[strongSwan] Cannot ping machines on remote local network
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Sep 5 16:36:30 CEST 2017
Hi,
See the article about forwarding[1] that I linked previously.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#MTUMSS-issues
On 05.09.2017 16:33, Ric S wrote:
> On Dienstag, 5. September 2017 12:36:47 CEST Noel Kuntze wrote:
>> Hi,
>>
>> I just noticed that your NAT rules cause problems if you try to initiate
>> connections to the RW, too. Read and apply the advice from the article
>> about NAT problems[1].
>
>
>
> I added :
>
> iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
>
> I noticed when I ping the iPad from the LAN I now see that packets are matching and the ping changes
>
> Chain POSTROUTING (policy ACCEPT 1320 packets, 89681 bytes)
> pkts bytes target prot opt in out source destination
> 1 84 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
>
> before adding the rule:
>
> ping R6400
> PING R6400 (192.168.0.121) 56(84) bytes of data.
> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
> From 62.155.242.107 (62.155.242.107) icmp_seq=3 Destination Host Unreachable
>
>
> after adding the rule:
>
> ping R6400
> PING R6400 (192.168.0.121) 56(84) bytes of data.
> hangs here
>
> Thus this rule most likely is one part of the solution.
>
> Now I set up a second client, Win7. Unlike iOS, surfing the net does not work, and with Wireshark I see incoming TCP retransmission messages; it looks
> like there is an issue with MTU/MSS? I also managed to get one ping through the tunnel to a LAN machine.
>
> What is the best way to specify mtu sizes etc in strongswan?
>
>>
>> Kind regards
>>
>> Noel
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems
>> On 05.09.2017 12:32, Ric S wrote:
>>> On Dienstag, 5. September 2017 11:28:59 CEST Noel Kuntze wrote:
>>>> Hi,
>>>>
>>>>> ifconfig
>>>>
>>>> Please don't use the net-tools. Use iproute2. The net-tools are woefully
>>>> inadequate for this day and age. They are deprecated since the early
>>>> 2000s.
>>>>
>>>> Please provide the output of `ip address`, `ip route show table all`, `ip
>>>> rule` and `sysctl -A | grep rp_filter`.
>>>>
>>>> I suspect that at least the rp_filter needs to be set to 2.
>>>
>>> I just set all interfaces to 2, still no go.
>>>
>>>
>>>
>>> root@titan:~# ip address
>>> 1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 65536 qdisc noqueue qlen 1
>>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>>>        valid_lft forever preferred_lft forever
>>>     inet6 ::1/128 scope host
>>>        valid_lft forever preferred_lft forever
>>> 2: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
>>>     link/void
>>> 3: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
>>>     link/ether a0:63:91:ea:2e:14 brd ff:ff:ff:ff:ff:ff
>>>     inet6 fe80::a263:91ff:feea:2e14/64 scope link
>>>        valid_lft forever preferred_lft forever
>>> 4: vlan1@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue master br0
>>>     link/ether a0:63:91:ea:2e:14 brd ff:ff:ff:ff:ff:ff
>>>     inet6 fe80::a263:91ff:feea:2e14/64 scope link
>>>        valid_lft forever preferred_lft forever
>>> 5: vlan2@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
>>>     link/ether a0:63:91:ea:2e:15 brd ff:ff:ff:ff:ff:ff
>>>     inet 192.168.5.254/24 brd 192.168.5.255 scope global vlan2:0
>>>        valid_lft forever preferred_lft forever
>>>     inet6 fe80::a263:91ff:feea:2e15/64 scope link
>>>        valid_lft forever preferred_lft forever
>>> 6: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel master br0 qlen 1000
>>>     link/ether a0:63:91:ea:2e:16 brd ff:ff:ff:ff:ff:ff
>>>     inet6 fe80::a263:91ff:feea:2e16/64 scope link
>>>        valid_lft forever preferred_lft forever
>>> 7: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel master br0 qlen 1000
>>>     link/ether a0:63:91:ea:2e:17 brd ff:ff:ff:ff:ff:ff
>>>     inet6 fe80::a263:91ff:feea:2e17/64 scope link
>>>        valid_lft forever preferred_lft forever
>>> 9: wl0.1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
>>>     link/ether a2:63:91:ea:2e:17 brd ff:ff:ff:ff:ff:ff
>>>     inet 192.168.10.1/24 brd 192.168.10.255 scope global wl0.1
>>>        valid_lft forever preferred_lft forever
>>>     inet6 fe80::a063:91ff:feea:2e17/64 scope link
>>>        valid_lft forever preferred_lft forever
>>> 10: wl1.1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
>>>     link/ether a2:63:91:ea:2e:18 brd ff:ff:ff:ff:ff:ff
>>>     inet 192.168.9.1/24 brd 192.168.9.255 scope global wl1.1
>>>        valid_lft forever preferred_lft forever
>>>     inet6 fe80::a063:91ff:feea:2e18/64 scope link
>>>        valid_lft forever preferred_lft forever
>>> 12: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue qlen 1000
>>>     link/ether a0:63:91:ea:2e:16 brd ff:ff:ff:ff:ff:ff
>>>     inet 169.254.255.1/16 brd 169.254.255.255 scope global br0:0
>>>        valid_lft forever preferred_lft forever
>>>     inet 192.168.0.1/24 brd 192.168.0.255 scope global br0
>>>        valid_lft forever preferred_lft forever
>>>     inet6 fe80::a263:91ff:feea:2e16/64 scope link
>>>        valid_lft forever preferred_lft forever
>>> 13: ppp0: <POINTOPOINT,MULTICAST,UP,10000> mtu 1492 qdisc fq_codel qlen 3
>>>     link/ppp
>>>     inet 87.168.251.19 peer 62.155.242.107/32 brd 87.168.251.19 scope global ppp0
>>>        valid_lft forever preferred_lft forever
>>>
>>> root@titan:~# ip route show table all
>>> 192.168.0.121 via 62.155.242.107 dev ppp0 table 220 proto static src 192.168.0.1
>>> default via 62.155.242.107 dev ppp0
>>> 62.155.242.107 dev ppp0 proto kernel scope link src 87.168.251.19
>>> 127.0.0.0/8 dev lo scope link
>>> 169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
>>> 192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.1
>>> 192.168.5.0/24 dev vlan2 proto kernel scope link src 192.168.5.254
>>> 192.168.9.0/24 dev wl1.1 proto kernel scope link src 192.168.9.1
>>> 192.168.10.0/24 dev wl0.1 proto kernel scope link src 192.168.10.1
>>> local 87.168.251.19 dev ppp0 table local proto kernel scope host src 87.168.251.19
>>> broadcast 87.168.251.19 dev ppp0 table local proto kernel scope link src 87.168.251.19
>>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
>>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
>>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
>>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
>>> broadcast 169.254.0.0 dev br0 table local proto kernel scope link src 169.254.255.1
>>> local 169.254.255.1 dev br0 table local proto kernel scope host src 169.254.255.1
>>> broadcast 169.254.255.255 dev br0 table local proto kernel scope link src 169.254.255.1
>>> broadcast 192.168.0.0 dev br0 table local proto kernel scope link src 192.168.0.1
>>> local 192.168.0.1 dev br0 table local proto kernel scope host src 192.168.0.1
>>> broadcast 192.168.0.255 dev br0 table local proto kernel scope link src 192.168.0.1
>>> broadcast 192.168.5.0 dev vlan2 table local proto kernel scope link src 192.168.5.254
>>> local 192.168.5.254 dev vlan2 table local proto kernel scope host src 192.168.5.254
>>> broadcast 192.168.5.255 dev vlan2 table local proto kernel scope link src 192.168.5.254
>>> broadcast 192.168.9.0 dev wl1.1 table local proto kernel scope link src 192.168.9.1
>>> local 192.168.9.1 dev wl1.1 table local proto kernel scope host src 192.168.9.1
>>> broadcast 192.168.9.255 dev wl1.1 table local proto kernel scope link src 192.168.9.1
>>> broadcast 192.168.10.0 dev wl0.1 table local proto kernel scope link src 192.168.10.1
>>> local 192.168.10.1 dev wl0.1 table local proto kernel scope host src 192.168.10.1
>>> broadcast 192.168.10.255 dev wl0.1 table local proto kernel scope link src 192.168.10.1
>>> unreachable default dev lo table unspec proto kernel metric -1 error -101
>>> fe80::/64 dev eth0 proto kernel metric 256
>>> fe80::/64 dev vlan1 proto kernel metric 256
>>> fe80::/64 dev br0 proto kernel metric 256
>>> fe80::/64 dev eth1 proto kernel metric 256
>>> fe80::/64 dev wl0.1 proto kernel metric 256
>>> fe80::/64 dev eth2 proto kernel metric 256
>>> fe80::/64 dev wl1.1 proto kernel metric 256
>>> fe80::/64 dev vlan2 proto kernel metric 256
>>> unreachable default dev lo table unspec proto kernel metric -1 error -101
>>> local ::1 dev lo table local proto none metric 0
>>> local fe80::a063:91ff:feea:2e17 dev lo table local proto none metric 0
>>> local fe80::a063:91ff:feea:2e18 dev lo table local proto none metric 0
>>> local fe80::a263:91ff:feea:2e14 dev lo table local proto none metric 0
>>> local fe80::a263:91ff:feea:2e14 dev lo table local proto none metric 0
>>> local fe80::a263:91ff:feea:2e15 dev lo table local proto none metric 0
>>> local fe80::a263:91ff:feea:2e16 dev lo table local proto none metric 0
>>> local fe80::a263:91ff:feea:2e16 dev lo table local proto none metric 0
>>> local fe80::a263:91ff:feea:2e17 dev lo table local proto none metric 0
>>> ff00::/8 dev eth0 table local metric 256
>>> ff00::/8 dev vlan1 table local metric 256
>>> ff00::/8 dev br0 table local metric 256
>>> ff00::/8 dev eth1 table local metric 256
>>> ff00::/8 dev wl0.1 table local metric 256
>>> ff00::/8 dev eth2 table local metric 256
>>> ff00::/8 dev wl1.1 table local metric 256
>>> ff00::/8 dev vlan2 table local metric 256
>>> unreachable default dev lo table unspec proto kernel metric -1 error -101
>>> root@titan:~# ip rule
>>> 0: from all lookup local
>>> 220: from all lookup 220
>>> 32766: from all lookup main
>>> 32767: from all lookup default
>>> root@titan:~# sysctl -A | grep rp_filter
>>> net.ipv4.conf.all.arp_filter = 0
>>> net.ipv4.conf.all.rp_filter = 2
>>> net.ipv4.conf.br0.arp_filter = 0
>>> net.ipv4.conf.br0.rp_filter = 2
>>> net.ipv4.conf.default.arp_filter = 0
>>> net.ipv4.conf.default.rp_filter = 2
>>> net.ipv4.conf.eth0.arp_filter = 0
>>> net.ipv4.conf.eth0.rp_filter = 2
>>> net.ipv4.conf.eth1.arp_filter = 0
>>> net.ipv4.conf.eth1.rp_filter = 2
>>> net.ipv4.conf.eth2.arp_filter = 0
>>> net.ipv4.conf.eth2.rp_filter = 2
>>> net.ipv4.conf.lo.arp_filter = 0
>>> net.ipv4.conf.lo.rp_filter = 2
>>> net.ipv4.conf.ppp0.arp_filter = 0
>>> net.ipv4.conf.ppp0.rp_filter = 2
>>> net.ipv4.conf.teql0.arp_filter = 0
>>> net.ipv4.conf.teql0.rp_filter = 2
>>> net.ipv4.conf.vlan1.arp_filter = 0
>>> net.ipv4.conf.vlan1.rp_filter = 2
>>> net.ipv4.conf.vlan2.arp_filter = 0
>>> net.ipv4.conf.vlan2.rp_filter = 2
>>> net.ipv4.conf.wl0.1.arp_filter = 0
>>> net.ipv4.conf.wl0.1.rp_filter = 2
>>> net.ipv4.conf.wl1.1.arp_filter = 0
>>> net.ipv4.conf.wl1.1.rp_filter = 2
>>>
>>>>> Just a dynamic ip, who cares.
>>>>
>>>> Enough people that it's RFC'd[1].
>>>
>>> Sure but it doesn't hurt and makes sure you got the right info.
>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> [1] https://tools.ietf.org/html/rfc1918#section-3
>>>>
>>>> On 05.09.2017 11:06, Ric S wrote:
>>>>> Current configs now:
>>>>>
>>>>> strongswan.conf:
>>>>>
>>>>> charon {
>>>>>     plugins {
>>>>>         dhcp {
>>>>>             force_server_address = yes
>>>>>             server = 192.168.0.1
>>>>>             identity_lease = yes
>>>>>         }
>>>>>         farp {
>>>>>             load = yes
>>>>>         }
>>>>>     }
>>>>> }
>>>>>
>>>>> dns1 = 8.8.8.8
>>>>> dns1 = 8.8.8.4
>>>>>
>>>>> ipsec.conf:
>>>>>
>>>>> config setup
>>>>>     charondebug="net 2, knl 2, cfg 2"
>>>>>
>>>>> conn ikev2
>>>>>     keyexchange=ikev2
>>>>>     ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes2
>>>>>     esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm
>>>>>     dpdaction=clear
>>>>>     dpddelay=60s
>>>>>     leftfirewall=yes
>>>>>     lefthostaccess=yes
>>>>>     leftid=carone.ddns.net
>>>>>     leftsubnet=192.168.0.0/24
>>>>>     leftcert=host-vpn.der
>>>>>     leftsendcert=always
>>>>>     right=%any
>>>>>     rightauth=eap-tls
>>>>>     rightsourceip=%dhcp
>>>>>     eap_identity=%any
>>>>>     auto=add
>>>>>
>>>>> On Dienstag, 5. September 2017 04:54:31 CEST you wrote:
>>>>>> Hi,
>>>>>>
>>>>>>> type=passthrough
>>>>>
>>>>> Removed it, also did not use it previous attempts.
>>>>>
>>>>>> You're sabotaging yourself. There is no IPsec processing happening with
>>>>>> type=passthrough
>>>>>>
>>>>>>> threads = 8
>>>>>
>>>>> Removed.
>>>>>
>>>>>> You're doing it again. That can lock up the daemon later. Don't do
>>>>>> that.
>>>>>> Luckily, the setting is outside the valid configuration block, so it's
>>>>>> invalid and ignored.
>>>>>>
>>>>>>> interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
>>>>>
>>>>> I removed it. Just for the record these are my interfaces:
>>>>>
>>>>> ifconfig
>>>>> br0       Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
>>>>>           inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
>>>>>           inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>           RX packets:5108 errors:0 dropped:0 overruns:0 frame:0
>>>>>           TX packets:4497 errors:0 dropped:0 overruns:0 carrier:0
>>>>>           collisions:0 txqueuelen:1000
>>>>>           RX bytes:585507 (571.7 KiB)  TX bytes:3738948 (3.5 MiB)
>>>>>
>>>>> br0:0     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
>>>>>           inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>
>>>>> eth0      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:14
>>>>>           inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>           RX packets:12075 errors:0 dropped:0 overruns:0 frame:0
>>>>>           TX packets:12590 errors:0 dropped:0 overruns:0 carrier:0
>>>>>           collisions:0 txqueuelen:1000
>>>>>           RX bytes:1941972 (1.8 MiB)  TX bytes:9910375 (9.4 MiB)
>>>>>           Interrupt:179 Base address:0x4000
>>>>>
>>>>> eth1      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
>>>>>           inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:7541
>>>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>>>           collisions:0 txqueuelen:1000
>>>>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>>>>>           Interrupt:163
>>>>>
>>>>> eth2      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:17
>>>>>           inet6 addr: fe80::a263:91ff:feea:2e17/64 Scope:Link
>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>>>           collisions:0 txqueuelen:1000
>>>>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>>>>>           Interrupt:169
>>>>>
>>>>> lo        Link encap:Local Loopback
>>>>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>>>>           inet6 addr: ::1/128 Scope:Host
>>>>>           UP LOOPBACK RUNNING MULTICAST  MTU:65536  Metric:1
>>>>>           RX packets:425 errors:0 dropped:0 overruns:0 frame:0
>>>>>           TX packets:425 errors:0 dropped:0 overruns:0 carrier:0
>>>>>           collisions:0 txqueuelen:1
>>>>>           RX bytes:53057 (51.8 KiB)  TX bytes:53057 (51.8 KiB)
>>>>>
>>>>> ppp0      Link encap:Point-to-Point Protocol
>>>>>           inet addr:87.168.251.19  P-t-P:62.155.242.107  Mask:255.255.255.255
>>>>>           UP POINTOPOINT RUNNING MULTICAST  MTU:1492  Metric:1
>>>>>           RX packets:1010 errors:0 dropped:0 overruns:0 frame:0
>>>>>           TX packets:1092 errors:0 dropped:0 overruns:0 carrier:0
>>>>>           collisions:0 txqueuelen:3
>>>>>           RX bytes:470447 (459.4 KiB)  TX bytes:160357 (156.5 KiB)
>>>>>
>>>>> vlan1     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:14
>>>>>           inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>           RX packets:9247 errors:0 dropped:0 overruns:0 frame:0
>>>>>           TX packets:9767 errors:0 dropped:0 overruns:0 carrier:0
>>>>>           collisions:0 txqueuelen:0
>>>>>           RX bytes:759337 (741.5 KiB)  TX bytes:9462367 (9.0 MiB)
>>>>>
>>>>> vlan2     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:15
>>>>>           inet6 addr: fe80::a263:91ff:feea:2e15/64 Scope:Link
>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>           RX packets:2828 errors:0 dropped:3 overruns:0 frame:0
>>>>>           TX packets:2815 errors:0 dropped:0 overruns:0 carrier:0
>>>>>           collisions:0 txqueuelen:0
>>>>>           RX bytes:916985 (895.4 KiB)  TX bytes:397032 (387.7 KiB)
>>>>>
>>>>> vlan2:0   Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:15
>>>>>           inet addr:192.168.5.254  Bcast:192.168.5.255  Mask:255.255.255.0
>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>
>>>>> wl0.1     Link encap:Ethernet  HWaddr A2:XX:XX:XX:XX:17
>>>>>           inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
>>>>>           inet6 addr: fe80::a063:91ff:feea:2e17/64 Scope:Link
>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>           RX packets:3615 errors:0 dropped:5 overruns:0 frame:7541
>>>>>           TX packets:3989 errors:0 dropped:0 overruns:0 carrier:0
>>>>>           collisions:0 txqueuelen:1000
>>>>>           RX bytes:538878 (526.2 KiB)  TX bytes:998737 (975.3 KiB)
>>>>>
>>>>> wl1.1     Link encap:Ethernet  HWaddr A2:XX:XX:XX:XX:18
>>>>>           inet addr:192.168.9.1  Bcast:192.168.9.255  Mask:255.255.255.0
>>>>>           inet6 addr: fe80::a063:91ff:feea:2e18/64 Scope:Link
>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>>>           collisions:0 txqueuelen:1000
>>>>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>>>>>>
>>>>>> Unnecessary.
>>>>>>
>>>>>>> left=%defaultroute
>>>>>
>>>>> Removed.
>>>>>
>>>>>> Unnecessary.
>>>>>>
>>>>>>> kernel-pfkey
>>>>>>
>>>>>> Plugin for the legacy IPsec API. Don't use it.
>>>>>>
>>>>>>> ping R6400
>>>>>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
>>>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
>>>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
>>>>>
>>>>> Just a dynamic ip, who cares.
>>>>>
>>>>>> Your next hop is sending that error. You're leaking private addresses into
>>>>>> the WAN. That is forbidden. Don't do that.
>>>>>>
>>>>>>> Routers iptable output:
>>>>>>>
>>>>>>> iptables -vnL
>>>>>>
>>>>>> The output is unusable. Provide the output of `iptables-save`.
>>>>>
>>>>> I disabled a few features, e.g. QOS in order to reduce the output
>>>>>
>>>>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
>>>>> *raw
>>>>> :PREROUTING ACCEPT [12217:1705679]
>>>>> :OUTPUT ACCEPT [9354:9118762]
>>>>> COMMIT
>>>>> # Completed on Tue Sep 5 10:42:27 2017
>>>>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
>>>>> *nat
>>>>> :PREROUTING ACCEPT [285:28593]
>>>>> :INPUT ACCEPT [604:43260]
>>>>> :OUTPUT ACCEPT [47:3676]
>>>>> :POSTROUTING ACCEPT [47:3676]
>>>>> -A PREROUTING -d 87.168.251.19 -p icmp -j DNAT --to-destination 192.168.0.1
>>>>> -A PREROUTING -d 87.168.251.19 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
>>>>> -A POSTROUTING -o vlan2 -j MASQUERADE
>>>>> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
>>>>> -A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
>>>>> -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
>>>>> -A POSTROUTING -s 192.168.9.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
>>>>> COMMIT
>>>>> # Completed on Tue Sep 5 10:42:27 2017
>>>>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
>>>>> *mangle
>>>>>
>>>>> :PREROUTING ACCEPT [3009:537902]
>>>>> :INPUT ACCEPT [8937:741571]
>>>>> :FORWARD ACCEPT [2521:798226]
>>>>> :OUTPUT ACCEPT [2190:2277003]
>>>>> :POSTROUTING ACCEPT [11882:9919352]
>>>>>
>>>>> -A PREROUTING -d 87.168.251.19 -i ! ppp0 -j MARK --set-xmark 0x80000000/0x80000000
>>>>> -A PREROUTING -j CONNMARK --save-mark
>>>>> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>>>> COMMIT
>>>>> # Completed on Tue Sep 5 10:42:27 2017
>>>>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
>>>>> *filter
>>>>>
>>>>> :INPUT ACCEPT [0:0]
>>>>> :FORWARD ACCEPT [0:0]
>>>>> :OUTPUT ACCEPT [111:17285]
>>>>> :advgrp_1 - [0:0]
>>>>> :advgrp_10 - [0:0]
>>>>> :advgrp_2 - [0:0]
>>>>> :advgrp_3 - [0:0]
>>>>> :advgrp_4 - [0:0]
>>>>> :advgrp_5 - [0:0]
>>>>> :advgrp_6 - [0:0]
>>>>> :advgrp_7 - [0:0]
>>>>> :advgrp_8 - [0:0]
>>>>> :advgrp_9 - [0:0]
>>>>> :grp_1 - [0:0]
>>>>> :grp_10 - [0:0]
>>>>> :grp_2 - [0:0]
>>>>> :grp_3 - [0:0]
>>>>> :grp_4 - [0:0]
>>>>> :grp_5 - [0:0]
>>>>> :grp_6 - [0:0]
>>>>> :grp_7 - [0:0]
>>>>> :grp_8 - [0:0]
>>>>> :grp_9 - [0:0]
>>>>> :lan2wan - [0:0]
>>>>> :logaccept - [0:0]
>>>>> :logdrop - [0:0]
>>>>> :logreject - [0:0]
>>>>> :trigger_out - [0:0]
>>>>>
>>>>> -A INPUT -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>>>>> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
>>>>> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
>>>>> -A INPUT -s 66.220.2.74 -p icmp -j ACCEPT
>>>>> -A INPUT -m state --state RELATED,ESTABLISHED -j logaccept
>>>>> -A INPUT -i ppp0 -p udp -m udp --dport 520 -j logdrop
>>>>> -A INPUT -i br0 -p udp -m udp --dport 520 -j logdrop
>>>>> -A INPUT -p udp -m udp --dport 520 -j logaccept
>>>>> -A INPUT -i br0 -j logaccept
>>>>> -A INPUT -i ppp0 -p icmp -j logdrop
>>>>> -A INPUT -p igmp -j logdrop
>>>>> -A INPUT -i lo -m state --state NEW -j ACCEPT
>>>>> -A INPUT -i br0 -m state --state NEW -j logaccept
>>>>> -A INPUT -i wl0.1 -p udp -m udp --dport 67 -j logaccept
>>>>> -A INPUT -i wl0.1 -p udp -m udp --dport 53 -j logaccept
>>>>> -A INPUT -i wl0.1 -p tcp -m tcp --dport 53 -j logaccept
>>>>> -A INPUT -i wl0.1 -m state --state NEW -j logdrop
>>>>> -A INPUT -i wl0.1 -j logaccept
>>>>> -A INPUT -i wl1.1 -p udp -m udp --dport 67 -j logaccept
>>>>> -A INPUT -i wl1.1 -p udp -m udp --dport 53 -j logaccept
>>>>> -A INPUT -i wl1.1 -p tcp -m tcp --dport 53 -j logaccept
>>>>> -A INPUT -i wl1.1 -m state --state NEW -j logdrop
>>>>> -A INPUT -i wl1.1 -j logaccept
>>>>> -A INPUT -j logdrop
>>>>> -A FORWARD -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>>>>> -A FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>>>>> -A FORWARD -s 192.168.0.10 -d 194.25.134.46 -j ACCEPT
>>>>> -A FORWARD -s 192.168.0.10 -d 194.25.134.110 -j ACCEPT
>>>>> -A FORWARD -s 192.168.0.10 -j LOG
>>>>> -A FORWARD -s 192.168.0.10 -j DROP
>>>>> -A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
>>>>> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl1.1 -m state --state NEW -j logdrop
>>>>> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl0.1 -m state --state NEW -j logdrop
>>>>> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p gre -j logaccept
>>>>> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p tcp -m tcp --dport 1723 -j logaccept
>>>>> -A FORWARD -i wl0.1 -j logaccept
>>>>> -A FORWARD -i wl1.1 -j logaccept
>>>>> -A FORWARD -j lan2wan
>>>>> -A FORWARD -i br0 -o br0 -j logaccept
>>>>> -A FORWARD -i br0 -o ppp0 -j logaccept
>>>>> -A FORWARD -i ppp0 -o br0 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
>>>>> -A FORWARD -i br0 -j trigger_out
>>>>> -A FORWARD -i br0 -o wl0.1 -m state --state NEW -j logdrop
>>>>> -A FORWARD -i br0 -o wl1.1 -m state --state NEW -j logdrop
>>>>> -A FORWARD -i br0 -m state --state NEW -j logaccept
>>>>> -A FORWARD -j logdrop
>>>>> -A OUTPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>>>>> -A OUTPUT -o br0 -j logaccept
>>>>> -A logaccept -j ACCEPT
>>>>> -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
>>>>> -A logdrop -m state --state INVALID -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
>>>>> -A logdrop -j DROP
>>>>> -A logreject -j LOG --log-prefix "WEBDROP " --log-tcp-sequence --log-tcp-options --log-ip-options
>>>>> -A logreject -p tcp -j REJECT --reject-with tcp-reset
>>>>> COMMIT
>>>>> # Completed on Tue Sep 5 10:42:27 2017
>>>>>
>>>>>>> I have tried so many things, but still cannot ping from either side or
>>>>>>> access any local machines.
>>>>>>> Does anyone have a clue? Can I provide additional info?
>>>>>>
>>>>>> You're having no success because you're trying random shit from the
>>>>>> Internet. About 99,999% of the strongSwan related information on third
>>>>>> party sites is either wrong or of questionable quality. Don't get your
>>>>>> information from any place but the project's website.
>>>>>
>>>>> Well that's what I did in the first place and it also lacks info, e.g.
>>>>> it did not list all of the required kernel modules, took me a bit to find
>>>>> out which modules it needs as it did not complain at startup, but
>>>>> requested features at runtime which were not there, e.g. a STD RNG.
>>>>>
>>>>>
>>>>> Thanks for any hints, hope the above info helps.
>>>>>
>>>>> Cheers Richard
>>>>>
>>>>>> Kind regards
>>>>>>
>>>>>> Noel
>>>>>>
>>>>>> Am 5. September 2017 00:53:20 MESZ schrieb Ric S <burj-al-arab at gmx.de>:
>>>>>>> Hi folks,
>>>>>>>
>>>>>>> I have been ripping my hair out with this issue.
>>>>>>>
>>>>>>> I'm running strongswan 5.5.3 on a router. The router's LAN subnet is
>>>>>>> 192.168.0.1/24.
>>>>>>> I can successfully connect to it with an iPad with IKEv2 and surf the
>>>>>>> internet, but I cannot reach any internal machines.
>>>>>>>
>>>>>>> My config is the following:
>>>>>>>
>>>>>>> ipsec.conf:
>>>>>>>
>>>>>>> config setup
>>>>>>>     charondebug="net 2, knl 2, cfg 2"
>>>>>>>
>>>>>>> conn ikev2
>>>>>>>     keyexchange=ikev2
>>>>>>>     ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes1
>>>>>>>     esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128
>>>>>>>     dpdaction=clear
>>>>>>>     dpddelay=60s
>>>>>>>     left=%defaultroute
>>>>>>>     leftfirewall=yes
>>>>>>>     lefthostaccess=yes
>>>>>>>     leftid=myname.ddns.net
>>>>>>>     leftsubnet=192.168.0.0/24
>>>>>>>     leftcert=host-vpn.der
>>>>>>>     leftsendcert=always
>>>>>>>     right=%any
>>>>>>>     rightauth=eap-tls
>>>>>>>     rightsourceip=%dhcp
>>>>>>>     eap_identity=%any
>>>>>>>     type=passthrough
>>>>>>>     auto=add
>>>>>>>
>>>>>>> strongswan.conf:
>>>>>>>
>>>>>>> charon {
>>>>>>>     interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
>>>>>>>     plugins {
>>>>>>>         dhcp {
>>>>>>>             force_server_address = yes
>>>>>>>             server = 192.168.0.1
>>>>>>>             identity_lease = yes
>>>>>>>         }
>>>>>>>         farp {
>>>>>>>             load = yes
>>>>>>>         }
>>>>>>>     }
>>>>>>> }
>>>>>>>
>>>>>>> threads = 8
>>>>>>> dns1 = 8.8.8.8
>>>>>>> dns1 = 8.8.8.4
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Status:
>>>>>>>
>>>>>>> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.80, armv7l):
>>>>>>>   uptime: 14 minutes, since Sep 05 00:09:53 2017
>>>>>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
>>>>>>>   loaded plugins: charon test-vectors aes des blowfish rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac sqlite attr kernel-pfkey kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-aka eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck
>>>>>>> Listening IP addresses:
>>>>>>>   169.254.255.1
>>>>>>>   192.168.0.1
>>>>>>>   87.168.243.83
>>>>>>> Connections:
>>>>>>>        ikev2:  %any...%any  IKEv2, dpddelay=60s
>>>>>>>        ikev2:   local:  [myname.ddns.net] uses public key authentication
>>>>>>>        ikev2:    cert:  "C=DE, O=MYORG, CN=myname.ddns.net"
>>>>>>>        ikev2:   remote: uses EAP_TLS authentication with EAP identity '%any'
>>>>>>>        ikev2:   child:  192.168.0.0/24 === dynamic PASS, dpdaction=clear
>>>>>>> Security Associations (1 up, 0 connecting):
>>>>>>>        ikev2[6]: ESTABLISHED 11 seconds ago, 87.168.243.83[myname.ddns.net]...109.43.1.19[R6400]
>>>>>>>        ikev2[6]: IKEv2 SPIs: 243db36d71718704_i 688c466c497d2b9a_r*, public key reauthentication in 2 hours
>>>>>>>        ikev2[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>>>>>        ikev2{4}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c0983fe7_i 04eb0f50_o
>>>>>>>        ikev2{4}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
>>>>>>>        ikev2{4}:   192.168.0.0/24 === 192.168.0.121/32
>>>>>>>
>>>>>>> swanctl --list-sas
>>>>>>> ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*
>>>>>>>   local  'myname.ddns.net' @ 87.168.243.83[4500]
>>>>>>>   remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]
>>>>>>>   AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>>>>>   established 92s ago, reauth in 9765s
>>>>>>>   ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
>>>>>>>     installed 89s ago, rekeying in 2800s, expires in 3511s
>>>>>>>     in  c0983fe7,      0 bytes,     0 packets
>>>>>>>     out 04eb0f50,      0 bytes,     0 packets
>>>>>>>     local  192.168.0.0/24
>>>>>>>     remote 192.168.0.121/32
>>>>>>>
>>>>>>> ip route list table 220
>>>>>>> 192.168.0.121 via 62.155.242.107 dev ppp0 proto static src
>>>>>>> 192.168.0.1
>>>>>>>
>>>>>>> FARP seems to work, this is a ping from one of the local machines:
>>>>>>>
>>>>>>> ping R6400
>>>>>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
>>>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
>>>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
>
>
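Editor's note on the NAT exemption Noel points Ric at. The "Destination Host Unreachable" replies from 62.155.242.107 and the later success after `iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT` both follow from rule order in the nat table: a LAN reply to 192.168.0.121 that hits `-s 192.168.0.0/24 -o ppp0 -j SNAT` first gets its source rewritten to the WAN address, no longer matches the 192.168.0.0/24 === 192.168.0.121/32 policy, and leaves the router in the clear. The following script is an added example, not code from the thread or from the strongSwan project; it parses `iptables-save` output and checks that the exemption sits ahead of every SNAT/MASQUERADE rule. The embedded ruleset is constructed from the nat table Ric posted (the TRIGGER rule omitted), and `insert_exemption` reproduces what `-I` did.

```python
"""Check a strongSwan gateway's nat table for the IPsec exemption this thread needed.

Added example, not code from the thread or from the strongSwan project. It parses
iptables-save output and verifies that nat/POSTROUTING accepts IPsec-policy traffic
before any SNAT/MASQUERADE rule can rewrite its source address.
"""
import shlex

# Constructed sample: the nat table posted earlier in the thread, before the
# exemption rule was added (the TRIGGER rule is left out as irrelevant here).
NAT_TABLE_BEFORE = """\
*nat
:PREROUTING ACCEPT [285:28593]
:INPUT ACCEPT [604:43260]
:OUTPUT ACCEPT [47:3676]
:POSTROUTING ACCEPT [47:3676]
-A PREROUTING -d 87.168.251.19 -p icmp -j DNAT --to-destination 192.168.0.1
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
-A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
-A POSTROUTING -s 192.168.9.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
COMMIT
"""

# The rule Ric added, in iptables-save syntax.
IPSEC_EXEMPT = "-A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT"


def chain_rules(dump, table, chain):
    """Rules appended to `chain` of `table`, in order, each as a token list."""
    rules, in_table = [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_table = line[1:].strip() == table
        elif in_table and line.startswith("-A %s " % chain):
            rules.append(shlex.split(line))
    return rules


def _opt(tokens, flag):
    """Argument following `flag`, or None if the flag is not present."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag:
            return tokens[i + 1]
    return None


def _has_match(tokens, module):
    """True if the rule loads match extension `module` via -m."""
    return any(a == "-m" and b == module for a, b in zip(tokens, tokens[1:]))


def is_ipsec_exemption(tokens):
    """-m policy --pol ipsec --dir out -j ACCEPT (extra selectors are fine)."""
    return (_has_match(tokens, "policy") and _opt(tokens, "--pol") == "ipsec"
            and _opt(tokens, "--dir") == "out" and _opt(tokens, "-j") == "ACCEPT")


def is_source_nat(tokens):
    return _opt(tokens, "-j") in ("SNAT", "MASQUERADE")


def check_nat_exemption(dump):
    """Return (ok, explanation) for nat/POSTROUTING of an iptables-save dump.

    ok is True only when an IPsec exemption is hit before every SNAT/MASQUERADE rule.
    """
    rules = chain_rules(dump, "nat", "POSTROUTING")
    exempt_at = next((i for i, r in enumerate(rules) if is_ipsec_exemption(r)), None)
    nat_at = next((i for i, r in enumerate(rules) if is_source_nat(r)), None)
    if nat_at is None:
        return True, "no source NAT in POSTROUTING, nothing to exempt"
    if exempt_at is None:
        return False, "no IPsec exemption: tunnel traffic is rewritten by rule %d" % (nat_at + 1)
    if exempt_at > nat_at:
        return False, "exemption (rule %d) comes after SNAT/MASQUERADE (rule %d)" % (
            exempt_at + 1, nat_at + 1)
    return True, "IPsec exemption at rule %d precedes all source NAT" % (exempt_at + 1)


def insert_exemption(dump):
    """Same effect as `iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT`."""
    out, in_nat, done = [], False, False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_nat = line.strip() == "*nat"
        # -I puts the rule at the head of the chain: emit it before the first
        # existing POSTROUTING rule, or before COMMIT if the chain is empty.
        if in_nat and not done and (line.startswith("-A POSTROUTING ") or line.strip() == "COMMIT"):
            out.append(IPSEC_EXEMPT)
            done = True
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("as posted:   ", check_nat_exemption(NAT_TABLE_BEFORE))
    print("with -I rule:", check_nat_exemption(insert_exemption(NAT_TABLE_BEFORE)))
```

Run it against a live box with `iptables-save | python3 check_nat.py` style input by feeding `sys.stdin.read()` to `check_nat_exemption`; the check deliberately ignores the filter table, since the problem here is address rewriting, not filtering.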
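Editor's note on Ric's MTU/MSS question. strongSwan itself does not set an MSS; the MTU/MSS section of the wiki article Noel links clamps the MSS of TCP SYNs that match the IPsec policy, in both directions, to a fixed value that leaves room for ESP (its own example uses 1360). The `--clamp-mss-to-pmtu` rule already in Ric's mangle table derives the value from the MTU of the route the SYN itself takes: for a SYN arriving from the tunnel and heading to the LAN that is br0's 1500, so the LAN host is told it may send 1460-byte segments, which no longer fit in 1492 once they are ESP-encapsulated on the way back. The script below is an added example, not code from the thread or from strongSwan. It computes the largest MSS that fits the child SA shown in the status output (tunnel mode, ESP in UDP, AES_CBC-256/HMAC_SHA2_256_128, out via ppp0 with MTU 1492) from the RFC 4303 ESP layout, and emits the clamp rules in the form the wiki uses with that value substituted. The transform table and the assumption of option-less IPv4/TCP headers are mine.

```python
"""Largest TCP MSS that fits the tunnel shown in this thread.

Added example, not code from the thread or from strongSwan. The child SA in the
thread is tunnel-mode ESP in UDP (NAT-T) with AES_CBC-256/HMAC_SHA2_256_128,
leaving via ppp0 (MTU 1492). Sizes follow RFC 4303 (ESP) and RFC 4106 (AES-GCM);
the transform table is an assumption covering the algorithms mentioned here.
"""

OUTER_IPV4 = 20   # outer IPv4 header added in tunnel mode (no options)
UDP_ENCAP = 8     # UDP header added by NAT traversal (port 4500)
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
IP_TCP_HDRS = 40  # inner IPv4 (20) + TCP (20) headers without options

# transform -> (IV length, ICV length, alignment the encrypted part must keep)
TRANSFORMS = {
    "aes-cbc+hmac-sha256-128": (16, 16, 16),  # the SA in this thread
    "aes-cbc+hmac-sha1-96":    (16, 12, 16),
    "aes-gcm-128-icv16":       (8, 16, 4),    # RFC 4106: 8-byte explicit IV, 4-byte ESP alignment
}


def _fixed_overhead(transform, nat_t):
    """Bytes that every ESP packet carries regardless of payload size."""
    iv, icv, _ = TRANSFORMS[transform]
    return OUTER_IPV4 + (UDP_ENCAP if nat_t else 0) + ESP_HDR + iv + icv


def esp_overhead(transform, inner_len, nat_t=True):
    """Bytes on the wire for one inner packet of inner_len bytes."""
    _, _, align = TRANSFORMS[transform]
    padding = (-(inner_len + ESP_TRAILER)) % align   # RFC 4303 pads to the cipher's alignment
    return _fixed_overhead(transform, nat_t) + inner_len + padding + ESP_TRAILER


def max_inner_packet(path_mtu, transform, nat_t=True):
    """Largest inner packet whose ESP encapsulation still fits path_mtu."""
    _, _, align = TRANSFORMS[transform]
    budget = path_mtu - _fixed_overhead(transform, nat_t)  # room for inner + padding + trailer
    budget -= budget % align                               # encrypted part must stay aligned
    return budget - ESP_TRAILER


def safe_mss(path_mtu, transform, nat_t=True):
    """MSS to clamp SYNs to so that a full-size segment never needs fragmentation."""
    return max_inner_packet(path_mtu, transform, nat_t) - IP_TCP_HDRS


def clamp_rules(mss):
    """mangle-table rules (iptables-save syntax) that clamp IPsec traffic only, both directions."""
    rule = ("-A FORWARD -m policy --pol ipsec --dir %s -p tcp -m tcp --tcp-flags SYN,RST SYN "
            "-m tcpmss --mss %d:1536 -j TCPMSS --set-mss %d")
    return [rule % (direction, mss + 1, mss) for direction in ("in", "out")]


if __name__ == "__main__":
    t = "aes-cbc+hmac-sha256-128"
    mss = safe_mss(1492, t)
    print("largest inner packet over ppp0:", max_inner_packet(1492, t))
    print("MSS to clamp to:", mss)
    print("*mangle")
    print("\n".join(clamp_rules(mss)))
    print("COMMIT")
```

For this SA over a 1492-byte PPPoE link the result is 1382, so the wiki's 1360 leaves about 20 bytes of slack; a smaller figure is harmless, a larger one reintroduces the retransmissions Ric sees in Wireshark. The `-m tcpmss --mss N+1:1536` selector keeps the rule from touching SYNs that already advertise a smaller MSS.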