[strongSwan] Kernel drops all client Packages with virtual IP

richard -rw- weinberger richard.weinberger at gmail.com
Sat Jan 5 11:51:28 CET 2013


On Wed, Jan 2, 2013 at 11:31 AM, richard -rw- weinberger
<richard.weinberger at gmail.com> wrote:
> On Wed, Jan 2, 2013 at 1:06 AM, Bharath Kumar <cbkumar at gmail.com> wrote:
>> What is the log message in say /var/log/messages ?
>>
>> Also, please post the output of
>>
>> ip xfrm policy
>>
>> ip xfrm state
>>
>> ipsec statusall
>
> There you go:
>
> # tail /var/log/secure
> Jan  2 11:16:16 server pluto[27347]: packet from clientIP:500:
> received Vendor ID payload [strongSwan]
> Jan  2 11:16:16 server pluto[27347]: packet from clientIP:500:
> ignoring Vendor ID payload [Cisco-Unity]
> Jan  2 11:16:16 server pluto[27347]: packet from clientIP:500:
> received Vendor ID payload [XAUTH]
> Jan  2 11:16:16 server pluto[27347]: packet from clientIP:500:
> received Vendor ID payload [Dead Peer Detection]
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: responding
> to Main Mode from unknown peer clientIP
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: Peer ID is
> ID_DER_ASN1_DN: 'C=CH, O=strongSwan, CN=client'
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: crl not found
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: certificate
> status unknown
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: we have a
> cert and are sending it upon request
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: sent MR3,
> ISAKMP SA established
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: sending XAUTH request
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: parsing XAUTH reply
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: extended
> authentication was successful
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: sending XAUTH status
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: parsing XAUTH ack
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: received
> XAUTH ack, established
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: parsing
> ModeCfg request
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: peer
> requested virtual IP %any
> Jan  2 11:16:16 server pluto[27347]: assigning new lease to 'test'
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: assigning
> virtual IP 10.99.0.2 to peer
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: sending ModeCfg reply
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #1: sent
> ModeCfg reply, established
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #2: responding
> to Quick Mode
> Jan  2 11:16:16 server pluto[27347]: "ios"[1] clientIP #2: IPsec SA
> established {ESP=>0xc708c481 <0xcc3562f2}
>
> # ip xfrm state
> src serverIP dst clientIP
>         proto esp spi 0xc708c481 reqid 16388 mode tunnel
>         replay-window 32 flag 20
>         auth hmac(sha1) 0xe2b06cec53465fe81094ba6e012ccb8345f6cc7f
>         enc cbc(aes) 0x6314df56e431a174b81c90b0fc85ed4c
> src clientIP dst serverIP
>         proto esp spi 0xcc3562f2 reqid 16388 mode tunnel
>         replay-window 32 flag 20
>         auth hmac(sha1) 0x4f454e47213971dcdc764b802f49dccf251e67e8
>         enc cbc(aes) 0xaf084c8f7ea79af98fe344eed3098fe4
>
> # ip xfrm policy
> src 0.0.0.0/0 dst 10.99.0.2/32
>         dir out priority 1923 ptype main
>         tmpl src serverIP dst clientIP
>                 proto esp reqid 16388 mode tunnel
> src 10.99.0.2/32 dst 0.0.0.0/0
>         dir fwd priority 1923 ptype main
>         tmpl src clientIP dst serverIP
>                 proto esp reqid 16388 mode tunnel
> src 10.99.0.2/32 dst 0.0.0.0/0
>         dir in priority 1923 ptype main
>         tmpl src clientIP dst serverIP
>                 proto esp reqid 16388 mode tunnel
> src ::/0 dst ::/0
>         dir 4 priority 0 ptype main
> src ::/0 dst ::/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src ::/0 dst ::/0
>         dir 3 priority 0 ptype main
> src ::/0 dst ::/0
>         dir 4 priority 0 ptype main
> src ::/0 dst ::/0
>         dir 3 priority 0 ptype main
> src ::/0 dst ::/0
>         dir 4 priority 0 ptype main
> src ::/0 dst ::/0
>         dir 3 priority 0 ptype main
> src ::/0 dst ::/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0 ptype main
>
> # ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.6.4):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:4500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 10.0.255.252:4500
> 000 interface eth0/eth0 10.0.255.252:500
> 000 interface eth1/eth1 serverIP:4500
> 000 interface eth1/eth1 serverIP:500
> 000 interface tun0/tun0 10.7.0.1:4500
> 000 interface tun0/tun0 10.7.0.1:500
> 000 interface tun1/tun1 10.4.0.1:4500
> 000 interface tun1/tun1 10.4.0.1:500
> 000 interface tun2/tun2 10.8.0.1:4500
> 000 interface tun2/tun2 10.8.0.1:500
> 000 interface tun3/tun3 10.3.0.1:4500
> 000 interface tun3/tun3 10.3.0.1:500
> 000 interface tun4/tun4 10.6.0.1:4500
> 000 interface tun4/tun4 10.6.0.1:500
> 000 interface tun5/tun5 10.5.0.1:4500
> 000 interface tun5/tun5 10.5.0.1:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp
> dnskey pem gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: none
> 000 Virtual IP pools (size/online/offline):
> 000 "ios": 1/1/0
> 000
> 000 "ios": 0.0.0.0/0===serverIP[C=CH, O=strongSwan,
> CN=my.serverfqdn.com]---95.130.255.1...%any[C=CH, O=strongSwan,
> CN=client]===%ios; unrouted; eroute owner: #0
> 000 "ios":   CAs: "C=CH, O=strongSwan, CN=strongSwan CA"..."C=CH,
> O=strongSwan, CN=strongSwan CA"
> 000 "ios":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 3
> 000 "ios":   policy: ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER; prio:
> 0,24; interface: eth1;
> 000 "ios":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "ios"[1]: 0.0.0.0/0===serverIP[C=CH, O=strongSwan,
> CN=my.serverfqdn.com]---95.130.255.1...clientIP[C=CH, O=strongSwan,
> CN=client]===10.99.0.2/32; erouted; eroute owner: #2
> 000 "ios"[1]:   CAs: "C=CH, O=strongSwan, CN=strongSwan CA"..."C=CH,
> O=strongSwan, CN=strongSwan CA"
> 000 "ios"[1]:   ike_life: 10800s; ipsec_life: 3600s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "ios"[1]:   policy: ENCRYPT+TUNNEL+XAUTHRSASIG+XAUTHSERVER; prio:
> 0,24; interface: eth1;
> 000 "ios"[1]:   newest ISAKMP SA: #1; newest IPsec SA: #2;
> 000 "ios"[1]:   IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_2048
> 000 "ios"[1]:   ESP proposal: AES_CBC_128/HMAC_SHA1/<N/A>
> 000
> 000 #2: "ios"[1] clientIP STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 3217s; newest IPSEC; eroute owner
> 000 #2: "ios"[1] clientIP esp.c708c481 at clientIP (0 bytes)
> esp.cc3562f2 at serverIP (5333 bytes); tunnel
> 000 #1: "ios"[1] clientIP STATE_MODE_CFG_R1 (sent ModeCfg reply,
> established); EVENT_SA_REPLACE in 10417s; newest ISAKMP
> 000
> Status of IKEv2 charon daemon (strongSwan 4.6.4):
>   uptime: 2 minutes, since Jan 02 11:15:54 2013
>   malloc: sbrk 278528, mmap 0, used 161696, free 116832
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
>   loaded plugins: aes des sha1 sha2 md5 random x509 revocation
> constraints pubkey pkcs1 pkcs8 pgp pem fips-prf gmp xcbc cmac hmac
> attr kernel-netlink resolve socket-raw stroke updown
> Virtual IP pools (size/online/offline):
>   ios: 1/0/0
> Listening IP addresses:
>   10.0.255.252
>   serverIP
>   10.7.0.1
>   10.4.0.1
>   10.8.0.1
>   10.3.0.1
>   10.6.0.1
>   10.5.0.1
> Connections:
> Security Associations (0 up, 0 connecting):
>   none
>
> --
> Thanks,
> //richard

Anyone?

-- 
Thanks,
//richard