[strongSwan] libipsec/net2net-cert: Ipsec tunnel UP but decrypted traffic does not reach beyond GW: /etc/updown: no such file or directory

Shahreen Ahmed sahmed at adax.co.uk
Thu Jul 10 14:53:03 CEST 2014


Hi Noel,

Thank you for your reply.

I have compiled with the option you specified and now I don't see the 
'/etc/updown: no such file or directory' in the log, but the 
behaviour is still the same, i.e. iptables rules are not populated. Rather, the flow in 
the opposite direction is quite odd.

To make sure my setup's routing is correct, I have tested a scenario with 
the traditional (non-TUN-based) setup with a pre-shared key and AES 
cryptography, and I can pass bidirectional traffic.

What is happening now, for the setup mentioned below, is:


Host 1 <-----------> GW sun <-----------> GW moon <-----------> Host 2
             eth1        eth0        eth0        eth2
10.0.0.103   10.0.0.101  12.0.0.167  12.0.0.189  11.0.0.189   11.0.0.101


1) If I send traffic (UDP) from Host 2, the traffic is seen on eth2 of the moon 
GW but nothing goes to eth0 of the same GW, let alone 
encryption/decryption.

2) If I send traffic from Host 1, the traffic is encrypted and decrypted on 
eth0 of the sun GW and moon GW respectively, but that traffic is not seen on 
eth2 of the moon GW.

The configuration looks like:

moon:

#cat ipsec.conf
config setup

conn %default
         ikelifetime=60m
         keylife=20m
         rekeymargin=3m
         keyingtries=1
         keyexchange=ikev2
         mobike=no

conn test
         left=12.0.0.189
         leftcert=moonCert.pem
         leftsubnet=11.0.0.0/24
         leftid=moon at test.org
         leftupdown=/var/lib/strongswan/_updown
         right=12.0.0.167
         rightcert=sunCert.pem
         rightsubnet=10.0.0.0/24
         rightid=sun at test.org
         auto=add

#ip route list table 220
10.0.0.0/24 dev ipsec0  proto static  src 11.0.0.189


#cat strongswan.conf
charon {
    load = aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke updown xauth-generic
    multiple_authentication = no
    debug = 4
}

sun:

cat ipsec.conf
config setup

conn %default
         ikelifetime=60m
         keylife=20m
         rekeymargin=3m
         keyingtries=1
         keyexchange=ikev2
         mobike=no

conn test
         left=12.0.0.167
         leftcert=sunCert.pem
         leftsubnet=10.0.0.0/24
         leftid=sun at test.org
         leftupdown=/var/lib/strongswan/_updown
         right=12.0.0.189
         rightcert=moonCert.pem
         rightsubnet=11.0.0.0/24
         rightid=moon at test.org
         auto=add

ip route list table 220
11.0.0.0/24 via 12.0.0.189 dev eth0  proto static  src 10.0.0.101

Same strongswan.conf.

How should we populate the iptables rules?

Thanks,
Shahreen

Shahreen Noor Ahmed
Network Support Department
Adax Europe Ltd
url: www.adax.com
e-mail: sahmed at adax.co.uk
Direct line: +44(0)118 952 2804
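The question above is how the FORWARD rules for the libipsec TUN device should be populated. The script below is an added example written for this page; it is not strongSwan's own `_updown` script and is not taken from the net2net-cert test scenario. It is meant to be referenced from ipsec.conf via `leftupdown=` in place of `_updown`, and it assumes a kernel-libipsec setup in which decrypted traffic appears on a TUN device named `ipsec0` (the name in the post) and in which the inside interface is supplied through an assumed `LAN_DEV` variable (eth2 on moon, eth1 on sun in the topology above). It uses only the documented updown environment variables `PLUTO_VERB`, `PLUTO_MY_CLIENT` and `PLUTO_PEER_CLIENT`; on moon these would be `11.0.0.0/24` and `10.0.0.0/24`. Because packets leaving or entering a TUN device carry no kernel IPsec policy, `-m policy --pol ipsec` matches are not expected to apply here, so the rules match on interface and subnet instead. `render_rules` is a dry-run mode that prints the rules so they can be inspected without root.

```shell
#!/bin/sh
# Custom updown script for a kernel-libipsec (TUN) setup.
# Added example, not strongSwan's _updown. Assumptions: the TUN device is
# ipsec0 and the inside interface is passed in LAN_DEV. strongSwan exports
# PLUTO_VERB, PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT when it runs the script.

TUN_DEV="${TUN_DEV:-ipsec0}"

# Print the iptables commands for one CHILD_SA event instead of running them.
# Arguments: verb my_client peer_client lan_dev tun_dev
render_rules() {
    verb="$1"; my_client="$2"; peer_client="$3"; lan="$4"; tun="$5"
    case "$verb" in
        up-client)   op="-I FORWARD 1" ;;   # CHILD_SA established
        down-client) op="-D FORWARD" ;;     # CHILD_SA deleted
        *) return 0 ;;                      # rekey etc.: nothing to do
    esac
    # LAN -> tunnel: plaintext from our subnet routed out via the TUN device
    echo "iptables $op -i $lan -o $tun -s $my_client -d $peer_client -j ACCEPT"
    # tunnel -> LAN: decrypted traffic written to the TUN device by charon
    echo "iptables $op -i $tun -o $lan -s $peer_client -d $my_client -j ACCEPT"
}

# Run the commands produced by render_rules; fail on the first error.
apply_rules() {
    render_rules "$@" | while read -r cmd; do
        # shellcheck disable=SC2086
        $cmd || return 1
    done
}

# Entry point when strongSwan invokes the script (PLUTO_VERB is set).
if [ -n "$PLUTO_VERB" ]; then
    lan="${LAN_DEV:?set LAN_DEV to the inside interface, e.g. eth2}"
    if [ -n "$DRY_RUN" ]; then
        render_rules "$PLUTO_VERB" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" "$lan" "$TUN_DEV"
    else
        apply_rules "$PLUTO_VERB" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" "$lan" "$TUN_DEV"
    fi
fi
```

Rules in FORWARD only matter if that chain's policy is DROP. If the chain already accepts everything and the two one-way failures described above persist, the firewall is not the cause: check `sysctl net.ipv4.ip_forward`, that the table 220 route on each gateway points through the TUN device, and whether `tcpdump -ni ipsec0` on each gateway sees the plaintext at all.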

On 09/07/2014 12:33, Noel Kuntze wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello,
>
> You probably didn't run ./configure with the correct parameters and set "--with-ipsecdir=/usr/lib/strongswan".
>
> Regards,
> Noel Kuntze
>
> GPG Key id: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> Am 09.07.2014 13:29, schrieb Shahreen Ahmed:
>> Hi,
>>
>> Can you please help in this regard?
>>
>> I want to test max throughput based on Ipsec ESP userland encryption with libipsec.
>>
>> I configured Strongswan 5.1.3 with following option:
>> --enable-kernel-libipsec
>>
>> While trying to make a setup following below link:
>>
>> http://www.strongswan.org/uml/testresults/libipsec/net2net-cert/
>>
>> It seems that even though a Tunnel is UP based on X.509 authentication and a TUN interface 'ipsec0' is injected, NO firewall rules are present for routing through 'ipsec0' and encrypted traffic that is decrypted by the peer
>> IPsec GW never reaches the site beyond that GW.
>>
>> Following log is visible in one of the GW's:
>>
>> Jul  9 11:46:25 ZNYX9210 charon: 08[IKE] restarting CHILD_SA test
>> Jul  9 11:46:25 ZNYX9210 charon: 08[IKE] initiating IKE_SA test[2] to 12.0.0.167
>> Jul  9 11:46:25 ZNYX9210 charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Jul  9 11:46:25 ZNYX9210 charon: 08[NET] sending packet: from 12.0.0.189[500] to 12.0.0.167[500] (708 bytes)
>> Jul  9 11:46:25 ZNYX9210 charon: 14[NET] received packet: from 12.0.0.167[500] to 12.0.0.189[500] (457 bytes)
>> Jul  9 11:46:25 ZNYX9210 charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
>> Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] remote host is behind NAT
>> Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] received cert request for "C=CA, ST=PB, O=strongswan org, OU=strongswan root, CN=CA at test.org"
>> Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] sending cert request for "C=CA, ST=PB, O=strongswan org, OU=strongswan root, CN=CA at test.org"
>> Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] authentication of 'C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, CN=moon at test.org' (myself) with RSA signature successful
>> Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] sending end entity cert "C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, CN=moon at test.org"
>> Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] establishing CHILD_SA test{1}
>> Jul  9 11:46:25 ZNYX9210 charon: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
>> Jul  9 11:46:25 ZNYX9210 charon: 14[NET] sending packet: from 12.0.0.189[4500] to 12.0.0.167[4500] (1564 bytes)
>> Jul  9 11:46:25 ZNYX9210 charon: 09[NET] received packet: from 12.0.0.167[4500] to 12.0.0.189[4500] (1276 bytes)
>> Jul  9 11:46:25 ZNYX9210 charon: 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
>> Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] received end entity cert "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, CN=sun at test.org"
>> Jul  9 11:46:25 ZNYX9210 charon: 09[CFG]   using trusted ca certificate "C=CA, ST=PB, O=strongswan org, OU=strongswan root, CN=CA at test.org"
>> Jul  9 11:46:25 ZNYX9210 charon: 09[CFG] checking certificate status of "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, CN=sun at test.org"
>> Jul  9 11:46:25 ZNYX9210 charon: 09[CFG] certificate status is not available
>> Jul  9 11:46:25 ZNYX9210 charon: 09[CFG]   reached self-signed root ca with a path length of 0
>> Jul  9 11:46:25 ZNYX9210 charon: 09[CFG]   using trusted certificate "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, CN=sun at test.org"
>> Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] authentication of 'C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, CN=sun at test.org' with RSA signature successful
>> Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] IKE_SA test[2] established between 12.0.0.189[C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, CN=moon at test.org]...12.0.0.167[C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, CN=sun at test.org]
>> Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] scheduling reauthentication in 3420s
>> Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] maximum IKE_SA lifetime 3600s
>> Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] CHILD_SA test{1} established with SPIs 213dcf52_i c9b38fce_o and TS 11.0.0.0/24 === 10.0.0.0/24
>> *Jul  9 11:46:25 ZNYX9210 charon: 09[CHD] updown: sh: /etc/updown: No such file or directory*
>> Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] received AUTH_LIFETIME of 3311s, scheduling reauthentication in 3131s
>>
>>
>> Can you please let us know why this /etc/updown file is missing and where should we get it from?
>>
>> Thanks,
>> Shahreen
>> --
>>
>> Shahreen Noor Ahmed
>> Network Support Department
>> Adax Europe Ltd
>> url: www.adax.com
>> e-mail: sahmed at adax.co.uk
>> Direct line: +44(0)118 952 2804
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users