[strongSwan] Problem Routing Decrypted Packets

Sajal Malhotra sajalmalhotra at gmail.com
Fri May 8 12:53:35 CEST 2015


Hi,

I am using the following setup in my lab:

Host A<---->SeGW<-----(ESP Tunnel)---->(eth1)Strongswan (Linux PC)
(eth0)<--->Host B

So there is one tunnel established between the SeGW and the Linux PC, which is
running the strongSwan stack v5.2.2.
The Linux PC is connected to the SeGW via its eth1 interface,
and Host B is connected via the eth0 interface.

What we want is that:
1. Any traffic that we want to send from Host A to Host B should go via the
SeGW, where it is encrypted and sent towards the Linux box.
2. The Linux box running strongSwan should then decrypt the traffic and
route it to Host B.
3. As expected, the reverse path should be followed for traffic from Host B to
Host A.

What we observe is that:
1. The SeGW is successfully able to encrypt the traffic and send ESP frames to
the Linux PC.
2. The Linux PC also decrypts it successfully.
3. However, after decryption it is not able to route the traffic towards the
interface connected to Host B. On the contrary, we see that the decrypted
traffic is seen on the same interface from which it received the ESP
frames, i.e. the interface connected to the SeGW; i.e. both the encrypted and
the decrypted packet are seen on the same interface.

The routing configured on the Linux PC also looks to be correct, as when I send
ping traffic from Host A to Host B (this traffic is not encrypted), I see
that the Linux PC is correctly able to route this ICMP traffic towards Host B
without any issue.

Can you let me know what could be the possible issue here, or provide some
indication on how to debug it?

Below are the logs and configuration. Let me know if any additional detail
is needed that I missed:

Here is the ipsec.conf connection setting:

conn saM
        ikelifetime=24h
        keyexchange=ikev2
        keyingtries=%forever
        keylife=5m
        reauth=no
        rekey=yes
        mobike=no
        dpdaction=clear
        dpddelay=10
        rekeymargin=1m
        ike=aes128-sha1-modp1024,3des-sha1-modp1024!
        esp=aes128-sha1-modp1024,3des-sha1-modp1024!
        authby=rsasig
        left=31.31.31.22
        leftsubnet=0.0.0.0/32
        right=31.31.31.31
        rightsubnet=0.0.0.0/32
        leftprotoport=%any/%any
        rightprotoport=%any/%any
        leftcert=/usr/local/etc/ipsec.d/certs/linux.pem
        rightid=%any
        auto=add

Host A IP: 172.18.21.232

Host B IP: 10.3.4.22


Routing table on Linux PC:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.18.21.0     *               255.255.255.0   U     0      0        0 eth1
10.3.4.0        *               255.255.255.0   U     1      0        0 eth0    <<< this route should have worked
192.168.122.0   *               255.255.255.0   U     0      0        0 virbr0
31.31.31.0      *               255.255.255.0   U     0      0        0 eth1
172.18.0.0      *               255.255.0.0     U     0      0        0 eth1
default         10.3.4.1        0.0.0.0         UG    0      0        0 eth0
default         10.3.4.1        0.0.0.0         UG    0      0        0 eth0

ifconfig output:
[root at root ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr A4:1F:72:8E:66:F5
          inet addr:10.3.4.139  Bcast:10.3.4.255  Mask:255.255.255.0
          inet6 addr: fe80::a61f:72ff:fe8e:66f5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:33355 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32425 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:18132226 (17.2 MiB)  TX bytes:28624412 (27.2 MiB)
          Interrupt:46 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:0A:F7:16:7E:5D
          inet addr:31.31.31.22  Bcast:31.31.31.255  Mask:255.255.255.0
          inet6 addr: fe80::20a:f7ff:fe16:7e5d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2807 errors:0 dropped:0 overruns:0 frame:0
          TX packets:265 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:395217 (385.9 KiB)  TX bytes:35486 (34.6 KiB)
          Interrupt:17

eth1:1    Link encap:Ethernet  HWaddr 00:0A:F7:16:7E:5D
          inet addr:172.18.21.1  Bcast:172.18.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:17

Wireshark logs captured on the eth1 interface are attached, which show both
encrypted and decrypted packets on the same interface.

Thanks and Regards
Sajal
-------------- next part --------------
A non-text attachment was scrubbed...
Name: routing_Issue.pcap
Type: application/octet-stream
Size: 6632 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150508/5e340247/attachment-0001.obj>
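As an added example (not code from the post or from the strongSwan project), the following Python script checks a conn section's leftsubnet/rightsubnet traffic selectors against the inner addresses the tunnel is meant to carry, using the addresses from the post (Host B 10.3.4.22 behind the Linux PC on the left side, Host A 172.18.21.232 behind the SeGW on the right side), and lists the xfrm policies the kernel would need for that traffic in the form `ip xfrm policy` reports them. It assumes only that leftsubnet/rightsubnet hold comma-separated CIDR lists as in the posted config. The second run, with 0.0.0.0/0 substituted for 0.0.0.0/32, is an assumed correction for illustration: 0.0.0.0/32 is the single address 0.0.0.0, so it covers neither host. On Linux a packet that arrives through a tunnel-mode SA but matches no policy is dropped and counted under XfrmInNoPols in /proc/net/xfrm_stat rather than forwarded, so this is worth checking next to `ip xfrm policy`, `ip xfrm state` and `ip route get 10.3.4.22 from 172.18.21.232 iif eth1` on the box.

```python
# Added example (not from the post): check whether a strongSwan conn's
# traffic selectors cover the inner addresses a tunnel must carry, and
# describe the xfrm policies the kernel should hold for them.
import ipaddress

# Constructed excerpt modelled on the conn from the post; only the
# selector-related options matter for this check.
IPSEC_CONF = """\
conn saM
        keyexchange=ikev2
        left=31.31.31.22
        leftsubnet=0.0.0.0/32
        right=31.31.31.31
        rightsubnet=0.0.0.0/32
        leftprotoport=%any/%any
        rightprotoport=%any/%any
"""


def parse_conn(text, name):
    """Return the option=value pairs of the named conn section."""
    settings = {}
    active = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            active = line.split(None, 1)[1] == name
            continue
        if active and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def selectors(value):
    """A leftsubnet/rightsubnet value may be a comma-separated CIDR list."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",")]


def covered(nets, addr):
    """True if addr falls inside any of the selector networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def check_tunnel(conf_text, conn, local_inner, remote_inner):
    """Compare the conn's selectors with the inner addresses seen on the
    wire and list the policies (out, fwd, in) that must exist for the
    kernel to accept the decrypted packets instead of dropping them."""
    s = parse_conn(conf_text, conn)
    # strongSwan uses the host address itself when no subnet is configured
    left = selectors(s.get("leftsubnet", s["left"]))
    right = selectors(s.get("rightsubnet", s["right"]))
    out_tmpl = f"tmpl src {s['left']} dst {s['right']} proto esp mode tunnel"
    in_tmpl = f"tmpl src {s['right']} dst {s['left']} proto esp mode tunnel"
    policies = []
    for l in left:
        for r in right:
            policies.append(f"src {l} dst {r} dir out {out_tmpl}")
            policies.append(f"src {r} dst {l} dir fwd {in_tmpl}")
            policies.append(f"src {r} dst {l} dir in {in_tmpl}")
    return {
        "local_covered": covered(left, local_inner),
        "remote_covered": covered(right, remote_inner),
        "expected_policies": policies,
    }


if __name__ == "__main__":
    # Second run: assumed correction of the selectors, not the post's config.
    for label, conf in (("as posted", IPSEC_CONF),
                        ("with 0.0.0.0/0", IPSEC_CONF.replace("0.0.0.0/32", "0.0.0.0/0"))):
        res = check_tunnel(conf, "saM", "10.3.4.22", "172.18.21.232")
        print(f"{label}: Host B covered={res['local_covered']} "
              f"Host A covered={res['remote_covered']}")
        for p in res["expected_policies"]:
            print("   ", p)
```

Seeing the decrypted inner packet on the same interface as the ESP packet in a capture is normal on Linux: the kernel hands the decapsulated packet back to the receive path of the interface it arrived on, so the capture alone does not tell whether the packet was then forwarded or dropped by the policy check; the XfrmInNoPols counter and `ip xfrm policy` do.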