[strongSwan] net-net sample can not work on ubuntu14.04

zhuyj mounter625 at 163.com
Wed May 6 10:39:09 CEST 2015


Hi,

Would you like to explain it in detail?
You mean that we should set VPN as default gateway?

Thanks a lot.
Zhu Yanjun
On 05/06/2015 02:44 PM, Bernhard Marx wrote:
> Hi all,
>
> for my issue I could resolve it by adding a routing rule to all
> clients, because the VPN is not the default gateway for the
> 192.168.120.0/24 network...
>
> Bernhard
>
> 2015-05-05 5:12 GMT+02:00 zhuyj <mounter625 at 163.com>:
>
>     Hi, Noel
>
>     This is the output of forwarding on sun:
>
>     root at strongswan2:~# cat /proc/sys/net/ipv4/ip_forward
>     1
>     root at strongswan2:~# cat /proc/sys/net/ipv4/conf/
>     all/     default/ eth0/    eth1/    eth2/    lo/
>     root at strongswan2:~# cat /proc/sys/net/ipv4/conf/all/forwarding
>     1
>     root at strongswan2:~# cat /proc/sys/net/ipv4/conf/default/forwarding
>     1
>     root at strongswan2:~# cat /proc/sys/net/ipv4/conf/eth0/forwarding
>     1
>     root at strongswan2:~# cat /proc/sys/net/ipv4/conf/eth1/forwarding
>     1
>     root at strongswan2:~# cat /proc/sys/net/ipv4/conf/eth2/forwarding
>     1
>
>     When I run "ping 10.2.0.1" on moon, I run "ipsec statusall" on sun
>
>     On moon:
>
>     root at strongswan1:~# ping 10.2.0.1
>     PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
>     64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.410 ms
>     64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=0.285 ms
>     64 bytes from 10.2.0.1: icmp_seq=3 ttl=64 time=0.338 ms
>     64 bytes from 10.2.0.1: icmp_seq=4 ttl=64 time=0.373 ms
>     64 bytes from 10.2.0.1: icmp_seq=5 ttl=64 time=0.300 ms
>     64 bytes from 10.2.0.1: icmp_seq=6 ttl=64 time=0.424 ms
>     64 bytes from 10.2.0.1: icmp_seq=7 ttl=64 time=3.11 ms
>     64 bytes from 10.2.0.1: icmp_seq=8 ttl=64 time=0.422 ms
>     64 bytes from 10.2.0.1: icmp_seq=9 ttl=64 time=2.88 ms
>     ^C
>     --- 10.2.0.1 ping statistics ---
>     9 packets transmitted, 9 received, 0% packet loss, time 7998ms
>     rtt min/avg/max/mdev = 0.285/0.950/3.115/1.098 ms
>
>     On Sun
>
>     root at strongswan2:~# ipsec statusall
>     Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.19.0-15-generic, x86_64):
>       uptime: 19 minutes, since May 05 10:36:17 2015
>       malloc: sbrk 1486848, mmap 0, used 353968, free 1132880
>       worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
>       loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
>     Listening IP addresses:
>       128.224.162.165
>       11:2233:4455:6677:20c:29ff:fe70:bf88
>       192.168.0.2
>       11:2233:4455:6677:20c:29ff:fe70:bf92
>       10.2.0.1
>       11:2233:4455:6677:20c:29ff:fe70:bf9c
>     Connections:
>          net-net:  192.168.0.2...192.168.0.1  IKEv1
>          net-net:   local:  [sun.strongswan.org] uses pre-shared key authentication
>          net-net:   remote: [moon.strongswan.org] uses pre-shared key authentication
>          net-net:   child: 0.0.0.0/0 === 10.1.0.0/16 TUNNEL
>     Routed Connections:
>          net-net{1}:  ROUTED, TUNNEL
>          net-net{1}: 0.0.0.0/0 === 10.1.0.0/16
>     Security Associations (1 up, 0 connecting):
>          net-net[1]: ESTABLISHED 19 minutes ago, 192.168.0.2[sun.strongswan.org]...192.168.0.1[moon.strongswan.org]
>          net-net[1]: IKEv1 SPIs: 7233e70c634fa8aa_i eb8634d7b0b00874_r*, pre-shared key reauthentication in 37 minutes
>          net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>          net-net{1}:  REKEYING, TUNNEL, expires in 5 minutes
>          net-net{1}: 10.2.0.0/16 === 10.1.0.0/16
>          net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c043a424_i cf9ecbf3_o
>          net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 420 bytes_i (5 pkts, 2s ago), 420 bytes_o (5 pkts, 2s ago), rekeying in 15 minutes
>     <---- I can see the input/output packets.
>          net-net{1}: 10.2.0.0/16 === 10.1.0.0/16
>
>     But when I run "ping 10.2.0.10" on Moon, I run "ipsec statusall"
>     on Sun.
>
>     On Moon:
>
>     root at strongswan1:~# ping 10.2.0.10
>     PING 10.2.0.10 (10.2.0.10) 56(84) bytes of data.
>     ^C
>     --- 10.2.0.10 ping statistics ---
>     13 packets transmitted, 0 received, 100% packet loss, time 12095ms
>
>     On Sun:
>
>     root at strongswan2:~# ipsec statusall
>     Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.19.0-15-generic, x86_64):
>       uptime: 24 minutes, since May 05 10:36:18 2015
>       malloc: sbrk 1486848, mmap 0, used 353968, free 1132880
>       worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
>       loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
>     Listening IP addresses:
>       128.224.162.165
>       11:2233:4455:6677:20c:29ff:fe70:bf88
>       192.168.0.2
>       11:2233:4455:6677:20c:29ff:fe70:bf92
>       10.2.0.1
>       11:2233:4455:6677:20c:29ff:fe70:bf9c
>     Connections:
>          net-net:  192.168.0.2...192.168.0.1  IKEv1
>          net-net:   local:  [sun.strongswan.org] uses pre-shared key authentication
>          net-net:   remote: [moon.strongswan.org] uses pre-shared key authentication
>          net-net:   child: 0.0.0.0/0 === 10.1.0.0/16 TUNNEL
>     Routed Connections:
>          net-net{1}:  ROUTED, TUNNEL
>          net-net{1}: 0.0.0.0/0 === 10.1.0.0/16
>     Security Associations (1 up, 0 connecting):
>          net-net[1]: ESTABLISHED 24 minutes ago, 192.168.0.2[sun.strongswan.org]...192.168.0.1[moon.strongswan.org]
>          net-net[1]: IKEv1 SPIs: 7233e70c634fa8aa_i eb8634d7b0b00874_r*, pre-shared key reauthentication in 32 minutes
>          net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>          net-net{1}:  REKEYING, TUNNEL, expires in 33 seconds
>          net-net{1}: 10.2.0.0/16 === 10.1.0.0/16
>          net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c043a424_i cf9ecbf3_o
>          net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 1512 bytes_i (18 pkts, 1s ago), 672 bytes_o (8 pkts, 284s ago), rekeying in 10 minutes
>     <---- I only find input packets.
>          net-net{1}: 10.2.0.0/16 === 10.1.0.0/16
>
>
>     In a word, when I run "ping 10.2.0.1" and then "ipsec statusall", I
>     can see input/output packets.
>
>     When I run "ping 10.2.0.10" and then "ipsec statusall", I can only
>     see input packets.
>     When I run "tcpdump -ni eth2 icmp", I can find the icmp reply packets.
>     That is, the icmp reply packets do not pass through the vpn tunnel.
>
>     I do not know why.
>
>     Best Regards!
>
>     Zhu Yanjun
>
>
>     On 05/04/2015 06:39 PM, Noel Kuntze wrote:
>
>         -----BEGIN PGP SIGNED MESSAGE-----
>         Hash: SHA256
>
>         Hello Zhuyj,
>
>         Please check that you enabled forwarding for the network devices
>         that are involved in the forwarding of the packets.
>         Also, please check the counters in the output of ipsec statusall
>         to see if the packets get decrypted. The counters should increment
>         when you send packets to the remote subnet.
>
>         Mit freundlichen Grüßen/Regards,
>         Noel Kuntze
>
>         Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>         Am 04.05.2015 um 12:34 schrieb zhuyj:
>
>             Hi, Noel
>
>             Thanks for your reply.
>             I read carefully this link:
>             https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
>             In this link, I think, the most important is: ip_forward
>             and iptables.
>             Now I show you the configurations on the sun:
>
>             root at strongswan2:~# cat /proc/sys/net/ipv4/ip_forward
>             1
>             root at strongswan2:~# iptables-save
>             # Generated by iptables-save v1.4.21 on Mon May  4 18:29:28 2015
>             *nat
>             :PREROUTING ACCEPT [93:14126]
>             :INPUT ACCEPT [36:4578]
>             :OUTPUT ACCEPT [0:0]
>             :POSTROUTING ACCEPT [1:84]
>             -A POSTROUTING -s 10.0.0.0/8 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
>             -A POSTROUTING -s 10.0.0.0/8 -o eth1 -j MASQUERADE
>             COMMIT
>             # Completed on Mon May  4 18:29:28 2015
>             # Generated by iptables-save v1.4.21 on Mon May  4 18:29:28 2015
>             *filter
>             :INPUT ACCEPT [2033:256543]
>             :FORWARD ACCEPT [0:0]
>             :OUTPUT ACCEPT [182:23858]
>             -A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>             -A FORWARD -s 10.2.0.0/16 -d 10.1.0.0/16 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>             COMMIT
>             # Completed on Mon May  4 18:29:28 2015
>
>             I think the ip forward feature is enabled on sun, and the
>             iptables rules are inserted.
>             But the result is the same.
>
>             Any reply is appreciated.
>
>             Thanks a lot.
>             Zhu Yanjun
>
>             On 05/04/2015 06:01 PM, Noel Kuntze wrote:
>             Hello,
>
>             Did you follow the guide for forwarding[1]?
>
>             [1]
>             https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
>             Mit freundlichen Grüßen/Regards,
>             Noel Kuntze
>
>             Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>             Am 04.05.2015 um 11:25 schrieb zhuyj:
>
>                         Hi,
>
>                         Are you using psk or certificate to auth?
>
>                         Best Regards!
>                         Zhu Yanjun
>                         On 05/04/2015 05:18 PM, zhuyj wrote:
>
>                             Hi, Bernhard
>
>                             Your problem is the same with mine.
>
>                             Best Regards!
>                             Zhu Yanjun
>
>                             On 05/04/2015 05:00 PM, Bernhard Marx wrote:
>
>                                 Hi Zhu,
>
>                                 no problem. I wish I would have :-)
>                                 But moon and sun are connected via
>                                 public networks?
>                                 This is my scenario:
>
>                                 192.168.2.0/24 <=> 192.168.2.1 hardware router
>                                 xx.xx.xx.xx (public IP from provider) <=> Internet <=>
>                                 public IP on eth0 192.168.120.125 <=> 192.168.120.0/24 on eth1
>
>                                 I can ping from 192.168.120.125 to
>                                 192.168.2.1 and vice versa - but I can
>                                 not reach any devices in the subnet...
>
>                                 Regards
>                                 Bernhard
>
>
>                                 2015-05-04 10:51 GMT+02:00 zhuyj <mounter625 at 163.com>:
>
>                                 Sorry. I thought you had solved this problem already.
>                                 Do you think that it is related to psk or pubkey? I mean that
>                                 strongswan can support certificate-based auth very well.
>                                 Maybe there is something wrong with psk auth?
>
>                                       Zhu Yanjun
>
>
>                                       On 05/04/2015 04:45 PM, zhuyj wrote:
>
>                                           Hi, Marx
>
>                                           Please let me know how to
>                                     solve this problem.
>
>                                           Thanks a lot.
>                                           Zhu Yanjun
>
>                                           On 05/04/2015 04:22 PM,
>                                     Bernhard Marx wrote:
>
>                                               Dear Zhu,
>
>                                         I think I have the issue... as I sent a request to the
>                                         mailing list yesterday...
>
>                                         Feedback I received is to check the routing of
>                                         packets... but I can't identify the issue...
>
>                                               Regards
>                                               Bernhard
>
>                                         2015-05-04 10:17 GMT+02:00 zhuyj <mounter625 at 163.com>:
>
>                                                   Hi, all
>
>                                         I followed this link:
>                                         http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/
>
>                                         I configured 4 VMware hosts. The hosts are ubuntu14.04.
>
>                                         The network topology is as below.
>
>                                         10.1.0.10 <----> 10.1.0.1 (moon) 192.168.0.1 <-----> 192.168.0.2 (sun) 10.2.0.1 <----> 10.2.0.10
>
>                                         strongswan is 5.1.2.
>
>                                         From this link
>                                         http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/,
>                                         after a vpn tunnel is created, I ran "ping 10.2.0.10" on
>                                         client 10.1.0.10. But I can not get any reply from 10.2.0.10.
>
>                                         I can find the icmp packets into moon. But moon will not
>                                         forward these icmp packets.
>
>                                         I exactly followed this link
>                                         http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/,
>                                         but I can not get the same test result as this link.
>
>                                         Does anyone have a similar experience?
>
>                                         Any reply is appreciated.
>
>                                         Thanks a lot.
>                                         Zhu Yanjun
>
>
>                                         _______________________________________________
>                                         Users mailing list
>                                         Users at lists.strongswan.org
>                                         https://lists.strongswan.org/mailman/listinfo/users
>
>
>
>
>
>
>         -----BEGIN PGP SIGNATURE-----
>         Version: GnuPG v2
>
>         iQIcBAEBCAAGBQJVR0x7AAoJEDg5KY9j7GZYdoEQAI7bJaY+Iy5volndjpsV4xol
>         3Sv2TPyVa/Fvo4BWYlFWtpLvAsyUkRDCOGycRV2iD3LVd6Y+WC8QeN2KXvcC6nvK
>         y0mS3bhxgonrMVDuJ/Qmrk3qmNIx5TkvqAjuxSxeKoKhoL9zigbUhCX4xRoLg+fq
>         83vPQ5tMw03+hWshfKd+f8VPbSy9P3YNQ+9fy4f69bFRKcHDwj/L2k45L7s5gRMG
>         shFL/VvIEWlZqzBRHbWGw3t7GUUDtsUjpy7M/1KJ5XelS97i7PBeU+JTQWpW64W5
>         HoVolQgqc9BarsG4pUTx+v5Q31YexUawEfNngzcp3WoDvYvhPe+8Dqq0rEsZYZV5
>         4cIBBEyKkCJ8caR5bdV+etvy80pDj/bnfM5RXNSGERB9pwTPF+WvsAHm6LpS1iiF
>         ATwqIcEwcsvwR50+twhRmH+yoV2bcNCqsOxrKLqp2H4nab1/q0+R0j1uMoCW6IHv
>         6v5ZAVanPLCgI0a+re61hndrCPVoXiPYMg3abLKZVFXmqcDgoL42Qc7F1XL+0csR
>         WsO3CGIe45g7PG9DZ3gjhs0PP2grIVy3LzsHUi6ONuB5Jhy7FTMkClaH36WPVD4+
>         zOi7lKPWiNWg+OqXzf7Fkb3FJCz3vjOBG1ieRrSsO05JBmqsReFmWR6F3J44gd17
>         F1t5/uhaSEb4435vTos7
>         =URb/
>         -----END PGP SIGNATURE-----
>
>
>
>
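Noel's advice in the thread is to watch the CHILD_SA counters in `ipsec statusall`, and the two dumps Zhu posted show the tell-tale pattern: inbound packets decrypted a second ago, last outbound packet 284 s ago. The script below is an added example, not part of the thread and not strongSwan code: it parses the traffic line of every CHILD_SA from two `ipsec statusall` snapshots, computes the packet deltas between them and classifies each SA as bidirectional, inbound-only, outbound-only or idle. The condensed snapshots are constructed from the thread's dumps (the counter values are the posted ones), and the `max_idle` threshold is an assumed value.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Traffic line of a CHILD_SA in `ipsec statusall`, e.g.
#   net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 1512 bytes_i (18 pkts, 1s ago), 672 bytes_o (8 pkts, 284s ago), rekeying in 10 minutes
# The "(N pkts, Ts ago)" group is omitted by charon when a direction never carried a packet.
_TRAFFIC_RE = re.compile(
    r"^\s*(?P<name>[\w.-]+)\{(?P<id>\d+)\}:\s+\S+,\s+"
    r"(?P<bytes_i>\d+) bytes_i(?: \((?P<pkts_i>\d+) pkts, (?P<age_i>\d+)s ago\))?,\s+"
    r"(?P<bytes_o>\d+) bytes_o(?: \((?P<pkts_o>\d+) pkts, (?P<age_o>\d+)s ago\))?"
)


@dataclass
class ChildSaTraffic:
    sa: str                 # "net-net{1}"
    bytes_i: int
    pkts_i: int
    age_i: Optional[int]    # seconds since the last decrypted (inbound) packet, None if never
    bytes_o: int
    pkts_o: int
    age_o: Optional[int]    # seconds since the last encrypted (outbound) packet, None if never


def parse_statusall(text: str) -> Dict[str, ChildSaTraffic]:
    """Return the traffic counters of every CHILD_SA in a statusall dump, keyed by "name{id}"."""
    found: Dict[str, ChildSaTraffic] = {}
    for line in text.splitlines():
        m = _TRAFFIC_RE.match(line)
        if not m:
            continue
        key = f"{m['name']}{{{m['id']}}}"
        found[key] = ChildSaTraffic(
            sa=key,
            bytes_i=int(m["bytes_i"]),
            pkts_i=int(m["pkts_i"] or 0),
            age_i=int(m["age_i"]) if m["age_i"] is not None else None,
            bytes_o=int(m["bytes_o"]),
            pkts_o=int(m["pkts_o"] or 0),
            age_o=int(m["age_o"]) if m["age_o"] is not None else None,
        )
    return found


def classify(t: ChildSaTraffic, max_idle: int = 30) -> str:
    """Classify one CHILD_SA by how recently each direction carried traffic.

    max_idle (assumed value) is the window in seconds within which a direction
    counts as active; choose it larger than the interval between your two snapshots."""
    in_active = t.age_i is not None and t.age_i <= max_idle
    out_active = t.age_o is not None and t.age_o <= max_idle
    if in_active and out_active:
        return "bidirectional"
    if in_active:
        return "inbound-only"    # peer's packets are decrypted here, but nothing goes back through the SA
    if out_active:
        return "outbound-only"   # we encrypt, but no replies come back
    return "idle"


def diagnose(before: str, after: str, max_idle: int = 30) -> Dict[str, Tuple[str, int, int]]:
    """Compare two snapshots; per CHILD_SA give (verdict, new inbound pkts, new outbound pkts)."""
    old = parse_statusall(before)
    report: Dict[str, Tuple[str, int, int]] = {}
    for key, cur in parse_statusall(after).items():
        prev = old.get(key)
        d_in = cur.pkts_i - (prev.pkts_i if prev else 0)
        d_out = cur.pkts_o - (prev.pkts_o if prev else 0)
        report[key] = (classify(cur, max_idle), d_in, d_out)
    return report


# Constructed snapshots, condensed from the two `ipsec statusall` dumps posted in the thread.
SNAPSHOT_PING_GATEWAY = """\
Security Associations (1 up, 0 connecting):
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c043a424_i cf9ecbf3_o
     net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 420 bytes_i (5 pkts, 2s ago), 420 bytes_o (5 pkts, 2s ago), rekeying in 15 minutes
"""
SNAPSHOT_PING_HOST = """\
Security Associations (1 up, 0 connecting):
     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c043a424_i cf9ecbf3_o
     net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 1512 bytes_i (18 pkts, 1s ago), 672 bytes_o (8 pkts, 284s ago), rekeying in 10 minutes
"""

if __name__ == "__main__":
    for sa, (verdict, d_in, d_out) in diagnose(SNAPSHOT_PING_GATEWAY, SNAPSHOT_PING_HOST).items():
        print(f"{sa}: {verdict} (+{d_in} pkts in, +{d_out} pkts out since previous snapshot)")
        if verdict == "inbound-only":
            print("  replies are not entering the tunnel: check the return route on the hosts behind this gateway")
```

In practice take two dumps a few seconds apart while pinging a host behind the far gateway and pass their contents to `diagnose()`. An inbound-only verdict on the responding gateway, with `tcpdump` showing the ICMP replies leaving on the inside interface as Zhu saw, points at the return path rather than at IPsec: the replying host sends its answer to its own default gateway instead of to the VPN gateway, which is exactly what Bernhard fixed by adding a route for the remote subnet on his clients.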
