[strongSwan] libipsec/net2net-cert: Ipsec tunnel UP but decrypted traffic does not reach beyond GW: /etc/updown: no such file or directory

Noel Kuntze noel at familie-kuntze.de
Wed Jul 9 13:33:14 CEST 2014



Hello,

You probably didn't run ./configure with the correct parameters and set "--with-ipsecdir=/usr/lib/strongswan".

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 09.07.2014 13:29, Shahreen Ahmed wrote:
> Hi,
>
> Can you please help in this regard?
>
> I want to test max throughput based on Ipsec ESP userland encryption with libipsec.
>
> I configured Strongswan 5.1.3 with the following option:
> --enable-kernel-libipsec
>
> While trying to make a setup following the link below:
>
> http://www.strongswan.org/uml/testresults/libipsec/net2net-cert/
>
> It seems that even though a Tunnel is UP based on X.509 authentication and a TUN interface 'ipsec0' is injected, NO firewall rules are present for routing through 'ipsec0', and encrypted traffic that is decrypted by the peer
> IPsec GW never reaches the site beyond that GW.
>
> Following log is visible in one of the GW's:
>
> Jul  9 11:46:25 ZNYX9210 charon: 08[IKE] restarting CHILD_SA test
> Jul  9 11:46:25 ZNYX9210 charon: 08[IKE] initiating IKE_SA test[2] to 12.0.0.167
> Jul  9 11:46:25 ZNYX9210 charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Jul  9 11:46:25 ZNYX9210 charon: 08[NET] sending packet: from 12.0.0.189[500] to 12.0.0.167[500] (708 bytes)
> Jul  9 11:46:25 ZNYX9210 charon: 14[NET] received packet: from 12.0.0.167[500] to 12.0.0.189[500] (457 bytes)
> Jul  9 11:46:25 ZNYX9210 charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
> Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] remote host is behind NAT
> Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] received cert request for "C=CA, ST=PB, O=strongswan org, OU=strongswan root, CN=CA at test.org"
> Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] sending cert request for "C=CA, ST=PB, O=strongswan org, OU=strongswan root, CN=CA at test.org"
> Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] authentication of 'C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, CN=moon at test.org' (myself) with RSA signature successful
> Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] sending end entity cert "C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, CN=moon at test.org"
> Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] establishing CHILD_SA test{1}
> Jul  9 11:46:25 ZNYX9210 charon: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> Jul  9 11:46:25 ZNYX9210 charon: 14[NET] sending packet: from 12.0.0.189[4500] to 12.0.0.167[4500] (1564 bytes)
> Jul  9 11:46:25 ZNYX9210 charon: 09[NET] received packet: from 12.0.0.167[4500] to 12.0.0.189[4500] (1276 bytes)
> Jul  9 11:46:25 ZNYX9210 charon: 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
> Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] received end entity cert "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, CN=sun at test.org"
> Jul  9 11:46:25 ZNYX9210 charon: 09[CFG]   using trusted ca certificate "C=CA, ST=PB, O=strongswan org, OU=strongswan root, CN=CA at test.org"
> Jul  9 11:46:25 ZNYX9210 charon: 09[CFG] checking certificate status of "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, CN=sun at test.org"
> Jul  9 11:46:25 ZNYX9210 charon: 09[CFG] certificate status is not available
> Jul  9 11:46:25 ZNYX9210 charon: 09[CFG]   reached self-signed root ca with a path length of 0
> Jul  9 11:46:25 ZNYX9210 charon: 09[CFG]   using trusted certificate "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, CN=sun at test.org"
> Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] authentication of 'C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, CN=sun at test.org' with RSA signature successful
> Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] IKE_SA test[2] established between 12.0.0.189[C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, CN=moon at test.org]...12.0.0.167[C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, CN=sun at test.org]
> Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] scheduling reauthentication in 3420s
> Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] maximum IKE_SA lifetime 3600s
> Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] CHILD_SA test{1} established with SPIs 213dcf52_i c9b38fce_o and TS 11.0.0.0/24 === 10.0.0.0/24
> *Jul  9 11:46:25 ZNYX9210 charon: 09[CHD] updown: sh: /etc/updown: No such file or directory*
> Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] received AUTH_LIFETIME of 3311s, scheduling reauthentication in 3131s
>
>
> Can you please let us know why this /etc/updown file is missing and where we should get it from?
>
> Thanks,
> Shahreen
> --
>
> Shahreen Noor Ahmed
> Network Support Department
> Adax Europe Ltd
> url: www.adax.com
> e-mail: sahmed at adax.co.uk
> Direct line: +44(0)118 952 2804

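The failure mode in the quoted log is easy to miss: the CHILD_SA is reported as established, and only the following `[CHD] updown:` line reveals that the hook which would have installed the routes and firewall rules for `ipsec0` never ran. The following is an added example, not code from the thread or from strongSwan, that scans charon log lines and flags CHILD_SAs whose updown hook failed on the same worker thread right after they came up; the sample log is constructed and modelled on the lines quoted above.

```python
import re

# Constructed sample, modelled on the charon lines quoted in the thread (not a live capture).
SAMPLE_LOG = """\
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] IKE_SA test[2] established between 12.0.0.189[CN=moon at test.org]...12.0.0.167[CN=sun at test.org]
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] CHILD_SA test{1} established with SPIs 213dcf52_i c9b38fce_o and TS 11.0.0.0/24 === 10.0.0.0/24
Jul  9 11:46:25 ZNYX9210 charon: 09[CHD] updown: sh: /etc/updown: No such file or directory
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] received AUTH_LIFETIME of 3311s, scheduling reauthentication in 3131s
"""

# charon prefixes every line with "<worker thread>[<subsystem>] <message>".
LINE = re.compile(r"charon: (\d+)\[(\w+)\] (.*)$")
# The line that marks a CHILD_SA as up, with its SPIs and traffic selectors.
CHILD_UP = re.compile(r"CHILD_SA ([^{\s]+)\{(\d+)\} established with SPIs (\w+)_i (\w+)_o and TS (\S+) === (\S+)")
# Anything the updown hook reports under [CHD] (here: the shell failing to open the script).
UPDOWN_MSG = re.compile(r"updown: (.*)$")

def audit_child_sas(log_text):
    """Return one record per established CHILD_SA. A record gets an 'updown_error'
    when the same charon worker thread logs an updown message right after the SA
    came up; that SA decrypts traffic on ipsec0 but has no routes or rules for it."""
    sas = []
    last_by_thread = {}  # worker thread id -> most recent CHILD_SA record it established
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        thread, subsystem, msg = m.groups()
        up = CHILD_UP.match(msg)
        if up:
            rec = {"name": up.group(1), "unique_id": int(up.group(2)),
                   "spi_in": up.group(3), "spi_out": up.group(4),
                   "local_ts": up.group(5), "remote_ts": up.group(6),
                   "updown_error": None}
            sas.append(rec)
            last_by_thread[thread] = rec
            continue
        if subsystem == "CHD" and thread in last_by_thread:
            err = UPDOWN_MSG.match(msg)
            if err:
                last_by_thread[thread]["updown_error"] = err.group(1)
    return sas

def broken_sas(log_text):
    """Names of CHILD_SAs that are up but whose updown hook failed."""
    return [s["name"] for s in audit_child_sas(log_text) if s["updown_error"]]

if __name__ == "__main__":
    for sa in audit_child_sas(SAMPLE_LOG):
        state = "updown FAILED: " + sa["updown_error"] if sa["updown_error"] else "ok"
        print(f"{sa['name']}{{{sa['unique_id']}}} {sa['local_ts']} === {sa['remote_ts']}: {state}")
```

Feeding `/var/log/syslog` (or `journalctl -u strongswan`) through `audit_child_sas` turns the silent "tunnel up, nothing forwarded" condition into an explicit finding per SA.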
