[strongSwan] Outgoing site-to-site packets not sent through tunnel

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Dec 5 20:59:26 CET 2017


Hi,

You surely did not disable the installation of the routing. It needs to be disabled for VTIs to work.

Kind regards

Noel

On 05.12.2017 19:08, Isaac Sutherland wrote:
> I'm setting up a route-based strongswan site-to-site VTI tunnel between an Ubuntu 16.04 host and a Cisco VPN. I'm trying to start very simple - just get a vti ikev1 aes-256/sha1 tunnel up and ping the private IP of the remote end. It smells like it's almost working (I'm getting ESP packets from the Cisco router) but my outgoing packets don't get encrypted nor are they routed to the remote endpoint -- they're just sent plaintext on the public interface which obviously doesn't work because the packets are using private-subnet IPs. Note I don't have control over the Cisco side of the VPN so my diagnostic/debugging capacity on that end is limited.
>
> Bring up:
> ip tunnel add vti0 mode vti local <local-public-ip> remote <remote-public-ip> okey 32 ikey 32
> ip link set vti0 up
> ip addr add 10.21.0.2 dev vti0
> ip route add 10.21.0.1 dev vti0
> sysctl -w "net.ipv4.conf.vti0.disable_policy=1"
>
> /etc/ipsec.conf:
> conn VTI
>     keyexchange=ikev1
>     ike=aes256-sha1-modp1024
>     esp=aes256-sha1!
>     left=<local-public-ip>
>     leftid=<local-public-ip>
>     leftsubnet=10.21.0.2/32
>     leftauth=psk
>     rightauth=psk
>     right=<remote-public-ip>
>     rightid=<remote-public-ip>
>     rightsubnet=10.21.0.1/32
>     mark=32
>     auto=start
>
> $ sudo ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.9.50-x86_64-linode86, x86_64):
>   uptime: 5 seconds, since Dec 05 17:48:55 2017
>   malloc: sbrk 2408448, mmap 0, used 366432, free 2042016
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
> Listening IP addresses:
>   <local-public-ip>
>   10.21.0.2
> Connections:
>          VTI:  <local-public-ip>...<remote-public-ip>  IKEv1
>          VTI:   local:  [<local-public-ip>] uses pre-shared key authentication
>          VTI:   remote: [<remote-public-ip>] uses pre-shared key authentication
>          VTI:   child:  10.21.0.2/32 === 10.21.0.1/32 TUNNEL
> Security Associations (1 up, 0 connecting):
>          VTI[1]: ESTABLISHED 5 seconds ago, <local-public-ip>[<local-public-ip>]...<remote-public-ip>[<remote-public-ip>]
>          VTI[1]: IKEv1 SPIs: f161f8c0def835fe_i* 1fe93eb02d49cd32_r, pre-shared key reauthentication in 2 hours
>          VTI[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>          VTI{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: caf87319_i 50a12c2b_o
>          VTI{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 47 minutes
>          VTI{1}:   10.21.0.2/32 === 10.21.0.1/32
>
> $ sudo tcpdump -i eth0 host <remote-public-ip>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 17:52:28.535462 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x4), length 100
> 17:52:51.404751 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x5), length 100
> 17:52:53.404466 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x6), length 100
> 17:52:57.404483 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x7), length 100
> 17:53:05.404418 IP <remote-hostname> > <local-hostname>: ESP(spi=0xcd3f3177,seq=0x8), length 100
>
> If I run a tcpdump on eth0 while pinging 10.21.0.1 from my Ubuntu host I get:
>
> $ sudo tcpdump -i eth0 host 10.21.0.2
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 17:55:51.060099 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 1, length 64
> 17:55:52.073711 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 2, length 64
> 17:55:53.087071 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 3, length 64
> 17:55:54.100374 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 4, length 64
> 17:55:55.113690 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 5, length 64
> 17:55:56.127045 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 6, length 64
> 17:55:57.140397 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 7, length 64
> 17:55:58.153678 IP 10.21.0.2 > 10.21.0.1: ICMP echo request, id 8305, seq 8, length 64
>
> where eth0 is my public Internet interface on the Ubuntu box. And no traffic on the vti0 interface.
>
> $ ip route show
> default via 198.74.60.1 dev eth0 onlink
> 10.21.0.1 dev vti0  scope link
>
> Another detail is that the connection seems to be dropping out and coming back up periodically, as you can gather from the following, taken a few minutes later:
> $ sudo ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.9.50-x86_64-linode86, x86_64):
>   uptime: 12 minutes, since Dec 05 17:48:55 2017
>   malloc: sbrk 2408448, mmap 0, used 476512, free 1931936
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
> Listening IP addresses:
>   <local-public-ip>
>   10.21.0.2
> Connections:
>          VTI:  <local-public-ip>...<remote-public-ip>  IKEv1
>          VTI:   local:  [<local-public-ip>] uses pre-shared key authentication
>          VTI:   remote: [<remote-public-ip>] uses pre-shared key authentication
>          VTI:   child:  10.21.0.2/32 === 10.21.0.1/32 TUNNEL
> Security Associations (1 up, 0 connecting):
>          VTI[1]: ESTABLISHED 12 minutes ago, <local-public-ip>[<local-public-ip>]...<remote-public-ip>[<remote-public-ip>]
>          VTI[1]: IKEv1 SPIs: f161f8c0def835fe_i* 1fe93eb02d49cd32_r, pre-shared key reauthentication in 2 hours
>          VTI[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>          VTI{1}:  REKEYED, TUNNEL, reqid 1, expires in 47 minutes
>          VTI{1}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce1cd0f3_i 219c09e7_o
>          VTI{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
>          VTI{2}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4f08265_i 943423ca_o
>          VTI{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 34 minutes
>          VTI{3}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0551732_i 590f641e_o
>          VTI{4}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
>          VTI{4}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c6fc0b2e_i 43a45c53_o
>          VTI{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 33 minutes
>          VTI{5}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{6}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c123ce23_i 3d106f6b_o
>          VTI{6}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 32 minutes
>          VTI{6}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{7}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd3f3177_i 486dadf9_o
>          VTI{7}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 32 minutes
>          VTI{7}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{8}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c057f07c_i ac31a9cf_o
>          VTI{8}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>          VTI{8}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{9}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cbd22eb8_i 2c02b93e_o
>          VTI{9}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 37 minutes
>          VTI{9}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{10}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf9d7de4_i f9bbf3ac_o
>          VTI{10}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>          VTI{10}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{11}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0818f2d_i 4db195e5_o
>          VTI{11}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 37 minutes
>          VTI{11}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{12}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2b3b560_i 7c6f64a0_o
>          VTI{12}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>          VTI{12}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{13}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c27ad328_i aa40b268_o
>          VTI{13}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
>          VTI{13}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{14}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2c27758_i 2a5e1d65_o
>          VTI{14}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
>          VTI{14}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{15}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf9658c4_i fd65ee58_o
>          VTI{15}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
>          VTI{15}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{16}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c67182e0_i a30b98ad_o
>          VTI{16}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 39 minutes
>          VTI{16}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{17}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7749046_i acab5447_o
>          VTI{17}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
>          VTI{17}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{18}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb7025b6_i 62e2a1e3_o
>          VTI{18}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>          VTI{18}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{19}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce24136a_i 2b1975ff_o
>          VTI{19}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
>          VTI{19}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{20}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb6a23c7_i a580c19a_o
>          VTI{20}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>          VTI{20}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{21}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd13d44b_i eba4a1eb_o
>          VTI{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
>          VTI{21}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{22}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd6048b0_i e28c1ba5_o
>          VTI{22}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
>          VTI{22}:   10.21.0.2/32 === 10.21.0.1/32
>          VTI{23}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cae775b9_i 50852308_o
>          VTI{23}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
>          VTI{23}:   10.21.0.2/32 === 10.21.0.1/32
> -- 
> Isaac Sutherland
> Software Designer
> TMV Control Systems Inc.
> 519-624-8219 x103
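As an added illustration of Noel's point (not code from this thread or from strongSwan): a small parser for strongswan.conf's `section { key = value }` syntax that reports whether `charon.install_routes` is still at its default of yes, which is the setting that has to be turned off before the route on vti0 can take effect. The two config texts are constructed samples, not the poster's files.

```python
"""
Check whether a strongswan.conf still lets charon install routes.  With the
default (install_routes = yes) charon adds a route for the remote traffic
selector to routing table 220, which is consulted before the main table; the
packet is then sent via eth0 without the fwmark, never matches the mark-based
XFRM policy, and leaves in plaintext, exactly the tcpdump symptom above.
Added illustration; not strongSwan's own configuration parser.
"""


def parse_strongswan_conf(text):
    """Minimal strongswan.conf parser: '#' comments, nested sections,
    'key = value' lines.  Returns a flat dict of dotted keys, e.g.
    {'charon.install_routes': 'no'}.  'include' lines are ignored."""
    settings = {}
    path = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('include '):
            continue
        if line.endswith('{'):
            path.append(line[:-1].strip())
        elif line == '}':
            path.pop()
        elif '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            settings['.'.join(path + [key])] = value
    return settings


def install_routes_enabled(text):
    """strongSwan's default for charon.install_routes is yes when unset."""
    value = parse_strongswan_conf(text).get('charon.install_routes', 'yes')
    return value.lower() not in ('no', 'false', '0')


# Constructed sample: a stock strongswan.conf that never mentions the key.
BROKEN_CONF = """\
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
"""

# Constructed sample: route installation disabled, as required for VTIs.
FIXED_CONF = BROKEN_CONF.replace('load_modular = yes',
                                 'load_modular = yes\n    install_routes = no')

if __name__ == '__main__':
    for name, conf in (('broken', BROKEN_CONF), ('fixed', FIXED_CONF)):
        state = 'enabled: VTI traffic bypasses the tunnel' if install_routes_enabled(conf) else 'disabled: OK for VTI'
        print(f'{name}: charon.install_routes {state}')
```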
