[strongSwan] net-net sample can not work on ubuntu14.04

Bernhard Marx bernhard.marx at gmail.com
Wed May 6 08:44:08 CEST 2015


Hi all,

For my issue, I could resolve it by adding a routing rule to all clients,
because the VPN is not the default gateway for the 192.168.120.0/24 network...

Bernhard
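
The fix above (a route on every LAN client, because the strongSwan box is not their default gateway) can be checked rather than guessed. The script below is an added example, not code from this thread or from strongSwan: it runs a longest-prefix-match over a client's `ip -4 route show` output and prints the `ip route add` command the client still needs. The routing table is constructed for illustration; the client address 192.168.120.50 and the default gateway 192.168.120.1 are assumptions, while the gateway LAN address 192.168.120.125 and the remote subnet 192.168.2.0/24 come from Bernhard's description of his setup.

```sh
#!/bin/sh
# Added example (not from the thread or strongSwan): would a LAN client hand
# traffic for the remote VPN subnet to the IPsec gateway, or to its default
# gateway?  A site-to-site tunnel only carries the traffic if both are the
# same box, or if the client has an explicit route for the remote subnet.

# ip2int DOTTED-QUAD -> 32-bit integer
ip2int() {
    printf '%s\n' "$1" | { IFS=. read -r o1 o2 o3 o4
        echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 )); }
}

# prefix2mask LEN -> netmask as an integer (LEN 0 handled explicitly)
prefix2mask() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); fi
}

# lookup_nexthop ROUTES DEST -> next hop of the longest matching route in
# ROUTES (text in "ip route show" format), or "link" for a directly
# connected network.  Returns 1 when nothing matches (no default route).
lookup_nexthop() {
    ln_dest=$(ip2int "$2")
    ln_best_len=-1; ln_best_hop=''
    while read -r ln_prefix ln_kw ln_arg ln_rest; do
        [ -n "$ln_prefix" ] || continue
        case $ln_prefix in
            default) ln_net=0.0.0.0; ln_len=0 ;;
            */*)     ln_net=${ln_prefix%/*}; ln_len=${ln_prefix#*/} ;;
            *)       ln_net=$ln_prefix; ln_len=32 ;;        # host route
        esac
        ln_mask=$(prefix2mask "$ln_len")
        if [ $(( ln_dest & ln_mask )) -eq $(( $(ip2int "$ln_net") & ln_mask )) ] \
           && [ "$ln_len" -gt "$ln_best_len" ]; then
            ln_best_len=$ln_len
            if [ "$ln_kw" = via ]; then ln_best_hop=$ln_arg; else ln_best_hop=link; fi
        fi
    done <<EOF
$1
EOF
    [ "$ln_best_len" -ge 0 ] || return 1
    printf '%s\n' "$ln_best_hop"
}

# needed_route ROUTES REMOTE_NET VPN_GW -> "ok" when REMOTE_NET already goes
# via VPN_GW, otherwise the ip(8) command that fixes this client.  Probing the
# network address is enough unless a more specific route exists inside it.
needed_route() {
    nr_hop=$(lookup_nexthop "$1" "${2%/*}") || nr_hop=none
    if [ "$nr_hop" = "$3" ]; then
        echo ok
    else
        echo "ip route add $2 via $3"
    fi
}

# Constructed routing table of a client on the 192.168.120.0/24 LAN whose
# default gateway (192.168.120.1, assumed) is the hardware router, not the
# strongSwan box at 192.168.120.125.
CLIENT_ROUTES='default via 192.168.120.1 dev eth0
192.168.120.0/24 dev eth0 proto kernel scope link src 192.168.120.50'

# The same table after applying the fix.
CLIENT_ROUTES_FIXED="$CLIENT_ROUTES
192.168.2.0/24 via 192.168.120.125 dev eth0"

needed_route "$CLIENT_ROUTES" 192.168.2.0/24 192.168.120.125       # ip route add 192.168.2.0/24 via 192.168.120.125
needed_route "$CLIENT_ROUTES_FIXED" 192.168.2.0/24 192.168.120.125 # ok
```

On a live client, feed it the real table: `needed_route "$(ip -4 route show)" 192.168.2.0/24 192.168.120.125`. The same check on the far LAN returns `ok` if, as the description suggests, the hardware router at 192.168.2.1 is both that LAN's default gateway and the tunnel endpoint. The added route is only half of the story: the gateway's own traffic selectors and forwarding must also cover the client's source address, otherwise the packet reaches the gateway and is dropped there instead.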

2015-05-05 5:12 GMT+02:00 zhuyj <mounter625 at 163.com>:

> Hi, Noel
>
> This is the output of forwarding on sun:
>
> root at strongswan2:~# cat /proc/sys/net/ipv4/ip_forward
> 1
> root at strongswan2:~# cat /proc/sys/net/ipv4/conf/
> all/     default/ eth0/    eth1/    eth2/    lo/
> root at strongswan2:~# cat /proc/sys/net/ipv4/conf/all/forwarding
> 1
> root at strongswan2:~# cat /proc/sys/net/ipv4/conf/default/forwarding
> 1
> root at strongswan2:~# cat /proc/sys/net/ipv4/conf/eth0/forwarding
> 1
> root at strongswan2:~# cat /proc/sys/net/ipv4/conf/eth1/forwarding
> 1
> root at strongswan2:~# cat /proc/sys/net/ipv4/conf/eth2/forwarding
> 1
>
> When I run "ping 10.2.0.1" on moon, I run "ipsec statusall" on sun
>
> On moon:
>
> root at strongswan1:~# ping 10.2.0.1
> PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
> 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.410 ms
> 64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=0.285 ms
> 64 bytes from 10.2.0.1: icmp_seq=3 ttl=64 time=0.338 ms
> 64 bytes from 10.2.0.1: icmp_seq=4 ttl=64 time=0.373 ms
> 64 bytes from 10.2.0.1: icmp_seq=5 ttl=64 time=0.300 ms
> 64 bytes from 10.2.0.1: icmp_seq=6 ttl=64 time=0.424 ms
> 64 bytes from 10.2.0.1: icmp_seq=7 ttl=64 time=3.11 ms
> 64 bytes from 10.2.0.1: icmp_seq=8 ttl=64 time=0.422 ms
> 64 bytes from 10.2.0.1: icmp_seq=9 ttl=64 time=2.88 ms
> ^C
> --- 10.2.0.1 ping statistics ---
> 9 packets transmitted, 9 received, 0% packet loss, time 7998ms
> rtt min/avg/max/mdev = 0.285/0.950/3.115/1.098 ms
>
> On Sun
>
> root at strongswan2:~# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.19.0-15-generic,
> x86_64):
>   uptime: 19 minutes, since May 05 10:36:17 2015
>   malloc: sbrk 1486848, mmap 0, used 353968, free 1132880
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 2
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
> nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc
> cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke
> updown eap-identity addrblock
> Listening IP addresses:
>   128.224.162.165
>   11:2233:4455:6677:20c:29ff:fe70:bf88
>   192.168.0.2
>   11:2233:4455:6677:20c:29ff:fe70:bf92
>   10.2.0.1
>   11:2233:4455:6677:20c:29ff:fe70:bf9c
> Connections:
>      net-net:  192.168.0.2...192.168.0.1  IKEv1
>      net-net:   local:  [sun.strongswan.org] uses pre-shared key
> authentication
>      net-net:   remote: [moon.strongswan.org] uses pre-shared key
> authentication
>      net-net:   child:  0.0.0.0/0 === 10.1.0.0/16 TUNNEL
> Routed Connections:
>      net-net{1}:  ROUTED, TUNNEL
>      net-net{1}:   0.0.0.0/0 === 10.1.0.0/16
> Security Associations (1 up, 0 connecting):
>      net-net[1]: ESTABLISHED 19 minutes ago, 192.168.0.2[
> sun.strongswan.org]...192.168.0.1[moon.strongswan.org]
>      net-net[1]: IKEv1 SPIs: 7233e70c634fa8aa_i eb8634d7b0b00874_r*,
> pre-shared key reauthentication in 37 minutes
>      net-net[1]: IKE proposal:
> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>      net-net{1}:  REKEYING, TUNNEL, expires in 5 minutes
>      net-net{1}:   10.2.0.0/16 === 10.1.0.0/16
>      net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c043a424_i cf9ecbf3_o
>      net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 420 bytes_i (5 pkts, 2s ago),
> 420 bytes_o (5 pkts, 2s ago), rekeying in 15 minutes <----I can see the
> input/output packets.
>      net-net{1}:   10.2.0.0/16 === 10.1.0.0/16
>
> But when I run "ping 10.2.0.10" on Moon, I run "ipsec statusall" on Sun.
>
> On Moon:
>
> root at strongswan1:~# ping 10.2.0.10
> PING 10.2.0.10 (10.2.0.10) 56(84) bytes of data.
> ^C
> --- 10.2.0.10 ping statistics ---
> 13 packets transmitted, 0 received, 100% packet loss, time 12095ms
>
> On Sun:
>
> root at strongswan2:~# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.19.0-15-generic,
> x86_64):
>   uptime: 24 minutes, since May 05 10:36:18 2015
>   malloc: sbrk 1486848, mmap 0, used 353968, free 1132880
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 2
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
> nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc
> cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke
> updown eap-identity addrblock
> Listening IP addresses:
>   128.224.162.165
>   11:2233:4455:6677:20c:29ff:fe70:bf88
>   192.168.0.2
>   11:2233:4455:6677:20c:29ff:fe70:bf92
>   10.2.0.1
>   11:2233:4455:6677:20c:29ff:fe70:bf9c
> Connections:
>      net-net:  192.168.0.2...192.168.0.1  IKEv1
>      net-net:   local:  [sun.strongswan.org] uses pre-shared key
> authentication
>      net-net:   remote: [moon.strongswan.org] uses pre-shared key
> authentication
>      net-net:   child:  0.0.0.0/0 === 10.1.0.0/16 TUNNEL
> Routed Connections:
>      net-net{1}:  ROUTED, TUNNEL
>      net-net{1}:   0.0.0.0/0 === 10.1.0.0/16
> Security Associations (1 up, 0 connecting):
>      net-net[1]: ESTABLISHED 24 minutes ago, 192.168.0.2[
> sun.strongswan.org]...192.168.0.1[moon.strongswan.org]
>      net-net[1]: IKEv1 SPIs: 7233e70c634fa8aa_i eb8634d7b0b00874_r*,
> pre-shared key reauthentication in 32 minutes
>      net-net[1]: IKE proposal:
> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>      net-net{1}:  REKEYING, TUNNEL, expires in 33 seconds
>      net-net{1}:   10.2.0.0/16 === 10.1.0.0/16
>      net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c043a424_i cf9ecbf3_o
>      net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 1512 bytes_i (18 pkts, 1s
> ago), 672 bytes_o (8 pkts, 284s ago), rekeying in 10 minutes <----I only
> find input packets.
>      net-net{1}:   10.2.0.0/16 === 10.1.0.0/16
>
>
> In a word, when I run "ping 10.2.0.1" and then "ipsec statusall", I can see
> input/output packets.
>
> When I run "ping 10.2.0.10" and then "ipsec statusall", I can only see input
> packets.
> When I run "tcpdump -ni eth2 icmp", I can see the ICMP reply packets.
> That is, the ICMP reply packets do not pass through the VPN tunnel.
>
> I do not know why.
>
> Best Regards!
>
> Zhu Yanjun
>
>
> On 05/04/2015 06:39 PM, Noel Kuntze wrote:
>
>>
>> Hello Zhuyj,
>>
>> Please check that you enabled forwarding for the network devices
>> that are involved in the forwarding of the packets.
>> Also, please check the counters in the output of ipsec statusall to see
>> whether the packets get decrypted. The counters should increment when you send
>> packets to the remote subnet.
>>
>> Kind regards,
>> Noel Kuntze
>>
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 04.05.2015 at 12:34, zhuyj wrote:
>>
>>> Hi, Noel
>>>
>>> Thanks for your reply.
>>> I read carefully this link:
>>> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>>>
>>> In this link, I think the most important things are ip_forward and iptables.
>>> Now I show you the configurations on the sun:
>>>
>>> root at strongswan2:~# cat /proc/sys/net/ipv4/ip_forward
>>> 1
>>> root at strongswan2:~# iptables-save
>>> # Generated by iptables-save v1.4.21 on Mon May  4 18:29:28 2015
>>> *nat
>>> :PREROUTING ACCEPT [93:14126]
>>> :INPUT ACCEPT [36:4578]
>>> :OUTPUT ACCEPT [0:0]
>>> :POSTROUTING ACCEPT [1:84]
>>> -A POSTROUTING -s 10.0.0.0/8 -o eth1 -m policy --dir out --pol ipsec -j
>>> ACCEPT
>>> -A POSTROUTING -s 10.0.0.0/8 -o eth1 -j MASQUERADE
>>> COMMIT
>>> # Completed on Mon May  4 18:29:28 2015
>>> # Generated by iptables-save v1.4.21 on Mon May  4 18:29:28 2015
>>> *filter
>>> :INPUT ACCEPT [2033:256543]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [182:23858]
>>> -A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -i eth1 -m policy --dir in
>>> --pol ipsec --reqid 1 --proto esp -j ACCEPT
>>> -A FORWARD -s 10.2.0.0/16 -d 10.1.0.0/16 -o eth1 -m policy --dir out
>>> --pol ipsec --reqid 1 --proto esp -j ACCEPT
>>> COMMIT
>>> # Completed on Mon May  4 18:29:28 2015
>>>
>>> I think the IP forwarding feature is enabled on sun, and the iptables rules
>>> are inserted.
>>> But the result is the same.
>>>
>>> Any reply is appreciated.
>>>
>>> Thanks a lot.
>>> Zhu Yanjun
>>>
>>> On 05/04/2015 06:01 PM, Noel Kuntze wrote:
>>> Hello,
>>>
>>> Did you follow the guide for forwarding[1]?
>>>
>>> [1]
>>> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>>>
>>> Kind regards,
>>> Noel Kuntze
>>>
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>
>>> On 04.05.2015 at 11:25, zhuyj wrote:
>>>
>>>>>> Hi,
>>>>>>
>>>>>> Are you using PSK or certificate to auth?
>>>>>>
>>>>>> Best Regards!
>>>>>> Zhu Yanjun
>>>>>> On 05/04/2015 05:18 PM, zhuyj wrote:
>>>>>>
>>>>>>> Hi, Bernhard
>>>>>>>
>>>>>>> Your problem is the same with mine.
>>>>>>>
>>>>>>> Best Regards!
>>>>>>> Zhu Yanjun
>>>>>>>
>>>>>>> On 05/04/2015 05:00 PM, Bernhard Marx wrote:
>>>>>>>
>>>>>>>> Hi Zhu,
>>>>>>>>
>>>>>>>> no problem. I wish I had :-)
>>>>>>>> But are moon and sun connected via public networks?
>>>>>>>> This is my scenario:
>>>>>>>>
>>>>>>>> 192.168.2.0/24 <=> 192.168.2.1 hardware router xx.xx.xx.xx (public IP
>>>>>>>> from provider) <=> Internet <=> public IP on eth0 192.168.120.125 <=>
>>>>>>>> 192.168.120.0/24 on eth1
>>>>>>>>
>>>>>>>> I can ping from 192.168.120.125 to 192.168.2.1 and vice versa - but
>>>>>>>> I cannot reach any devices in the subnet...
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Bernhard
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-05-04 10:51 GMT+02:00 zhuyj <mounter625 at 163.com>:
>>>>>>>>
>>>>>>>>       Sorry. I thought you had solved this problem already.
>>>>>>>>       Do you think that it is related to PSK or pubkey? I mean
>>>>>>>> that strongSwan supports certificate-based auth very well.
>>>>>>>>       Maybe there is something wrong with PSK auth?
>>>>>>>>
>>>>>>>>       Zhu Yanjun
>>>>>>>>
>>>>>>>>
>>>>>>>>       On 05/04/2015 04:45 PM, zhuyj wrote:
>>>>>>>>
>>>>>>>>>       Hi, Marx
>>>>>>>>>
>>>>>>>>>       Please let me know how to solve this problem.
>>>>>>>>>
>>>>>>>>>       Thanks a lot.
>>>>>>>>>       Zhu Yanjun
>>>>>>>>>
>>>>>>>>>       On 05/04/2015 04:22 PM, Bernhard Marx wrote:
>>>>>>>>>
>>>>>>>>>>       Dear Zhu,
>>>>>>>>>>
>>>>>>>>>>       I think I have the issue... I sent a request to the mailing
>>>>>>>>>> list yesterday...
>>>>>>>>>>
>>>>>>>>>>       The feedback I received was to check the routing of the packets...
>>>>>>>>>> but I can't identify the issue...
>>>>>>>>>>
>>>>>>>>>>       Regards
>>>>>>>>>>       Bernhard
>>>>>>>>>>
>>>>>>>>>> 2015-05-04 10:17 GMT+02:00 zhuyj <mounter625 at 163.com>:
>>>>>>>>>>
>>>>>>>>>>           Hi, all
>>>>>>>>>>
>>>>>>>>>>           I followed this link:
>>>>>>>>>> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/
>>>>>>>>>>
>>>>>>>>>>           I configured 4 VMware hosts. The hosts run Ubuntu 14.04.
>>>>>>>>>>
>>>>>>>>>>           The network topology is as below.
>>>>>>>>>>
>>>>>>>>>>           10.1.0.10 <----> 10.1.0.1 (moon) 192.168.0.1 <-----> 192.168.0.2 (sun) 10.2.0.1 <----> 10.2.0.10
>>>>>>>>>>
>>>>>>>>>>           strongswan is 5.1.2.
>>>>>>>>>>
>>>>>>>>>>           From this link:
>>>>>>>>>> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/,
>>>>>>>>>> after a VPN tunnel is created,
>>>>>>>>>>           I ran "ping 10.2.0.10" on client 10.1.0.10. But I
>>>>>>>>>> cannot get any reply from 10.2.0.10.
>>>>>>>>>>
>>>>>>>>>>           I can see the ICMP packets coming into moon. But moon will
>>>>>>>>>> not forward these ICMP packets.
>>>>>>>>>>
>>>>>>>>>>           I followed this link exactly:
>>>>>>>>>> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/,
>>>>>>>>>> but I cannot get
>>>>>>>>>>           the same test result as this link.
>>>>>>>>>>
>>>>>>>>>>           Does any one have the similar experience?
>>>>>>>>>>
>>>>>>>>>>           Any reply is appreciated.
>>>>>>>>>>
>>>>>>>>>>           Thanks a lot.
>>>>>>>>>>           Zhu Yanjun
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>           _______________________________________________
>>>>>>>>>>           Users mailing list
>>>>>>>>>>           Users at lists.strongswan.org
>>>>>>>>>>           https://lists.strongswan.org/mailman/listinfo/users
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>
>>
>
>
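
Noel's suggestion in the quoted thread (watch the bytes_i/bytes_o counters of `ipsec statusall` while sending test traffic) is what separated Zhu's two cases: requests decrypted on sun, but no reply encrypted back. The script below is an added example, not code from this thread or from strongSwan; it parses that counter line and compares two snapshots per CHILD_SA. The snapshot text is constructed in the shape of the sun output quoted above (strongSwan 5.1.2); the before-snapshot values and the idle SA net-net{2} are invented, the latter to exercise the "0 bytes_i, 0 bytes_o" form strongSwan prints when an SA has carried no packets.

```sh
#!/bin/sh
# Added example (not from the thread or strongSwan): apply the counter check
# mechanically.  Capture "ipsec statusall" before and after sending test
# traffic and report, per CHILD_SA, whether packets were decrypted
# (bytes_i/pkts) and encrypted (bytes_o/pkts) in between.

# sa_counters STATUSALL_TEXT -> one line per CHILD_SA:
#   NAME BYTES_I PKTS_I BYTES_O PKTS_O
# Handles "1512 bytes_i (18 pkts, 1s ago)" as well as the idle "0 bytes_i,".
sa_counters() {
    printf '%s\n' "$1" | awk '
        /bytes_i/ && /bytes_o/ {
            name = $1; sub(/:$/, "", name)
            bi = bo = pi = po = 0
            for (i = 2; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)
                if (f != "bytes_i" && f != "bytes_o") continue
                bytes = $(i - 1); pkts = 0
                if ($(i + 1) ~ /^\(/) { pkts = $(i + 1); sub(/^\(/, "", pkts) }
                if (f == "bytes_i") { bi = bytes; pi = pkts } else { bo = bytes; po = pkts }
            }
            print name, bi, pi, bo, po
        }'
}

# sa_verdict SA_NAME BEFORE AFTER -> bidirectional | inbound-only |
# outbound-only | idle, based on the packet counters only (byte counts can
# change without a new packet being a useful signal).  Returns 1 when the SA
# is missing from either snapshot, which is what a rekey in between looks like.
sa_verdict() {
    sv_before=$(sa_counters "$2" | awk -v n="$1" '$1 == n')
    sv_after=$(sa_counters "$3" | awk -v n="$1" '$1 == n')
    if [ -z "$sv_before" ] || [ -z "$sv_after" ]; then
        echo "sa_verdict: $1 not present in both snapshots (rekeyed?)" >&2
        return 1
    fi
    set -- $sv_before; sv_pi0=$3; sv_po0=$5
    set -- $sv_after;  sv_pi1=$3; sv_po1=$5
    sv_din=$(( sv_pi1 - sv_pi0 )); sv_dout=$(( sv_po1 - sv_po0 ))
    if   [ "$sv_din" -gt 0 ] && [ "$sv_dout" -gt 0 ]; then echo bidirectional
    elif [ "$sv_din" -gt 0 ]; then echo inbound-only
    elif [ "$sv_dout" -gt 0 ]; then echo outbound-only
    else echo idle
    fi
}

# Constructed snapshots in the shape of the sun output quoted in the thread.
# The after-line for net-net{1} is the one Zhu posted; the before-values and
# the idle net-net{2} are invented for the example.
SNAP_BEFORE='Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 19 minutes ago, 192.168.0.2[sun.strongswan.org]...192.168.0.1[moon.strongswan.org]
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c043a424_i cf9ecbf3_o
     net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 756 bytes_i (9 pkts, 120s ago), 672 bytes_o (8 pkts, 120s ago), rekeying in 12 minutes
     net-net{1}:   10.2.0.0/16 === 10.1.0.0/16
     net-net{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes'
SNAP_AFTER='Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 24 minutes ago, 192.168.0.2[sun.strongswan.org]...192.168.0.1[moon.strongswan.org]
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c043a424_i cf9ecbf3_o
     net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 1512 bytes_i (18 pkts, 1s ago), 672 bytes_o (8 pkts, 284s ago), rekeying in 10 minutes
     net-net{1}:   10.2.0.0/16 === 10.1.0.0/16
     net-net{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 37 minutes'

sa_verdict 'net-net{1}' "$SNAP_BEFORE" "$SNAP_AFTER"   # inbound-only

# Live use on the gateway, around one run of the failing ping:
#   ipsec statusall > before.txt; ping -c 10 10.2.0.10; ipsec statusall > after.txt
#   sa_verdict 'net-net{1}' "$(cat before.txt)" "$(cat after.txt)"
```

Two caveats when reading the result. Counters belong to one CHILD_SA instance: a rekey installs a new SA whose counters start at zero, so only compare snapshots that show the same ESP SPIs. And `inbound-only` on the responder means the ESP packets arrived and were decrypted, so IKE and the SA are fine; whatever the far host sends back never matched the outbound IPsec policy on the gateway, which points at the return route on that host or the forwarding and NAT rules on the gateway rather than at strongSwan.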