[strongSwan] Cannot ping machines on remote local network
Ric S
burj-al-arab at gmx.de
Tue Sep 5 16:33:37 CEST 2017
On Tuesday, 5 September 2017 12:36:47 CEST Noel Kuntze wrote:
> Hi,
>
> I just noticed that your NAT rules cause problems if you try to initiate
> connections to the RW, too. Read and apply the advice from the article
> about NAT problems[1].
I added:
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
I noticed that when I ping the iPad from the LAN I now see that packets are matching and the ping changes:
Chain POSTROUTING (policy ACCEPT 1320 packets, 89681 bytes)
pkts bytes target prot opt in out source destination
1 84 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
before adding the rule:
ping R6400
PING R6400 (192.168.0.121) 56(84) bytes of data.
From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
From 62.155.242.107 (62.155.242.107) icmp_seq=3 Destination Host Unreachable
after adding the rule:
ping R6400
PING R6400 (192.168.0.121) 56(84) bytes of data.
hangs here
Thus this rule most likely is one part of the solution.
Now I set up a second client, Win7. Unlike iOS, surfing the net does not work, and with Wireshark I see incoming TCP retransmission messages; it looks
like there is an issue with MTU/MSS? I also managed to get one ping through the tunnel to a LAN machine.
What is the best way to specify MTU sizes etc. in strongSwan?
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems
> On 05.09.2017 12:32, Ric S wrote:
> > On Tuesday, 5 September 2017 11:28:59 CEST Noel Kuntze wrote:
> >> Hi,
> >>
> >>> ifconfig
> >>
> >> Please don't use the net-tools. Use iproute2. The net-tools are woefully
> >> inadequate for this day and age. They are deprecated since the early
> >> 2000s.
> >>
> >> Please provide the output of `ip address`, `ip route show table all`, `ip
> >> rule` and `sysctl -A | grep rp_filter`.
> >>
> >> I suspect that at least the rp_filter needs to be set to 2.
> >
> > I just set all interfaces to 2, still no go.
> >
> >
> >
> > root at titan:~# ip address
> > 1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 65536 qdisc noqueue qlen 1
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> >        valid_lft forever preferred_lft forever
> >     inet6 ::1/128 scope host
> >        valid_lft forever preferred_lft forever
> > 2: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
> >     link/void
> > 3: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
> >     link/ether a0:63:91:ea:2e:14 brd ff:ff:ff:ff:ff:ff
> >     inet6 fe80::a263:91ff:feea:2e14/64 scope link
> >        valid_lft forever preferred_lft forever
> > 4: vlan1@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue master br0
> >     link/ether a0:63:91:ea:2e:14 brd ff:ff:ff:ff:ff:ff
> >     inet6 fe80::a263:91ff:feea:2e14/64 scope link
> >        valid_lft forever preferred_lft forever
> > 5: vlan2@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
> >     link/ether a0:63:91:ea:2e:15 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.5.254/24 brd 192.168.5.255 scope global vlan2:0
> >        valid_lft forever preferred_lft forever
> >     inet6 fe80::a263:91ff:feea:2e15/64 scope link
> >        valid_lft forever preferred_lft forever
> > 6: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel master br0 qlen 1000
> >     link/ether a0:63:91:ea:2e:16 brd ff:ff:ff:ff:ff:ff
> >     inet6 fe80::a263:91ff:feea:2e16/64 scope link
> >        valid_lft forever preferred_lft forever
> > 7: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel master br0 qlen 1000
> >     link/ether a0:63:91:ea:2e:17 brd ff:ff:ff:ff:ff:ff
> >     inet6 fe80::a263:91ff:feea:2e17/64 scope link
> >        valid_lft forever preferred_lft forever
> > 9: wl0.1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
> >     link/ether a2:63:91:ea:2e:17 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.10.1/24 brd 192.168.10.255 scope global wl0.1
> >        valid_lft forever preferred_lft forever
> >     inet6 fe80::a063:91ff:feea:2e17/64 scope link
> >        valid_lft forever preferred_lft forever
> > 10: wl1.1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
> >     link/ether a2:63:91:ea:2e:18 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.9.1/24 brd 192.168.9.255 scope global wl1.1
> >        valid_lft forever preferred_lft forever
> >     inet6 fe80::a063:91ff:feea:2e18/64 scope link
> >        valid_lft forever preferred_lft forever
> > 12: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue qlen 1000
> >     link/ether a0:63:91:ea:2e:16 brd ff:ff:ff:ff:ff:ff
> >     inet 169.254.255.1/16 brd 169.254.255.255 scope global br0:0
> >        valid_lft forever preferred_lft forever
> >     inet 192.168.0.1/24 brd 192.168.0.255 scope global br0
> >        valid_lft forever preferred_lft forever
> >     inet6 fe80::a263:91ff:feea:2e16/64 scope link
> >        valid_lft forever preferred_lft forever
> > 13: ppp0: <POINTOPOINT,MULTICAST,UP,10000> mtu 1492 qdisc fq_codel qlen 3
> >     link/ppp
> >     inet 87.168.251.19 peer 62.155.242.107/32 brd 87.168.251.19 scope global ppp0
> >        valid_lft forever preferred_lft forever
> > root at titan:~# ip route show table all
> > 192.168.0.121 via 62.155.242.107 dev ppp0 table 220 proto static src 192.168.0.1
> > default via 62.155.242.107 dev ppp0
> > 62.155.242.107 dev ppp0 proto kernel scope link src 87.168.251.19
> > 127.0.0.0/8 dev lo scope link
> > 169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
> > 192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.1
> > 192.168.5.0/24 dev vlan2 proto kernel scope link src 192.168.5.254
> > 192.168.9.0/24 dev wl1.1 proto kernel scope link src 192.168.9.1
> > 192.168.10.0/24 dev wl0.1 proto kernel scope link src 192.168.10.1
> > local 87.168.251.19 dev ppp0 table local proto kernel scope host src 87.168.251.19
> > broadcast 87.168.251.19 dev ppp0 table local proto kernel scope link src 87.168.251.19
> > broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> > local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> > local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> > broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> > broadcast 169.254.0.0 dev br0 table local proto kernel scope link src 169.254.255.1
> > local 169.254.255.1 dev br0 table local proto kernel scope host src 169.254.255.1
> > broadcast 169.254.255.255 dev br0 table local proto kernel scope link src 169.254.255.1
> > broadcast 192.168.0.0 dev br0 table local proto kernel scope link src 192.168.0.1
> > local 192.168.0.1 dev br0 table local proto kernel scope host src 192.168.0.1
> > broadcast 192.168.0.255 dev br0 table local proto kernel scope link src 192.168.0.1
> > broadcast 192.168.5.0 dev vlan2 table local proto kernel scope link src 192.168.5.254
> > local 192.168.5.254 dev vlan2 table local proto kernel scope host src 192.168.5.254
> > broadcast 192.168.5.255 dev vlan2 table local proto kernel scope link src 192.168.5.254
> > broadcast 192.168.9.0 dev wl1.1 table local proto kernel scope link src 192.168.9.1
> > local 192.168.9.1 dev wl1.1 table local proto kernel scope host src 192.168.9.1
> > broadcast 192.168.9.255 dev wl1.1 table local proto kernel scope link src 192.168.9.1
> > broadcast 192.168.10.0 dev wl0.1 table local proto kernel scope link src 192.168.10.1
> > local 192.168.10.1 dev wl0.1 table local proto kernel scope host src 192.168.10.1
> > broadcast 192.168.10.255 dev wl0.1 table local proto kernel scope link src 192.168.10.1
> > unreachable default dev lo table unspec proto kernel metric -1 error -101
> > fe80::/64 dev eth0 proto kernel metric 256
> > fe80::/64 dev vlan1 proto kernel metric 256
> > fe80::/64 dev br0 proto kernel metric 256
> > fe80::/64 dev eth1 proto kernel metric 256
> > fe80::/64 dev wl0.1 proto kernel metric 256
> > fe80::/64 dev eth2 proto kernel metric 256
> > fe80::/64 dev wl1.1 proto kernel metric 256
> > fe80::/64 dev vlan2 proto kernel metric 256
> > unreachable default dev lo table unspec proto kernel metric -1 error -101
> > local ::1 dev lo table local proto none metric 0
> > local fe80::a063:91ff:feea:2e17 dev lo table local proto none metric 0
> > local fe80::a063:91ff:feea:2e18 dev lo table local proto none metric 0
> > local fe80::a263:91ff:feea:2e14 dev lo table local proto none metric 0
> > local fe80::a263:91ff:feea:2e14 dev lo table local proto none metric 0
> > local fe80::a263:91ff:feea:2e15 dev lo table local proto none metric 0
> > local fe80::a263:91ff:feea:2e16 dev lo table local proto none metric 0
> > local fe80::a263:91ff:feea:2e16 dev lo table local proto none metric 0
> > local fe80::a263:91ff:feea:2e17 dev lo table local proto none metric 0
> > ff00::/8 dev eth0 table local metric 256
> > ff00::/8 dev vlan1 table local metric 256
> > ff00::/8 dev br0 table local metric 256
> > ff00::/8 dev eth1 table local metric 256
> > ff00::/8 dev wl0.1 table local metric 256
> > ff00::/8 dev eth2 table local metric 256
> > ff00::/8 dev wl1.1 table local metric 256
> > ff00::/8 dev vlan2 table local metric 256
> > unreachable default dev lo table unspec proto kernel metric -1 error -101
> > root at titan:~# ip rule
> > 0: from all lookup local
> > 220: from all lookup 220
> > 32766: from all lookup main
> > 32767: from all lookup default
> > root at titan:~# sysctl -A | grep rp_filter
> > net.ipv4.conf.all.arp_filter = 0
> > net.ipv4.conf.all.rp_filter = 2
> > net.ipv4.conf.br0.arp_filter = 0
> > net.ipv4.conf.br0.rp_filter = 2
> > net.ipv4.conf.default.arp_filter = 0
> > net.ipv4.conf.default.rp_filter = 2
> > net.ipv4.conf.eth0.arp_filter = 0
> > net.ipv4.conf.eth0.rp_filter = 2
> > net.ipv4.conf.eth1.arp_filter = 0
> > net.ipv4.conf.eth1.rp_filter = 2
> > net.ipv4.conf.eth2.arp_filter = 0
> > net.ipv4.conf.eth2.rp_filter = 2
> > net.ipv4.conf.lo.arp_filter = 0
> > net.ipv4.conf.lo.rp_filter = 2
> > net.ipv4.conf.ppp0.arp_filter = 0
> > net.ipv4.conf.ppp0.rp_filter = 2
> > net.ipv4.conf.teql0.arp_filter = 0
> > net.ipv4.conf.teql0.rp_filter = 2
> > net.ipv4.conf.vlan1.arp_filter = 0
> > net.ipv4.conf.vlan1.rp_filter = 2
> > net.ipv4.conf.vlan2.arp_filter = 0
> > net.ipv4.conf.vlan2.rp_filter = 2
> > net.ipv4.conf.wl0.1.arp_filter = 0
> > net.ipv4.conf.wl0.1.rp_filter = 2
> > net.ipv4.conf.wl1.1.arp_filter = 0
> > net.ipv4.conf.wl1.1.rp_filter = 2
> >
> >>> Just a dynamic ip, who cares.
> >>
> >> Enough people that it's RFC'd[1].
> >
> > Sure but it doesn't hurt and makes sure you got the right info.
> >
> >> Kind regards
> >>
> >> Noel
> >>
> >> [1] https://tools.ietf.org/html/rfc1918#section-3
> >>
> >> On 05.09.2017 11:06, Ric S wrote:
> >>> Current configs now:
> >>>
> >>> strongswan.conf:
> >>>
> >>> charon {
> >>>     plugins {
> >>>         dhcp {
> >>>             force_server_address = yes
> >>>             server = 192.168.0.1
> >>>             identity_lease = yes
> >>>         }
> >>>         farp {
> >>>             load = yes
> >>>         }
> >>>     }
> >>> }
> >>>
> >>> dns1 = 8.8.8.8
> >>> dns1 = 8.8.8.4
> >>>
> >>> ipsec.conf:
> >>>
> >>> config setup
> >>>
> >>> charondebug="net 2, knl 2, cfg 2"
> >>>
> >>> conn ikev2
> >>>
> >>> keyexchange=ikev2
> >>> ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes2
> >>> esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm
> >>> dpdaction=clear
> >>> dpddelay=60s
> >>> leftfirewall=yes
> >>> lefthostaccess=yes
> >>> leftid=carone.ddns.net
> >>> leftsubnet=192.168.0.0/24
> >>> leftcert=host-vpn.der
> >>> leftsendcert=always
> >>> right=%any
> >>> rightauth=eap-tls
> >>> rightsourceip=%dhcp
> >>> eap_identity=%any
> >>> auto=add
> >>>
> >>> On Tuesday, 5 September 2017 04:54:31 CEST you wrote:
> >>>> Hi,
> >>>>
> >>>>> type=passthrough
> >>>
> >>> Removed it, also did not use it previous attempts.
> >>>
> >>>> You're sabotaging yourself. There is no IPsec processing happening with
> >>>> type=passthrough
> >>>>
> >>>>> threads = 8
> >>>
> >>> Removed.
> >>>
> >>>> You're doing it again. That can lock up the daemon later. Don't do
> >>>> that.
> >>>> Luckily, the setting is outside the valid configuration block, so it's
> >>>> invalid and ignored.
> >>>>
> >>>>> interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
> >>>
> >>> I removed it. Just for the record these are my interfaces:
> >>>
> >>> ifconfig
> >>> br0       Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
> >>>           inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
> >>>           inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:5108 errors:0 dropped:0 overruns:0 frame:0
> >>>           TX packets:4497 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:1000
> >>>           RX bytes:585507 (571.7 KiB)  TX bytes:3738948 (3.5 MiB)
> >>>
> >>> br0:0     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
> >>>           inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>
> >>> eth0      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:14
> >>>           inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:12075 errors:0 dropped:0 overruns:0 frame:0
> >>>           TX packets:12590 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:1000
> >>>           RX bytes:1941972 (1.8 MiB)  TX bytes:9910375 (9.4 MiB)
> >>>           Interrupt:179 Base address:0x4000
> >>>
> >>> eth1      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
> >>>           inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:7541
> >>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:1000
> >>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> >>>           Interrupt:163
> >>>
> >>> eth2      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:17
> >>>           inet6 addr: fe80::a263:91ff:feea:2e17/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:1000
> >>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> >>>           Interrupt:169
> >>>
> >>> lo        Link encap:Local Loopback
> >>>           inet addr:127.0.0.1  Mask:255.0.0.0
> >>>           inet6 addr: ::1/128 Scope:Host
> >>>           UP LOOPBACK RUNNING MULTICAST  MTU:65536  Metric:1
> >>>           RX packets:425 errors:0 dropped:0 overruns:0 frame:0
> >>>           TX packets:425 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:1
> >>>           RX bytes:53057 (51.8 KiB)  TX bytes:53057 (51.8 KiB)
> >>>
> >>> ppp0      Link encap:Point-to-Point Protocol
> >>>           inet addr:87.168.251.19  P-t-P:62.155.242.107  Mask:255.255.255.255
> >>>           UP POINTOPOINT RUNNING MULTICAST  MTU:1492  Metric:1
> >>>           RX packets:1010 errors:0 dropped:0 overruns:0 frame:0
> >>>           TX packets:1092 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:3
> >>>           RX bytes:470447 (459.4 KiB)  TX bytes:160357 (156.5 KiB)
> >>>
> >>> vlan1     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:14
> >>>           inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:9247 errors:0 dropped:0 overruns:0 frame:0
> >>>           TX packets:9767 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:0
> >>>           RX bytes:759337 (741.5 KiB)  TX bytes:9462367 (9.0 MiB)
> >>>
> >>> vlan2     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:15
> >>>           inet6 addr: fe80::a263:91ff:feea:2e15/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:2828 errors:0 dropped:3 overruns:0 frame:0
> >>>           TX packets:2815 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:0
> >>>           RX bytes:916985 (895.4 KiB)  TX bytes:397032 (387.7 KiB)
> >>>
> >>> vlan2:0   Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:15
> >>>           inet addr:192.168.5.254  Bcast:192.168.5.255  Mask:255.255.255.0
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>
> >>> wl0.1     Link encap:Ethernet  HWaddr A2:XX:XX:XX:XX:17
> >>>           inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
> >>>           inet6 addr: fe80::a063:91ff:feea:2e17/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:3615 errors:0 dropped:5 overruns:0 frame:7541
> >>>           TX packets:3989 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:1000
> >>>           RX bytes:538878 (526.2 KiB)  TX bytes:998737 (975.3 KiB)
> >>>
> >>> wl1.1     Link encap:Ethernet  HWaddr A2:XX:XX:XX:XX:18
> >>>           inet addr:192.168.9.1  Bcast:192.168.9.255  Mask:255.255.255.0
> >>>           inet6 addr: fe80::a063:91ff:feea:2e18/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:1000
> >>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> >>>>
> >>>> Unnecessary.
> >>>>
> >>>>> left=%defaultroute
> >>>
> >>> Removed.
> >>>
> >>>> Unnecessary.
> >>>>
> >>>>> kernel-pfkey
> >>>>
> >>>> Plugin for the legacy IPsec API. Don't use it.
> >>>>
> >>>>> ping R6400
> >>>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
> >>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
> >>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
> >>>
> >>> Just a dynamic ip, who cares.
> >>>
> >>>> Your next hop is sending that error. You're leaking private address
> >>>> into
> >>>> the WAN. That is forbidden. Don't do that.
> >>>>
> >>>>> Routers iptable output:
> >>>>>
> >>>>> iptables -vnL
> >>>>
> >>>> The output is unusable. Provide the output of `iptables-save`.
> >>>
> >>> I disabled a few features, e.g. QOS in order to reduce the output
> >>>
> >>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> >>> *raw
> >>>
> >>> :PREROUTING ACCEPT [12217:1705679]
> >>> :OUTPUT ACCEPT [9354:9118762]
> >>>
> >>> COMMIT
> >>> # Completed on Tue Sep 5 10:42:27 2017
> >>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> >>> *nat
> >>>
> >>> :PREROUTING ACCEPT [285:28593]
> >>> :INPUT ACCEPT [604:43260]
> >>> :OUTPUT ACCEPT [47:3676]
> >>> :POSTROUTING ACCEPT [47:3676]
> >>>
> >>> -A PREROUTING -d 87.168.251.19 -p icmp -j DNAT --to-destination 192.168.0.1
> >>> -A PREROUTING -d 87.168.251.19 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
> >>> -A POSTROUTING -o vlan2 -j MASQUERADE
> >>> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
> >>> -A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
> >>> -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
> >>> -A POSTROUTING -s 192.168.9.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
> >>> COMMIT
> >>> # Completed on Tue Sep 5 10:42:27 2017
> >>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> >>> *mangle
> >>>
> >>> :PREROUTING ACCEPT [3009:537902]
> >>> :INPUT ACCEPT [8937:741571]
> >>> :FORWARD ACCEPT [2521:798226]
> >>> :OUTPUT ACCEPT [2190:2277003]
> >>> :POSTROUTING ACCEPT [11882:9919352]
> >>>
> >>> -A PREROUTING -d 87.168.251.19 -i ! ppp0 -j MARK --set-xmark 0x80000000/0x80000000
> >>> -A PREROUTING -j CONNMARK --save-mark
> >>> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> >>> COMMIT
> >>> # Completed on Tue Sep 5 10:42:27 2017
> >>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> >>> *filter
> >>>
> >>> :INPUT ACCEPT [0:0]
> >>> :FORWARD ACCEPT [0:0]
> >>> :OUTPUT ACCEPT [111:17285]
> >>> :advgrp_1 - [0:0]
> >>> :advgrp_10 - [0:0]
> >>> :advgrp_2 - [0:0]
> >>> :advgrp_3 - [0:0]
> >>> :advgrp_4 - [0:0]
> >>> :advgrp_5 - [0:0]
> >>> :advgrp_6 - [0:0]
> >>> :advgrp_7 - [0:0]
> >>> :advgrp_8 - [0:0]
> >>> :advgrp_9 - [0:0]
> >>> :grp_1 - [0:0]
> >>> :grp_10 - [0:0]
> >>> :grp_2 - [0:0]
> >>> :grp_3 - [0:0]
> >>> :grp_4 - [0:0]
> >>> :grp_5 - [0:0]
> >>> :grp_6 - [0:0]
> >>> :grp_7 - [0:0]
> >>> :grp_8 - [0:0]
> >>> :grp_9 - [0:0]
> >>> :lan2wan - [0:0]
> >>> :logaccept - [0:0]
> >>> :logdrop - [0:0]
> >>> :logreject - [0:0]
> >>> :trigger_out - [0:0]
> >>>
> >>> -A INPUT -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> >>> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> >>> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> >>> -A INPUT -s 66.220.2.74 -p icmp -j ACCEPT
> >>> -A INPUT -m state --state RELATED,ESTABLISHED -j logaccept
> >>> -A INPUT -i ppp0 -p udp -m udp --dport 520 -j logdrop
> >>> -A INPUT -i br0 -p udp -m udp --dport 520 -j logdrop
> >>> -A INPUT -p udp -m udp --dport 520 -j logaccept
> >>> -A INPUT -i br0 -j logaccept
> >>> -A INPUT -i ppp0 -p icmp -j logdrop
> >>> -A INPUT -p igmp -j logdrop
> >>> -A INPUT -i lo -m state --state NEW -j ACCEPT
> >>> -A INPUT -i br0 -m state --state NEW -j logaccept
> >>> -A INPUT -i wl0.1 -p udp -m udp --dport 67 -j logaccept
> >>> -A INPUT -i wl0.1 -p udp -m udp --dport 53 -j logaccept
> >>> -A INPUT -i wl0.1 -p tcp -m tcp --dport 53 -j logaccept
> >>> -A INPUT -i wl0.1 -m state --state NEW -j logdrop
> >>> -A INPUT -i wl0.1 -j logaccept
> >>> -A INPUT -i wl1.1 -p udp -m udp --dport 67 -j logaccept
> >>> -A INPUT -i wl1.1 -p udp -m udp --dport 53 -j logaccept
> >>> -A INPUT -i wl1.1 -p tcp -m tcp --dport 53 -j logaccept
> >>> -A INPUT -i wl1.1 -m state --state NEW -j logdrop
> >>> -A INPUT -i wl1.1 -j logaccept
> >>> -A INPUT -j logdrop
> >>> -A FORWARD -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> >>> -A FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> >>> -A FORWARD -s 192.168.0.10 -d 194.25.134.46 -j ACCEPT
> >>> -A FORWARD -s 192.168.0.10 -d 194.25.134.110 -j ACCEPT
> >>> -A FORWARD -s 192.168.0.10 -j LOG
> >>> -A FORWARD -s 192.168.0.10 -j DROP
> >>> -A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
> >>> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl1.1 -m state --state NEW -j logdrop
> >>> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl0.1 -m state --state NEW -j logdrop
> >>> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p gre -j logaccept
> >>> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p tcp -m tcp --dport 1723 -j logaccept
> >>> -A FORWARD -i wl0.1 -j logaccept
> >>> -A FORWARD -i wl1.1 -j logaccept
> >>> -A FORWARD -j lan2wan
> >>> -A FORWARD -i br0 -o br0 -j logaccept
> >>> -A FORWARD -i br0 -o ppp0 -j logaccept
> >>> -A FORWARD -i ppp0 -o br0 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
> >>> -A FORWARD -i br0 -j trigger_out
> >>> -A FORWARD -i br0 -o wl0.1 -m state --state NEW -j logdrop
> >>> -A FORWARD -i br0 -o wl1.1 -m state --state NEW -j logdrop
> >>> -A FORWARD -i br0 -m state --state NEW -j logaccept
> >>> -A FORWARD -j logdrop
> >>> -A OUTPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> >>> -A OUTPUT -o br0 -j logaccept
> >>> -A logaccept -j ACCEPT
> >>> -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
> >>> -A logdrop -m state --state INVALID -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
> >>> -A logdrop -j DROP
> >>> -A logreject -j LOG --log-prefix "WEBDROP " --log-tcp-sequence --log-tcp-options --log-ip-options
> >>> -A logreject -p tcp -j REJECT --reject-with tcp-reset
> >>> COMMIT
> >>> # Completed on Tue Sep 5 10:42:27 2017
> >>>
> >>>>> I have tried so many thinsg, but still cannot ping from either side or
> >>>>> access
> >>>>> any local machines.
> >>>>> Does anyone have a clue? Can I provide additional info?
> >>>>
> >>>> You're having no success because you're trying random shit from the
> >>>> Internet. About 99,999% of the strongSwan related information on third
> >>>> party sites is either wrong or of questionable quality. Don't get your
> >>>> information from any place but the project's website.
> >>>
> >>> Well, that's what I did in the first place and it also lacks info, e.g.
> >>> it did not list all of the required kernel modules; it took me a bit to find
> >>> out which modules it needs, as it did not complain at startup but
> >>> requested features at runtime which were not there, e.g. a STD RNG.
> >>>
> >>>
> >>> Thanks for any hints, hope the above info helps.
> >>>
> >>> Cheers Richard
> >>>
> >>>> Kind regards
> >>>>
> >>>> Noel
> >>>>
> >>>> On 5 September 2017 00:53:20 CEST, Ric S <burj-al-arab at gmx.de> wrote:
> >>>>> Hi folks,
> >>>>>
> >>>>> I have been ripping my hair out with this issue.
> >>>>>
> >>>>> I'm running strongswan 5.5.3 on a router. The router's LAN subnet is
> >>>>> 192.168.0.1/24.
> >>>>> I can successfully connect to it with an iPad with IKEv2 and surf the
> >>>>> internet, but I cannot reach any internal machines.
> >>>>>
> >>>>> My config is the following:
> >>>>>
> >>>>> ipsec.conf:
> >>>>>
> >>>>> config setup
> >>>>>
> >>>>> charondebug="net 2, knl 2, cfg 2"
> >>>>>
> >>>>> conn ikev2
> >>>>>
> >>>>> keyexchange=ikev2
> >>>>>
> >>>>> ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes1
> >>>>> esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128
> >>>>>
> >>>>> dpdaction=clear
> >>>>> dpddelay=60s
> >>>>> left=%defaultroute
> >>>>> leftfirewall=yes
> >>>>> lefthostaccess=yes
> >>>>> leftid=myname.ddns.net
> >>>>> leftsubnet=192.168.0.0/24
> >>>>> leftcert=host-vpn.der
> >>>>> leftsendcert=always
> >>>>> right=%any
> >>>>> rightauth=eap-tls
> >>>>> rightsourceip=%dhcp
> >>>>> eap_identity=%any
> >>>>> type=passthrough
> >>>>> auto=add
> >>>>>
> >>>>> strongswan.conf:
> >>>>>
> >>>>> charon {
> >>>>>     interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
> >>>>>     plugins {
> >>>>>         dhcp {
> >>>>>             force_server_address = yes
> >>>>>             server = 192.168.0.1
> >>>>>             identity_lease = yes
> >>>>>         }
> >>>>>         farp {
> >>>>>             load = yes
> >>>>>         }
> >>>>>     }
> >>>>> }
> >>>>>
> >>>>> threads = 8
> >>>>> dns1 = 8.8.8.8
> >>>>> dns1 = 8.8.8.4
> >>>>>
> >>>>>
> >>>>>
> >>>>> Status:
> >>>>>
> >>>>> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.80, armv7l):
> >>>>>   uptime: 14 minutes, since Sep 05 00:09:53 2017
> >>>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
> >>>>>   loaded plugins: charon test-vectors aes des blowfish rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac sqlite attr kernel-pfkey kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-aka eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck
> >>>>> Listening IP addresses:
> >>>>>   169.254.255.1
> >>>>>   192.168.0.1
> >>>>>   87.168.243.83
> >>>>> Connections:
> >>>>>        ikev2:  %any...%any  IKEv2, dpddelay=60s
> >>>>>        ikev2:   local:  [myname.ddns.net] uses public key authentication
> >>>>>        ikev2:    cert:  "C=DE, O=MYORG, CN=myname.ddns.net"
> >>>>>        ikev2:   remote: uses EAP_TLS authentication with EAP identity '%any'
> >>>>>        ikev2:   child:  192.168.0.0/24 === dynamic PASS, dpdaction=clear
> >>>>> Security Associations (1 up, 0 connecting):
> >>>>>        ikev2[6]: ESTABLISHED 11 seconds ago, 87.168.243.83[myname.ddns.net]...109.43.1.19[R6400]
> >>>>>        ikev2[6]: IKEv2 SPIs: 243db36d71718704_i 688c466c497d2b9a_r*, public key reauthentication in 2 hours
> >>>>>        ikev2[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >>>>>        ikev2{4}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c0983fe7_i 04eb0f50_o
> >>>>>        ikev2{4}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
> >>>>>        ikev2{4}:   192.168.0.0/24 === 192.168.0.121/32
> >>>>>
> >>>>> swanctl --list-sas
> >>>>> ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*
> >>>>>   local  'myname.ddns.net' @ 87.168.243.83[4500]
> >>>>>   remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]
> >>>>>   AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >>>>>   established 92s ago, reauth in 9765s
> >>>>>   ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
> >>>>>     installed 89s ago, rekeying in 2800s, expires in 3511s
> >>>>>     in  c0983fe7,      0 bytes,     0 packets
> >>>>>     out 04eb0f50,      0 bytes,     0 packets
> >>>>>     local  192.168.0.0/24
> >>>>>     remote 192.168.0.121/32
> >>>>>
> >>>>> ip route list table 220
> >>>>> 192.168.0.121 via 62.155.242.107 dev ppp0 proto static src 192.168.0.1
> >>>>>
> >>>>> FARP seems to work, this is a ping from one of the local machines:
> >>>>>
> >>>>> ping R6400
> >>>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
> >>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
> >>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
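An added checker for the NAT problem this thread turns on (example code, not part of the thread and not from the strongSwan project). The nat POSTROUTING hook runs before the kernel's outbound IPsec policy lookup, so a LAN packet destined for the road warrior that is SNATed to the WAN address no longer matches the 192.168.0.0/24 === 192.168.0.121/32 policy and leaves ppp0 in the clear with a private destination; the ISP's next hop then answers with the Destination Host Unreachable seen in the pings above. The wiki fix referenced in the thread is an exemption inserted ahead of every SNAT/MASQUERADE rule. The script parses an iptables-save dump, reports rewrite rules that an IPsec-bound packet would hit before any such exemption, and shows the dump with the exemption inserted at the head of the chain. The embedded dump is a constructed excerpt modelled on the router's posted nat table, not the full dump; the function and file names are this example's own.

```python
"""Flag source-NAT rules that fire before an IPsec policy exemption.

Added example for this mailing-list thread; not code from the thread or
from the strongSwan project.  Reads an iptables-save dump and reports
SNAT/MASQUERADE rules in nat/POSTROUTING that precede the exemption
    -A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
"""
import shlex
import sys

# Constructed excerpt modelled on the router's posted nat table, with the
# exemption missing (the first dump in the thread had none).
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [285:28593]
:INPUT ACCEPT [604:43260]
:OUTPUT ACCEPT [47:3676]
:POSTROUTING ACCEPT [47:3676]
-A PREROUTING -d 87.168.251.19 -p icmp -j DNAT --to-destination 192.168.0.1
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
-A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
COMMIT
"""

EXEMPTION = "-A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT"


def _arg(tokens, flag):
    """Value following `flag` in a tokenised iptables rule, or None."""
    if flag in tokens and tokens.index(flag) + 1 < len(tokens):
        return tokens[tokens.index(flag) + 1]
    return None


def parse_chain(dump, table="nat", chain="POSTROUTING"):
    """Return the -A rules of one chain in one table, in order, as token lists."""
    rules, current = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
        elif line == "COMMIT":
            current = None
        elif current == table and line.startswith("-A " + chain + " "):
            rules.append(shlex.split(line)[2:])  # drop "-A <chain>"
    return rules


def is_ipsec_out_exemption(tokens):
    """-m policy --pol ipsec --dir out ... -j ACCEPT, in any option order."""
    return (_arg(tokens, "--pol") == "ipsec" and _arg(tokens, "--dir") == "out"
            and _arg(tokens, "-j") == "ACCEPT")


def is_source_rewrite(tokens):
    return _arg(tokens, "-j") in ("SNAT", "MASQUERADE")


def find_unexempted_nat(dump):
    """SNAT/MASQUERADE rules that an IPsec-bound packet reaches before any
    exemption.  A rule scoped to an interface the tunnel never uses (such as
    -o vlan2 here) is still reported: the exemption belongs at the top anyway."""
    offending, exempted = [], False
    for tokens in parse_chain(dump):
        if is_ipsec_out_exemption(tokens):
            exempted = True
        elif is_source_rewrite(tokens) and not exempted:
            offending.append(" ".join(tokens))
    return offending


def with_exemption(dump):
    """Return the dump with the exemption as the first nat POSTROUTING rule,
    which is what `iptables -t nat -I POSTROUTING ...` produces."""
    out, in_nat, inserted = [], False, False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_nat = line == "*nat"
        if in_nat and not inserted and line.startswith("-A POSTROUTING"):
            out.append(EXEMPTION)
            inserted = True
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: iptables-save | python3 check_nat_exemption.py   (or run alone)
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NAT_TABLE
    bad = find_unexempted_nat(dump)
    for rule in bad:
        print("rewrites IPsec-bound traffic before policy lookup:", rule)
    print("unexempted rules after inserting the exemption:",
          len(find_unexempted_nat(with_exemption(dump))))
```

Run against a live box with `iptables-save | python3 check_nat_exemption.py`; on the sample it reports all three rewrite rules and zero once the exemption is at the head of the chain. The check is deliberately order-based rather than address-based, because the kernel applies nat before consulting the SPD, so only a rule that precedes every rewrite is safe.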