[strongSwan] Inter-tunnel routing
Jeroen J.A.W. Hermans
j.hermans at epsys.nl
Wed Jun 26 19:44:49 CEST 2013
Hello all,
I have been working on this for another day straight. I still have
exactly the same problem. I have attached my configuration. I have
highlighted the parts that I suspect to be the problem. Certificates
do not seem to be a problem as the tunnels are up and can ping the other
tunnel endpoint.
I would REALLY appreciate it if someone could help me with this.
Thank you very much.
Kind regards,
Jeroen Hermans
config setup
    uniqueids = no
    strictcrlpolicy=no

conn %default
    rekeymargin=3m
    keyingtries=1

conn rw
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=server.2048.crt
    leftfirewall=yes
    auto=add
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    #left=%defaultroute
    # also tried: leftsubnet=192.168.0.0/24,192.168.51.0/24
    leftsubnet=192.168.0.0/24
    # external IP
    leftsourceip=xxx.xxx.xxx.xxx
    right=%any
    rightsourceip=192.168.2.0/24
    rightsubnet=192.168.2.0/24
    rightid="C=NL, ST=L, L=etcetc, O=etcetcetc, CN=emailadres, E=emailadres"
    keyingtries=3

conn 51
    type=tunnel
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=server.1024.crt
    leftfirewall=yes
    auto=add
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    #left=%defaultroute
    # also tried: leftsubnet=192.168.2.0/24,192.168.51.0/24
    leftsubnet=192.168.0.0/24
    # external IP
    leftsourceip=xxx.xxx.xxx.xxx
    right=%any
    rightsubnet=192.168.51.0/24
    keyingtries=3
    esp=aes256-sha1-modp2048
On 26-6-2013 13:52, Noel Kuntze wrote:
> Hello Jeroen,
>
> In Strongswan 5.0, IPs are installed on the physical interface, thus
> this is no problem. I hope you find a solution. If you do, please tell me
> about it.
>
> Regards,
> Noel
>
>
>
> "Jeroen J.A.W. Hermans" <j.hermans at epsys.nl> schrieb:
>
> Hello Noel,
>
> The other peers ("51" and "rw") have routes to each other indeed.
> "51" knows how to reach "rw", but I don't see the ICMP reply in
> the tcpdump. I also do not see the ICMP request going out to "51"
> in tcpdump, so I expect this to be a Strongswan/routing problem.
> I have no ipsec* interfaces. Is this a problem or new in
> Strongswan 5.0?
>
> Btw Andy: forwarding is indeed enabled.
> Thank you both for replying so fast.
> Kind regards,
>
> Jeroen Hermans
>
> On 26-6-2013 11:58, Noel Kuntze wrote:
>> PS: Do you actually give the other peers a route to the rest of
>> it? If not, then please do so, so they actually know where to
>> send the packets to.
>>
>> Regards,
>> Noel
>>
>> "Jeroen J.A.W. Hermans" <j.hermans at epsys.nl> schrieb:
>>
>> Hello Noel,
>>
>> You are completely right. I did enable global forwarding:
>>
>> $ sysctl -a|grep forward
>> net.ipv4.conf.all.forwarding = 1
>> net.ipv4.conf.all.mc_forwarding = 0
>> net.ipv4.conf.default.forwarding = 1
>> net.ipv4.conf.default.mc_forwarding = 0
>> net.ipv4.conf.lo.forwarding = 1
>> net.ipv4.conf.lo.mc_forwarding = 0
>> net.ipv4.conf.eth0.forwarding = 1
>> net.ipv4.conf.eth0.mc_forwarding = 0
>> net.ipv4.ip_forward = 1
>> net.ipv6.conf.all.forwarding = 0
>> net.ipv6.conf.all.mc_forwarding = 0
>> net.ipv6.conf.default.forwarding = 0
>> net.ipv6.conf.default.mc_forwarding = 0
>> net.ipv6.conf.lo.forwarding = 0
>> net.ipv6.conf.lo.mc_forwarding = 0
>> net.ipv6.conf.eth0.forwarding = 0
>> net.ipv6.conf.eth0.mc_forwarding = 0
>>
>> I would expect this to enable routing between the tunnels.
>> I don't have virtual interfaces (except for the eth0:0 which
>> is the "local" Strongswan interface):
>>
>> $ ifconfig -a
>> eth0      Link encap:Ethernet  HWaddr 00:1A:4A:15:F7:16
>>           inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:1363008 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:463833 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:402878767 (384.2 MiB)  TX bytes:74609564 (71.1 MiB)
>>
>> eth0:0    Link encap:Ethernet  HWaddr 00:1A:4A:15:F7:16
>>           inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>
>> lo        Link encap:Local Loopback
>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>           inet6 addr: ::1/128 Scope:Host
>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>           RX packets:1020 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:1020 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:112933 (110.2 KiB)  TX bytes:112933 (110.2 KiB)
>>
>> Thank you for your fast reply!
>> Kind regards,
>>
>> Jeroen Hermans
>>
>> On 26-6-2013 11:39, Noel Kuntze wrote:
>>> Hello Jeroen,
>>>
>>> Did you enable forwarding on the strongswan host? If not,
>>> then do so for your virtual interfaces, and if that doesn't
>>> work, try to do it globally.
>>>
>>> Regards,
>>> Noel
>>>
>>>
>>>
>>> "Jeroen J.A.W. Hermans" <j.hermans at epsys.nl> schrieb:
>>>
>>> Dear all,
>>>
>>> I have a question about a test-scenario I am setting up.
>>> I have two tunnels:
>>> "rw" - laptop with Shrewsoft VPN client
>>> ip: 192.168.2.1/32
>>> external-ip: yyy.yyy.yyy.yyy (behind NAT, internal ip:
>>> 10.1.2.39)
>>>
>>> "51" - Draytek Vigor 2910 (no PCs connected to Vigor yet)
>>> ip-range: 192.168.51.1/24
>>> external-ip: yyy.yyy.yyy.yyy (behind NAT, internal ip:
>>> 10.1.2.38)
>>>
>>> The central location is a linux server running
>>> Strongswan 5.0.0:
>>> ip-range: 192.168.0.1/24
>>> external ip: xxx.xxx.xxx.xxx
>>>
>>> When I ping from the "51" Draytek (itself) to
>>> 192.168.0.1 (Strongswan) it works.
>>> When I ping from the "rw" laptop to 192.168.0.1
>>> (Strongswan) it works.
>>> When I ping from the "rw" laptop to 192.168.51.1 (tunnel
>>> "51") I get no reply.
>>> When I ping from the "51" Draytek to 192.168.2.1 (tunnel
>>> "rw") I get no reply.
>>>
>>> I have policies in the Draytek and Shrewsoft laptop for
>>> all subnets. This can be seen in the tcpdump, where the
>>> packets for the remote subnet of the other tunnel arrive
>>> at the Strongswan, but are not forwarded.
>>> I have included as much information as possible. I hope
>>> someone can help me with this problem.
>>> Thank you very much.
>>> Kind regards,
>>>
>>> Jeroen Hermans
>>>
>>>
>>> $ sudo ip route list table 220
>>> 192.168.2.1 via <first-hop-router> dev eth0 proto static src 192.168.0.1
>>> 192.168.51.0/24 via <first-hop-router> dev eth0 proto static src 192.168.0.1
>>>
>>> $ sudo tcpdump -i eth0 not ip6 and not port 22 and not port domain
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>> ("rw" pings one time to 192.168.0.1)
>>> 11:11:40.410505 IP yyy.yyy.yyy.yyy.ipsec-nat-t > xxx.xxx.xxx.xxx.ipsec-nat-t: UDP-encap: ESP(spi=0xc8587ff2,seq=0x3), length 100
>>> 11:11:40.410572 IP 192.168.2.1 > 192.168.0.1: ICMP echo request, id 1, seq 234, length 40
>>> 11:11:40.410655 IP xxx.xxx.xxx.xxx.ipsec-nat-t > yyy.yyy.yyy.yyy.ipsec-nat-t: UDP-encap: ESP(spi=0xba5fa761,seq=0x3), length 100
>>> ("rw" pings one time to 192.168.51.1)
>>> 11:11:43.377246 IP yyy.yyy.yyy.yyy.ipsec-nat-t > xxx.xxx.xxx.xxx.ipsec-nat-t: UDP-encap: ESP(spi=0xc04f2330,seq=0x2), length 100
>>> 11:11:43.377331 IP 192.168.2.1 > 192.168.51.1: ICMP echo request, id 1, seq 236, length 40
>>> 11:11:43.377367 IP 192.168.2.1 > 192.168.51.1: ICMP echo request, id 1, seq 236, length 40
>>>
>>>
>>> $ sudo ip xfrm policy
>>> src 192.168.51.0/24 dst 192.168.0.0/24
>>> dir fwd priority 1859 ptype main
>>> tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
>>> proto esp reqid 393 mode tunnel
>>> src 192.168.51.0/24 dst 192.168.0.0/24
>>> dir in priority 1859 ptype main
>>> tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
>>> proto esp reqid 393 mode tunnel
>>> src 192.168.0.0/24 dst 192.168.51.0/24
>>> dir out priority 1859 ptype main
>>> tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
>>> proto esp reqid 393 mode tunnel
>>> src 192.168.2.1/32 dst 192.168.51.0/24
>>> dir fwd priority 1827 ptype main
>>> tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
>>> proto esp reqid 391 mode tunnel
>>> src 192.168.2.1/32 dst 192.168.51.0/24
>>> dir in priority 1827 ptype main
>>> tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
>>> proto esp reqid 391 mode tunnel
>>> src 192.168.51.0/24 dst 192.168.2.1/32
>>> dir out priority 1827 ptype main
>>> tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
>>> proto esp reqid 391 mode tunnel
>>> src 192.168.2.1/32 dst 192.168.0.0/24
>>> dir fwd priority 1827 ptype main
>>> tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
>>> proto esp reqid 390 mode tunnel
>>> src 192.168.2.1/32 dst 192.168.0.0/24
>>> dir in priority 1827 ptype main
>>> tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
>>> proto esp reqid 390 mode tunnel
>>> src 192.168.0.0/24 dst 192.168.2.1/32
>>> dir out priority 1827 ptype main
>>> tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
>>> proto esp reqid 390 mode tunnel
>>>
>>>
>>> $ sudo iptables-save
>>> *filter
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [518:38392]
>>> :OUTPUT ACCEPT [39692:7545269]
>>> -A INPUT -p tcp -m tcp --dport 443:453 -j ACCEPT
>>> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>>> -A INPUT -p udp -m udp --dport 53 -j ACCEPT
>>> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
>>> -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
>>> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A INPUT -p icmp -j ACCEPT
>>> -A INPUT -i lo -j ACCEPT
>>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22
>>> -j ACCEPT
>>> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
>>> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
>>> -A INPUT -i eth0 -p esp -j ACCEPT
>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>> -A OUTPUT -o eth0 -p esp -j ACCEPT
>>> COMMIT
>>> *mangle
>>> :PREROUTING ACCEPT [34286:3954457]
>>> :INPUT ACCEPT [33100:3886019]
>>> :FORWARD ACCEPT [518:38392]
>>> :OUTPUT ACCEPT [39696:7546309]
>>> :POSTROUTING ACCEPT [40214:7584701]
>>> COMMIT
>>> *nat
>>> :PREROUTING ACCEPT [1646:110154]
>>> :POSTROUTING ACCEPT [2019:153411]
>>> :OUTPUT ACCEPT [1961:146461]
>>> COMMIT
>>>
>>> --
>>> This message was sent from my Android mobile phone with K-9 Mail.
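A way to check, from the hub's own `ip xfrm policy` output, which flows a fwd policy admits into the hub but no out policy re-encrypts; such packets are routed out again in cleartext, which is consistent with the tcpdump above where the echo request to 192.168.51.1 reappears on eth0 without ESP encapsulation. This is an added example written for this page, not code from the thread or from strongSwan; it takes a condensed, constructed copy of the posted policy table as input and assumes 192.168.0.0/24 is the hub's only local subnet.

```python
import ipaddress
import re

# Constructed sample, condensed from the `ip xfrm policy` output posted in the
# thread: only the fwd/out selectors are kept; the "in" entries and the tmpl
# lines are omitted because the check does not need them (the parser skips them).
SAMPLE_XFRM_POLICY = """\
src 192.168.51.0/24 dst 192.168.0.0/24
	dir fwd priority 1859 ptype main
src 192.168.0.0/24 dst 192.168.51.0/24
	dir out priority 1859 ptype main
src 192.168.2.1/32 dst 192.168.51.0/24
	dir fwd priority 1827 ptype main
src 192.168.51.0/24 dst 192.168.2.1/32
	dir out priority 1827 ptype main
src 192.168.2.1/32 dst 192.168.0.0/24
	dir fwd priority 1827 ptype main
src 192.168.0.0/24 dst 192.168.2.1/32
	dir out priority 1827 ptype main
"""

# Matches the selector line and the "dir" on the following line; the indented
# "tmpl src ... dst ..." lines do not start a line with "src", so they are skipped.
POLICY_RE = re.compile(r"^src (\S+) dst (\S+)\s+dir (in|out|fwd)\b", re.M)


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output into (src_net, dst_net, direction) tuples."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), direction)
            for s, d, direction in POLICY_RE.findall(text)]


def unprotected_forwards(policies, local_subnets):
    """Return (src, dst) of fwd flows with a non-local destination that no out
    policy covers; the kernel routes such decapsulated packets out unencrypted."""
    local = [ipaddress.ip_network(n) for n in local_subnets]
    outs = [(s, d) for s, d, direction in policies if direction == "out"]
    leaks = []
    for src, dst, direction in policies:
        if direction != "fwd" or any(dst.subnet_of(n) for n in local):
            continue  # not a forwarded flow, or delivered to the hub's own LAN
        if not any(src.subnet_of(os) and dst.subnet_of(od) for os, od in outs):
            leaks.append((src, dst))
    return leaks


if __name__ == "__main__":
    hub_lan = ["192.168.0.0/24"]  # assumed local subnet of the strongSwan host
    for src, dst in unprotected_forwards(parse_xfrm_policy(SAMPLE_XFRM_POLICY), hub_lan):
        print(f"fwd {src} -> {dst}: no matching out policy, would leave eth0 in clear")
```

Run against live output with `ip xfrm policy | python3 check.py` style piping by replacing the sample string with `sys.stdin.read()`; a spoke-to-spoke pair listed here needs the other tunnel's selectors widened to include it.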