[strongSwan] strongswan + 3rd VPN router - no traffic
NADASI Peter
peter at citynet.hu
Thu May 13 17:30:28 CEST 2010
Hi,
I'm planning to replace my old ZyWALL VPN concentrator with a Linux box
using strongSwan.
I'm struggling with almost the same problem as Francois with the Cisco
IOS...
The tunnel has been successfully established, but no ping, no traffic at
all, neither from local nor from remote.
The Linux box has an external IP, 217.27.211.17, on eth0 and an internal
IP, 192.168.129.180, on eth1. There is a server on the internal subnet
(192.168.129.181) which should be reached from the VPN. This server has
its default gateway set to 192.168.129.180 (the strongSwan Linux box's
internal address).
The remote VPN device is a Check Point VPN-1 Edge router. I also tried
with a cheap DrayTek Vigor VPN router and experienced the same situation:
tunnel established, no traffic.
strongSwan 4.2.9-1
Ubuntu 9.04
/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        plutodebug=control
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        charonstart=yes
        plutostart=yes
        strictcrlpolicy=no

conn tunnelipsec
        type=tunnel
        authby=secret
        left=217.27.211.17
        leftsubnet=192.168.129.0/24
        leftnexthop=217.27.211.62
        #leftsourceip=192.168.129.180
        leftfirewall=yes
        right=%any
        rightsubnetwithin=192.168.0.0/16
        #rightnexthop=%defaultroute
        rightfirewall=yes
        esp=3des-md5
        keyexchange=ike
        pfs=no
        auto=add
I use right=%any because there will be more than 20 peers and I would like
to use one generic community; that's why I'm using rightsubnetwithin= too.
I have no iptables rules except the automatic rules made by strongswan.
root@vpn:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.180.0/24     192.168.129.0/24     policy match dir in pol ipsec reqid 16389 proto 50
ACCEPT     all  --  192.168.129.0/24     192.168.180.0/24     policy match dir out pol ipsec reqid 16389 proto 50
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I made a NAT rule on 217.27.211.17 to provide internet access for
192.168.129.181.
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -s 192.168.129.0/24 -j SNAT --to 217.27.211.17
iptables -t nat -I POSTROUTING 1 -s 192.168.129.0/24 -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
root@vpn:~# iptables -L -t nat -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.129.0/24     0.0.0.0/0            policy match dir out pol ipsec proto 50
SNAT       all  --  192.168.129.0/24     0.0.0.0/0            to:217.27.211.17
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I'm stuck here. I Googled for a day and played with leftnexthop=%defaultroute
and %direct, but no change.
If you have any idea how to proceed...
Thank you
Peter Nadasi
Here are my logs below:
tail -f /var/log/syslog
May 13 17:23:47 vpn charon: 01[KNL] listening on interfaces:
May 13 17:23:47 vpn charon: 01[KNL] eth0
May 13 17:23:47 vpn charon: 01[KNL] 217.27.211.17
May 13 17:23:48 vpn charon: 01[KNL] fe80::20c:29ff:feb0:67dd
May 13 17:23:48 vpn charon: 01[KNL] eth1
May 13 17:23:48 vpn charon: 01[KNL] 192.168.129.180
May 13 17:23:48 vpn charon: 01[KNL] fe80::20c:29ff:feb0:67e7
May 13 17:23:48 vpn charon: 01[JOB] spawning 16 worker threads
May 13 17:23:48 vpn charon: 07[CFG] received stroke: add connection 'tunnelipsec'
May 13 17:23:48 vpn charon: 07[CFG] added configuration 'tunnelipsec': 217.27.211.17[217.27.211.17]...%any[%any]
May 13 17:24:31 vpn vpn: + 78.131.79.59 192.168.180.0/24 == 78.131.79.59 -- 217.27.211.17 == 192.168.129.0/24
root@vpn:~# ipsec statusall
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 217.27.211.17:4500
000 interface eth0/eth0 217.27.211.17:500
000 interface eth1/eth1 192.168.129.180:4500
000 interface eth1/eth1 192.168.129.180:500
000 %myid = (none)
000 debug control
000
000 "tunnelipsec": 192.168.129.0/24===217.27.211.17---217.27.211.62...%any==={192.168.0.0/16}; unrouted; eroute owner: #0
000 "tunnelipsec": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "tunnelipsec": policy: PSK+ENCRYPT+TUNNEL; prio: 24,16; interface: eth0;
000 "tunnelipsec": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "tunnelipsec": IKE algorithms wanted: 7_128-2-14,
000 "tunnelipsec": IKE algorithms found: 7_128-2_160-14,
000 "tunnelipsec": ESP algorithms wanted: 3_000-1,
000 "tunnelipsec": ESP algorithms loaded: 3_192-1_128,
000 "tunnelipsec"[1]: 192.168.129.0/24===217.27.211.17---217.27.211.62...78.131.79.59===192.168.180.0/24; erouted; eroute owner: #2
000 "tunnelipsec"[1]: ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "tunnelipsec"[1]: policy: PSK+ENCRYPT+TUNNEL; prio: 24,16; interface: eth0;
000 "tunnelipsec"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "tunnelipsec"[1]: IKE algorithms wanted: 7_128-2-14,
000 "tunnelipsec"[1]: IKE algorithms found: 7_128-2_160-14,
000 "tunnelipsec"[1]: IKE algorithm newest: AES_CBC_256-SHA-MODP1024
000 "tunnelipsec"[1]: ESP algorithms wanted: 3_000-1,
000 "tunnelipsec"[1]: ESP algorithms loaded: 3_192-1_128,
000 "tunnelipsec"[1]: ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<N/A>
000
000 #2: "tunnelipsec"[1] 78.131.79.59 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3234s; newest IPSEC; eroute owner
000 #2: "tunnelipsec"[1] 78.131.79.59 esp.af1c53b7@78.131.79.59 (0 bytes) esp.b2745537@217.27.211.17 (0 bytes); tunnel
000 #1: "tunnelipsec"[1] 78.131.79.59 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 10432s; newest ISAKMP
000
Performance:
uptime: 2 minutes, since May 13 17:23:47 2010
worker threads: 10 idle of 16, job queue load: 1, scheduled events: 0
loaded plugins: curl ldap random x509 pubkey xcbc hmac openssl agent gmp
kernel-netlink stroke updown
Listening IP addresses:
217.27.211.17
192.168.129.180
Connections:
Security Associations:
none
root@vpn:~# ip -s xfrm state
src 217.27.211.17 dst 78.131.79.59
	proto esp spi 0xaf1c53b7(2937869239) reqid 16389(0x00004005) mode tunnel
	replay-window 32 seq 0x00000000 flag (0x00000000)
	auth hmac(sha1) 0x6cdd823153b19b6e713ee9ec47b621bbb0ead0a0 (160 bits)
	enc cbc(des3_ede) 0x207a804cefa2770ff56e9f32d23b49339384fc60cc284d79 (192 bits)
	sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2010-05-13 17:24:31 use -
	stats:
	  replay-window 0 replay 0 failed 0
src 78.131.79.59 dst 217.27.211.17
	proto esp spi 0xb2745537(2993968439) reqid 16389(0x00004005) mode tunnel
	replay-window 32 seq 0x00000000 flag (0x00000000)
	auth hmac(sha1) 0xaaac52c8adb933bdb84c09f3f36a8689b4b54f66 (160 bits)
	enc cbc(des3_ede) 0x98d0c03fead9bd1c0c0244adba0c615254e9431ea97f9146 (192 bits)
	sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  0(bytes), 0(packets)
	  add 2010-05-13 17:24:30 use -
	stats:
	  replay-window 0 replay 0 failed 0
root@vpn:~# ip -s xfrm policy
src 192.168.129.0/24 dst 192.168.180.0/24 uid 0
dir out action allow index 2473 priority 2344 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:24:31 use -
tmpl src 217.27.211.17 dst 78.131.79.59
proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode
tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.180.0/24 dst 192.168.129.0/24 uid 0
dir fwd action allow index 2466 priority 2344 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:24:30 use -
tmpl src 78.131.79.59 dst 217.27.211.17
proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode
tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.180.0/24 dst 192.168.129.0/24 uid 0
dir in action allow index 2456 priority 2344 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:24:30 use -
tmpl src 78.131.79.59 dst 217.27.211.17
proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode
tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src ::/0 dst ::/0 uid 0
dir 4 action allow index 2452 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:48 use -
src ::/0 dst ::/0 uid 0
dir 3 action allow index 2443 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:48 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 4 action allow index 2436 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:48 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 3 action allow index 2427 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:48 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 4 action allow index 2420 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:48 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 3 action allow index 2411 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:48 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 4 action allow index 2404 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:48 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 3 action allow index 2395 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:48 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 4 action allow index 2388 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:48 use 2010-05-13 17:24:30
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 3 action allow index 2379 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:48 use 2010-05-13 17:24:31
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 4 action allow index 2372 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:48 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 3 action allow index 2363 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:48 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 4 action allow index 2356 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:48 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 3 action allow index 2347 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:48 use -
src ::/0 dst ::/0 uid 0
dir 3 action allow index 2339 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:47 use -
src ::/0 dst ::/0 uid 0
dir 4 action allow index 2332 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:47 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 3 action allow index 2323 priority 0 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:47 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 4 action allow index 2316 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:47 use -
src ::/0 dst ::/0 uid 0
dir 3 action allow index 2307 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:47 use -
src ::/0 dst ::/0 uid 0
dir 4 action allow index 2300 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:47 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 3 action allow index 2291 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:47 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 4 action allow index 2284 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:47 use -
src ::/0 dst ::/0 uid 0
dir 3 action allow index 2275 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:47 use -
src ::/0 dst ::/0 uid 0
dir 4 action allow index 2268 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:47 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 3 action allow index 2259 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:47 use 2010-05-13 17:28:59
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
dir 4 action allow index 2252 priority 0 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-05-13 17:23:47 use -
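A triage script for the symptom in this post (IKE and ESP SAs established, both SAs at 0 bytes), added here as an example and not code from the original message or from strongSwan. It parses the text of two commands: `ip -s xfrm state`, taken from the post, and `iptables -t nat -S POSTROUTING`, which is an assumption; the post shows `iptables -L -n`, and without `-v` that listing omits the in/out interface columns, so an `-o` match on a rule is invisible there. The script reports which SA direction never carried a byte, and checks the nat/POSTROUTING rules for two things a practitioner would look at first with this layout: that the `-m policy --dir out --pol ipsec` ACCEPT rule precedes the SNAT rule, and that it is not bound to an interface the forwarded packet never leaves on. In tunnel mode the still-unencrypted forwarded packet traverses POSTROUTING with the output interface of the route to the peer (eth0 here, via the default gateway), before ESP encapsulation, so an exemption written with `-o eth1` cannot match and the SNAT rule rewrites the source address out of the `192.168.129.0/24 -> 192.168.180.0/24` SPD selector. The sample inputs are constructed from the figures in the post; the peer interface name is passed in as a parameter.

```python
"""Triage helper for an IPsec tunnel that is up but carries no traffic.

Added example for this thread, not code from the original post or from
strongSwan. Reads the text of `ip -s xfrm state` and (assumed)
`iptables -t nat -S POSTROUTING` and reports dead SAs and NAT-rule problems.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: abridged from the `ip -s xfrm state` output in the post.
XFRM_STATE_SAMPLE = """\
src 217.27.211.17 dst 78.131.79.59
    proto esp spi 0xaf1c53b7(2937869239) reqid 16389(0x00004005) mode tunnel
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
    lifetime current:
      0(bytes), 0(packets)
src 78.131.79.59 dst 217.27.211.17
    proto esp spi 0xb2745537(2993968439) reqid 16389(0x00004005) mode tunnel
    lifetime current:
      0(bytes), 0(packets)
"""

# Constructed sample: the two NAT rules from the post, as `iptables -t nat -S
# POSTROUTING` would list them (the `-L -n` listing in the post hides the -o).
NAT_RULES_SAMPLE = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.129.0/24 -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A POSTROUTING -s 192.168.129.0/24 -j SNAT --to-source 217.27.211.17
"""
# Same rules with the exemption matching the external interface instead.
NAT_RULES_FIXED = NAT_RULES_SAMPLE.replace("-o eth1", "-o eth0")


@dataclass
class SaCounters:
    src: str
    dst: str
    spi: str = ""
    bytes_: int = 0
    packets: int = 0


_SA_HEAD = re.compile(r"^src (\S+) dst (\S+)$")
_SPI = re.compile(r"\bspi (0x[0-9a-fA-F]+)")
_CURRENT = re.compile(r"^(\d+)\(bytes\), (\d+)\(packets\)$")


def parse_xfrm_state(text: str) -> List[SaCounters]:
    """Parse `ip -s xfrm state` into one record per SA with its traffic counters."""
    sas: List[SaCounters] = []
    for raw in text.splitlines():
        line = raw.strip()
        head = _SA_HEAD.match(line)
        if head:
            sas.append(SaCounters(head.group(1), head.group(2)))
            continue
        if not sas:
            continue
        cur = sas[-1]
        spi = _SPI.search(line)
        if spi and not cur.spi:
            cur.spi = spi.group(1)
        counters = _CURRENT.match(line)
        if counters:
            cur.bytes_, cur.packets = int(counters.group(1)), int(counters.group(2))
    return sas


def dead_directions(sas: List[SaCounters], local_ip: str) -> List[Tuple[str, str]]:
    """Return (direction, spi) for every SA that has carried zero bytes."""
    dead = []
    for sa in sas:
        direction = "outbound" if sa.src == local_ip else "inbound"
        if sa.bytes_ == 0:
            dead.append((direction, sa.spi))
    return dead


def check_postrouting(rules: str, peer_iface: str) -> List[str]:
    """Check ordering and interface binding of the IPsec exemption in nat/POSTROUTING.

    Returns a list of findings; an empty list means the rules look sane.
    """
    findings: List[str] = []
    exempt_at = snat_at = None
    chain = [line.split() for line in rules.splitlines() if line.startswith("-A POSTROUTING")]
    for idx, toks in enumerate(chain):
        target = toks[toks.index("-j") + 1] if "-j" in toks else ""
        if target in ("SNAT", "MASQUERADE") and snat_at is None:
            snat_at = idx
        is_exempt = ("--pol" in toks and toks[toks.index("--pol") + 1] == "ipsec"
                     and "--dir" in toks and toks[toks.index("--dir") + 1] == "out"
                     and target == "ACCEPT")
        if not is_exempt:
            continue
        if exempt_at is None:
            exempt_at = idx
        if "-o" in toks and toks[toks.index("-o") + 1] != peer_iface:
            # In tunnel mode the inner packet hits POSTROUTING with the interface
            # of the route to the peer, before ESP encapsulation.
            findings.append(f"exemption is bound to -o {toks[toks.index('-o') + 1]}, "
                            f"but the pre-encryption packet leaves via {peer_iface}")
    if exempt_at is None:
        findings.append("no 'policy --dir out --pol ipsec' ACCEPT rule in POSTROUTING")
    elif snat_at is not None and snat_at < exempt_at:
        findings.append("SNAT precedes the IPsec exemption; tunnel traffic is rewritten "
                        "and no longer matches the SPD selector")
    return findings


if __name__ == "__main__":
    for direction, spi in dead_directions(parse_xfrm_state(XFRM_STATE_SAMPLE), "217.27.211.17"):
        print(f"{direction} SA {spi}: 0 bytes carried")
    for finding in check_postrouting(NAT_RULES_SAMPLE, "eth0"):
        print("NAT:", finding)
```

Run against the constructed samples it reports both SAs as dead and flags the `-o eth1` binding; with `NAT_RULES_FIXED` it reports nothing. A 0-byte counter on the inbound SA means ESP from the peer never decrypted on this box at all, which the NAT rules cannot explain, so the two checks are complementary: the SA counters say which direction to capture on (`tcpdump -ni eth0 esp`), the rule check covers the local-to-remote leg.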