[strongSwan] Testing ISAKMP datagrams (unanswered ARP requests)
strongswan at encambio.com
Wed Feb 6 17:13:53 CET 2013
Hi Andreas,
On Tues., Feb. 06, 2013, Andreas Steffen wrote:
>On 02/05/2013 10:45 PM, strongswan at encambio.com wrote:
>> My goal is building an IPv4 IPsec tunnel using IKEv1.
>>
>> Ubuntu 12.10 GNU/Linux AMD64
>> Strongswan 4.5.2
>>
>If you change the setting in ipsec.conf to auto=start then
>
> ipsec start
>
>will cause pluto to automatically negotiate the "here" connection
>and with auto=route
>
> ipsec start
>
>will install a trap in the kernel and the first IP payload packet
>in direction to rightsubnet=192.168.1.0/24 will trigger
>the IKE negotiation.
>
Excellent answer, thank you. Finally pluto is encapsulating IP and
sending it to the 'right' place, but there's a new problem:
# the host running pluto(8) connects to a remote LAN host over the VPN
192.168.0.22$ telnet 192.168.1.88 80
192.168.0.1$ tcpdump -i wan # pluto's default router
18:22:32.575725 IP 192.168.0.22.4500 > 12.34.56.78.4500: UDP-encap: ESP(spi=0xdeadbeef,seq=0x1), length 100
12.34.56.78$ tcpdump -i wan # racoon's default router
18:22:32.604422 IP [pluto's wan-public-address] > 12.34.56.78: ESP(spi=0xdeadbeef,seq=0x1), length 100
192.168.1.1$ tcpdump -i lan # the racoon computer's LAN subnet
18:22:32.673240 IP 192.168.1.55.39347 > 192.168.1.88.80: Flags [S], seq 3091785373, win 14600, options [mss 1460,sackOK,TS val 5418801 ecr 0,nop,wscale 7], length 0
18:22:32.678002 ARP, Request who-has 192.168.1.55 tell 192.168.1.88, length 46
If I telnet in the opposite direction, the same unanswered
ARP broadcasts appear.
PROBLEM
So it seems that either pluto(8) is not correctly describing its
origin IP in the ESP headers, or racoon(8) is not parsing this
information?
The computer running racoon(8) is pfSense, and it clearly labels
all IPsec tunnels with the incoming IP, except in this case, where it
is empty. This case is different because of NAT and because of using
pluto(8) instead of racoon(8).
---- config ----
/etc/strongswan.conf:
pluto {
    load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}
libstrongswan {
    dh_exponent_ansi_x9_42 = no
}
/etc/ipsec.conf:
config setup
    charonstart=no
    plutostart=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn here
    left=%defaultroute            # 192.168.0.22
    leftsourceip=%modeconfig      # 192.168.1.55
    right=12.34.56.78
    rightsubnet=192.168.1.0/24
    auto=start
/etc/ipsec.secrets:
12.34.56.78 : PSK "0000111122223333"
Any idea where the problem lies that ends with the ARP broadcast?
Regards,
Michael
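Editor's note with an added example (not part of this thread, and not strongSwan or pfSense code): a host sends an ARP request only for an address it believes is on its own link. In the captures above the mode-config address 192.168.1.55 lies inside rightsubnet=192.168.1.0/24, so 192.168.1.88 ARPs for it on the LAN, where no host owns that address, instead of sending its SYN-ACK to the gateway and into the tunnel. The Python check below parses tcpdump lines of the shape quoted in the post (the sample lines are constructed here, and 10.99.0.0/24 is a hypothetical alternative pool, not a value from the thread), reports inner source addresses that fall inside rightsubnet together with ARP requests for them that never get a reply, and tests whether a candidate mode-config pool is disjoint from the remote subnet.

```python
"""Added diagnostic for the unanswered-ARP symptom (editor's example, not
from the strongSwan thread or from strongSwan/pfSense themselves)."""
import ipaddress
import re

# Constructed sample lines modelled on the post's LAN-side capture (not a
# real trace): the SYN arrives from the virtual IP 192.168.1.55, and the
# target host ARPs for it because it sits inside the host's own /24.
LAN_CAPTURE_BAD = """\
18:22:32.673240 IP 192.168.1.55.39347 > 192.168.1.88.80: Flags [S], seq 3091785373, win 14600, options [mss 1460,sackOK,TS val 5418801 ecr 0,nop,wscale 7], length 0
18:22:32.678002 ARP, Request who-has 192.168.1.55 tell 192.168.1.88, length 46
"""

# Constructed: virtual IP from a pool disjoint from the LAN (10.99.0.0/24 is
# an assumption, not a value from the post). 192.168.1.88 now ARPs for its
# gateway 192.168.1.1 instead, and that request is answered.
LAN_CAPTURE_GOOD = """\
18:25:01.100000 IP 10.99.0.5.40001 > 192.168.1.88.80: Flags [S], seq 1, win 14600, length 0
18:25:01.100500 ARP, Request who-has 192.168.1.1 tell 192.168.1.88, length 46
18:25:01.100900 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# tcpdump line shapes as quoted in the post (IPv4 TCP SYN, ARP request/reply).
TCP_SYN_RE = re.compile(rf"IP {IPV4}\.\d+ > {IPV4}\.\d+: Flags \[S\]")
ARP_REQ_RE = re.compile(rf"ARP, Request who-has {IPV4} tell {IPV4}")
ARP_REPLY_RE = re.compile(rf"ARP, Reply {IPV4} is-at ")


def parse_capture(text):
    """Return (syns, arp_requests, arp_replies) from tcpdump text.

    syns: list of (src, dst); arp_requests: target -> set of requesters;
    arp_replies: set of addresses somebody answered for."""
    syns, requests, replies = [], {}, set()
    for line in text.splitlines():
        if m := TCP_SYN_RE.search(line):
            syns.append((m.group(1), m.group(2)))
        elif m := ARP_REQ_RE.search(line):
            requests.setdefault(m.group(1), set()).add(m.group(2))
        elif m := ARP_REPLY_RE.search(line):
            replies.add(m.group(1))
    return syns, requests, replies


def diagnose(capture, remote_subnet):
    """One finding per inner SYN: does its source lie inside rightsubnet,
    which LAN hosts ARPed for it, and did that ARP go unanswered?"""
    net = ipaddress.ip_network(remote_subnet)
    syns, requests, replies = parse_capture(capture)
    findings = []
    for src, dst in syns:
        findings.append({
            "inner_src": src,
            "inner_dst": dst,
            "inside_remote_subnet": ipaddress.ip_address(src) in net,
            "arp_requested_by": sorted(requests.get(src, ())),
            "arp_unanswered": src in requests and src not in replies,
        })
    return findings


def virtual_pool_ok(pool, remote_subnet):
    """True when the mode-config pool does not overlap rightsubnet, so the
    remote hosts route replies to their gateway instead of ARPing."""
    return not ipaddress.ip_network(pool).overlaps(
        ipaddress.ip_network(remote_subnet))


if __name__ == "__main__":
    for name, cap in (("bad", LAN_CAPTURE_BAD), ("good", LAN_CAPTURE_GOOD)):
        for finding in diagnose(cap, "192.168.1.0/24"):
            print(name, finding)
    print("pool 192.168.1.0/24 ok:", virtual_pool_ok("192.168.1.0/24", "192.168.1.0/24"))
    print("pool 10.99.0.0/24 ok:", virtual_pool_ok("10.99.0.0/24", "192.168.1.0/24"))
```

Run it against a real `tcpdump -i lan` capture saved to a file by passing the file's contents to `diagnose()`; a finding with `inside_remote_subnet` and `arp_unanswered` both true is the pattern in the post, and `virtual_pool_ok()` is the check to apply to whatever pool the pfSense side hands out before changing it.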