[strongSwan] IPsec Tunnel but no Traffic
Robert Hofmann
robert.hofmann at econob.com
Tue Jun 16 18:34:03 CEST 2015
Hi,
I have some troubles setting up a site-to-site IPsec based VPN tunnel with strongSwan.
Infrastructure Overview:
On my side:
There is only one (hosted) Ubuntu 10.04.2 LTS Server that acts as gateway, firewall, VPN server and client, ...
I installed strongSwan 5.3.2 from source - the Ubuntu version (4.x) was missing some libraries.
The other side is a Cisco ASA; I have no further information about their infrastructure (besides the necessary IP addresses and subnets).
+---------------------+                      +---------------------+
|       my side       |                      |      CISCO ASA      |
|                     |       internet       |                     |
| venet0: aa.bb.cc.dd +----------------------+ mm.nn.oo.pp         |
|                     |                      |                     |
|                     |                      |                     |
+---------------------+                      +-----+---------------+
                                                   |
                                                   |
                                                   |
                                             +-----+---------------+
                                             |       client        |
                                             |                     |
                                             |   ww.xx.yy.zz/32    |
                                             +---------------------+
Since I got the configuration from the Cisco ASA side, the tunnel is up, but I can't send anything through the tunnel.
my ipsec.conf:
-------------------------------
# ipsec.conf - strongSwan IPsec configuration file

config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug="ike 2, knl 1, cfg 0"

conn %default
        ikelifetime=1440m
        keylife=480m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        installpolicy=no

conn VCC_test_VPN_ww_xx_yy_zz
        left=aa.bb.cc.dd
        leftsubnet=aa.bb.cc.dd/32
        leftid=aa.bb.cc.dd
        #leftfirewall=yes
        right=mm.nn.oo.pp
        rightsubnet=ww.xx.yy.zz/32
        rightid=mm.nn.oo.pp
        auto=start
        ike=aes256-sha1-modp1536
        esp=aes256-sha1
-------------------------------
# ipsec start
-------------------------------
Starting strongSwan 5.3.2 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
-------------------------------
Are these messages important?
# ifconfig
-------------------------------
ipsec0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1146 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1146 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:82609 (82.6 KB)  TX bytes:82609 (82.6 KB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.1  P-t-P:127.0.0.1  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:19563 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13359 errors:0 dropped:1 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1718886 (1.7 MB)  TX bytes:3098671 (3.0 MB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:aa.bb.cc.dd  P-t-P:aa.bb.cc.dd  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
-------------------------------
As you can see, an additional interface "ipsec0" appears after "ipsec start" is issued, but it has no IP address assigned.
# ipsec statusall
-------------------------------
Status of IKE charon daemon (strongSwan 5.3.2, Linux 2.6.18-028stab101.1, x86_64):
  uptime: 111 seconds, since Jun 16 17:53:06 2015
  malloc: sbrk 270336, mmap 0, used 241712, free 28624
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 8
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  aa.bb.cc.dd
Connections:
VCC_test_VPN_192_168_100_43:  aa.bb.cc.dd...mm.nn.oo.pp  IKEv1
VCC_test_VPN_192_168_100_43:   local:  [aa.bb.cc.dd] uses pre-shared key authentication
VCC_test_VPN_192_168_100_43:   remote: [mm.nn.oo.pp] uses pre-shared key authentication
VCC_test_VPN_192_168_100_43:   child:  aa.bb.cc.dd/32 === ww.xx.yy.zz/32 TUNNEL
Security Associations (1 up, 0 connecting):
VCC_test_VPN_192_168_100_43[2]: ESTABLISHED 106 seconds ago, aa.bb.cc.dd[aa.bb.cc.dd]...mm.nn.oo.pp[mm.nn.oo.pp]
VCC_test_VPN_192_168_100_43[2]: IKEv1 SPIs: f4fe2292dc0efc3e_i a5a1566ded91b5b6_r*, pre-shared key reauthentication in 23 hours
VCC_test_VPN_192_168_100_43[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
VCC_test_VPN_192_168_100_43{1}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
VCC_test_VPN_192_168_100_43{1}:   aa.bb.cc.dd/32 === ww.xx.yy.zz/32
VCC_test_VPN_192_168_100_43{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 364d4945_i c2f714a8_o
VCC_test_VPN_192_168_100_43{2}:  AES_CBC_256/HMAC_SHA1_96, 1140 bytes_i (19 pkts, 4s ago), 0 bytes_o, rekeying in 7 hours
VCC_test_VPN_192_168_100_43{2}:   aa.bb.cc.dd/32 === ww.xx.yy.zz/32
-------------------------------
My colleagues on the other side tried to ping my machine from their internal IP address; it seems that their ping is sent through the tunnel, as tcpdump indicates:
-------------------------------
17:58:28.802132 IP mm.nn.oo.pp.4500 > aa.bb.cc.dd.4500: UDP-encap: ESP(spi=0x364d4945,seq=0x3e), length 10
-------------------------------
but, and this is my problem, I cannot send anything back!
I assume that the tunnel is set up correctly and that it is a configuration issue on my side.
I think there is a problem with my ipsec0 interface (it has no IP) and therefore there is no routing:
# route -n
-------------------------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.255.255.1   0.0.0.0         255.255.255.255 UH    0      0        0 venet0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         xxx.255.255.1   0.0.0.0         UG    0      0        0 venet0
-------------------------------
To rule out anything firewall-related, I disabled iptables for this test. I found some threads on the Internet saying that iptables NATting is needed, but all of those configurations use the classic client<-->ServerA<--tunnel-->ServerB<-->client setup.
Summary:
1. Does my ipsec0 interface need an IP address?
   a) If yes, should it get one from strongSwan or do I have to assign one manually?
      - If manually: what address, as I have no subnet behind my server?
2. Should I get some routes from strongSwan or do I have to create them manually?
3. Is iptables necessary for IPsec when there is no subnet?
4. ipsec start throws some messages; can I ignore those?
I read the similar thread https://lists.strongswan.org/pipermail/users/2014-July/006365.html but the thread ended with no solution (for me), so I'm afraid I have to ask this similar question.
If you need further information feel free to ask,
thank you in advance,
br
Robert
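Editor's note, added to this archived post and not part of the original message or of strongSwan itself: the three "no ... IPsec stack detected" lines and the "kernel-libipsec" entry in the plugin list mean the (OpenVZ) kernel offers no XFRM, so charon is doing ESP in userland and only ever sees packets that the host routes into its TUN device (ipsec0). In that mode charon installs a route for the remote traffic selector via ipsec0 into routing table 220 (consulted before the main table through an ip rule it adds) when policy installation is left enabled; the quoted config sets installpolicy=no. The script below turns the two symptoms visible in the post into a check a practitioner can run: it parses `ipsec statusall` text for INSTALLED CHILD_SAs whose counters show bytes in but none out, and `ip -4 route show table all` text for whether the remote selector is actually routed via the TUN device. The sample inputs are constructed, modelled on the output quoted above with RFC 5737 addresses standing in for the redacted ones; the device name ipsec0 and the table number 220 are strongSwan's defaults and are assumptions if a local build changes them.

```python
"""Check a strongSwan tunnel for one-way traffic and a missing libipsec route.

Added example, not part of the original post and not strongSwan's own tooling.
Assumptions: kernel-libipsec's TUN device is named ipsec0 and charon's routes
live in table 220 (strongSwan defaults); all addresses are constructed RFC 5737
stand-ins for the redacted ones in the post.
"""
import ipaddress
import re

# Constructed sample modelled on the `ipsec statusall` output quoted in the post.
STATUSALL = """\
Status of IKE charon daemon (strongSwan 5.3.2, Linux 2.6.18-028stab101.1, x86_64):
  loaded plugins: charon aes sha1 sha2 hmac gmp kernel-libipsec kernel-netlink socket-default stroke updown
Listening IP addresses:
  192.0.2.10
Connections:
   site2site:  192.0.2.10...198.51.100.1  IKEv1
   site2site:   child:  192.0.2.10/32 === 203.0.113.43/32 TUNNEL
Security Associations (1 up, 0 connecting):
   site2site[2]: ESTABLISHED 106 seconds ago, 192.0.2.10[192.0.2.10]...198.51.100.1[198.51.100.1]
   site2site{1}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
   site2site{1}:   192.0.2.10/32 === 203.0.113.43/32
   site2site{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 364d4945_i c2f714a8_o
   site2site{2}:  AES_CBC_256/HMAC_SHA1_96, 1140 bytes_i (19 pkts, 4s ago), 0 bytes_o, rekeying in 7 hours
   site2site{2}:   192.0.2.10/32 === 203.0.113.43/32
"""

# Constructed `ip -4 route show table all` output: main table only, as in the post.
ROUTES_BROKEN = """\
default via 192.0.2.1 dev venet0
192.0.2.1 dev venet0 scope link
"""
# Same host once charon has installed its libipsec route for the remote selector.
ROUTES_FIXED = ROUTES_BROKEN + "203.0.113.43 dev ipsec0 table 220 proto static src 192.0.2.10\n"

CHILD_RE = re.compile(r"^\s*(?P<conn>[^\s{\[]+)\{(?P<id>\d+)\}:\s*(?P<rest>.*)$")
STATE_RE = re.compile(r"^(?P<state>[A-Z]+), (?:TUNNEL|TRANSPORT|BEET), reqid (?P<reqid>\d+)")
BYTES_RE = re.compile(r"(?P<bi>\d+) bytes_i.*?, (?P<bo>\d+) bytes_o")
TS_RE = re.compile(r"^(?P<local>\S+) === (?P<remote>\S+)$")  # one selector per side, as in the post


def parse_child_sas(text):
    """Return (userland_esp, {(conn, id): sa}) from `ipsec statusall` output."""
    userland = False
    sas = {}
    for line in text.splitlines():
        if line.strip().startswith("loaded plugins:"):
            userland = "kernel-libipsec" in line.split()
        m = CHILD_RE.match(line)
        if not m:
            continue  # IKE_SA lines ([n]) and the Connections block carry no {n}
        sa = sas.setdefault((m["conn"], m["id"]),
                            {"state": None, "bytes_i": None, "bytes_o": None, "local": None, "remote": None})
        rest = m["rest"].strip()
        s = STATE_RE.match(rest)
        b = BYTES_RE.search(rest)
        t = TS_RE.match(rest)
        if s:
            sa["state"] = s["state"]
        elif b:
            sa["bytes_i"], sa["bytes_o"] = int(b["bi"]), int(b["bo"])
        elif t:
            sa["local"], sa["remote"] = t["local"], t["remote"]
    return userland, sas


def parse_routes(text):
    """Parse `ip -4 route show table all` lines into {dst, dev, table} dicts."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ("broadcast", "local", "unreachable", "prohibit", "blackhole"):
            tok = tok[1:]  # route type prefix printed for the local table
        entry = {"dst": tok[0], "dev": None, "table": "main"}
        for i in range(1, len(tok) - 1):
            if tok[i] in ("dev", "table"):
                entry[tok[i]] = tok[i + 1]
        routes.append(entry)
    return routes


def best_route(routes, prefix):
    """Longest-prefix match, consulting table 220 before everything else (strongSwan's ip rule)."""
    target = ipaddress.ip_network(prefix, strict=False)
    best = None
    for r in routes:
        net = ipaddress.ip_network("0.0.0.0/0" if r["dst"] == "default" else r["dst"], strict=False)
        if not target.subnet_of(net):
            continue
        key = (r["table"] == "220", net.prefixlen)
        if best is None or key > best[0]:
            best = (key, r)
    return best[1] if best else None


def diagnose(statusall_text, route_text, tun_dev="ipsec0"):
    """Return the plugin mode, the parsed CHILD_SAs and a list of findings."""
    userland, sas = parse_child_sas(statusall_text)
    routes = parse_routes(route_text)
    findings = []
    for (conn, cid), sa in sas.items():
        if sa["state"] != "INSTALLED":
            continue  # REKEYED/DELETING SAs no longer carry new traffic
        if sa["bytes_i"] and not sa["bytes_o"]:
            findings.append("%s{%s}: one-way traffic, %d bytes in and 0 out: the peer reaches us, "
                            "nothing is routed back into the tunnel" % (conn, cid, sa["bytes_i"]))
        if userland and sa["remote"]:
            r = best_route(routes, sa["remote"])
            via = r["dev"] if r else "nothing"
            if via != tun_dev:
                findings.append("%s{%s}: no route for %s via %s (kernel-libipsec only sees packets "
                                "routed into its TUN device); current best route is via %s"
                                % (conn, cid, sa["remote"], tun_dev, via))
    return {"userland_esp": userland, "child_sas": sas, "findings": findings}


if __name__ == "__main__":
    for label, routes in (("as posted", ROUTES_BROKEN), ("with table-220 route", ROUTES_FIXED)):
        print(label)
        for finding in diagnose(STATUSALL, routes)["findings"]:
            print("  -", finding)
```

On a live host, feed it the real text: `diagnose(open("statusall.txt").read(), open("routes.txt").read())` after saving `ipsec statusall` and `ip -4 route show table all`. The routing check is deliberately limited to libipsec mode; with a kernel XFRM stack there is no TUN device to route into, and the one-way counter check alone is the useful signal.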