[strongSwan] Simple road warrior setup no longer routing after upgrade

James Lay jlay at slave-tothe-box.net
Sun Jul 29 16:00:07 CEST 2018


On Sun, 2018-07-29 at 07:53 -0600, James Lay wrote:
> On Wed, 2018-07-25 at 18:33 -0600, James Lay wrote:
> > On Wed, 2018-07-25 at 06:53 -0600, James Lay wrote:
> > > On 2018-07-24 06:51, Tobias Brunner wrote:
> > > Hi James,
> > > 
> > > > So I moved to Strongswan 5.6.2 during a distribution upgrade.
> > > 
> > > What distribution?  What was the previous version?  Do you still
> > > have the same plugins installed and enabled?
> > > 
> > > > My simple setup no longer routes back to the client (I can see the
> > > > incoming pings on the server, but nothing goes back). I establish
> > > > a tunnel fine...my setup looks like this:
> > > > 
> > > > external_IP_nic2 <-> 192.168.1.1_nic2 192.168.1.0/24 subnet
> > > > 
> > > > all I need is to have a connected device able to
> > > > access 192.168.1.1...and it's only a single user.
> > > 
> > > Please read [1].  From the involved IPs I guess you used the farp
> > > plugin before, so make sure you still have that installed and
> > > loaded.
> > > 
> > > Regards,
> > > Tobias
> > > 
> > > [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> > > 
> > > Thanks Tobias...I have access to the old server so I'll see
> > > what's there...I don't recall installing any other plugins, but
> > > we shall see.  I'll report my findings soon..thanks again.
> > > 
> > > James
> > 
> > So now I'm super confused.  I changed to the below:
> > 
> > conn rw
> >     leftsubnet=192.168.1.0/24
> >     leftcert=StrongSwanHostCert.pem
> >     right=%any
> >     rightsourceip=172.16.0.1
> >     auto=add
> > 
> > and added the below top 2 postrouting nat rules:
> > 
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
> >     0     0 MASQUERADE  all  --  *      enp0s31f6  172.16.0.1           0.0.0.0/0
> > 24519 1646K MASQUERADE  all  --  *      ppp0    192.168.1.0/24       0.0.0.0/0
> > 
> > 
> > However when I attempt to ping, I see the ping on the ppp0
> > interface, and the source isn't 172.16.0.1:
> > 
> > 2018-07-25 18:26:37.085194521      8.0.0.1 → 192.168.1.1 ICMP 100 Echo (ping) request  id=0x0004, seq=1/256, ttl=64
> > 
> > 
> > Not exactly sure where to go next.  I did install the extra plugins
> > that include farp as well.  Thank you.
> > 
> > James
> 
> Anything on this?  In testing I made this change:
> 
> rightsourceip=10.10.10.0/24
> 
> Pinging from the client connected device gets me this:
> 
> 1 2018-07-29 07:50:27.606525877     8.0.10.1 → 192.168.1.1 ICMP 100 Echo (ping) request  id=0x000f, seq=1/256, ttl=64
> 
> 
> Something seems very broken.  Thank you.
> 
> James

And some startup and connect logs:

Jul 29 07:29:44 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64)
Jul 29 07:29:44 gateway charon: 00[CFG] PKCS11 module '<name>' lacks library path
Jul 29 07:29:44 gateway charon: 00[CFG] disabling load-tester plugin, not configured
Jul 29 07:29:44 gateway charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Jul 29 07:29:44 gateway charon: 00[CFG] dnscert plugin is disabled
Jul 29 07:29:44 gateway charon: 00[CFG] ipseckey plugin is disabled
Jul 29 07:29:44 gateway charon: 00[CFG] attr-sql plugin: database URI not set
Jul 29 07:29:44 gateway charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 29 07:29:44 gateway charon: 00[CFG]   loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/StrongSwanCACert.pem'
Jul 29 07:29:44 gateway charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 29 07:29:44 gateway charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 29 07:29:44 gateway charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 29 07:29:44 gateway charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 29 07:29:44 gateway charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 29 07:29:44 gateway charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/StrongSwanHostKey.pem'
Jul 29 07:29:44 gateway charon: 00[CFG] sql plugin: database URI not set
Jul 29 07:29:44 gateway charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Jul 29 07:29:44 gateway charon: 00[CFG] eap-simaka-sql database URI missing
Jul 29 07:29:44 gateway charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 29 07:29:44 gateway charon: 00[CFG] HA config misses local/remote address
Jul 29 07:29:44 gateway charon: 00[CFG] no threshold configured for systime-fix, disabled
Jul 29 07:29:44 gateway charon: 00[CFG] coupling file path unspecified
Jul 29 07:29:44 gateway charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Jul 29 07:29:44 gateway charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jul 29 07:29:44 gateway charon: 00[JOB] spawning 16 worker threads
Jul 29 07:29:44 gateway ipsec[12353]: charon (12392) started after 100 ms
Jul 29 07:29:44 gateway ipsec_starter[12353]: charon (12392) started after 100 ms
Jul 29 07:29:44 gateway charon: 06[CFG] received stroke: add connection 'rw'
Jul 29 07:29:44 gateway charon: 06[CFG] adding virtual IP address pool 172.16.0.1
Jul 29 07:29:44 gateway charon: 06[CFG]   loaded certificate "C=CH, O=strongSwan, CN=ns1.domain" from 'StrongSwanHostCert.pem'
Jul 29 07:29:44 gateway charon: 06[CFG]   id 'external_ip' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=ns1.domain'
Jul 29 07:29:44 gateway charon: 06[CFG] added configuration 'rw'
Jul 29 07:30:13 gateway charon: 10[NET] received packet: from x.x.15.77[7388] to external_ip[500] (716 bytes)
Jul 29 07:30:13 gateway charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 29 07:30:13 gateway charon: 10[IKE] x.x.15.77 is initiating an IKE_SA
Jul 29 07:30:13 gateway charon: 10[IKE] x.x.15.77 is initiating an IKE_SA
Jul 29 07:30:13 gateway charon: 10[IKE] remote host is behind NAT
Jul 29 07:30:13 gateway charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Jul 29 07:30:13 gateway charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jul 29 07:30:13 gateway charon: 10[NET] sending packet: from external_ip[500] to x.x.15.77[7388] (297 bytes)
Jul 29 07:30:15 gateway charon: 11[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
Jul 29 07:30:15 gateway charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Jul 29 07:30:15 gateway charon: 11[ENC] received fragment #1 of 4, waiting for complete IKE message
Jul 29 07:30:15 gateway charon: 12[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
Jul 29 07:30:15 gateway charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Jul 29 07:30:15 gateway charon: 12[ENC] received fragment #2 of 4, waiting for complete IKE message
Jul 29 07:30:15 gateway charon: 13[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
Jul 29 07:30:15 gateway charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Jul 29 07:30:15 gateway charon: 13[ENC] received fragment #3 of 4, waiting for complete IKE message
Jul 29 07:30:15 gateway charon: 14[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1156 bytes)
Jul 29 07:30:15 gateway charon: 14[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
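The symptom the thread keeps coming back to is that the decrypted ping arrives with a source address (8.0.0.1, later 8.0.10.1) that is not the virtual IP the `rw` conn hands out, while the POSTROUTING MASQUERADE rule is written for the pool (`-s 172.16.0.1`). A small check that makes that mismatch explicit, added here as an editor's example rather than code from the thread or from strongSwan: it parses the conn block, parses one tshark summary line, tests whether the packet source falls inside the `rightsourceip` pool and the destination inside `leftsubnet`, and prints the two POSTROUTING rules the ForwardingAndSplitTunneling wiki page recommends for that pool. The conn text and the capture line are copied from the thread; the egress interface name passed to `nat_rules` is an assumption (the thread shows both enp0s31f6 and ppp0).

```python
"""Road-warrior sanity check: does the traffic we see match the virtual IP pool?

Added example for the thread above; not strongSwan code and not James's script.
"""
import ipaddress
import re

# Sample input, taken from the thread: the conn block as posted and the
# tshark line showing the unexpected 8.0.0.1 source.
CONN_TEXT = """conn rw
    leftsubnet=192.168.1.0/24
    leftcert=StrongSwanHostCert.pem
    right=%any
    rightsourceip=172.16.0.1
    auto=add
"""

TSHARK_LINE = ("2018-07-25 18:26:37.085194521      8.0.0.1 → 192.168.1.1 ICMP 100 "
               "Echo (ping) request  id=0x0004, seq=1/256, ttl=64")


def parse_conn(text):
    """Parse one ipsec.conf 'conn <name>' block into a dict of options."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("conn "):
        raise ValueError("expected a 'conn <name>' header line")
    conn = {"name": lines[0].split(None, 1)[1].strip()}
    for line in lines[1:]:
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed option: {line!r}")
        conn[key.strip()] = value.strip()
    return conn


def pool_networks(rightsourceip):
    """Turn a rightsourceip value (address, CIDR or comma list) into networks.

    A bare address such as 172.16.0.1 is a one-host pool, which is exactly how
    charon logs it ('adding virtual IP address pool 172.16.0.1').  Values that
    start with '%' (e.g. %dhcp) name an external pool and yield nothing here.
    """
    nets = []
    for item in rightsourceip.split(","):
        item = item.strip()
        if item and not item.startswith("%"):
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


# tshark prints either a Unicode arrow or '->' between source and destination.
_TSHARK_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s*(?:→|->)\s*(\d+\.\d+\.\d+\.\d+)")


def parse_tshark_line(line):
    """Extract (src, dst) addresses from a tshark one-line packet summary."""
    m = _TSHARK_RE.search(line)
    if not m:
        raise ValueError("no 'src -> dst' pair found in line")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def source_in_pool(conn, src):
    """True if src is an address the conn's virtual IP pool could have assigned."""
    return any(src in net for net in pool_networks(conn.get("rightsourceip", "")))


def dest_in_leftsubnet(conn, dst):
    """True if dst lies inside the conn's leftsubnet (the side we route to)."""
    return dst in ipaddress.ip_network(conn["leftsubnet"], strict=False)


def nat_rules(conn, out_iface):
    """The two POSTROUTING rules the wiki recommends per pool; out_iface is assumed."""
    rules = []
    for net in pool_networks(conn.get("rightsourceip", "")):
        rules.append(f"iptables -t nat -A POSTROUTING -s {net} -o {out_iface} "
                     f"-m policy --dir out --pol ipsec -j ACCEPT")
        rules.append(f"iptables -t nat -A POSTROUTING -s {net} -o {out_iface} -j MASQUERADE")
    return rules


def diagnose(conn_text, capture_line):
    """Summarise whether a captured packet matches what the conn and NAT rules expect."""
    conn = parse_conn(conn_text)
    src, dst = parse_tshark_line(capture_line)
    return {
        "conn": conn["name"],
        "src": str(src),
        "dst": str(dst),
        "source_in_pool": source_in_pool(conn, src),
        "dest_in_leftsubnet": dest_in_leftsubnet(conn, dst),
    }


if __name__ == "__main__":
    result = diagnose(CONN_TEXT, TSHARK_LINE)
    print(result)
    if not result["source_in_pool"]:
        # A MASQUERADE rule keyed on the pool never matches such a packet, so
        # replies are not translated; check which address the client really uses.
        print("packet source is outside rightsourceip pool; pool-based NAT will not match")
    for rule in nat_rules(parse_conn(CONN_TEXT), "ppp0"):
        print(rule)
```

Run against the thread's own data the script reports `source_in_pool: False` for 8.0.0.1 against the 172.16.0.1 pool, and the same for 8.0.10.1 once `rightsourceip` is changed to 10.10.10.0/24, which is the first thing to confirm before touching the NAT rules: a source address the gateway never assigned cannot be matched by a rule written for the pool.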