[strongSwan] IKEv1 Routing Problem
Stephan Trebs
s.trebs at gesa-automation.de
Wed Nov 9 17:47:54 CET 2011
Greetings,
I have problems setting up an IKEv1 net2net connection. (It works fine with IKEv2, but I have to get it working with IKEv1.)
Both gateways successfully create an IPsec connection, but have routing problems. I can ping from sun to moon, but not from moon to sun.
The reason is that moon does not ping through the tunnel, but directly in the direction of the Internet, where the packets are rejected.
There is a difference in the 'ipsec status' outputs. Sun seems to show only one connection, 'client4', while moon seems to show two connections, 'client4' and 'client4[1]'.
Both gateways run Debian Squeeze 6.0.3 with strongSwan 4.4.1 (moon 192.168.88.2, sun 192.168.19.114). The connection is initiated by sun via 'ipsec up client4'.
Does anyone know what is wrong with the configuration?
Thanks for your help,
Stephan
--- start --- moon: ipsec.conf ----------------------------------------
config setup
plutodebug=all
nat_traversal=yes
charonstart=no
plutostart=yes
ca myca
cacert=/srv/pki/cacert.pem
conn client4
left=%defaultroute
leftid="C=DE,ST=XX,L=XXXXXXXX,O=XXXXXXXXXXXXXXXXXXXX,CN=router,E=XXXXXXXXXXXXXXXXXXXXXXXXXX"
leftsubnet=192.168.88.2/24
leftcert=/srv/pki/router.pem
leftfirewall=yes
lefthostaccess=yes
right=%any
rightsubnet=192.168.19.114/24
rightid="C=DE,ST=XX,L=XXXXXXXX,O=XXXXXXXXXXXXXXXXXXXX,CN=client4,E=XXXXXXXXXXXXXXXXXXXXXXXXXX"
rightcert=/srv/pki/client4.pem
auto=add
include /var/lib/strongswan/ipsec.conf.inc
---- end ---- moon: ipsec.conf ----------------------------------------
--- start --- moon: iptables -L ---------------------------------------
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- localnet/24 192.168.88.0/24 policy match dir in pol ipsec reqid 16389 proto esp
ACCEPT esp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:isakmp
ACCEPT udp -- anywhere anywhere udp spt:4500
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- localnet/24 192.168.88.0/24 policy match dir in pol ipsec reqid 16389 proto esp
ACCEPT all -- 192.168.88.0/24 localnet/24 policy match dir out pol ipsec reqid 16389 proto esp
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.88.0/24 localnet/24 policy match dir out pol ipsec reqid 16389 proto esp
ACCEPT esp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:4500
---- end ---- moon: iptables -L ---------------------------------------
--- start --- moon: ipsec status --------------------------------------
000 "client4": 192.168.88.0/24===93.222.15.145[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=router, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]---217.0.119.78...%any[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=client4, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]===192.168.19.0/24; unrouted; eroute owner: #0
000 "client4": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "client4"[1]: 192.168.88.0/24===93.222.15.145:4500[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=router, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]---217.0.119.78...217.92.154.243:4500[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=client4, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]===192.168.19.0/24; erouted; eroute owner: #2
000 "client4"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000
000 #2: "client4"[1] 217.92.154.243:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3094s; newest IPSEC; eroute owner
000 #2: "client4"[1] 217.92.154.243:4500 esp.3db9e893 at 217.92.154.243 (1260 bytes, 208s ago) esp.fa4f7fce at 93.222.15.145 (1260 bytes, 208s ago); tunnel
000 #1: "client4"[1] 217.92.154.243:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 10293s; newest ISAKMP
000
---- end ---- moon: ipsec status --------------------------------------
--- start --- moon: ip -s xfrm state ----------------------------------
src 93.222.15.145 dst 217.92.154.243
proto esp spi 0x3db9e893(1035593875) reqid 16389(0x00004005) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
auth hmac(sha1) 0xe9e7b3d81d48695264508789b93e7dc0e70892dd (160 bits)
enc cbc(aes) 0xb3a82d3a3159229bc7d2dfc29e6fb638 (128 bits)
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
1260(bytes), 15(packets)
add 2011-11-09 16:46:06 use 2011-11-09 16:46:20
stats:
replay-window 0 replay 0 failed 0
src 217.92.154.243 dst 93.222.15.145
proto esp spi 0xfa4f7fce(4199514062) reqid 16389(0x00004005) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
auth hmac(sha1) 0x8cdf75f409193832fe61c751edb2df1d3761ff32 (160 bits)
enc cbc(aes) 0x85b6e3417dc6fa2a8680d7f70c7c2d2c (128 bits)
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
1260(bytes), 15(packets)
add 2011-11-09 16:46:05 use 2011-11-09 16:46:20
stats:
replay-window 0 replay 0 failed 0
---- end ---- moon: ip -s xfrm state ---------------------------------------
--- start --- moon: ping 192.168.19.114 -c 2 -------------------------------
PING 192.168.19.114 (192.168.19.114) 56(84) bytes of data.
--- 192.168.19.114 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1006ms
---- end ---- moon: ping 192.168.19.114 -c 2 -------------------------------
--- start --- moon: tcpdump (from sun to moon) ------------------------------
17:01:35.328492 IP 192.168.19.114 > 192.168.88.2: ICMP echo request, id 1744, seq 1, length 64
---- end ---- moon: tcpdump (from sun to moon) ------------------------------
--- start --- moon: tcpdump (from moon to sun) ------------------------------
17:00:15.085651 IP p5DDE0F91.dip0.t-ipconnect.de > 192.168.19.114: ICMP echo request, id 12723, seq 70, length 64
---- end ---- moon: tcpdump (from moon to sun) -----------------------------
--- start ---- sun: ipsec.conf ----------------------------------------
config setup
plutodebug=all
nat_traversal=yes
charonstart=no
plutostart=yes
conn client4
left=%defaultroute
leftsubnet=192.168.19.114/24
lefthostaccess=yes
leftid="C=DE,ST=XX,L=XXXXXXXn,O=XXXXXXXXXXXXXXXXXXXX,CN=client4,E=XXXXXXXXXXXXXXXXXXXXXXXXXX"
leftcert=/srv/pki/client4.pem
leftfirewall=yes
right=XXXXXXXXX.dyndns.org
rightsubnet=192.168.88.2/24
rightid="C=DE,ST=XX,L=XXXXXXXX,O=XXXXXXXXXXXXXXXXXXXX,CN=router,E=XXXXXXXXXXXXXXXXXXXXXXXXXX"
rightcert=/srv/pki/router.pem
auto=add
include /var/lib/strongswan/ipsec.conf.inc
---- end ----- sun: ipsec.conf ----------------------------------------
--- start ---- sun: iptables -L ---------------------------------------
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.88.0/24 192.168.19.0/24 policy match dir in pol ipsec reqid 16385 proto esp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.88.0/24 192.168.19.0/24 policy match dir in pol ipsec reqid 16385 proto esp
ACCEPT all -- 192.168.19.0/24 192.168.88.0/24 policy match dir out pol ipsec reqid 16385 proto esp
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.19.0/24 192.168.88.0/24 policy match dir out pol ipsec reqid 16385 proto esp
---- end ----- sun: iptables -L ---------------------------------------
--- start ---- sun: ipsec status --------------------------------------
000 "client4": 192.168.19.0/24===192.168.19.114:4500[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=client4, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]---192.168.19.1...93.222.15.145:4500[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=router, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]===192.168.88.0/24; erouted; eroute owner: #7
000 "client4": newest ISAKMP SA: #6; newest IPsec SA: #7;
000
000 #7: "client4" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2337s; newest IPSEC; eroute owner
000 #7: "client4" esp.fa4f7fce at 93.222.15.145 (1260 bytes, 514s ago) esp.3db9e893 at 192.168.19.114 (1260 bytes, 514s ago); tunnel
000 #6: "client4" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 9612s; newest ISAKMP
000
---- end ----- sun: ipsec status --------------------------------------
--- start ---- sun: ip -s xfrm state ----------------------------------
src 192.168.19.114 dst 93.222.15.145
proto esp spi 0xfa4f7fce(4199514062) reqid 16385(0x00004001) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
auth hmac(sha1) 0x8cdf75f409193832fe61c751edb2df1d3761ff32 (160 bits)
enc cbc(aes) 0x85b6e3417dc6fa2a8680d7f70c7c2d2c (128 bits)
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
1260(bytes), 15(packets)
add 2011-11-09 16:46:05 use 2011-11-09 16:46:19
stats:
replay-window 0 replay 0 failed 0
src 93.222.15.145 dst 192.168.19.114
proto esp spi 0x3db9e893(1035593875) reqid 16385(0x00004001) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
auth hmac(sha1) 0xe9e7b3d81d48695264508789b93e7dc0e70892dd (160 bits)
enc cbc(aes) 0xb3a82d3a3159229bc7d2dfc29e6fb638 (128 bits)
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
1260(bytes), 15(packets)
add 2011-11-09 16:46:05 use 2011-11-09 16:46:19
stats:
replay-window 0 replay 0 failed 0
---- end ----- sun: ip -s xfrm state ---------------------------------------
--- start ---- sun: ping 192.168.88.2 -c 2 ---------------------------------
PING 192.168.88.2 (192.168.88.2) 56(84) bytes of data.
64 bytes from 192.168.88.2: icmp_req=1 ttl=64 time=58.6 ms
64 bytes from 192.168.88.2: icmp_req=2 ttl=64 time=57.7 ms
--- 192.168.88.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 57.775/58.197/58.620/0.486 ms
---- end ----- sun: ping 192.168.88.2 -c 2 ---------------------------------
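A check a practitioner would run on a report like this, added here as an example that is not part of the original post and not strongSwan's own code: the kernel only encapsulates a packet when both its source and its destination fall inside the traffic selectors of an installed security policy (visible with `ip xfrm policy` on the gateway, or as the `leftsubnet===...===rightsubnet` pair in a pluto `ipsec status` line). Anything that matches no policy is simply forwarded along the normal routing table in the clear. The script parses moon's `"client4"[1]` status line and the two tcpdump lines from the post and reports, per captured packet, which direction of the policy (if any) covers it. Two assumptions are made and marked in the code: the distinguished names in the status line are shortened, and the t-ipconnect hostname in the second capture is replaced by the address its name encodes in hex (p5DDE0F91 = 93.222.15.145).

```python
"""Classify captured packets against an IPsec policy's traffic selectors.

Added example, not code from the original post or from strongSwan.
Input lines are constructed from the values in the post (see notes below).
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed from moon's `ipsec status` output in the post; the DNs between
# [...] are shortened to their CN for readability (assumption: only the
# subnet selectors matter for this check).
STATUS_LINE = (
    '000 "client4"[1]: 192.168.88.0/24===93.222.15.145:4500[CN=router]'
    '---217.0.119.78...217.92.154.243:4500[CN=client4]===192.168.19.0/24; '
    'erouted; eroute owner: #2'
)

# Constructed from the two tcpdump captures on moon. In the second line the
# hostname p5DDE0F91.dip0.t-ipconnect.de is replaced by the address its name
# encodes (0x5D.0xDE.0x0F.0x91 = 93.222.15.145); that decoding is an assumption.
TCPDUMP_LINES = [
    "17:01:35.328492 IP 192.168.19.114 > 192.168.88.2: ICMP echo request, id 1744, seq 1, length 64",
    "17:00:15.085651 IP 93.222.15.145 > 192.168.19.114: ICMP echo request, id 12723, seq 70, length 64",
]

# `000 "name"[n]: LEFT/prefix===...===RIGHT/prefix; ...`
SELECTOR_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)"(?:\[\d+\])?: '
    r'(?P<left>\d+(?:\.\d+){3}/\d+)===.*===(?P<right>\d+(?:\.\d+){3}/\d+);'
)
# `... IP SRC[.port] > DST[.port]: ...` as printed by tcpdump -n
PACKET_RE = re.compile(
    r'\bIP (?P<src>\d+(?:\.\d+){3})(?:\.\d+)? > (?P<dst>\d+(?:\.\d+){3})(?:\.\d+)?:'
)


def parse_policy(status_line: str) -> Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Return (connection name, left subnet, right subnet) from a pluto status line."""
    m = SELECTOR_RE.match(status_line)
    if not m:
        raise ValueError("not a pluto connection status line with subnet selectors")
    return (m.group("conn"),
            ipaddress.ip_network(m.group("left")),
            ipaddress.ip_network(m.group("right")))


def parse_packet(tcpdump_line: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Return (src, dst) addresses from a tcpdump line."""
    m = PACKET_RE.search(tcpdump_line)
    if not m:
        raise ValueError("no IPv4 src > dst pair found in tcpdump line")
    return ipaddress.ip_address(m.group("src")), ipaddress.ip_address(m.group("dst"))


def classify(left: ipaddress.IPv4Network, right: ipaddress.IPv4Network,
             src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> str:
    """Which security policy on the gateway owning LEFT would cover this packet.

    'out'  : left -> right, the outbound SP applies and the packet is encapsulated
    'in'   : right -> left, the inbound SP applies (packet came out of the tunnel)
    'none' : no SP selector covers the pair; the kernel routes it in the clear
    """
    if src in left and dst in right:
        return "out"
    if src in right and dst in left:
        return "in"
    return "none"


def check_capture(status_line: str, tcpdump_lines: List[str]) -> List[Dict[str, str]]:
    """Classify every packet in the capture against the policy in status_line."""
    conn, left, right = parse_policy(status_line)
    results = []
    for line in tcpdump_lines:
        src, dst = parse_packet(line)
        results.append({"conn": conn, "src": str(src), "dst": str(dst),
                        "match": classify(left, right, src, dst)})
    return results


if __name__ == "__main__":
    for r in check_capture(STATUS_LINE, TCPDUMP_LINES):
        print(f"{r['conn']}: {r['src']} -> {r['dst']}: {r['match']}")
```

Run stand-alone it reports the sun-to-moon echo request as `in` (covered by the inbound selector pair) and the moon-to-sun echo request as `none`, because its source address lies outside 192.168.88.0/24; a packet whose source is inside that selector (for instance 192.168.88.2) is reported as `out`. When a probe classifies as `none`, send it again with an explicit source inside the local selector (`ping -I 192.168.88.2 192.168.19.114`) and compare `ip xfrm policy` on both gateways before changing the configuration.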