[strongSwan] net-net sample can not work on ubuntu14.04
zhuyj
mounter625 at 163.com
Tue May 5 05:12:17 CEST 2015
Hi, Noel
This is the output of forwarding on sun:
root at strongswan2:~# cat /proc/sys/net/ipv4/ip_forward
1
root at strongswan2:~# cat /proc/sys/net/ipv4/conf/
all/ default/ eth0/ eth1/ eth2/ lo/
root at strongswan2:~# cat /proc/sys/net/ipv4/conf/all/forwarding
1
root at strongswan2:~# cat /proc/sys/net/ipv4/conf/default/forwarding
1
root at strongswan2:~# cat /proc/sys/net/ipv4/conf/eth0/forwarding
1
root at strongswan2:~# cat /proc/sys/net/ipv4/conf/eth1/forwarding
1
root at strongswan2:~# cat /proc/sys/net/ipv4/conf/eth2/forwarding
1
While "ping 10.2.0.1" is running on moon, I run "ipsec statusall" on sun.
On moon:
root at strongswan1:~# ping 10.2.0.1
PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.410 ms
64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=0.285 ms
64 bytes from 10.2.0.1: icmp_seq=3 ttl=64 time=0.338 ms
64 bytes from 10.2.0.1: icmp_seq=4 ttl=64 time=0.373 ms
64 bytes from 10.2.0.1: icmp_seq=5 ttl=64 time=0.300 ms
64 bytes from 10.2.0.1: icmp_seq=6 ttl=64 time=0.424 ms
64 bytes from 10.2.0.1: icmp_seq=7 ttl=64 time=3.11 ms
64 bytes from 10.2.0.1: icmp_seq=8 ttl=64 time=0.422 ms
64 bytes from 10.2.0.1: icmp_seq=9 ttl=64 time=2.88 ms
^C
--- 10.2.0.1 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 7998ms
rtt min/avg/max/mdev = 0.285/0.950/3.115/1.098 ms
On sun:
root at strongswan2:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.19.0-15-generic, x86_64):
uptime: 19 minutes, since May 05 10:36:17 2015
malloc: sbrk 1486848, mmap 0, used 353968, free 1132880
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl
xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default
stroke updown eap-identity addrblock
Listening IP addresses:
128.224.162.165
11:2233:4455:6677:20c:29ff:fe70:bf88
192.168.0.2
11:2233:4455:6677:20c:29ff:fe70:bf92
10.2.0.1
11:2233:4455:6677:20c:29ff:fe70:bf9c
Connections:
net-net: 192.168.0.2...192.168.0.1 IKEv1
net-net: local: [sun.strongswan.org] uses pre-shared key authentication
net-net: remote: [moon.strongswan.org] uses pre-shared key authentication
net-net: child: 0.0.0.0/0 === 10.1.0.0/16 TUNNEL
Routed Connections:
net-net{1}: ROUTED, TUNNEL
net-net{1}: 0.0.0.0/0 === 10.1.0.0/16
Security Associations (1 up, 0 connecting):
net-net[1]: ESTABLISHED 19 minutes ago, 192.168.0.2[sun.strongswan.org]...192.168.0.1[moon.strongswan.org]
net-net[1]: IKEv1 SPIs: 7233e70c634fa8aa_i eb8634d7b0b00874_r*, pre-shared key reauthentication in 37 minutes
net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
net-net{1}: REKEYING, TUNNEL, expires in 5 minutes
net-net{1}: 10.2.0.0/16 === 10.1.0.0/16
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: c043a424_i cf9ecbf3_o
net-net{1}: AES_CBC_128/HMAC_SHA1_96, 420 bytes_i (5 pkts, 2s ago), 420 bytes_o (5 pkts, 2s ago), rekeying in 15 minutes <---- I can see the input/output packets.
net-net{1}: 10.2.0.0/16 === 10.1.0.0/16
But while "ping 10.2.0.10" is running on moon, I run "ipsec statusall" on sun.
On Moon:
root at strongswan1:~# ping 10.2.0.10
PING 10.2.0.10 (10.2.0.10) 56(84) bytes of data.
^C
--- 10.2.0.10 ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 12095ms
On Sun:
root at strongswan2:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.19.0-15-generic, x86_64):
uptime: 24 minutes, since May 05 10:36:18 2015
malloc: sbrk 1486848, mmap 0, used 353968, free 1132880
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl
xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default
stroke updown eap-identity addrblock
Listening IP addresses:
128.224.162.165
11:2233:4455:6677:20c:29ff:fe70:bf88
192.168.0.2
11:2233:4455:6677:20c:29ff:fe70:bf92
10.2.0.1
11:2233:4455:6677:20c:29ff:fe70:bf9c
Connections:
net-net: 192.168.0.2...192.168.0.1 IKEv1
net-net: local: [sun.strongswan.org] uses pre-shared key authentication
net-net: remote: [moon.strongswan.org] uses pre-shared key authentication
net-net: child: 0.0.0.0/0 === 10.1.0.0/16 TUNNEL
Routed Connections:
net-net{1}: ROUTED, TUNNEL
net-net{1}: 0.0.0.0/0 === 10.1.0.0/16
Security Associations (1 up, 0 connecting):
net-net[1]: ESTABLISHED 24 minutes ago, 192.168.0.2[sun.strongswan.org]...192.168.0.1[moon.strongswan.org]
net-net[1]: IKEv1 SPIs: 7233e70c634fa8aa_i eb8634d7b0b00874_r*, pre-shared key reauthentication in 32 minutes
net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
net-net{1}: REKEYING, TUNNEL, expires in 33 seconds
net-net{1}: 10.2.0.0/16 === 10.1.0.0/16
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: c043a424_i cf9ecbf3_o
net-net{1}: AES_CBC_128/HMAC_SHA1_96, 1512 bytes_i (18 pkts, 1s ago), 672 bytes_o (8 pkts, 284s ago), rekeying in 10 minutes <---- I only find input packets.
net-net{1}: 10.2.0.0/16 === 10.1.0.0/16
In a word: when I run "ping 10.2.0.1" and then "ipsec statusall", I can see input and output packets.
When I run "ping 10.2.0.10" and then "ipsec statusall", I can only see input packets.
When I run "tcpdump -ni eth2 icmp", I can find the ICMP reply packets.
That is, the ICMP reply packets do not pass through the VPN tunnel.
I do not know why.
Best Regards!
Zhu Yanjun
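Added editor's example, not part of Zhu's message, of the thread, or of strongSwan: the check Noel asks for (watch the CHILD_SA counters while sending to the remote subnet) done mechanically. The two counter lines are the ones quoted above, joined back onto one line each; the burst size of 13 is the second ping test. bytes_i/bytes_o are the kernel's per-SA counters, so an inbound delta that covers the burst while the outbound delta does not means this gateway decrypted the requests but never handed the replies to the outbound ESP SA, which places the fault on the return path through this host rather than in the IKE/ESP setup. Counters are per CHILD_SA and other traffic between snapshots moves them too (the 3 extra outbound packets in the sample come from the earlier ping to 10.2.0.1), so take the snapshots tightly around the burst and read the "Ns ago" age as a second signal.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread or from strongSwan): read the
# CHILD_SA packet counters out of "ipsec statusall" output and compare two
# snapshots taken around a ping burst, so the stuck direction is explicit.

# The two counter lines quoted in the thread, joined back onto one line each.
SNAP_BEFORE='net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 420 bytes_i (5 pkts, 2s ago), 420 bytes_o (5 pkts, 2s ago), rekeying in 15 minutes'
SNAP_AFTER='net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 1512 bytes_i (18 pkts, 1s ago), 672 bytes_o (8 pkts, 284s ago), rekeying in 10 minutes'

# counter <snapshot> <bytes_i|bytes_o>: packet count of the first CHILD_SA
# found in the snapshot for that direction; 0 when no CHILD_SA is installed
# (statusall then prints "0 bytes_i" with no parenthesised packet count).
counter() {
  n=$(printf '%s\n' "$1" | sed -n "s/.*$2 (\([0-9][0-9]*\) pkts.*/\1/p" | head -n 1)
  echo "${n:-0}"
}

# age <snapshot> <bytes_i|bytes_o>: seconds since that direction last carried
# a packet, as reported by statusall; empty when no packet was ever counted.
age() {
  n=$(printf '%s\n' "$1" | sed -n "s/.*$2 ([0-9]* pkts, \([0-9][0-9]*\)s ago.*/\1/p" | head -n 1)
  echo "${n:-}"
}

# diagnose <before> <after> <sent>: verdict for a burst of <sent> echo
# requests from the far side, judged by how far each SA direction moved.
#   requests-missing: fewer than <sent> packets were decrypted here
#   replies-missing:  requests were decrypted, but fewer than <sent> packets
#                     went out through the outbound SA (replies never
#                     reached the tunnel policy on this host)
#   ok:               both directions moved by at least <sent>
diagnose() {
  in_delta=$(( $(counter "$2" bytes_i) - $(counter "$1" bytes_i) ))
  out_delta=$(( $(counter "$2" bytes_o) - $(counter "$1" bytes_o) ))
  if [ "$in_delta" -lt "$3" ]; then
    echo requests-missing
  elif [ "$out_delta" -lt "$3" ]; then
    echo replies-missing
  else
    echo ok
  fi
}

# Live use on sun, with the burst driven from moon:
#   before=$(ipsec statusall); ssh moon ping -c 13 10.2.0.10; after=$(ipsec statusall)
#   diagnose "$before" "$after" 13
# With the thread's own two snapshots and the 13-packet burst this prints
# "replies-missing": 13 more packets in, only 3 more out, last outbound 284s ago.
```

counter() takes the first CHILD_SA line it finds, so with several connections installed feed it the one connection's own counter line (grep it out first). A replies-missing verdict says nothing about why the replies never reach the outbound policy; the next things to compare on sun are `ip xfrm policy` (the selectors actually installed), `ip route show table 220` (the route strongSwan installs for 10.1.0.0/16) and the counters from `iptables-save -c` on the nat POSTROUTING rules shown earlier in the thread.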
On 05/04/2015 06:39 PM, Noel Kuntze wrote:
>
> Hello Zhuyj,
>
> Please check that you enabled forwarding for the network devices
> that are involved in forwarding the packets.
> Also, please check the counters in the output of ipsec statusall to see
> if the packets get decrypted. The counters should increment when you send
> packets to the remote subnet.
>
> Kind regards,
> Noel Kuntze
>
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 04.05.2015 at 12:34, zhuyj wrote:
>> Hi, Noel
>>
>> Thanks for your reply.
>> I read carefully this link: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>>
>> In this link, I think, the most important things are ip_forward and iptables.
>> Now I show you the configurations on the sun:
>>
>> root at strongswan2:~# cat /proc/sys/net/ipv4/ip_forward
>> 1
>> root at strongswan2:~# iptables-save
>> # Generated by iptables-save v1.4.21 on Mon May 4 18:29:28 2015
>> *nat
>> :PREROUTING ACCEPT [93:14126]
>> :INPUT ACCEPT [36:4578]
>> :OUTPUT ACCEPT [0:0]
>> :POSTROUTING ACCEPT [1:84]
>> -A POSTROUTING -s 10.0.0.0/8 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
>> -A POSTROUTING -s 10.0.0.0/8 -o eth1 -j MASQUERADE
>> COMMIT
>> # Completed on Mon May 4 18:29:28 2015
>> # Generated by iptables-save v1.4.21 on Mon May 4 18:29:28 2015
>> *filter
>> :INPUT ACCEPT [2033:256543]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [182:23858]
>> -A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>> -A FORWARD -s 10.2.0.0/16 -d 10.1.0.0/16 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>> COMMIT
>> # Completed on Mon May 4 18:29:28 2015
>>
>> I think the IP forwarding feature is enabled on sun, and the iptables rules are inserted.
>> But the result is the same.
>>
>> Any reply is appreciated.
>>
>> Thanks a lot.
>> Zhu Yanjun
>>
>> On 05/04/2015 06:01 PM, Noel Kuntze wrote:
>> Hello,
>>
>> Did you follow the guide for forwarding[1]?
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>>
>> Kind regards,
>> Noel Kuntze
>>
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 04.05.2015 at 11:25, zhuyj wrote:
>>>>> Hi,
>>>>>
>>>>> Are you using PSK or certificates to authenticate?
>>>>>
>>>>> Best Regards!
>>>>> Zhu Yanjun
>>>>> On 05/04/2015 05:18 PM, zhuyj wrote:
>>>>>> Hi, Bernhard
>>>>>>
>>>>>> Your problem is the same as mine.
>>>>>>
>>>>>> Best Regards!
>>>>>> Zhu Yanjun
>>>>>>
>>>>>> On 05/04/2015 05:00 PM, Bernhard Marx wrote:
>>>>>>> Hi Zhu,
>>>>>>>
>>>>>>> no problem. I wish I had :-)
>>>>>>> But are moon and sun connected via public networks?
>>>>>>> This is my scenario:
>>>>>>>
>>>>>>> 192.168.2.0/24 <=> 192.168.2.1 hardware router xx.xx.xx.xx (public IP from provider) <=> Internet <=> public IP on eth0 192.168.120.125 <=> 192.168.120.0/24 on eth1
>>>>>>>
>>>>>>> I can ping from 192.168.120.125 to 192.168.2.1 and vice versa, but I cannot reach any devices in the subnet...
>>>>>>>
>>>>>>> Regards
>>>>>>> Bernhard
>>>>>>>
>>>>>>>
>>>>>>> 2015-05-04 10:51 GMT+02:00 zhuyj <mounter625 at 163.com>:
>>>>>>>
>>>>>>> Sorry. I thought you had solved this problem already.
>>>>>>> Do you think that it is related to PSK or pubkey? I mean that strongSwan supports certificate-based authentication very well.
>>>>>>> Maybe there is something wrong with PSK auth?
>>>>>>>
>>>>>>> Zhu Yanjun
>>>>>>>
>>>>>>>
>>>>>>> On 05/04/2015 04:45 PM, zhuyj wrote:
>>>>>>>> Hi, Marx
>>>>>>>>
>>>>>>>> Please let me know how to solve this problem.
>>>>>>>>
>>>>>>>> Thanks a lot.
>>>>>>>> Zhu Yanjun
>>>>>>>>
>>>>>>>> On 05/04/2015 04:22 PM, Bernhard Marx wrote:
>>>>>>>>> Dear Zhu,
>>>>>>>>>
>>>>>>>>> I think I have the same issue... as I sent a request to the mailing list yesterday...
>>>>>>>>>
>>>>>>>>> The feedback I received is to check the routing of packets... but I can't identify the issue...
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Bernhard
>>>>>>>>>
>>>>>>>>> 2015-05-04 10:17 GMT+02:00 zhuyj <mounter625 at 163.com>:
>>>>>>>>>
>>>>>>>>> Hi, all
>>>>>>>>>
>>>>>>>>> I followed this link: http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/
>>>>>>>>>
>>>>>>>>> I configured 4 VMware hosts. The hosts are Ubuntu 14.04.
>>>>>>>>>
>>>>>>>>> The network topology is as below.
>>>>>>>>>
>>>>>>>>> 10.1.0.10 <---->10.1.0.1 (moon) 192.168.0.1<----->192.168.0.2 (sun) 10.2.0.1<---->10.2.0.10
>>>>>>>>>
>>>>>>>>> strongSwan is 5.1.2.
>>>>>>>>>
>>>>>>>>> From this link: http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/, after a VPN tunnel is created,
>>>>>>>>> I ran "ping 10.2.0.10" on client 10.1.0.10. But I cannot get any reply from 10.2.0.10.
>>>>>>>>>
>>>>>>>>> I can find the ICMP packets going into moon. But moon will not forward these ICMP packets.
>>>>>>>>>
>>>>>>>>> I followed this link http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/ exactly, but I cannot get
>>>>>>>>> the same test result as this link.
>>>>>>>>>
>>>>>>>>> Does any one have the similar experience?
>>>>>>>>>
>>>>>>>>> Any reply is appreciated.
>>>>>>>>>
>>>>>>>>> Thanks a lot.
>>>>>>>>> Zhu Yanjun
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Users mailing list
>>>>>>>>> Users at lists.strongswan.org
>>>>>>>>> https://lists.strongswan.org/mailman/listinfo/users