[strongSwan] successful ipsec link but no traffic with strongswan 5.5.0 and kernel 4.4.20
Mihai Ordean
social at mihaiordean.com
Tue Sep 13 13:50:42 CEST 2016
Hello,
I am in need of some help. I had a perfectly fine (and simple-ish) strongSwan
setup on my home server: a router with a PPPoE connection to the ISP, which
provides me with a dynamic, non-NATed IP, and a DDNS setup with my domain
provider.
On top of this I set up a basic road-warrior IKEv2 VPN with strongSwan.
Everything was running on Arch Linux with kernel 3.18.
After updating the kernel to 4.4.20 the VPN stopped working. I get the
connection established, but no traffic goes through it. If I roll back to
kernel 3.18 everything works fine again. Is anyone aware of any changes
related to IPsec, VPN, tunnels or routing between these kernels that might
explain this?
Please see my logs below:
/>ipsec statusall
-------------------------------------------
Status of IKE charon daemon (strongSwan 5.5.0, Linux 4.4.20, armv7l):
uptime: 5 minutes, since Sep 13 12:37:32 2016
malloc: sbrk 1339392, mmap 0, used 355624, free 983768
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp chapoly xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity
Virtual IP pools (size/online/offline):
10.0.1.0/24: 254/1/0
Listening IP addresses:
192.168.2.10
192.168.7.1
90.203.141.93
Connections:
windows: %any...%any IKEv2, dpddelay=300s
windows: local: [mihaiordean.com] uses public key authentication
windows: cert: "C=GB, O=mihaiordean.com, CN=mihaiordean.com"
windows: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
windows: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
android: %any...%any IKEv2, dpddelay=300s
android: local: [mihaiordean.com] uses public key authentication
android: cert: "C=GB, O=mihaiordean.com, CN=mihaiordean.com"
android: remote: [C=GB, O=mihaiordean.com, CN=vpn-client] uses public key authentication
android: cert: "C=GB, O=mihaiordean.com, CN=vpn-client"
android: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
android[10]: ESTABLISHED 24 seconds ago, 90.203.141.93[mihaiordean.com]...147.188.254.72[C=GB, O=mihaiordean.com, CN=vpn-client]
android[10]: IKEv2 SPIs: 446cfc0fce52fc90_i 95cc24497fefd7b9_r*, rekeying disabled
android[10]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
android{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cde084f3_i 1c5743ef_o
android{1}: AES_CBC_128/HMAC_SHA2_256_128, 1570 bytes_i, 0 bytes_o, rekeying disabled
android{1}: 0.0.0.0/0 === 10.0.1.1/32
/>ip route show table 220
----------------------------------
10.0.1.1 via 147.188.254.72 dev ppp64 proto static
/>iptables -L
-----------------------------------
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.7.0/24       anywhere
REJECT     all  --  192.168.7.0/24       anywhere             reject-with icmp-port-unreachable
ACCEPT     icmp --  anywhere             5acb8d5d.bb.sky.com
ACCEPT     all  --  anywhere             5acb8d5d.bb.sky.com  ctstate RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             5acb8d5d.bb.sky.com  ctstate NEW,RELATED,ESTABLISHED udp dpt:isakmp
ACCEPT     udp  --  anywhere             5acb8d5d.bb.sky.com  ctstate NEW,RELATED,ESTABLISHED udp dpt:ipsec-nat-t
ACCEPT     ah   --  anywhere             5acb8d5d.bb.sky.com  ctstate NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             policy match dir in pol ipsec proto esp
ACCEPT     tcp  --  anywhere             5acb8d5d.bb.sky.com  ctstate NEW,RELATED,ESTABLISHED tcp dpt:http
ACCEPT     tcp  --  anywhere             5acb8d5d.bb.sky.com  ctstate NEW,RELATED,ESTABLISHED tcp dpt:https
ACCEPT     tcp  --  anywhere             5acb8d5d.bb.sky.com  ctstate NEW,RELATED,ESTABLISHED tcp dpt:telnet
ACCEPT     tcp  --  anywhere             ironbox.meehien.lan  ctstate NEW,RELATED,ESTABLISHED tcp dpt:51413
ACCEPT     udp  --  anywhere             ironbox.meehien.lan  ctstate NEW,RELATED,ESTABLISHED udp dpt:51413
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:bootpc dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS set 1412
ACCEPT     all  --  anywhere             anywhere             policy match dir in pol ipsec proto esp
ACCEPT     all  --  anywhere             anywhere             policy match dir out pol ipsec proto esp
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             localserver.lan      tcp dpt:51413
ACCEPT     udp  --  anywhere             localserver.lan      udp dpt:51413
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy DROP)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  5acb8d5d.bb.sky.com  192.168.7.0/24
ACCEPT     all  --  localserver.lan      192.168.7.0/24
REJECT     all  --  anywhere             192.168.7.0/24       reject-with icmp-port-unreachable
ACCEPT     tcp  --  localserver.lan      anywhere             tcp spt:51413
ACCEPT     udp  --  localserver.lan      anywhere             udp spt:51413
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             policy match dir out pol ipsec proto esp
ACCEPT     tcp  --  localserver.lan      255.255.255.255      tcp spt:bootps dpt:bootpc
ACCEPT     udp  --  localserver.lan      255.255.255.255      udp spt:bootps dpt:bootpc
ACCEPT     all  --  5acb8d5d.bb.sky.com  anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
/>ip addr
-----------------------------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: can0: <NOARP,ECHO> mtu 16 qdisc noop state DOWN group default qlen 10
    link/can
3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel master brlan state DOWN group default qlen 1000
    link/ether 00:d0:12:8b:f0:47 brd ff:ff:ff:ff:ff:ff
4: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:d0:12:8b:f0:48 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.10/24 brd 192.168.2.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::2d0:12ff:fe8b:f048/64 scope link
       valid_lft forever preferred_lft forever
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1
    link/sit 0.0.0.0 brd 0.0.0.0
6: ath9k: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master brlan state UP group default qlen 1000
    link/ether 04:f0:21:04:fb:bc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6f0:21ff:fe04:fbbc/64 scope link
       valid_lft forever preferred_lft forever
7: ath10k: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master brlan state UP group default qlen 1000
    link/ether 00:30:1a:4e:00:5a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::230:1aff:fe4e:5a/64 scope link
       valid_lft forever preferred_lft forever
8: brlan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:30:1a:4e:00:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.7.1/24 brd 192.168.7.255 scope global brlan
       valid_lft forever preferred_lft forever
11: ppp64: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet x.x.x.x peer x.x.x.x/32 scope global ppp64
       valid_lft forever preferred_lft forever
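An added diagnostic, not part of the original post and not strongSwan's own tooling: the one hard data point in the statusall output above is the CHILD_SA counter line, 1570 bytes_i against 0 bytes_o on android{1}. That means the kernel is receiving and decrypting the client's ESP-in-UDP packets but never encrypts anything back out, so the IKE side is fine and the problem sits on the return path (forwarding, routing such as table 220, the FORWARD/OUTPUT rules, or the outbound xfrm policy). The POSIX shell function below turns that observation into a repeatable check: it reads `ipsec statusall` text on stdin, classifies every CHILD_SA by its byte counters and exits non-zero when any SA is not carrying traffic in both directions. The sample input is constructed from the post's own CHILD_SA lines (joined back onto single lines) plus a hypothetical healthy windows{2} SA for contrast; the function name and verdict labels are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from strongSwan): classify each
# CHILD_SA in `ipsec statusall` output by its byte counters.
#   OK          traffic in both directions
#   IN_ONLY     inbound ESP is decrypted but nothing is sent back (the symptom
#               in the post: check ip_forward, FORWARD/OUTPUT rules, table 220
#               and the outbound xfrm policy)
#   OUT_ONLY    the reverse: replies leave, but nothing arrives (inbound
#               filtering or NAT-T/port issue)
#   NO_TRAFFIC  both counters zero
# Reads statusall text on stdin, prints "<sa> <verdict> in=<bytes> out=<bytes>"
# per CHILD_SA and exits 1 if any verdict is not OK.

check_child_sa_counters() {
    awk '
        BEGIN { bad = 0 }
        # Counter lines look like (with or without "(N pkts, Ns ago)" suffixes):
        #   android{1}:  AES_CBC_128/HMAC_SHA2_256_128, 1570 bytes_i, 0 bytes_o, rekeying disabled
        /bytes_i/ && /bytes_o/ {
            name = $1; sub(/:$/, "", name)
            in_b = -1; out_b = -1
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^bytes_i,?$/) in_b = $(i - 1) + 0
                if ($i ~ /^bytes_o,?$/) out_b = $(i - 1) + 0
            }
            if (in_b < 0 || out_b < 0) next          # not a counter line after all
            if (in_b > 0 && out_b > 0)        verdict = "OK"
            else if (in_b == 0 && out_b == 0) verdict = "NO_TRAFFIC"
            else if (in_b > 0)                verdict = "IN_ONLY"
            else                              verdict = "OUT_ONLY"
            if (verdict != "OK") bad = 1
            printf "%s %s in=%d out=%d\n", name, verdict, in_b, out_b
        }
        END { exit bad }
    '
}

# Constructed sample: the CHILD_SA lines from the post above (joined back onto
# single lines) plus a hypothetical healthy "windows{2}" SA for contrast.
SAMPLE_STATUSALL='Security Associations (2 up, 0 connecting):
     android[10]: ESTABLISHED 24 seconds ago, 90.203.141.93[mihaiordean.com]...147.188.254.72[C=GB, O=mihaiordean.com, CN=vpn-client]
     android[10]: IKEv2 SPIs: 446cfc0fce52fc90_i 95cc24497fefd7b9_r*, rekeying disabled
     android{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cde084f3_i 1c5743ef_o
     android{1}:  AES_CBC_128/HMAC_SHA2_256_128, 1570 bytes_i, 0 bytes_o, rekeying disabled
     android{1}:   0.0.0.0/0 === 10.0.1.1/32
     windows{2}:  AES_CBC_128/HMAC_SHA2_256_128, 4096 bytes_i (31 pkts, 2s ago), 8192 bytes_o (29 pkts, 2s ago), rekeying disabled'

# Stand-alone demo on the constructed sample; on a live gateway pipe the real
# daemon output instead:  ipsec statusall | check_child_sa_counters
printf '%s\n' "$SAMPLE_STATUSALL" | check_child_sa_counters \
    || echo "at least one CHILD_SA is not passing traffic in both directions"
```

Run on the gateway as `ipsec statusall | check_child_sa_counters` a few seconds after the client starts sending; an IN_ONLY verdict tells you to stop looking at IKE and instead confirm `cat /proc/sys/net/ipv4/ip_forward`, `ip xfrm policy` (is there an `out` policy for 0.0.0.0/0 -> 10.0.1.1/32?) and the counters on the FORWARD/OUTPUT rules. Note that `iptables -L` as pasted above hides interface matches, so the several `ACCEPT all -- anywhere anywhere` rules cannot be read as they stand; `iptables -L -v -n` shows the `in`/`out` interfaces and per-rule packet counters, which is what you need to see whether the reply traffic is even reaching the ESP policy-match rules.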