[strongSwan] strongswan-5.1.1 routing pb

s s y52 at europe.com
Tue Dec 17 21:27:25 CET 2013


Hello,

We are migrating from strongswan-4.5 to strongswan-5.1.1 and are currently running into routing problems.
Could you help us settle a weird situation with strongswan-5.1.1, which we built on the CentOS 5.3 distribution?

The configuration is quite classical: net-to-net ( 192.168.3.0/24 === 192.168.4.0/24 )
We need to tunnel the traffic between several private networks. The IPsec channels are well established:

[root at academ strongswan]# strongswan status
Security Associations (2 up, 0 connecting):
   msc-hmnet[10]: ESTABLISHED 30 minutes ago, 195.91.195.62[certificate M]...82.239.221.28[certificate K]
   msc-hmnet{5}:  INSTALLED, TUNNEL, ESP SPIs: c5329687_i c0101bc4_o, IPCOMP CPIs: dcf5_i ab46_o
   msc-hmnet{5}:   192.168.3.0/24 === 192.168.4.0/24
   academ.certs.locally.stored[9]: ESTABLISHED 42 minutes ago, 195.91.195.62[certificate M]...88.174.230.112[certificate K]
   academ.certs.locally.stored{4}:  INSTALLED, TUNNEL, ESP SPIs: cedb5910_i cde12ee2_o, IPCOMP CPIs: 52c2_i 30be_o
   academ.certs.locally.stored{4}:   192.168.3.0/24 === 192.168.169.0/24


[root at academ strongswan]# ip route list table 220
192.168.4.0/24 via 195.91.195.33 dev eth1  proto static  src 192.168.3.56 
192.168.169.0/24 via 195.91.195.33 dev eth1  proto static  src 192.168.3.56 

But out of the 2 tunnels only 1 is reachable. The other one doesn't ping.

[root at academ strongswan]# ping 192.168.169.60
PING 192.168.169.60 (192.168.169.60) 56(84) bytes of data.
64 bytes from 192.168.169.60: icmp_seq=1 ttl=63 time=104 ms
64 bytes from 192.168.169.60: icmp_seq=2 ttl=63 time=102 ms

--- 192.168.169.60 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 102.549/103.537/104.525/0.988 ms
[root at academ strongswan]# ping 192.168.4.10
PING 192.168.4.10 (192.168.4.10) 56(84) bytes of data.

--- 192.168.4.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

If I set on the remote 192.168.4.10:
tcpdump -xnni eth1 "host (195.91.195.62 or 192.168.3.56)"

22:49:26.623874 IP 195.91.195.62.22 > 82.239.221.28.50977: P 5633:5729(96) ack 2400 win 1234 <nop,nop,timestamp 141662472 51284544>
        0x0000:  4500 0094 cb44 4000 3406 c479 c35b c33e
22:49:26.623898 IP 82.239.221.28.50977 > 195.91.195.62.22: . ack 5729 win 502 <nop,nop,timestamp 51284641 141662472>
        0x0000:  4510 0034 006e 4000 4006 83a0 52ef dd1c
22:49:26.624297 IP 195.91.195.62 > 82.239.221.28: ESP(spi=0xc0101bc4,seq=0x3), length 132
        0x0000:  4500 0098 0600 4000 3432 898e c35b c33e
22:49:26.624381 IP 82.239.221.28 > 195.91.195.62: ICMP host 82.239.221.28 unreachable - admin prohibited, length 112



[root at academ strongswan]# iptables -L -n -v -t nat  --line-numbers
Chain PREROUTING (policy ACCEPT 873K packets, 73M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      *       192.168.3.0/24       0.0.0.0/0           policy match dir in pol ipsec proto 50 

Chain POSTROUTING (policy ACCEPT 1579 packets, 137K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      *       192.168.4.0/24       0.0.0.0/0           policy match dir out pol ipsec proto 50 
2      629 82417 ACCEPT     all  --  *      *       192.168.0.0/16       192.168.0.0/16      
3     6630  596K MASQUERADE !esp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 6855 packets, 710K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
[root at academ strongswan]# ping 192.168.4.10
PING 192.168.4.10 (192.168.4.10) 56(84) bytes of data.

--- 192.168.4.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

[root at academ strongswan]# ip xfrm policy
src 192.168.169.0/24 dst 192.168.3.0/24 
        dir in priority 1859 
        tmpl src 88.174.230.112 dst 195.91.195.62
                proto comp reqid 4 mode tunnel
                level use 
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 4 mode transport
src 192.168.3.0/24 dst 192.168.4.0/24 
        dir out priority 1859 
        tmpl src 195.91.195.62 dst 82.239.221.28
                proto comp reqid 5 mode tunnel
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 5 mode transport
src 192.168.3.0/24 dst 192.168.169.0/24 
        dir out priority 1859 
        tmpl src 195.91.195.62 dst 88.174.230.112
                proto comp reqid 4 mode tunnel
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 4 mode transport
src 192.168.169.0/24 dst 192.168.3.0/24 
        dir fwd priority 1859 
        tmpl src 88.174.230.112 dst 195.91.195.62
                proto comp reqid 4 mode tunnel
                level use 
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 4 mode transport


And things get even worse once the server on the 192.168.3.0/24 network is placed behind the provider's NAT'ed server (no access to a public IP address):
The tunnels
academ.certs.locally.stored{4}:   192.168.3.0/24 === 192.168.169.0/24
msc-hmnet{22}:   192.168.4.0/24 === 192.168.3.0/24
are still listed under "strongswan status", and so are the routes:
[root at academ strongswan]# ip route list table 220
192.168.4.0/24 via 195.91.195.33 dev eth1  proto static  src 192.168.3.56
192.168.169.0/24 via 195.91.195.33 dev eth1  proto static  src 192.168.3.56


But neither of the remote networks is reachable in either direction.
We are unable to reach the server 192.168.3.xx behind the NAT.


I am running out of ideas about what could be done and how to troubleshoot the configuration.
Could you suggest any solution?
Regards,
Serge

> ----- Original Message -----
> From: s s
> Sent: 12/08/13 10:19 PM
> To: andreas.steffen at strongswan.org
> Subject: strongswan-5.1.1 build
> 
> Hello Andreas,
> 
> I was trying to build strongswan-5.1.1 rpm package on Centos 5.3 distribution.
> 
> I am stuck with the Make error
> make: *** [aclocal.m4] Error 127
> 
> Thank you in advance,
> Serge
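As an added diagnostic (editor's example, not the poster's code or part of strongSwan): parse the `ip xfrm policy` output quoted in the post and report, per reqid, which of the `in`, `out` and `fwd` directions have no policy installed. In the posted output, reqid 4 (the 192.168.169.0/24 tunnel) has all three, while reqid 5 (the 192.168.4.0/24 tunnel) shows only `dir out`; the sample below is that output with trailing whitespace removed.

```python
import re
from collections import defaultdict

# The `ip xfrm policy` output quoted in the post above (trailing spaces stripped).
XFRM_POLICY = """\
src 192.168.169.0/24 dst 192.168.3.0/24
        dir in priority 1859
        tmpl src 88.174.230.112 dst 195.91.195.62
                proto comp reqid 4 mode tunnel
                level use
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 4 mode transport
src 192.168.3.0/24 dst 192.168.4.0/24
        dir out priority 1859
        tmpl src 195.91.195.62 dst 82.239.221.28
                proto comp reqid 5 mode tunnel
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 5 mode transport
src 192.168.3.0/24 dst 192.168.169.0/24
        dir out priority 1859
        tmpl src 195.91.195.62 dst 88.174.230.112
                proto comp reqid 4 mode tunnel
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 4 mode transport
src 192.168.169.0/24 dst 192.168.3.0/24
        dir fwd priority 1859
        tmpl src 88.174.230.112 dst 195.91.195.62
                proto comp reqid 4 mode tunnel
                level use
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 4 mode transport
"""

# A net-to-net tunnel needs all three so the kernel also accepts decrypted replies.
EXPECTED_DIRS = {"in", "out", "fwd"}

def parse_policies(text):
    """Return (reqid, direction) for each policy block; reqid is read from its first tmpl."""
    block_re = re.compile(r"^src \S+ dst \S+\n\s+dir (\w+).*?reqid (\d+)", re.M | re.S)
    return [(int(reqid), d) for d, reqid in block_re.findall(text)]

def missing_directions(text):
    """Map reqid -> set of directions that have no xfrm policy (only incomplete ones)."""
    seen = defaultdict(set)
    for reqid, d in parse_policies(text):
        seen[reqid].add(d)
    return {r: EXPECTED_DIRS - dirs for r, dirs in seen.items() if EXPECTED_DIRS - dirs}
```

Feed it live output with `ip xfrm policy | python3 check.py` style piping or by reading stdin; an incomplete reqid is a reason to compare the SA's traffic selectors on both gateways before looking at firewalls.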
