[strongSwan] libipsec/net2net-cert: Ipsec tunnel UP but decrypted traffic does not reach beyond GW: /etc/updown: no such file or directory

Shahreen Ahmed sahmed at adax.co.uk
Wed Jul 9 13:29:16 CEST 2014 

Hi,

Can you please help in this regard?

I want to test max throughput based on Ipsec ESP userland encryption 
with libipsec.

I configured Strongswan 5.1.3 with following option:

--enable-kernel-libipsec

While trying to make a setup following below link:

http://www.strongswan.org/uml/testresults/libipsec/net2net-cert/

It seems that even though a Tunnel is UP based on X.509 authentication and a TUN interface 'ipsec0' is injected, NO firewall rules are present for routing through 'ipsec0' and encrypted traffic that is decrypted by the peer
IPsec GW never reaches the site beyond that GW.

Following log is visible in one of the GW's:

Jul  9 11:46:25 ZNYX9210 charon: 08[IKE] restarting CHILD_SA test
Jul  9 11:46:25 ZNYX9210 charon: 08[IKE] initiating IKE_SA test[2] to 12.0.0.167
Jul  9 11:46:25 ZNYX9210 charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul  9 11:46:25 ZNYX9210 charon: 08[NET] sending packet: from 12.0.0.189[500] to 12.0.0.167[500] (708 bytes)
Jul  9 11:46:25 ZNYX9210 charon: 14[NET] received packet: from 12.0.0.167[500] to 12.0.0.189[500] (457 bytes)
Jul  9 11:46:25 ZNYX9210 charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] remote host is behind NAT
Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] received cert request for "C=CA, ST=PB, O=strongswan org, OU=strongswan root, CN=CA at test.org"
Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] sending cert request for "C=CA, ST=PB, O=strongswan org, OU=strongswan root, CN=CA at test.org"
Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] authentication of 'C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, CN=moon at test.org' (myself) with RSA signature successful
Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] sending end entity cert "C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, CN=moon at test.org"
Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] establishing CHILD_SA test{1}
Jul  9 11:46:25 ZNYX9210 charon: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
Jul  9 11:46:25 ZNYX9210 charon: 14[NET] sending packet: from 12.0.0.189[4500] to 12.0.0.167[4500] (1564 bytes)
Jul  9 11:46:25 ZNYX9210 charon: 09[NET] received packet: from 12.0.0.167[4500] to 12.0.0.189[4500] (1276 bytes)
Jul  9 11:46:25 ZNYX9210 charon: 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] received end entity cert "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, CN=sun at test.org"
Jul  9 11:46:25 ZNYX9210 charon: 09[CFG]   using trusted ca certificate "C=CA, ST=PB, O=strongswan org, OU=strongswan root, CN=CA at test.org"
Jul  9 11:46:25 ZNYX9210 charon: 09[CFG] checking certificate status of "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, CN=sun at test.org"
Jul  9 11:46:25 ZNYX9210 charon: 09[CFG] certificate status is not available
Jul  9 11:46:25 ZNYX9210 charon: 09[CFG]   reached self-signed root ca with a path length of 0
Jul  9 11:46:25 ZNYX9210 charon: 09[CFG]   using trusted certificate "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, CN=sun at test.org"
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] authentication of 'C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, CN=sun at test.org' with RSA signature successful
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] IKE_SA test[2] established between 12.0.0.189[C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, CN=moon at test.org]...12.0.0.167[C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, CN=sun at test.org]
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] scheduling reauthentication in 3420s
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] maximum IKE_SA lifetime 3600s
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] CHILD_SA test{1} established with SPIs 213dcf52_i c9b38fce_o and TS 11.0.0.0/24 === 10.0.0.0/24
*Jul  9 11:46:25 ZNYX9210 charon: 09[CHD] updown: sh: /etc/updown: No such file or directory*
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] received AUTH_LIFETIME of 3311s, scheduling reauthentication in 3131s


Can you please let us know why this /etc/updown file is missing and where should we get it from?

Thanks,
Shahreen

-- 

Shahreen Noor Ahmed
Network Support Department
Adax Europe Ltd
url: www.adax.com
e-mail: sahmed at adax.co.uk
Direct line: +44(0)118 952 2804

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140709/6b93f2bf/attachment.html>

More information about the Users mailing list