[strongSwan] strongswan-5.1.1 routing pb
s s
y52 at europe.com
Tue Dec 17 21:25:33 CET 2013
Hello,
We are migrating from strongswan-4.5 to strongswan-5.1.1 and are currently running into routing problems.
Could you help us settle a weird situation with strongswan-5.1.1, which we built on the CentOS 5.3 distribution?
The configuration is quite classical: net-to-net ( 192.168.3.0/24 === 192.168.4.0/24 )
We need to tunnel traffic between several private networks. The IPsec channels are well established:
[root at academ strongswan]# strongswan status
Security Associations (2 up, 0 connecting):
msc-hmnet[10]: ESTABLISHED 30 minutes ago, 195.91.195.62[certificate M]...82.239.221.28[certificate K]
msc-hmnet{5}: INSTALLED, TUNNEL, ESP SPIs: c5329687_i c0101bc4_o, IPCOMP CPIs: dcf5_i ab46_o
msc-hmnet{5}: 192.168.3.0/24 === 192.168.4.0/24
academ.certs.locally.stored[9]: ESTABLISHED 42 minutes ago, 195.91.195.62[certificate M]...88.174.230.112[certificate K]
academ.certs.locally.stored{4}: INSTALLED, TUNNEL, ESP SPIs: cedb5910_i cde12ee2_o, IPCOMP CPIs: 52c2_i 30be_o
academ.certs.locally.stored{4}: 192.168.3.0/24 === 192.168.169.0/24
[root at academ strongswan]# ip route list table 220
192.168.4.0/24 via 195.91.195.33 dev eth1 proto static src 192.168.3.56
192.168.169.0/24 via 195.91.195.33 dev eth1 proto static src 192.168.3.56
But out of the 2 tunnels only 1 is reachable. The other one doesn't ping.
[root at academ strongswan]# ping 192.168.169.60
PING 192.168.169.60 (192.168.169.60) 56(84) bytes of data.
64 bytes from 192.168.169.60: icmp_seq=1 ttl=63 time=104 ms
64 bytes from 192.168.169.60: icmp_seq=2 ttl=63 time=102 ms
--- 192.168.169.60 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 102.549/103.537/104.525/0.988 ms
[root at academ strongswan]# ping 192.168.4.10
PING 192.168.4.10 (192.168.4.10) 56(84) bytes of data.
--- 192.168.4.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
If I set on the remote 192.168.4.10:
tcpdump -xnni eth1 "host (195.91.195.62 or 192.168.3.56)"
22:49:26.623874 IP 195.91.195.62.22 > 82.239.221.28.50977: P 5633:5729(96) ack 2400 win 1234 <nop,nop,timestamp 141662472 51284544>
0x0000: 4500 0094 cb44 4000 3406 c479 c35b c33e
22:49:26.623898 IP 82.239.221.28.50977 > 195.91.195.62.22: . ack 5729 win 502 <nop,nop,timestamp 51284641 141662472>
0x0000: 4510 0034 006e 4000 4006 83a0 52ef dd1c
22:49:26.624297 IP 195.91.195.62 > 82.239.221.28: ESP(spi=0xc0101bc4,seq=0x3), length 132
0x0000: 4500 0098 0600 4000 3432 898e c35b c33e
22:49:26.624381 IP 82.239.221.28 > 195.91.195.62: ICMP host 82.239.221.28 unreachable - admin prohibited, length 112
[root at academ strongswan]# iptables -L -n -v -t nat --line-numbers
Chain PREROUTING (policy ACCEPT 873K packets, 73M bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 192.168.3.0/24 0.0.0.0/0 policy match dir in pol ipsec proto 50
Chain POSTROUTING (policy ACCEPT 1579 packets, 137K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 192.168.4.0/24 0.0.0.0/0 policy match dir out pol ipsec proto 50
2 629 82417 ACCEPT all -- * * 192.168.0.0/16 192.168.0.0/16
3 6630 596K MASQUERADE !esp -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 6855 packets, 710K bytes)
num pkts bytes target prot opt in out source destination
[root at academ strongswan]# ping 192.168.4.10
PING 192.168.4.10 (192.168.4.10) 56(84) bytes of data.
--- 192.168.4.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
[root at academ strongswan]# ip xfrm policy
src 192.168.169.0/24 dst 192.168.3.0/24
dir in priority 1859
tmpl src 88.174.230.112 dst 195.91.195.62
proto comp reqid 4 mode tunnel
level use
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 4 mode transport
src 192.168.3.0/24 dst 192.168.4.0/24
dir out priority 1859
tmpl src 195.91.195.62 dst 82.239.221.28
proto comp reqid 5 mode tunnel
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 5 mode transport
src 192.168.3.0/24 dst 192.168.169.0/24
dir out priority 1859
tmpl src 195.91.195.62 dst 88.174.230.112
proto comp reqid 4 mode tunnel
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 4 mode transport
src 192.168.169.0/24 dst 192.168.3.0/24
dir fwd priority 1859
tmpl src 88.174.230.112 dst 195.91.195.62
proto comp reqid 4 mode tunnel
level use
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 4 mode transport
And things get even worse once the server on the 192.168.3.0/24 network is placed behind the provider's NAT'ed server (no access to a public IP address):
The tunnels
academ.certs.locally.stored{4}: 192.168.3.0/24 === 192.168.169.0/24
msc-hmnet{22}: 192.168.4.0/24 === 192.168.3.0/24
are still listed under the "strongswan status", the
I am running out of ideas about what could be done and how to troubleshoot the configuration.
Could you suggest any solution?
Regards,
Serge
> ----- Original Message -----
> From: s s
> Sent: 12/08/13 10:19 PM
> To: andreas.steffen at strongswan.org
> Subject: strongswan-5.1.1 build
>
> Hello Andreas,
>
> I was trying to build the strongswan-5.1.1 rpm package on the CentOS 5.3 distribution.
>
> I am stuck with the Make error
> make: *** [aclocal.m4] Error 127
>
> Thank you in advance,
> Serge
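The `ip xfrm policy` listing quoted in the post shows in, out and fwd policies for the 192.168.169.0/24 pair but only an out policy for 192.168.4.0/24. The script below is an added example (not code from the post or from strongSwan) that parses `ip xfrm policy` text and reports which directions exist for each net-to-net pair; it runs over an abridged, constructed copy of the post's own output, and on a live gateway you would pass `"$(ip xfrm policy)"` as the third argument instead.

```shell
#!/bin/sh
# Abridged, constructed copy of the "ip xfrm policy" output quoted in the post:
# one top-level "src ... dst ..." line per policy, then its indented "dir" line.
XFRM_SAMPLE='src 192.168.169.0/24 dst 192.168.3.0/24
    dir in priority 1859
    tmpl src 88.174.230.112 dst 195.91.195.62
src 192.168.3.0/24 dst 192.168.4.0/24
    dir out priority 1859
    tmpl src 195.91.195.62 dst 82.239.221.28
src 192.168.3.0/24 dst 192.168.169.0/24
    dir out priority 1859
    tmpl src 195.91.195.62 dst 88.174.230.112
src 192.168.169.0/24 dst 192.168.3.0/24
    dir fwd priority 1859
    tmpl src 88.174.230.112 dst 195.91.195.62'

# policy_dirs LOCAL REMOTE [TEXT]: print, in fixed order, which policy
# directions exist for a net-to-net pair: "out" (LOCAL->REMOTE) and
# "in"/"fwd" (REMOTE->LOCAL). TEXT defaults to the constructed sample.
policy_dirs() {
    lnet=$1; rnet=$2; text=${3:-$XFRM_SAMPLE}
    printf '%s\n' "$text" | awk -v l="$lnet" -v r="$rnet" '
        $1 == "src" { s = $2; d = $4; next }   # top-level selector line
        $1 == "dir" {                          # "tmpl src" lines never match
            if (s == l && d == r && $2 == "out") o = 1
            if (s == r && d == l && $2 == "in")  i = 1
            if (s == r && d == l && $2 == "fwd") f = 1
        }
        END {
            if (o) res = "out"
            if (i) res = res (res ? " " : "") "in"
            if (f) res = res (res ? " " : "") "fwd"
            print res
        }'
}

# tunnel_complete LOCAL REMOTE [TEXT]: succeed only when all three directions
# are installed. Without "in"/"fwd" the kernel has no policy under which to
# accept decapsulated return traffic, so the pair can only ever send.
tunnel_complete() {
    [ "$(policy_dirs "$1" "$2" "$3")" = "out in fwd" ]
}

# Walk the two pairs reported by "strongswan status" in the post.
for pair in "192.168.3.0/24 192.168.4.0/24" "192.168.3.0/24 192.168.169.0/24"; do
    set -- $pair
    if tunnel_complete "$1" "$2"; then v=complete; else v=INCOMPLETE; fi
    printf '%s === %s: policies [%s] %s\n' "$1" "$2" "$(policy_dirs "$1" "$2")" "$v"
done
```

A missing in/fwd policy is a separate symptom from the ICMP "admin prohibited" reply in the tcpdump above, which is generated by a filter on the path or at the peer rejecting the ESP packet; both checks belong in the troubleshooting order.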