br>
conf no matter how I put it:<br>
...<br>
remote_ts = "10.5.4.204/32,172.16.0.0/12"<br>
or<br>
remote_ts = "172.16.0.0/12,10.5.4.204/32"<br>
<br>
I always get that "public IP" only, whereas before I thought<br>
I got it only when it was specified as last one in the pack.<br>
<br>
thanks, L<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Fri, 26 Jun 2020 18:36:12 -0400<br>
From: TomK <tomkcpr@mdevsys.com><br>
To: Tobias Brunner <tobias@strongswan.org>, users@lists.strongswan.org<br>
Subject: Re: [strongSwan] StrongSwan w/ multiple local subnets.<br>
Message-ID: <de7e6c3f-6367-86f5-f5c8-d95f7dade76a@mdevsys.com><br>
Content-Type: text/plain; charset=utf-8; format=flowed<br>
<br>
On 6/26/2020 10:04 AM, TomK wrote:<br>
> On 6/24/2020 10:40 AM, TomK wrote:<br>
>> On 6/24/2020 9:19 AM, Tobias Brunner wrote:<br>
>>> Hi Tom,<br>
>>><br>
>>>> May I ask which exact line above told you I'm missing sfrm_user? The<br>
>>>> ones that start with CUSTOM?<br>
>>><br>
>>> Yes, the first one is logged after the kernel-netlink plugin failed to<br>
>>> open a Netlink/XFRM socket, plus it is obviously missing in the module<br>
>>> lists you posted after that.<br>
>><br>
>> Kool<br>
>><br>
>>><br>
>>>> This is DD-WRT so it's a minimized router kernel. I was surprised as <br>
>>>> the<br>
>>>> next guy learning that module isn't available.<br>
>>><br>
>>> Yeah, makes not much sense to enable the other IPsec-related modules<br>
>>> without a means to actually use them. But why did you use the 2.6.23<br>
>>> kernel sources to build the missing module if your router uses a 4.4.190<br>
>>> kernel?<br>
>><br>
>> Was questions my sanity around that as well but initially only found <br>
>> the wiki page for 2.6.33 . The SVN appeared a bit messy to me, <br>
>> probably because I'm not familiar with it yet, so wasn't sure if they <br>
>> just reused the folder name or if it was truly for Linux 2.6.33. And <br>
>> couldn't find the Linux 4.4's at the time until I rummaged through the <br>
>> SVN the next day.<br>
>><br>
>> Look further down on the post. I've tried the Linux 4.4 branch but <br>
>> couldn't get that to work. There's some missing Makefiles.<br>
>><br>
>>><br>
>>>> I tinkered around with this at some point. I had it originating from<br>
>>>> 192.168.0.6 > 10.10.0.4 but same results. Based on what you wrote,<br>
>>>> unless I get xfrm_user module installed, this won't work regardless of<br>
>>>> what source IP it's coming from?<br>
>>><br>
>>> No, that's unrelated. You need that module to use the IPsec stack in<br>
>>> the kernel (i.e. to run without kernel-libipsec or ipsec0 interface).<br>
>>> The whole point of the userland IPsec stack is that it bypasses the<br>
>>> kernel and can run with reduced privileges (e.g. on Android where apps<br>
>>> can create TUN devices via VpnService API but can't access the kernel's<br>
>>> IPsec stack via Netlink/XFRM).<br>
>>><br>
>>>> instead of originating from the WAN IP. No reply of course. My routes<br>
>>><br>
>>> Are ESP packets sent? If yes, are any returned? If not, then this<br>
>>> seems to be an issue on the other end. So try to follow the traffic <br>
>>> there.<br>
>><br>
>> That is what I'm not sure about. Between StrongSwan (SSW) and Azure <br>
>> VPN Gateway, I'm not able to find which one is it. I've setup a <br>
>> packet trace from the Azure VPN Gateway but the only option it gave me <br>
>> as a target was against one of the Azure VM's. Not between Azure VPN <br>
>> Gateway and the on-prem gateway.<br>
>><br>
>> So in the least I was hoping to confirm if everything was sent <br>
>> correctly from SSW then I'll be more sure that the issue is really <br>
>> with Azure VPN Gateway blocking traffic.<br>
>><br>
>> What I do know is that I can ping from the Azure VM's back down to my <br>
>> on-prem VLAN (192.168.0.X/24 ) but NOT FROM my router that's running <br>
>> SSW. In other words, traffic flows only one way. Down.<br>
>><br>
>> So to me this looked like an issue where:<br>
>><br>
>> 1) Like you said, ESP packets are not getting sent properly from SSW <br>
>> to Azure VPN Gateway. ( How do I confirm this with 100% certainty? <br>
>> What should I look for to determine if there's any dropped packets on <br>
>> my on-prem F/W that's on this router? )<br>
>><br>
>> 2) The Azure VPN Gateway is blocking on-prem to itself. I've made <br>
>> sure the F/W on the Azure side is not an issue.<br>
>><br>
>><br>
>><br>
>>><br>
>>>> root@DD-WRT:~# ip route<br>
>>><br>
>>> Again, strongSwan installs its routes in table 220, that is, use `ip<br>
>>> route show table 220` (or `all`).<br>
>><br>
>> root@DD-WRT:~# ip route show table all<br>
>> default via 100.100.100.50 dev vlan2<br>
>> 10.0.0.0/24 via 192.168.0.1 dev br0 metric 20<br>
>> 10.1.0.0/24 via 192.168.0.1 dev br0 metric 20<br>
>> 10.1.1.0/24 dev tun2 scope link src 10.1.1.1<br>
>> 10.2.0.0/24 via 192.168.0.1 dev br0 metric 20<br>
>> 10.3.0.0/24 via 192.168.0.1 dev br0 metric 20<br>
>> 100.100.100.75/27 dev vlan2 scope link src 100.100.100.100<br>
>> 127.0.0.0/8 dev lo scope link<br>
>> 192.168.0.0/24 dev br0 scope link src 192.168.0.6<br>
>> 192.168.45.0/24 dev wl0.1 scope link src 192.168.45.1<br>
>> 192.168.75.0/24 dev wl1.1 scope link src 192.168.75.1<br>
>> broadcast 10.1.1.0 dev tun2 table local scope link src 10.1.1.1<br>
>> local 10.1.1.1 dev tun2 table local scope host src 10.1.1.1<br>
>> broadcast 10.1.1.255 dev tun2 table local scope link src 10.1.1.1<br>
>> broadcast 100.100.100.75 dev vlan2 table local scope link src <br>
>> 100.100.100.100<br>
>> local 100.100.100.100 dev vlan2 table local scope host src <br>
>> 100.100.100.100<br>
>> broadcast 100.100.100.25 dev vlan2 table local scope link src <br>
>> 100.100.100.100<br>
>> broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1<br>
>> local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1<br>
>> local 127.0.0.1 dev lo table local scope host src 127.0.0.1<br>
>> broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1<br>
>> broadcast 192.168.0.0 dev br0 table local scope link src 192.168.0.6<br>
>> local 192.168.0.6 dev br0 table local scope host src 192.168.0.6<br>
>> broadcast 192.168.0.255 dev br0 table local scope link src 192.168.0.6<br>
>> broadcast 192.168.45.0 dev wl0.1 table local scope link src 192.168.45.1<br>
>> local 192.168.45.1 dev wl0.1 table local scope host src 192.168.45.1<br>
>> broadcast 192.168.45.255 dev wl0.1 table local scope link src <br>
>> 192.168.45.1<br>
>> broadcast 192.168.75.0 dev wl1.1 table local scope link src 192.168.75.1<br>
>> local 192.168.75.1 dev wl1.1 table local scope host src 192.168.75.1<br>
>> broadcast 192.168.75.255 dev wl1.1 table local scope link src <br>
>> 192.168.75.1<br>
>> root@DD-WRT:~#<br>
>><br>
>><br>
>> root@DD-WRT:~# ip route show table 220<br>
>> root@DD-WRT:~#<br>
>><br>
>><br>
>> ( Redacted the IP hence why you see 100.100.100.X for the ISP GW )<br>
>><br>
>>><br>
>>> Regards,<br>
>>> Tobias<br>
>>><br>
>><br>
>><br>
> <br>
> What are the dependencies of all these modules listed here? I'm close <br>
> and was able to load quite a few:<br>
> <br>
> <a href="https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1209261#1209261">https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1209261#1209261</a><br>
> <br>
> <a href="https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules">https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules</a><br>
> <br>
> but xfrm_user.ko doesn't insert and suspecting due to missing dependencies:<br>
> <br>
> root@DD-WRT:/opt/xfrm4# lsmod<br>
> Module Size Used by<br>
> tunnel6 1691 0<br>
> xfrm4_mode_tunnel 1354 0<br>
> xfrm4_mode_transport 778 0<br>
> xfrm4_mode_beet 1418 0<br>
> ah4 4540 0<br>
> esp4 5175 0<br>
> xfrm_ipcomp 2853 0<br>
> xfrm4_tunnel 1368 0<br>
> xfrm_algo 3645 3 ah4,esp4,xfrm_ipcomp<br>
> ip_tunnel 10496 0<br>
> tunnel4 1692 1 xfrm4_tunnel<br>
> ext4 319105 1<br>
> jbd2 50250 1 ext4<br>
> mbcache 7009 1 ext4<br>
> crc16 1060 1 ext4<br>
> vhci_hcd 12705 0<br>
> usbip_host 12201 0<br>
> usbip_core 4593 2 vhci_hcd,usbip_host<br>
> usblp 8913 0<br>
> usb_storage 37587 1<br>
> sr_mod 11005 0<br>
> cdrom 24153 1 sr_mod<br>
> sd_mod 24627 1<br>
> scsi_mod 83966 3 usb_storage,sr_mod,sd_mod<br>
> xhci_plat_hcd 2116 0<br>
> xhci_pci 2632 0<br>
> xhci_hcd 84444 2 xhci_plat_hcd,xhci_pci<br>
> ohci_pci 2157 0<br>
> ohci_hcd 23292 1 ohci_pci<br>
> ehci_pci 2829 0<br>
> ehci_hcd 33905 1 ehci_pci<br>
> usbcore 127988 12 <br>
> vhci_hcd,usbip_host,usblp,usb_storage,xhci_plat_hcd,xhci_pci,xhci_hcd,ohci_pci,ohci_hcd,ehci_pci,ehci_hcd
<br>
> <br>
> usb_common 1589 2 vhci_hcd,usbcore<br>
> ip6_tables 9261 0<br>
> xt_ndpi 344541 0<br>
> tun 15569 4<br>
> fast_classifier 138897 0<br>
> jffs2 92216 1<br>
> lzo_decompress 1764 0<br>
> lzo_compress 1828 0<br>
> lzma_decompress 8228 1 jffs2<br>
> lzma_compress 23664 1 jffs2<br>
> wl 4384906 0<br>
> switch_robo 13611 0<br>
> switch_core 5449 1 switch_robo<br>
> et 42648 0<br>
> root@DD-WRT:/opt/xfrm4#<br>
> <br>
> <br>
> All others insert just fine as long as they are added in a specific <br>
> sequence:<br>
> <br>
> <br>
> root@DD-WRT:/opt/xfrm4# for mods in $(echo tunnel4.ko ip_tunnel.ko <br>
> xfrm_algo.ko xfrm4_tunnel.ko xfrm_ipcomp.ko esp4.ko ah4.ko <br>
> xfrm4_mode_beet.ko xfrm4<br>
> _mode_beet.ko xfrm4_mode_transport.ko xfrm4_mode_tunnel.ko <br>
> xfrm_user.ko); do insmod $mods; done<br>
> insmod: cannot insert 'tunnel4.ko': File exists<br>
> insmod: cannot insert 'ip_tunnel.ko': File exists<br>
> insmod: cannot insert 'xfrm_algo.ko': File exists<br>
> insmod: cannot insert 'xfrm4_tunnel.ko': File exists<br>
> insmod: cannot insert 'xfrm_ipcomp.ko': File exists<br>
> insmod: cannot insert 'esp4.ko': File exists<br>
> insmod: cannot insert 'ah4.ko': File exists<br>
> insmod: cannot insert 'xfrm4_mode_beet.ko': File exists<br>
> insmod: cannot insert 'xfrm4_mode_beet.ko': File exists<br>
> insmod: cannot insert 'xfrm4_mode_transport.ko': File exists<br>
> insmod: cannot insert 'xfrm4_mode_tunnel.ko': File exists<br>
> insmod: cannot insert 'xfrm_user.ko': unknown symbol in module<br>
> root@DD-WRT:/opt/xfrm4#<br>
> <br>
> <br>
> root@DD-WRT:/opt/xfrm4# strings xfrm_user.ko|grep -Ei depends<br>
> depends=xfrm_algo<br>
> root@DD-WRT:/opt/xfrm4# insmod xfrm_algo.ko<br>
> insmod: cannot insert 'xfrm_algo.ko': File exists<br>
> root@DD-WRT:/opt/xfrm4# lsmod|grep xfrm_algo<br>
> xfrm_algo 3645 3 ah4,esp4,xfrm_ipcomp<br>
> root@DD-WRT:/opt/xfrm4#<br>
> <br>
> <br>
> <br>
<br>
Is the xfrm_user.ko module used for both traffic going out and coming <br>
back in via StrongSwan / IPSEC ?<br>
<br>
<br>
<br>
-- <br>
Thx,<br>
TK.<br>
<br>
<br>
End of Users Digest, Vol 125, Issue 34<br>
**************************************<br>
</div>
</span></font></div>
</div>
</body>
</html>