[strongSwan] Cannot ping machines on remote local network
Ric S
burj-al-arab at gmx.de
Tue Sep 5 11:06:51 CEST 2017
Current configs now:
strongswan.conf:
charon {
    plugins {
        dhcp {
            force_server_address = yes
            server = 192.168.0.1
            identity_lease = yes
        }
        farp {
            load = yes
        }
    }
}
dns1 = 8.8.8.8
dns1 = 8.8.8.4
ipsec.conf:
config setup
charondebug="net 2, knl 2, cfg 2"
conn ikev2
keyexchange=ikev2
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes2
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm
dpdaction=clear
dpddelay=60s
leftfirewall=yes
lefthostaccess=yes
leftid=carone.ddns.net
leftsubnet=192.168.0.0/24
leftcert=host-vpn.der
leftsendcert=always
right=%any
rightauth=eap-tls
rightsourceip=%dhcp
eap_identity=%any
auto=add
On Tuesday, 5 September 2017 04:54:31 CEST you wrote:
> Hi,
>
> > type=passthrough
Removed it; I also did not use it in previous attempts.
>
> You're sabotaging yourself. There is no IPsec processing happening with
> type=passthrough
> > threads = 8
Removed.
>
> You're doing it again. That can lock up the daemon later. Don't do that.
> Luckily, the setting is outside the valid configuration block, so it's
> invalid and ignored.
> >interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
I removed it. Just for the record, these are my interfaces:
ifconfig
br0 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:16
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5108 errors:0 dropped:0 overruns:0 frame:0
TX packets:4497 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:585507 (571.7 KiB) TX bytes:3738948 (3.5 MiB)
br0:0 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:16
inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:14
inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12075 errors:0 dropped:0 overruns:0 frame:0
TX packets:12590 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1941972 (1.8 MiB) TX bytes:9910375 (9.4 MiB)
Interrupt:179 Base address:0x4000
eth1 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:16
inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:7541
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:163
eth2 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:17
inet6 addr: fe80::a263:91ff:feea:2e17/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:169
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
RX packets:425 errors:0 dropped:0 overruns:0 frame:0
TX packets:425 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:53057 (51.8 KiB) TX bytes:53057 (51.8 KiB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:87.168.251.19 P-t-P:62.155.242.107 Mask:255.255.255.255
UP POINTOPOINT RUNNING MULTICAST MTU:1492 Metric:1
RX packets:1010 errors:0 dropped:0 overruns:0 frame:0
TX packets:1092 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:470447 (459.4 KiB) TX bytes:160357 (156.5 KiB)
vlan1 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:14
inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9247 errors:0 dropped:0 overruns:0 frame:0
TX packets:9767 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:759337 (741.5 KiB) TX bytes:9462367 (9.0 MiB)
vlan2 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:15
inet6 addr: fe80::a263:91ff:feea:2e15/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2828 errors:0 dropped:3 overruns:0 frame:0
TX packets:2815 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:916985 (895.4 KiB) TX bytes:397032 (387.7 KiB)
vlan2:0 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:15
inet addr:192.168.5.254 Bcast:192.168.5.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
wl0.1 Link encap:Ethernet HWaddr A2:XX:XX:XX:XX:17
inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::a063:91ff:feea:2e17/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3615 errors:0 dropped:5 overruns:0 frame:7541
TX packets:3989 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:538878 (526.2 KiB) TX bytes:998737 (975.3 KiB)
wl1.1 Link encap:Ethernet HWaddr A2:XX:XX:XX:XX:18
inet addr:192.168.9.1 Bcast:192.168.9.255 Mask:255.255.255.0
inet6 addr: fe80::a063:91ff:feea:2e18/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>
> Unnecessary.
>
> > left=%defaultroute
Removed.
>
> Unnecessary.
>
> > kernel-pfkey
>
> Plugin for the legacy IPsec API. Don't use it.
>
> >ping R6400
> >PING R6400 (192.168.0.121) 56(84) bytes of data.
> >From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host
> >Unreachable
> >From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host
> >Unreachable
Just a dynamic IP, who cares.
>
> Your next hop is sending that error. You're leaking private addresses into the
> WAN. That is forbidden. Don't do that.
> >Routers iptable output:
> >
> >iptables -vnL
>
> The output is unusable. Provide the output of `iptables-save`.
I disabled a few features, e.g. QoS, in order to reduce the output.
# Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
*raw
:PREROUTING ACCEPT [12217:1705679]
:OUTPUT ACCEPT [9354:9118762]
COMMIT
# Completed on Tue Sep 5 10:42:27 2017
# Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
*nat
:PREROUTING ACCEPT [285:28593]
:INPUT ACCEPT [604:43260]
:OUTPUT ACCEPT [47:3676]
:POSTROUTING ACCEPT [47:3676]
-A PREROUTING -d 87.168.251.19 -p icmp -j DNAT --to-destination 192.168.0.1
-A PREROUTING -d 87.168.251.19 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
-A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
-A POSTROUTING -s 192.168.9.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
COMMIT
# Completed on Tue Sep 5 10:42:27 2017
# Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
*mangle
:PREROUTING ACCEPT [3009:537902]
:INPUT ACCEPT [8937:741571]
:FORWARD ACCEPT [2521:798226]
:OUTPUT ACCEPT [2190:2277003]
:POSTROUTING ACCEPT [11882:9919352]
-A PREROUTING -d 87.168.251.19 -i ! ppp0 -j MARK --set-xmark 0x80000000/0x80000000
-A PREROUTING -j CONNMARK --save-mark
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Sep 5 10:42:27 2017
# Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [111:17285]
:advgrp_1 - [0:0]
:advgrp_10 - [0:0]
:advgrp_2 - [0:0]
:advgrp_3 - [0:0]
:advgrp_4 - [0:0]
:advgrp_5 - [0:0]
:advgrp_6 - [0:0]
:advgrp_7 - [0:0]
:advgrp_8 - [0:0]
:advgrp_9 - [0:0]
:grp_1 - [0:0]
:grp_10 - [0:0]
:grp_2 - [0:0]
:grp_3 - [0:0]
:grp_4 - [0:0]
:grp_5 - [0:0]
:grp_6 - [0:0]
:grp_7 - [0:0]
:grp_8 - [0:0]
:grp_9 - [0:0]
:lan2wan - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:logreject - [0:0]
:trigger_out - [0:0]
-A INPUT -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -s 66.220.2.74 -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j logaccept
-A INPUT -i ppp0 -p udp -m udp --dport 520 -j logdrop
-A INPUT -i br0 -p udp -m udp --dport 520 -j logdrop
-A INPUT -p udp -m udp --dport 520 -j logaccept
-A INPUT -i br0 -j logaccept
-A INPUT -i ppp0 -p icmp -j logdrop
-A INPUT -p igmp -j logdrop
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j logaccept
-A INPUT -i wl0.1 -p udp -m udp --dport 67 -j logaccept
-A INPUT -i wl0.1 -p udp -m udp --dport 53 -j logaccept
-A INPUT -i wl0.1 -p tcp -m tcp --dport 53 -j logaccept
-A INPUT -i wl0.1 -m state --state NEW -j logdrop
-A INPUT -i wl0.1 -j logaccept
-A INPUT -i wl1.1 -p udp -m udp --dport 67 -j logaccept
-A INPUT -i wl1.1 -p udp -m udp --dport 53 -j logaccept
-A INPUT -i wl1.1 -p tcp -m tcp --dport 53 -j logaccept
-A INPUT -i wl1.1 -m state --state NEW -j logdrop
-A INPUT -i wl1.1 -j logaccept
-A INPUT -j logdrop
-A FORWARD -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.0.10 -d 194.25.134.46 -j ACCEPT
-A FORWARD -s 192.168.0.10 -d 194.25.134.110 -j ACCEPT
-A FORWARD -s 192.168.0.10 -j LOG
-A FORWARD -s 192.168.0.10 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
-A FORWARD -d 192.168.0.0/255.255.255.0 -i wl1.1 -m state --state NEW -j logdrop
-A FORWARD -d 192.168.0.0/255.255.255.0 -i wl0.1 -m state --state NEW -j logdrop
-A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p gre -j logaccept
-A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p tcp -m tcp --dport 1723 -j logaccept
-A FORWARD -i wl0.1 -j logaccept
-A FORWARD -i wl1.1 -j logaccept
-A FORWARD -j lan2wan
-A FORWARD -i br0 -o br0 -j logaccept
-A FORWARD -i br0 -o ppp0 -j logaccept
-A FORWARD -i ppp0 -o br0 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
-A FORWARD -i br0 -j trigger_out
-A FORWARD -i br0 -o wl0.1 -m state --state NEW -j logdrop
-A FORWARD -i br0 -o wl1.1 -m state --state NEW -j logdrop
-A FORWARD -i br0 -m state --state NEW -j logaccept
-A FORWARD -j logdrop
-A OUTPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A OUTPUT -o br0 -j logaccept
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -m state --state INVALID -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
-A logreject -j LOG --log-prefix "WEBDROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logreject -p tcp -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Tue Sep 5 10:42:27 2017
>
> >I have tried so many thinsg, but still cannot ping from either side or
> >access
> >any local machines.
> >Does anyone have a clue? Can I provide additional info?
>
> You're having no success because you're trying random shit from the
> Internet. About 99,999% of the strongSwan related information on third
> party sites is either wrong or of questionable quality. Don't get your
> information from any place but the project's website.
Well, that's what I did in the first place, and it also lacks info, e.g. it did not list all of the required kernel modules.
It took me a bit to find out which modules it needs, as it did not complain at startup but requested features at runtime
which were not there, e.g. a STD RNG.
Thanks for any hints, hope the above info helps.
Cheers, Richard
>
> Kind regards
>
> Noel
>
> On 5 September 2017 00:53:20 CEST, Ric S <burj-al-arab at gmx.de> wrote:
> >Hi folks,
> >
> >I have been ripping my hair out with this issue.
> >
> >I'm running strongswan 5.5.3 on a router. The router's LAN subnet is
> >192.168.0.1/24.
> >I can successfully connect to it with an iPad with ikev2 and surf the
> >internet, but I cannot reach any internal machines.
> >
> >My config is the following:
> >
> >ipsec.conf:
> >
> >config setup
> >
> > charondebug="net 2, knl 2, cfg 2"
> >
> >conn ikev2
> >
> > keyexchange=ikev2
> >
> >ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-
> >sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes1
> >esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128
> >- sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128
> >
> > dpdaction=clear
> > dpddelay=60s
> > left=%defaultroute
> > leftfirewall=yes
> > lefthostaccess=yes
> > leftid=myname.ddns.net
> > leftsubnet=192.168.0.0/24
> > leftcert=host-vpn.der
> > leftsendcert=always
> > right=%any
> > rightauth=eap-tls
> > rightsourceip=%dhcp
> > eap_identity=%any
> > type=passthrough
> > auto=add
> >
> >strongswan.conf:
> >
> >charon {
> >interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
> >plugins {
> >
> > dhcp {
> > force_server_address = yes
> > server = 192.168.0.1
> > identity_lease = yes
> > }
> > farp {
> > load = yes
> > }
> >
> >}}
> >
> >threads = 8
> >dns1 = 8.8.8.8
> >dns1 = 8.8.8.4
> >
> >
> >
> >Status:
> >
> >Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.80, armv7l):
> > uptime: 14 minutes, since Sep 05 00:09:53 2017
> > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> >
> >scheduled: 8
> >loaded plugins: charon test-vectors aes des blowfish rc2 sha2 sha1 md5
> >random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
> >pkcs12 pgp
> >dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac
> >sqlite
> >attr kernel-pfkey kernel-netlink resolve socket-default farp stroke
> >vici
> >updown eap-identity eap-aka eap-md5 eap-mschapv2 eap-radius eap-tls
> >xauth-
> >generic xauth-eap dhcp whitelist led duplicheck
> >
> >Listening IP addresses:
> > 169.254.255.1
> > 192.168.0.1
> > 87.168.243.83
> >
> >Connections:
> > ikev2: %any...%any IKEv2, dpddelay=60s
> >
> > ikev2: local: [myname.ddns.net] uses public key authentication
> >
> > ikev2: cert: "C=DE, O=MYORG, CN=myname.ddns.net"
> >
> > ikev2: remote: uses EAP_TLS authentication with EAP identity '%any'
> >
> > ikev2: child: 192.168.0.0/24 === dynamic PASS, dpdaction=clear
> >
> >Security Associations (1 up, 0 connecting):
> >ikev2[6]: ESTABLISHED 11 seconds ago, 87.168.243.83[myname.ddns.net]...
> >109.43.1.19[R6400]
> >
> > ikev2[6]: IKEv2 SPIs: 243db36d71718704_i 688c466c497d2b9a_r*, public
> >
> >key reauthentication in 2 hours
> >
> > ikev2[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/
> >
> >MODP_1024
> >
> > ikev2{4}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c0983fe7_i
> >
> >04eb0f50_o
> >
> > ikev2{4}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o,
> >
> >rekeying in 48 minutes
> >
> > ikev2{4}: 192.168.0.0/24 === 192.168.0.121/32
> >
> >swanctl --list-sas
> >ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*
> >
> > local 'myname.ddns.net' @ 87.168.243.83[4500]
> > remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]
> > AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> > established 92s ago, reauth in 9765s
> > ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/
> >
> >HMAC_SHA2_256_128
> >
> > installed 89s ago, rekeying in 2800s, expires in 3511s
> > in c0983fe7, 0 bytes, 0 packets
> > out 04eb0f50, 0 bytes, 0 packets
> > local 192.168.0.0/24
> > remote 192.168.0.121/32
> >
> >ip route list table 220
> >192.168.0.121 via 62.155.242.107 dev ppp0 proto static src
> >192.168.0.1
> >
> >FARP seems to work, this is a ping from one of the local machines:
> >
> >ping R6400
> >PING R6400 (192.168.0.121) 56(84) bytes of data.
> >From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host
> >Unreachable
> >From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host
> >Unreachable
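One thing worth checking in the nat table posted above: strongSwan's forwarding documentation recommends placing `-m policy --dir out --pol ipsec -j ACCEPT` in nat POSTROUTING ahead of any SNAT/MASQUERADE rule on the WAN interface, because iptables is first-match and a NAT rule that fires first rewrites the source address so the packet no longer matches the IPsec policy (here 192.168.0.0/24 === 192.168.0.121/32). The posted table has no such exemption ahead of the ppp0 SNAT rule or the mark-based MASQUERADE. The following check is added here and is not from the thread or from the strongSwan project: it parses an iptables-save dump (a constructed excerpt of the one posted), flags unexempted NAT rules on the given WAN interface, and emits the exemptions to insert; the interface-coverage heuristic is my own simplification of first-match semantics.

```python
import re
from typing import List, Optional

# Constructed excerpt of the *nat table posted in this thread (counters dropped).
POSTED_NAT = """\
*nat
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
-A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
COMMIT
"""

def nat_postrouting(dump: str) -> List[str]:
    """Return the -A POSTROUTING rules of the *nat table, in chain order."""
    rules, in_nat = [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_nat = line.strip() == "*nat"
        elif in_nat and line.startswith("-A POSTROUTING "):
            rules.append(line)
    return rules

def out_iface(rule: str) -> Optional[str]:
    m = re.search(r" -o (\S+)", rule)
    return m.group(1) if m else None

def unexempted_nat(dump: str, wan_if: str) -> List[str]:
    """SNAT/MASQUERADE rules that can hit IPsec-bound traffic on wan_if (or on any
    interface) with no earlier '-m policy --dir out --pol ipsec -j ACCEPT' covering them."""
    exemptions, flagged = [], []  # exemptions: outgoing interface of each, None = any
    for rule in nat_postrouting(dump):
        iface = out_iface(rule)
        if "--pol ipsec" in rule and "--dir out" in rule and rule.endswith(" -j ACCEPT"):
            exemptions.append(iface)
        elif re.search(r" -j (SNAT|MASQUERADE)\b", rule) and iface in (wan_if, None):
            if not any(e is None or e == iface for e in exemptions):
                flagged.append(rule)
    return flagged

def exemption_for(rule: str) -> str:
    """Turn a flagged NAT rule into the matching exemption to insert ahead of it."""
    return re.sub(r"^-A (\S+)(.*?) -j .*$",
                  r"-I \1\2 -m policy --dir out --pol ipsec -j ACCEPT", rule)

def fixed_dump(dump: str, wan_if: str) -> str:
    """Prepend the missing exemptions to POSTROUTING as -A lines (iptables-restore form)."""
    fixes = [exemption_for(r).replace("-I ", "-A ", 1) for r in unexempted_nat(dump, wan_if)]
    lines = dump.splitlines()
    first = next((i for i, l in enumerate(lines) if l.startswith("-A POSTROUTING ")), len(lines))
    return "\n".join(lines[:first] + fixes + lines[first:]) + "\n"
```

Feed it `iptables-save` output from the router and the WAN interface name (ppp0 here); the emitted `-I` lines are what to add with `iptables -t nat`, and the `-o vlan2` MASQUERADE is left alone because it never sees the tunnel's traffic.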