[strongSwan] unable to ping local gateway in roadwarrior configuration

Mihai Ordean social at mihaiordean.com
Wed Jan 21 15:17:03 CET 2015 

Hey Martin

For reference I am reattaching the network setup from the previous email:

RoadWarrior(x.x.x.a) <==> RemoteROUTER<x.x.x.b>/<y.y.y.y> <==INTERNET==> SkyRouter (DDNS and DMZ) <z.z.z.z>/<192.168.47.1/30> <==> Server <192.168.47.2>/<192.168.7.1> <==> LAN

I have updated strongswan to listen on the external interface of the server (192.168.47.2) and disabled all port-forwarding. I have also disabled the dhcp plugin and I am now using the virtual network 10.3.0.0/26.

the iptables setup is:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

The route does get added now:

root at machine ~ # ip route show table 220
10.3.0.1 via 192.168.47.1 dev eth0  proto static

the new ipsec.conf is:

conn roadwarrior-eap
   keyexchange=ikev2
   leftauth=pubkey
   leftcert=vpn-Cert.pem
   leftid= dnsname.com
   left=%dnsname.com
   #left=192.168.47.2 #this one works also
   leftsubnet=0.0.0.0/0
   right=%any
   rightsourceip=10.3.0.0/26
   rightdns=8.8.8.8
   #rightsourceip=%dhcp
   rightauth=eap-mschapv2
   rightsendcert=never
   forceencaps=yes
   eap_identity=%any
   auto=add
   esp=aes-aes256-sha-modp1024,aes256-sha512-modp4096
   ike=aes-aes256-sha-modp1024,aes256-sha512-modp4096

and 

root at machine ~ # ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.10.17-g86ce428, armv7l):
  uptime: 106 minutes, since Jan 21 12:09:43 2015
  malloc: sbrk 1216512, mmap 0, used 211864, free 1004648
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2 addrblock
Virtual IP pools (size/online/offline):
  10.3.0.0/26: 62/1/0
Listening IP addresses:
  192.168.47.2
Connections:
roadwarrior-eap: dnsname.com,0.0.0.0/0,::/0...%any  IKEv2
roadwarrior-eap:   local:  [dnsname.com] uses public key authentication
roadwarrior-eap:    cert:  "C=UK, O=dnsname.com, CN= dnsname.com"
roadwarrior-eap:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
roadwarrior-eap:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
roadwarrior-eap[1]: ESTABLISHED 2 minutes ago, 192.168.47.2[dnsname.com]...147.188.254.135[10.6.118.141]
roadwarrior-eap[1]: Remote EAP identity: somename
roadwarrior-eap[1]: IKEv2 SPIs: ae2b182a7100b33e_i 155be7ef72e35b59_r*, public key reauthentication in 2 hours
roadwarrior-eap[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
roadwarrior-eap{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c64d7dd3_i a0f33cd4_o
roadwarrior-eap{1}:  AES_CBC_256/HMAC_SHA1_96, 122816 bytes_i (690 pkts, 3s ago), 188596 bytes_o (562 pkts, 3s ago), rekeying in 47 minutes
roadwarrior-eap{1}:   0.0.0.0/0 === 10.3.0.1/32

the full output for /var/log/syslog:

05[IKE] authentication of '10.6.118.141' with EAP successful
05[IKE] authentication of dnsname.com' (myself) with EAP
05[IKE] IKE_SA roadwarrior-eap[3] established between 192.168.47.2[dnsname.com]...147.188.254.135[10.6.118.141]
05[IKE] scheduling reauthentication in 10047s
...
05[IKE] assigning virtual IP 10.3.0.1 to peer 'somename'
05[IKE] peer requested virtual IP %any6
05[IKE] no virtual IP found for %any6 requested by 'somename'
...
05[KNL] adding policy 0.0.0.0/0 === 10.3.0.1/32 out  (mark 0/0x00000000)
05[KNL] adding policy 10.3.0.1/32 === 0.0.0.0/0 in  (mark 0/0x00000000)
05[KNL] adding policy 10.3.0.1/32 === 0.0.0.0/0 fwd  (mark 0/0x00000000)
05[KNL] getting a local address in traffic selector 0.0.0.0/0
05[KNL] using host %any
05[KNL] using 192.168.47.1 as nexthop to reach 147.188.254.135
05[KNL] 192.168.47.2 is on interface eth0
05[KNL] installing route: 10.3.0.1/32 via 192.168.47.1 src %any dev eth0
05[KNL] getting iface index for eth0
05[KNL] policy 0.0.0.0/0 === 10.3.0.1/32 out  (mark 0/0x00000000) already exists, increasing refcount
05[KNL] updating policy 0.0.0.0/0 === 10.3.0.1/32 out  (mark 0/0x00000000)
05[KNL] policy 10.3.0.1/32 === 0.0.0.0/0 in  (mark 0/0x00000000) already exists, increasing refcount
05[KNL] updating policy 10.3.0.1/32 === 0.0.0.0/0 in  (mark 0/0x00000000)
05[KNL] policy 10.3.0.1/32 === 0.0.0.0/0 fwd  (mark 0/0x00000000) already exists, increasing refcount
05[KNL] updating policy 10.3.0.1/32 === 0.0.0.0/0 fwd  (mark 0/0x00000000)
05[KNL] getting a local address in traffic selector 0.0.0.0/0
05[KNL] using host %any
05[KNL] using 192.168.47.1 as nexthop to reach 147.188.254.135
05[KNL] 192.168.47.2 is on interface eth0
05[IKE] CHILD_SA roadwarrior-eap{3} established with SPIs c36133b4_i 60c67b08_o and TS 0.0.0.0/0 === 10.3.0.1/32
05[NET] sending packet: from 192.168.47.2[4500] to 147.188.254.135[59221] (220 bytes)
08[NET] received packet: from 147.188.254.135[59221] to 192.168.47.2[4500] (76 bytes)
08[IKE] received DELETE for ESP CHILD_SA with SPI 60c67b08
08[KNL] querying SAD entry with SPI c36133b4  (mark 0/0x00000000)
08[KNL] querying SAD entry with SPI 60c67b08  (mark 0/0x00000000)
08[IKE] closing CHILD_SA roadwarrior-eap{3} with SPIs c36133b4_i (20886 bytes) 60c67b08_o (18716 bytes) and TS 0.0.0.0/0 === 10.3.0.1/32
08[IKE] sending DELETE for ESP CHILD_SA with SPI c36133b4
08[IKE] CHILD_SA closed
08[KNL] deleting SAD entry with SPI c36133b4  (mark 0/0x00000000)
08[KNL] deleted SAD entry with SPI c36133b4 (mark 0/0x00000000)
08[KNL] deleting SAD entry with SPI 60c67b08  (mark 0/0x00000000)
08[KNL] deleted SAD entry with SPI 60c67b08 (mark 0/0x00000000)
08[KNL] deleting policy 0.0.0.0/0 === 10.3.0.1/32 out  (mark 0/0x00000000)
08[KNL] policy still used by another CHILD_SA, not removed
08[KNL] updating policy 0.0.0.0/0 === 10.3.0.1/32 out  (mark 0/0x00000000)
08[KNL] deleting policy 10.3.0.1/32 === 0.0.0.0/0 in  (mark 0/0x00000000)
08[KNL] policy still used by another CHILD_SA, not removed
11[KNL] received a XFRM_MSG_ACQUIRE
08[KNL] updating policy 10.3.0.1/32 === 0.0.0.0/0 in  (mark 0/0x00000000)
11[KNL]   XFRMA_TMPL
08[KNL] deleting policy 10.3.0.1/32 === 0.0.0.0/0 fwd  (mark 0/0x00000000)
11[KNL]   XFRMA_POLICY_TYPE
08[KNL] policy still used by another CHILD_SA, not removed
08[KNL] updating policy 10.3.0.1/32 === 0.0.0.0/0 fwd  (mark 0/0x00000000)
08[KNL] getting a local address in traffic selector 0.0.0.0/0
08[KNL] using host %any
08[KNL] using 192.168.47.1 as nexthop to reach 147.188.254.135
08[KNL] 192.168.47.2 is on interface eth0
08[KNL] deleting policy 0.0.0.0/0 === 10.3.0.1/32 out  (mark 0/0x00000000)
08[KNL] deleting policy 10.3.0.1/32 === 0.0.0.0/0 in  (mark 0/0x00000000)
08[KNL] deleting policy 10.3.0.1/32 === 0.0.0.0/0 fwd  (mark 0/0x00000000)
08[KNL] getting iface index for eth0
08[NET] sending packet: from 192.168.47.2[4500] to 147.188.254.135[59221] (76 bytes)
11[KNL] creating acquire job for policy 157.55.44.125/32[tcp/https] === 10.3.0.1/32[tcp/54963] with reqid {3}
10[CFG] trap not found, unable to acquire reqid 3
14[NET] received packet: from 147.188.254.135[59221] to 192.168.47.2[4500] (76 bytes)
14[IKE] received DELETE for IKE_SA roadwarrior-eap[3]
14[IKE] deleting IKE_SA roadwarrior-eap[3] between 192.168.47.2[dnsname.com]...147.188.254.135[10.6.118.141]
14[IKE] IKE_SA deleted
14[NET] sending packet: from 192.168.47.2[4500] to 147.188.254.135[59221] (76 bytes)

I am still able to ping 192.168.7.0/24 network hosts but not 192.168.7.1. I am also unable to ping the other interface 192.168.47.2 but I can ping the 192.168.47.1 interface of the sky router.

At this point I am thinking there is some default behaviour/setting in Ubuntu which might prevent me from accessing the two interfaces of the server from virtual IPs.

for reference my sysctl has:

kernel.panic = 3
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

and
echo 0 > /sys/devices/virtual/net/br-lan/bridge/multicast_snooping

Thanks
Mihai


> -----Original Message-----
> From: Martin Willi [mailto:martin at strongswan.org]
> Sent: 21 January 2015 08:10
> To: Mihai Ordean
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] unable to ping local gateway in roadwarrior configuration
> 
> Hi Mihai,
> 
> > "ip route show table 220" returns empty. I guess the problem is here
> > that the route does not get installed. DO you have any suggestions
> > about fixing this?
> 
> First take a look at your log about any errors related to route installation. Increasing the "knl" loglevel to 2 might give some additional
> information what's going on.
> 
> Regards
> Martin
>

More information about the Users mailing list