[strongSwan] Traffic is not sent through the tunnel.
Maillist
maillist at justinwoodman.com
Thu Jan 17 00:47:39 CET 2013
I'm having trouble getting my traffic to go through the tunnel. The network route is added by strongSwan and sends the traffic out through the WAN interface (vlan500), but the traffic is not encapsulated. Basically it just forwards/routes the traffic on to the WAN interface. The tunnel is up. I'm running Ubuntu Quantal x64 on both sides, and both are using 802.1Q VLAN tags on a bonded aggregated interface. I never get errors in the charon process. It appears everything is fine. The remote side is a dynamic-IP home/small-business type of circuit and it initiates the tunnel. Both devices have public IP addresses on the internal interfaces, and do not require NAT traversal. iptables rules do exist, but I really have no outbound restriction configured, and nothing is getting logged as dropped. At the bottom, I have a ping from the gwy host using 10.199.22.5 to 10.135.200.1 on the other side of the tunnel, and it's just routing the packet out to the ISP as an ICMP packet, not UDP 500/4500. Now that does mean it's using the route from strongSwan (10.135.200/24) and not the 10/8, which is a different interface. It seems the kernel is not doing its part. The strongSwan and ipsec-tools packages are the base Ubuntu repository versions. Any help would be appreciated. The current configuration is basic: pre-shared key with IKEv2 and only two subnets on either side. I'm just trying to get this working.
Thanks,
Justin
This is one side of the tunnel, the gwy machine. It's connected to a metro Ethernet circuit, which has a group of public static IP addresses. Domains and public IP addresses have been masked.
~# uname -a
Linux gwy 3.5.0-21-generic #32-Ubuntu SMP Tue Dec 11 18:51:59 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
# ip xfrm policy
src 10.135.199.24/30 dst 10.135.199.48/29
dir fwd priority 1815
tmpl src 71.#.#.# dst 50.#.#.#
proto esp reqid 4 mode tunnel
src 10.135.199.24/30 dst 10.135.199.48/29
dir in priority 1815
tmpl src 71.#.#.# dst 50.#.#.#
proto esp reqid 4 mode tunnel
src 10.135.199.48/29 dst 10.135.199.24/30
dir out priority 1815
tmpl src 50.#.#.# dst 71.#.#.#
proto esp reqid 4 mode tunnel
src 10.135.200.0/25 dst 10.135.199.48/29
dir fwd priority 1835
tmpl src 71.#.#.# dst 50.#.#.#
proto esp reqid 4 mode tunnel
src 10.135.200.0/25 dst 10.135.199.48/29
dir in priority 1835
tmpl src 71.#.#.# dst 50.#.#.#
proto esp reqid 4 mode tunnel
src 10.135.199.48/29 dst 10.135.200.0/25
dir out priority 1835
tmpl src 50.#.#.# dst 71.#.#.#
proto esp reqid 4 mode tunnel
src 10.135.199.24/30 dst 10.199.22.0/24
dir fwd priority 1835
tmpl src 71.#.#.# dst 50.#.#.#
proto esp reqid 4 mode tunnel
src 10.135.199.24/30 dst 10.199.22.0/24
dir in priority 1835
tmpl src 71.#.#.# dst 50.#.#.#
proto esp reqid 4 mode tunnel
src 10.199.22.0/24 dst 10.135.199.24/30
dir out priority 1835
tmpl src 50.#.#.# dst 71.#.#.#
proto esp reqid 4 mode tunnel
src 10.135.200.0/25 dst 10.199.22.0/24
dir fwd priority 1855
tmpl src 71.#.#.# dst 50.#.#.#
proto esp reqid 4 mode tunnel
src 10.135.200.0/25 dst 10.199.22.0/24
dir in priority 1855
tmpl src 71.#.#.# dst 50.#.#.#
proto esp reqid 4 mode tunnel
src 10.199.22.0/24 dst 10.135.200.0/25
dir out priority 1855
tmpl src 50.#.#.# dst 71.#.#.#
proto esp reqid 4 mode tunnel
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
# ip xfrm state
src 50.#.#.# dst 71.#.#.#
proto esp spi 0xc22405d4 reqid 4 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xa5771e4f716e716b001c52fd90b12a210ee2dab7 96
enc cbc(aes) 0xfd6ee6a0a9ab2c1db7e351b9739a79a7
src 71.#.#.# dst 50.#.#.#
proto esp spi 0xcd8b52fd reqid 4 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xda85d162a41455b1329466c4b6bb5f3597a6d446 96
enc cbc(aes) 0xd50d85e47023c1a447c6296fa6c7589a
# ipsec status
Security Associations:
gwy-remote[4]: ESTABLISHED 22 minutes ago, 50.#.#.#[gwy.domain.local]...71.#.#.#[remote.domain.local]
gwy-remote{4}: INSTALLED, TUNNEL, ESP SPIs: cd8b52fd_i c22405d4_o
gwy-remote{4}: 10.199.22.0/24 10.135.199.48/29 === 10.135.200.0/25 10.135.199.24/30
# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.2):
uptime: 2 hours, since Jan 16 14:04:25 2013
malloc: sbrk 270336, mmap 0, used 243136, free 27200
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 2
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp
agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve
socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
10.135.199.50
10.135.199.54
10.199.22.5
50.#.#.#
192.168.1.9
Connections:
gwy-remote: 50.#.#.#...%any
gwy-remote: local: [gwy.domain.local] uses pre-shared key authentication
gwy-remote: remote: [remote.domain.local] uses any authentication
gwy-remote: child: 10.199.22.0/24 10.135.199.48/29 === 10.135.200.0/24 10.135.199.24/30
Security Associations:
gwy-remote[4]: ESTABLISHED 22 minutes ago, 50.#.#.#[gwy.domain.local]...71.#.#.#[remote.domain.local]
gwy-remote[4]: IKE SPIs: a3ec70e87850dc8a_i 2b9eb2678dba2782_r*, pre-shared key reauthentication in 33 minutes
gwy-remote[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
gwy-remote{4}: INSTALLED, TUNNEL, ESP SPIs: cd8b52fd_i c22405d4_o
gwy-remote{4}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 9 minutes
gwy-remote{4}: 10.199.22.0/24 10.135.199.48/29 === 10.135.200.0/25 10.135.199.24/30
# ipsec listall
List of registered IKEv2 Algorithms:
encryption: AES_CBC[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des]
CAMELLIA_CBC[openssl] RC5_CBC[openssl]
IDEA_CBC[openssl] CAST_CBC[openssl] BLOWFISH_CBC[openssl]
NULL[openssl] AES_CTR[ctr] CAMELLIA_CTR[ctr]
integrity: AES_XCBC_96[xcbc] CAMELLIA_XCBC_96[xcbc]
HMAC_SHA1_96[hmac] HMAC_SHA1_128[hmac] HMAC_SHA1_160[hmac]
HMAC_SHA2_256_128[hmac] HMAC_SHA2_256_256[hmac]
HMAC_MD5_96[hmac] HMAC_MD5_128[hmac]
HMAC_SHA2_384_192[hmac] HMAC_SHA2_384_384[hmac]
HMAC_SHA2_512_256[hmac]
aead: AES_CCM_8[ccm] AES_CCM_12[ccm] AES_CCM_16[ccm]
CAMELLIA_CCM_8[ccm] CAMELLIA_CCM_12[ccm]
CAMELLIA_CCM_16[ccm] AES_GCM_8[gcm] AES_GCM_12[gcm]
AES_GCM_16[gcm]
hasher: HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2]
HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD5[md5]
HASH_MD2[openssl] HASH_MD4[openssl]
prf: PRF_KEYED_SHA1[sha1] PRF_FIPS_SHA1_160[fips-prf]
PRF_AES128_XCBC[xcbc] PRF_CAMELLIA128_XCBC[xcbc]
PRF_HMAC_SHA1[hmac] PRF_HMAC_SHA2_256[hmac]
PRF_HMAC_MD5[hmac] PRF_HMAC_SHA2_384[hmac]
PRF_HMAC_SHA2_512[hmac]
dh-group: MODP_2048[openssl] MODP_2048_224[openssl]
MODP_2048_256[openssl] MODP_1536[openssl] ECP_256[openssl]
ECP_384[openssl] ECP_521[openssl] ECP_224[openssl]
ECP_192[openssl] MODP_3072[openssl] MODP_4096[openssl]
MODP_6144[openssl] MODP_8192[openssl] MODP_1024[openssl]
MODP_1024_160[openssl] MODP_768[openssl]
MODP_CUSTOM[openssl]
random-gen: RNG_STRONG[random] RNG_TRUE[random]
# ip route show table 0
10.135.199.24/30 via 50.#.#.# dev vlan500 table 220 proto static src 10.199.22.5
10.135.200.0/25 via 50.#.#.# dev vlan500 table 220 proto static src 10.199.22.5
default via 50.#.#.# dev vlan500 metric 1
10.0.0.0/8 via 10.199.22.1 dev vlan22
10.135.199.48/30 dev dummy0 proto kernel scope link src 10.135.199.50
10.135.199.52/30 dev dummy1 proto kernel scope link src 10.135.199.54
10.199.22.0/24 dev vlan22 proto kernel scope link src 10.199.22.5
50.#.#.#/28 dev vlan500 proto kernel scope link src 50.#.#.#
172.16.0.0/12 via 10.199.22.1 dev vlan22
192.168.0.0/16 via 10.199.22.1 dev vlan22
192.168.1.0/24 dev vlan999 proto kernel scope link src 192.168.1.9
default via 192.168.1.1 dev vlan999 table gwy metric 1
10.0.0.0/8 via 10.199.22.1 dev vlan22 table backupisp
10.135.199.48/30 via 10.135.199.50 dev dummy0 table backupisp
10.135.199.52/30 via 10.135.199.54 dev dummy1 table backupisp
172.16.0.0/12 via 10.199.22.1 dev vlan22 table backupisp
192.168.0.0/16 via 10.199.22.1 dev vlan22 table backupisp
192.168.1.0/24 via 192.168.1.1 dev vlan999 table backupisp
192.168.100.0/24 via 192.168.1.1 dev vlan999 table backupisp
broadcast 10.135.199.48 dev dummy0 table local proto kernel scope link src 10.135.199.50
local 10.135.199.50 dev dummy0 table local proto kernel scope host src 10.135.199.50
broadcast 10.135.199.51 dev dummy0 table local proto kernel scope link src 10.135.199.50
broadcast 10.135.199.52 dev dummy1 table local proto kernel scope link src 10.135.199.54
local 10.135.199.54 dev dummy1 table local proto kernel scope host src 10.135.199.54
broadcast 10.135.199.55 dev dummy1 table local proto kernel scope link src 10.135.199.54
broadcast 10.199.22.0 dev vlan22 table local proto kernel scope link src 10.199.22.5
local 10.199.22.5 dev vlan22 table local proto kernel scope host src 10.199.22.5
broadcast 10.199.22.255 dev vlan22 table local proto kernel scope link src 10.199.22.5
broadcast 50.#.#.# dev vlan500 table local proto kernel scope link src 50.#.#.#
local 50.#.#.# dev vlan500 table local proto kernel scope host src 50.#.#.#
broadcast 50.#.#.# dev vlan500 table local proto kernel scope link src 50.#.#.#
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev vlan999 table local proto kernel scope link src 192.168.1.9
local 192.168.1.9 dev vlan999 table local proto kernel scope host src 192.168.1.9
broadcast 192.168.1.255 dev vlan999 table local proto kernel scope link src 192.168.1.9
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 hoplimit 255
fe80::/64 dev dummy0 proto kernel metric 256
fe80::/64 dev dummy1 proto kernel metric 256
fe80::/64 dev bond0 proto kernel metric 256
fe80::/64 dev vlan22 proto kernel metric 256
fe80::/64 dev vlan500 proto kernel metric 256
fe80::/64 dev vlan999 proto kernel metric 256
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 hoplimit 255
local ::1 via :: dev lo table local proto none metric 0
local fe80::221:5eff:fe4e:1866 via :: dev lo table local proto none metric 0
local fe80::221:5eff:fe4e:1866 via :: dev lo table local proto none metric 0
local fe80::221:5eff:fe4e:1866 via :: dev lo table local proto none metric 0
local fe80::221:5eff:fe4e:1866 via :: dev lo table local proto none metric 0
local fe80::6898:afff:fef6:114a via :: dev lo table local proto none metric 0
local fe80::ec5a:49ff:fef8:b4f8 via :: dev lo table local proto none metric 0
ff00::/8 dev dummy0 table local metric 256
ff00::/8 dev dummy1 table local metric 256
ff00::/8 dev bond0 table local metric 256
ff00::/8 dev vlan22 table local metric 256
ff00::/8 dev vlan500 table local metric 256
ff00::/8 dev vlan999 table local metric 256
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 hoplimit 255
# ifconfig
bond0 Link encap:Ethernet HWaddr 00:21:5e:4e:18:66
inet6 addr: fe80::221:5eff:fe4e:1866/64 Scope:Link
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:18122288 errors:0 dropped:61 overruns:0 frame:0
TX packets:24415306 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4279573573 (4.2 GB) TX bytes:24257093551 (24.2 GB)
dummy0 Link encap:Ethernet HWaddr ee:5a:49:f8:b4:f8
inet addr:10.135.199.50 Bcast:10.135.199.51 Mask:255.255.255.252
inet6 addr: fe80::ec5a:49ff:fef8:b4f8/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:601 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:80944 (80.9 KB)
dummy1 Link encap:Ethernet HWaddr 6a:98:af:f6:11:4a
inet addr:10.135.199.54 Bcast:10.135.199.55 Mask:255.255.255.252
inet6 addr: fe80::6898:afff:fef6:114a/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:601 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:80944 (80.9 KB)
eth0 Link encap:Ethernet HWaddr 00:21:5e:4e:18:66
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:7365088 errors:0 dropped:0 overruns:0 frame:0
TX packets:23792925 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2333826703 (2.3 GB) TX bytes:23564935618 (23.5 GB)
Interrupt:16
eth1 Link encap:Ethernet HWaddr 00:21:5e:4e:18:66
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:10757200 errors:0 dropped:1 overruns:0 frame:0
TX packets:622381 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1945746870 (1.9 GB) TX bytes:692157933 (692.1 MB)
Interrupt:17
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:104753 errors:0 dropped:0 overruns:0 frame:0
TX packets:104753 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:17687477 (17.6 MB) TX bytes:17687477 (17.6 MB)
vlan22 Link encap:Ethernet HWaddr 00:21:5e:4e:18:66
inet addr:10.199.22.5 Bcast:10.199.22.255 Mask:255.255.255.0
inet6 addr: fe80::221:5eff:fe4e:1866/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8718897 errors:0 dropped:22 overruns:0 frame:0
TX packets:3287037 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:705368516 (705.3 MB) TX bytes:22418161386 (22.4 GB)
vlan500 Link encap:Ethernet HWaddr 00:21:5e:4e:18:66
inet addr:50.#.#.# Bcast:50.#.#.# Mask:255.255.255.240
inet6 addr: fe80::221:5eff:fe4e:1866/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9164712 errors:0 dropped:0 overruns:0 frame:0
TX packets:8337045 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3155201423 (3.1 GB) TX bytes:950913512 (950.9 MB)
vlan999 Link encap:Ethernet HWaddr 00:21:5e:4e:18:66
inet addr:192.168.1.9 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::221:5eff:fe4e:1866/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:97708 errors:0 dropped:0 overruns:0 frame:0
TX packets:8809 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8986395 (8.9 MB) TX bytes:800192 (800.1 KB)
# lsmod
Module Size Used by
xt_policy 12582 8
authenc 17535 3
xfrm6_mode_tunnel 12639 3
xfrm4_mode_tunnel 12639 6
xfrm_user 31124 2
xfrm4_tunnel 12857 0
tunnel4 13252 1 xfrm4_tunnel
ipcomp 12661 0
xfrm_ipcomp 13413 1 ipcomp
esp4 17139 3
ah4 13044 0
deflate 12617 0
zlib_deflate 26914 1 deflate
twofish_generic 16635 0
ctr 13005 0
twofish_x86_64_3way 29721 0
twofish_x86_64 12867 1 twofish_x86_64_3way
twofish_common 21113 3 twofish_generic,twofish_x86_64_3way,twofish_x86_64
camellia_generic 29348 0
camellia_x86_64 55261 0
serpent_sse2_x86_64 54423 0
cryptd 20403 1 serpent_sse2_x86_64
lrw 13286 3 twofish_x86_64_3way,camellia_x86_64,serpent_sse2_x86_64
serpent_generic 25724 1 serpent_sse2_x86_64
xts 12880 3 twofish_x86_64_3way,camellia_x86_64,serpent_sse2_x86_64
gf128mul 14951 2 lrw,xts
blowfish_generic 12530 0
blowfish_x86_64 21381 0
blowfish_common 16699 2 blowfish_generic,blowfish_x86_64
cast5 25112 0
des_generic 21415 0
xcbc 12815 0
rmd160 16744 0
sha512_generic 12796 0
crypto_null 12918 0
af_key 36052 0
xfrm_algo 15464 5 xfrm_user,xfrm_ipcomp,esp4,ah4,af_key
8021q 24154 0
garp 14424 1 8021q
stp 12931 1 garp
llc 14552 2 garp,stp
ip6table_filter 12815 1
ip6_tables 27207 1 ip6table_filter
ipt_MASQUERADE 12759 16
iptable_nat 13182 1
nf_nat 25254 2 ipt_MASQUERADE,iptable_nat
ipt_REJECT 12541 40
xt_tcpudp 12603 972
xt_LOG 17349 66
xt_limit 12711 76
nf_conntrack_ipv4 14480 1020 iptable_nat,nf_nat
nf_defrag_ipv4 12729 1 nf_conntrack_ipv4
xt_state 12578 1017
nf_conntrack 82633 5 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,xt_state
iptable_filter 12810 1
ip_tables 26995 2 iptable_nat,iptable_filter
x_tables 29711 12 xt_policy,ip6table_filter,ip6_tables,ipt_MASQUERADE,iptable_nat,ipt_REJECT,xt_tcpudp,xt_LOG,xt_limit,xt_state,iptable_filter,ip_tables
radeon 895692 1
gpio_ich 13383 0
coretemp 13400 0
kvm_intel 132759 0
ttm 83595 1 radeon
kvm 414070 1 kvm_intel
drm_kms_helper 49112 1 radeon
drm 288670 3 radeon,ttm,drm_kms_helper
i5000_edac 17497 0
edac_core 52451 3 i5000_edac
i5k_amb 13190 0
lpc_ich 17061 0
i2c_algo_bit 13413 1 radeon
ppdev 17073 0
psmouse 95552 0
microcode 22803 0
shpchp 37108 0
serio_raw 13215 0
joydev 17457 0
mac_hid 13205 0
dummy 12957 0
parport_pc 32688 1
bonding 107986 0
lp 17759 0
parport 46345 3 ppdev,parport_pc,lp
ses 17363 0
enclosure 15165 1 ses
hid_generic 12493 0
usbhid 46947 0
hid 100366 2 hid_generic,usbhid
tg3 148780 0
aacraid 91468 4
# cat /var/log/syslog | grep charon
Jan 16 14:04:21 gwy charon: 00[DMN] signal of type SIGINT received. Shutting down
Jan 16 14:04:21 gwy charon: 00[IKE] deleting IKE_SA gwy-remote[5] between 50.#.#.#[gwy.domain.local]...71.#.#.#[remote.domain.local]
Jan 16 14:04:21 gwy charon: 00[IKE] sending DELETE for IKE_SA gwy-remote[5]
Jan 16 14:04:21 gwy charon: 00[ENC] generating INFORMATIONAL request 0 [ D ]
Jan 16 14:04:21 gwy charon: 00[NET] sending packet: from 50.#.#.#[4500] to 71.#.#.#[4500]
Jan 16 14:04:24 gwy charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Jan 16 14:04:24 gwy charon: 00[KNL] listening on interfaces:
Jan 16 14:04:24 gwy charon: 00[KNL] eth0
Jan 16 14:04:24 gwy charon: 00[KNL] eth1
Jan 16 14:04:24 gwy charon: 00[KNL] bond0
Jan 16 14:04:24 gwy charon: 00[KNL] fe80::221:5eff:fe4e:1866
Jan 16 14:04:24 gwy charon: 00[KNL] dummy0
Jan 16 14:04:24 gwy charon: 00[KNL] 10.135.199.50
Jan 16 14:04:24 gwy charon: 00[KNL] fe80::ec5a:49ff:fef8:b4f8
Jan 16 14:04:24 gwy charon: 00[KNL] dummy1
Jan 16 14:04:24 gwy charon: 00[KNL] 10.135.199.54
Jan 16 14:04:24 gwy charon: 00[KNL] fe80::6898:afff:fef6:114a
Jan 16 14:04:24 gwy charon: 00[KNL] vlan22
Jan 16 14:04:24 gwy charon: 00[KNL] 10.199.22.5
Jan 16 14:04:24 gwy charon: 00[KNL] fe80::221:5eff:fe4e:1866
Jan 16 14:04:24 gwy charon: 00[KNL] vlan500
Jan 16 14:04:24 gwy charon: 00[KNL] 50.#.#.#
Jan 16 14:04:24 gwy charon: 00[KNL] fe80::221:5eff:fe4e:1866
Jan 16 14:04:24 gwy charon: 00[KNL] vlan999
Jan 16 14:04:24 gwy charon: 00[KNL] 192.168.1.9
Jan 16 14:04:24 gwy charon: 00[KNL] fe80::221:5eff:fe4e:1866
Jan 16 14:04:24 gwy charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 16 14:04:24 gwy charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 16 14:04:24 gwy charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 16 14:04:24 gwy charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 16 14:04:24 gwy charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 16 14:04:24 gwy charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 16 14:04:24 gwy charon: 00[CFG] loaded IKE secret for @remote.domain.local @gwy.domain.local
Jan 16 14:04:24 gwy charon: 00[CFG] loaded IKE secret for @gwy.domain.local @remote.domain.local
Jan 16 14:04:24 gwy charon: 00[CFG] sql plugin: database URI not set
Jan 16 14:04:24 gwy charon: 00[LIB] plugin 'sql': failed to load - sql_plugin_create returned NULL
Jan 16 14:04:24 gwy charon: 00[CFG] loaded 0 RADIUS server configurations
Jan 16 14:04:24 gwy charon: 00[LIB] plugin 'medsrv' failed to load: /usr/lib/ipsec/plugins/libstrongswan-medsrv.so: cannot open shared object file: No such file or directory
Jan 16 14:04:24 gwy charon: 00[CFG] mediation client database URI not defined, skipped
Jan 16 14:04:24 gwy charon: 00[LIB] plugin 'medcli': failed to load - medcli_plugin_create returned NULL
Jan 16 14:04:24 gwy charon: 00[LIB] plugin 'nm' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared object file: No such file or directory
Jan 16 14:04:24 gwy charon: 00[CFG] HA config misses local/remote address
Jan 16 14:04:24 gwy charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Jan 16 14:04:24 gwy charon: 00[DMN] loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Jan 16 14:04:24 gwy charon: 00[JOB] spawning 16 worker threads
Jan 16 14:04:24 gwy charon: 10[CFG] received stroke: add connection 'gwy-remote'
Jan 16 14:04:24 gwy charon: 10[CFG] added configuration 'gwy-remote'
Jan 16 14:05:32 gwy charon: 11[NET] received packet: from 71.#.#.#[500] to 50.#.#.#[500]
Jan 16 14:05:32 gwy charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan 16 14:05:32 gwy charon: 11[IKE] 71.#.#.# is initiating an IKE_SA
Jan 16 14:05:32 gwy charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jan 16 14:05:32 gwy charon: 11[NET] sending packet: from 50.#.#.#[500] to 71.#.#.#[500]
Jan 16 14:05:32 gwy charon: 12[NET] received packet: from 71.#.#.#[4500] to 50.#.#.#[4500]
Jan 16 14:05:32 gwy charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jan 16 14:05:32 gwy charon: 12[CFG] looking for peer configs matching 50.#.#.#[gwy.domain.local]...71.#.#.#[remote.domain.local]
Jan 16 14:05:32 gwy charon: 12[CFG] selected peer config 'gwy-remote'
Jan 16 14:05:32 gwy charon: 12[IKE] authentication of 'remote.domain.local' with pre-shared key successful
Jan 16 14:05:32 gwy charon: 12[IKE] peer supports MOBIKE
Jan 16 14:05:32 gwy charon: 12[IKE] authentication of 'gwy.domain.local' (myself) with pre-shared key
Jan 16 14:05:32 gwy charon: 12[IKE] IKE_SA gwy-remote[1] established between 50.#.#.#[gwy.domain.local]...71.#.#.#[remote.domain.local]
Jan 16 14:05:32 gwy charon: 12[IKE] scheduling reauthentication in 3284s
Jan 16 14:05:32 gwy charon: 12[IKE] maximum IKE_SA lifetime 3464s
<snip>
# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
charonstart=yes
plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=psk
left=50.#.#.#
leftid=@gwy.domain.local
leftsubnet=10.199.22.0/24,10.135.199.48/29
leftfirewall=yes
conn gwy-remote
right=%any
rightid=@remote.domain.local
rightsubnet=10.135.200.0/24,10.135.199.24/30
type=tunnel
auto=add
This is the default file that is installed.
# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
charon {
# number of worker threads in charon
threads = 16
# send strongswan vendor ID?
# send_vendor_id = yes
plugins {
sql {
# loglevel to log into sql database
loglevel = -1
# URI to the database
# database = sqlite:///path/to/file.db
# database = mysql://user:password@localhost/database
}
}
# ...
}
pluto {
}
libstrongswan {
# set to no, the DH exponent size is optimized
# dh_exponent_ansi_x9_42 = no
}
# cat /etc/ipsec.secrets
@remote.domain.local @gwy.domain.local : PSK *A KEY*
@gwy.domain.local @remote.domain.local : PSK *A KEY*
#
# ping 10.135.200.1 -I 10.199.22.5
PING 10.135.200.1 (10.135.200.1) from 10.199.22.5 : 56(84) bytes of data.
^C
--- 10.135.200.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4031ms
TShark from another host with a mirror/monitor port on vlan500, the WAN network. This should not be here. The ISP is not going to know what to do with this.
18.825033 50.#.#.# -> 10.135.200.1 ICMP 98 Echo (ping) request id=0x23e6,seq=91/23296, ttl=64
19.824563 50.#.#.# -> 10.135.200.1 ICMP 98 Echo (ping) request id=0x23e6,seq=92/23552, ttl=64
19.824565 50.#.#.# -> 10.135.200.1 ICMP 98 Echo (ping) request id=0x23e6,seq=92/23552, ttl=64
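One check worth making against the output above, as an added example that is not part of the original post: the ping was sent from 10.199.22.5, but the capture on vlan500 shows the packet leaving with the WAN address 50.#.#.# as its source, and lsmod shows ipt_MASQUERADE in use. Every `dir out` policy in the `ip xfrm policy` dump is keyed on 10.199.22.0/24 or 10.135.199.48/29 as the source. When NAT rewrites the source of a locally generated packet in POSTROUTING, Linux re-runs the xfrm policy lookup with the rewritten address, so a packet whose source has become 50.#.#.# matches none of those policies and is routed in cleartext. The script below replays that selection over a policy subset constructed from the post's dump; the masked public addresses are replaced by the placeholders 50.0.0.1 and 71.0.0.1, which is an assumption.

```python
"""
Replay the kernel's outbound xfrm policy selection for the ping in the post.

Added example for this thread, not code from the original post or from
strongSwan. The policy text is constructed from the `ip xfrm policy` dump in
the post; the masked public addresses 50.#.#.# / 71.#.#.# are replaced with
the placeholders 50.0.0.1 / 71.0.0.1 (an assumption).
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the post's dump: the two 'out' policies whose source is
# 10.199.22.0/24, one 'in' policy, and one of the per-socket bypass entries.
XFRM_POLICY_DUMP = """\
src 10.199.22.0/24 dst 10.135.199.24/30
    dir out priority 1835
    tmpl src 50.0.0.1 dst 71.0.0.1
        proto esp reqid 4 mode tunnel
src 10.199.22.0/24 dst 10.135.200.0/25
    dir out priority 1855
    tmpl src 50.0.0.1 dst 71.0.0.1
        proto esp reqid 4 mode tunnel
src 10.135.200.0/25 dst 10.199.22.0/24
    dir in priority 1855
    tmpl src 71.0.0.1 dst 50.0.0.1
        proto esp reqid 4 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
"""


@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    kind: str                    # "dir" (global policy) or "socket" (per-socket bypass)
    direction: str               # in / out / fwd
    priority: int                # lower number wins in the kernel's lookup
    tmpl: Optional[str] = None   # e.g. "esp tunnel 50.0.0.1->71.0.0.1"


def parse_xfrm_policies(text: str) -> list[XfrmPolicy]:
    """Parse the line-oriented `ip xfrm policy` output into records."""
    policies: list[XfrmPolicy] = []
    tmpl_ep = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"src (\S+) dst (\S+)", line):
            policies.append(XfrmPolicy(ipaddress.ip_network(m[1]),
                                       ipaddress.ip_network(m[2]), "", "", 0))
            tmpl_ep = None
        elif m := re.fullmatch(r"(dir|socket) (in|out|fwd) priority (\d+)", line):
            policies[-1].kind, policies[-1].direction = m[1], m[2]
            policies[-1].priority = int(m[3])
        elif m := re.fullmatch(r"tmpl src (\S+) dst (\S+)", line):
            tmpl_ep = f"{m[1]}->{m[2]}"
        elif m := re.fullmatch(r"proto (\S+) reqid \d+ mode (\S+)", line):
            policies[-1].tmpl = f"{m[1]} {m[2]} {tmpl_ep}"
    return policies


def lookup_out_policy(policies: list[XfrmPolicy], src_ip: str,
                      dst_ip: str) -> Optional[XfrmPolicy]:
    """Best (lowest-numbered) priority 'out' policy whose selector covers the
    packet. Per-socket bypass entries belong to charon's own IKE sockets and
    never apply to forwarded or ordinary local traffic, so they are skipped."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p.kind == "dir" and p.direction == "out"
            and src in p.src and dst in p.dst]
    return min(hits, key=lambda p: p.priority) if hits else None


def on_the_wire(policies: list[XfrmPolicy], src_ip: str, dst_ip: str) -> str:
    """Describe what leaves the WAN interface for this source/destination."""
    p = lookup_out_policy(policies, src_ip, dst_ip)
    return f"ESP: {p.tmpl}" if p else "cleartext (no matching out policy)"


if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY_DUMP)
    # The ping as sent: `ping 10.135.200.1 -I 10.199.22.5`
    print("before NAT:", on_the_wire(pols, "10.199.22.5", "10.135.200.1"))
    # The same packet as tshark saw it, source rewritten to the WAN address
    print("after  NAT:", on_the_wire(pols, "50.0.0.1", "10.135.200.1"))
```

The first lookup selects the priority-1855 policy and the packet would be ESP-encapsulated to 71.#.#.#; the second finds nothing, which is the cleartext ICMP the mirror port recorded. The post does not show the nat table, so attributing the rewrite to a MASQUERADE rule on vlan500 is an inference from the loaded modules and the captured source address. The usual remedy for that case is to exempt IPsec-bound traffic before the masquerade rule, for example `iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT`, so that the source still matches the policy selector when the kernel repeats the lookup.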