[strongSwan] Strongswan failed to forward decrypted packet to socket

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Dec 22 00:00:39 CET 2017


There have previously been problems with running XFRM in OpenVZ containers (meaning it didn't work at all, despite claims of the OpenVZ developers it did).

Please provide the following outputs:
ipsec statusall (or swanctl -l, if you use swanctl)
sysctl -A | grep rp_filter
ip route show table all
ip rule
'tcpdump -n -i ipsec0' when you're trying to connect over the tunnels


On 19.12.2017 08:57, Quaker wrote:
> I am using Strongswan 5.6.1 on my OpenVZ servers
> And strongswan 5.6.1 is compiled by myself. kernel-libipsec enabled by
> ./configure --enable-eap-identity --enable-eap-md5 \
>     --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
>     --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
>     --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
>     --enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp \
>     --enable-kernel-libipsec
> the strongswan.conf configuration modified as :
>
> charon {
>         load_modular = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>                 kernel-netlink {
>                         fwmark = !0x4
>                 }
>                 socket-default {
>                         fwmark = 0x4
>                 }
>                 kernel-libipsec {
>                         allow_peer_ts = yes
>                 }
>         }
> }
> I have created an IPsec tunnel successfully between my OpenVZ servers alpha and beta.
> But the socket connection fails.
> While investigating the problem, I tried tcpdump and found that
> if I ping from alpha to beta,
> tcpdump could find
> esp from alpha->beta
> esp from beta->alpha
> but the ping times out.
>
> If I ping from beta to alpha,
> tcpdump could find
> esp from beta->alpha
> and the ping times out.
>
> If using TCP, the answer is similar:
> alpha->beta
> alpha SYN_SENT
> beta SYN_RECV
>
> beta->alpha
> beta SYN_SENT
> alpha NULL
>
> I guess there should be some problem during esp to socket
> anyone could tell me how to detect the problem, or some further information should I give.
>
> alpha and beta belong to different OpenVZ suppliers; I don't know the problem.
> I have reinstalled alpha several times, but it doesn't work.
>
> beta:Linux beta 2.6.32-042stab125.5 #1 SMP Tue Oct 17 12:48:22 MSK 2017 x86_64 GNU/Linux
>
> alpha: Linux alpha 2.6.32-042stab123.3 #1 SMP Fri May 5 12:29:05 MSK 2017 x86_64 GNU/Linux
>
> Regards
> Quaker
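The outputs Noel asks for above can be gathered in one go. The script below is an added example, not strongSwan code and not something either poster supplied. It collects the listed diagnostics and additionally parses the `sysctl -A | grep rp_filter` output to report interfaces in strict reverse-path-filtering mode; that decrypted packets surfacing on the kernel-libipsec `ipsec0` device can be dropped by strict rp_filter is my assumption about why that output matters, not a statement the thread makes. The `SAMPLE_SYSCTL` text is constructed so the parser can be tried offline.

```sh
#!/bin/sh
# Added example (not part of strongSwan or of the thread): gather the outputs
# requested in the reply, and flag interfaces whose rp_filter is set to strict
# mode (1). Assumption: with kernel-libipsec, decrypted packets surface on the
# ipsec0 TUN device, where strict reverse-path filtering (on that device or on
# "all") can drop them silently, which looks like "ESP on the wire, ping times out".

# Parse text in "sysctl -A | grep rp_filter" format, e.g.
#   net.ipv4.conf.ipsec0.rp_filter = 1
# and print the interface name of every entry set to 1 (strict).
# 0 = off and 2 = loose mode are not reported.
strict_rp_filter_ifaces() {
    printf '%s\n' "$1" | awk -F'[ .=]+' '
        /^net\.ipv4\.conf\.[^ ]*\.rp_filter/ && $NF == 1 { print $4 }'
}

# Constructed sample (not taken from the thread) for trying the parser offline.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 2
net.ipv4.conf.ipsec0.rp_filter = 0'

# Run one command with a label; a missing or failing command does not abort the run.
run() {
    printf '### %s\n' "$*"
    "$@" 2>&1 || printf '(command unavailable or failed)\n'
    printf '\n'
}

# The diagnostics listed in the reply, in order.
collect_diagnostics() {
    if command -v swanctl >/dev/null 2>&1; then run swanctl -l; else run ipsec statusall; fi
    printf '### sysctl -A | grep rp_filter\n'
    sysctl -A 2>/dev/null | grep rp_filter
    printf '\n'
    run ip route show table all
    run ip rule
    printf '### interfaces with strict rp_filter (1):\n'
    strict_rp_filter_ifaces "$(sysctl -A 2>/dev/null | grep rp_filter)"
    printf '\n### run in another shell while testing the tunnel:\n'
    printf 'tcpdump -n -i ipsec0\n'
}

# Usage: sh ipsec_diag.sh collect > diag.txt   (full set of outputs)
#        sh ipsec_diag.sh check                (only the strict rp_filter list)
#        sh ipsec_diag.sh demo                 (parser on the constructed sample; prints "all")
case "${1:-}" in
    collect) collect_diagnostics ;;
    check)   strict_rp_filter_ifaces "$(sysctl -A 2>/dev/null | grep rp_filter)" ;;
    demo)    strict_rp_filter_ifaces "$SAMPLE_SYSCTL" ;;
esac
```

`run` deliberately swallows failures so that a box without `swanctl` or `ip` still produces the rest of the report; the tcpdump step is left to a second shell because it has to be running while the tunnel is exercised.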
