[strongSwan] Strongswan not forwarding ESP packets : Can anyone help?
Alan Evans
alanrevans at googlemail.com
Fri Jun 3 19:18:22 CEST 2011
Hello List,
I'm trying to set up strongSwan as a VPN gateway. I'm getting very
close. I can see the ESP packets reaching the gateway, but they are not
being forwarded to the end node.
Can anyone suggest what I might be doing wrong and what I should check.
Everything looks OK to me, and I expect the TCP SYN being sent in the
ESP packet to be forwarded to the end node (10.10.50.51) via the
default g/w of the VPN (192.168.1.71).
But there is nothing being forwarded. The default g/w is pingable.
My setup is a bit complicated, as I have EAP-SIM in one direction and a
cert in the other. This part is all working, as I can set up the IKE SA
and IPsec SA without any problems. I've configured NULL encryption so
that Wireshark can decode the ESP packets. I can see the TCP SYN
inside the ESP packet.
I should also mention that this initial test setup is running on a
virtual machine.
Any suggestions of how to debug this problem would be very welcome.
Thanks in Advance
AlanE.
My ipsec.conf looks like this:
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        strictcrlpolicy=no
        plutostart=no
        charondebug = "ike 2, cfg 2, net 2, knl 3"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        ike=aes128-sha1-modp1024!
        esp=null-sha1-modp1024!
        eap=radius

conn rw-eap
        leftauth=pubkey
        left=192.168.1.79
        leftsubnet=10.10.50.0/24
        leftid=@pilot.home
        leftcert=Pilot.der
        leftfirewall=yes
        rightid=*@gan.mnc088.mcc310.3gppnetwork.org
        rightsendcert=never
        rightsourceip=10.1.0.0/24
        rightauth=eap-radius
        auto=add
Here are the outputs for the relevant commands.
[root@pilot ~]# ./info.sh
ipsec statusall...
============
Status of IKEv2 charon daemon (strongSwan 4.5.2rc1):
  uptime: 21 minutes, since Jun 03 17:32:48 2011
  malloc: sbrk 241664, mmap 0, used 105152, free 136512
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 15
  loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown attr
Virtual IP pools (size/online/offline):
  rw-eap: 255/1/0
Listening IP addresses:
  192.168.1.79
Connections:
      rw-eap:  192.168.1.79...%any
      rw-eap:   local:  [pilot.home] uses public key authentication
      rw-eap:    cert:  ""
      rw-eap:   remote: [*@gan.mnc088.mcc310.3gppnetwork.org] uses EAP_RADIUS authentication
      rw-eap:   child:  10.10.50.0/24 === dynamic
Security Associations:
      rw-eap[7]: ESTABLISHED 3 seconds ago, 192.168.1.79[pilot.home]...192.168.1.4[1310880000004009@gan.mnc088.mcc310.3gppnetwork.org]
      rw-eap[7]: IKE SPIs: 25742c4133de7e0e_i 81f5dff82b146e20_r*, public key reauthentication in 54 minutes
      rw-eap[7]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      rw-eap{7}:  INSTALLED, TUNNEL, ESP SPIs: ce3816c5_i 40914057_o
      rw-eap{7}:   NULL/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 15 minutes
      rw-eap{7}:   10.10.50.0/24 === 10.1.0.1/32
ip xfrm policy...
===========
src 10.1.0.1/32 dst 10.10.50.0/24
        dir fwd priority 1827 ptype main
        tmpl src 192.168.1.4 dst 192.168.1.79
                proto esp reqid 7 mode tunnel
src 10.1.0.1/32 dst 10.10.50.0/24
        dir in priority 1827 ptype main
        tmpl src 192.168.1.4 dst 192.168.1.79
                proto esp reqid 7 mode tunnel
src 10.10.50.0/24 dst 10.1.0.1/32
        dir out priority 1827 ptype main
        tmpl src 192.168.1.79 dst 192.168.1.4
                proto esp reqid 7 mode tunnel
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
ip xfrm state...
===========
src 192.168.1.79 dst 192.168.1.4
        proto esp spi 0x40914057 reqid 7 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0x6bb49a5881fec919aef52b4c6679277985701b05
        enc ecb(cipher_null) 0x
src 192.168.1.4 dst 192.168.1.79
        proto esp spi 0xce3816c5 reqid 7 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0xd085aaf9ece2d08b957c0068c104c5bf61d08678
        enc ecb(cipher_null) 0x
ip route list table 220...
=================
10.1.0.1 via 192.168.1.4 dev eth2  proto static  src 10.10.50.50
iptables -L -vn...
============
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2909  296K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   30  2533 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
  313 19816 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1812
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:1813
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    4  1280 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:4500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:500
  769 62226 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth2   *       10.1.0.1             10.10.50.0/24       policy match dir in pol ipsec reqid 7 proto 50
    0     0 ACCEPT     all  --  *      eth2    10.10.50.0/24        10.1.0.1            policy match dir out pol ipsec reqid 7 proto 50
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3199 packets, 317K bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@pilot ~]#
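The output above shows both FORWARD rules and the CHILD_SA byte counters at 0 while ESP is visibly arriving, which is the pattern of the inner packet being dropped by the kernel before it reaches the forwarding path rather than by a firewall rule (the CHILD_SA was only 3 seconds old when the status was taken, so its counters alone do not prove much). The script below is an added example for working through that case on a Linux gateway; it is not from the original post or from strongSwan. The addresses and interface default to the values in the post and can be overridden via the environment; the helper names are the script's own. Each check also accepts a file or stdin in place of the live sysctl or command output, so it can be run against saved output.

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan: a checklist for a
# Linux IPsec gateway that receives ESP but forwards nothing. Run as root on the
# gateway ("sh esp-fwd-check.sh run"); addresses default to the ones in the post.
PEER="${PEER:-192.168.1.4}"       # IKE/ESP peer (the client)
VIP="${VIP:-10.1.0.1}"            # virtual IP assigned to the client
TARGET="${TARGET:-10.10.50.51}"   # end node behind the gateway
IFACE="${IFACE:-eth2}"            # interface the ESP packets arrive on

# 1. IP forwarding. With net.ipv4.ip_forward=0 the decapsulated inner packet is
#    dropped before it ever reaches the iptables FORWARD chain, so the FORWARD
#    counters stay at 0 while ESP keeps arriving.
#    $1 (optional): a file to read instead of the real sysctl (for testing).
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# 2. Reverse-path filter on the ingress interface. Strict mode (1) drops the
#    inner packet unless the route back to $VIP points out of $IFACE.
#    $1 (optional): a file to read instead of the real sysctl.
rp_filter_mode() {
    f="${1:-/proc/sys/net/ipv4/conf/$IFACE/rp_filter}"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# 3. Is each ESP SA actually consuming packets? Reads "ip -s xfrm state" on
#    stdin and prints "<spi> <packets>" per SA; an inbound SA stuck at 0 while
#    ESP arrives means the kernel is not matching those packets to the SA.
xfrm_sa_packets() {
    awk '
        /proto esp spi/ { spi = $0; sub(/.*spi /, "", spi); sub(/ .*/, "", spi) }
        /^[[:space:]]*[0-9]+\(bytes\), *[0-9]+\(packets\)/ {
            p = $2; sub(/\(packets\).*/, "", p); print spi, p
        }'
}

# 4. Kernel xfrm error counters. Any non-zero XfrmIn* counter names the reason
#    for a silent drop, e.g. XfrmInNoPols (no matching in/fwd policy) or
#    XfrmInTmplMismatch (packet did not match the policy template).
#    $1 (optional): a file to read instead of /proc/net/xfrm_stat.
xfrm_nonzero_counters() {
    f="${1:-/proc/net/xfrm_stat}"
    [ -r "$f" ] || return 2
    awk '$2 != 0 { print $1, $2 }' "$f"
}

# 5. FORWARD chain counters, "iptables -L FORWARD -vn" on stdin. Returns 0 when
#    every rule counter is zero, i.e. no inner packet reached the forwarding
#    path at all (which points at checks 1, 2 or 4 rather than at the rules).
forward_chain_idle() {
    awk 'NR > 2 { total += $1 } END { exit (total == 0 ? 0 : 1) }'
}

main() {
    printf 'net.ipv4.ip_forward: '
    if ip_forward_enabled; then echo on; else echo OFF; fi
    printf 'rp_filter on %s: %s\n' "$IFACE" "$(rp_filter_mode)"
    echo 'packets per ESP SA (spi packets):'; ip -s xfrm state | xfrm_sa_packets
    echo 'non-zero xfrm counters:'; xfrm_nonzero_counters
    if iptables -L FORWARD -vn | forward_chain_idle; then
        echo 'FORWARD chain: no packets seen'
    fi
    # The route the kernel will pick for the decrypted inner packet.
    ip route get "$TARGET" from "$VIP" iif "$IFACE"
    # Compare ESP arriving from $PEER on $IFACE with the inner packet leaving
    # towards $TARGET; the first should be followed by the second.
    tcpdump -ni "$IFACE" -c 5 "(host $PEER and (esp or udp port 4500)) or host $TARGET"
}

case "${1:-}" in run) main ;; esac
```

Run it with the `run` argument on the gateway. If check 1 reports OFF, `sysctl -w net.ipv4.ip_forward=1` (and the matching line in /etc/sysctl.conf) is the fix; if forwarding is on but check 4 shows a non-zero XfrmIn* counter, the kernel is rejecting the ESP or the decapsulated packet for the reason that counter names, and the xfrm policy and state listings are where to look next.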