[strongSwan] Roadwarriors can't ping each other

Bas van Dijk v.dijk.bas at gmail.com
Sat Sep 9 16:16:19 CEST 2017


(I removed the NFLOG rules)

[alice] $ iptables-save -c
# Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:40 2017
*nat
:PREROUTING ACCEPT [4:256]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [4:2672]
:POSTROUTING ACCEPT [4:2672]
COMMIT
# Completed on Sat Sep  9 14:02:40 2017
# Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:40 2017
*raw
:PREROUTING ACCEPT [18:6158]
:OUTPUT ACCEPT [16:8534]
:nixos-fw-rpfilter - [0:0]
[18:6158] -A PREROUTING -j nixos-fw-rpfilter
[18:6158] -A nixos-fw-rpfilter -m rpfilter -j RETURN
[0:0] -A nixos-fw-rpfilter -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m
udp --sport 68 --dport 67 -j RETURN
[0:0] -A nixos-fw-rpfilter -j DROP
COMMIT
# Completed on Sat Sep  9 14:02:40 2017
# Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:40 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nixos-fw - [0:0]
:nixos-fw-accept - [0:0]
:nixos-fw-log-refuse - [0:0]
:nixos-fw-refuse - [0:0]
[0:0] -A INPUT -s 10.0.0.0/24 -d 10.0.0.1/32 -i eth1 -m policy --dir in
--pol ipsec --reqid 1 --proto esp -j ACCEPT
[18:6158] -A INPUT -j nixos-fw
[0:0] -A FORWARD -s 10.0.0.0/24 -d 10.0.0.1/32 -i eth1 -m policy --dir in
--pol ipsec --reqid 1 --proto esp -j ACCEPT
[0:0] -A FORWARD -s 10.0.0.1/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out
--pol ipsec --reqid 1 --proto esp -j ACCEPT
[0:0] -A OUTPUT -s 10.0.0.1/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out
--pol ipsec --reqid 1 --proto esp -j ACCEPT
[2:1152] -A nixos-fw -i lo -j nixos-fw-accept
[10:4622] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j
nixos-fw-accept
[0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
[6:384] -A nixos-fw -j nixos-fw-log-refuse
[12:5774] -A nixos-fw-accept -j ACCEPT
[0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
-j LOG --log-prefix "rejected connection: " --log-level 6
[6:384] -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j
nixos-fw-refuse
[0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse
[6:384] -A nixos-fw-refuse -j DROP
COMMIT
# Completed on Sat Sep  9 14:02:40 2017

[alice] $ sysctl -A | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.arp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0

[carol] $ iptables-save -c
# Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:56 2017
*nat
:PREROUTING ACCEPT [2:128]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [3:2002]
:POSTROUTING ACCEPT [3:2002]
COMMIT
# Completed on Sat Sep  9 14:02:56 2017
# Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:56 2017
*raw
:PREROUTING ACCEPT [7:1983]
:OUTPUT ACCEPT [5:2374]
:nixos-fw-rpfilter - [0:0]
[7:1983] -A PREROUTING -j nixos-fw-rpfilter
[7:1983] -A nixos-fw-rpfilter -m rpfilter -j RETURN
[0:0] -A nixos-fw-rpfilter -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m
udp --sport 68 --dport 67 -j RETURN
[0:0] -A nixos-fw-rpfilter -j DROP
COMMIT
# Completed on Sat Sep  9 14:02:56 2017
# Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:56 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nixos-fw - [0:0]
:nixos-fw-accept - [0:0]
:nixos-fw-log-refuse - [0:0]
:nixos-fw-refuse - [0:0]
[0:0] -A INPUT -s 10.0.0.0/24 -d 10.0.0.2/32 -i eth1 -m policy --dir in
--pol ipsec --reqid 1 --proto esp -j ACCEPT
[7:1983] -A INPUT -j nixos-fw
[0:0] -A FORWARD -s 10.0.0.0/24 -d 10.0.0.2/32 -i eth1 -m policy --dir in
--pol ipsec --reqid 1 --proto esp -j ACCEPT
[0:0] -A FORWARD -s 10.0.0.2/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out
--pol ipsec --reqid 1 --proto esp -j ACCEPT
[0:0] -A OUTPUT -s 10.0.0.2/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out
--pol ipsec --reqid 1 --proto esp -j ACCEPT
[0:0] -A nixos-fw -i lo -j nixos-fw-accept
[3:1727] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j
nixos-fw-accept
[0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
[4:256] -A nixos-fw -j nixos-fw-log-refuse
[3:1727] -A nixos-fw-accept -j ACCEPT
[0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
-j LOG --log-prefix "rejected connection: " --log-level 6
[4:256] -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j
nixos-fw-refuse
[0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse
[4:256] -A nixos-fw-refuse -j DROP
COMMIT
# Completed on Sat Sep  9 14:02:56 2017

[carol] $ sysctl -A | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.arp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0

[moon] $ iptables-save -c
# Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:37 2017
*nat
:PREROUTING ACCEPT [5:4546]
:INPUT ACCEPT [5:4546]
:OUTPUT ACCEPT [1:64]
:POSTROUTING ACCEPT [1:64]
COMMIT
# Completed on Sat Sep  9 14:02:37 2017
# Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:37 2017
*raw
:PREROUTING ACCEPT [15:8288]
:OUTPUT ACCEPT [15:6477]
:nixos-fw-rpfilter - [0:0]
[15:8288] -A PREROUTING -j nixos-fw-rpfilter
[15:8288] -A nixos-fw-rpfilter -m rpfilter -j RETURN
[0:0] -A nixos-fw-rpfilter -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m
udp --sport 68 --dport 67 -j RETURN
[0:0] -A nixos-fw-rpfilter -j DROP
COMMIT
# Completed on Sat Sep  9 14:02:37 2017
# Generated by iptables-save v1.6.1 on Sat Sep  9 14:02:37 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:1432]
:nixos-fw - [0:0]
:nixos-fw-accept - [0:0]
:nixos-fw-log-refuse - [0:0]
:nixos-fw-refuse - [0:0]
[15:8288] -A INPUT -j nixos-fw
[0:0] -A FORWARD -s 10.0.0.2/32 -d 10.0.0.0/24 -i eth1 -m policy --dir in
--pol ipsec --reqid 3 --proto esp -j ACCEPT
[0:0] -A FORWARD -s 10.0.0.0/24 -d 10.0.0.2/32 -o eth1 -m policy --dir out
--pol ipsec --reqid 3 --proto esp -j ACCEPT
[0:0] -A FORWARD -s 10.0.0.1/32 -d 10.0.0.0/24 -i eth1 -m policy --dir in
--pol ipsec --reqid 2 --proto esp -j ACCEPT
[0:0] -A FORWARD -s 10.0.0.0/24 -d 10.0.0.1/32 -o eth1 -m policy --dir out
--pol ipsec --reqid 2 --proto esp -j ACCEPT
[0:0] -A nixos-fw -i lo -j nixos-fw-accept
[5:2328] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j
nixos-fw-accept
[4:3152] -A nixos-fw -p udp -m udp --dport 4500 -j nixos-fw-accept
[4:2680] -A nixos-fw -p udp -m udp --dport 500 -j nixos-fw-accept
[0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
[2:128] -A nixos-fw -j nixos-fw-log-refuse
[13:8160] -A nixos-fw-accept -j ACCEPT
[0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
-j LOG --log-prefix "rejected connection: " --log-level 6
[2:128] -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j
nixos-fw-refuse
[0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse
[2:128] -A nixos-fw-refuse -j DROP
COMMIT
# Completed on Sat Sep  9 14:02:37 2017

[moon] $ sysctl -A | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.arp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0

BTW note that if I execute the following on all hosts:

$ iptables --insert INPUT --protocol ESP --jump ACCEPT

pinging from alice to carol will actually give a "Destination Net
Unreachable" error instead of not giving any output:

[alice] $ ping -c 1 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
From 192.168.1.3 icmp_seq=1 Destination Net Unreachable

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms


On 9 September 2017 at 15:57, Noel Kuntze <
noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> Hi Bas,
>
> Please provide the outputs of `iptables-save -c` on all hosts
> and the output of `sysctl -A | grep rp_filter`. `iptables -S` is not
> useful.
>
> Kind regards
>
> Noel
>
> On 09.09.2017 15:50, Bas van Dijk wrote:
> > Hi Noel,
> >
> > These are the firewall rules of all hosts after establishing the tunnels
> (all the NFLOG rules will be removed eventually, they're currently used for
> debugging):
> >
> > [alice] $ iptables -S
> > -P INPUT ACCEPT
> > -P FORWARD ACCEPT
> > -P OUTPUT ACCEPT
> > -N nixos-fw
> > -N nixos-fw-accept
> > -N nixos-fw-log-refuse
> > -N nixos-fw-refuse
> > -A INPUT -s 10.0.0.0/24 -d 10.0.0.1/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A INPUT -m addrtype ! --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5
> > -A INPUT -m addrtype --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5
> > -A INPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
> > -A INPUT -p ah -j NFLOG --nflog-group 5
> > -A INPUT -p esp -j NFLOG --nflog-group 5
> > -A INPUT -j nixos-fw
> > -A FORWARD -s 10.0.0.0/24 -d 10.0.0.1/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A FORWARD -s 10.0.0.1/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A OUTPUT -s 10.0.0.1/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 5
> > -A OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
> > -A OUTPUT -p ah -j NFLOG --nflog-group 5
> > -A OUTPUT -p esp -j NFLOG --nflog-group 5
> > -A nixos-fw -i lo -j nixos-fw-accept
> > -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept
> > -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
> > -A nixos-fw -j nixos-fw-log-refuse
> > -A nixos-fw-accept -j ACCEPT
> > -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j
> LOG --log-prefix "rejected connection: " --log-level 6
> > -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
> > -A nixos-fw-log-refuse -j nixos-fw-refuse
> > -A nixos-fw-refuse -j DROP
> >
> > [carol] $ iptables -S
> > -P INPUT ACCEPT
> > -P FORWARD ACCEPT
> > -P OUTPUT ACCEPT
> > -N nixos-fw
> > -N nixos-fw-accept
> > -N nixos-fw-log-refuse
> > -N nixos-fw-refuse
> > -A INPUT -s 10.0.0.0/24 -d 10.0.0.2/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A INPUT -m addrtype ! --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5
> > -A INPUT -m addrtype --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5
> > -A INPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
> > -A INPUT -p ah -j NFLOG --nflog-group 5
> > -A INPUT -p esp -j NFLOG --nflog-group 5
> > -A INPUT -j nixos-fw
> > -A FORWARD -s 10.0.0.0/24 -d 10.0.0.2/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A FORWARD -s 10.0.0.2/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A OUTPUT -s 10.0.0.2/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 5
> > -A OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
> > -A OUTPUT -p ah -j NFLOG --nflog-group 5
> > -A OUTPUT -p esp -j NFLOG --nflog-group 5
> > -A nixos-fw -i lo -j nixos-fw-accept
> > -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept
> > -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
> > -A nixos-fw -j nixos-fw-log-refuse
> > -A nixos-fw-accept -j ACCEPT
> > -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j
> LOG --log-prefix "rejected connection: " --log-level 6
> > -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
> > -A nixos-fw-log-refuse -j nixos-fw-refuse
> > -A nixos-fw-refuse -j DROP
> >
> > [moon] $ iptables -S
> > -P INPUT ACCEPT
> > -P FORWARD ACCEPT
> > -P OUTPUT ACCEPT
> > -N nixos-fw
> > -N nixos-fw-accept
> > -N nixos-fw-log-refuse
> > -N nixos-fw-refuse
> > -A INPUT -m addrtype ! --dst-type LOCAL -m policy --dir in --pol ipsec
> -j NFLOG --nflog-group 5
> > -A INPUT -m addrtype --dst-type LOCAL -m policy --dir in --pol ipsec -j
> NFLOG --nflog-group 5
> > -A INPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
> > -A INPUT -p ah -j NFLOG --nflog-group 5
> > -A INPUT -p esp -j NFLOG --nflog-group 5
> > -A INPUT -j nixos-fw
> > -A FORWARD -s 10.0.0.2/32 -d 10.0.0.0/24 -i eth1 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT
> > -A FORWARD -s 10.0.0.0/24 -d 10.0.0.2/32 -o eth1 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT
> > -A FORWARD -s 10.0.0.1/32 -d 10.0.0.0/24 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A FORWARD -s 10.0.0.0/24 -d 10.0.0.1/32 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 5
> > -A OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
> > -A OUTPUT -p ah -j NFLOG --nflog-group 5
> > -A OUTPUT -p esp -j NFLOG --nflog-group 5
> > -A nixos-fw -i lo -j nixos-fw-accept
> > -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept
> > -A nixos-fw -p udp -m udp --dport 4500 -j nixos-fw-accept
> > -A nixos-fw -p udp -m udp --dport 500 -j nixos-fw-accept
> > -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
> > -A nixos-fw -j nixos-fw-log-refuse
> > -A nixos-fw-accept -j ACCEPT
> > -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j
> LOG --log-prefix "rejected connection: " --log-level 6
> > -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
> > -A nixos-fw-log-refuse -j nixos-fw-refuse
> > -A nixos-fw-refuse -j DROP
> >
> >
> > On 9 September 2017 at 15:34, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> >
> >     Hi,
> >
> >     Check your iptables rules.
> >
> >     Kind regards
> >
> >     Noel
> >
> >     On 09.09.2017 14:06, Bas van Dijk wrote:
> >     > Dear list,
> >     >
> >     > (I accidentally sent a previous message
> >     > <https://groups.google.com/forum/#%21topic/strongswan-users/2ytikPcg7jA>
> >     > to the read-only strongswan-users at googlegroups.com. So let's
> >     > try the real list.)
> >     >
> >     > I'm working on another NixOS strongswan test. This time I have two
> roadwarriors alice and carol that set up a connection to gateway moon. They
> request a virtual IP. The gateway moon assigns virtual IP addresses from a
> pool per roadwarrior containing a single IP address. Authentication is
> based on X.509 certificates. In order to test the tunnel alice and carol
> ping each other. The test configuration can be found in:
> >     >
> >     > https://github.com/LumiGuide/nixpkgs/blob/strongswan-swanctl-pubkey-test/nixos/tests/strongswan-swanctl-pubkey.nix
> >     >
> >     > The roadwarriors alice and carol can successfully establish a
> CHILD_SA with the gateway moon. The problem is that the roadwarriors can't
> ping each other.
> >     >
> >     > This is a tcpdump on alice while initiating the CHILD_SA and
> trying to ping carol:
> >     >
> >     > [alice] $ tcpdump -s 0 -n -i nflog:5
> >     > tcpdump: verbose output suppressed, use -v or -vv for full
> protocol decode
> >     > listening on nflog:5, link-type NFLOG (Linux netfilter log
> messages), capture size 262144 bytes
> >     > # swanctl -i --child alice
> >     > 11:05:07.318185 IP 192.168.1.1.500 > 192.168.1.3.500: isakmp:
> parent_sa ikev2_init[I]
> >     > 11:05:07.318291 IP 192.168.1.3.500 > 192.168.1.1.500: isakmp:
> parent_sa ikev2_init[R]
> >     > 11:05:07.318296 IP 192.168.1.1.4500 > 192.168.1.3.4500:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> >     > 11:05:07.318308 IP 192.168.1.1.4500 > 192.168.1.3.4500:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> >     > 11:05:08.346181 IP 192.168.1.3.4500 > 192.168.1.1.4500:
> NONESP-encap: isakmp: child_sa  ikev2_auth[R]
> >     > 11:05:08.346196 IP 192.168.1.3.4500 > 192.168.1.1.4500:
> NONESP-encap: isakmp: child_sa  ikev2_auth[R]
> >     > # ping -c 1 10.0.0.2
> >     > 11:05:15.898172 IP 192.168.1.1 > 10.0.0.2: ICMP echo request, id 1120, seq 1, length 64
> >     > 11:05:15.898200 IP 192.168.1.1 > 10.0.0.2: ICMP echo request, id 1120, seq 1, length 64
> >     > 11:05:15.898205 IP 192.168.1.1 > 192.168.1.3: ESP(spi=0xc6877d56,seq=0x1), length 136
> >     >
> >     > So it looks like the ping packet gets encapsulated and sent to
> moon. This is the dump on moon:
> >     >
> >     > [moon] $ tcpdump -s 0 -n -i nflog:5
> >     > tcpdump: verbose output suppressed, use -v or -vv for full
> protocol decode
> >     > listening on nflog:5, link-type NFLOG (Linux netfilter log
> messages), capture size 262144 bytes
> >     > 11:05:07.170190 IP 192.168.1.1.500 > 192.168.1.3.500: isakmp:
> parent_sa ikev2_init[I]
> >     > 11:05:07.170218 IP 192.168.1.3.500 > 192.168.1.1.500: isakmp:
> parent_sa ikev2_init[R]
> >     > 11:05:07.170221 IP 192.168.1.1.4500 > 192.168.1.3.4500:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> >     > 11:05:07.170227 IP 192.168.1.1.4500 > 192.168.1.3.4500:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> >     > 11:05:08.225827 IP 192.168.1.3.4500 > 192.168.1.1.4500:
> NONESP-encap: isakmp: child_sa  ikev2_auth[R]
> >     > 11:05:08.225843 IP 192.168.1.3.4500 > 192.168.1.1.4500:
> NONESP-encap: isakmp: child_sa  ikev2_auth[R]
> >     >
> >     > 11:05:15.777787 IP 192.168.1.1 > 192.168.1.3: ESP(spi=0xc6877d56,seq=0x1), length 136
> >     >
> >     > So moon receives the encapsulated ping message from alice but it
> never reroutes it to carol. Is this caused by a bad routing configuration?
> These are the routes on alice and her auto-generated swanctl configuration:
> >     >
> >     > [alice] $ ip route list table 220
> >     > 10.0.0.0/24 via 192.168.1.3 dev eth1 proto static src 192.168.1.1
> >     >
> >     > [alice] $ cat /etc/swanctl/swanctl.conf
> >     > connections {
> >     >   alice {
> >     >     children {
> >     >       alice {
> >     >         remote_ts = 10.0.0.0/24
> >     >         start_action = trap
> >     >         updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w9g-strongswan-5.6.0/libexec/ipsec/_updown iptables
> >     >       }
> >     >     }
> >     >     local-main {
> >     >       auth = pubkey
> >     >       certs = aliceCert.der
> >     >       id = alice
> >     >     }
> >     >     remote-main {
> >     >       auth = pubkey
> >     >       id = moon
> >     >     }
> >     >     remote_addrs = moon
> >     >     version = 2
> >     >     vips = 0.0.0.0
> >     >   }
> >     > }
> >     >
> >     > Routing table 220 is empty on moon. Is that how it's supposed to
> be? This is its auto-generated swanctl configuration:
> >     >
> >     > [moon] $ cat /etc/swanctl/swanctl.conf
> >     > connections {
> >     >   alice {
> >     >     children {
> >     >       alice {
> >     >         local_ts = 10.0.0.0/24
> >     >         updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w9g-strongswan-5.6.0/libexec/ipsec/_updown iptables
> >     >       }
> >     >     }
> >     >     local-main {
> >     >       auth = pubkey
> >     >       certs = moonCert.der
> >     >       id = moon
> >     >     }
> >     >     pools = alice
> >     >     remote-main {
> >     >       auth = pubkey
> >     >       id = alice
> >     >     }
> >     >     version = 2
> >     >   }
> >     >   carol {
> >     >     children {
> >     >       carol {
> >     >         local_ts = 10.0.0.0/24
> >     >         updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w9g-strongswan-5.6.0/libexec/ipsec/_updown iptables
> >     >       }
> >     >     }
> >     >     local-main {
> >     >       auth = pubkey
> >     >       certs = moonCert.der
> >     >       id = moon
> >     >     }
> >     >     pools = carol
> >     >     remote-main {
> >     >       auth = pubkey
> >     >       id = carol
> >     >     }
> >     >     version = 2
> >     >   }
> >     > }
> >     > pools {
> >     >   alice {
> >     >     addrs = 10.0.0.1
> >     >   }
> >     >   carol {
> >     >     addrs = 10.0.0.2
> >     >   }
> >     > }
> >     >
> >     > I'm sure I'm not configuring something correctly. Can somebody
> point me in the right direction to get this test succeeding?
> >     >
> >     > Regards,
> >     >
> >     > Bas
> >     >
> >     >
> >     >
> >
> >
> >
>
>