[strongSwan] Kernel drops all client Packages with virtual IP

richard -rw- weinberger richard.weinberger at gmail.com
Wed Jan 2 11:31:25 CET 2013


On Wed, Jan 2, 2013 at 1:06 AM, Bharath Kumar <cbkumar at gmail.com> wrote:
> What is the log message in say /var/log/messages ?
>
> Also, please post the output of
>
> ip xfrm policy
>
> ip xfrm state
>
> ipsec statusall

There you go:

# tail /var/log/secure
Jan  2 11:16:16 server pluto[27347]: packet from clientIP:500:
received Vendor ID payload [strongSwan]
Jan  2 11:16:16 server pluto[27347]: packet from clientIP:500:
ignoring Vendor ID payload [Cisco-Unity]
Jan  2 11:16:16 server pluto[27347]: packet from clientIP:500:
received Vendor ID payload [XAUTH]
Jan  2 11:16:16 server pluto[27347]: packet from clientIP:500:
received Vendor ID payload [Dead Peer Detection]
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: responding
to Main Mode from unknown peer clientIP
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: Peer ID is
ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=client'
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: crl not found
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: certificate
status unknown
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: we have a
cert and are sending it upon request
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: sent MR3,
ISAKMP SA established
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: sending XAUTH request
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: parsing XAUTH reply
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: extended
authentication was successful
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: sending XAUTH status
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: parsing XAUTH ack
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: received
XAUTH ack, established
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: parsing
ModeCfg request
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: peer
requested virtual IP %any
Jan  2 11:16:16 server pluto[27347]: assigning new lease to 'test'
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: assigning
virtual IP 10.99.0.2 to peer
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: sending ModeCfg reply
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: sent
ModeCfg reply, established
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #2: responding
to Quick Mode
Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #2: IPsec SA
established {ESP=>0xc708c481 <0xcc3562f2}

# ip xfrm state
src serverIP dst clientIP
        proto esp spi 0xc708c481 reqid 16388 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0xe2b06cec53465fe81094ba6e012ccb8345f6cc7f
        enc cbc(aes) 0x6314df56e431a174b81c90b0fc85ed4c
src clientIP dst serverIP
        proto esp spi 0xcc3562f2 reqid 16388 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0x4f454e47213971dcdc764b802f49dccf251e67e8
        enc cbc(aes) 0xaf084c8f7ea79af98fe344eed3098fe4

# ip xfrm policy
src 0.0.0.0/0 dst 10.99.0.2/32
        dir out priority 1923 ptype main
        tmpl src serverIP dst clientIP
                proto esp reqid 16388 mode tunnel
src 10.99.0.2/32 dst 0.0.0.0/0
        dir fwd priority 1923 ptype main
        tmpl src clientIP dst serverIP
                proto esp reqid 16388 mode tunnel
src 10.99.0.2/32 dst 0.0.0.0/0
        dir in priority 1923 ptype main
        tmpl src clientIP dst serverIP
                proto esp reqid 16388 mode tunnel
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main

# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.6.4):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.0.255.252:4500
000 interface eth0/eth0 10.0.255.252:500
000 interface eth1/eth1 serverIP:4500
000 interface eth1/eth1 serverIP:500
000 interface tun0/tun0 10.7.0.1:4500
000 interface tun0/tun0 10.7.0.1:500
000 interface tun1/tun1 10.4.0.1:4500
000 interface tun1/tun1 10.4.0.1:500
000 interface tun2/tun2 10.8.0.1:4500
000 interface tun2/tun2 10.8.0.1:500
000 interface tun3/tun3 10.3.0.1:4500
000 interface tun3/tun3 10.3.0.1:500
000 interface tun4/tun4 10.6.0.1:4500
000 interface tun4/tun4 10.6.0.1:500
000 interface tun5/tun5 10.5.0.1:4500
000 interface tun5/tun5 10.5.0.1:500
000 %myid = '%any'
000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp
dnskey pem gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000 Virtual IP pools (size/online/offline):
000 "ios": 1/1/0
000
000 "ios": 0.0.0.0/0===serverIP[C=CH, O=strongSwan,
CN=my.serverfqdn.com]---95.130.255.1...%any[C=CH, O=strongSwan,
CN=client]===%ios; unrouted; eroute owner: #0
000 "ios":   CAs: "C=CH, O=strongSwan, CN=strongSwan CA"..."C=CH,
O=strongSwan, CN=strongSwan CA"
000 "ios":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3
000 "ios":   policy: ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER; prio:
0,24; interface: eth1;
000 "ios":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "ios"[1]: 0.0.0.0/0===serverIP[C=CH, O=strongSwan,
CN=my.serverfqdn.com]---95.130.255.1...clientIP[C=CH, O=strongSwan,
CN=client]===10.99.0.2/32; erouted; eroute owner: #2
000 "ios"[1]:   CAs: "C=CH, O=strongSwan, CN=strongSwan CA"..."C=CH,
O=strongSwan, CN=strongSwan CA"
000 "ios"[1]:   ike_life: 10800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "ios"[1]:   policy: ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER; prio:
0,24; interface: eth1;
000 "ios"[1]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "ios"[1]:   IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_2048
000 "ios"[1]:   ESP proposal: AES_CBC_128/HMAC_SHA1/<N/A>
000
000 #2: "ios"[1] clientIP STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 3217s; newest IPSEC; eroute owner
000 #2: "ios"[1] clientIP esp.c708c481 at clientIP (0 bytes)
esp.cc3562f2 at serverIP (5333 bytes); tunnel
000 #1: "ios"[1] clientIP STATE_MODE_CFG_R1 (sent ModeCfg reply,
established); EVENT_SA_REPLACE in 10417s; newest ISAKMP
000
Status of IKEv2 charon daemon (strongSwan 4.6.4):
  uptime: 2 minutes, since Jan 02 11:15:54 2013
  malloc: sbrk 278528, mmap 0, used 161696, free 116832
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
scheduled: 0
  loaded plugins: aes des sha1 sha2 md5 random x509 revocation
constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc cmac hmac
attr kernel-netlink resolve socket-raw stroke updown
Virtual IP pools (size/online/offline):
  ios: 1/0/0
Listening IP addresses:
  10.0.255.252
  serverIP
  10.7.0.1
  10.4.0.1
  10.8.0.1
  10.3.0.1
  10.6.0.1
  10.5.0.1
Connections:
Security Associations (0 up, 0 connecting):
  none

-- 
Thanks,
//richard
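The three dumps in the message above are the standard evidence for this kind of report. What follows is an added diagnostic written for this thread (it is not code from the post, from strongSwan or from iproute2) that cross-checks them the way a reviewer would by hand: every in/out/fwd policy template must be backed by a state entry with the same endpoints, reqid, protocol and mode; the SPIs pluto reports must be the ones the kernel actually holds; and the per-SA byte counters show on which side of decryption traffic is being lost. The sample dumps are the ones from the post, with two assumptions so that they parse: the placeholders serverIP and clientIP are replaced by the documentation addresses 203.0.113.1 and 198.51.100.7, and the list archive's " at " is restored to the "@" that pluto prints. The key material lines are omitted.

```python
"""Cross-check `ip xfrm state`, `ip xfrm policy` and the SA lines of
`ipsec statusall` against each other (added example, not strongSwan code)."""
import re
from collections import namedtuple

SA = namedtuple("SA", "src dst proto spi reqid mode")
Tmpl = namedtuple("Tmpl", "src dst proto reqid mode")
Policy = namedtuple("Policy", "src dst direction tmpl")   # tmpl is None for socket policies

# Sample dumps copied from the post; serverIP/clientIP replaced by the
# documentation addresses 203.0.113.1 / 198.51.100.7 (assumption), keys omitted.
XFRM_STATE = """\
src 203.0.113.1 dst 198.51.100.7
        proto esp spi 0xc708c481 reqid 16388 mode tunnel
        replay-window 32 flag 20
src 198.51.100.7 dst 203.0.113.1
        proto esp spi 0xcc3562f2 reqid 16388 mode tunnel
        replay-window 32 flag 20
"""
XFRM_POLICY = """\
src 0.0.0.0/0 dst 10.99.0.2/32
        dir out priority 1923 ptype main
        tmpl src 203.0.113.1 dst 198.51.100.7
                proto esp reqid 16388 mode tunnel
src 10.99.0.2/32 dst 0.0.0.0/0
        dir fwd priority 1923 ptype main
        tmpl src 198.51.100.7 dst 203.0.113.1
                proto esp reqid 16388 mode tunnel
src 10.99.0.2/32 dst 0.0.0.0/0
        dir in priority 1923 ptype main
        tmpl src 198.51.100.7 dst 203.0.113.1
                proto esp reqid 16388 mode tunnel
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
"""
# pluto's SA line; the archive shows "@" as " at ", the parser accepts both.
STATUSALL = ('000 #2: "ios"[1] 198.51.100.7 esp.c708c481@198.51.100.7 (0 bytes) '
             'esp.cc3562f2@203.0.113.1 (5333 bytes); tunnel\n')


def parse_xfrm_state(text):
    """One SA per `src ... dst ...` block; key lines are ignored."""
    sas, head = [], None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)\s*$", line)
        if m:
            head = m.groups()
            continue
        m = re.match(r"\s+proto (\S+) spi (0x[0-9a-f]+) reqid (\d+) mode (\S+)", line)
        if m and head:
            proto, spi, reqid, mode = m.groups()
            sas.append(SA(head[0], head[1], proto, int(spi, 16), int(reqid), mode))
            head = None
    return sas


def parse_xfrm_policy(text):
    """One policy per block.  Numeric directions (3 = in, 4 = out) are the
    per-socket bypass policies the IKE daemons set on their own UDP sockets;
    they carry no template and are kept only so they can be counted."""
    pols, cur = [], None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)\s*$", line)
        if m:
            if cur:
                pols.append(Policy(**cur))
            cur = {"src": m.group(1), "dst": m.group(2), "direction": None, "tmpl": None}
            continue
        if cur is None:
            continue
        m = re.match(r"\s+dir (\S+) priority", line)
        if m:
            cur["direction"] = m.group(1)
            continue
        m = re.match(r"\s+tmpl src (\S+) dst (\S+)", line)
        if m:
            cur["tmpl"] = m.groups()          # endpoints; completed on the next line
            continue
        m = re.match(r"\s+proto (\S+) reqid (\d+) mode (\S+)", line)
        if m and cur["tmpl"]:
            src, dst = cur["tmpl"]
            cur["tmpl"] = Tmpl(src, dst, m.group(1), int(m.group(2)), m.group(3))
    if cur:
        pols.append(Policy(**cur))
    return pols


def parse_sa_counters(status_text):
    """SPI -> bytes from pluto's `esp.<spi>@<peer> (<n> bytes)` fragments."""
    return {int(spi, 16): int(n) for spi, n in
            re.findall(r"esp\.([0-9a-f]+)(?:@| at )\S+ \((\d+) bytes\)", status_text)}


def direction_bytes(sas, pols, counters):
    """Bytes counted on the SAs that back the 'in' and 'out' policies: (in, out)."""
    by_key = {(s.src, s.dst, s.proto, s.reqid, s.mode): s for s in sas}
    totals = {"in": 0, "out": 0}
    for p in pols:
        if p.tmpl and p.direction in totals:
            sa = by_key.get(tuple(p.tmpl))
            if sa is not None:
                totals[p.direction] += counters.get(sa.spi, 0)
    return totals["in"], totals["out"]


def diagnose(state_text, policy_text, status_text):
    """Return a list of findings; empty means all three views agree and both
    directions carry traffic."""
    sas = parse_xfrm_state(state_text)
    pols = parse_xfrm_policy(policy_text)
    counters = parse_sa_counters(status_text)
    findings = []
    keys = {(s.src, s.dst, s.proto, s.reqid, s.mode) for s in sas}
    for p in pols:                                   # every template needs an SA
        if p.tmpl and tuple(p.tmpl) not in keys:
            findings.append("%s policy %s -> %s has no SA for template %s"
                            % (p.direction, p.src, p.dst, p.tmpl))
    spis = {s.spi for s in sas}
    for spi in counters:                             # pluto and kernel must agree on SPIs
        if spi not in spis:
            findings.append("pluto reports SPI 0x%08x which the kernel does not have" % spi)
    in_b, out_b = direction_bytes(sas, pols, counters)
    if in_b > 0 and out_b == 0:                      # traffic dies after decryption
        findings.append("ESP from the peer is decrypted (%d bytes in) but nothing is sent "
                        "back through the tunnel (0 bytes out): the drop is after decryption, "
                        "so look at forwarding, reply routing, rp_filter and the firewall "
                        "rather than at IKE" % in_b)
    return findings


if __name__ == "__main__":
    for finding in diagnose(XFRM_STATE, XFRM_POLICY, STATUSALL):
        print(finding)
```

Run against the post's data it produces exactly one finding: the inbound SA has received and decrypted 5333 bytes while the outbound SA has sent nothing, so Main Mode, XAUTH, ModeCfg and the SA install all worked and the loss is in what happens to the decrypted packets and their replies. The `dir 3`/`dir 4` entries are the socket policies the IKE daemons install on their UDP sockets; they have no template and are not checked.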



