[strongSwan] mark_updown

Sean Courtney scourtney2000 at gmail.com
Mon Aug 7 17:41:53 CEST 2017


Hello,

Here is some more info regarding the issue I am having with my test. Like I
mentioned, I am trying to resolve an issue I have with overlapping subnets
connecting to my Strongswan VPN Hub.

The closest example to my issue is:

https://www.strongswan.org/uml/testresults/ikev2/nat-rw-mark/index.html

I copied the _updown script to /etc/ and renamed it mark_updown. It is
root:root and has 761 permissions.

Once the marks are introduced in ipsec.conf, the packet that used to leave
the kernel and hit my ens224 destined for the 172.31.0.0/16 network cannot be
found. How do I troubleshoot what is going on in kernel space?

This is a copy of my daemon.log for the scenario I am trying to get up and
running. Basically, as far as I can tell, the mark_updown script is not
executing. I don't see anything in the daemon logs to indicate why the
script does not execute.

Aug  7 10:51:12 VPNGWServer charon: 00[DMN] Starting IKE charon daemon
(strongSwan 5.3.5, Linux 4.4.0-89-generic, x86_64)
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] disabling load-tester plugin,
not configured
Aug  7 10:51:12 VPNGWServer charon: 00[LIB] plugin 'load-tester': failed to
load - load_tester_plugin_create returned NULL
Aug  7 10:51:12 VPNGWServer charon: 00[KNL] known interfaces and IP
addresses:
Aug  7 10:51:12 VPNGWServer charon: 00[KNL]   ens192
Aug  7 10:51:12 VPNGWServer charon: 00[KNL]     67.102.243.141
Aug  7 10:51:12 VPNGWServer charon: 00[KNL]     fe80::20c:29ff:fe2d:c1c4
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading unbound resolver config
from '/etc/resolv.conf'
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading unbound trust anchors
from '/etc/ipsec.d/dnssec.keys'
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] dnscert plugin is disabled
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading unbound resolver config
from '/etc/resolv.conf'
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading unbound trust anchors
from '/etc/ipsec.d/dnssec.keys'
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] ipseckey plugin is disabled
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] attr-sql plugin: database URI
not set
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading ocsp signer
certificates from '/etc/ipsec.d/ocspcerts'
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading attribute certificates
from '/etc/ipsec.d/acerts'
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Aug  7 10:51:12 VPNGWServer charon: 00[CFG]   loaded RSA private key from
'/etc/ipsec.d/private/vpn-server-key.pem'
Aug  7 10:51:12 VPNGWServer charon: 00[CFG]   loaded IKE secret for
67.102.243.141 108.48.47.116
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] sql plugin: database URI not set
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] opening triplet file
/etc/ipsec.d/triplets.dat failed: No such file or directory
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] eap-simaka-sql database URI
missing
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loaded 0 RADIUS server
configurations
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] no threshold configured for
systime-fix, disabled
Aug  7 10:51:12 VPNGWServer charon: 00[CFG] coupling file path unspecified
Aug  7 10:51:12 VPNGWServer charon: 00[LIB] loaded plugins: charon
test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 rdrand random
nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent
chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr
kernel-netlink resolve socket-default connmark farp stroke updown
eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic
xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic
dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Aug  7 10:51:12 VPNGWServer charon: 00[LIB] dropped capabilities, running
as uid 0, gid 0
Aug  7 10:51:12 VPNGWServer charon: 00[JOB] spawning 16 worker threads
Aug  7 10:51:12 VPNGWServer charon: 02[NET] waiting for data on sockets
Aug  7 10:51:12 VPNGWServer charon: 03[CFG] received stroke: add connection
'StrongSWAN'
Aug  7 10:51:12 VPNGWServer charon: 03[CFG] conn StrongSWAN
Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   left=67.102.243.141
Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   leftsubnet=172.31.0.0/16
Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   leftauth=psk
Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   leftid=67.102.243.141
Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   leftupdown=/etc/mark_updown
Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   right=%any
Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   rightsubnet=0.0.0.0/0
Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   rightauth=psk
Aug  7 10:51:12 VPNGWServer charon: 03[CFG]
ike=aes256-sha256-modp4096,aes192-sha256-modp4096,aes128-sha256-modp4096,aes256-sha256-modp2048,aes192-sha256-modp2048,aes128-sha256-modp2048,aes256-sha256-modp1536,aes192-sha256-modp1536,aes128-sha256-modp1536,aes256-sha1-modp4096,aes192-sha1-modp4096,aes128-sha1-modp4096,aes256-sha1-modp2048,aes192-sha1-modp2048,aes128-sha1-modp2048,aes256-sha1-modp1536,aes192-sha1-modp1536,aes128-sha1-modp1536!
Aug  7 10:51:12 VPNGWServer charon: 03[CFG]
esp=aes256-sha256-modp4096,aes192-sha256-modp4096,aes128-sha256-modp4096,aes256-sha256-modp2048,aes192-sha256-modp2048,aes128-sha256-modp2048,aes256-sha256-modp1536,aes192-sha256-modp1536,aes128-sha256-modp1536,aes256-sha1-modp4096,aes192-sha1-modp4096,aes128-sha1-modp4096,aes256-sha1-modp2048,aes192-sha1-modp2048,aes128-sha1-modp2048,aes256-sha1-modp1536,aes192-sha1-modp1536,aes128-sha1-modp1536!
Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   dpddelay=300
Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   dpdtimeout=150
Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   dpdaction=1
Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   mediation=no
Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   keyexchange=ikev2
Aug  7 10:51:12 VPNGWServer charon: 03[CFG] added configuration 'StrongSWAN'
Aug  7 10:51:12 VPNGWServer charon: 07[CFG] received stroke: add connection
'IRIS'
Aug  7 10:51:12 VPNGWServer charon: 07[CFG] conn IRIS
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   left=67.102.243.141
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   leftsubnet=172.31.0.0/16
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   leftauth=psk
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   leftid=67.102.243.141
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   leftupdown=/etc/mark_updown
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   right=%any
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   rightsubnet=0.0.0.0/0
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   rightauth=psk
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   rightid=
scourtney at evolenthealth.com
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]
ike=aes256-sha256-modp4096,aes192-sha256-modp4096,aes128-sha256-modp4096,aes256-sha256-modp2048,aes192-sha256-modp2048,aes128-sha256-modp2048,aes256-sha256-modp1536,aes192-sha256-modp1536,aes128-sha256-modp1536,aes256-sha1-modp4096,aes192-sha1-modp4096,aes128-sha1-modp4096,aes256-sha1-modp2048,aes192-sha1-modp2048,aes128-sha1-modp2048,aes256-sha1-modp1536,aes192-sha1-modp1536,aes128-sha1-modp1536!
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]
esp=aes256-sha256-modp4096,aes192-sha256-modp4096,aes128-sha256-modp4096,aes256-sha256-modp2048,aes192-sha256-modp2048,aes128-sha256-modp2048,aes256-sha256-modp1536,aes192-sha256-modp1536,aes128-sha256-modp1536,aes256-sha1-modp4096,aes192-sha1-modp4096,aes128-sha1-modp4096,aes256-sha1-modp2048,aes192-sha1-modp2048,aes128-sha1-modp2048,aes256-sha1-modp1536,aes192-sha1-modp1536,aes128-sha1-modp1536!
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   dpddelay=300
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   dpdtimeout=150
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   dpdaction=1
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   mediation=no
Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   keyexchange=ikev2
Aug  7 10:51:12 VPNGWServer charon: 07[CFG] added configuration 'IRIS'
Aug  7 10:51:12 VPNGWServer charon: 09[CFG] received stroke: add connection
'Jeff'
Aug  7 10:51:12 VPNGWServer charon: 09[CFG] conn Jeff
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   left=67.102.243.141
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   leftsubnet=172.31.0.0/16
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   leftauth=psk
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   leftid=67.102.243.141
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   leftupdown=/etc/mark_updown
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   right=%any
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   rightsubnet=0.0.0.0/0
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   rightauth=psk
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   rightid=
jbalderson at evolenthealth.com
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]
ike=aes256-sha256-modp4096,aes192-sha256-modp4096,aes128-sha256-modp4096,aes256-sha256-modp2048,aes192-sha256-modp2048,aes128-sha256-modp2048,aes256-sha256-modp1536,aes192-sha256-modp1536,aes128-sha256-modp1536,aes256-sha1-modp4096,aes192-sha1-modp4096,aes128-sha1-modp4096,aes256-sha1-modp2048,aes192-sha1-modp2048,aes128-sha1-modp2048,aes256-sha1-modp1536,aes192-sha1-modp1536,aes128-sha1-modp1536!
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]
esp=aes256-sha256-modp4096,aes192-sha256-modp4096,aes128-sha256-modp4096,aes256-sha256-modp2048,aes192-sha256-modp2048,aes128-sha256-modp2048,aes256-sha256-modp1536,aes192-sha256-modp1536,aes128-sha256-modp1536,aes256-sha1-modp4096,aes192-sha1-modp4096,aes128-sha1-modp4096,aes256-sha1-modp2048,aes192-sha1-modp2048,aes128-sha1-modp2048,aes256-sha1-modp1536,aes192-sha1-modp1536,aes128-sha1-modp1536!
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   dpddelay=300
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   dpdtimeout=150
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   dpdaction=1
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   mediation=no
Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   keyexchange=ikev2
Aug  7 10:51:12 VPNGWServer charon: 09[CFG] added configuration 'Jeff'
Aug  7 10:51:21 VPNGWServer charon: 02[NET] received packet: from
108.48.47.116[500] to 67.102.243.141[500]
Aug  7 10:51:21 VPNGWServer charon: 02[NET] waiting for data on sockets
Aug  7 10:51:21 VPNGWServer charon: 08[NET] received packet: from
108.48.47.116[500] to 67.102.243.141[500] (464 bytes)
Aug  7 10:51:21 VPNGWServer charon: 08[ENC] parsed IKE_SA_INIT request 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug  7 10:51:21 VPNGWServer charon: 08[CFG] looking for an ike config for
67.102.243.141...108.48.47.116
Aug  7 10:51:21 VPNGWServer charon: 08[CFG]   candidate:
67.102.243.141...%any, prio 1052
Aug  7 10:51:21 VPNGWServer charon: message repeated 2 times: [ 08[CFG]
candidate: 67.102.243.141...%any, prio 1052]
Aug  7 10:51:21 VPNGWServer charon: 08[CFG] found matching ike config:
67.102.243.141...%any with prio 1052
Aug  7 10:51:21 VPNGWServer charon: 08[IKE] 108.48.47.116 is initiating an
IKE_SA
Aug  7 10:51:21 VPNGWServer charon: 08[IKE] IKE_SA (unnamed)[1] state
change: CREATED => CONNECTING
Aug  7 10:51:21 VPNGWServer charon: 08[CFG] selecting proposal:
Aug  7 10:51:21 VPNGWServer charon: 08[CFG]   no acceptable
DIFFIE_HELLMAN_GROUP found
Aug  7 10:51:21 VPNGWServer charon: 08[CFG] selecting proposal:
Aug  7 10:51:21 VPNGWServer charon: 08[CFG]   no acceptable
ENCRYPTION_ALGORITHM found
Aug  7 10:51:21 VPNGWServer charon: 08[CFG] selecting proposal:
Aug  7 10:51:21 VPNGWServer charon: 08[CFG]   no acceptable
ENCRYPTION_ALGORITHM found
Aug  7 10:51:21 VPNGWServer charon: 08[CFG] selecting proposal:
Aug  7 10:51:21 VPNGWServer charon: 08[CFG]   proposal matches
Aug  7 10:51:21 VPNGWServer charon: 08[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug  7 10:51:21 VPNGWServer charon: 08[CFG] configured proposals:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096,
IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096,
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096,
IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Aug  7 10:51:21 VPNGWServer charon: 08[CFG] selected proposal:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug  7 10:51:21 VPNGWServer charon: 08[ENC] generating IKE_SA_INIT response
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Aug  7 10:51:21 VPNGWServer charon: 08[NET] sending packet: from
67.102.243.141[500] to 108.48.47.116[500] (456 bytes)
Aug  7 10:51:21 VPNGWServer charon: 04[NET] sending packet: from
67.102.243.141[500] to 108.48.47.116[500]
Aug  7 10:51:21 VPNGWServer charon: 02[NET] received packet: from
108.48.47.116[500] to 67.102.243.141[500]
Aug  7 10:51:21 VPNGWServer charon: 02[NET] waiting for data on sockets
Aug  7 10:51:21 VPNGWServer charon: 09[NET] received packet: from
108.48.47.116[500] to 67.102.243.141[500] (288 bytes)
Aug  7 10:51:21 VPNGWServer charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH)
N(EAP_ONLY) ]
Aug  7 10:51:21 VPNGWServer charon: 09[CFG] looking for peer configs
matching 67.102.243.141[67.102.243.141]...108.48.47.116[
scourtney at evolenthealth.com]
Aug  7 10:51:21 VPNGWServer kernel: [ 1430.602846] audit: type=1400
audit(1502117481.870:27): apparmor="DENIED" operation="open"
profile="/usr/lib/ipsec/charon" name="/proc/2751/fd/" pid=2751
comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug  7 10:51:21 VPNGWServer charon: 09[CFG]   candidate "StrongSWAN",
match: 20/1/1052 (me/other/ike)
Aug  7 10:51:21 VPNGWServer charon: 09[CFG]   candidate "IRIS", match:
20/20/1052 (me/other/ike)
Aug  7 10:51:21 VPNGWServer charon: 09[CFG] selected peer config 'IRIS'
Aug  7 10:51:21 VPNGWServer charon: 09[IKE] authentication of '
scourtney at evolenthealth.com' with pre-shared key successful
Aug  7 10:51:21 VPNGWServer charon: 09[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug  7 10:51:21 VPNGWServer charon: 09[IKE] authentication of
'67.102.243.141' (myself) with pre-shared key
Aug  7 10:51:21 VPNGWServer charon: 09[IKE] successfully created shared key
MAC
Aug  7 10:51:21 VPNGWServer charon: 09[IKE] IKE_SA IRIS[1] established
between 67.102.243.141[67.102.243.141]...108.48.47.116[
scourtney at evolenthealth.com]
Aug  7 10:51:21 VPNGWServer charon: 09[IKE] IKE_SA IRIS[1] state change:
CONNECTING => ESTABLISHED
Aug  7 10:51:21 VPNGWServer charon: 09[IKE] scheduling reauthentication in
28569s
Aug  7 10:51:21 VPNGWServer charon: 09[IKE] maximum IKE_SA lifetime 28749s
Aug  7 10:51:21 VPNGWServer charon: 09[CFG] looking for a child config for
172.31.0.0/16 === 10.46.17.0/24
Aug  7 10:51:21 VPNGWServer charon: 09[CFG] proposing traffic selectors for
us:
Aug  7 10:51:21 VPNGWServer charon: 09[CFG]  172.31.0.0/16
Aug  7 10:51:21 VPNGWServer charon: 09[CFG] proposing traffic selectors for
other:
Aug  7 10:51:21 VPNGWServer charon: 09[CFG]  0.0.0.0/0
Aug  7 10:51:21 VPNGWServer charon: 09[CFG]   candidate "IRIS" with prio 5+1
Aug  7 10:51:21 VPNGWServer charon: 09[CFG] found matching child config
"IRIS" with prio 6
Aug  7 10:51:21 VPNGWServer charon: 09[CFG] selecting proposal:
Aug  7 10:51:21 VPNGWServer charon: 09[CFG]   proposal matches
Aug  7 10:51:21 VPNGWServer charon: 09[CFG] received proposals:
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Aug  7 10:51:21 VPNGWServer charon: 09[CFG] configured proposals:
ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ,
ESP:AES_CBC_192/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_192/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ,
ESP:AES_CBC_192/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_4096/NO_EXT_SEQ,
ESP:AES_CBC_192/HMAC_SHA1_96/MODP_4096/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_4096/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_192/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ,
ESP:AES_CBC_192/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Aug  7 10:51:21 VPNGWServer charon: 09[CFG] selected proposal:
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] got SPI c6df706d
Aug  7 10:51:21 VPNGWServer charon: 09[CFG] selecting traffic selectors for
us:
Aug  7 10:51:21 VPNGWServer charon: 09[CFG]  config: 172.31.0.0/16,
received: 172.31.0.0/16 => match: 172.31.0.0/16
Aug  7 10:51:21 VPNGWServer charon: 09[CFG] selecting traffic selectors for
other:
Aug  7 10:51:21 VPNGWServer charon: 09[CFG]  config: 0.0.0.0/0, received:
10.46.17.0/24 => match: 10.46.17.0/24
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] adding SAD entry with SPI
c6df706d and reqid {1}  (mark 10/0xffffffff)
Aug  7 10:51:21 VPNGWServer charon: 09[KNL]   using encryption algorithm
AES_CBC with key size 256
Aug  7 10:51:21 VPNGWServer charon: 09[KNL]   using integrity algorithm
HMAC_SHA2_256_128 with key size 256
Aug  7 10:51:21 VPNGWServer charon: 09[KNL]   using replay window of 32
packets
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] adding SAD entry with SPI
cfd3131e and reqid {1}  (mark 10/0xffffffff)
Aug  7 10:51:21 VPNGWServer charon: 09[KNL]   using encryption algorithm
AES_CBC with key size 256
Aug  7 10:51:21 VPNGWServer charon: 09[KNL]   using integrity algorithm
HMAC_SHA2_256_128 with key size 256
Aug  7 10:51:21 VPNGWServer charon: 09[KNL]   using replay window of 32
packets
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] adding policy 172.31.0.0/16 ===
10.46.17.0/24 out  (mark 10/0xffffffff)
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] adding policy 10.46.17.0/24 ===
172.31.0.0/16 in  (mark 10/0xffffffff)
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] adding policy 10.46.17.0/24 ===
172.31.0.0/16 fwd  (mark 10/0xffffffff)
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] getting a local address in
traffic selector 172.31.0.0/16
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] no local address found in
traffic selector 172.31.0.0/16
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] policy 172.31.0.0/16 ===
10.46.17.0/24 out  (mark 10/0xffffffff) already exists, increasing refcount
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] updating policy 172.31.0.0/16
=== 10.46.17.0/24 out  (mark 10/0xffffffff)
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] policy 10.46.17.0/24 ===
172.31.0.0/16 in  (mark 10/0xffffffff) already exists, increasing refcount
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] updating policy 10.46.17.0/24
=== 172.31.0.0/16 in  (mark 10/0xffffffff)
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] policy 10.46.17.0/24 ===
172.31.0.0/16 fwd  (mark 10/0xffffffff) already exists, increasing refcount
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] updating policy 10.46.17.0/24
=== 172.31.0.0/16 fwd  (mark 10/0xffffffff)
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] getting a local address in
traffic selector 172.31.0.0/16
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] no local address found in
traffic selector 172.31.0.0/16
Aug  7 10:51:21 VPNGWServer charon: 09[IKE] CHILD_SA IRIS{1} established
with SPIs c6df706d_i cfd3131e_o and TS 172.31.0.0/16 === 10.46.17.0/24
Aug  7 10:51:21 VPNGWServer charon: 09[KNL] 67.102.243.141 is on interface
ens192
Aug  7 10:51:21 VPNGWServer charon: 09[ENC] generating IKE_AUTH response 1
[ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Aug  7 10:51:21 VPNGWServer charon: 09[NET] sending packet: from
67.102.243.141[500] to 108.48.47.116[500] (224 bytes)
Aug  7 10:51:21 VPNGWServer charon: 04[NET] sending packet: from
67.102.243.141[500] to 108.48.47.116[500]
Aug  7 10:51:31 VPNGWServer charon: 02[NET] received packet: from
108.48.47.116[500] to 67.102.243.141[500]
Aug  7 10:51:31 VPNGWServer charon: 02[NET] waiting for data on sockets
Aug  7 10:51:31 VPNGWServer charon: 14[NET] received packet: from
108.48.47.116[500] to 67.102.243.141[500] (80 bytes)
Aug  7 10:51:31 VPNGWServer charon: 14[ENC] parsed INFORMATIONAL request 2
[ ]
Aug  7 10:51:31 VPNGWServer charon: 14[ENC] generating INFORMATIONAL
response 2 [ ]
Aug  7 10:51:31 VPNGWServer charon: 14[NET] sending packet: from
67.102.243.141[500] to 108.48.47.116[500] (80 bytes)
Aug  7 10:51:31 VPNGWServer charon: 04[NET] sending packet: from
67.102.243.141[500] to 108.48.47.116[500]
Aug  7 10:51:42 VPNGWServer charon: 02[NET] received packet: from
108.48.47.116[500] to 67.102.243.141[500]
Aug  7 10:51:42 VPNGWServer charon: 02[NET] waiting for data on sockets
Aug  7 10:51:42 VPNGWServer charon: 14[NET] received packet: from
108.48.47.116[500] to 67.102.243.141[500] (80 bytes)
Aug  7 10:51:42 VPNGWServer charon: 14[ENC] parsed INFORMATIONAL request 3
[ ]
Aug  7 10:51:42 VPNGWServer charon: 14[ENC] generating INFORMATIONAL
response 3 [ ]
Aug  7 10:51:42 VPNGWServer charon: 14[NET] sending packet: from
67.102.243.141[500] to 108.48.47.116[500] (80 bytes)
Aug  7 10:51:42 VPNGWServer charon: 04[NET] sending packet: from
67.102.243.141[500] to 108.48.47.116[500]
Aug  7 10:51:52 VPNGWServer charon: 02[NET] received packet: from
108.48.47.116[500] to 67.102.243.141[500]
Aug  7 10:51:52 VPNGWServer charon: 02[NET] waiting for data on sockets
Aug  7 10:51:52 VPNGWServer charon: 15[NET] received packet: from
108.48.47.116[500] to 67.102.243.141[500] (80 bytes)
Aug  7 10:51:52 VPNGWServer charon: 15[ENC] parsed INFORMATIONAL request 4
[ ]
Aug  7 10:51:52 VPNGWServer charon: 15[ENC] generating INFORMATIONAL
response 4 [ ]
Aug  7 10:51:52 VPNGWServer charon: 15[NET] sending packet: from
67.102.243.141[500] to 108.48.47.116[500] (80 bytes)
Aug  7 10:51:52 VPNGWServer charon: 04[NET] sending packet: from
67.102.243.141[500] to 108.48.47.116[500]
Aug  7 10:52:02 VPNGWServer charon: 02[NET] received packet: from
108.48.47.116[500] to 67.102.243.141[500]
Aug  7 10:52:02 VPNGWServer charon: 02[NET] waiting for data on sockets
Aug  7 10:52:02 VPNGWServer charon: 14[NET] received packet: from
108.48.47.116[500] to 67.102.243.141[500] (80 bytes)
Aug  7 10:52:02 VPNGWServer charon: 14[ENC] parsed INFORMATIONAL request 5
[ ]
Aug  7 10:52:02 VPNGWServer charon: 14[ENC] generating INFORMATIONAL
response 5 [ ]
Aug  7 10:52:02 VPNGWServer charon: 14[NET] sending packet: from
67.102.243.141[500] to 108.48.47.116[500] (80 bytes)
Aug  7 10:52:02 VPNGWServer charon: 04[NET] sending packet: from
67.102.243.141[500] to 108.48.47.116[500]

Here is my routing table:

ip route:

default via 67.102.243.137 dev ens192 onlink
10.32.4.0/24 dev ens160  proto kernel  scope link  src 10.32.4.15
10.32.8.224/30 dev ens224  proto kernel  scope link  src 10.32.8.225
10.32.8.236/30 dev ens256  proto kernel  scope link  src 10.32.8.237
67.102.243.136/29 dev ens192  proto kernel  scope link  src 67.102.243.141
172.16.0.0/16 via 10.32.4.1 dev ens160
172.24.0.0/20 via 10.32.8.238 dev ens256
172.31.0.0/16 via 10.32.8.226 dev ens224

route:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         h-67-102-243-13 0.0.0.0         UG    0      0        0 ens192
10.32.4.0       *               255.255.255.0   U     0      0        0 ens160
10.32.8.224     *               255.255.255.252 U     0      0        0 ens224
10.32.8.236     *               255.255.255.252 U     0      0        0 ens256
67.102.243.136  *               255.255.255.248 U     0      0        0 ens192
172.16.0.0      10.32.4.1       255.255.0.0     UG    0      0        0 ens160
172.24.0.0      10.32.8.238     255.255.240.0   UG    0      0        0 ens256
172.31.0.0      10.32.8.226     255.255.0.0     UG    0      0        0 ens224


Here is my xfrm state:

root at VPNGWServer:/etc# ip -s xfrm state
src 67.102.243.141 dst 108.48.47.116
        proto esp spi 0xc08667b8(3230033848) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        mark 0xa/0xffffffff
        auth-trunc hmac(sha256) 0x8ec496bffdb53b77a11282535817350134695864511e2c93d4e3039ba4b89dd2 (256 bits) 128
        enc cbc(aes) 0xe7326d57a123fe6457e43258b4a4f885052123f66f220e03844e1da7cc258de1 (256 bits)
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 3275(sec), hard 3600(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-08-07 11:12:44 use -
        stats:
          replay-window 0 replay 0 failed 0
src 108.48.47.116 dst 67.102.243.141
        proto esp spi 0xc7a70ce0(3349613792) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        mark 0xa/0xffffffff
        auth-trunc hmac(sha256) 0xc9951f3220a4b0c842ee3b240c268dc122cd98ef5ff83c76f7a59973bc91c496 (256 bits) 128
        enc cbc(aes) 0xcb36a9a8a062bca6c5ea3fe8c67515eae5ac16449d2a80b2a715803ba3c82cb8 (256 bits)
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 3375(sec), hard 3600(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-08-07 11:12:44 use -
        stats:
          replay-window 0 replay 0 failed 0

Here is my xfrm policy:


root at VPNGWServer:/etc# ip -s xfrm policy
src 10.46.17.0/24 dst 172.31.0.0/16 uid 0
        dir fwd action allow index 82 priority 2915 share any flag
 (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-08-07 11:12:44 use -
        mark 0xa/0xffffffff
        tmpl src 108.48.47.116 dst 67.102.243.141
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.46.17.0/24 dst 172.31.0.0/16 uid 0
        dir in action allow index 72 priority 2915 share any flag
 (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-08-07 11:12:44 use -
        mark 0xa/0xffffffff
        tmpl src 108.48.47.116 dst 67.102.243.141
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 172.31.0.0/16 dst 10.46.17.0/24 uid 0
        dir out action allow index 65 priority 2915 share any flag
 (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-08-07 11:12:44 use -
        mark 0xa/0xffffffff
        tmpl src 67.102.243.141 dst 108.48.47.116
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket in action allow index 59 priority 0 share any flag
 (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-08-07 11:11:21 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket out action allow index 52 priority 0 share any flag
 (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-08-07 11:11:21 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket in action allow index 43 priority 0 share any flag
 (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-08-07 11:11:21 use 2017-08-07 11:41:16
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket out action allow index 36 priority 0 share any flag
 (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-08-07 11:11:21 use 2017-08-07 11:41:16
src ::/0 dst ::/0 uid 0
        socket in action allow index 27 priority 0 share any flag
 (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-08-07 11:11:21 use -
src ::/0 dst ::/0 uid 0
        socket out action allow index 20 priority 0 share any flag
 (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-08-07 11:11:21 use -
src ::/0 dst ::/0 uid 0
        socket in action allow index 11 priority 0 share any flag
 (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-08-07 11:11:21 use -
src ::/0 dst ::/0 uid 0
        socket out action allow index 4 priority 0 share any flag
 (0x00000000)
        lifetime config:
          limit: soft 0(bytes), hard 0(bytes)
          limit: soft 0(packets), hard 0(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-08-07 11:11:21 use -


Any help is much appreciated.

Thanks,
Sean


-- 
Sean Courtney
Ph - 410 878 7833
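A check for the state shown in the post (every SPD policy and SA carries mark 0xa/0xffffffff, so the kernel only matches packets that already carry fwmark 10, and nothing in the output shows a rule setting it): this added Python script, which is not from the post or from strongSwan, parses saved `ip xfrm policy` and `iptables-save -t mangle` text and lists marked policies for which no MARK rule sets the required mark. The policy sample is trimmed from the post; both iptables dumps are constructed, and the MARK rule in the second one is a hypothetical shape, not the contents of the mark_updown script.

```python
"""Report marked XFRM policies that no mangle-table MARK rule can satisfy.

Added example (not part of the original post or of strongSwan). When charon
installs policies and SAs with a mark, a packet only matches them if it
already carries that fwmark, which must be set by a netfilter MARK rule
(this is what a mark-aware updown script is expected to install). A marked
policy with no rule setting its mark is never hit, so traffic silently
bypasses the tunnel or is dropped: the symptom described in the post.
"""
import re

# Trimmed from the post's `ip xfrm policy` output (socket policies carry no mark).
XFRM_POLICY_SAMPLE = """\
src 10.46.17.0/24 dst 172.31.0.0/16 uid 0
        dir fwd action allow index 82 priority 2915 share any flag  (0x00000000)
        mark 0xa/0xffffffff
        tmpl src 108.48.47.116 dst 67.102.243.141
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
src 10.46.17.0/24 dst 172.31.0.0/16 uid 0
        dir in action allow index 72 priority 2915 share any flag  (0x00000000)
        mark 0xa/0xffffffff
        tmpl src 108.48.47.116 dst 67.102.243.141
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
src 172.31.0.0/16 dst 10.46.17.0/24 uid 0
        dir out action allow index 65 priority 2915 share any flag  (0x00000000)
        mark 0xa/0xffffffff
        tmpl src 67.102.243.141 dst 108.48.47.116
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket in action allow index 59 priority 0 share any flag  (0x00000000)
"""

# Constructed `iptables-save -t mangle` dump with no MARK rules at all.
MANGLE_EMPTY = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""

# Constructed dump with a hypothetical rule stamping the peer's packets with
# fwmark 10 (value/mask form); not the real mark_updown script's rule.
MANGLE_MARKED = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 108.48.47.116/32 -p udp -m udp --dport 4500 -j MARK --set-xmark 0xa/0xffffffff
COMMIT
"""

# A policy record starts with an unindented "src ... dst ..." line; the
# indented "tmpl src ..." lines inside a record do not match because of '^'.
RECORD_RE = re.compile(r"^src (\S+) dst (\S+)", re.M)
DIR_RE = re.compile(r"^\s+(dir|socket) (\S+) action", re.M)
MARK_RE = re.compile(r"^\s+mark (0x[0-9a-fA-F]+|\d+)(?:/(\S+))?", re.M)
# Matches both "--set-mark 10" and "--set-xmark 0xa/0xffffffff".
SETMARK_RE = re.compile(r"-j MARK --set-x?mark (0x[0-9a-fA-F]+|\d+)")


def parse_xfrm_policies(text):
    """Return one dict per policy record: src, dst, kind, dir and mark (int or None)."""
    policies = []
    starts = [m.start() for m in RECORD_RE.finditer(text)] + [len(text)]
    for begin, end in zip(starts, starts[1:]):
        record = text[begin:end]
        head = RECORD_RE.match(record)
        direction = DIR_RE.search(record)
        mark = MARK_RE.search(record)
        policies.append({
            "src": head.group(1),
            "dst": head.group(2),
            "kind": direction.group(1) if direction else "?",   # "dir" or "socket"
            "dir": direction.group(2) if direction else "?",    # in / out / fwd
            "mark": int(mark.group(1), 0) if mark else None,    # int() handles 0xa and 10
        })
    return policies


def parse_mark_rules(iptables_save_text):
    """Return the set of fwmark values that MARK rules in the dump set."""
    return {int(m.group(1), 0) for m in SETMARK_RE.finditer(iptables_save_text)}


def policies_without_mark_rule(xfrm_text, iptables_save_text):
    """Marked (non-zero) policies whose mark is set by no MARK rule in the dump.

    This only checks that the value is set somewhere; the rule must also sit
    in the right chain (PREROUTING for inbound ESP, OUTPUT/FORWARD for
    plaintext going out), which still has to be verified by hand.
    """
    marks_set = parse_mark_rules(iptables_save_text)
    return [p for p in parse_xfrm_policies(xfrm_text)
            if p["mark"] not in (None, 0) and p["mark"] not in marks_set]


if __name__ == "__main__":
    for label, dump in (("empty mangle table", MANGLE_EMPTY),
                        ("mangle table with MARK rule", MANGLE_MARKED)):
        missing = policies_without_mark_rule(XFRM_POLICY_SAMPLE, dump)
        print(f"{label}: {len(missing)} marked policies without a MARK rule")
        for p in missing:
            print(f"  {p['src']} -> {p['dst']} {p['dir']} needs fwmark {p['mark']:#x}")
```

On a live host, feed it the real output of `ip xfrm policy` and `iptables-save -t mangle`; if the marked policies are listed, the updown script did not install its rules, whatever the daemon log says.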