[strongSwan] strongswan not picking up traffic

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Fri Sep 22 01:58:48 CEST 2017


Oops!... Jumped the gun... Sorry!

Noel has answered it more correctly and succinctly.... Sorry again



On Fri, Sep 22, 2017 at 5:26 AM, Rajiv Kulkarni <rajivkulkarni69 at gmail.com>
wrote:

> Hi
>
> Try giving the "right=<ipaddr-of-tunnel-endpoint>"
>
> e.g.:
>
> left=1.1.1.11
> right=2.2.2.51
>
> and also use the below policy instead of using leftprotoport/rightprotoport
>
> leftsubnet=1.1.1.11[gre]
> rightsubnet=2.2.2.51[gre]
>
> maybe then the gre tunnel traffic will trigger the ipsec tunnel to come
> up
>
> Also first try if possible with the firewall disabled...and then try with
> firewall enabled...to eliminate and narrow down where the issue is...
>
> In your case, does the traffic go through once you bring up the ipsec tunnel
> manually?
>
>
>
> On Thu, Sep 14, 2017 at 12:37 PM, Chengcheng Fu <terryfcc at icloud.com>
> wrote:
>
>> Hi,
>>
>> After I manually bring up the tunnel from the spoke side, it has started
>> working.
>>
>> "ipsec up host-host".
>>
>> But is this normal??
>>
>> Regards,
>>
>> Terry
>>
>> On Sep 13, 2017, at 07:12 PM, Chengcheng Fu <terryfcc at icloud.com> wrote:
>>
>> Hi,
>>
>> The GRE tunnel is working on its own; it's as if strongSwan is not even
>> aware of it happening and is not trying to encapsulate it.
>> I must be missing something simple.
>>
>> Below are my configs.
>>
>>
>> =========================
>> hub-192.168.23.193
>> =========================
>> ##### ipsec.conf #####
>> config setup
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> authby=secret
>> mobike=no
>> keyexchange=ikev2
>>
>> conn host-host
>> left=192.168.23.193
>> leftprotoport=gre
>> rightprotoport=gre
>> type=transport
>> auto=add
>> reauth=no
>> closeaction=clear
>> keyexchange=ikev2
>> right=%any
>> mark=%unique
>>
>>
>> ##### strongswan.conf #####
>> charon {
>> load_modular = yes
>> plugins {
>> include strongswan.d/charon/*.conf
>> }
>> filelog {
>> /var/log/charon_debug.log {
>> time_format = %a, %Y-%m-%d %R
>> default = 2
>> mgr = 0
>> net = 1
>> enc = 1
>> asn = 1
>> job = 1
>> knl = 1
>> ike_name = yes
>> append = no
>> flush_line = yes
>> }
>> }
>> }
>>
>> include strongswan.d/*.conf
>>
>>
>>
>> ##### swanctl.conf #####
>> include conf.d/*.conf
>>
>>
>>
>>
>> ##### ipsec statusall #####
>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>> uptime: 12 minutes, since Sep 14 09:52:04 2017
>> malloc: sbrk 1081344, mmap 0, used 267712, free 813632
>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 0
>> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
>> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
>> pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve
>> socket-default stroke vici updown xauth-generic
>> Listening IP addresses:
>> 192.168.23.193
>> 192.168.34.1
>> Connections:
>> host-host: 192.168.23.193...%any IKEv2
>> host-host: local: [192.168.23.193] uses pre-shared key authentication
>> host-host: remote: uses pre-shared key authentication
>> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
>> Security Associations (0 up, 0 connecting):
>> none
>>
>>
>>
>>
>> ##### iptables -L -v #####
>> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source destination
>> 25 1876 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
>> 0 0 ACCEPT icmp -- any any anywhere anywhere
>> 0 0 ACCEPT all -- lo any anywhere anywhere
>> 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source destination
>>
>> Chain OUTPUT (policy ACCEPT 13 packets, 1332 bytes)
>> pkts bytes target prot opt in out source destination
>>
>>
>>
>>
>>
>> ##### ip route show table all #####
>> default via 192.168.23.232 dev eth0 proto static metric 20
>> default via 192.168.23.232 dev eth0 proto static metric 100
>> 192.168.23.0/24 dev eth0 proto kernel scope link src 192.168.23.193
>> metric 100
>> 192.168.34.3 dev gre1 proto kernel scope link src 192.168.34.1
>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src
>> 127.0.0.1
>> local 127.0.0.0/8 dev lo table local proto kernel scope host src
>> 127.0.0.1
>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src
>> 127.0.0.1
>> broadcast 192.168.23.0 dev eth0 table local proto kernel scope link src
>> 192.168.23.193
>> local 192.168.23.193 dev eth0 table local proto kernel scope host src
>> 192.168.23.193
>> broadcast 192.168.23.255 dev eth0 table local proto kernel scope link src
>> 192.168.23.193
>> local 192.168.34.1 dev gre1 table local proto kernel scope host src
>> 192.168.34.1
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref
>> medium
>> unreachable ::/96 dev lo metric 1024 error -113 pref medium
>> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
>> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
>> fe80::/64 dev eth0 proto kernel metric 256 pref medium
>> fe80::/64 dev gre1 proto kernel metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref
>> medium
>> local ::1 dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80::5efe:c0a8:17c1 dev lo table local proto none metric 0 pref
>> medium
>> local fe80::5054:ff:fecb:abeb dev lo table local proto none metric 0 pref
>> medium
>> ff00::/8 dev eth1 table local metric 256 pref medium
>> ff00::/8 dev eth2 table local metric 256 pref medium
>> ff00::/8 dev eth0 table local metric 256 pref medium
>> ff00::/8 dev gre1 table local metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref
>> medium
>>
>>
>>
>>
>> ##### ip address #####
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
>> default qlen 1
>> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>> inet 127.0.0.1/8 scope host lo
>> valid_lft forever preferred_lft forever
>> inet6 ::1/128 scope host
>> valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP group default qlen 1000
>> link/ether 52:54:00:cb:ab:eb brd ff:ff:ff:ff:ff:ff
>> inet 192.168.23.193/24 brd 192.168.23.255 scope global eth0
>> valid_lft forever preferred_lft forever
>> inet6 fe80::5054:ff:fecb:abeb/64 scope link
>> valid_lft forever preferred_lft forever
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP group default qlen 1000
>> link/ether 52:54:00:62:6d:17 brd ff:ff:ff:ff:ff:ff
>> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP group default qlen 1000
>> link/ether 52:54:00:f9:74:56 brd ff:ff:ff:ff:ff:ff
>> 5: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1
>> link/gre 0.0.0.0 brd 0.0.0.0
>> 6: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN
>> group default qlen 1000
>> link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
>> 7: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue
>> state UNKNOWN group default qlen 1
>> link/gre 192.168.23.193 peer 192.168.23.203
>> inet 192.168.34.1 peer 192.168.34.3/32 scope global gre1
>> valid_lft forever preferred_lft forever
>> inet6 fe80::5efe:c0a8:17c1/64 scope link
>> valid_lft forever preferred_lft forever
>>
>>
>>
>>
>>
>> =========================
>> spoke-192.168.23.203
>> =========================
>> ##### ipsec.conf #####
>> config setup
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> authby=secret
>> mobike=no
>> keyexchange=ikev2
>>
>> conn host-host
>> left=192.168.23.203
>> leftprotoport=gre
>> right=192.168.23.193
>> rightprotoport=gre
>> type=transport
>> auto=add
>> reauth=no
>> closeaction=hold
>> keyexchange=ikev2
>> keyingtries=%forever
>>
>>
>>
>>
>> ##### strongswan.conf #####
>> charon {
>> load_modular = yes
>> plugins {
>> include strongswan.d/charon/*.conf
>> }
>> syslog {
>> daemon {
>> default = 2
>> ike = 2
>> cfg = 2
>> esp = 2
>> chd = 2
>> net = 2
>> }
>> }
>> filelog {
>> /var/log/charon_debug.log {
>> time_format = %a, %Y-%m-%d %R
>> default = 2
>> mgr = 0
>> net = 1
>> enc = 1
>> asn = 1
>> job = 1
>> knl = 1
>> ike_name = yes
>> append = no
>> flush_line = yes
>> }
>> }
>> }
>>
>> include strongswan.d/*.conf
>>
>>
>>
>>
>> ##### swanctl.conf #####
>> include conf.d/*.conf
>>
>>
>>
>>
>>
>> ##### ipsec statusall #####
>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>> uptime: 16 minutes, since Sep 14 09:53:16 2017
>> malloc: sbrk 2289664, mmap 0, used 295488, free 1994176
>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 0
>> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
>> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
>> pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve
>> socket-default stroke vici updown xauth-generic
>> Listening IP addresses:
>> 192.168.23.203
>> 192.168.34.3
>> Connections:
>> host-host: 192.168.23.203...192.168.23.193 IKEv2
>> host-host: local: [192.168.23.203] uses pre-shared key authentication
>> host-host: remote: [192.168.23.193] uses pre-shared key authentication
>> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
>> Security Associations (0 up, 0 connecting):
>> none
>>
>>
>>
>> ##### iptables -L -v #####
>> Chain INPUT (policy ACCEPT 376 packets, 60234 bytes)
>> pkts bytes target prot opt in out source destination
>> 13280 5633K ACCEPT all -- any any anywhere anywhere state
>> RELATED,ESTABLISHED
>> 1 84 ACCEPT icmp -- any any anywhere anywhere
>> 1 80 ACCEPT all -- lo any anywhere anywhere
>> 2 120 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target prot opt in out source destination
>>
>> Chain OUTPUT (policy ACCEPT 14803 packets, 4253K bytes)
>> pkts bytes target prot opt in out source destination
>>
>>
>>
>>
>> ##### ip route show table all #####
>> default via 192.168.23.232 dev eth0 proto static metric 100
>> 192.168.23.0/24 dev eth0 proto kernel scope link src 192.168.23.203
>> 192.168.34.1 dev gre1 proto kernel scope link src 192.168.34.3
>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src
>> 127.0.0.1
>> local 127.0.0.0/8 dev lo table local proto kernel scope host src
>> 127.0.0.1
>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src
>> 127.0.0.1
>> broadcast 192.168.23.0 dev eth0 table local proto kernel scope link src
>> 192.168.23.203
>> local 192.168.23.203 dev eth0 table local proto kernel scope host src
>> 192.168.23.203
>> broadcast 192.168.23.255 dev eth0 table local proto kernel scope link src
>> 192.168.23.203
>> local 192.168.34.3 dev gre1 table local proto kernel scope host src
>> 192.168.34.3
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref
>> medium
>> unreachable ::/96 dev lo metric 1024 error -113 pref medium
>> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
>> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
>> fe80::/64 dev eth0 proto kernel metric 256 pref medium
>> fe80::/64 dev gre1 proto kernel metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref
>> medium
>> local ::1 dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80::5efe:c0a8:17cb dev lo table local proto none metric 0 pref
>> medium
>> local fe80::5054:ff:fe3e:b778 dev lo table local proto none metric 0 pref
>> medium
>> ff00::/8 dev eth0 table local metric 256 pref medium
>> ff00::/8 dev eth1 table local metric 256 pref medium
>> ff00::/8 dev eth2 table local metric 256 pref medium
>> ff00::/8 dev gre1 table local metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref
>> medium
>>
>>
>>
>>
>>
>> ##### ip address #####
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group
>> default qlen 1
>> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>> inet 127.0.0.1/8 scope host lo
>> valid_lft forever preferred_lft forever
>> inet6 ::1/128 scope host
>> valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP group default qlen 1000
>> link/ether 52:54:00:3e:b7:78 brd ff:ff:ff:ff:ff:ff
>> inet 192.168.23.203/24 brd 192.168.23.255 scope global eth0
>> valid_lft forever preferred_lft forever
>> inet6 fe80::5054:ff:fe3e:b778/64 scope link
>> valid_lft forever preferred_lft forever
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP group default qlen 1000
>> link/ether 52:54:00:73:7f:25 brd ff:ff:ff:ff:ff:ff
>> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP group default qlen 1000
>> link/ether 52:54:00:89:7f:b2 brd ff:ff:ff:ff:ff:ff
>> 5: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1
>> link/gre 0.0.0.0 brd 0.0.0.0
>> 6: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN
>> group default qlen 1000
>> link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
>> 7: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue
>> state UNKNOWN group default qlen 1
>> link/gre 192.168.23.203 peer 192.168.23.193
>> inet 192.168.34.3 peer 192.168.34.1/32 scope global gre1
>> valid_lft forever preferred_lft forever
>> inet6 fe80::5efe:c0a8:17cb/64 scope link
>> valid_lft forever preferred_lft forever
>>
>>
>>
>>
>>
>> Regards,
>>
>> Terry
>>
>>
>>
>> On Sep 13, 2017, at 12:12 PM, Noel Kuntze <noel.kuntze+strongswan-users-
>> ml at thermi.consulting> wrote:
>>
>> Hello,
>>
>> Please provide all the information that is listed on the HelpRequests[1]
>> page on the wiki. Use the listed commands to get that information.
>>
>> Right now, you don't even have a CHILD_SA that could be used to
>> encapsulate the traffic nor an IKE_SA to negotiate that CHILD_SA over.
>>
>> Kind regards
>>
>> Noel
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>>
>> On 13.09.2017 19:18, Anvar Kuchkartaev wrote:
>>
>> What happens when you initiate the host-host connection from either side? Can
>> you share your ipsec.conf file contents so I could see if there are any mistakes
>> in there? One more question: how are your firewall rules configured? Do
>> they allow UDP 500, 4500, and the AH and ESP protocols from both sides?
>>
>>
>> Anvar Kuchkartaev
>>
>> anvar at anvartay.com
>>
>> From: Chengcheng Fu
>>
>> Sent: Wednesday, 13 September 2017 06:27 p.m.
>>
>> To: users at lists.strongswan.org
>>
>> Subject: [strongSwan] strongswan not picking up traffic
>>
>>
>>
>> Hi,
>>
>>
>> I'm trying to set up GRE over IPsec.
>>
>>
>> I have the GRE working, but strongSwan won't pick up the GRE traffic
>> and encrypt it.
>>
>>
>> Following is my topology
>>
>>
>> hub 192.168.23.193 - 192.168.23.203 spoke
>>
>>
>>
>> And here is my output.
>>
>> Hub side:
>>
>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>>
>> uptime: 108 seconds, since Sep 14 00:23:00 2017
>>
>> malloc: sbrk 2027520, mmap 0, used 273392, free 1754128
>>
>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 0
>>
>> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
>> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
>> pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve
>> socket-default stroke vici updown xauth-generic
>>
>> Listening IP addresses:
>>
>> 192.168.23.193
>>
>> 192.168.34.1
>>
>> Connections:
>>
>> host-host: 192.168.23.193...%any IKEv2
>>
>> host-host: local: [192.168.23.193] uses pre-shared key authentication
>>
>> host-host: remote: uses pre-shared key authentication
>>
>> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
>>
>> Security Associations (0 up, 0 connecting):
>>
>> none
>>
>>
>>
>>
>> Spoke side:
>>
>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>>
>> uptime: 4 seconds, since Sep 14 00:17:44 2017
>>
>> malloc: sbrk 2289664, mmap 0, used 287184, free 2002480
>>
>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 0
>>
>> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
>> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
>> pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve
>> socket-default stroke vici updown xauth-generic
>>
>> Listening IP addresses:
>>
>> 192.168.23.203
>>
>> 192.168.34.3
>>
>> Connections:
>>
>> host-host: 192.168.23.203...192.168.23.193 IKEv2
>>
>> host-host: local: [192.168.23.203] uses pre-shared key authentication
>>
>> host-host: remote: [192.168.23.193] uses pre-shared key authentication
>>
>> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
>>
>> Security Associations (0 up, 0 connecting):
>>
>> none
>>
>>
>>
>>
>> Any thoughts?
>>
>>
>> Regards,
>>
>>
>> Terry
>>
>>
>>
>>
>
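An added example, written for this archive page and not code from anyone in the thread or from the strongSwan project: a small Python lint that parses the two ipsec.conf files quoted above (trimmed to their conn sections), renders the CHILD_SA selectors roughly the way `ipsec statusall` prints them, and reports the settings that explain Terry's observation that the tunnel only comes up after a manual `ipsec up`. The findings rest on documented ipsec.conf semantics (`auto=add` only loads a conn, `auto=route` installs a trap policy so matching traffic triggers IKE, `right=%any` makes a side responder-only) and on Rajiv's `leftsubnet=<addr>[gre]` suggestion; the parser's handling of `conn %default` inheritance and the cross-check rules are my assumptions about what an operator would want flagged.

```python
import re

# Conn sections copied from the hub and spoke ipsec.conf postings in the thread
# (the %default section is shortened to the keys the lint looks at).
HUB_CONF = """
conn %default
authby=secret
keyexchange=ikev2
keyingtries=1

conn host-host
left=192.168.23.193
leftprotoport=gre
rightprotoport=gre
type=transport
auto=add
right=%any
mark=%unique
"""

SPOKE_CONF = """
conn %default
authby=secret
keyexchange=ikev2

conn host-host
left=192.168.23.203
leftprotoport=gre
right=192.168.23.193
rightprotoport=gre
type=transport
auto=add
closeaction=hold
keyingtries=%forever
"""

SECTION_RE = re.compile(r'^(conn|config|ca)\s+(\S+)$')


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {conn_name: {key: value}}.  Section headers are
    matched by keyword so indented and flattened files both work; the keys of
    'conn %default' are merged into every other conn, own keys winning."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = f'{m.group(1)} {m.group(2)}'
            sections.setdefault(current, {})
        elif '=' in line and current:
            key, value = (s.strip() for s in line.split('=', 1))
            sections[current][key] = value
    defaults = sections.get('conn %default', {})
    conns = {}
    for name, keys in sections.items():
        if name.startswith('conn ') and name != 'conn %default':
            conns[name[len('conn '):]] = {**defaults, **keys}
    return conns


def traffic_selectors(conn):
    """Render the child selectors as statusall shows them: '<subnet>' when a
    subnet is configured, 'dynamic[<proto>]' when only a protoport is."""
    def side(prefix):
        subnet, proto = conn.get(f'{prefix}subnet'), conn.get(f'{prefix}protoport')
        if subnet:
            return subnet
        return f'dynamic[{proto}]' if proto else 'dynamic'
    return f"{side('left')} === {side('right')} {conn.get('type', 'tunnel').upper()}"


def lint_conn(conn):
    """Findings that explain why traffic alone would not bring the conn up."""
    findings = []
    auto = conn.get('auto', 'ignore')            # ipsec.conf default is 'ignore'
    if auto == 'add':
        findings.append("auto=add loads the conn but installs no trap policy: GRE "
                        "packets do not trigger IKE, so the CHILD_SA appears only "
                        "after a manual 'ipsec up' (auto=route installs the trap)")
    elif auto == 'ignore':
        findings.append("auto is unset (default 'ignore'): the conn is not loaded")
    if conn.get('right') == '%any':
        findings.append("right=%any: this side can only respond, never initiate")
    if 'leftsubnet' not in conn and 'leftprotoport' in conn:
        findings.append("only leftprotoport is set, so the selector is 'dynamic[gre]'; "
                        "leftsubnet=<addr>[gre] pins it to the tunnel endpoint")
    return findings


def cross_check(hub, spoke):
    """Mirror check across both ends: endpoints must point at each other and
    the settings IKE negotiates on must agree."""
    problems = []
    if spoke.get('right') != hub.get('left'):
        problems.append('spoke right= does not match hub left=')
    if hub.get('right') not in ('%any', spoke.get('left')):
        problems.append('hub right= does not match spoke left=')
    for key in ('keyexchange', 'type', 'authby'):
        if hub.get(key) != spoke.get(key):
            problems.append(f'{key} differs: hub={hub.get(key)} spoke={spoke.get(key)}')
    return problems


if __name__ == '__main__':
    hub = parse_ipsec_conf(HUB_CONF)['host-host']
    spoke = parse_ipsec_conf(SPOKE_CONF)['host-host']
    for name, conn in (('hub', hub), ('spoke', spoke)):
        print(f'{name}: {traffic_selectors(conn)}')
        for finding in lint_conn(conn):
            print(f'  - {finding}')
    for problem in cross_check(hub, spoke):
        print(f'mismatch: {problem}')
```

Run against the thread's configs the lint reports `dynamic[gre] === dynamic[gre] TRANSPORT` on both ends, matching the `ipsec statusall` output, flags `auto=add` on both sides and `right=%any` on the hub, and finds no mismatch between the two files, which is consistent with the tunnel working as soon as the spoke runs `ipsec up host-host`. Changing the spoke to `auto=route` with `leftsubnet=192.168.23.203[gre]` and `rightsubnet=192.168.23.193[gre]` clears every finding.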