[strongSwan] Routing Problem
Thomas Creutz
thomas.creutz at gmx.de
Wed Mar 22 15:37:43 CET 2017
Hello List,
I use strongSwan on 3 WRT routers (TP-Link Archer C7): 2x OpenWRT
15.05.1 and one new one with LEDE 17.01.0.
OpenWRT uses strongSwan 5.3.3, Linux 3.18.23, mips
LEDE uses strongSwan 5.5.1, Linux 4.4.50, mips
Okay, I want to build a routed VPN connection between 2 locations. The
conn1 (192.168.0.0/24) is the main location with a static public IP
address. The conn2 (192.168.1.0/24) currently has a dynamic public IP
address (DSL connection), but will be replaced with the new LEDE router
with an LTE connection, which has no public IP address. For testing I
made a new subnet (192.168.2.0/24) and a new connection (conn2new).
conn1 - 192.168.0.0/24 - lanip 192.168.0.254 - wanip fixed private (full
port forwarding from wan ip)
conn2 - 192.168.1.0/24 - lanip 192.168.1.254 - wanip dynamic
conn2new - 192.168.2.0/24 - lanip 192.168.2.254 - wanip private (no port
forwarding from wan ip possible)
My problem now is that I cannot ping from the router at 192.168.0.0/24
to the hosts behind the router of subnet 192.168.2.0/24 - but I can
reach the VPN router.
Works:
ping from 192.168.0.254 -> 192.168.2.254
Doesn't work:
ping from 192.168.0.254 -> 192.168.2.102 (example - host firewall is
open for ICMP, and ping from the local router to the host works)
The statusall command also doesn't show me that the subnet is routed. And
when I try to "route" it I get this:
ipsec route conn2new
routing 'conn2new' failed
I am not sure if it is a problem of the right=%any or if it is a bug
in LEDE. Hope somebody can give me a hint.
Thomas
#### Config conn1: ####
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    #charondebug="ike 2, knl 2, cfg 1"
    charondebug="knl 0,enc 0,net 0,cfg 2,chd 2"

conn %default
    # This server
    left=%defaultroute
    leftid=@fqdn
    ikelifetime=28800s
    # The network behind this server
    leftsubnet=192.168.0.0/24
    leftfirewall=yes
    lefthostaccess=yes
    # Connection parameters
    type=tunnel
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    ike=aes256-sha1-modp2048
    esp=aes256-sha-modp2048
    aggressive=no
    authby=secret
    installpolicy=yes
    compress=yes
    mobike=yes
    dpdaction=restart
    dpddelay=10s
    auto=add

# sites
conn conn2
    auto=route
    modeconfig=push
    reqid=1
    # The remote site
    right=fqdn
    rightid=@fqdn
    # The network behind remote router
    rightsubnet=192.168.1.0/24

conn conn2new
    auto=route
    modeconfig=push
    reqid=2
    # The remote site
    right=%any
    rightid=@fqdn
    # The network behind remote router
    rightsubnet=192.168.2.0/24
#### Config conn2: ####
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug = "ike 1, knl 1, cfg 1"

conn %default
    # This server
    left=%defaultroute
    leftid=@fqdn
    ikelifetime=28800s
    # The network behind this server
    leftsubnet=192.168.1.0/24
    leftfirewall=yes
    lefthostaccess=yes
    # Connection parameters
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev2
    ike=aes256-sha1-modp2048
    esp=aes256-sha-modp2048
    aggressive=no
    authby=secret
    installpolicy=yes
    compress=yes
    mobike=no
    dpdaction=restart
    dpddelay=10s
    auto=add

conn conn1
    auto=route
    modeconfig=push
    # The remote site
    right=fqdn
    rightid=@fqdn
    # The network behind remote router
    rightsubnet=192.168.0.0/24
#### Config conn2new: ####
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    #charondebug="ike 0, knl 0, cfg 0"
    charondebug="knl 0,enc 0,net 0,cfg 2,chd 2"

conn %default
    # This server
    left=%defaultroute
    leftid=@fqdn
    ikelifetime=28800s
    # The network behind this server
    leftsubnet=192.168.2.0/24
    leftfirewall=yes
    lefthostaccess=yes
    # Connection parameters
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev2
    ike=aes256-sha1-modp2048
    esp=aes256-sha-modp2048
    aggressive=no
    authby=secret
    installpolicy=yes
    compress=yes
    mobike=no
    dpdaction=restart
    dpddelay=10s
    auto=add

conn conn1
    auto=route
    modeconfig=push
    # The remote site
    right=fqdn
    rightid=@fqdn
    # The network behind remote router
    rightsubnet=192.168.0.0/24
#### statusall conn1 ####
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.23, mips):
  uptime: 82 minutes, since Mar 22 14:02:04 2017
  malloc: sbrk 159744, mmap 0, used 140896, free 18848
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 17
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.77.101
  192.168.0.254
  192.168.100.100
  fd13:a51d:4d8a::1
Connections:
     conn2:  %any...fqdn  IKEv2, dpddelay=10s
     conn2:   local:  [fqdn] uses pre-shared key authentication
     conn2:   remote: [fqdn] uses pre-shared key authentication
     conn2:   child:  192.168.0.0/24 === 192.168.1.0/24 TUNNEL, dpdaction=restart
  conn2new:  %any...%any  IKEv2, dpddelay=10s
  conn2new:   local:  [fqdn] uses pre-shared key authentication
  conn2new:   remote: [fqdn] uses pre-shared key authentication
  conn2new:   child:  192.168.0.0/24 === 192.168.2.0/24 TUNNEL, dpdaction=restart
Routed Connections:
     conn2{1}:  ROUTED, TUNNEL, reqid 1
     conn2{1}:   192.168.0.0/24 === 192.168.1.0/24
Security Associations (2 up, 0 connecting):
  conn2new[9]: ESTABLISHED 28 minutes ago, 192.168.77.101[fqdn]...80.XXX.XXX.XXX[fqdn]
  conn2new[9]: IKEv2 SPIs: 1420e34622680876_i a3eed4f723b3d313_r*, pre-shared key reauthentication in 27 minutes
  conn2new[9]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  conn2new{16}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c1d5fc40_i ceea3ead_o, IPCOMP CPIs: d615_i 90a5_o
  conn2new{16}:  AES_CBC_256/HMAC_SHA1_96, 52018 bytes_i (864 pkts, 1s ago), 52123 bytes_o (864 pkts, 1s ago), rekeying in 17 seconds
  conn2new{16}:   192.168.0.0/24 === 192.168.2.0/24
     conn2[5]: ESTABLISHED 48 minutes ago, 192.168.77.101[fqdn]...87.XXX.XXX.XXX[fqdn]
     conn2[5]: IKEv2 SPIs: 848ceafffd78b3c6_i* 49013863221c18db_r, pre-shared key reauthentication in 2 minutes
     conn2[5]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     conn2{17}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c27b17fb_i ce842e43_o, IPCOMP CPIs: 9f71_i 7ee0_o
     conn2{17}:  AES_CBC_256/HMAC_SHA1_96, 49572 bytes_i (793 pkts, 1s ago), 244884 bytes_o (1255 pkts, 1s ago), rekeying in 10 minutes
     conn2{17}:   192.168.0.0/24 === 192.168.1.0/24
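The statusall output above lists conn2new{16} as INSTALLED with 192.168.0.0/24 === 192.168.2.0/24, so whether a given source/destination pair is actually covered by an IPsec policy can be checked mechanically instead of by eye. The following is an added example, not part of the post and not strongSwan's own tooling: a small Python parser for `ipsec statusall` that extracts each CHILD_SA's state, reqid and traffic selectors and classifies a host pair as carried by an INSTALLED SA, only trapped by a ROUTED policy, or not matched at all. The sample text is a constructed, trimmed copy of the output quoted above, and the regular expressions assume the stroke-era statusall layout shown on this page (`name{id}:` for CHILD_SAs, `name[id]:` for IKE_SAs).

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the `ipsec statusall` output quoted in
# the post (byte counters and rekey timers dropped, SPIs kept as shown there).
SAMPLE_STATUS = """\
Routed Connections:
     conn2{1}:  ROUTED, TUNNEL, reqid 1
     conn2{1}:   192.168.0.0/24 === 192.168.1.0/24
Security Associations (2 up, 0 connecting):
  conn2new[9]: ESTABLISHED 28 minutes ago, 192.168.77.101[fqdn]...80.XXX.XXX.XXX[fqdn]
  conn2new{16}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c1d5fc40_i ceea3ead_o
  conn2new{16}:   192.168.0.0/24 === 192.168.2.0/24
     conn2[5]: ESTABLISHED 48 minutes ago, 192.168.77.101[fqdn]...87.XXX.XXX.XXX[fqdn]
     conn2{17}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c27b17fb_i ce842e43_o
     conn2{17}:   192.168.0.0/24 === 192.168.1.0/24
"""

# CHILD_SA state line: "name{id}:  STATE, TUNNEL, reqid N, ..."; the following
# "name{id}:   local_ts === remote_ts" line carries the traffic selectors.
# IKE_SA lines use square brackets ("name[id]:") and are deliberately skipped.
STATE_RE = re.compile(
    r"^\s*([^\s{]+)\{(\d+)\}:\s+(ROUTED|INSTALLED|INSTALLING|REKEYING|REKEYED|DELETING),"
    r".*?\breqid (\d+)")
TS_RE = re.compile(r"^\s*([^\s{]+)\{(\d+)\}:\s+(.+?)\s+===\s+(.+?)\s*$")


@dataclass
class ChildSa:
    conn: str
    uid: int
    state: str          # ROUTED = trap policy only; INSTALLED = negotiated SA in the kernel
    reqid: int
    local_ts: list = field(default_factory=list)
    remote_ts: list = field(default_factory=list)

    def covers(self, src, dst):
        """True if src -> dst lies inside this SA's local and remote traffic selectors."""
        return (any(src in n for n in self.local_ts)
                and any(dst in n for n in self.remote_ts))


def _networks(ts_field):
    # A selector may carry a [proto/port] suffix; only the address part matters here.
    return [ipaddress.ip_network(t.split("[")[0], strict=False) for t in ts_field.split()]


def parse_statusall(text):
    """Return the CHILD_SAs found in `ipsec statusall` output, in order of appearance."""
    sas = {}
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            sa = sas.get((m.group(1), int(m.group(2))))
            if sa is not None:          # selector line for an SA whose state line we saw
                sa.local_ts = _networks(m.group(3))
                sa.remote_ts = _networks(m.group(4))
            continue
        m = STATE_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            sas[key] = ChildSa(key[0], key[1], m.group(3), int(m.group(4)))
    return list(sas.values())


def classify(sas, src, dst):
    """INSTALLED if a negotiated SA carries src -> dst, ROUTED if only a trap
    policy matches it, NONE if no policy covers the pair at all."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = "NONE"
    for sa in sas:
        if not sa.covers(src, dst):
            continue
        if sa.state == "INSTALLED":
            return "INSTALLED"
        if sa.state == "ROUTED":
            best = "ROUTED"
    return best


if __name__ == "__main__":
    sas = parse_statusall(SAMPLE_STATUS)
    for sa in sas:
        print(f"{sa.conn}{{{sa.uid}}} {sa.state} reqid={sa.reqid} "
              f"{[str(n) for n in sa.local_ts]} === {[str(n) for n in sa.remote_ts]}")
    for src, dst in [("192.168.0.254", "192.168.2.102"),
                     ("192.168.77.101", "192.168.2.102"),
                     ("192.168.0.254", "192.168.1.10")]:
        print(f"{src} -> {dst}: {classify(sas, src, dst)}")
```

Two things the classification makes visible. First, a ROUTED entry is only a trap policy (it triggers IKE when matching traffic appears), while INSTALLED means a negotiated SA exists in the kernel; the pair 192.168.0.254 -> 192.168.2.102 is INSTALLED here, so a failing ping to that host narrows the search to forwarding and firewall rules on the far router, or the host's return route, rather than to SA negotiation. This is also why `ipsec route` fails on a connection with `right=%any`: a trap policy needs a concrete peer address to initiate toward, so only the side that knows its peer can be routed, and the output accordingly lists just conn2 under Routed Connections. Second, a packet is matched only if its source address lies inside leftsubnet: 192.168.77.101 -> 192.168.2.102 comes back as NONE, so a ping issued on the router itself must use the LAN address as source (for example `ping -I 192.168.0.254`) to enter the tunnel at all.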