[strongSwan] Outgoing site-to-site packets not sent through tunnel
Isaac Sutherland
isutherland at tmvcontrol.com
Wed Dec 6 23:18:50 CET 2017
For the record, putting the changes in /etc/strongswan.conf works fine, but
on a Ubuntu 16.04 system the recommended location is
/etc/strongswan.d/charon.conf, where the install_routes directive is
already populated but commented out.
Further, for the kind of setup I'm doing, the strongswan RouteBasedVPN page
advises to set both install_routes = no AND install_virtual_ip = no, both
of which may be found in the /etc/strongswan.d/charon.conf on a Ubuntu
16.04 system.
On Tue, Dec 5, 2017 at 3:38 PM Isaac Sutherland <isutherland at tmvcontrol.com>
wrote:
> Thanks Noel, that was what I needed. Packets started making it through the
> tunnel after I added "install_routes = no" to the default
> /etc/strongswan.conf file:
>
> # strongswan.conf - strongSwan configuration file
> #
> # Refer to the strongswan.conf(5) manpage for details
> #
> # Configuration changes should be made in the included files
>
> charon {
> load_modular = yes
> * install_routes = no*
> plugins {
> include strongswan.d/charon/*.conf
> }
> }
>
> include strongswan.d/*.conf
>
> On Tue, Dec 5, 2017 at 3:00 PM Noel Kuntze
> <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>
>> Hi,
>>
>> You surely did not disable the installation of the routing. It needs to
>> be disabled for VTIs to work.
>>
>> Kind regards
>>
>> Noel
>>
>> On 05.12.2017 19:08, Isaac Sutherland wrote:
>> > I'm setting up a route-based strongswan site-to-site VTI tunnel between
>> a Ubuntu 16.04 host and a Cisco VPN. I'm trying to start very simple - just
>> get a vti ikev1 aes-256/sha1 tunnel up and ping the private IP of the
>> remote end. It smells like it's almost working (I'm getting ESP packets
>> from the Cisco router) but my outgoing packets don't get encrypted nor are
>> they routed to the remote endpoint -- they're just sent plaintext on the
>> public interface which obviously doesn't work because the packets are using
>> private-subnet IPs. Note I don't have control over the Cisco side of the
>> VPN so my diagnostic/debugging capacity on that end is limited.
>> >
>> > Bring up:
>> > ip tunnel add vti0 mode vti local <local-public-ip> remote
>> <remote-public-ip> okey 32 ikey 32
>> > ip link set vti0 up
>> > ip addr add 10.21.0.2 dev vti0
>> > ip route add 10.21.0.1 dev vti0
>> > sysctl -w "net.ipv4.conf.vti0.disable_policy=1"
>> >
>> > /etc/ipsec.conf:
>> > conn VTI
>> > keyexchange=ikev1
>> > ike=aes256-sha1-modp1024
>> > esp=aes256-sha1!
>> > left=<local-public-ip>
>> > leftid=<local-public-ip>
>> > leftsubnet=10.21.0.2/32 <http://10.21.0.2/32>
>> > leftauth=psk
>> > rightauth=psk
>> > right=<remote-public-ip>
>> > rightid=<remote-public-ip>
>> > rightsubnet=10.21.0.1/32 <http://10.21.0.1/32>
>> > mark=32
>> > auto=start
>> >
>> > $ sudo ipsec statusall
>> > Status of IKE charon daemon (strongSwan 5.3.5, Linux
>> 4.9.50-x86_64-linode86, x86_64):
>> > uptime: 5 seconds, since Dec 05 17:48:55 2017
>> > malloc: sbrk 2408448, mmap 0, used 366432, free 2042016
>> > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 2
>> > loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
>> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
>> dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
>> kernel-netlink resolve socket-default connmark stroke updown
>> > Listening IP addresses:
>> > <local-public-ip>
>> > 10.21.0.2
>> > Connections:
>> > VTI: <local-public-ip>...<remote-public-ip> IKEv1
>> > VTI: local: [<local-public-ip>] uses pre-shared key
>> authentication
>> > VTI: remote: [<remote-public-ip>] uses pre-shared key
>> authentication
>> > VTI: child: 10.21.0.2/32 <http://10.21.0.2/32> ===
>> 10.21.0.1/32 <http://10.21.0.1/32> TUNNEL
>> > Security Associations (1 up, 0 connecting):
>> > VTI[1]: ESTABLISHED 5 seconds ago,
>> <local-public-ip>[<local-public-ip>]...<remote-public-ip>[<remote-public-ip>]
>> > VTI[1]: IKEv1 SPIs: f161f8c0def835fe_i* 1fe93eb02d49cd32_r,
>> pre-shared key reauthentication in 2 hours
>> > VTI[1]: IKE proposal:
>> AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> > VTI{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: caf87319_i
>> 50a12c2b_o
>> > VTI{1}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 47 minutes
>> > VTI{1}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> >
>> > $ sudo tcpdump -i eth0 host <remote-public-ip>
>> > tcpdump: verbose output suppressed, use -v or -vv for full protocol
>> decode
>> > listening on eth0, link-type EN10MB (Ethernet), capture size 262144
>> bytes
>> > 17:52:28.535462 IP <remote-hostname> > <local-hostname>:
>> ESP(spi=0xcd3f3177,seq=0x4), length 100
>> > 17:52:51.404751 IP <remote-hostname> > <local-hostname>:
>> ESP(spi=0xcd3f3177,seq=0x5), length 100
>> > 17:52:53.404466 IP <remote-hostname> > <local-hostname>:
>> ESP(spi=0xcd3f3177,seq=0x6), length 100
>> > 17:52:57.404483 IP <remote-hostname> > <local-hostname>:
>> ESP(spi=0xcd3f3177,seq=0x7), length 100
>> > 17:53:05.404418 IP <remote-hostname> > <local-hostname>:
>> ESP(spi=0xcd3f3177,seq=0x8), length 100
>> >
>> > If I run a tcpdump on eth0 while pinging 10.21.0.1 from my Ubuntu host
>> I get:
>> >
>> > $ sudo tcpdump -i eth0 host 10.21.0.2
>> > tcpdump: verbose output suppressed, use -v or -vv for full protocol
>> decode
>> > listening on eth0, link-type EN10MB (Ethernet), capture size 262144
>> bytes
>> > 17:55:51.060099 IP 10.21.0.2 > 10.21.0.1 <http://10.21.0.1>: ICMP echo
>> request, id 8305, seq 1, length 64
>> > 17:55:52.073711 IP 10.21.0.2 > 10.21.0.1 <http://10.21.0.1>: ICMP echo
>> request, id 8305, seq 2, length 64
>> > 17:55:53.087071 IP 10.21.0.2 > 10.21.0.1 <http://10.21.0.1>: ICMP echo
>> request, id 8305, seq 3, length 64
>> > 17:55:54.100374 IP 10.21.0.2 > 10.21.0.1 <http://10.21.0.1>: ICMP echo
>> request, id 8305, seq 4, length 64
>> > 17:55:55.113690 IP 10.21.0.2 > 10.21.0.1 <http://10.21.0.1>: ICMP echo
>> request, id 8305, seq 5, length 64
>> > 17:55:56.127045 IP 10.21.0.2 > 10.21.0.1 <http://10.21.0.1>: ICMP echo
>> request, id 8305, seq 6, length 64
>> > 17:55:57.140397 IP 10.21.0.2 > 10.21.0.1 <http://10.21.0.1>: ICMP echo
>> request, id 8305, seq 7, length 64
>> > 17:55:58.153678 IP 10.21.0.2 > 10.21.0.1 <http://10.21.0.1>: ICMP echo
>> request, id 8305, seq 8, length 64
>> >
>> > where eth0 is my public Internet interface on the Ubuntu box. And no
>> traffic on the vti0 interface.
>> >
>> > $ ip route show
>> > default via 198.74.60.1 dev eth0 onlink
>> > 10.21.0.1 dev vti0 scope link
>> >
>> > Another detail is that the connection seems to be dropping out and
>> coming back up periodically, as you can gather from the following, taken a
>> few minutes later:
>> > $ sudo ipsec statusall
>> > Status of IKE charon daemon (strongSwan 5.3.5, Linux
>> 4.9.50-x86_64-linode86, x86_64):
>> > uptime: 12 minutes, since Dec 05 17:48:55 2017
>> > malloc: sbrk 2408448, mmap 0, used 476512, free 1931936
>> > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 2
>> > loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
>> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
>> dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
>> kernel-netlink resolve socket-default connmark stroke updown
>> > Listening IP addresses:
>> > <local-public-ip>
>> > 10.21.0.2
>> > Connections:
>> > VTI: <local-public-ip>...<remote-public-ip> IKEv1
>> > VTI: local: [<local-public-ip>] uses pre-shared key
>> authentication
>> > VTI: remote: [<remote-public-ip>] uses pre-shared key
>> authentication
>> > VTI: child: 10.21.0.2/32 <http://10.21.0.2/32> ===
>> 10.21.0.1/32 <http://10.21.0.1/32> TUNNEL
>> > Security Associations (1 up, 0 connecting):
>> > VTI[1]: ESTABLISHED 12 minutes ago,
>> <local-public-ip>[<local-public-ip>]...<remote-public-ip>[<remote-public-ip>]
>> > VTI[1]: IKEv1 SPIs: f161f8c0def835fe_i* 1fe93eb02d49cd32_r,
>> pre-shared key reauthentication in 2 hours
>> > VTI[1]: IKE proposal:
>> AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> > VTI{1}: REKEYED, TUNNEL, reqid 1, expires in 47 minutes
>> > VTI{1}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce1cd0f3_i
>> 219c09e7_o
>> > VTI{2}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 35 minutes
>> > VTI{2}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{3}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c4f08265_i
>> 943423ca_o
>> > VTI{3}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 34 minutes
>> > VTI{3}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{4}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0551732_i
>> 590f641e_o
>> > VTI{4}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 35 minutes
>> > VTI{4}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{5}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c6fc0b2e_i
>> 43a45c53_o
>> > VTI{5}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 33 minutes
>> > VTI{5}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{6}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c123ce23_i
>> 3d106f6b_o
>> > VTI{6}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 32 minutes
>> > VTI{6}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{7}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd3f3177_i
>> 486dadf9_o
>> > VTI{7}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 32 minutes
>> > VTI{7}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{8}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c057f07c_i
>> ac31a9cf_o
>> > VTI{8}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 40 minutes
>> > VTI{8}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{9}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cbd22eb8_i
>> 2c02b93e_o
>> > VTI{9}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 37 minutes
>> > VTI{9}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{10}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf9d7de4_i
>> f9bbf3ac_o
>> > VTI{10}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 40 minutes
>> > VTI{10}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{11}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0818f2d_i
>> 4db195e5_o
>> > VTI{11}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 37 minutes
>> > VTI{11}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{12}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2b3b560_i
>> 7c6f64a0_o
>> > VTI{12}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 40 minutes
>> > VTI{12}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{13}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c27ad328_i
>> aa40b268_o
>> > VTI{13}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 38 minutes
>> > VTI{13}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{14}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2c27758_i
>> 2a5e1d65_o
>> > VTI{14}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 42 minutes
>> > VTI{14}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{15}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf9658c4_i
>> fd65ee58_o
>> > VTI{15}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 38 minutes
>> > VTI{15}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{16}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c67182e0_i
>> a30b98ad_o
>> > VTI{16}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 39 minutes
>> > VTI{16}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{17}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7749046_i
>> acab5447_o
>> > VTI{17}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 38 minutes
>> > VTI{17}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{18}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb7025b6_i
>> 62e2a1e3_o
>> > VTI{18}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 40 minutes
>> > VTI{18}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{19}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce24136a_i
>> 2b1975ff_o
>> > VTI{19}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 41 minutes
>> > VTI{19}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{20}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb6a23c7_i
>> a580c19a_o
>> > VTI{20}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 40 minutes
>> > VTI{20}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{21}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd13d44b_i
>> eba4a1eb_o
>> > VTI{21}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 41 minutes
>> > VTI{21}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{22}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd6048b0_i
>> e28c1ba5_o
>> > VTI{22}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 41 minutes
>> > VTI{22}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > VTI{23}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cae775b9_i
>> 50852308_o
>> > VTI{23}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 45 minutes
>> > VTI{23}: 10.21.0.2/32 <http://10.21.0.2/32> === 10.21.0.1/32
>> <http://10.21.0.1/32>
>> > --
>> > Isaac Sutherland
>> > Software Designer
>> > TMV Control Systems Inc.
>> > 519-624-8219 x103 <(519)%20624-8219>
>>
>> --
> Isaac Sutherland
> Software Designer
> TMV Control Systems Inc.
> 519-624-8219 x103 <(519)%20624-8219>
>
--
Isaac Sutherland
Software Designer
TMV Control Systems Inc.
519-624-8219 x103
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171206/f44e734e/attachment-0001.html>
More information about the Users
mailing list