[strongSwan] Cannot ping machines on remote local network
Ric S
burj-al-arab at gmx.de
Wed Sep 6 00:05:23 CEST 2017
On Tuesday, 5 September 2017 16:36:30 CEST Noel Kuntze wrote:
> Hi,
>
> See the article about forwarding[1] that I linked previously.
I have done some more experimenting. It is really strange: right after the
connection is established I get a few pings through, but they stop after 3 or 4
pings, then maybe one in a few minutes goes through.
Very strange. I also notice that after a while I cannot establish a
connection to the router until I request a new IP. Just like traffic is
intercepted by the ISP.
But since the test is done with an LTE modem, I want to see next week if I
get the same results on a regular line.
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#MTUMSS-issues
> On 05.09.2017 16:33, Ric S wrote:
> > On Tuesday, 5 September 2017 12:36:47 CEST Noel Kuntze wrote:
> >> Hi,
> >>
> >> I just noticed that your NAT rules cause problems if you try to initiate
> >> connections to the RW, too. Read and apply the advice from the article
> >> about NAT problems[1].
> >
> > I added :
> >
> > iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
> >
> > I noticed that when I ping the iPad from the LAN I now see that packets are
> > matching and the ping output changes:
> >
> > Chain POSTROUTING (policy ACCEPT 1320 packets, 89681 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     1    84 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
> >
> > before adding the rule:
> >
> > ping R6400
> > PING R6400 (192.168.0.121) 56(84) bytes of data.
> > From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
> > From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
> > From 62.155.242.107 (62.155.242.107) icmp_seq=3 Destination Host Unreachable
> >
> >
> > after adding the rule:
> >
> > ping R6400
> > PING R6400 (192.168.0.121) 56(84) bytes of data.
> > hangs here
> >
> > Thus this rule most likely is one part of the solution.
> >
> > Now I set up a second client, Win7. Unlike iOS, surfing the net does not
> > work, and with Wireshark I see incoming TCP retransmission messages;
> > looks like there is an issue with MTU/MSS? I also managed to get one ping
> > through the tunnel to a LAN machine.
> >
> > What is the best way to specify MTU sizes etc. in strongSwan?
> >
> >> Kind regards
> >>
> >> Noel
> >>
> >> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems
> >>
> >> On 05.09.2017 12:32, Ric S wrote:
> >>> On Tuesday, 5 September 2017 11:28:59 CEST Noel Kuntze wrote:
> >>>> Hi,
> >>>>
> >>>>> ifconfig
> >>>>
> >>>> Please don't use the net-tools. Use iproute2. The net-tools are woefully
> >>>> inadequate for this day and age. They have been deprecated since the early
> >>>> 2000s.
> >>>>
> >>>> Please provide the output of `ip address`, `ip route show table all`,
> >>>> `ip rule` and `sysctl -A | grep rp_filter`.
> >>>>
> >>>> I suspect that at least the rp_filter needs to be set to 2.
> >>>
> >>> I just set all interfaces to 2, still no go.
> >>>
> >>>
> >>>
> >>> root@titan:~# ip address
> >>> 1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 65536 qdisc noqueue qlen 1
> >>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >>>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> >>>        valid_lft forever preferred_lft forever
> >>>     inet6 ::1/128 scope host
> >>>        valid_lft forever preferred_lft forever
> >>> 2: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
> >>>     link/void
> >>> 3: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
> >>>     link/ether a0:63:91:ea:2e:14 brd ff:ff:ff:ff:ff:ff
> >>>     inet6 fe80::a263:91ff:feea:2e14/64 scope link
> >>>        valid_lft forever preferred_lft forever
> >>> 4: vlan1@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue master br0
> >>>     link/ether a0:63:91:ea:2e:14 brd ff:ff:ff:ff:ff:ff
> >>>     inet6 fe80::a263:91ff:feea:2e14/64 scope link
> >>>        valid_lft forever preferred_lft forever
> >>> 5: vlan2@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
> >>>     link/ether a0:63:91:ea:2e:15 brd ff:ff:ff:ff:ff:ff
> >>>     inet 192.168.5.254/24 brd 192.168.5.255 scope global vlan2:0
> >>>        valid_lft forever preferred_lft forever
> >>>     inet6 fe80::a263:91ff:feea:2e15/64 scope link
> >>>        valid_lft forever preferred_lft forever
> >>> 6: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel master br0 qlen 1000
> >>>     link/ether a0:63:91:ea:2e:16 brd ff:ff:ff:ff:ff:ff
> >>>     inet6 fe80::a263:91ff:feea:2e16/64 scope link
> >>>        valid_lft forever preferred_lft forever
> >>> 7: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel master br0 qlen 1000
> >>>     link/ether a0:63:91:ea:2e:17 brd ff:ff:ff:ff:ff:ff
> >>>     inet6 fe80::a263:91ff:feea:2e17/64 scope link
> >>>        valid_lft forever preferred_lft forever
> >>> 9: wl0.1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
> >>>     link/ether a2:63:91:ea:2e:17 brd ff:ff:ff:ff:ff:ff
> >>>     inet 192.168.10.1/24 brd 192.168.10.255 scope global wl0.1
> >>>        valid_lft forever preferred_lft forever
> >>>     inet6 fe80::a063:91ff:feea:2e17/64 scope link
> >>>        valid_lft forever preferred_lft forever
> >>> 10: wl1.1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
> >>>     link/ether a2:63:91:ea:2e:18 brd ff:ff:ff:ff:ff:ff
> >>>     inet 192.168.9.1/24 brd 192.168.9.255 scope global wl1.1
> >>>        valid_lft forever preferred_lft forever
> >>>     inet6 fe80::a063:91ff:feea:2e18/64 scope link
> >>>        valid_lft forever preferred_lft forever
> >>> 12: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue qlen 1000
> >>>     link/ether a0:63:91:ea:2e:16 brd ff:ff:ff:ff:ff:ff
> >>>     inet 169.254.255.1/16 brd 169.254.255.255 scope global br0:0
> >>>        valid_lft forever preferred_lft forever
> >>>     inet 192.168.0.1/24 brd 192.168.0.255 scope global br0
> >>>        valid_lft forever preferred_lft forever
> >>>     inet6 fe80::a263:91ff:feea:2e16/64 scope link
> >>>        valid_lft forever preferred_lft forever
> >>> 13: ppp0: <POINTOPOINT,MULTICAST,UP,10000> mtu 1492 qdisc fq_codel qlen 3
> >>>     link/ppp
> >>>     inet 87.168.251.19 peer 62.155.242.107/32 brd 87.168.251.19 scope global ppp0
> >>>        valid_lft forever preferred_lft forever
> >>>
> >>>
> >>> root@titan:~# ip route show table all
> >>> 192.168.0.121 via 62.155.242.107 dev ppp0 table 220 proto static src 192.168.0.1
> >>> default via 62.155.242.107 dev ppp0
> >>> 62.155.242.107 dev ppp0 proto kernel scope link src 87.168.251.19
> >>> 127.0.0.0/8 dev lo scope link
> >>> 169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
> >>> 192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.1
> >>> 192.168.5.0/24 dev vlan2 proto kernel scope link src 192.168.5.254
> >>> 192.168.9.0/24 dev wl1.1 proto kernel scope link src 192.168.9.1
> >>> 192.168.10.0/24 dev wl0.1 proto kernel scope link src 192.168.10.1
> >>> local 87.168.251.19 dev ppp0 table local proto kernel scope host src 87.168.251.19
> >>> broadcast 87.168.251.19 dev ppp0 table local proto kernel scope link src 87.168.251.19
> >>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> >>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> >>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> >>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> >>> broadcast 169.254.0.0 dev br0 table local proto kernel scope link src 169.254.255.1
> >>> local 169.254.255.1 dev br0 table local proto kernel scope host src 169.254.255.1
> >>> broadcast 169.254.255.255 dev br0 table local proto kernel scope link src 169.254.255.1
> >>> broadcast 192.168.0.0 dev br0 table local proto kernel scope link src 192.168.0.1
> >>> local 192.168.0.1 dev br0 table local proto kernel scope host src 192.168.0.1
> >>> broadcast 192.168.0.255 dev br0 table local proto kernel scope link src 192.168.0.1
> >>> broadcast 192.168.5.0 dev vlan2 table local proto kernel scope link src 192.168.5.254
> >>> local 192.168.5.254 dev vlan2 table local proto kernel scope host src 192.168.5.254
> >>> broadcast 192.168.5.255 dev vlan2 table local proto kernel scope link src 192.168.5.254
> >>> broadcast 192.168.9.0 dev wl1.1 table local proto kernel scope link src 192.168.9.1
> >>> local 192.168.9.1 dev wl1.1 table local proto kernel scope host src 192.168.9.1
> >>> broadcast 192.168.9.255 dev wl1.1 table local proto kernel scope link src 192.168.9.1
> >>> broadcast 192.168.10.0 dev wl0.1 table local proto kernel scope link src 192.168.10.1
> >>> local 192.168.10.1 dev wl0.1 table local proto kernel scope host src 192.168.10.1
> >>> broadcast 192.168.10.255 dev wl0.1 table local proto kernel scope link src 192.168.10.1
> >>> unreachable default dev lo table unspec proto kernel metric -1 error -101
> >>> fe80::/64 dev eth0 proto kernel metric 256
> >>> fe80::/64 dev vlan1 proto kernel metric 256
> >>> fe80::/64 dev br0 proto kernel metric 256
> >>> fe80::/64 dev eth1 proto kernel metric 256
> >>> fe80::/64 dev wl0.1 proto kernel metric 256
> >>> fe80::/64 dev eth2 proto kernel metric 256
> >>> fe80::/64 dev wl1.1 proto kernel metric 256
> >>> fe80::/64 dev vlan2 proto kernel metric 256
> >>> unreachable default dev lo table unspec proto kernel metric -1 error -101
> >>> local ::1 dev lo table local proto none metric 0
> >>> local fe80::a063:91ff:feea:2e17 dev lo table local proto none metric 0
> >>> local fe80::a063:91ff:feea:2e18 dev lo table local proto none metric 0
> >>> local fe80::a263:91ff:feea:2e14 dev lo table local proto none metric 0
> >>> local fe80::a263:91ff:feea:2e14 dev lo table local proto none metric 0
> >>> local fe80::a263:91ff:feea:2e15 dev lo table local proto none metric 0
> >>> local fe80::a263:91ff:feea:2e16 dev lo table local proto none metric 0
> >>> local fe80::a263:91ff:feea:2e16 dev lo table local proto none metric 0
> >>> local fe80::a263:91ff:feea:2e17 dev lo table local proto none metric 0
> >>> ff00::/8 dev eth0 table local metric 256
> >>> ff00::/8 dev vlan1 table local metric 256
> >>> ff00::/8 dev br0 table local metric 256
> >>> ff00::/8 dev eth1 table local metric 256
> >>> ff00::/8 dev wl0.1 table local metric 256
> >>> ff00::/8 dev eth2 table local metric 256
> >>> ff00::/8 dev wl1.1 table local metric 256
> >>> ff00::/8 dev vlan2 table local metric 256
> >>> unreachable default dev lo table unspec proto kernel metric -1 error -101
> >>> root@titan:~# ip rule
> >>> 0: from all lookup local
> >>> 220: from all lookup 220
> >>> 32766: from all lookup main
> >>> 32767: from all lookup default
> >>> root@titan:~# sysctl -A | grep rp_filter
> >>> net.ipv4.conf.all.arp_filter = 0
> >>> net.ipv4.conf.all.rp_filter = 2
> >>> net.ipv4.conf.br0.arp_filter = 0
> >>> net.ipv4.conf.br0.rp_filter = 2
> >>> net.ipv4.conf.default.arp_filter = 0
> >>> net.ipv4.conf.default.rp_filter = 2
> >>> net.ipv4.conf.eth0.arp_filter = 0
> >>> net.ipv4.conf.eth0.rp_filter = 2
> >>> net.ipv4.conf.eth1.arp_filter = 0
> >>> net.ipv4.conf.eth1.rp_filter = 2
> >>> net.ipv4.conf.eth2.arp_filter = 0
> >>> net.ipv4.conf.eth2.rp_filter = 2
> >>> net.ipv4.conf.lo.arp_filter = 0
> >>> net.ipv4.conf.lo.rp_filter = 2
> >>> net.ipv4.conf.ppp0.arp_filter = 0
> >>> net.ipv4.conf.ppp0.rp_filter = 2
> >>> net.ipv4.conf.teql0.arp_filter = 0
> >>> net.ipv4.conf.teql0.rp_filter = 2
> >>> net.ipv4.conf.vlan1.arp_filter = 0
> >>> net.ipv4.conf.vlan1.rp_filter = 2
> >>> net.ipv4.conf.vlan2.arp_filter = 0
> >>> net.ipv4.conf.vlan2.rp_filter = 2
> >>> net.ipv4.conf.wl0.1.arp_filter = 0
> >>> net.ipv4.conf.wl0.1.rp_filter = 2
> >>> net.ipv4.conf.wl1.1.arp_filter = 0
> >>> net.ipv4.conf.wl1.1.rp_filter = 2
> >>>
> >>>>> Just a dynamic ip, who cares.
> >>>>
> >>>> Enough people that it's RFC'd[1].
> >>>
> >>> Sure but it doesn't hurt and makes sure you got the right info.
> >>>
> >>>> Kind regards
> >>>>
> >>>> Noel
> >>>>
> >>>> [1] https://tools.ietf.org/html/rfc1918#section-3
> >>>>
> >>>> On 05.09.2017 11:06, Ric S wrote:
> >>>>> Current configs now:
> >>>>>
> >>>>> strongswan.conf:
> >>>>>
> >>>>> charon {
> >>>>>     dns1 = 8.8.8.8
> >>>>>     dns2 = 8.8.8.4
> >>>>>     plugins {
> >>>>>         dhcp {
> >>>>>             force_server_address = yes
> >>>>>             server = 192.168.0.1
> >>>>>             identity_lease = yes
> >>>>>         }
> >>>>>         farp {
> >>>>>             load = yes
> >>>>>         }
> >>>>>     }
> >>>>> }
> >>>>>
> >>>>>
> >>>>> ipsec.conf:
> >>>>>
> >>>>> config setup
> >>>>>     charondebug="net 2, knl 2, cfg 2"
> >>>>>
> >>>>> conn ikev2
> >>>>>     keyexchange=ikev2
> >>>>>     ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes2
> >>>>>     esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm
> >>>>>     dpdaction=clear
> >>>>>     dpddelay=60s
> >>>>>     leftfirewall=yes
> >>>>>     lefthostaccess=yes
> >>>>>     leftid=carone.ddns.net
> >>>>>     leftsubnet=192.168.0.0/24
> >>>>>     leftcert=host-vpn.der
> >>>>>     leftsendcert=always
> >>>>>     right=%any
> >>>>>     rightauth=eap-tls
> >>>>>     rightsourceip=%dhcp
> >>>>>     eap_identity=%any
> >>>>>     auto=add
> >>>>>
> >>>>> On Tuesday, 5 September 2017 04:54:31 CEST you wrote:
> >>>>>> Hi,
> >>>>>>
> >>>>>>> type=passthrough
> >>>>>
> >>>>> Removed it, also did not use it previous attempts.
> >>>>>
> >>>>>> You're sabotaging yourself. There is no IPsec processing happening
> >>>>>> with
> >>>>>> type=passthrough
> >>>>>>
> >>>>>>> threads = 8
> >>>>>
> >>>>> Removed.
> >>>>>
> >>>>>> You're doing it again. That can lock up the daemon later. Don't do
> >>>>>> that.
> >>>>>> Luckily, the setting is outside the valid configuration block, so
> >>>>>> it's
> >>>>>> invalid and ignored.
> >>>>>>
> >>>>>>> interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
> >>>>>
> >>>>> I removed it. Just for the record, these are my interfaces:
> >>>>>
> >>>>> ifconfig
> >>>>> br0       Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
> >>>>>           inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
> >>>>>           inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
> >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>>>           RX packets:5108 errors:0 dropped:0 overruns:0 frame:0
> >>>>>           TX packets:4497 errors:0 dropped:0 overruns:0 carrier:0
> >>>>>           collisions:0 txqueuelen:1000
> >>>>>           RX bytes:585507 (571.7 KiB)  TX bytes:3738948 (3.5 MiB)
> >>>>>
> >>>>> br0:0     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
> >>>>>           inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
> >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>>>
> >>>>> eth0      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:14
> >>>>>           inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
> >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>>>           RX packets:12075 errors:0 dropped:0 overruns:0 frame:0
> >>>>>           TX packets:12590 errors:0 dropped:0 overruns:0 carrier:0
> >>>>>           collisions:0 txqueuelen:1000
> >>>>>           RX bytes:1941972 (1.8 MiB)  TX bytes:9910375 (9.4 MiB)
> >>>>>           Interrupt:179 Base address:0x4000
> >>>>>
> >>>>> eth1      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
> >>>>>           inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
> >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:7541
> >>>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >>>>>           collisions:0 txqueuelen:1000
> >>>>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> >>>>>           Interrupt:163
> >>>>>
> >>>>> eth2      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:17
> >>>>>           inet6 addr: fe80::a263:91ff:feea:2e17/64 Scope:Link
> >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >>>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >>>>>           collisions:0 txqueuelen:1000
> >>>>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> >>>>>           Interrupt:169
> >>>>>
> >>>>> lo        Link encap:Local Loopback
> >>>>>           inet addr:127.0.0.1  Mask:255.0.0.0
> >>>>>           inet6 addr: ::1/128 Scope:Host
> >>>>>           UP LOOPBACK RUNNING MULTICAST  MTU:65536  Metric:1
> >>>>>           RX packets:425 errors:0 dropped:0 overruns:0 frame:0
> >>>>>           TX packets:425 errors:0 dropped:0 overruns:0 carrier:0
> >>>>>           collisions:0 txqueuelen:1
> >>>>>           RX bytes:53057 (51.8 KiB)  TX bytes:53057 (51.8 KiB)
> >>>>>
> >>>>> ppp0      Link encap:Point-to-Point Protocol
> >>>>>           inet addr:87.168.251.19  P-t-P:62.155.242.107  Mask:255.255.255.255
> >>>>>           UP POINTOPOINT RUNNING MULTICAST  MTU:1492  Metric:1
> >>>>>           RX packets:1010 errors:0 dropped:0 overruns:0 frame:0
> >>>>>           TX packets:1092 errors:0 dropped:0 overruns:0 carrier:0
> >>>>>           collisions:0 txqueuelen:3
> >>>>>           RX bytes:470447 (459.4 KiB)  TX bytes:160357 (156.5 KiB)
> >>>>>
> >>>>> vlan1     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:14
> >>>>>           inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
> >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>>>           RX packets:9247 errors:0 dropped:0 overruns:0 frame:0
> >>>>>           TX packets:9767 errors:0 dropped:0 overruns:0 carrier:0
> >>>>>           collisions:0 txqueuelen:0
> >>>>>           RX bytes:759337 (741.5 KiB)  TX bytes:9462367 (9.0 MiB)
> >>>>>
> >>>>> vlan2     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:15
> >>>>>           inet6 addr: fe80::a263:91ff:feea:2e15/64 Scope:Link
> >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>>>           RX packets:2828 errors:0 dropped:3 overruns:0 frame:0
> >>>>>           TX packets:2815 errors:0 dropped:0 overruns:0 carrier:0
> >>>>>           collisions:0 txqueuelen:0
> >>>>>           RX bytes:916985 (895.4 KiB)  TX bytes:397032 (387.7 KiB)
> >>>>>
> >>>>> vlan2:0   Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:15
> >>>>>           inet addr:192.168.5.254  Bcast:192.168.5.255  Mask:255.255.255.0
> >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>>>
> >>>>> wl0.1     Link encap:Ethernet  HWaddr A2:XX:XX:XX:XX:17
> >>>>>           inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
> >>>>>           inet6 addr: fe80::a063:91ff:feea:2e17/64 Scope:Link
> >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>>>           RX packets:3615 errors:0 dropped:5 overruns:0 frame:7541
> >>>>>           TX packets:3989 errors:0 dropped:0 overruns:0 carrier:0
> >>>>>           collisions:0 txqueuelen:1000
> >>>>>           RX bytes:538878 (526.2 KiB)  TX bytes:998737 (975.3 KiB)
> >>>>>
> >>>>> wl1.1     Link encap:Ethernet  HWaddr A2:XX:XX:XX:XX:18
> >>>>>           inet addr:192.168.9.1  Bcast:192.168.9.255  Mask:255.255.255.0
> >>>>>           inet6 addr: fe80::a063:91ff:feea:2e18/64 Scope:Link
> >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >>>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> >>>>>           collisions:0 txqueuelen:1000
> >>>>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> >>>>>>
> >>>>>> Unnecessary.
> >>>>>>
> >>>>>>> left=%defaultroute
> >>>>>
> >>>>> Removed.
> >>>>>
> >>>>>> Unnecessary.
> >>>>>>
> >>>>>>> kernel-pfkey
> >>>>>>
> >>>>>> Plugin for the legacy IPsec API. Don't use it.
> >>>>>>
> >>>>>>> ping R6400
> >>>>>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
> >>>>>>>
> >>>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
> >>>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
> >>>>>
> >>>>> Just a dynamic ip, who cares.
> >>>>>
> >>>>>> Your next hop is sending that error. You're leaking private address
> >>>>>> into
> >>>>>> the WAN. That is forbidden. Don't do that.
> >>>>>>
> >>>>>>> Routers iptable output:
> >>>>>>>
> >>>>>>> iptables -vnL
> >>>>>>
> >>>>>> The output is unusable. Provide the output of `iptables-save`.
> >>>>>
> >>>>> I disabled a few features, e.g. QoS, in order to reduce the output:
> >>>>>
> >>>>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> >>>>> *raw
> >>>>>
> >>>>> :PREROUTING ACCEPT [12217:1705679]
> >>>>> :OUTPUT ACCEPT [9354:9118762]
> >>>>>
> >>>>> COMMIT
> >>>>> # Completed on Tue Sep 5 10:42:27 2017
> >>>>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> >>>>> *nat
> >>>>>
> >>>>> :PREROUTING ACCEPT [285:28593]
> >>>>> :INPUT ACCEPT [604:43260]
> >>>>> :OUTPUT ACCEPT [47:3676]
> >>>>> :POSTROUTING ACCEPT [47:3676]
> >>>>>
> >>>>> -A PREROUTING -d 87.168.251.19 -p icmp -j DNAT --to-destination 192.168.0.1
> >>>>> -A PREROUTING -d 87.168.251.19 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
> >>>>> -A POSTROUTING -o vlan2 -j MASQUERADE
> >>>>> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
> >>>>> -A POSTROUTING -m mark --mark 0x80000000/0x80000000 -j MASQUERADE
> >>>>> -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
> >>>>> -A POSTROUTING -s 192.168.9.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
> >>>>> COMMIT
> >>>>> # Completed on Tue Sep 5 10:42:27 2017
> >>>>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> >>>>> *mangle
> >>>>>
> >>>>> :PREROUTING ACCEPT [3009:537902]
> >>>>> :INPUT ACCEPT [8937:741571]
> >>>>> :FORWARD ACCEPT [2521:798226]
> >>>>> :OUTPUT ACCEPT [2190:2277003]
> >>>>> :POSTROUTING ACCEPT [11882:9919352]
> >>>>>
> >>>>> -A PREROUTING -d 87.168.251.19 -i ! ppp0 -j MARK --set-xmark 0x80000000/0x80000000
> >>>>> -A PREROUTING -j CONNMARK --save-mark
> >>>>> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> >>>>> COMMIT
> >>>>> # Completed on Tue Sep 5 10:42:27 2017
> >>>>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> >>>>> *filter
> >>>>>
> >>>>> :INPUT ACCEPT [0:0]
> >>>>> :FORWARD ACCEPT [0:0]
> >>>>> :OUTPUT ACCEPT [111:17285]
> >>>>> :advgrp_1 - [0:0]
> >>>>> :advgrp_10 - [0:0]
> >>>>> :advgrp_2 - [0:0]
> >>>>> :advgrp_3 - [0:0]
> >>>>> :advgrp_4 - [0:0]
> >>>>> :advgrp_5 - [0:0]
> >>>>> :advgrp_6 - [0:0]
> >>>>> :advgrp_7 - [0:0]
> >>>>> :advgrp_8 - [0:0]
> >>>>> :advgrp_9 - [0:0]
> >>>>> :grp_1 - [0:0]
> >>>>> :grp_10 - [0:0]
> >>>>> :grp_2 - [0:0]
> >>>>> :grp_3 - [0:0]
> >>>>> :grp_4 - [0:0]
> >>>>> :grp_5 - [0:0]
> >>>>> :grp_6 - [0:0]
> >>>>> :grp_7 - [0:0]
> >>>>> :grp_8 - [0:0]
> >>>>> :grp_9 - [0:0]
> >>>>> :lan2wan - [0:0]
> >>>>> :logaccept - [0:0]
> >>>>> :logdrop - [0:0]
> >>>>> :logreject - [0:0]
> >>>>> :trigger_out - [0:0]
> >>>>>
> >>>>> -A INPUT -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> >>>>> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> >>>>> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> >>>>> -A INPUT -s 66.220.2.74 -p icmp -j ACCEPT
> >>>>> -A INPUT -m state --state RELATED,ESTABLISHED -j logaccept
> >>>>> -A INPUT -i ppp0 -p udp -m udp --dport 520 -j logdrop
> >>>>> -A INPUT -i br0 -p udp -m udp --dport 520 -j logdrop
> >>>>> -A INPUT -p udp -m udp --dport 520 -j logaccept
> >>>>> -A INPUT -i br0 -j logaccept
> >>>>> -A INPUT -i ppp0 -p icmp -j logdrop
> >>>>> -A INPUT -p igmp -j logdrop
> >>>>> -A INPUT -i lo -m state --state NEW -j ACCEPT
> >>>>> -A INPUT -i br0 -m state --state NEW -j logaccept
> >>>>> -A INPUT -i wl0.1 -p udp -m udp --dport 67 -j logaccept
> >>>>> -A INPUT -i wl0.1 -p udp -m udp --dport 53 -j logaccept
> >>>>> -A INPUT -i wl0.1 -p tcp -m tcp --dport 53 -j logaccept
> >>>>> -A INPUT -i wl0.1 -m state --state NEW -j logdrop
> >>>>> -A INPUT -i wl0.1 -j logaccept
> >>>>> -A INPUT -i wl1.1 -p udp -m udp --dport 67 -j logaccept
> >>>>> -A INPUT -i wl1.1 -p udp -m udp --dport 53 -j logaccept
> >>>>> -A INPUT -i wl1.1 -p tcp -m tcp --dport 53 -j logaccept
> >>>>> -A INPUT -i wl1.1 -m state --state NEW -j logdrop
> >>>>> -A INPUT -i wl1.1 -j logaccept
> >>>>> -A INPUT -j logdrop
> >>>>> -A FORWARD -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> >>>>> -A FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> >>>>> -A FORWARD -s 192.168.0.10 -d 194.25.134.46 -j ACCEPT
> >>>>> -A FORWARD -s 192.168.0.10 -d 194.25.134.110 -j ACCEPT
> >>>>> -A FORWARD -s 192.168.0.10 -j LOG
> >>>>> -A FORWARD -s 192.168.0.10 -j DROP
> >>>>> -A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
> >>>>> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl1.1 -m state --state NEW -j logdrop
> >>>>> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl0.1 -m state --state NEW -j logdrop
> >>>>> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p gre -j logaccept
> >>>>> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p tcp -m tcp --dport 1723 -j logaccept
> >>>>> -A FORWARD -i wl0.1 -j logaccept
> >>>>> -A FORWARD -i wl1.1 -j logaccept
> >>>>> -A FORWARD -j lan2wan
> >>>>> -A FORWARD -i br0 -o br0 -j logaccept
> >>>>> -A FORWARD -i br0 -o ppp0 -j logaccept
> >>>>> -A FORWARD -i ppp0 -o br0 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
> >>>>> -A FORWARD -i br0 -j trigger_out
> >>>>> -A FORWARD -i br0 -o wl0.1 -m state --state NEW -j logdrop
> >>>>> -A FORWARD -i br0 -o wl1.1 -m state --state NEW -j logdrop
> >>>>> -A FORWARD -i br0 -m state --state NEW -j logaccept
> >>>>> -A FORWARD -j logdrop
> >>>>> -A OUTPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> >>>>> -A OUTPUT -o br0 -j logaccept
> >>>>> -A logaccept -j ACCEPT
> >>>>> -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
> >>>>> -A logdrop -m state --state INVALID -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
> >>>>> -A logdrop -j DROP
> >>>>> -A logreject -j LOG --log-prefix "WEBDROP " --log-tcp-sequence --log-tcp-options --log-ip-options
> >>>>> -A logreject -p tcp -j REJECT --reject-with tcp-reset
> >>>>> COMMIT
> >>>>> # Completed on Tue Sep 5 10:42:27 2017
> >>>>>
> >>>>>>> I have tried so many things, but still cannot ping from either side or
> >>>>>>> access any local machines.
> >>>>>>> Does anyone have a clue? Can I provide additional info?
> >>>>>>
> >>>>>> You're having no success because you're trying random shit from the
> >>>>>> Internet. About 99,999% of the strongSwan related information on third
> >>>>>> party sites is either wrong or of questionable quality. Don't get your
> >>>>>> information from any place but the project's website.
> >>>>>
> >>>>> Well, that's what I did in the first place, and it also lacks info, e.g. it
> >>>>> did not list all of the required kernel modules. It took me a bit to find
> >>>>> out which modules it needs, as it did not complain at startup but
> >>>>> requested features at runtime which were not there, e.g. a STD RNG.
> >>>>>
> >>>>>
> >>>>> Thanks for any hints, hope the above info helps.
> >>>>>
> >>>>> Cheers Richard
> >>>>>
> >>>>>> Kind regards
> >>>>>>
> >>>>>> Noel
> >>>>>>
> >>>>>> On 5 September 2017 00:53:20 CEST, Ric S <burj-al-arab at gmx.de> wrote:
> >>>>>>> Hi folks,
> >>>>>>>
> >>>>>>> I have been ripping my hair out with this issue.
> >>>>>>>
> >>>>>>> I'm running strongSwan 5.5.3 on a router. The router's LAN subnet is
> >>>>>>> 192.168.0.1/24.
> >>>>>>> I can successfully connect to it with an iPad with IKEv2 and surf the
> >>>>>>> internet, but I cannot reach any internal machines.
> >>>>>>>
> >>>>>>> My config is the following:
> >>>>>>>
> >>>>>>> ipsec.conf:
> >>>>>>>
> >>>>>>> config setup
> >>>>>>>     charondebug="net 2, knl 2, cfg 2"
> >>>>>>>
> >>>>>>> conn ikev2
> >>>>>>>     keyexchange=ikev2
> >>>>>>>     ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes1
> >>>>>>>     esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128
> >>>>>>>     dpdaction=clear
> >>>>>>>     dpddelay=60s
> >>>>>>>     left=%defaultroute
> >>>>>>>     leftfirewall=yes
> >>>>>>>     lefthostaccess=yes
> >>>>>>>     leftid=myname.ddns.net
> >>>>>>>     leftsubnet=192.168.0.0/24
> >>>>>>>     leftcert=host-vpn.der
> >>>>>>>     leftsendcert=always
> >>>>>>>     right=%any
> >>>>>>>     rightauth=eap-tls
> >>>>>>>     rightsourceip=%dhcp
> >>>>>>>     eap_identity=%any
> >>>>>>>     type=passthrough
> >>>>>>>     auto=add
> >>>>>>>
> >>>>>>> strongswan.conf:
> >>>>>>>
> >>>>>>> charon {
> >>>>>>>     interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
> >>>>>>>     plugins {
> >>>>>>>         dhcp {
> >>>>>>>             force_server_address = yes
> >>>>>>>             server = 192.168.0.1
> >>>>>>>             identity_lease = yes
> >>>>>>>         }
> >>>>>>>         farp {
> >>>>>>>             load = yes
> >>>>>>>         }
> >>>>>>>     }
> >>>>>>> }
> >>>>>>>
> >>>>>>> threads = 8
> >>>>>>> dns1 = 8.8.8.8
> >>>>>>> dns1 = 8.8.8.4
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> Status:
> >>>>>>>
> >>>>>>> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.80, armv7l):
> >>>>>>>   uptime: 14 minutes, since Sep 05 00:09:53 2017
> >>>>>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
> >>>>>>>   loaded plugins: charon test-vectors aes des blowfish rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac sqlite attr kernel-pfkey kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-aka eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck
> >>>>>>> Listening IP addresses:
> >>>>>>>   169.254.255.1
> >>>>>>>   192.168.0.1
> >>>>>>>   87.168.243.83
> >>>>>>> Connections:
> >>>>>>>        ikev2:  %any...%any  IKEv2, dpddelay=60s
> >>>>>>>        ikev2:   local:  [myname.ddns.net] uses public key authentication
> >>>>>>>        ikev2:    cert:  "C=DE, O=MYORG, CN=myname.ddns.net"
> >>>>>>>        ikev2:   remote: uses EAP_TLS authentication with EAP identity '%any'
> >>>>>>>        ikev2:   child:  192.168.0.0/24 === dynamic PASS, dpdaction=clear
> >>>>>>> Security Associations (1 up, 0 connecting):
> >>>>>>>        ikev2[6]: ESTABLISHED 11 seconds ago, 87.168.243.83[myname.ddns.net]...109.43.1.19[R6400]
> >>>>>>>        ikev2[6]: IKEv2 SPIs: 243db36d71718704_i 688c466c497d2b9a_r*, public key reauthentication in 2 hours
> >>>>>>>        ikev2[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >>>>>>>        ikev2{4}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c0983fe7_i 04eb0f50_o
> >>>>>>>        ikev2{4}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
> >>>>>>>        ikev2{4}:   192.168.0.0/24 === 192.168.0.121/32
> >>>>>>>
> >>>>>>> swanctl --list-sas
> >>>>>>> ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*
> >>>>>>>   local  'myname.ddns.net' @ 87.168.243.83[4500]
> >>>>>>>   remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]
> >>>>>>>   AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> >>>>>>>   established 92s ago, reauth in 9765s
> >>>>>>>   ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
> >>>>>>>     installed 89s ago, rekeying in 2800s, expires in 3511s
> >>>>>>>     in  c0983fe7,      0 bytes,     0 packets
> >>>>>>>     out 04eb0f50,      0 bytes,     0 packets
> >>>>>>>     local  192.168.0.0/24
> >>>>>>>     remote 192.168.0.121/32
> >>>>>>>
> >>>>>>> ip route list table 220
> >>>>>>> 192.168.0.121 via 62.155.242.107 dev ppp0 proto static src 192.168.0.1
> >>>>>>>
> >>>>>>> FARP seems to work, this is a ping from one of the local machines:
> >>>>>>>
> >>>>>>> ping R6400
> >>>>>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
> >>>>>>>
> >>>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
> >>>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
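Editor's note. The thread converges on two iptables points: the NAT exemption for IPsec traffic (Noel's "General-NAT-problems" link; Ric's `-I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT`) and MSS clamping for TCP through the tunnel (the "MTUMSS-issues" link). Both are ordering and presence questions that can be checked mechanically against `iptables-save` output. The script below is an added example, not code from the thread, from Noel or from the strongSwan project. It assumes the rule layout of Ric's posted dump (SNAT of 192.168.0.0/24 on `-o ppp0`, a roadwarrior route for 192.168.0.121 in table 220 via ppp0): a packet from the LAN to 192.168.0.121 is routed out ppp0, and if the SNAT rule rewrites its source first it no longer matches the `192.168.0.0/24 === 192.168.0.121/32` policy and leaves unprotected, which is the "Destination Host Unreachable" from the ISP next hop seen in the thread. Inserting the exemption with `-I` puts it ahead of every SNAT/MASQUERADE rule; appending it with `-A` would not. The sample dumps are constructed from the posted ruleset; the MSS value 1360 (with the 1361:1536 match range) is an assumption that fits ESP-in-UDP on the 1492-byte ppp0 link here but must be checked against your own path MTU.

```sh
#!/bin/sh
# Added example (not from the thread or from strongSwan): audit an
# iptables-save dump for the IPsec NAT exemption and MSS clamp.
# Sample dumps are constructed, modelled on the ruleset posted in the thread.

# Posted state: SNAT on ppp0, no exemption, generic clamp-to-pmtu only.
SAMPLE_BROKEN='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT'

# Exemption appended with -A instead of inserted with -I: lands after SNAT.
SAMPLE_LATE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
-A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
COMMIT'

# Exemption first, plus MSS clamp on IPsec-policed TCP in both directions.
# MSS 1360 / range 1361:1536 is an assumption; derive from your path MTU.
SAMPLE_FIXED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -o vlan2 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT'

# check_nat_exemption DUMP: prints "ok" when nat/POSTROUTING has a
# "-m policy --pol ipsec --dir out -j ACCEPT" rule before any SNAT or
# MASQUERADE rule, "too-late" when it exists but comes after one,
# "missing" when there is none.
check_nat_exemption() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        table == "nat" && /^-A POSTROUTING / {
            n++
            if ($0 ~ /-m policy / && $0 ~ /--pol ipsec/ && $0 ~ /--dir out/ && $0 ~ /-j ACCEPT/) {
                if (!exempt) exempt = n
            } else if ($0 ~ /-j (SNAT|MASQUERADE)/) {
                if (!nat) nat = n
            }
        }
        END {
            if (!exempt) print "missing"
            else if (nat && nat < exempt) print "too-late"
            else print "ok"
        }'
}

# check_mss_clamp DUMP: prints "ok" when mangle/FORWARD clamps MSS on
# policy-matched traffic in both directions, "pmtu-only" when only a
# generic --clamp-mss-to-pmtu rule exists, "missing" otherwise.
check_mss_clamp() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        table == "mangle" && /^-A FORWARD / && /-j TCPMSS/ {
            if ($0 ~ /--pol ipsec/ && $0 ~ /--dir in/)  in_ok = 1
            if ($0 ~ /--pol ipsec/ && $0 ~ /--dir out/) out_ok = 1
            if ($0 ~ /--clamp-mss-to-pmtu/) pmtu = 1
        }
        END {
            if (in_ok && out_ok) print "ok"
            else if (pmtu) print "pmtu-only"
            else print "missing"
        }'
}

# fix_rules: print (do not run) the commands that take SAMPLE_BROKEN to
# SAMPLE_FIXED. Note -I for the exemption so it precedes the SNAT rules.
fix_rules() {
    cat <<'EOF'
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
EOF
}

# Against the live ruleset (root): check_nat_exemption "$(iptables-save)"
```

Run the two checks against `iptables-save` on the router; "too-late" is the case the thread's `-I` avoids, and "pmtu-only" is the state of the posted mangle table, which was evidently not enough for the Win7 client's TCP retransmissions.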