[strongSwan] Outgoing site-to-site packets not sent through tunnel

Isaac Sutherland isutherland at tmvcontrol.com
Tue Dec 5 19:08:28 CET 2017


I'm setting up a route-based strongSwan site-to-site VTI tunnel between an
Ubuntu 16.04 host and a Cisco VPN. I'm trying to start very simple: just
get a VTI IKEv1 AES-256/SHA1 tunnel up and ping the private IP of the
remote end. It smells like it's almost working (I'm getting ESP packets
from the Cisco router), but my outgoing packets don't get encrypted, nor are
they routed to the remote endpoint; they're just sent in plaintext on the
public interface, which obviously doesn't work because the packets are using
private-subnet IPs. Note I don't have control over the Cisco side of the
VPN, so my diagnostic/debugging capacity on that end is limited.

Bring up:
ip tunnel add vti0 mode vti local <local-public-ip> remote <remote-public-ip> okey 32 ikey 32
ip link set vti0 up
ip addr add 10.21.0.2 dev vti0
ip route add 10.21.0.1 dev vti0
sysctl -w "net.ipv4.conf.vti0.disable_policy=1"

/etc/ipsec.conf:
conn VTI
    keyexchange=ikev1
    ike=aes256-sha1-modp1024
    esp=aes256-sha1!
    left=<local-public-ip>
    leftid=<local-public-ip>
    leftsubnet=10.21.0.2/32
    leftauth=psk
    rightauth=psk
    right=<remote-public-ip>
    rightid=<remote-public-ip>
    rightsubnet=10.21.0.1/32
    mark=32
    auto=start

$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux
4.9.50-x86_64-linode86, x86_64):
  uptime: 5 seconds, since Dec 05 17:48:55 2017
  malloc: sbrk 2408448, mmap 0, used 366432, free 2042016
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  <local-public-ip>
  10.21.0.2
Connections:
         VTI:  <local-public-ip>...<remote-public-ip>  IKEv1
         VTI:   local:  [<local-public-ip>] uses pre-shared key
authentication
         VTI:   remote: [<remote-public-ip>] uses pre-shared key
authentication
         VTI:   child:  10.21.0.2/32 === 10.21.0.1/32 TUNNEL
Security Associations (1 up, 0 connecting):
         VTI[1]: ESTABLISHED 5 seconds ago,
<local-public-ip>[<local-public-ip>]...<remote-public-ip>[<remote-public-ip>]
         VTI[1]: IKEv1 SPIs: f161f8c0def835fe_i* 1fe93eb02d49cd32_r,
pre-shared key reauthentication in 2 hours
         VTI[1]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
         VTI{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: caf87319_i
50a12c2b_o
         VTI{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 47 minutes
         VTI{1}:   10.21.0.2/32 === 10.21.0.1/32

$ sudo tcpdump -i eth0 host <remote-public-ip>
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:52:28.535462 IP <remote-hostname> > <local-hostname>:
ESP(spi=0xcd3f3177,seq=0x4), length 100
17:52:51.404751 IP <remote-hostname> > <local-hostname>:
ESP(spi=0xcd3f3177,seq=0x5), length 100
17:52:53.404466 IP <remote-hostname> > <local-hostname>:
ESP(spi=0xcd3f3177,seq=0x6), length 100
17:52:57.404483 IP <remote-hostname> > <local-hostname>:
ESP(spi=0xcd3f3177,seq=0x7), length 100
17:53:05.404418 IP <remote-hostname> > <local-hostname>:
ESP(spi=0xcd3f3177,seq=0x8), length 100

If I run a tcpdump on eth0 while pinging 10.21.0.1 from my Ubuntu host I
get:

$ sudo tcpdump -i eth0 host 10.21.0.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:55:51.060099 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq
1, length 64
17:55:52.073711 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq
2, length 64
17:55:53.087071 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq
3, length 64
17:55:54.100374 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq
4, length 64
17:55:55.113690 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq
5, length 64
17:55:56.127045 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq
6, length 64
17:55:57.140397 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq
7, length 64
17:55:58.153678 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq
8, length 64

where eth0 is my public Internet interface on the Ubuntu box, and there is no
traffic on the vti0 interface.

$ ip route show
default via 198.74.60.1 dev eth0 onlink
10.21.0.1 dev vti0  scope link

Another detail is that the connection seems to be dropping out and coming
back up periodically, as you can gather from the following, taken a few
minutes later:
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux
4.9.50-x86_64-linode86, x86_64):
  uptime: 12 minutes, since Dec 05 17:48:55 2017
  malloc: sbrk 2408448, mmap 0, used 476512, free 1931936
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  <local-public-ip>
  10.21.0.2
Connections:
         VTI:  <local-public-ip>...<remote-public-ip>  IKEv1
         VTI:   local:  [<local-public-ip>] uses pre-shared key
authentication
         VTI:   remote: [<remote-public-ip>] uses pre-shared key
authentication
         VTI:   child:  10.21.0.2/32 === 10.21.0.1/32 TUNNEL
Security Associations (1 up, 0 connecting):
         VTI[1]: ESTABLISHED 12 minutes ago,
<local-public-ip>[<local-public-ip>]...<remote-public-ip>[<remote-public-ip>]
         VTI[1]: IKEv1 SPIs: f161f8c0def835fe_i* 1fe93eb02d49cd32_r,
pre-shared key reauthentication in 2 hours
         VTI[1]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
         VTI{1}:  REKEYED, TUNNEL, reqid 1, expires in 47 minutes
         VTI{1}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce1cd0f3_i
219c09e7_o
         VTI{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 35 minutes
         VTI{2}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4f08265_i
943423ca_o
         VTI{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 34 minutes
         VTI{3}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0551732_i
590f641e_o
         VTI{4}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 35 minutes
         VTI{4}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c6fc0b2e_i
43a45c53_o
         VTI{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 33 minutes
         VTI{5}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{6}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c123ce23_i
3d106f6b_o
         VTI{6}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 32 minutes
         VTI{6}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{7}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd3f3177_i
486dadf9_o
         VTI{7}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 32 minutes
         VTI{7}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{8}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c057f07c_i
ac31a9cf_o
         VTI{8}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 40 minutes
         VTI{8}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{9}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cbd22eb8_i
2c02b93e_o
         VTI{9}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 37 minutes
         VTI{9}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{10}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf9d7de4_i
f9bbf3ac_o
         VTI{10}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 40 minutes
         VTI{10}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{11}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0818f2d_i
4db195e5_o
         VTI{11}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 37 minutes
         VTI{11}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{12}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2b3b560_i
7c6f64a0_o
         VTI{12}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 40 minutes
         VTI{12}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{13}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c27ad328_i
aa40b268_o
         VTI{13}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 38 minutes
         VTI{13}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{14}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2c27758_i
2a5e1d65_o
         VTI{14}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 42 minutes
         VTI{14}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{15}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf9658c4_i
fd65ee58_o
         VTI{15}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 38 minutes
         VTI{15}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{16}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c67182e0_i
a30b98ad_o
         VTI{16}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 39 minutes
         VTI{16}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{17}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7749046_i
acab5447_o
         VTI{17}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 38 minutes
         VTI{17}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{18}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb7025b6_i
62e2a1e3_o
         VTI{18}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 40 minutes
         VTI{18}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{19}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce24136a_i
2b1975ff_o
         VTI{19}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 41 minutes
         VTI{19}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{20}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb6a23c7_i
a580c19a_o
         VTI{20}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 40 minutes
         VTI{20}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{21}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd13d44b_i
eba4a1eb_o
         VTI{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 41 minutes
         VTI{21}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{22}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd6048b0_i
e28c1ba5_o
         VTI{22}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 41 minutes
         VTI{22}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{23}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cae775b9_i
50852308_o
         VTI{23}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
in 45 minutes
         VTI{23}:   10.21.0.2/32 === 10.21.0.1/32
-- 
Isaac Sutherland
Software Designer
TMV Control Systems Inc.
519-624-8219 x103
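Correlating the two captures with charon's own view is the quickest way to see which CHILD_SA the peer is actually using, whether that SA's counters move, how many SAs have piled up under one reqid, and which packets bypassed the tunnel. The script below is an added example for this thread, not code from the original post or from the strongSwan project; the function names are mine, it parses the stroke-style `ipsec statusall` output of strongSwan 5.x with each entry on one line (as the tool prints it, before mail wrapping), and the sample inputs are constructed from excerpts of the post.

```python
"""Correlate what is on the wire with what charon reports as installed.

Added example for the thread above; not from the original post or from
strongSwan. Parses `ipsec statusall` text (strongSwan 5.x, one line per
entry) and a tcpdump capture from the public interface, then reports:
  * which CHILD_SA owns each ESP SPI on the wire and that SA's byte counter,
  * how many INSTALLED CHILD_SAs share one reqid (an SA pile-up),
  * cleartext packets between private addresses on the public interface.
Sample inputs are constructed from excerpts of the post.
"""
import ipaddress
import re
from collections import Counter

# "VTI{7}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd3f3177_i 486dadf9_o"
# (a REKEYED entry carries no SPIs, so that group is optional)
SA_RE = re.compile(
    r"(?P<name>\w+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z]+), \w+, reqid (?P<reqid>\d+)"
    r"(?:, ESP SPIs: (?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o)?"
)
# "VTI{7}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 32 minutes"
BYTES_RE = re.compile(
    r"(?P<name>\w+)\{(?P<id>\d+)\}:\s+\S+, (?P<bytes_in>\d+) bytes_i, (?P<bytes_out>\d+) bytes_o"
)
# "17:52:28.535462 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x4), length 100"
PKT_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
ESP_RE = re.compile(r"ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x[0-9a-f]+\)")


def parse_child_sas(status_text):
    """Return {(name, id): {state, reqid, spi_in, spi_out, bytes_in, bytes_out}}."""
    sas = {}
    for line in status_text.splitlines():
        m = SA_RE.search(line)
        if m:
            sas[(m["name"], int(m["id"]))] = {
                "state": m["state"], "reqid": int(m["reqid"]),
                "spi_in": m["spi_in"], "spi_out": m["spi_out"],
                "bytes_in": 0, "bytes_out": 0,
            }
            continue
        m = BYTES_RE.search(line)
        if m and (m["name"], int(m["id"])) in sas:
            sa = sas[(m["name"], int(m["id"]))]
            sa["bytes_in"], sa["bytes_out"] = int(m["bytes_in"]), int(m["bytes_out"])
    return sas


def reqid_pileup(sas):
    """reqid -> number of INSTALLED CHILD_SAs under it; more than one is a pile-up."""
    return dict(Counter(sa["reqid"] for sa in sas.values() if sa["state"] == "INSTALLED"))


def wire_esp_spis(capture_text):
    """ESP packet count per SPI (lowercase hex, no 0x) seen in a tcpdump capture."""
    return Counter(m["spi"] for m in map(ESP_RE.search, capture_text.splitlines()) if m)


def correlate(status_text, capture_text):
    """For each SPI on the wire: owning CHILD_SA, direction, and that direction's byte counter."""
    sas = parse_child_sas(status_text)
    owners = {}
    for key, sa in sas.items():
        if sa["spi_in"]:
            owners[sa["spi_in"]] = (key, "in")
            owners[sa["spi_out"]] = (key, "out")
    report = {}
    for spi, packets in wire_esp_spis(capture_text).items():
        if spi in owners:
            key, direction = owners[spi]
            report[spi] = {"packets": packets, "owner": "%s{%d}" % key,
                           "direction": direction, "bytes": sas[key]["bytes_" + direction]}
        else:  # SPI unknown to charon: the peer is using an SA this side never had or already dropped
            report[spi] = {"packets": packets, "owner": None, "direction": None, "bytes": None}
    return report


def _is_private(addr):
    """True for a private address; tolerates tcpdump's trailing .port; False for hostnames."""
    for candidate in (addr, addr.rsplit(".", 1)[0]):
        try:
            return ipaddress.ip_address(candidate).is_private
        except ValueError:
            continue
    return False


def cleartext_private_leaks(capture_text):
    """Non-ESP packets between private addresses: traffic that bypassed the tunnel."""
    leaks = []
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if m and not ESP_RE.search(m["rest"]) and _is_private(m["src"]) and _is_private(m["dst"]):
            leaks.append((m["src"], m["dst"], m["rest"].split(",")[0]))
    return leaks


# Constructed from the post's second `ipsec statusall`, trimmed to three CHILD_SAs.
STATUS_SAMPLE = """\
Security Associations (1 up, 0 connecting):
         VTI[1]: ESTABLISHED 12 minutes ago, <local-public-ip>[<local-public-ip>]...<remote-public-ip>[<remote-public-ip>]
         VTI{1}:  REKEYED, TUNNEL, reqid 1, expires in 47 minutes
         VTI{1}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce1cd0f3_i 219c09e7_o
         VTI{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
         VTI{2}:   10.21.0.2/32 === 10.21.0.1/32
         VTI{7}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd3f3177_i 486dadf9_o
         VTI{7}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 32 minutes
         VTI{7}:   10.21.0.2/32 === 10.21.0.1/32
"""

# Constructed from the post's two tcpdump runs on eth0.
CAPTURE_SAMPLE = """\
17:52:28.535462 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x4), length 100
17:52:51.404751 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x5), length 100
17:55:51.060099 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 1, length 64
"""

if __name__ == "__main__":
    print("INSTALLED CHILD_SAs per reqid:", reqid_pileup(parse_child_sas(STATUS_SAMPLE)))
    print("ESP SPIs on the wire:", correlate(STATUS_SAMPLE, CAPTURE_SAMPLE))
    print("cleartext private traffic on eth0:", cleartext_private_leaks(CAPTURE_SAMPLE))
```

On the post's data this reports that SPI 0xcd3f3177 belongs to VTI{7}, inbound, with 0 bytes counted, that two of the sampled SAs are INSTALLED under reqid 1, and that the ICMP echo between 10.21.0.2 and 10.21.0.1 left eth0 in the clear. The kernel-side counterparts to check next are `ip xfrm state` (the mark on each SA has to equal the ikey/okey set on vti0) and `ip -s link show vti0` (whether the pings enter the device at all); neither is shown in the post.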