[strongSwan] IKEv1 Routing Problem

Stephan Trebs s.trebs at gesa-automation.de
Wed Nov 9 17:47:54 CET 2011


Greetings,

I am having problems setting up an IKEv1 net2net connection. (It works fine with IKEv2, but I have to get it working with IKEv1.)
Both gateways successfully establish an IPsec connection, but there are routing problems: I can ping from sun to moon, but not from moon to sun.
The reason is that moon does not send its pings through the tunnel but directly towards the Internet, where the packets are rejected.

There is a difference in the 'ipsec status' outputs. Sun seems to show only one connection 'client4', while moon seems to show two connections
'client4' and 'client4[1]'.

Both gateways run Debian Squeeze 6.0.3 with strongswan 4.4.1 (moon 192.168.88.2, sun 192.168.19.114). The connection is initiated by sun via 'ipsec up client4'.

Does anyone know what is wrong with the configuration?

Thanks for your help,
Stephan

--- start --- moon: ipsec.conf ----------------------------------------
config setup
	# NOTE(review): plutodebug=all is extremely verbose and may write
	# sensitive material to the log; narrow it once the problem is found.
	plutodebug=all
	# NAT traversal is required here: sun sits behind NAT (its status shows
	# :4500 on both endpoints and xfrm reports "encap type espinudp").
	nat_traversal=yes
	# IKEv1 only: charon (IKEv2) is not started, pluto (IKEv1) is, which
	# matches the stated requirement for an IKEv1 connection.
	charonstart=no
	plutostart=yes

ca myca
	# Trust anchor under which the certificates used by conn client4
	# (router.pem locally, client4.pem for the peer) are validated.
	cacert=/srv/pki/cacert.pem

conn client4
      # moon is the responder (right=%any) and can only wait for sun to
      # initiate ("ipsec up client4" on sun, per the mail).
      #
      # NOTE(review): %defaultroute picks moon's public address as the
      # local endpoint. Traffic generated on moon itself is then sourced
      # from that public address, not from 192.168.88.2 -- the tcpdump
      # (moon to sun) shows the echo request leaving with source
      # p5DDE0F91.dip0.t-ipconnect.de, i.e. 93.222.15.145, which is
      # outside leftsubnet and so never matches the IPsec policy. Test
      # with "ping -I 192.168.88.2 192.168.19.114", or add
      # leftsourceip=192.168.88.2 so locally generated traffic is
      # sourced from the protected subnet.
      left=%defaultroute
      leftid="C=DE,ST=XX,L=XXXXXXXX,O=XXXXXXXXXXXXXXXXXXXX,CN=router,E=XXXXXXXXXXXXXXXXXXXXXXXXXX"
      # Host bits are set on a /24; pluto masks this to 192.168.88.0/24
      # (see ipsec status). Writing the network address avoids confusion.
      leftsubnet=192.168.88.2/24
      leftcert=/srv/pki/router.pem
      # _updown inserts the "policy match ... reqid 16389" ACCEPT rules
      # visible in iptables -L; lefthostaccess adds the INPUT/OUTPUT pair
      # so the gateway itself, not only forwarded hosts, may use the tunnel.
      leftfirewall=yes
      lefthostaccess=yes
      # Accept the peer from any address (sun's NATed public address is not
      # known in advance); the peer is still pinned by rightid/rightcert.
      # The extra 'client4'[1] entry in ipsec status is the per-peer
      # instance of this template, not a second connection.
      right=%any
      # Host bits are set; pluto masks this to 192.168.19.0/24.
      rightsubnet=192.168.19.114/24
      rightid="C=DE,ST=XX,L=XXXXXXXX,O=XXXXXXXXXXXXXXXXXXXX,CN=client4,E=XXXXXXXXXXXXXXXXXXXXXXXXXX"
      rightcert=/srv/pki/client4.pem
      # Load the connection only; do not initiate.
      auto=add

# Presumably the package-managed include on Debian; its contents are not
# shown here, so anything it defines is not visible in this review.
include /var/lib/strongswan/ipsec.conf.inc
---- end ---- moon: ipsec.conf ----------------------------------------
--- start --- moon: iptables -L ---------------------------------------
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  localnet/24          192.168.88.0/24     policy match dir in pol ipsec reqid 16389 proto esp 
ACCEPT     esp  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            udp spt:isakmp 
ACCEPT     udp  --  anywhere             anywhere            udp spt:4500 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  localnet/24          192.168.88.0/24     policy match dir in pol ipsec reqid 16389 proto esp 
ACCEPT     all  --  192.168.88.0/24      localnet/24         policy match dir out pol ipsec reqid 16389 proto esp 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  192.168.88.0/24      localnet/24         policy match dir out pol ipsec reqid 16389 proto esp 
ACCEPT     esp  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            udp dpt:isakmp 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4500 
---- end ---- moon: iptables -L ---------------------------------------
--- start --- moon: ipsec status --------------------------------------
000 "client4": 192.168.88.0/24===93.222.15.145[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=router, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]---217.0.119.78...%any[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=client4, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]===192.168.19.0/24; unrouted; eroute owner: #0
000 "client4":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 "client4"[1]: 192.168.88.0/24===93.222.15.145:4500[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=router, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]---217.0.119.78...217.92.154.243:4500[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=client4, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]===192.168.19.0/24; erouted; eroute owner: #2
000 "client4"[1]:   newest ISAKMP SA: #1; newest IPsec SA: #2; 
000 
000 #2: "client4"[1] 217.92.154.243:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3094s; newest IPSEC; eroute owner
000 #2: "client4"[1] 217.92.154.243:4500 esp.3db9e893 at 217.92.154.243 (1260 bytes, 208s ago) esp.fa4f7fce at 93.222.15.145 (1260 bytes, 208s ago); tunnel
000 #1: "client4"[1] 217.92.154.243:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 10293s; newest ISAKMP
000 
---- end ---- moon: ipsec status --------------------------------------
--- start --- moon: ip -s xfrm state ----------------------------------
src 93.222.15.145 dst 217.92.154.243
	proto esp spi 0x3db9e893(1035593875) reqid 16389(0x00004005) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	auth hmac(sha1) 0xe9e7b3d81d48695264508789b93e7dc0e70892dd (160 bits)
	enc cbc(aes) 0xb3a82d3a3159229bc7d2dfc29e6fb638 (128 bits)
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  1260(bytes), 15(packets)
	  add 2011-11-09 16:46:06 use 2011-11-09 16:46:20
	stats:
	  replay-window 0 replay 0 failed 0
src 217.92.154.243 dst 93.222.15.145
	proto esp spi 0xfa4f7fce(4199514062) reqid 16389(0x00004005) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	auth hmac(sha1) 0x8cdf75f409193832fe61c751edb2df1d3761ff32 (160 bits)
	enc cbc(aes) 0x85b6e3417dc6fa2a8680d7f70c7c2d2c (128 bits)
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  1260(bytes), 15(packets)
	  add 2011-11-09 16:46:05 use 2011-11-09 16:46:20
	stats:
	  replay-window 0 replay 0 failed 0
---- end ---- moon: ip -s xfrm state ---------------------------------------
--- start --- moon: ping 192.168.19.114 -c 2 -------------------------------
PING 192.168.19.114 (192.168.19.114) 56(84) bytes of data.

--- 192.168.19.114 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1006ms
---- end ---- moon: ping 192.168.19.114 -c 2 -------------------------------
--- start --- moon: tcpdump (from sun to moon) ------------------------------
17:01:35.328492 IP 192.168.19.114 > 192.168.88.2: ICMP echo request, id 1744, seq 1, length 64
---- end ---- moon: tcpdump (from sun to moon) ------------------------------
--- start --- moon: tcpdump (from moon to sun) ------------------------------
17:00:15.085651 IP p5DDE0F91.dip0.t-ipconnect.de > 192.168.19.114: ICMP echo request, id 12723, seq 70, length 64
---- end ---- moon: tcpdump (from moon to sun) -----------------------------




--- start ---- sun: ipsec.conf ----------------------------------------
config setup
	# NOTE(review): plutodebug=all is extremely verbose and may write
	# sensitive material to the log; narrow it once the problem is found.
	plutodebug=all
	# Required: sun's local address 192.168.19.114 is private and moon
	# sees it as 217.92.154.243:4500, so ESP is UDP-encapsulated.
	nat_traversal=yes
	# IKEv1 only: charon (IKEv2) is not started, pluto (IKEv1) is.
	charonstart=no
	plutostart=yes

conn client4
	# sun is the initiator ("ipsec up client4"); %defaultroute resolves to
	# its private address 192.168.19.114, which lies inside leftsubnet, so
	# locally generated traffic from sun matches the policy (ping works).
	left=%defaultroute
	# Host bits are set on a /24; pluto masks this to 192.168.19.0/24
	# (see ipsec status). Writing the network address avoids confusion.
	leftsubnet=192.168.19.114/24
	lefthostaccess=yes
	# NOTE(review): "L=XXXXXXXn" differs in one character from moon's
	# rightid "L=XXXXXXXX". The ISAKMP SA did establish (STATE_MAIN_I4), so
	# this is probably a redaction artefact, but the DNs must match exactly.
	leftid="C=DE,ST=XX,L=XXXXXXXn,O=XXXXXXXXXXXXXXXXXXXX,CN=client4,E=XXXXXXXXXXXXXXXXXXXXXXXXXX"
	leftcert=/srv/pki/client4.pem
	# _updown inserts the "policy match ... reqid 16385" ACCEPT rules
	# visible in iptables -L.
	leftfirewall=yes
	# Dynamic DNS name of moon; presumably resolved when the conn is loaded,
	# so a changed address on moon's side would need a reload.
	right=XXXXXXXXX.dyndns.org
	# Host bits are set; pluto masks this to 192.168.88.0/24.
	rightsubnet=192.168.88.2/24
	rightid="C=DE,ST=XX,L=XXXXXXXX,O=XXXXXXXXXXXXXXXXXXXX,CN=router,E=XXXXXXXXXXXXXXXXXXXXXXXXXX"
	rightcert=/srv/pki/router.pem
	# Load only; the tunnel is brought up explicitly with "ipsec up client4".
	auto=add

# Presumably the package-managed include on Debian; its contents are not
# shown here, so anything it defines is not visible in this review.
include /var/lib/strongswan/ipsec.conf.inc
---- end ----- sun: ipsec.conf ----------------------------------------
--- start ---- sun: iptables -L ---------------------------------------
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  192.168.88.0/24      192.168.19.0/24     policy match dir in pol ipsec reqid 16385 proto esp 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  192.168.88.0/24      192.168.19.0/24     policy match dir in pol ipsec reqid 16385 proto esp 
ACCEPT     all  --  192.168.19.0/24      192.168.88.0/24     policy match dir out pol ipsec reqid 16385 proto esp 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  192.168.19.0/24      192.168.88.0/24     policy match dir out pol ipsec reqid 16385 proto esp 
---- end ----- sun: iptables -L ---------------------------------------
--- start ---- sun: ipsec status --------------------------------------
000 "client4": 192.168.19.0/24===192.168.19.114:4500[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=client4, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]---192.168.19.1...93.222.15.145:4500[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=router, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]===192.168.88.0/24; erouted; eroute owner: #7
000 "client4":   newest ISAKMP SA: #6; newest IPsec SA: #7; 
000 
000 #7: "client4" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2337s; newest IPSEC; eroute owner
000 #7: "client4" esp.fa4f7fce at 93.222.15.145 (1260 bytes, 514s ago) esp.3db9e893 at 192.168.19.114 (1260 bytes, 514s ago); tunnel
000 #6: "client4" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 9612s; newest ISAKMP
000 
---- end ----- sun: ipsec status --------------------------------------
--- start ---- sun: ip -s xfrm state ----------------------------------
src 192.168.19.114 dst 93.222.15.145
	proto esp spi 0xfa4f7fce(4199514062) reqid 16385(0x00004001) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	auth hmac(sha1) 0x8cdf75f409193832fe61c751edb2df1d3761ff32 (160 bits)
	enc cbc(aes) 0x85b6e3417dc6fa2a8680d7f70c7c2d2c (128 bits)
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  1260(bytes), 15(packets)
	  add 2011-11-09 16:46:05 use 2011-11-09 16:46:19
	stats:
	  replay-window 0 replay 0 failed 0
src 93.222.15.145 dst 192.168.19.114
	proto esp spi 0x3db9e893(1035593875) reqid 16385(0x00004001) mode tunnel
	replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
	auth hmac(sha1) 0xe9e7b3d81d48695264508789b93e7dc0e70892dd (160 bits)
	enc cbc(aes) 0xb3a82d3a3159229bc7d2dfc29e6fb638 (128 bits)
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	lifetime config:
	  limit: soft (INF)(bytes), hard (INF)(bytes)
	  limit: soft (INF)(packets), hard (INF)(packets)
	  expire add: soft 0(sec), hard 0(sec)
	  expire use: soft 0(sec), hard 0(sec)
	lifetime current:
	  1260(bytes), 15(packets)
	  add 2011-11-09 16:46:05 use 2011-11-09 16:46:19
	stats:
	  replay-window 0 replay 0 failed 0
---- end ----- sun: ip -s xfrm state ---------------------------------------
--- start ---- sun: ping 192.168.88.2 -c 2 ---------------------------------
PING 192.168.88.2 (192.168.88.2) 56(84) bytes of data.
64 bytes from 192.168.88.2: icmp_req=1 ttl=64 time=58.6 ms
64 bytes from 192.168.88.2: icmp_req=2 ttl=64 time=57.7 ms

--- 192.168.88.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 57.775/58.197/58.620/0.486 ms
---- end ----- sun: ping 192.168.88.2 -c 2 ---------------------------------