[strongSwan] Problems with StrongSWAN ESP on FreeBSD 10.1

Göran Löwkrantz goran.lowkrantz at ismobile.com
Mon Dec 15 12:09:15 CET 2014 

Trying to setup an ESP tunnel on FreeBSD 10.1 using StrongSwan 5.1.0 
(latest in FreeBSD ports.)

Putting up an ESP tunnel between 192.168.2.0/24 and 192.168.40.8/29 over 
endpoints X and W. The outgoing traffic is passed through a DMZ and exists 
on my side through a firewall with inner address Y and outer address U. 
Target at W is a Clavister Virtual Server V9.

I have made two attempts, without and with userland ipsec lib.

First build is with ports default + CURL and IKEv1:
After a random time, individual hosts on the 2.0/24 net get all there 
traffic redirected out via X even when the src/dst do not match the SPD 
entries. When the packets reach Y, the firewall sends a redirect ICMP back 
to X. Only way to clean seems to be reboot of the gateway, as stopping 
StrongSWAN and flushing the SAD and SPD entries does not fix the problem. 
Also, it seems like the tunnel is going up and down but we have not had 
time to verify how often.

Second build is with ports default + CURL, IKEv1 and IPSec userland backend:
Dec 15 10:59:08 gw01 charon: 12[ENC] parsed QUICK_MODE response 1016645214 
[ HASH SA No KE ID ID ]
Dec 15 10:59:08 gw01 charon: 12[KNL] adding PF_ROUTE route failed: Network 
is unreachable
Dec 15 10:59:08 gw01 charon: 12[KNL] installing route failed: 
192.168.45.129/32 src 192.168.2.1 dev tun3
Dec 15 10:59:08 gw01 charon: 12[KNL] adding PF_ROUTE route failed: Network 
is unreachable
Dec 15 10:59:08 gw01 charon: 12[KNL] installing route failed: 
192.168.45.129/32 src 192.168.2.1 dev tun3
Dec 15 10:59:08 gw01 charon: 12[IKE] unable to install IPsec policies (SPD) 
in kernel

and after adding the routes I would expect is failing:
route add 192.168.45.129/32 -interface tun3
route add 192.168.45.130/32 -interface tun3
route add 192.168.40.8/29 -interface tun3

still no traffic going through the tunnel.

I will try a 5.1 later today as that version went into ports yesterday but 
if anyone has any ideas about what is going on, please help out.

/glz



"There are no solved problems; there are only problems that are more
or less solved" -- Henri Poincare

More information about the Users mailing list