[strongSwan] Cannot ping machines on remote local network

Ric S burj-al-arab at gmx.de
Tue Sep 5 16:33:37 CEST 2017


On Tuesday, 5 September 2017 12:36:47 CEST Noel Kuntze wrote:
> Hi,
> 
> I just noticed that your NAT rules cause problems if you try to initiate
> connections to the RW, too. Read and apply the advice from the article
> about NAT problems[1].



I added :

iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT

I noticed that when I ping the iPad from the LAN I now see that packets are matching, and the ping behaviour changes:

Chain POSTROUTING (policy ACCEPT 1320 packets, 89681 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    84 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir out pol ipsec 

before adding the rule:

ping R6400
PING R6400 (192.168.0.121) 56(84) bytes of data.
From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
From 62.155.242.107 (62.155.242.107) icmp_seq=3 Destination Host Unreachable


after adding the rule:

ping R6400
PING R6400 (192.168.0.121) 56(84) bytes of data.
hangs here

Thus this rule most likely is one part of the solution. 

Now I set up a second client, Win7. Unlike iOS, surfing the net does not work, and with Wireshark I see incoming TCP retransmission messages; it looks
like there is an issue with MTU/MSS? I also managed to get one ping through the tunnel to a LAN machine.

What is the best way to specify MTU sizes etc. in strongSwan?

> 
> Kind regards
> 
> Noel
> 
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems
> On 05.09.2017 12:32, Ric S wrote:
> > On Tuesday, 5 September 2017 11:28:59 CEST Noel Kuntze wrote:
> >> Hi,
> >> 
> >>> ifconfig
> >> 
> >> Please don't use the net-tools. Use iproute2. The net-tools are woefully
> >> inadequate for this day and age. They are deprecated since the early
> >> 2000s.
> >> 
> >> Please provide the output of `ip address`, `ip route show table all`, `ip
> >> rule` and `sysctl -A | grep rp_filter`.
> >> 
> >> I suspect that at least the rp_filter needs to be set to 2.
> > 
> > I just set all interfaces to 2, still no go.
> > 
> > 
> > 
> > root@titan:~# ip address
> > 1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 65536 qdisc noqueue qlen 1
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> >        valid_lft forever preferred_lft forever
> >     inet6 ::1/128 scope host
> >        valid_lft forever preferred_lft forever
> > 2: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
> >     link/void
> > 3: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
> >     link/ether a0:63:91:ea:2e:14 brd ff:ff:ff:ff:ff:ff
> >     inet6 fe80::a263:91ff:feea:2e14/64 scope link
> >        valid_lft forever preferred_lft forever
> > 4: vlan1@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue master br0
> >     link/ether a0:63:91:ea:2e:14 brd ff:ff:ff:ff:ff:ff
> >     inet6 fe80::a263:91ff:feea:2e14/64 scope link
> >        valid_lft forever preferred_lft forever
> > 5: vlan2@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
> >     link/ether a0:63:91:ea:2e:15 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.5.254/24 brd 192.168.5.255 scope global vlan2:0
> >        valid_lft forever preferred_lft forever
> >     inet6 fe80::a263:91ff:feea:2e15/64 scope link
> >        valid_lft forever preferred_lft forever
> > 6: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel master br0 qlen 1000
> >     link/ether a0:63:91:ea:2e:16 brd ff:ff:ff:ff:ff:ff
> >     inet6 fe80::a263:91ff:feea:2e16/64 scope link
> >        valid_lft forever preferred_lft forever
> > 7: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel master br0 qlen 1000
> >     link/ether a0:63:91:ea:2e:17 brd ff:ff:ff:ff:ff:ff
> >     inet6 fe80::a263:91ff:feea:2e17/64 scope link
> >        valid_lft forever preferred_lft forever
> > 9: wl0.1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
> >     link/ether a2:63:91:ea:2e:17 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.10.1/24 brd 192.168.10.255 scope global wl0.1
> >        valid_lft forever preferred_lft forever
> >     inet6 fe80::a063:91ff:feea:2e17/64 scope link
> >        valid_lft forever preferred_lft forever
> > 10: wl1.1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
> >     link/ether a2:63:91:ea:2e:18 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.9.1/24 brd 192.168.9.255 scope global wl1.1
> >        valid_lft forever preferred_lft forever
> >     inet6 fe80::a063:91ff:feea:2e18/64 scope link
> >        valid_lft forever preferred_lft forever
> > 12: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue qlen 1000
> >     link/ether a0:63:91:ea:2e:16 brd ff:ff:ff:ff:ff:ff
> >     inet 169.254.255.1/16 brd 169.254.255.255 scope global br0:0
> >        valid_lft forever preferred_lft forever
> >     inet 192.168.0.1/24 brd 192.168.0.255 scope global br0
> >        valid_lft forever preferred_lft forever
> >     inet6 fe80::a263:91ff:feea:2e16/64 scope link
> >        valid_lft forever preferred_lft forever
> > 13: ppp0: <POINTOPOINT,MULTICAST,UP,10000> mtu 1492 qdisc fq_codel qlen 3
> >     link/ppp
> >     inet 87.168.251.19 peer 62.155.242.107/32 brd 87.168.251.19 scope global ppp0
> >        valid_lft forever preferred_lft forever
> > 
> > root@titan:~# ip route show table all
> > 192.168.0.121 via 62.155.242.107 dev ppp0  table 220  proto static  src 192.168.0.1
> > default via 62.155.242.107 dev ppp0
> > 62.155.242.107 dev ppp0  proto kernel  scope link  src 87.168.251.19
> > 127.0.0.0/8 dev lo  scope link
> > 169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1
> > 192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.1
> > 192.168.5.0/24 dev vlan2  proto kernel  scope link  src 192.168.5.254
> > 192.168.9.0/24 dev wl1.1  proto kernel  scope link  src 192.168.9.1
> > 192.168.10.0/24 dev wl0.1  proto kernel  scope link  src 192.168.10.1
> > local 87.168.251.19 dev ppp0  table local  proto kernel  scope host  src 87.168.251.19
> > broadcast 87.168.251.19 dev ppp0  table local  proto kernel  scope link  src 87.168.251.19
> > broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
> > local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
> > local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
> > broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
> > broadcast 169.254.0.0 dev br0  table local  proto kernel  scope link  src 169.254.255.1
> > local 169.254.255.1 dev br0  table local  proto kernel  scope host  src 169.254.255.1
> > broadcast 169.254.255.255 dev br0  table local  proto kernel  scope link  src 169.254.255.1
> > broadcast 192.168.0.0 dev br0  table local  proto kernel  scope link  src 192.168.0.1
> > local 192.168.0.1 dev br0  table local  proto kernel  scope host  src 192.168.0.1
> > broadcast 192.168.0.255 dev br0  table local  proto kernel  scope link  src 192.168.0.1
> > broadcast 192.168.5.0 dev vlan2  table local  proto kernel  scope link  src 192.168.5.254
> > local 192.168.5.254 dev vlan2  table local  proto kernel  scope host  src 192.168.5.254
> > broadcast 192.168.5.255 dev vlan2  table local  proto kernel  scope link  src 192.168.5.254
> > broadcast 192.168.9.0 dev wl1.1  table local  proto kernel  scope link  src 192.168.9.1
> > local 192.168.9.1 dev wl1.1  table local  proto kernel  scope host  src 192.168.9.1
> > broadcast 192.168.9.255 dev wl1.1  table local  proto kernel  scope link  src 192.168.9.1
> > broadcast 192.168.10.0 dev wl0.1  table local  proto kernel  scope link  src 192.168.10.1
> > local 192.168.10.1 dev wl0.1  table local  proto kernel  scope host  src 192.168.10.1
> > broadcast 192.168.10.255 dev wl0.1  table local  proto kernel  scope link  src 192.168.10.1
> > unreachable default dev lo  table unspec  proto kernel  metric -1  error -101
> > fe80::/64 dev eth0  proto kernel  metric 256
> > fe80::/64 dev vlan1  proto kernel  metric 256
> > fe80::/64 dev br0  proto kernel  metric 256
> > fe80::/64 dev eth1  proto kernel  metric 256
> > fe80::/64 dev wl0.1  proto kernel  metric 256
> > fe80::/64 dev eth2  proto kernel  metric 256
> > fe80::/64 dev wl1.1  proto kernel  metric 256
> > fe80::/64 dev vlan2  proto kernel  metric 256
> > unreachable default dev lo  table unspec  proto kernel  metric -1  error -101
> > local ::1 dev lo  table local  proto none  metric 0
> > local fe80::a063:91ff:feea:2e17 dev lo  table local  proto none  metric 0
> > local fe80::a063:91ff:feea:2e18 dev lo  table local  proto none  metric 0
> > local fe80::a263:91ff:feea:2e14 dev lo  table local  proto none  metric 0
> > local fe80::a263:91ff:feea:2e14 dev lo  table local  proto none  metric 0
> > local fe80::a263:91ff:feea:2e15 dev lo  table local  proto none  metric 0
> > local fe80::a263:91ff:feea:2e16 dev lo  table local  proto none  metric 0
> > local fe80::a263:91ff:feea:2e16 dev lo  table local  proto none  metric 0
> > local fe80::a263:91ff:feea:2e17 dev lo  table local  proto none  metric 0
> > ff00::/8 dev eth0  table local  metric 256
> > ff00::/8 dev vlan1  table local  metric 256
> > ff00::/8 dev br0  table local  metric 256
> > ff00::/8 dev eth1  table local  metric 256
> > ff00::/8 dev wl0.1  table local  metric 256
> > ff00::/8 dev eth2  table local  metric 256
> > ff00::/8 dev wl1.1  table local  metric 256
> > ff00::/8 dev vlan2  table local  metric 256
> > unreachable default dev lo  table unspec  proto kernel  metric -1  error -101
> > root@titan:~# ip rule
> > 0:      from all lookup local
> > 220:    from all lookup 220
> > 32766:  from all lookup main
> > 32767:  from all lookup default
> > root@titan:~# sysctl -A | grep rp_filter
> > net.ipv4.conf.all.arp_filter = 0
> > net.ipv4.conf.all.rp_filter = 2
> > net.ipv4.conf.br0.arp_filter = 0
> > net.ipv4.conf.br0.rp_filter = 2
> > net.ipv4.conf.default.arp_filter = 0
> > net.ipv4.conf.default.rp_filter = 2
> > net.ipv4.conf.eth0.arp_filter = 0
> > net.ipv4.conf.eth0.rp_filter = 2
> > net.ipv4.conf.eth1.arp_filter = 0
> > net.ipv4.conf.eth1.rp_filter = 2
> > net.ipv4.conf.eth2.arp_filter = 0
> > net.ipv4.conf.eth2.rp_filter = 2
> > net.ipv4.conf.lo.arp_filter = 0
> > net.ipv4.conf.lo.rp_filter = 2
> > net.ipv4.conf.ppp0.arp_filter = 0
> > net.ipv4.conf.ppp0.rp_filter = 2
> > net.ipv4.conf.teql0.arp_filter = 0
> > net.ipv4.conf.teql0.rp_filter = 2
> > net.ipv4.conf.vlan1.arp_filter = 0
> > net.ipv4.conf.vlan1.rp_filter = 2
> > net.ipv4.conf.vlan2.arp_filter = 0
> > net.ipv4.conf.vlan2.rp_filter = 2
> > net.ipv4.conf.wl0.1.arp_filter = 0
> > net.ipv4.conf.wl0.1.rp_filter = 2
> > net.ipv4.conf.wl1.1.arp_filter = 0
> > net.ipv4.conf.wl1.1.rp_filter = 2
> > 
> >>> Just a dynamic ip, who cares.
> >> 
> >> Enough people that it's RFC'd[1].
> > 
> > Sure but it doesn't hurt and makes sure you got the right info.
> > 
> >> Kind regards
> >> 
> >> Noel
> >> 
> >> [1] https://tools.ietf.org/html/rfc1918#section-3
> >> 
> >> On 05.09.2017 11:06, Ric S wrote:
> >>> Current configs now:
> >>> 
> >>> strongswan.conf:
> >>> 
> >>> charon {
> >>> plugins {
> >>> 
> >>>         dhcp {
> >>>         force_server_address = yes
> >>>         server = 192.168.0.1
> >>>         identity_lease = yes
> >>>         }
> >>>         farp {
> >>>         load = yes
> >>>         }
> >>> 
> >>> }}
> >>> 
> >>> dns1 = 8.8.8.8
> >>> dns1 = 8.8.8.4
> >>> 
> >>> ipsec.conf:
> >>> 
> >>> config setup
> >>> 
> >>>  charondebug="net 2, knl 2, cfg 2"
> >>> 
> >>> conn ikev2
> >>> 
> >>>  keyexchange=ikev2
> >>>  ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes2
> >>>  esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm
> >>>  dpdaction=clear
> >>>  dpddelay=60s
> >>>  leftfirewall=yes
> >>>  lefthostaccess=yes
> >>>  leftid=carone.ddns.net
> >>>  leftsubnet=192.168.0.0/24
> >>>  leftcert=host-vpn.der
> >>>  leftsendcert=always
> >>>  right=%any
> >>>  rightauth=eap-tls
> >>>  rightsourceip=%dhcp
> >>>  eap_identity=%any
> >>>  auto=add
> >>> 
> >>> On Tuesday, 5 September 2017 04:54:31 CEST you wrote:
> >>>> Hi,
> >>>> 
> >>>>> type=passthrough
> >>> 
> >>> Removed it; I also did not use it in previous attempts.
> >>> 
> >>>> You're sabotaging yourself. There is no IPsec processing happening with
> >>>> type=passthrough
> >>>> 
> >>>>> threads = 8
> >>> 
> >>> Removed.
> >>> 
> >>>> You're doing it again. That can lock up the daemon later. Don't do
> >>>> that.
> >>>> Luckily, the setting is outside the valid configuration block, so it's
> >>>> invalid and ignored.
> >>>> 
> >>>>> interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
> >>> 
> >>> I removed it. Just for the record these are my interfaces:
> >>> 
> >>> ifconfig
> >>> br0       Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
> >>>           inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
> >>>           inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:5108 errors:0 dropped:0 overruns:0 frame:0
> >>>           TX packets:4497 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:1000
> >>>           RX bytes:585507 (571.7 KiB)  TX bytes:3738948 (3.5 MiB)
> >>> 
> >>> br0:0     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
> >>>           inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>> 
> >>> eth0      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:14
> >>>           inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:12075 errors:0 dropped:0 overruns:0 frame:0
> >>>           TX packets:12590 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:1000
> >>>           RX bytes:1941972 (1.8 MiB)  TX bytes:9910375 (9.4 MiB)
> >>>           Interrupt:179 Base address:0x4000
> >>> 
> >>> eth1      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
> >>>           inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:7541
> >>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:1000
> >>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> >>>           Interrupt:163
> >>> 
> >>> eth2      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:17
> >>>           inet6 addr: fe80::a263:91ff:feea:2e17/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:1000
> >>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> >>>           Interrupt:169
> >>> 
> >>> lo        Link encap:Local Loopback
> >>>           inet addr:127.0.0.1  Mask:255.0.0.0
> >>>           inet6 addr: ::1/128 Scope:Host
> >>>           UP LOOPBACK RUNNING MULTICAST  MTU:65536  Metric:1
> >>>           RX packets:425 errors:0 dropped:0 overruns:0 frame:0
> >>>           TX packets:425 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:1
> >>>           RX bytes:53057 (51.8 KiB)  TX bytes:53057 (51.8 KiB)
> >>> 
> >>> ppp0      Link encap:Point-to-Point Protocol
> >>>           inet addr:87.168.251.19  P-t-P:62.155.242.107  Mask:255.255.255.255
> >>>           UP POINTOPOINT RUNNING MULTICAST  MTU:1492  Metric:1
> >>>           RX packets:1010 errors:0 dropped:0 overruns:0 frame:0
> >>>           TX packets:1092 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:3
> >>>           RX bytes:470447 (459.4 KiB)  TX bytes:160357 (156.5 KiB)
> >>> 
> >>> vlan1     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:14
> >>>           inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:9247 errors:0 dropped:0 overruns:0 frame:0
> >>>           TX packets:9767 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:0
> >>>           RX bytes:759337 (741.5 KiB)  TX bytes:9462367 (9.0 MiB)
> >>> 
> >>> vlan2     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:15
> >>>           inet6 addr: fe80::a263:91ff:feea:2e15/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:2828 errors:0 dropped:3 overruns:0 frame:0
> >>>           TX packets:2815 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:0
> >>>           RX bytes:916985 (895.4 KiB)  TX bytes:397032 (387.7 KiB)
> >>> 
> >>> vlan2:0   Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:15
> >>>           inet addr:192.168.5.254  Bcast:192.168.5.255  Mask:255.255.255.0
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>> 
> >>> wl0.1     Link encap:Ethernet  HWaddr A2:XX:XX:XX:XX:17
> >>>           inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
> >>>           inet6 addr: fe80::a063:91ff:feea:2e17/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:3615 errors:0 dropped:5 overruns:0 frame:7541
> >>>           TX packets:3989 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:1000
> >>>           RX bytes:538878 (526.2 KiB)  TX bytes:998737 (975.3 KiB)
> >>> 
> >>> wl1.1     Link encap:Ethernet  HWaddr A2:XX:XX:XX:XX:18
> >>>           inet addr:192.168.9.1  Bcast:192.168.9.255  Mask:255.255.255.0
> >>>           inet6 addr: fe80::a063:91ff:feea:2e18/64 Scope:Link
> >>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >>>           collisions:0 txqueuelen:1000
> >>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> >>>> 
> >>>> Unnecessary.
> >>>> 
> >>>>> left=%defaultroute
> >>> 
> >>> Removed.
> >>> 
> >>>> Unnecessary.
> >>>> 
> >>>>> kernel-pfkey
> >>>> 
> >>>> Plugin for the legacy IPsec API. Don't use it.
> >>>> 
> >>>>> ping R6400
> >>>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
> >>>>> 
> >>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
> >>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
> >>> 
> >>> Just a dynamic ip, who cares.
> >>> 
> >>>> Your next hop is sending that error. You're leaking private addresses
> >>>> into the WAN. That is forbidden. Don't do that.
> >>>> 
> >>>>> Routers iptable output:
> >>>>> 
> >>>>> iptables -vnL
> >>>> 
> >>>> The output is unusable. Provide the output of `iptables-save`.
> >>> 
> >>> I disabled a few features, e.g. QoS, in order to reduce the output:
> >>> 
> >>> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
> >>> *raw
> >>> 
> >>> :PREROUTING ACCEPT [12217:1705679]
> >>> :OUTPUT ACCEPT [9354:9118762]
> >>> 
> >>> COMMIT
> >>> # Completed on Tue Sep  5 10:42:27 2017
> >>> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
> >>> *nat
> >>> 
> >>> :PREROUTING ACCEPT [285:28593]
> >>> :INPUT ACCEPT [604:43260]
> >>> :OUTPUT ACCEPT [47:3676]
> >>> :POSTROUTING ACCEPT [47:3676]
> >>> 
> >>> -A PREROUTING -d 87.168.251.19 -p icmp -j DNAT --to-destination 192.168.0.1
> >>> -A PREROUTING -d 87.168.251.19 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
> >>> -A POSTROUTING -o vlan2 -j MASQUERADE
> >>> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
> >>> -A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
> >>> -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
> >>> -A POSTROUTING -s 192.168.9.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
> >>> COMMIT
> >>> # Completed on Tue Sep  5 10:42:27 2017
> >>> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
> >>> *mangle
> >>> 
> >>> :PREROUTING ACCEPT [3009:537902]
> >>> :INPUT ACCEPT [8937:741571]
> >>> :FORWARD ACCEPT [2521:798226]
> >>> :OUTPUT ACCEPT [2190:2277003]
> >>> :POSTROUTING ACCEPT [11882:9919352]
> >>> 
> >>> -A PREROUTING -d 87.168.251.19 -i ! ppp0 -j MARK --set-xmark 0x80000000/0x80000000
> >>> -A PREROUTING -j CONNMARK --save-mark
> >>> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> >>> COMMIT
> >>> # Completed on Tue Sep  5 10:42:27 2017
> >>> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
> >>> *filter
> >>> 
> >>> :INPUT ACCEPT [0:0]
> >>> :FORWARD ACCEPT [0:0]
> >>> :OUTPUT ACCEPT [111:17285]
> >>> :advgrp_1 - [0:0]
> >>> :advgrp_10 - [0:0]
> >>> :advgrp_2 - [0:0]
> >>> :advgrp_3 - [0:0]
> >>> :advgrp_4 - [0:0]
> >>> :advgrp_5 - [0:0]
> >>> :advgrp_6 - [0:0]
> >>> :advgrp_7 - [0:0]
> >>> :advgrp_8 - [0:0]
> >>> :advgrp_9 - [0:0]
> >>> :grp_1 - [0:0]
> >>> :grp_10 - [0:0]
> >>> :grp_2 - [0:0]
> >>> :grp_3 - [0:0]
> >>> :grp_4 - [0:0]
> >>> :grp_5 - [0:0]
> >>> :grp_6 - [0:0]
> >>> :grp_7 - [0:0]
> >>> :grp_8 - [0:0]
> >>> :grp_9 - [0:0]
> >>> :lan2wan - [0:0]
> >>> :logaccept - [0:0]
> >>> :logdrop - [0:0]
> >>> :logreject - [0:0]
> >>> :trigger_out - [0:0]
> >>> 
> >>> -A INPUT -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> >>> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> >>> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> >>> -A INPUT -s 66.220.2.74 -p icmp -j ACCEPT
> >>> -A INPUT -m state --state RELATED,ESTABLISHED -j logaccept
> >>> -A INPUT -i ppp0 -p udp -m udp --dport 520 -j logdrop
> >>> -A INPUT -i br0 -p udp -m udp --dport 520 -j logdrop
> >>> -A INPUT -p udp -m udp --dport 520 -j logaccept
> >>> -A INPUT -i br0 -j logaccept
> >>> -A INPUT -i ppp0 -p icmp -j logdrop
> >>> -A INPUT -p igmp -j logdrop
> >>> -A INPUT -i lo -m state --state NEW -j ACCEPT
> >>> -A INPUT -i br0 -m state --state NEW -j logaccept
> >>> -A INPUT -i wl0.1 -p udp -m udp --dport 67 -j logaccept
> >>> -A INPUT -i wl0.1 -p udp -m udp --dport 53 -j logaccept
> >>> -A INPUT -i wl0.1 -p tcp -m tcp --dport 53 -j logaccept
> >>> -A INPUT -i wl0.1 -m state --state NEW -j logdrop
> >>> -A INPUT -i wl0.1 -j logaccept
> >>> -A INPUT -i wl1.1 -p udp -m udp --dport 67 -j logaccept
> >>> -A INPUT -i wl1.1 -p udp -m udp --dport 53 -j logaccept
> >>> -A INPUT -i wl1.1 -p tcp -m tcp --dport 53 -j logaccept
> >>> -A INPUT -i wl1.1 -m state --state NEW -j logdrop
> >>> -A INPUT -i wl1.1 -j logaccept
> >>> -A INPUT -j logdrop
> >>> -A FORWARD -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> >>> -A FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> >>> -A FORWARD -s 192.168.0.10 -d 194.25.134.46 -j ACCEPT
> >>> -A FORWARD -s 192.168.0.10 -d 194.25.134.110 -j ACCEPT
> >>> -A FORWARD -s 192.168.0.10 -j LOG
> >>> -A FORWARD -s 192.168.0.10 -j DROP
> >>> -A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
> >>> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl1.1 -m state --state NEW -j logdrop
> >>> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl0.1 -m state --state NEW -j logdrop
> >>> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p gre -j logaccept
> >>> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p tcp -m tcp --dport 1723 -j logaccept
> >>> -A FORWARD -i wl0.1 -j logaccept
> >>> -A FORWARD -i wl1.1 -j logaccept
> >>> -A FORWARD -j lan2wan
> >>> -A FORWARD -i br0 -o br0 -j logaccept
> >>> -A FORWARD -i br0 -o ppp0 -j logaccept
> >>> -A FORWARD -i ppp0 -o br0 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
> >>> -A FORWARD -i br0 -j trigger_out
> >>> -A FORWARD -i br0 -o wl0.1 -m state --state NEW -j logdrop
> >>> -A FORWARD -i br0 -o wl1.1 -m state --state NEW -j logdrop
> >>> -A FORWARD -i br0 -m state --state NEW -j logaccept
> >>> -A FORWARD -j logdrop
> >>> -A OUTPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> >>> -A OUTPUT -o br0 -j logaccept
> >>> -A logaccept -j ACCEPT
> >>> -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
> >>> -A logdrop -m state --state INVALID -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
> >>> -A logdrop -j DROP
> >>> -A logreject -j LOG --log-prefix "WEBDROP " --log-tcp-sequence --log-tcp-options --log-ip-options
> >>> -A logreject -p tcp -j REJECT --reject-with tcp-reset
> >>> COMMIT
> >>> # Completed on Tue Sep  5 10:42:27 2017
> >>> 
> >>>>> I have tried so many things, but still cannot ping from either side or
> >>>>> access any local machines.
> >>>>> Does anyone have a clue? Can I provide additional info?
> >>>> 
> >>>> You're having no success because you're trying random shit from the
> >>>> Internet. About 99,999% of the strongSwan related information on third
> >>>> party sites is either wrong or of questionable quality. Don't get your
> >>>> information from any place but the project's website.
> >>> 
> >>> Well, that's what I did in the first place, and it also lacks info, e.g.
> >>> it did not list all of the required kernel modules. It took me a bit to find
> >>> out which modules it needs, as it did not complain at startup but
> >>> requested features at runtime which were not there, e.g. a STD RNG.
> >>> 
> >>> 
> >>> Thanks for any hints, hope the above info helps.
> >>> 
> >>> Cheers Richard
> >>> 
> >>>> Kind regards
> >>>> 
> >>>> Noel
> >>>> 
> >>>> On 5 September 2017 00:53:20 CEST, Ric S <burj-al-arab at gmx.de> wrote:
> >>>>> Hi folks,
> >>>>> 
> >>>>> I have been ripping my hair out with this issue.
> >>>>> 
> >>>>> I'm running strongSwan 5.5.3 on a router. The router's LAN subnet is
> >>>>> 192.168.0.1/24.
> >>>>> I can successfully connect to it with an iPad with IKEv2 and surf the
> >>>>> internet, but I cannot reach any internal machines.
> >>>>> 
> >>>>> My config is the following:
> >>>>> 
> >>>>> ipsec.conf:
> >>>>> 
> >>>>> config setup
> >>>>> 
> >>>>> charondebug="net 2, knl 2, cfg 2"
> >>>>> 
> >>>>> conn ikev2
> >>>>> 
> >>>>> keyexchange=ikev2
> >>>>> 
> >>>>> ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes1
> >>>>> esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128
> >>>>> 
> >>>>> dpdaction=clear
> >>>>> dpddelay=60s
> >>>>> left=%defaultroute
> >>>>> leftfirewall=yes
> >>>>> lefthostaccess=yes
> >>>>> leftid=myname.ddns.net
> >>>>> leftsubnet=192.168.0.0/24
> >>>>> leftcert=host-vpn.der
> >>>>> leftsendcert=always
> >>>>> right=%any
> >>>>> rightauth=eap-tls
> >>>>> rightsourceip=%dhcp
> >>>>> eap_identity=%any
> >>>>> type=passthrough
> >>>>> auto=add
> >>>>> 
> >>>>> strongswan.conf:
> >>>>> 
> >>>>> charon {
> >>>>> interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
> >>>>> plugins {
> >>>>> 
> >>>>>        dhcp {
> >>>>>        force_server_address = yes
> >>>>>        server = 192.168.0.1
> >>>>>        identity_lease = yes
> >>>>>        }
> >>>>>        farp {
> >>>>>        load = yes
> >>>>>        }
> >>>>> 
> >>>>> }}
> >>>>> 
> >>>>> threads = 8
> >>>>> dns1 = 8.8.8.8
> >>>>> dns1 = 8.8.8.4
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> Status:
> >>>>> 
> >>>>> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.80, armv7l):
> >>>>>   uptime: 14 minutes, since Sep 05 00:09:53 2017
> >>>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
> >>>>>   loaded plugins: charon test-vectors aes des blowfish rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac sqlite attr kernel-pfkey kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-aka eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck
> >>>>> Listening IP addresses:
> >>>>>   169.254.255.1
> >>>>>   192.168.0.1
> >>>>>   87.168.243.83
> >>>>> Connections:
> >>>>>        ikev2:  %any...%any  IKEv2, dpddelay=60s
> >>>>>        ikev2:   local:  [myname.ddns.net] uses public key authentication
> >>>>>        ikev2:    cert:  "C=DE, O=MYORG, CN=myname.ddns.net"
> >>>>>        ikev2:   remote: uses EAP_TLS authentication with EAP identity '%any'
> >>>>>        ikev2:   child:  192.168.0.0/24 === dynamic PASS, dpdaction=clear
> >>>>> Security Associations (1 up, 0 connecting):
> >>>>>        ikev2[6]: ESTABLISHED 11 seconds ago, 87.168.243.83[myname.ddns.net]...109.43.1.19[R6400]
> >>>>>        ikev2[6]: IKEv2 SPIs: 243db36d71718704_i 688c466c497d2b9a_r*, public key reauthentication in 2 hours
> >>>>>        ikev2[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >>>>>        ikev2{4}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c0983fe7_i 04eb0f50_o
> >>>>>        ikev2{4}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
> >>>>>        ikev2{4}:   192.168.0.0/24 === 192.168.0.121/32
> >>>>> 
> >>>>> swanctl --list-sas
> >>>>> ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*
> >>>>>   local  'myname.ddns.net' @ 87.168.243.83[4500]
> >>>>>   remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]
> >>>>>   AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >>>>>   established 92s ago, reauth in 9765s
> >>>>>   ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
> >>>>>     installed 89s ago, rekeying in 2800s, expires in 3511s
> >>>>>     in  c0983fe7,      0 bytes,     0 packets
> >>>>>     out 04eb0f50,      0 bytes,     0 packets
> >>>>>     local  192.168.0.0/24
> >>>>>     remote 192.168.0.121/32
> >>>>> 
> >>>>> ip route list table 220
> >>>>> 192.168.0.121 via 62.155.242.107 dev ppp0  proto static  src 192.168.0.1
> >>>>> 
> >>>>> FARP seems to work, this is a ping from one of the local machines:
> >>>>> 
> >>>>> ping R6400
> >>>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
> >>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
> >>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
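As an added example (not code from the thread or from the strongSwan project), a small checker that reads an iptables-save dump like the one above and reports NAT rules in POSTROUTING that are evaluated before the IPsec policy-match ACCEPT from the wiki article, which is the ordering problem the thread is about, and also reports whether mangle FORWARD already carries an MSS clamp, which is what a practitioner checks first for the MTU/MSS question. The sample tables are constructed from the rules quoted in the thread, and the egress interface name is a parameter rather than anything read from the system.

```python
import re

# Constructed sample tables modelled on the iptables-save output quoted in the
# thread: NAT_BEFORE is the original POSTROUTING order, NAT_AFTER has the
# policy-match exemption inserted at the top (what `iptables -I` produces).
NAT_BEFORE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
-A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
COMMIT
"""

NAT_AFTER = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
-A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
COMMIT
"""

# Constructed mangle table carrying the MSS clamp rule seen in the thread.
MANGLE_WITH_CLAMP = """\
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
"""


def parse_tables(dump):
    """Map each table of an iptables-save dump to its -A rule lines, in order."""
    tables, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables


def chain_rules(dump, table, chain):
    """Rules of one chain in evaluation order (first match wins in the nat table)."""
    return [r for r in parse_tables(dump).get(table, [])
            if r.startswith(f"-A {chain} ")]


def is_nat_rule(rule):
    return re.search(r"-j (SNAT|MASQUERADE|NETMAP)\b", rule) is not None


def is_ipsec_exemption(rule):
    """The policy-match ACCEPT that keeps outbound IPsec traffic out of NAT."""
    return ("-m policy" in rule and "--pol ipsec" in rule
            and "--dir out" in rule and "-j ACCEPT" in rule)


def out_interface(rule):
    m = re.search(r"(?:^| )-o (\S+)", rule)
    return m.group(1) if m else None


def check_postrouting(dump, egress_if):
    """Return (ok, findings).  A NAT rule is a finding when it can match traffic
    leaving egress_if (no -o, or -o egress_if) and no IPsec exemption precedes
    it: that traffic is SNATed before ESP encapsulation, so its new source no
    longer matches the tunnel's traffic selector and it bypasses the tunnel."""
    rules = chain_rules(dump, "nat", "POSTROUTING")
    if not rules:
        return False, ["nat POSTROUTING has no rules"]
    findings, exempted = [], False
    for idx, rule in enumerate(rules, 1):
        if is_ipsec_exemption(rule):
            exempted = True
            continue
        if exempted or not is_nat_rule(rule):
            continue
        if out_interface(rule) in (None, egress_if):
            findings.append(f"rule {idx} NATs before the IPsec exemption: {rule}")
    return (not findings), findings


def has_mss_clamp(dump):
    """True when mangle FORWARD clamps TCP MSS; its absence is the first thing
    to rule out when a client shows TCP retransmissions through the tunnel."""
    return any("-j TCPMSS" in r
               for r in chain_rules(dump, "mangle", "FORWARD"))


if __name__ == "__main__":
    for name, dump in (("before", NAT_BEFORE), ("after", NAT_AFTER)):
        ok, findings = check_postrouting(dump, "ppp0")
        print(f"{name}: {'ok' if ok else 'NAT precedes IPsec exemption'}")
        for f in findings:
            print("  ", f)
    print("mss clamp present:", has_mss_clamp(MANGLE_WITH_CLAMP))
```

Feed it the output of `iptables-save` from the router to check the live ruleset instead of the constructed samples.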



