[strongSwan] strongswan-5.1.1 routing pb

s s y52 at europe.com
Tue Dec 17 21:25:33 CET 2013


Hello,

We are migrating from strongswan-4.5 to strongswan-5.1.1 and are currently running into routing problems.
Could you help us sort out a weird situation with strongswan-5.1.1, which we built on the CentOS 5.3 distribution?

The configuration is quite classical: net-to-net ( 192.168.3.0/24 === 192.168.4.0/24 )
We need to tunnel the traffic between several private networks. The IPsec channels are well established:

[root at academ strongswan]# strongswan status
Security Associations (2 up, 0 connecting):
   msc-hmnet[10]: ESTABLISHED 30 minutes ago, 195.91.195.62[certificate M]...82.239.221.28[certificate K]
   msc-hmnet{5}:  INSTALLED, TUNNEL, ESP SPIs: c5329687_i c0101bc4_o, IPCOMP CPIs: dcf5_i ab46_o
   msc-hmnet{5}:   192.168.3.0/24 === 192.168.4.0/24 
   academ.certs.locally.stored[9]: ESTABLISHED 42 minutes ago, 195.91.195.62[certificate M]...88.174.230.112[certificate K]
   academ.certs.locally.stored{4}:  INSTALLED, TUNNEL, ESP SPIs: cedb5910_i cde12ee2_o, IPCOMP CPIs: 52c2_i 30be_o
   academ.certs.locally.stored{4}:   192.168.3.0/24 === 192.168.169.0/24 


[root at academ strongswan]# ip route list table 220
192.168.4.0/24 via 195.91.195.33 dev eth1  proto static  src 192.168.3.56 
192.168.169.0/24 via 195.91.195.33 dev eth1  proto static  src 192.168.3.56 

But out of the 2 tunnels only 1 is reachable. The other one doesn't ping.

[root at academ strongswan]# ping 192.168.169.60
PING 192.168.169.60 (192.168.169.60) 56(84) bytes of data.
64 bytes from 192.168.169.60: icmp_seq=1 ttl=63 time=104 ms
64 bytes from 192.168.169.60: icmp_seq=2 ttl=63 time=102 ms

--- 192.168.169.60 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 102.549/103.537/104.525/0.988 ms
[root at academ strongswan]# ping 192.168.4.10
PING 192.168.4.10 (192.168.4.10) 56(84) bytes of data.

--- 192.168.4.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

If I run on the remote 192.168.4.10:
tcpdump -xnni eth1 "host (195.91.195.62 or 192.168.3.56)"

22:49:26.623874 IP 195.91.195.62.22 > 82.239.221.28.50977: P 5633:5729(96) ack 2400 win 1234 <nop,nop,timestamp 141662472 51284544>
        0x0000:  4500 0094 cb44 4000 3406 c479 c35b c33e
22:49:26.623898 IP 82.239.221.28.50977 > 195.91.195.62.22: . ack 5729 win 502 <nop,nop,timestamp 51284641 141662472>
        0x0000:  4510 0034 006e 4000 4006 83a0 52ef dd1c
22:49:26.624297 IP 195.91.195.62 > 82.239.221.28: ESP(spi=0xc0101bc4,seq=0x3), length 132
        0x0000:  4500 0098 0600 4000 3432 898e c35b c33e
22:49:26.624381 IP 82.239.221.28 > 195.91.195.62: ICMP host 82.239.221.28 unreachable - admin prohibited, length 112



[root at academ strongswan]# iptables -L -n -v -t nat  --line-numbers
Chain PREROUTING (policy ACCEPT 873K packets, 73M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      *       192.168.3.0/24       0.0.0.0/0           policy match dir in pol ipsec proto 50 

Chain POSTROUTING (policy ACCEPT 1579 packets, 137K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      *       192.168.4.0/24       0.0.0.0/0           policy match dir out pol ipsec proto 50 
2      629 82417 ACCEPT     all  --  *      *       192.168.0.0/16       192.168.0.0/16      
3     6630  596K MASQUERADE !esp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 6855 packets, 710K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
[root at academ strongswan]# ping 192.168.4.10
PING 192.168.4.10 (192.168.4.10) 56(84) bytes of data.

--- 192.168.4.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

[root at academ strongswan]# ip xfrm policy
src 192.168.169.0/24 dst 192.168.3.0/24 
        dir in priority 1859 
        tmpl src 88.174.230.112 dst 195.91.195.62
                proto comp reqid 4 mode tunnel
                level use 
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 4 mode transport
src 192.168.3.0/24 dst 192.168.4.0/24 
        dir out priority 1859 
        tmpl src 195.91.195.62 dst 82.239.221.28
                proto comp reqid 5 mode tunnel
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 5 mode transport
src 192.168.3.0/24 dst 192.168.169.0/24 
        dir out priority 1859 
        tmpl src 195.91.195.62 dst 88.174.230.112
                proto comp reqid 4 mode tunnel
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 4 mode transport
src 192.168.169.0/24 dst 192.168.3.0/24 
        dir fwd priority 1859 
        tmpl src 88.174.230.112 dst 195.91.195.62
                proto comp reqid 4 mode tunnel
                level use 
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 4 mode transport


And things get even worse once the server on the 192.168.3.0/24 network is placed behind the provider's NAT (no access to a public IP address):
The tunnels 
academ.certs.locally.stored{4}:   192.168.3.0/24 === 192.168.169.0/24 
msc-hmnet{22}:   192.168.4.0/24 === 192.168.3.0/24  
are still listed under the "strongswan status", the 

I am running out of ideas about what could be done and how to troubleshoot the configuration.
Could you suggest any solution?
Regards,
Serge

> ----- Original Message -----
> From: s s
> Sent: 12/08/13 10:19 PM
> To: andreas.steffen at strongswan.org
> Subject: strongswan-5.1.1 build
> 
> Hello Andreas,
> 
> I was trying to build strongswan-5.1.1 rpm package on Centos 5.3 distribution.
> 
> I am stuck with the Make error
> make: *** [aclocal.m4] Error 127
> 
> Thank you in advance,
> Serge
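One check worth running on a one-way-broken net-to-net tunnel is whether the kernel actually holds all three policy directions for each remote subnet: `out` for local-to-remote traffic, and both `in` and `fwd` for remote-to-local traffic. In the `ip xfrm policy` listing quoted above, 192.168.169.0/24 (the tunnel that pings) appears with all three, while 192.168.4.0/24 appears only with `dir out`. The script below is an added example, not code from the post or from the strongSwan project; it parses a policy dump constructed from the listing above (tmpl lines trimmed) and reports the missing directions per remote subnet, taking the local subnet 192.168.3.0/24 as an assumed parameter.

```python
# Added example: parse `ip xfrm policy` output and flag remote subnets that
# lack one of the in/out/fwd policies a net-to-net tunnel needs.
import re
from collections import defaultdict

# Constructed from the `ip xfrm policy` listing in the post (tmpl lines trimmed).
SAMPLE = """\
src 192.168.169.0/24 dst 192.168.3.0/24
        dir in priority 1859
        tmpl src 88.174.230.112 dst 195.91.195.62
src 192.168.3.0/24 dst 192.168.4.0/24
        dir out priority 1859
        tmpl src 195.91.195.62 dst 82.239.221.28
src 192.168.3.0/24 dst 192.168.169.0/24
        dir out priority 1859
        tmpl src 195.91.195.62 dst 88.174.230.112
src 192.168.169.0/24 dst 192.168.3.0/24
        dir fwd priority 1859
        tmpl src 88.174.230.112 dst 195.91.195.62
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")      # policy header at column 0
DIR_RE = re.compile(r"^\s+dir (in|out|fwd)\b")       # indented direction line
ALL_DIRS = {"in", "out", "fwd"}

def parse_policies(text):
    """Return a list of (src, dst, direction) tuples, one per policy."""
    policies, cur = [], None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:                      # a new policy starts here
            cur = [m.group(1), m.group(2), None]
            policies.append(cur)
            continue
        m = DIR_RE.match(line)
        if m and cur is not None:  # 'dir' belongs to the current policy
            cur[2] = m.group(1)
    return [tuple(p) for p in policies]

def missing_directions(policies, local_nets):
    """Map each remote subnet to the sorted list of directions it lacks."""
    seen = defaultdict(set)
    for src, dst, direction in policies:
        remote = dst if src in local_nets else src   # the non-local selector
        seen[remote].add(direction)
    return {net: sorted(ALL_DIRS - dirs) for net, dirs in seen.items() if dirs != ALL_DIRS}

if __name__ == "__main__":
    for net, gaps in missing_directions(parse_policies(SAMPLE), {"192.168.3.0/24"}).items():
        print(f"{net}: missing {', '.join(gaps)} policy")
```

Run against a live box with `ip xfrm policy | python3 check.py` after swapping `SAMPLE` for `sys.stdin.read()`; a subnet reported with missing `in`/`fwd` will carry outbound ESP but never deliver the replies.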
