[strongSwan] ipv6 GRE sent in clear instead of getting encrypted
Olivier PELERIN
olivier_pelerin at hotmail.com
Fri Dec 19 13:27:16 CET 2014
Hello Strongswan Alias,
I have the following problem:
Traffic from a remote device is properly decrypted [transport is GRE over IPv6 / overlay is IPv6]. Encrypted packets leave the Ubuntu box unencrypted.
Both xfrm policies and state look right.
ip xfrm policy
src 2b00:d31:e7e4:1b::1:201/128 dst 2b00:c31:e7e2:17::2:12/128 proto gre
    dir fwd priority 1026
    tmpl src 2b00:d31:e7e4:1b::1:201 dst 2b00:c31:e7e2:17::2:12
        proto esp reqid 2687 mode tunnel
src 2b00:d31:e7e4:1b::1:201/128 dst 2b00:c31:e7e2:17::2:12/128 proto gre
    dir in priority 1026
    tmpl src 2b00:d31:e7e4:1b::1:201 dst 2b00:c31:e7e2:17::2:12
        proto esp reqid 2687 mode tunnel
src 2b00:c31:e7e2:17::2:12/128 dst 2b00:d31:e7e4:1b::1:201/128 proto gre
    dir out priority 1026
    tmpl src 2b00:c31:e7e2:17::2:12 dst 2b00:d31:e7e4:1b::1:201
        proto esp reqid 2687 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src ::/0 dst ::/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src ::/0 dst ::/0
    socket out priority 0
root@zg-nccf-1a-hr:/home/localadmin# ip xfrm state
src 2b00:c31:e7e2:17::2:12 dst 2b00:d31:e7e4:1b::1:201
    proto esp spi 0xb173226b reqid 2687 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x630d4dae250e28a9dfd1184b20dfd0e33cda1665 96
    enc cbc(aes) 0x3dc58789ace1be5fccdb4b2c42b3aa23
src 2b00:d31:e7e4:1b::1:201 dst 2b00:c31:e7e2:17::2:12
    proto esp spi 0xccbc90f5 reqid 2687 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0xd7e81acb481eb00c2389bdfdc2e7fdc1ca0b6417 96
    enc cbc(aes) 0x9e7d10c82aa14b562c541482d6b5933b
ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-32-generic, x86_64):
uptime: 7 minutes, since Dec 19 12:12:26 2014
malloc: sbrk 2568192, mmap 0, used 358352, free 2209840
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Listening IP addresses:
2a00:c31:7fe2:17::1:11
....
2001::2
Connections:
CSR1000V: %any...2b00:d31:e7e4:1b::1:201 IKEv2
CSR1000V: local: [....] uses pre-shared key authentication
CSR1000V: remote: [....] uses pre-shared key authentication
CSR1000V: child: 2b00:c31:e7e2:17::2:12/128[gre] === 2b00:d31:e7e4:1b::1:201/128[gre] TUNNEL
Security Associations (1 up, 0 connecting):
CSR1000V[1]: ESTABLISHED 7 minutes ago, 2b00:c31:e7e2:17::2:12[]...2b00:d31:e7e4:1b::1:201[]
CSR1000V[1]: IKEv2 SPIs: db2eec9fddaea13f_i* 5b0acc0ed25bced5_r, pre-shared key reauthentication in 23 hours
CSR1000V[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
CSR1000V{1}: INSTALLED, TUNNEL, ESP SPIs: c673e3d6_i 1e5da7b9_o
CSR1000V{1}: AES_CBC_128/HMAC_SHA1_96, 4512 bytes_i (34 pkts, 333s ago), 0 bytes_o, rekeying in 34 minutes
CSR1000V{1}: 2b00:c31:e7e2:17::2:12/128[gre] === 2b00:d31:e7e4:1b::1:201/128[gre]
root at zg-nccf-1a-hr:/home/localadmin#
conn CSR1000V
    keyexchange=ikev2
    ikelifetime=1440m
    keylife=60m
    leftauth=psk
    rightauth=psk
    leftid=....
    rightid=....
    right=2b00:d31:e7e4:1b::1:201
    leftsubnet=2b00:c31:e7e2:17::2:12/128[47]
    rightsubnet=2b00:d31:e7e4:1b::1:201/128[47]
    auto=start
I've tried this on my lab Gentoo machine and there it works. Why is GRE not encrypted on this Linux box?
Regards,
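As an added example (not part of the original mail, and not strongSwan's own code), the following Python script reads the two outputs pasted above and performs the checks a defender would run on a "decrypts inbound, leaks outbound" report: it verifies that every protected selector in `ip xfrm policy` has the full in/fwd/out triplet with a template, and it reads the CHILD_SA byte counters from `ipsec statusall` to flag SAs that have received traffic but never sent any. The sample text embedded below is constructed from the output in the mail (socket policies trimmed); the parsing regexes and the function names are the example's own and assume the `ip` and `ipsec statusall` output formats shown on this page.

```python
"""Checks for a strongSwan/XFRM setup where inbound traffic decrypts but
outbound traffic leaves the host in clear.  Added example; sample input is
constructed from the output quoted in the original mail."""
import re
from collections import defaultdict

# Constructed sample: the `ip xfrm policy` output from the mail, socket
# (IKE bypass) policies trimmed to one pair per address family.
XFRM_POLICY_SAMPLE = """\
src 2b00:d31:e7e4:1b::1:201/128 dst 2b00:c31:e7e2:17::2:12/128 proto gre
    dir fwd priority 1026
    tmpl src 2b00:d31:e7e4:1b::1:201 dst 2b00:c31:e7e2:17::2:12
        proto esp reqid 2687 mode tunnel
src 2b00:d31:e7e4:1b::1:201/128 dst 2b00:c31:e7e2:17::2:12/128 proto gre
    dir in priority 1026
    tmpl src 2b00:d31:e7e4:1b::1:201 dst 2b00:c31:e7e2:17::2:12
        proto esp reqid 2687 mode tunnel
src 2b00:c31:e7e2:17::2:12/128 dst 2b00:d31:e7e4:1b::1:201/128 proto gre
    dir out priority 1026
    tmpl src 2b00:c31:e7e2:17::2:12 dst 2b00:d31:e7e4:1b::1:201
        proto esp reqid 2687 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src ::/0 dst ::/0
    socket out priority 0
"""

# Constructed sample: the CHILD_SA lines from `ipsec statusall` in the mail.
STATUSALL_SAMPLE = """\
CSR1000V{1}: INSTALLED, TUNNEL, ESP SPIs: c673e3d6_i 1e5da7b9_o
CSR1000V{1}: AES_CBC_128/HMAC_SHA1_96, 4512 bytes_i (34 pkts, 333s ago), 0 bytes_o, rekeying in 34 minutes
CSR1000V{1}: 2b00:c31:e7e2:17::2:12/128[gre] === 2b00:d31:e7e4:1b::1:201/128[gre]
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)(?: proto (\S+))?\s*$")
DIR_RE = re.compile(r"^\s+dir (\w+) priority (\d+)")
SOCKET_RE = re.compile(r"^\s+socket (\w+) priority")
CHILD_SA_RE = re.compile(
    r"^(?P<name>\S+)\{(?P<id>\d+)\}: (?P<alg>\S+), (?P<bi>\d+) bytes_i(?: \([^)]*\))?, "
    r"(?P<bo>\d+) bytes_o(?: \([^)]*\))?"
)
REQUIRED_DIRS = {"in", "fwd", "out"}


def parse_xfrm_policies(text):
    """Return the traffic-selector policies (src, dst, proto, dir, tmpl present).
    Per-socket bypass policies (the IKE socket) are skipped."""
    policies, current = [], None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = {"src": m.group(1), "dst": m.group(2),
                       "proto": m.group(3) or "any", "dir": None, "tmpl": False}
            continue
        if current is None:
            continue
        m = DIR_RE.match(line)
        if m:
            current["dir"], current["priority"] = m.group(1), int(m.group(2))
            policies.append(current)
        elif SOCKET_RE.match(line):
            current = None
        elif line.lstrip().startswith("tmpl "):
            current["tmpl"] = True
    return policies


def incomplete_selectors(policies):
    """Map (proto, {a, b}) -> directions missing from the in/fwd/out triplet."""
    seen = defaultdict(set)
    for p in policies:
        if p["tmpl"]:
            seen[(p["proto"], frozenset((p["src"], p["dst"])))].add(p["dir"])
    return {k: REQUIRED_DIRS - d for k, d in seen.items() if REQUIRED_DIRS - d}


def parse_child_sa_counters(text):
    """Extract bytes_i / bytes_o per CHILD_SA from `ipsec statusall` lines."""
    sas = []
    for line in text.splitlines():
        m = CHILD_SA_RE.match(line.strip())
        if m:
            sas.append({"name": m["name"], "id": int(m["id"]),
                        "bytes_in": int(m["bi"]), "bytes_out": int(m["bo"])})
    return sas


def one_way_sas(sas):
    """CHILD_SAs that received traffic but never sent any: the outbound
    packets are not being matched by the XFRM policy at all."""
    return [sa for sa in sas if sa["bytes_in"] > 0 and sa["bytes_out"] == 0]


if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY_SAMPLE)
    print("policy gaps:", incomplete_selectors(pols) or "none")
    for sa in one_way_sas(parse_child_sa_counters(STATUSALL_SAMPLE)):
        print(f"{sa['name']}{{{sa['id']}}}: {sa['bytes_in']} bytes in, 0 out "
              "-> outbound packets never reach the SA; look upstream of xfrm")
```

Run against the mail's output the policy check comes back clean, which agrees with the author's reading, while the counter check flags the CHILD_SA: 4512 bytes in, 0 bytes out. A policy that is correct but never counts an outbound byte means the packets are leaving by a path the policy lookup does not see, so the place to look is what happens to the GRE packets before they would hit xfrm (the tunnel device and routing), not the SA parameters themselves.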