[strongSwan] strongswan not picking up traffic
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Sep 14 13:01:27 CEST 2017
Hi,
You're expected to use auto=route. It is normal, by design and common with all other *swans, that auto=add does not initiate a connection.
You gotta read the manual/documentation before using the software.
Kind regards
Noel
On 14.09.2017 09:07, Chengcheng Fu wrote:
> Hi,
>
> After I manually bring up the tunnel from the spoke side, it has started working.
>
> "ipsec up host-host".
>
> But is this normal??
>
> Regards,
>
> Terry
>
> On Sep 13, 2017, at 07:12 PM, Chengcheng Fu <terryfcc at icloud.com> wrote:
>
>> Hi,
>>
>> The GRE tunnel is working on its own, it's like Strongswan is not even aware of it's happening, and not trying to encapsulate it.
>> I must be missing something simple.
>>
>> Below are my configs.
>>
>>
>> =========================
>> hub-192.168.23.193
>> =========================
>> ##### ipsec.conf #####
>> config setup
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> authby=secret
>> mobike=no
>> keyexchange=ikev2
>>
>> conn host-host
>> left=192.168.23.193
>> leftprotoport=gre
>> rightprotoport=gre
>> type=transport
>> auto=add
>> reauth=no
>> closeaction=clear
>> keyexchange=ikev2
>> right=%any
>> mark=%unique
>>
>>
>> ##### strongswan.conf #####
>> charon {
>> load_modular = yes
>> plugins {
>> include strongswan.d/charon/*.conf
>> }
>> filelog {
>> /var/log/charon_debug.log {
>> time_format = %a, %Y-%m-%d %R
>> default = 2
>> mgr = 0
>> net = 1
>> enc = 1
>> asn = 1
>> job = 1
>> knl = 1
>> ike_name = yes
>> append = no
>> flush_line = yes
>> }
>> }
>> }
>>
>> include strongswan.d/*.conf
>>
>>
>>
>> ##### swanctl.conf #####
>> include conf.d/*.conf
>>
>>
>>
>>
>> ##### ipsec statusall #####
>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>> uptime: 12 minutes, since Sep 14 09:52:04 2017
>> malloc: sbrk 1081344, mmap 0, used 267712, free 813632
>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>> Listening IP addresses:
>> 192.168.23.193
>> 192.168.34.1
>> Connections:
>> host-host: 192.168.23.193...%any IKEv2
>> host-host: local: [192.168.23.193] uses pre-shared key authentication
>> host-host: remote: uses pre-shared key authentication
>> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
>> Security Associations (0 up, 0 connecting):
>> none
>>
>>
>>
>>
>> ##### iptables -L -v #####
>> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source destination
>> 25 1876 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
>> 0 0 ACCEPT icmp -- any any anywhere anywhere
>> 0 0 ACCEPT all -- lo any anywhere anywhere
>> 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source destination
>>
>> Chain OUTPUT (policy ACCEPT 13 packets, 1332 bytes)
>> pkts bytes target prot opt in out source destination
>>
>>
>>
>>
>>
>> ##### ip route show table all #####
>> default via 192.168.23.232 dev eth0 proto static metric 20
>> default via 192.168.23.232 dev eth0 proto static metric 100
>> 192.168.23.0/24 dev eth0 proto kernel scope link src 192.168.23.193 metric 100
>> 192.168.34.3 dev gre1 proto kernel scope link src 192.168.34.1
>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
>> broadcast 192.168.23.0 dev eth0 table local proto kernel scope link src 192.168.23.193
>> local 192.168.23.193 dev eth0 table local proto kernel scope host src 192.168.23.193
>> broadcast 192.168.23.255 dev eth0 table local proto kernel scope link src 192.168.23.193
>> local 192.168.34.1 dev gre1 table local proto kernel scope host src 192.168.34.1
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>> unreachable ::/96 dev lo metric 1024 error -113 pref medium
>> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
>> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
>> fe80::/64 dev eth0 proto kernel metric 256 pref medium
>> fe80::/64 dev gre1 proto kernel metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>> local ::1 dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80::5efe:c0a8:17c1 dev lo table local proto none metric 0 pref medium
>> local fe80::5054:ff:fecb:abeb dev lo table local proto none metric 0 pref medium
>> ff00::/8 dev eth1 table local metric 256 pref medium
>> ff00::/8 dev eth2 table local metric 256 pref medium
>> ff00::/8 dev eth0 table local metric 256 pref medium
>> ff00::/8 dev gre1 table local metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>>
>>
>>
>>
>> ##### ip address #####
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>> inet 127.0.0.1/8 scope host lo
>> valid_lft forever preferred_lft forever
>> inet6 ::1/128 scope host
>> valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>> link/ether 52:54:00:cb:ab:eb brd ff:ff:ff:ff:ff:ff
>> inet 192.168.23.193/24 brd 192.168.23.255 scope global eth0
>> valid_lft forever preferred_lft forever
>> inet6 fe80::5054:ff:fecb:abeb/64 scope link
>> valid_lft forever preferred_lft forever
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>> link/ether 52:54:00:62:6d:17 brd ff:ff:ff:ff:ff:ff
>> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>> link/ether 52:54:00:f9:74:56 brd ff:ff:ff:ff:ff:ff
>> 5: gre0 at NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1
>> link/gre 0.0.0.0 brd 0.0.0.0
>> 6: gretap0 at NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
>> link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
>> 7: gre1 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1
>> link/gre 192.168.23.193 peer 192.168.23.203
>> inet 192.168.34.1 peer 192.168.34.3/32 scope global gre1
>> valid_lft forever preferred_lft forever
>> inet6 fe80::5efe:c0a8:17c1/64 scope link
>> valid_lft forever preferred_lft forever
>>
>>
>>
>>
>>
>> =========================
>> spoke-192.168.23.203
>> =========================
>> ##### ipsec.conf #####
>> config setup
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> authby=secret
>> mobike=no
>> keyexchange=ikev2
>>
>> conn host-host
>> left=192.168.23.203
>> leftprotoport=gre
>> right=192.168.23.193
>> rightprotoport=gre
>> type=transport
>> auto=add
>> reauth=no
>> closeaction=hold
>> keyexchange=ikev2
>> keyingtries=%forever
>>
>>
>>
>>
>> ##### strongswan.conf #####
>> charon {
>> load_modular = yes
>> plugins {
>> include strongswan.d/charon/*.conf
>> }
>> syslog {
>> daemon {
>> default = 2
>> ike = 2
>> cfg = 2
>> esp = 2
>> chd = 2
>> net = 2
>> }
>> }
>> filelog {
>> /var/log/charon_debug.log {
>> time_format = %a, %Y-%m-%d %R
>> default = 2
>> mgr = 0
>> net = 1
>> enc = 1
>> asn = 1
>> job = 1
>> knl = 1
>> ike_name = yes
>> append = no
>> flush_line = yes
>> }
>> }
>> }
>>
>> include strongswan.d/*.conf
>>
>>
>>
>>
>> ##### swanctl.conf #####
>> include conf.d/*.conf
>>
>>
>>
>>
>>
>> ##### ipsec statusall #####
>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>> uptime: 16 minutes, since Sep 14 09:53:16 2017
>> malloc: sbrk 2289664, mmap 0, used 295488, free 1994176
>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>> Listening IP addresses:
>> 192.168.23.203
>> 192.168.34.3
>> Connections:
>> host-host: 192.168.23.203...192.168.23.193 IKEv2
>> host-host: local: [192.168.23.203] uses pre-shared key authentication
>> host-host: remote: [192.168.23.193] uses pre-shared key authentication
>> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
>> Security Associations (0 up, 0 connecting):
>> none
>>
>>
>>
>> ##### iptables -L -v #####
>> Chain INPUT (policy ACCEPT 376 packets, 60234 bytes)
>> pkts bytes target prot opt in out source destination
>> 13280 5633K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
>> 1 84 ACCEPT icmp -- any any anywhere anywhere
>> 1 80 ACCEPT all -- lo any anywhere anywhere
>> 2 120 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source destination
>>
>> Chain OUTPUT (policy ACCEPT 14803 packets, 4253K bytes)
>> pkts bytes target prot opt in out source destination
>>
>>
>>
>>
>> ##### ip route show table all #####
>> default via 192.168.23.232 dev eth0 proto static metric 100
>> 192.168.23.0/24 dev eth0 proto kernel scope link src 192.168.23.203
>> 192.168.34.1 dev gre1 proto kernel scope link src 192.168.34.3
>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
>> broadcast 192.168.23.0 dev eth0 table local proto kernel scope link src 192.168.23.203
>> local 192.168.23.203 dev eth0 table local proto kernel scope host src 192.168.23.203
>> broadcast 192.168.23.255 dev eth0 table local proto kernel scope link src 192.168.23.203
>> local 192.168.34.3 dev gre1 table local proto kernel scope host src 192.168.34.3
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>> unreachable ::/96 dev lo metric 1024 error -113 pref medium
>> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
>> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
>> fe80::/64 dev eth0 proto kernel metric 256 pref medium
>> fe80::/64 dev gre1 proto kernel metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>> local ::1 dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80::5efe:c0a8:17cb dev lo table local proto none metric 0 pref medium
>> local fe80::5054:ff:fe3e:b778 dev lo table local proto none metric 0 pref medium
>> ff00::/8 dev eth0 table local metric 256 pref medium
>> ff00::/8 dev eth1 table local metric 256 pref medium
>> ff00::/8 dev eth2 table local metric 256 pref medium
>> ff00::/8 dev gre1 table local metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>>
>>
>>
>>
>>
>> ##### ip address #####
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>> inet 127.0.0.1/8 scope host lo
>> valid_lft forever preferred_lft forever
>> inet6 ::1/128 scope host
>> valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>> link/ether 52:54:00:3e:b7:78 brd ff:ff:ff:ff:ff:ff
>> inet 192.168.23.203/24 brd 192.168.23.255 scope global eth0
>> valid_lft forever preferred_lft forever
>> inet6 fe80::5054:ff:fe3e:b778/64 scope link
>> valid_lft forever preferred_lft forever
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>> link/ether 52:54:00:73:7f:25 brd ff:ff:ff:ff:ff:ff
>> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>> link/ether 52:54:00:89:7f:b2 brd ff:ff:ff:ff:ff:ff
>> 5: gre0 at NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1
>> link/gre 0.0.0.0 brd 0.0.0.0
>> 6: gretap0 at NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
>> link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
>> 7: gre1 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1
>> link/gre 192.168.23.203 peer 192.168.23.193
>> inet 192.168.34.3 peer 192.168.34.1/32 scope global gre1
>> valid_lft forever preferred_lft forever
>> inet6 fe80::5efe:c0a8:17cb/64 scope link
>> valid_lft forever preferred_lft forever
>>
>>
>>
>>
>>
>> Regards,
>>
>> Terry
>>
>>
>>
>> On Sep 13, 2017, at 12:12 PM, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>>
>>> Hello,
>>>
>>> Please provide all the information that is listed on the HelpRequests[1] page on the wiki. Use the listed commands to get that information.
>>>
>>> Right now, you don't even have a CHILD_SA that could be used to encapsulate the traffic nor an IKE_SA to negotiate that CHILD_SA over.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>>>
>>> On 13.09.2017 19:18, Anvar Kuchkartaev wrote:
>>>> What happened when you initiate host-host connection from any side? Can you share your ipsec.conf file contents so I could see if any mistakes over there? One more question how are your firewall rules configured? Do they allow udp 500,4500, ah, esp protocols from both side?
>>>>
>>>> Anvar Kuchkartaev
>>>> anvar at anvartay.com <mailto:anvar at anvartay.com>
>>>> *From: *Chengcheng Fu
>>>> *Sent: *miércoles, 13 de septiembre de 2017 06:27 p.m.
>>>> *To: *users at lists.strongswan.org
>>>> *Subject: *[strongSwan] strongswan not picking up traffic
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I'm trying to setup a GRE over IPSec.
>>>>
>>>> I have the GRE working, but Strongswan wouldn't pickup the gre traffic and encrypt it.
>>>>
>>>> Following is my topology
>>>>
>>>> hub 192.168.23.193 - 192.168.23.203 spoke
>>>>
>>>>
>>>> And here are my output.
>>>> Hub side:
>>>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>>>> uptime: 108 seconds, since Sep 14 00:23:00 2017
>>>> malloc: sbrk 2027520, mmap 0, used 273392, free 1754128
>>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>>> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>>>> Listening IP addresses:
>>>> 192.168.23.193
>>>> 192.168.34.1
>>>> Connections:
>>>> host-host: 192.168.23.193...%any IKEv2
>>>> host-host: local: [192.168.23.193] uses pre-shared key authentication
>>>> host-host: remote: uses pre-shared key authentication
>>>> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
>>>> Security Associations (0 up, 0 connecting):
>>>> none
>>>>
>>>>
>>>>
>>>> Spoke side:
>>>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>>>> uptime: 4 seconds, since Sep 14 00:17:44 2017
>>>> malloc: sbrk 2289664, mmap 0, used 287184, free 2002480
>>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>>> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>>>> Listening IP addresses:
>>>> 192.168.23.203
>>>> 192.168.34.3
>>>> Connections:
>>>> host-host: 192.168.23.203...192.168.23.193 IKEv2
>>>> host-host: local: [192.168.23.203] uses pre-shared key authentication
>>>> host-host: remote: [192.168.23.193] uses pre-shared key authentication
>>>> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
>>>> Security Associations (0 up, 0 connecting):
>>>> none
>>>>
>>>>
>>>>
>>>> Any thoughts?
>>>>
>>>> Regards,
>>>>
>>>> Terry
>>>>
>>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170914/2e062f9e/attachment-0001.sig>
More information about the Users
mailing list