[strongSwan] strongswan not picking up traffic
Chengcheng Fu
terryfcc at icloud.com
Thu Sep 14 04:12:02 CEST 2017
Hi,
The GRE tunnel is working on its own, it's like Strongswan is not even aware of it's happening, and not trying to encapsulate it.
I must be missing something simple.
Below are my configs.
=========================
hub-192.168.23.193
=========================
##### ipsec.conf #####
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
mobike=no
keyexchange=ikev2
conn host-host
left=192.168.23.193
leftprotoport=gre
rightprotoport=gre
type=transport
auto=add
reauth=no
closeaction=clear
keyexchange=ikev2
right=%any
mark=%unique
##### strongswan.conf #####
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
filelog {
/var/log/charon_debug.log {
time_format = %a, %Y-%m-%d %R
default = 2
mgr = 0
net = 1
enc = 1
asn = 1
job = 1
knl = 1
ike_name = yes
append = no
flush_line = yes
}
}
}
include strongswan.d/*.conf
##### swanctl.conf #####
include conf.d/*.conf
##### ipsec statusall #####
Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
uptime: 12 minutes, since Sep 14 09:52:04 2017
malloc: sbrk 1081344, mmap 0, used 267712, free 813632
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
192.168.23.193
192.168.34.1
Connections:
host-host: 192.168.23.193...%any IKEv2
host-host: local: [192.168.23.193] uses pre-shared key authentication
host-host: remote: uses pre-shared key authentication
host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (0 up, 0 connecting):
none
##### iptables -L -v #####
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
25 1876 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 13 packets, 1332 bytes)
pkts bytes target prot opt in out source destination
##### ip route show table all #####
default via 192.168.23.232 dev eth0 proto static metric 20
default via 192.168.23.232 dev eth0 proto static metric 100
192.168.23.0/24 dev eth0 proto kernel scope link src 192.168.23.193 metric 100
192.168.34.3 dev gre1 proto kernel scope link src 192.168.34.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.23.0 dev eth0 table local proto kernel scope link src 192.168.23.193
local 192.168.23.193 dev eth0 table local proto kernel scope host src 192.168.23.193
broadcast 192.168.23.255 dev eth0 table local proto kernel scope link src 192.168.23.193
local 192.168.34.1 dev gre1 table local proto kernel scope host src 192.168.34.1
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
unreachable ::/96 dev lo metric 1024 error -113 pref medium
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev gre1 proto kernel metric 256 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto none metric 0 pref medium
local fe80:: dev lo table local proto none metric 0 pref medium
local fe80:: dev lo table local proto none metric 0 pref medium
local fe80::5efe:c0a8:17c1 dev lo table local proto none metric 0 pref medium
local fe80::5054:ff:fecb:abeb dev lo table local proto none metric 0 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev eth2 table local metric 256 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev gre1 table local metric 256 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
##### ip address #####
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:cb:ab:eb brd ff:ff:ff:ff:ff:ff
inet 192.168.23.193/24 brd 192.168.23.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fecb:abeb/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:62:6d:17 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:f9:74:56 brd ff:ff:ff:ff:ff:ff
5: gre0 at NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1
link/gre 0.0.0.0 brd 0.0.0.0
6: gretap0 at NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
7: gre1 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1
link/gre 192.168.23.193 peer 192.168.23.203
inet 192.168.34.1 peer 192.168.34.3/32 scope global gre1
valid_lft forever preferred_lft forever
inet6 fe80::5efe:c0a8:17c1/64 scope link
valid_lft forever preferred_lft forever
=========================
spoke-192.168.23.203
=========================
##### ipsec.conf #####
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
mobike=no
keyexchange=ikev2
conn host-host
left=192.168.23.203
leftprotoport=gre
right=192.168.23.193
rightprotoport=gre
type=transport
auto=add
reauth=no
closeaction=hold
keyexchange=ikev2
keyingtries=%forever
##### strongswan.conf #####
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
syslog {
daemon {
default = 2
ike = 2
cfg = 2
esp = 2
chd = 2
net = 2
}
}
filelog {
/var/log/charon_debug.log {
time_format = %a, %Y-%m-%d %R
default = 2
mgr = 0
net = 1
enc = 1
asn = 1
job = 1
knl = 1
ike_name = yes
append = no
flush_line = yes
}
}
}
include strongswan.d/*.conf
##### swanctl.conf #####
include conf.d/*.conf
##### ipsec statusall #####
Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
uptime: 16 minutes, since Sep 14 09:53:16 2017
malloc: sbrk 2289664, mmap 0, used 295488, free 1994176
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
192.168.23.203
192.168.34.3
Connections:
host-host: 192.168.23.203...192.168.23.193 IKEv2
host-host: local: [192.168.23.203] uses pre-shared key authentication
host-host: remote: [192.168.23.193] uses pre-shared key authentication
host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (0 up, 0 connecting):
none
##### iptables -L -v #####
Chain INPUT (policy ACCEPT 376 packets, 60234 bytes)
pkts bytes target prot opt in out source destination
13280 5633K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
1 84 ACCEPT icmp -- any any anywhere anywhere
1 80 ACCEPT all -- lo any anywhere anywhere
2 120 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 14803 packets, 4253K bytes)
pkts bytes target prot opt in out source destination
##### ip route show table all #####
default via 192.168.23.232 dev eth0 proto static metric 100
192.168.23.0/24 dev eth0 proto kernel scope link src 192.168.23.203
192.168.34.1 dev gre1 proto kernel scope link src 192.168.34.3
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.23.0 dev eth0 table local proto kernel scope link src 192.168.23.203
local 192.168.23.203 dev eth0 table local proto kernel scope host src 192.168.23.203
broadcast 192.168.23.255 dev eth0 table local proto kernel scope link src 192.168.23.203
local 192.168.34.3 dev gre1 table local proto kernel scope host src 192.168.34.3
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
unreachable ::/96 dev lo metric 1024 error -113 pref medium
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev gre1 proto kernel metric 256 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
local ::1 dev lo table local proto none metric 0 pref medium
local fe80:: dev lo table local proto none metric 0 pref medium
local fe80:: dev lo table local proto none metric 0 pref medium
local fe80::5efe:c0a8:17cb dev lo table local proto none metric 0 pref medium
local fe80::5054:ff:fe3e:b778 dev lo table local proto none metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev eth2 table local metric 256 pref medium
ff00::/8 dev gre1 table local metric 256 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
##### ip address #####
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:3e:b7:78 brd ff:ff:ff:ff:ff:ff
inet 192.168.23.203/24 brd 192.168.23.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe3e:b778/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:73:7f:25 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:89:7f:b2 brd ff:ff:ff:ff:ff:ff
5: gre0 at NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1
link/gre 0.0.0.0 brd 0.0.0.0
6: gretap0 at NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
7: gre1 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1
link/gre 192.168.23.203 peer 192.168.23.193
inet 192.168.34.3 peer 192.168.34.1/32 scope global gre1
valid_lft forever preferred_lft forever
inet6 fe80::5efe:c0a8:17cb/64 scope link
valid_lft forever preferred_lft forever
Regards,
Terry
On Sep 13, 2017, at 12:12 PM, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
Hello,
Please provide all the information that is listed on the HelpRequests[1] page on the wiki. Use the listed commands to get that information.
Right now, you don't even have a CHILD_SA that could be used to encapsulate the traffic nor an IKE_SA to negotiate that CHILD_SA over.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
On 13.09.2017 19:18, Anvar Kuchkartaev wrote:
What happened when you initiate host-host connection from any side? Can you share your ipsec.conf file contents so I could see if any mistakes over there? One more question how are your firewall rules configured? Do they allow udp 500,4500, ah, esp protocols from both side?
Anvar Kuchkartaev
anvar at anvartay.com
*From: *Chengcheng Fu
*Sent: *miércoles, 13 de septiembre de 2017 06:27 p.m.
*To: *users at lists.strongswan.org
*Subject: *[strongSwan] strongswan not picking up traffic
Hi,
I'm trying to setup a GRE over IPSec.
I have the GRE working, but Strongswan wouldn't pickup the gre traffic and encrypt it.
Following is my topology
hub 192.168.23.193 - 192.168.23.203 spoke
And here are my output.
Hub side:
Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
uptime: 108 seconds, since Sep 14 00:23:00 2017
malloc: sbrk 2027520, mmap 0, used 273392, free 1754128
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
192.168.23.193
192.168.34.1
Connections:
host-host: 192.168.23.193...%any IKEv2
host-host: local: [192.168.23.193] uses pre-shared key authentication
host-host: remote: uses pre-shared key authentication
host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (0 up, 0 connecting):
none
Spoke side:
Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
uptime: 4 seconds, since Sep 14 00:17:44 2017
malloc: sbrk 2289664, mmap 0, used 287184, free 2002480
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
192.168.23.203
192.168.34.3
Connections:
host-host: 192.168.23.203...192.168.23.193 IKEv2
host-host: local: [192.168.23.203] uses pre-shared key authentication
host-host: remote: [192.168.23.193] uses pre-shared key authentication
host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (0 up, 0 connecting):
none
Any thoughts?
Regards,
Terry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170914/1ddfaf91/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 849 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170914/1ddfaf91/attachment-0001.sig>
More information about the Users
mailing list