[strongSwan] ipv6 GRE sent in clear instead of getting encrypted

Olivier PELERIN olivier_pelerin at hotmail.com
Wed Feb 25 16:38:48 CET 2015 

Noel,

I've modified my setup from GREv6 to 'traditional' site 2 site. I had a similar but a bit different  problem [ traffic not getting encrypted - but simply vanishing in the linux ].

After looking at the routing table I've noticed this very wierd route in the table 220.

root at f-nccf-1a-de:/etc# ip -6  route show table 220
unreachable 2a00:c31:1ffe:fff::/64 dev lo  proto static  metric 1024  error -101

I've got rid of it and now it works.

Why strongswan is pushing a bogus ipv6 route? 

Regards

> Date: Wed, 14 Jan 2015 20:23:10 +0100
> From: noel at familie-kuntze.de
> To: users at lists.strongswan.org
> Subject: Re: [strongSwan] ipv6 GRE sent in clear instead of getting encrypted
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Hello Olivier,
> 
> Does the traffic selector cover the IP addresses used in the IPv6 GRE tunnel configuration?
> 
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> Am 14.01.2015 um 08:02 schrieb Olivier PELERIN:
> > Any ideas why ipv6 GRE is sent in clear?
> >
> > -------------------------
> > From: olivier_pelerin at hotmail.com
> > To: users at lists.strongswan.org
> > Date: Fri, 19 Dec 2014 13:27:16 +0100
> > Subject: [strongSwan] ipv6 GRE sent in clear instead of getting encrypted
> >
> > Hello Strongswan Alias,
> >
> > I've the following problem:
> >
> > Trafffic from a remote device is properly decrypted [ transport is GREipv6 / overlay is ipv6]. Encrypted packet leave the ubuntu box un-encrypted.
> >
> > Either xfrm policies and state are looking right.
> >
> >  ip xfrm policy
> > src 2b00:d31:e7e4:1b::1:201/128 dst 2b00:c31:e7e2:17::2:12/128 proto gre
> > dir fwd priority 1026
> > tmpl src 2b00:d31:e7e4:1b::1:201 dst 2b00:c31:e7e2:17::2:12
> > proto esp reqid 2687 mode tunnel
> > src 2b00:d31:e7e4:1b::1:201/128 dst 2b00:c31:e7e2:17::2:12/128 proto gre
> > dir in priority 1026
> > tmpl src 2b00:d31:e7e4:1b::1:201 dst 2b00:c31:e7e2:17::2:12
> > proto esp reqid 2687 mode tunnel
> > src 2b00:c31:e7e2:17::2:12/128 dst 2b00:d31:e7e4:1b::1:201/128 proto gre
> > dir out priority 1026
> > tmpl src 2b00:c31:e7e2:17::2:12 dst 2b00:d31:e7e4:1b::1:201
> > proto esp reqid 2687 mode tunnel
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket in priority 0
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket out priority 0
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket in priority 0
> > src 0.0.0.0/0 dst 0.0.0.0/0
> > socket out priority 0
> > src ::/0 dst ::/0
> > socket in priority 0
> > src ::/0 dst ::/0
> > socket out priority 0
> > src ::/0 dst ::/0
> > socket in priority 0
> > src ::/0 dst ::/0
> > socket out priority 0
> >
> > root at zg-nccf-1a-hr:/home/localadmin# ip xfrm state
> > src 2b00:c31:e7e2:17::2:12 dst 2b00:d31:e7e4:1b::1:201
> > proto esp spi 0xb173226b reqid 2687 mode tunnel
> > replay-window 32 flag af-unspec
> > auth-trunc hmac(sha1) 0x630d4dae250e28a9dfd1184b20dfd0e33cda1665 96
> > enc cbc(aes) 0x3dc58789ace1be5fccdb4b2c42b3aa23
> > src 2b00:d31:e7e4:1b::1:201 dst 2b00:c31:e7e2:17::2:12
> > proto esp spi 0xccbc90f5 reqid 2687 mode tunnel
> > replay-window 32 flag af-unspec
> > auth-trunc hmac(sha1) 0xd7e81acb481eb00c2389bdfdc2e7fdc1ca0b6417 96
> > enc cbc(aes) 0x9e7d10c82aa14b562c541482d6b5933b
> >
> >
> > ipsec statusall
> > Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-32-generic, x86_64):
> >   uptime: 7 minutes, since Dec 19 12:12:26 2014
> >   malloc: sbrk 2568192, mmap 0, used 358352, free 2209840
> >   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
> >   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
> > Listening IP addresses:
> >   2a00:c31:7fe2:17::1:11
> >   ....
> >   2001::2
> > Connections:
> >     CSR1000V:  %any...2b00:d31:e7e4:1b::1:201  IKEv2
> >     CSR1000V:   local:  [....] uses pre-shared key authentication
> >     CSR1000V:   remote: [....] uses pre-shared key authentication
> >     CSR1000V:   child:  2b00:c31:e7e2:17::2:12/128[gre] === 2b00:d31:e7e4:1b::1:201/128[gre] TUNNEL
> > Security Associations (1 up, 0 connecting):
> >     CSR1000V[1]: ESTABLISHED 7 minutes ago, 2b00:c31:e7e2:17::2:12[]...2b00:d31:e7e4:1b::1:201[]
> >     CSR1000V[1]: IKEv2 SPIs: db2eec9fddaea13f_i* 5b0acc0ed25bced5_r, pre-shared key reauthentication in 23 hours
> >     CSR1000V[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
> >     CSR1000V{1}:  INSTALLED, TUNNEL, ESP SPIs: c673e3d6_i 1e5da7b9_o
> >     CSR1000V{1}:  AES_CBC_128/HMAC_SHA1_96, 4512 bytes_i (34 pkts, 333s ago), 0 bytes_o, rekeying in 34 minutes
> >     CSR1000V{1}:   2b00:c31:e7e2:17::2:12/128[gre] === 2b00:d31:e7e4:1b::1:201/128[gre]
> > root at zg-nccf-1a-hr:/home/localadmin#
> >
> > conn CSR1000V
> >     keyexchange=ikev2
> >     ikelifetime=1440m
> >     keylife=60m
> >     leftauth=psk
> >     rightauth=psk
> >     leftid=....
> >     rightid=....
> >     right=2b00:d31:e7e4:1b::1:201
> >     leftsubnet=2b00:c31:e7e2:17::2:12/128[47]
> >     rightsubnet=2b00:d31:e7e4:1b::1:201/128[47]
> >     auto=start
> >
> > I've tried on my lab gentoo machine and there it works. Why GRE is not encrypted on this linux box?
> >
> > Regards,
> >
> > _______________________________________________ Users mailing list Users at lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> 
> iQIcBAEBCAAGBQJUtsIbAAoJEDg5KY9j7GZYCUwP/R5/UK86Ec88qz/7vPHqpb0p
> jePO4Zg3jcDPzZbgzZN7oK9yTFhE7+T6oVkL3Vv/7yvB6vlkMumAFhHEdfS3GPlT
> p9iDaxbCEVT09GTXz5+gn/eU38L7R7rxb+yfYQNDDFht9hLZWR/1GYFB8edjgH7v
> mhPnXS8hRaKmOV6uo4PZczMAaaKCXfwbBeBwE7kV0/hmAFYRmH2EHqgUuQKrGb1c
> fsYuZF32tfj+DXG8ndXISjbfW1olsAEYc4cEUuo0FsOGugGa+4tgQ1Ep8btn7jI8
> yiwSStIIXtblQEf7Mk4kZm99QCtcFm2A4sRJAX20fSkVhicCvh5L++m0VSMrh6Q/
> PEg6mqtnaMksRZhjM66vNVdbZ3dEM53TZI2QuKdVYuQvSSW6bcywbhWnmw2cAWcD
> 8SXHB2Q4ai4JuQs7S2353gl+Kl7l74XFUJbu77HJjOTx6N786ZDIP+QgNguLGf7Y
> pO588dcgxDwnnnrgblW7mDM2EouVoNtGvh9HHCJSJlfJxqlLX08Z4ygbxwZNts9S
> MZ64VRT9NsANn1i5vsCBBdvTcSMHyJK528Z5zJ+gaPF0Xe9KBPGfP84wfmlUl+F9
> cEnm2LIXfPulxOKv8cFuCLduXpz98bhykDWWRbqZjpJqBXmugODqRva9CieyI3i2
> GMNbPZ7kSHur41AAKbYF
> =w0Gt
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150225/edfcb1e1/attachment.html>

More information about the Users mailing list