[strongSwan] Problem with tunnel from a /24 to a /32 network
Steffen Hild
s.hild at ppc-ag.de
Thu Oct 15 16:47:15 CEST 2015
Hey there,
Currently we are using OpenSwan as our IPsec implementation, but we want to change to strongSwan.
To do so, we are testing some cases like the ones we are currently using with OpenSwan. This is where we encountered some problems.
For our tests we use the following setup:
+------------+
| |
| PC1 |
| |
+-----+------+
| 10.10.10.2/24
|
| 10.10.10.1/24
+-----+------+
| |
| VPN-GW01 |
| |
+-----+------+
| 192.168.222.1/24
|
| 192.168.222.2/24
+-----+------+
| |
| VPN-GW02 |
| |
+-----+------+
| 10.20.10.1/24
|
| 10.20.10.2/24
+-----+------+
| |
| PC02 |
| |
+------------+
Both VPN-GWs are running Ubuntu 14.04 LTS with strongSwan 5.1.2, which is included in the Ubuntu packages.
Using the NET/24-TO-NET/24 configuration below, everything works fine as expected. PC01 can reach PC02:
------------------------------------
NET/24-TO-NET/24 PC01 <--> PC02 ping
------------------------------------
ping 10.20.10.2
PING 10.20.10.2 (10.20.10.2) 56(84) bytes of data.
64 bytes from 10.20.10.2: icmp_seq=1 ttl=126 time=2.66 ms
64 bytes from 10.20.10.2: icmp_seq=2 ttl=126 time=2.28 ms
Our goal, however, is to make only one host (PC01) reachable from PC02, so that access to any other hosts in subnet 10.10.10.0/24 is not possible through the IPsec SAs.
In our current setup with OpenSwan this is working like a charm.
So we changed the configuration as shown in NET/24-TO-NET/32. The tunnel is established as before, but no communication is possible:
------------------------------------
NET/24-TO-NET/32 PC01 <--> PC02 ping
------------------------------------
ping 10.20.10.2
PING 10.20.10.2 (10.20.10.2) 56(84) bytes of data.
From 10.10.10.1 icmp_seq=1 Destination Net Unreachable
From 10.10.10.1 icmp_seq=2 Destination Net Unreachable
We have been trying for days now with no success.
Is there something we are missing or something we messed up?
Thanks in advance.
Cheers Steffen
PS: This is the first time we are using a mailing list, so hopefully this isn't too much text :)
------------------------------------
NET/24-TO-NET/24 GW01 /etc/ipsec.conf
------------------------------------
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug = "3"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn net-net
    left=192.168.222.1
    leftsubnet=10.10.10.0/24
    leftid=@moon.strongswan.org
    leftsourceip=10.10.10.1
    right=192.168.222.2
    rightsubnet=10.20.10.0/24
    rightid=@sun.strongswan.org
    auto=add
------------------------------------
NET/24-TO-NET/24 GW02 /etc/ipsec.conf
------------------------------------
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug = "3"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn net-net
    left=192.168.222.2
    leftsubnet=10.20.10.0/24
    leftid=@sun.strongswan.org
    right=192.168.222.1
    rightsubnet=10.10.10.2/32
    rightid=@moon.strongswan.org
    auto=start
------------------------------------
NET/24-TO-NET/24 GW01 ipsec statusall
------------------------------------
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-65-generic, x86_64):
uptime: 18 seconds, since Oct 15 14:36:38 2015
malloc: sbrk 2433024, mmap 0, used 355936, free 2077088
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock unity
Listening IP addresses:
10.10.10.1
192.168.222.1
Connections:
net-net: 192.168.222.1...192.168.222.2 IKEv1
net-net: local: [moon.strongswan.org] uses pre-shared key authentication
net-net: remote: [sun.strongswan.org] uses pre-shared key authentication
net-net: child: 10.10.10.0/24 === 10.20.10.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
net-net[1]: ESTABLISHED 4 seconds ago, 192.168.222.1[moon.strongswan.org]...192.168.222.2[sun.strongswan.org]
net-net[1]: IKEv1 SPIs: d37ef198c782911d_i cf96cb57ad4008a0_r*, pre-shared key reauthentication in 55 minutes
net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: cb37112a_i c79cdb9a_o
net-net{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 14 minutes
net-net{1}: 10.10.10.0/24 === 10.20.10.0/24
------------------------------------
NET/24-TO-NET/24 GW02 ipsec statusall
------------------------------------
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-65-generic, x86_64):
uptime: 45 seconds, since Oct 15 14:38:26 2015
malloc: sbrk 2433024, mmap 0, used 358000, free 2075024
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock unity
Listening IP addresses:
192.168.222.2
10.20.10.1
Connections:
net-net: 192.168.222.2...192.168.222.1 IKEv1
net-net: local: [sun.strongswan.org] uses pre-shared key authentication
net-net: remote: [moon.strongswan.org] uses pre-shared key authentication
net-net: child: 10.20.10.0/24 === 10.10.10.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
net-net[1]: ESTABLISHED 45 seconds ago, 192.168.222.2[sun.strongswan.org]...192.168.222.1[moon.strongswan.org]
net-net[1]: IKEv1 SPIs: ca97fe949b46e4dc_i* c1851729914e5310_r, pre-shared key reauthentication in 53 minutes
net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: cb0631aa_i cd943f0f_o
net-net{1}: AES_CBC_128/HMAC_SHA1_96, 2748 bytes_i (45 pkts, 0s ago), 2748 bytes_o (45 pkts, 0s ago), rekeying in 14 minutes
net-net{1}: 10.20.10.0/24 === 10.10.10.0/24
------------------------------------
NET/24-TO-NET/32 GW01 /etc/ipsec.conf
------------------------------------
conn net-net
    left=192.168.222.1
    leftsubnet=10.10.10.2/32
    leftid=@moon.strongswan.org
    leftsourceip=10.10.10.1
    right=192.168.222.2
    rightsubnet=10.20.10.0/24
    rightid=@sun.strongswan.org
    auto=add
------------------------------------
NET/24-TO-NET/32 GW02 /etc/ipsec.conf
------------------------------------
conn net-net
    left=192.168.222.2
    leftsubnet=10.20.10.0/24
    leftid=@sun.strongswan.org
    right=192.168.222.1
    rightsubnet=10.10.10.2/32
    rightid=@moon.strongswan.org
    auto=start
------------------------------------
NET/24-TO-NET/32 GW01 ipsec statusall
------------------------------------
Connections:
net-net: 192.168.222.1...192.168.222.2 IKEv1
net-net: local: [moon.strongswan.org] uses pre-shared key authentication
net-net: remote: [sun.strongswan.org] uses pre-shared key authentication
net-net: child: 10.10.10.2/32 === 10.20.10.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
net-net[1]: ESTABLISHED 10 seconds ago, 192.168.222.1[moon.strongswan.org]...192.168.222.2[sun.strongswan.org]
net-net[1]: IKEv1 SPIs: 2a7f469f9d6f6929_i b0ef323e5e4f4ea3_r*, pre-shared key reauthentication in 56 minutes
net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: c6d22b2d_i c4feb7ca_o
net-net{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 15 minutes
net-net{1}: 10.10.10.2/32 === 10.20.10.0/24
------------------------------------
NET/24-TO-NET/32 GW02 ipsec statusall
------------------------------------
Connections:
net-net: 192.168.222.2...192.168.222.1 IKEv1
net-net: local: [sun.strongswan.org] uses pre-shared key authentication
net-net: remote: [moon.strongswan.org] uses pre-shared key authentication
net-net: child: 10.20.10.0/24 === 10.10.10.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
net-net[1]: ESTABLISHED 31 seconds ago, 192.168.222.2[sun.strongswan.org]...192.168.222.1[moon.strongswan.org]
net-net[1]: IKEv1 SPIs: 2a7f469f9d6f6929_i* b0ef323e5e4f4ea3_r, pre-shared key reauthentication in 56 minutes
net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: c4feb7ca_i c6d22b2d_o
net-net{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes
net-net{1}: 10.20.10.0/24 === 10.10.10.2/32
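A small cross-check for the two conn sections above, added here as an example and not part of the post or of strongSwan: it parses the quoted ipsec.conf fragments (embedded as constructed strings), verifies that the traffic selectors on the two gateways mirror each other, and tests which src/dst flows fall inside the narrowed 10.10.10.2/32 === 10.20.10.0/24 selector. It only does address arithmetic on the configured selectors; it does not reproduce the routes or policies charon installs.

```python
import ipaddress

# Constructed from the NET/24-TO-NET/32 conn sections quoted in the post.
GW01_32 = """conn net-net
    left=192.168.222.1
    leftsubnet=10.10.10.2/32
    right=192.168.222.2
    rightsubnet=10.20.10.0/24
"""
GW02_32 = """conn net-net
    left=192.168.222.2
    leftsubnet=10.20.10.0/24
    right=192.168.222.1
    rightsubnet=10.10.10.2/32
"""

def parse_conn(text, name="net-net"):
    """Return the key=value settings of one 'conn <name>' section as a dict."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            inside = line.split(None, 1)[1] == name
        elif inside and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def mirror_findings(a, b):
    """Selectors must be mirror images: a.leftsubnet == b.rightsubnet and vice versa."""
    out = []
    for mine, theirs in (("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")):
        if ipaddress.ip_network(a[mine]) != ipaddress.ip_network(b[theirs]):
            out.append("%s=%s here but %s=%s on the peer" % (mine, a[mine], theirs, b[theirs]))
    return out

def flow_in_tunnel(conn, src, dst):
    """True if a src->dst packet seen by this gateway matches its local===remote selector."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(conn["leftsubnet"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(conn["rightsubnet"]))

if __name__ == "__main__":
    gw01, gw02 = parse_conn(GW01_32), parse_conn(GW02_32)
    print("mirror check:", mirror_findings(gw01, gw02) or "ok")
    # PC01 is inside the /32; GW01's own 10.10.10.1 and any other host are not.
    for src in ("10.10.10.2", "10.10.10.1", "10.10.10.50"):
        print(src, "-> 10.20.10.2 via tunnel on GW01:", flow_in_tunnel(gw01, src, "10.20.10.2"))
```

With the /32 selector the gateway's own inner address 10.10.10.1 is outside the tunnel, so a test ping from GW01 itself (rather than from PC01) would never match the policy; run against the posted NET/24-TO-NET/24 files the mirror check also reports that GW02's rightsubnet=10.10.10.2/32 does not match GW01's leftsubnet=10.10.10.0/24, although the statusall output shows /24 on both sides.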