[strongSwan] strongswan not picking up traffic

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Fri Sep 22 01:56:24 CEST 2017


Hi

Try giving the "right=<ipaddr-of-tunnel-endpoint>"

for e.g.:

left=1.1.1.11
right=2.2.2.51

and also use the below policy instead of using leftprotoport/rightprotoport

leftsubnet=1.1.1.11[gre]
rightsubnet=2.2.2.51[gre]

Maybe then the GRE tunnel traffic will trigger the IPsec tunnel to come up.

Also first try if possible with the firewall disabled...and then try with
firewall enabled...to eliminate and narrow down where the issue is...

In your case, does the traffic go thru once you bring up the ipsec tunnel
manually?



On Thu, Sep 14, 2017 at 12:37 PM, Chengcheng Fu <terryfcc at icloud.com> wrote:

> Hi,
>
> After I manually bring up the tunnel from the spoke side, it has started
> working.
>
> "ipsec up host-host".
>
> But is this normal??
>
> Regards,
>
> Terry
>
> On Sep 13, 2017, at 07:12 PM, Chengcheng Fu <terryfcc at icloud.com> wrote:
>
> Hi,
>
> The GRE tunnel is working on its own, it's like strongSwan is not even
> aware of it happening, and not trying to encapsulate it.
> I must be missing something simple.
>
> Below are my configs.
>
>
> =========================
> hub-192.168.23.193
> =========================
> ##### ipsec.conf #####
> config setup
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> authby=secret
> mobike=no
> keyexchange=ikev2
>
> conn host-host
> left=192.168.23.193
> leftprotoport=gre
> rightprotoport=gre
> type=transport
> auto=add
> reauth=no
> closeaction=clear
> keyexchange=ikev2
> right=%any
> mark=%unique
>
>
> ##### strongswan.conf #####
> charon {
> load_modular = yes
> plugins {
> include strongswan.d/charon/*.conf
> }
> filelog {
> /var/log/charon_debug.log {
> time_format = %a, %Y-%m-%d %R
> default = 2
> mgr = 0
> net = 1
> enc = 1
> asn = 1
> job = 1
> knl = 1
> ike_name = yes
> append = no
> flush_line = yes
> }
> }
> }
>
> include strongswan.d/*.conf
>
>
>
> ##### swanctl.conf #####
> include conf.d/*.conf
>
>
>
>
> ##### ipsec statusall #####
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
> uptime: 12 minutes, since Sep 14 09:52:04 2017
> malloc: sbrk 1081344, mmap 0, used 267712, free 813632
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
> pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve
> socket-default stroke vici updown xauth-generic
> Listening IP addresses:
> 192.168.23.193
> 192.168.34.1
> Connections:
> host-host: 192.168.23.193...%any IKEv2
> host-host: local: [192.168.23.193] uses pre-shared key authentication
> host-host: remote: uses pre-shared key authentication
> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
> Security Associations (0 up, 0 connecting):
> none
>
>
>
>
> ##### iptables -L -v #####
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 25 1876 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 0 0 ACCEPT icmp -- any any anywhere anywhere
> 0 0 ACCEPT all -- lo any anywhere anywhere
> 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 13 packets, 1332 bytes)
> pkts bytes target prot opt in out source destination
>
>
>
>
>
> ##### ip route show table all #####
> default via 192.168.23.232 dev eth0 proto static metric 20
> default via 192.168.23.232 dev eth0 proto static metric 100
> 192.168.23.0/24 dev eth0 proto kernel scope link src 192.168.23.193
> metric 100
> 192.168.34.3 dev gre1 proto kernel scope link src 192.168.34.1
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src
> 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src
> 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src
> 127.0.0.1
> broadcast 192.168.23.0 dev eth0 table local proto kernel scope link src
> 192.168.23.193
> local 192.168.23.193 dev eth0 table local proto kernel scope host src
> 192.168.23.193
> broadcast 192.168.23.255 dev eth0 table local proto kernel scope link src
> 192.168.23.193
> local 192.168.34.1 dev gre1 table local proto kernel scope host src
> 192.168.34.1
> unreachable default dev lo proto kernel metric 4294967295 error -101 pref
> medium
> unreachable ::/96 dev lo metric 1024 error -113 pref medium
> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
> unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
> unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
> unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
> unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
> fe80::/64 dev eth0 proto kernel metric 256 pref medium
> fe80::/64 dev gre1 proto kernel metric 256 pref medium
> unreachable default dev lo proto kernel metric 4294967295 error -101 pref
> medium
> local ::1 dev lo table local proto none metric 0 pref medium
> local fe80:: dev lo table local proto none metric 0 pref medium
> local fe80:: dev lo table local proto none metric 0 pref medium
> local fe80::5efe:c0a8:17c1 dev lo table local proto none metric 0 pref
> medium
> local fe80::5054:ff:fecb:abeb dev lo table local proto none metric 0 pref
> medium
> ff00::/8 dev eth1 table local metric 256 pref medium
> ff00::/8 dev eth2 table local metric 256 pref medium
> ff00::/8 dev eth0 table local metric 256 pref medium
> ff00::/8 dev gre1 table local metric 256 pref medium
> unreachable default dev lo proto kernel metric 4294967295 error -101 pref
> medium
>
>
>
>
> ##### ip address #####
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
> default qlen 1
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
> link/ether 52:54:00:cb:ab:eb brd ff:ff:ff:ff:ff:ff
> inet 192.168.23.193/24 brd 192.168.23.255 scope global eth0
> valid_lft forever preferred_lft forever
> inet6 fe80::5054:ff:fecb:abeb/64 scope link
> valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
> link/ether 52:54:00:62:6d:17 brd ff:ff:ff:ff:ff:ff
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
> link/ether 52:54:00:f9:74:56 brd ff:ff:ff:ff:ff:ff
> 5: gre0 at NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1
> link/gre 0.0.0.0 brd 0.0.0.0
> 6: gretap0 at NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN
> group default qlen 1000
> link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
> 7: gre1 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue
> state UNKNOWN group default qlen 1
> link/gre 192.168.23.193 peer 192.168.23.203
> inet 192.168.34.1 peer 192.168.34.3/32 scope global gre1
> valid_lft forever preferred_lft forever
> inet6 fe80::5efe:c0a8:17c1/64 scope link
> valid_lft forever preferred_lft forever
>
>
>
>
>
> =========================
> spoke-192.168.23.203
> =========================
> ##### ipsec.conf #####
> config setup
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> authby=secret
> mobike=no
> keyexchange=ikev2
>
> conn host-host
> left=192.168.23.203
> leftprotoport=gre
> right=192.168.23.193
> rightprotoport=gre
> type=transport
> auto=add
> reauth=no
> closeaction=hold
> keyexchange=ikev2
> keyingtries=%forever
>
>
>
>
> ##### strongswan.conf #####
> charon {
> load_modular = yes
> plugins {
> include strongswan.d/charon/*.conf
> }
> syslog {
> daemon {
> default = 2
> ike = 2
> cfg = 2
> esp = 2
> chd = 2
> net = 2
> }
> }
> filelog {
> /var/log/charon_debug.log {
> time_format = %a, %Y-%m-%d %R
> default = 2
> mgr = 0
> net = 1
> enc = 1
> asn = 1
> job = 1
> knl = 1
> ike_name = yes
> append = no
> flush_line = yes
> }
> }
> }
>
> include strongswan.d/*.conf
>
>
>
>
> ##### swanctl.conf #####
> include conf.d/*.conf
>
>
>
>
>
> ##### ipsec statusall #####
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
> uptime: 16 minutes, since Sep 14 09:53:16 2017
> malloc: sbrk 2289664, mmap 0, used 295488, free 1994176
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
> pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve
> socket-default stroke vici updown xauth-generic
> Listening IP addresses:
> 192.168.23.203
> 192.168.34.3
> Connections:
> host-host: 192.168.23.203...192.168.23.193 IKEv2
> host-host: local: [192.168.23.203] uses pre-shared key authentication
> host-host: remote: [192.168.23.193] uses pre-shared key authentication
> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
> Security Associations (0 up, 0 connecting):
> none
>
>
>
> ##### iptables -L -v #####
> Chain INPUT (policy ACCEPT 376 packets, 60234 bytes)
> pkts bytes target prot opt in out source destination
> 13280 5633K ACCEPT all -- any any anywhere anywhere state
> RELATED,ESTABLISHED
> 1 84 ACCEPT icmp -- any any anywhere anywhere
> 1 80 ACCEPT all -- lo any anywhere anywhere
> 2 120 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 14803 packets, 4253K bytes)
> pkts bytes target prot opt in out source destination
>
>
>
>
> ##### ip route show table all #####
> default via 192.168.23.232 dev eth0 proto static metric 100
> 192.168.23.0/24 dev eth0 proto kernel scope link src 192.168.23.203
> 192.168.34.1 dev gre1 proto kernel scope link src 192.168.34.3
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src
> 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src
> 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src
> 127.0.0.1
> broadcast 192.168.23.0 dev eth0 table local proto kernel scope link src
> 192.168.23.203
> local 192.168.23.203 dev eth0 table local proto kernel scope host src
> 192.168.23.203
> broadcast 192.168.23.255 dev eth0 table local proto kernel scope link src
> 192.168.23.203
> local 192.168.34.3 dev gre1 table local proto kernel scope host src
> 192.168.34.3
> unreachable default dev lo proto kernel metric 4294967295 error -101 pref
> medium
> unreachable ::/96 dev lo metric 1024 error -113 pref medium
> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
> unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
> unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
> unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
> unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
> fe80::/64 dev eth0 proto kernel metric 256 pref medium
> fe80::/64 dev gre1 proto kernel metric 256 pref medium
> unreachable default dev lo proto kernel metric 4294967295 error -101 pref
> medium
> local ::1 dev lo table local proto none metric 0 pref medium
> local fe80:: dev lo table local proto none metric 0 pref medium
> local fe80:: dev lo table local proto none metric 0 pref medium
> local fe80::5efe:c0a8:17cb dev lo table local proto none metric 0 pref
> medium
> local fe80::5054:ff:fe3e:b778 dev lo table local proto none metric 0 pref
> medium
> ff00::/8 dev eth0 table local metric 256 pref medium
> ff00::/8 dev eth1 table local metric 256 pref medium
> ff00::/8 dev eth2 table local metric 256 pref medium
> ff00::/8 dev gre1 table local metric 256 pref medium
> unreachable default dev lo proto kernel metric 4294967295 error -101 pref
> medium
>
>
>
>
>
> ##### ip address #####
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
> default qlen 1
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
> link/ether 52:54:00:3e:b7:78 brd ff:ff:ff:ff:ff:ff
> inet 192.168.23.203/24 brd 192.168.23.255 scope global eth0
> valid_lft forever preferred_lft forever
> inet6 fe80::5054:ff:fe3e:b778/64 scope link
> valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
> link/ether 52:54:00:73:7f:25 brd ff:ff:ff:ff:ff:ff
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
> link/ether 52:54:00:89:7f:b2 brd ff:ff:ff:ff:ff:ff
> 5: gre0 at NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1
> link/gre 0.0.0.0 brd 0.0.0.0
> 6: gretap0 at NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN
> group default qlen 1000
> link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
> 7: gre1 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue
> state UNKNOWN group default qlen 1
> link/gre 192.168.23.203 peer 192.168.23.193
> inet 192.168.34.3 peer 192.168.34.1/32 scope global gre1
> valid_lft forever preferred_lft forever
> inet6 fe80::5efe:c0a8:17cb/64 scope link
> valid_lft forever preferred_lft forever
>
>
>
>
>
> Regards,
>
> Terry
>
>
>
> On Sep 13, 2017, at 12:12 PM, Noel Kuntze
> <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>
> Hello,
>
> Please provide all the information that is listed on the HelpRequests[1]
> page on the wiki. Use the listed commands to get that information.
>
> Right now, you don't even have a CHILD_SA that could be used to
> encapsulate the traffic nor an IKE_SA to negotiate that CHILD_SA over.
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>
> On 13.09.2017 19:18, Anvar Kuchkartaev wrote:
>
> What happened when you initiate the host-host connection from any side? Can
> you share your ipsec.conf file contents so I could see if there are any
> mistakes over there? One more question: how are your firewall rules
> configured? Do they allow udp 500,4500, ah, esp protocols from both sides?
>
>
> Anvar Kuchkartaev
>
> anvar at anvartay.com
>
> *From: *Chengcheng Fu
>
> *Sent: *miércoles, 13 de septiembre de 2017 06:27 p.m.
>
> *To: *users at lists.strongswan.org
>
> *Subject: *[strongSwan] strongswan not picking up traffic
>
>
>
> Hi,
>
>
> I'm trying to set up GRE over IPsec.
>
>
> I have the GRE working, but strongSwan wouldn't pick up the GRE traffic and
> encrypt it.
>
>
> Following is my topology
>
>
> hub 192.168.23.193 - 192.168.23.203 spoke
>
>
>
> And here is my output.
>
> Hub side:
>
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>
> uptime: 108 seconds, since Sep 14 00:23:00 2017
>
> malloc: sbrk 2027520, mmap 0, used 273392, free 1754128
>
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
>
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
> pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve
> socket-default stroke vici updown xauth-generic
>
> Listening IP addresses:
>
> 192.168.23.193
>
> 192.168.34.1
>
> Connections:
>
> host-host: 192.168.23.193...%any IKEv2
>
> host-host: local: [192.168.23.193] uses pre-shared key authentication
>
> host-host: remote: uses pre-shared key authentication
>
> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
>
> Security Associations (0 up, 0 connecting):
>
> none
>
>
>
>
> Spoke side:
>
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>
> uptime: 4 seconds, since Sep 14 00:17:44 2017
>
> malloc: sbrk 2289664, mmap 0, used 287184, free 2002480
>
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
>
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
> pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve
> socket-default stroke vici updown xauth-generic
>
> Listening IP addresses:
>
> 192.168.23.203
>
> 192.168.34.3
>
> Connections:
>
> host-host: 192.168.23.203...192.168.23.193 IKEv2
>
> host-host: local: [192.168.23.203] uses pre-shared key authentication
>
> host-host: remote: [192.168.23.193] uses pre-shared key authentication
>
> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
>
> Security Associations (0 up, 0 connecting):
>
> none
>
>
>
>
> Any thoughts?
>
>
> Regards,
>
>
> Terry
>
>
>
>
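
Added example (not part of the thread, and not strongSwan code): both posted conns use auto=add, which only loads the connection, whereas auto=route installs a trap policy so that matching traffic triggers negotiation. The small linter below reports this per conn; the names parse_conns, lint and SPOKE_CONF are hypothetical, the sample is constructed from the spoke's config above, and "also=" includes are not followed.

```python
import re

# Constructed sample: the spoke's "conn host-host" from the thread, trimmed.
SPOKE_CONF = """\
conn %default
    keyexchange=ikev2

conn host-host
    left=192.168.23.203
    leftprotoport=gre
    right=192.168.23.193
    rightprotoport=gre
    type=transport
    auto=add
"""

AUTO_MEANING = {
    "ignore": "not loaded",
    "add": "loaded only; needs 'ipsec up <conn>' or the peer to initiate",
    "route": "trap policy installed; matching traffic triggers negotiation",
    "start": "initiated when the daemon starts",
}

def parse_conns(text):
    """Return {conn name: parameters}, with conn %default merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.match(r"(config|conn|ca)\s+(\S+)$", line)
        if header:
            current = {}  # parameters of non-conn sections are discarded
            if header.group(1) == "conn":
                conns[header.group(2)] = current
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **params} for name, params in conns.items()}

def lint(text):
    """Report, per conn, whether plain traffic can bring the SA up."""
    report = {}
    for name, params in parse_conns(text).items():
        auto = params.get("auto", "ignore")  # ipsec.conf default is ignore
        report[name] = {
            "auto": auto,
            "traffic_triggered": auto == "route",
            "fixed_peer": params.get("right", "%any") != "%any",
            "meaning": AUTO_MEANING.get(auto, "unrecognised auto= value"),
        }
    return report

if __name__ == "__main__":
    print(lint(SPOKE_CONF))
```

For the spoke's config as posted, traffic_triggered is False, which matches the "0 up, 0 connecting" status until "ipsec up host-host" was run by hand.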