[strongSwan] mark_updown

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Aug 7 17:58:37 CEST 2017


Hi,

You need to manually mark the IPsec packets that should match the policies.
You probably want to use connmark to send back responses through the right tunnel and some other stuff. Maybe netmap?

If you provide information, please do it exactly as it is listed on the HelpRequests[1] page.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 07.08.2017 17:41, Sean Courtney wrote:
> Hello,
>
> Here is some more info regarding the issue I am having with my test. Like I mentioned, I am trying to resolve an issue I have with overlapping subnets connecting to my strongSwan VPN Hub.
>
> The closest example to my issue is:
>
> https://www.strongswan.org/uml/testresults/ikev2/nat-rw-mark/index.html
>
> I copied the _updown script to /etc/ and renamed it mark_updown. It is root:root and has 761 permissions. 
>
> Once the marks are introduced to ipsec.conf the packet that used to leave the kernel and hit my ens224 destined for the 172.31.0.0/16 network can not be found. How do I troubleshoot what is going on in kernel space?
>
> This is a copy of my daemon.log for the scenario I am trying to get up and running. Basically, as far as I can tell, the mark_updown script is not executing. I don't see anything in the daemon logs to indicate why the script does not execute.
>
> Aug  7 10:51:12 VPNGWServer charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-89-generic, x86_64)
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] disabling load-tester plugin, not configured
> Aug  7 10:51:12 VPNGWServer charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
> Aug  7 10:51:12 VPNGWServer charon: 00[KNL] known interfaces and IP addresses:
> Aug  7 10:51:12 VPNGWServer charon: 00[KNL]   ens192
> Aug  7 10:51:12 VPNGWServer charon: 00[KNL]     67.102.243.141
> Aug  7 10:51:12 VPNGWServer charon: 00[KNL]     fe80::20c:29ff:fe2d:c1c4
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading unbound resolver config from '/etc/resolv.conf'
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading unbound trust anchors from '/etc/ipsec.d/dnssec.keys'
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] dnscert plugin is disabled
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading unbound resolver config from '/etc/resolv.conf'
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading unbound trust anchors from '/etc/ipsec.d/dnssec.keys'
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] ipseckey plugin is disabled
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] attr-sql plugin: database URI not set
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/vpn-server-key.pem'
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG]   loaded IKE secret for 67.102.243.141 108.48.47.116
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] sql plugin: database URI not set
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] eap-simaka-sql database URI missing
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] loaded 0 RADIUS server configurations
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] no threshold configured for systime-fix, disabled
> Aug  7 10:51:12 VPNGWServer charon: 00[CFG] coupling file path unspecified
> Aug  7 10:51:12 VPNGWServer charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
> Aug  7 10:51:12 VPNGWServer charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Aug  7 10:51:12 VPNGWServer charon: 00[JOB] spawning 16 worker threads
> Aug  7 10:51:12 VPNGWServer charon: 02[NET] waiting for data on sockets
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG] received stroke: add connection 'StrongSWAN'
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG] conn StrongSWAN
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   left=67.102.243.141
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   leftsubnet=172.31.0.0/16
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   leftauth=psk
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   leftid=67.102.243.141
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   leftupdown=/etc/mark_updown
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   right=%any
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   rightsubnet=0.0.0.0/0
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   rightauth=psk
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   ike=aes256-sha256-modp4096,aes192-sha256-modp4096,aes128-sha256-modp4096,aes256-sha256-modp2048,aes192-sha256-modp2048,aes128-sha256-modp2048,aes256-sha256-modp1536,aes192-sha256-modp1536,aes128-sha256-modp1536,aes256-sha1-modp4096,aes192-sha1-modp4096,aes128-sha1-modp4096,aes256-sha1-modp2048,aes192-sha1-modp2048,aes128-sha1-modp2048,aes256-sha1-modp1536,aes192-sha1-modp1536,aes128-sha1-modp1536!
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   esp=aes256-sha256-modp4096,aes192-sha256-modp4096,aes128-sha256-modp4096,aes256-sha256-modp2048,aes192-sha256-modp2048,aes128-sha256-modp2048,aes256-sha256-modp1536,aes192-sha256-modp1536,aes128-sha256-modp1536,aes256-sha1-modp4096,aes192-sha1-modp4096,aes128-sha1-modp4096,aes256-sha1-modp2048,aes192-sha1-modp2048,aes128-sha1-modp2048,aes256-sha1-modp1536,aes192-sha1-modp1536,aes128-sha1-modp1536!
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   dpddelay=300
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   dpdtimeout=150
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   dpdaction=1
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   mediation=no
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG]   keyexchange=ikev2
> Aug  7 10:51:12 VPNGWServer charon: 03[CFG] added configuration 'StrongSWAN'
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG] received stroke: add connection 'IRIS'
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG] conn IRIS
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   left=67.102.243.141
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   leftsubnet=172.31.0.0/16
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   leftauth=psk
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   leftid=67.102.243.141
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   leftupdown=/etc/mark_updown
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   right=%any
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   rightsubnet=0.0.0.0/0
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   rightauth=psk
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   rightid=scourtney at evolenthealth.com
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   ike=aes256-sha256-modp4096,aes192-sha256-modp4096,aes128-sha256-modp4096,aes256-sha256-modp2048,aes192-sha256-modp2048,aes128-sha256-modp2048,aes256-sha256-modp1536,aes192-sha256-modp1536,aes128-sha256-modp1536,aes256-sha1-modp4096,aes192-sha1-modp4096,aes128-sha1-modp4096,aes256-sha1-modp2048,aes192-sha1-modp2048,aes128-sha1-modp2048,aes256-sha1-modp1536,aes192-sha1-modp1536,aes128-sha1-modp1536!
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   esp=aes256-sha256-modp4096,aes192-sha256-modp4096,aes128-sha256-modp4096,aes256-sha256-modp2048,aes192-sha256-modp2048,aes128-sha256-modp2048,aes256-sha256-modp1536,aes192-sha256-modp1536,aes128-sha256-modp1536,aes256-sha1-modp4096,aes192-sha1-modp4096,aes128-sha1-modp4096,aes256-sha1-modp2048,aes192-sha1-modp2048,aes128-sha1-modp2048,aes256-sha1-modp1536,aes192-sha1-modp1536,aes128-sha1-modp1536!
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   dpddelay=300
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   dpdtimeout=150
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   dpdaction=1
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   mediation=no
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG]   keyexchange=ikev2
> Aug  7 10:51:12 VPNGWServer charon: 07[CFG] added configuration 'IRIS'
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG] received stroke: add connection 'Jeff'
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG] conn Jeff
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   left=67.102.243.141
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   leftsubnet=172.31.0.0/16
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   leftauth=psk
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   leftid=67.102.243.141
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   leftupdown=/etc/mark_updown
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   right=%any
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   rightsubnet=0.0.0.0/0
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   rightauth=psk
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   rightid=jbalderson at evolenthealth.com
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   ike=aes256-sha256-modp4096,aes192-sha256-modp4096,aes128-sha256-modp4096,aes256-sha256-modp2048,aes192-sha256-modp2048,aes128-sha256-modp2048,aes256-sha256-modp1536,aes192-sha256-modp1536,aes128-sha256-modp1536,aes256-sha1-modp4096,aes192-sha1-modp4096,aes128-sha1-modp4096,aes256-sha1-modp2048,aes192-sha1-modp2048,aes128-sha1-modp2048,aes256-sha1-modp1536,aes192-sha1-modp1536,aes128-sha1-modp1536!
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   esp=aes256-sha256-modp4096,aes192-sha256-modp4096,aes128-sha256-modp4096,aes256-sha256-modp2048,aes192-sha256-modp2048,aes128-sha256-modp2048,aes256-sha256-modp1536,aes192-sha256-modp1536,aes128-sha256-modp1536,aes256-sha1-modp4096,aes192-sha1-modp4096,aes128-sha1-modp4096,aes256-sha1-modp2048,aes192-sha1-modp2048,aes128-sha1-modp2048,aes256-sha1-modp1536,aes192-sha1-modp1536,aes128-sha1-modp1536!
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   dpddelay=300
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   dpdtimeout=150
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   dpdaction=1
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   mediation=no
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG]   keyexchange=ikev2
> Aug  7 10:51:12 VPNGWServer charon: 09[CFG] added configuration 'Jeff'
> Aug  7 10:51:21 VPNGWServer charon: 02[NET] received packet: from 108.48.47.116[500] to 67.102.243.141[500]
> Aug  7 10:51:21 VPNGWServer charon: 02[NET] waiting for data on sockets
> Aug  7 10:51:21 VPNGWServer charon: 08[NET] received packet: from 108.48.47.116[500] to 67.102.243.141[500] (464 bytes)
> Aug  7 10:51:21 VPNGWServer charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Aug  7 10:51:21 VPNGWServer charon: 08[CFG] looking for an ike config for 67.102.243.141...108.48.47.116
> Aug  7 10:51:21 VPNGWServer charon: 08[CFG]   candidate: 67.102.243.141...%any, prio 1052
> Aug  7 10:51:21 VPNGWServer charon: message repeated 2 times: [ 08[CFG]   candidate: 67.102.243.141...%any, prio 1052]
> Aug  7 10:51:21 VPNGWServer charon: 08[CFG] found matching ike config: 67.102.243.141...%any with prio 1052
> Aug  7 10:51:21 VPNGWServer charon: 08[IKE] 108.48.47.116 is initiating an IKE_SA
> Aug  7 10:51:21 VPNGWServer charon: 08[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> Aug  7 10:51:21 VPNGWServer charon: 08[CFG] selecting proposal:
> Aug  7 10:51:21 VPNGWServer charon: 08[CFG]   no acceptable DIFFIE_HELLMAN_GROUP found
> Aug  7 10:51:21 VPNGWServer charon: 08[CFG] selecting proposal:
> Aug  7 10:51:21 VPNGWServer charon: 08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
> Aug  7 10:51:21 VPNGWServer charon: 08[CFG] selecting proposal:
> Aug  7 10:51:21 VPNGWServer charon: 08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
> Aug  7 10:51:21 VPNGWServer charon: 08[CFG] selecting proposal:
> Aug  7 10:51:21 VPNGWServer charon: 08[CFG]   proposal matches
> Aug  7 10:51:21 VPNGWServer charon: 08[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> Aug  7 10:51:21 VPNGWServer charon: 08[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> Aug  7 10:51:21 VPNGWServer charon: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> Aug  7 10:51:21 VPNGWServer charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
> Aug  7 10:51:21 VPNGWServer charon: 08[NET] sending packet: from 67.102.243.141[500] to 108.48.47.116[500] (456 bytes)
> Aug  7 10:51:21 VPNGWServer charon: 04[NET] sending packet: from 67.102.243.141[500] to 108.48.47.116[500]
> Aug  7 10:51:21 VPNGWServer charon: 02[NET] received packet: from 108.48.47.116[500] to 67.102.243.141[500]
> Aug  7 10:51:21 VPNGWServer charon: 02[NET] waiting for data on sockets
> Aug  7 10:51:21 VPNGWServer charon: 09[NET] received packet: from 108.48.47.116[500] to 67.102.243.141[500] (288 bytes)
> Aug  7 10:51:21 VPNGWServer charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG] looking for peer configs matching 67.102.243.141[67.102.243.141]...108.48.47.116[scourtney at evolenthealth.com]
> Aug  7 10:51:21 VPNGWServer kernel: [ 1430.602846] audit: type=1400 audit(1502117481.870:27): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/2751/fd/" pid=2751 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG]   candidate "StrongSWAN", match: 20/1/1052 (me/other/ike)
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG]   candidate "IRIS", match: 20/20/1052 (me/other/ike)
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG] selected peer config 'IRIS'
> Aug  7 10:51:21 VPNGWServer charon: 09[IKE] authentication of 'scourtney at evolenthealth.com' with pre-shared key successful
> Aug  7 10:51:21 VPNGWServer charon: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Aug  7 10:51:21 VPNGWServer charon: 09[IKE] authentication of '67.102.243.141' (myself) with pre-shared key
> Aug  7 10:51:21 VPNGWServer charon: 09[IKE] successfully created shared key MAC
> Aug  7 10:51:21 VPNGWServer charon: 09[IKE] IKE_SA IRIS[1] established between 67.102.243.141[67.102.243.141]...108.48.47.116[scourtney at evolenthealth.com]
> Aug  7 10:51:21 VPNGWServer charon: 09[IKE] IKE_SA IRIS[1] state change: CONNECTING => ESTABLISHED
> Aug  7 10:51:21 VPNGWServer charon: 09[IKE] scheduling reauthentication in 28569s
> Aug  7 10:51:21 VPNGWServer charon: 09[IKE] maximum IKE_SA lifetime 28749s
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG] looking for a child config for 172.31.0.0/16 === 10.46.17.0/24
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG] proposing traffic selectors for us:
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG]  172.31.0.0/16
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG] proposing traffic selectors for other:
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG]  0.0.0.0/0
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG]   candidate "IRIS" with prio 5+1
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG] found matching child config "IRIS" with prio 6
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG] selecting proposal:
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG]   proposal matches
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ,
> ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] got SPI c6df706d
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG] selecting traffic selectors for us:
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG]  config: 172.31.0.0/16, received: 172.31.0.0/16 => match: 172.31.0.0/16
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG] selecting traffic selectors for other:
> Aug  7 10:51:21 VPNGWServer charon: 09[CFG]  config: 0.0.0.0/0, received: 10.46.17.0/24 => match: 10.46.17.0/24
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] adding SAD entry with SPI c6df706d and reqid {1}  (mark 10/0xffffffff)
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL]   using encryption algorithm AES_CBC with key size 256
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL]   using replay window of 32 packets
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] adding SAD entry with SPI cfd3131e and reqid {1}  (mark 10/0xffffffff)
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL]   using encryption algorithm AES_CBC with key size 256
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL]   using replay window of 32 packets
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] adding policy 172.31.0.0/16 === 10.46.17.0/24 out  (mark 10/0xffffffff)
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] adding policy 10.46.17.0/24 === 172.31.0.0/16 in  (mark 10/0xffffffff)
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] adding policy 10.46.17.0/24 === 172.31.0.0/16 fwd  (mark 10/0xffffffff)
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] getting a local address in traffic selector 172.31.0.0/16
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] no local address found in traffic selector 172.31.0.0/16
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] policy 172.31.0.0/16 === 10.46.17.0/24 out  (mark 10/0xffffffff) already exists, increasing refcount
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] updating policy 172.31.0.0/16 === 10.46.17.0/24 out  (mark 10/0xffffffff)
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] policy 10.46.17.0/24 === 172.31.0.0/16 in  (mark 10/0xffffffff) already exists, increasing refcount
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] updating policy 10.46.17.0/24 === 172.31.0.0/16 in  (mark 10/0xffffffff)
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] policy 10.46.17.0/24 === 172.31.0.0/16 fwd  (mark 10/0xffffffff) already exists, increasing refcount
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] updating policy 10.46.17.0/24 === 172.31.0.0/16 fwd  (mark 10/0xffffffff)
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] getting a local address in traffic selector 172.31.0.0/16
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] no local address found in traffic selector 172.31.0.0/16
> Aug  7 10:51:21 VPNGWServer charon: 09[IKE] CHILD_SA IRIS{1} established with SPIs c6df706d_i cfd3131e_o and TS 172.31.0.0/16 === 10.46.17.0/24
> Aug  7 10:51:21 VPNGWServer charon: 09[KNL] 67.102.243.141 is on interface ens192
> Aug  7 10:51:21 VPNGWServer charon: 09[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
> Aug  7 10:51:21 VPNGWServer charon: 09[NET] sending packet: from 67.102.243.141[500] to 108.48.47.116[500] (224 bytes)
> Aug  7 10:51:21 VPNGWServer charon: 04[NET] sending packet: from 67.102.243.141[500] to 108.48.47.116[500]
> Aug  7 10:51:31 VPNGWServer charon: 02[NET] received packet: from 108.48.47.116[500] to 67.102.243.141[500]
> Aug  7 10:51:31 VPNGWServer charon: 02[NET] waiting for data on sockets
> Aug  7 10:51:31 VPNGWServer charon: 14[NET] received packet: from 108.48.47.116[500] to 67.102.243.141[500] (80 bytes)
> Aug  7 10:51:31 VPNGWServer charon: 14[ENC] parsed INFORMATIONAL request 2 [ ]
> Aug  7 10:51:31 VPNGWServer charon: 14[ENC] generating INFORMATIONAL response 2 [ ]
> Aug  7 10:51:31 VPNGWServer charon: 14[NET] sending packet: from 67.102.243.141[500] to 108.48.47.116[500] (80 bytes)
> Aug  7 10:51:31 VPNGWServer charon: 04[NET] sending packet: from 67.102.243.141[500] to 108.48.47.116[500]
> Aug  7 10:51:42 VPNGWServer charon: 02[NET] received packet: from 108.48.47.116[500] to 67.102.243.141[500]
> Aug  7 10:51:42 VPNGWServer charon: 02[NET] waiting for data on sockets
> Aug  7 10:51:42 VPNGWServer charon: 14[NET] received packet: from 108.48.47.116[500] to 67.102.243.141[500] (80 bytes)
> Aug  7 10:51:42 VPNGWServer charon: 14[ENC] parsed INFORMATIONAL request 3 [ ]
> Aug  7 10:51:42 VPNGWServer charon: 14[ENC] generating INFORMATIONAL response 3 [ ]
> Aug  7 10:51:42 VPNGWServer charon: 14[NET] sending packet: from 67.102.243.141[500] to 108.48.47.116[500] (80 bytes)
> Aug  7 10:51:42 VPNGWServer charon: 04[NET] sending packet: from 67.102.243.141[500] to 108.48.47.116[500]
> Aug  7 10:51:52 VPNGWServer charon: 02[NET] received packet: from 108.48.47.116[500] to 67.102.243.141[500]
> Aug  7 10:51:52 VPNGWServer charon: 02[NET] waiting for data on sockets
> Aug  7 10:51:52 VPNGWServer charon: 15[NET] received packet: from 108.48.47.116[500] to 67.102.243.141[500] (80 bytes)
> Aug  7 10:51:52 VPNGWServer charon: 15[ENC] parsed INFORMATIONAL request 4 [ ]
> Aug  7 10:51:52 VPNGWServer charon: 15[ENC] generating INFORMATIONAL response 4 [ ]
> Aug  7 10:51:52 VPNGWServer charon: 15[NET] sending packet: from 67.102.243.141[500] to 108.48.47.116[500] (80 bytes)
> Aug  7 10:51:52 VPNGWServer charon: 04[NET] sending packet: from 67.102.243.141[500] to 108.48.47.116[500]
> Aug  7 10:52:02 VPNGWServer charon: 02[NET] received packet: from 108.48.47.116[500] to 67.102.243.141[500]
> Aug  7 10:52:02 VPNGWServer charon: 02[NET] waiting for data on sockets
> Aug  7 10:52:02 VPNGWServer charon: 14[NET] received packet: from 108.48.47.116[500] to 67.102.243.141[500] (80 bytes)
> Aug  7 10:52:02 VPNGWServer charon: 14[ENC] parsed INFORMATIONAL request 5 [ ]
> Aug  7 10:52:02 VPNGWServer charon: 14[ENC] generating INFORMATIONAL response 5 [ ]
> Aug  7 10:52:02 VPNGWServer charon: 14[NET] sending packet: from 67.102.243.141[500] to 108.48.47.116[500] (80 bytes)
> Aug  7 10:52:02 VPNGWServer charon: 04[NET] sending packet: from 67.102.243.141[500] to 108.48.47.116[500]
>
> Here is my routing table:
>
> ip route:
>
> default via 67.102.243.137 dev ens192 onlink
> 10.32.4.0/24 dev ens160  proto kernel  scope link  src 10.32.4.15
> 10.32.8.224/30 dev ens224  proto kernel  scope link  src 10.32.8.225
> 10.32.8.236/30 dev ens256  proto kernel  scope link  src 10.32.8.237
> 67.102.243.136/29 dev ens192  proto kernel  scope link  src 67.102.243.141
> 172.16.0.0/16 via 10.32.4.1 dev ens160
> 172.24.0.0/20 via 10.32.8.238 dev ens256
> 172.31.0.0/16 via 10.32.8.226 dev ens224
>
> route:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         h-67-102-243-13 0.0.0.0         UG    0      0        0 ens192
> 10.32.4.0       *               255.255.255.0   U     0      0        0 ens160
> 10.32.8.224     *               255.255.255.252 U     0      0        0 ens224
> 10.32.8.236     *               255.255.255.252 U     0      0        0 ens256
> 67.102.243.136  *               255.255.255.248 U     0      0        0 ens192
> 172.16.0.0      10.32.4.1       255.255.0.0     UG    0      0        0 ens160
> 172.24.0.0      10.32.8.238     255.255.240.0   UG    0      0        0 ens256
> 172.31.0.0      10.32.8.226     255.255.0.0     UG    0      0        0 ens224
>
>
> Here is my xfrm state:
>
> root at VPNGWServer:/etc# ip -s xfrm state
> src 67.102.243.141 dst 108.48.47.116
>         proto esp spi 0xc08667b8(3230033848) reqid 1(0x00000001) mode tunnel
>         replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
>         mark 0xa/0xffffffff
>         auth-trunc hmac(sha256) 0x8ec496bffdb53b77a11282535817350134695864511e2c93d4e3039ba4b89dd2 (256 bits) 128
>         enc cbc(aes) 0xe7326d57a123fe6457e43258b4a4f885052123f66f220e03844e1da7cc258de1 (256 bits)
>         anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 3275(sec), hard 3600(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-08-07 11:12:44 use -
>         stats:
>           replay-window 0 replay 0 failed 0
> src 108.48.47.116 dst 67.102.243.141
>         proto esp spi 0xc7a70ce0(3349613792) reqid 1(0x00000001) mode tunnel
>         replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
>         mark 0xa/0xffffffff
>         auth-trunc hmac(sha256) 0xc9951f3220a4b0c842ee3b240c268dc122cd98ef5ff83c76f7a59973bc91c496 (256 bits) 128
>         enc cbc(aes) 0xcb36a9a8a062bca6c5ea3fe8c67515eae5ac16449d2a80b2a715803ba3c82cb8 (256 bits)
>         anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 3375(sec), hard 3600(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-08-07 11:12:44 use -
>         stats:
>           replay-window 0 replay 0 failed 0
>
> Here is my xfrm policy:
>
>
> root at VPNGWServer:/etc# ip -s xfrm policy
> src 10.46.17.0/24 dst 172.31.0.0/16 uid 0
>         dir fwd action allow index 82 priority 2915 share any flag  (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-08-07 11:12:44 use -
>         mark 0xa/0xffffffff
>         tmpl src 108.48.47.116 dst 67.102.243.141
>                 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.46.17.0/24 dst 172.31.0.0/16 uid 0
>         dir in action allow index 72 priority 2915 share any flag  (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-08-07 11:12:44 use -
>         mark 0xa/0xffffffff
>         tmpl src 108.48.47.116 dst 67.102.243.141
>                 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 172.31.0.0/16 dst 10.46.17.0/24 uid 0
>         dir out action allow index 65 priority 2915 share any flag  (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-08-07 11:12:44 use -
>         mark 0xa/0xffffffff
>         tmpl src 67.102.243.141 dst 108.48.47.116
>                 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         socket in action allow index 59 priority 0 share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-08-07 11:11:21 use -
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         socket out action allow index 52 priority 0 share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-08-07 11:11:21 use -
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         socket in action allow index 43 priority 0 share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-08-07 11:11:21 use 2017-08-07 11:41:16
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         socket out action allow index 36 priority 0 share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-08-07 11:11:21 use 2017-08-07 11:41:16
> src ::/0 dst ::/0 uid 0
>         socket in action allow index 27 priority 0 share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-08-07 11:11:21 use -
> src ::/0 dst ::/0 uid 0
>         socket out action allow index 20 priority 0 share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-08-07 11:11:21 use -
> src ::/0 dst ::/0 uid 0
>         socket in action allow index 11 priority 0 share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-08-07 11:11:21 use -
> src ::/0 dst ::/0 uid 0
>         socket out action allow index 4 priority 0 share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-08-07 11:11:21 use -
>
>
> Any help is much appreciated.
>
> Thanks,
> Sean
>
>
> -- 
> Sean Courtney
> Ph - 410 878 7833
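A small checker for the situation in this thread, added here as an example and not part of the list post or of strongSwan: the xfrm policies carry mark 0xa/0xffffffff, so a packet only matches them if something in the mangle table has set that fwmark (or restored it via connmark) first. The script parses `ip xfrm policy` and `iptables-save` output and reports every marked policy whose mark value no MARK/CONNMARK rule ever sets. The function names are mine, and the sample texts are constructed from the thread's values, trimmed to the fields the parser looks at; on a live gateway feed it the two commands' real stdout.

```python
import re

# Constructed sample of `ip xfrm policy` output (fields the parser needs only),
# modelled on the marked policies shown in the thread.
XFRM_POLICY_MARKED = """\
src 10.46.17.0/24 dst 172.31.0.0/16 uid 0
        dir fwd action allow index 82 priority 2915 share any flag  (0x00000000)
        mark 0xa/0xffffffff
        tmpl src 108.48.47.116 dst 67.102.243.141
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
src 10.46.17.0/24 dst 172.31.0.0/16 uid 0
        dir in action allow index 72 priority 2915 share any flag  (0x00000000)
        mark 0xa/0xffffffff
        tmpl src 108.48.47.116 dst 67.102.243.141
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
src 172.31.0.0/16 dst 10.46.17.0/24 uid 0
        dir out action allow index 65 priority 2915 share any flag  (0x00000000)
        mark 0xa/0xffffffff
        tmpl src 67.102.243.141 dst 108.48.47.116
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        socket in action allow index 59 priority 0 share any flag  (0x00000000)
"""

# Constructed `iptables-save` output with an empty mangle table: what you see
# when the updown script that should install the MARK rules never ran.
IPTABLES_EMPTY_MANGLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed `iptables-save` output in which a mangle rule marks the peer's
# ESP traffic with 0xa and CONNMARK carries the mark over to the reply direction.
IPTABLES_MARKED = """\
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 108.48.47.116/32 -d 67.102.243.141/32 -p esp -j MARK --set-xmark 0xa/0xffffffff
-A PREROUTING -s 10.46.17.0/24 -d 172.31.0.0/16 -j CONNMARK --save-mark
-A PREROUTING -s 172.31.0.0/16 -d 10.46.17.0/24 -j CONNMARK --restore-mark
COMMIT
*filter
-A INPUT -p esp -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")            # top-level policy header
DIR_RE = re.compile(r"^\s+(dir|socket) (\w+)")              # "dir out ..." or "socket in ..."
MARK_RE = re.compile(r"^\s+mark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")
RULE_RE = re.compile(r"^-A (\S+) .*-j (MARK|CONNMARK) .*--set-x?mark (\S+)")


def parse_xfrm_policies(text):
    """One dict per policy: src, dst, dir, socket flag and the mark/mask it requires."""
    policies, cur = [], None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None,
                   "socket": False, "mark": None, "mask": 0}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["socket"], cur["dir"] = (m.group(1) == "socket"), m.group(2)
            continue
        m = MARK_RE.match(line)
        if m:
            cur["mark"], cur["mask"] = int(m.group(1), 16), int(m.group(2), 16)
    return policies


def parse_mark_rules(text):
    """{mark_value: ["CHAIN:TARGET", ...]} for MARK/CONNMARK rules in the mangle table."""
    marks, in_mangle = {}, False
    for line in text.splitlines():
        if line.startswith("*"):                  # table header such as *mangle or *filter
            in_mangle = (line.strip() == "*mangle")
            continue
        m = RULE_RE.match(line) if in_mangle else None
        if m:
            value = m.group(3).split("/")[0]      # drop the /mask of --set-xmark
            mark = int(value, 16) if value.lower().startswith("0x") else int(value, 10)
            marks.setdefault(mark, []).append(f"{m.group(1)}:{m.group(2)}")
    return marks


def unmarked_policies(xfrm_text, iptables_text):
    """Marked, non-socket xfrm policies whose mark value no mangle rule ever sets.

    Returns (dir, src, dst, mark) tuples; an empty list means every required
    mark has at least one producer. Mask semantics are simplified to exact value.
    """
    marks = parse_mark_rules(iptables_text)
    missing = []
    for p in parse_xfrm_policies(xfrm_text):
        if p["socket"] or p["mark"] is None or p["mask"] == 0:
            continue                              # unmarked or socket policy: nothing to check
        if p["mark"] not in marks:
            missing.append((p["dir"], p["src"], p["dst"], p["mark"]))
    return missing


if __name__ == "__main__":
    for label, rules in (("empty mangle table", IPTABLES_EMPTY_MANGLE), ("marked", IPTABLES_MARKED)):
        gaps = unmarked_policies(XFRM_POLICY_MARKED, rules)
        print(f"{label}: {len(gaps)} policies without a mark producer")
        for d, s, t, mark in gaps:
            print(f"  {d:>3} {s} -> {t} needs mark {mark:#x}")
```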
