[strongSwan] Simple road warrior setup no longer routing after upgrade

James Lay jlay at slave-tothe-box.net
Sun Jul 29 16:43:39 CEST 2018


On Sun, 2018-07-29 at 08:00 -0600, James Lay wrote:
> On Sun, 2018-07-29 at 07:53 -0600, James Lay wrote:
> > On Wed, 2018-07-25 at 18:33 -0600, James Lay wrote:
> > > On Wed, 2018-07-25 at 06:53 -0600, James Lay wrote:
> > > > On 2018-07-24 06:51, Tobias Brunner wrote:
> > > > > Hi James,
> > > > > 
> > > > > > So I moved to Strongswan 5.6.2 during a distribution upgrade.
> > > > > 
> > > > > What distribution?  What was the previous version?  Do you
> > > > > still have the same plugins installed and enabled?
> > > > > 
> > > > > > My simple setup no longer routes back to the client (I can see
> > > > > > the incoming pings on the server, but nothing goes back). I
> > > > > > establish a tunnel fine...my setup looks like this:
> > > > > > 
> > > > > > external_IP_nic2 <-> 192.168.1.1_nic2 192.168.1.0/24 subnet
> > > > > > all I need is to have a connected device able to
> > > > > > access 192.168.1.1...and it's only a single user.
> > > > > 
> > > > > Please read [1].  From the involved IPs I guess you used the
> > > > > farp plugin before, so make sure you still have that installed
> > > > > and loaded.
> > > > > 
> > > > > Regards,
> > > > > Tobias
> > > > > 
> > > > > [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> > > > 
> > > > Thanks Tobias...I have access to the old server so I'll see
> > > > what's there...I don't recall installing any other plugins, but
> > > > we shall see.  I'll report my findings soon..thanks again.
> > > > 
> > > > James
> > > 
> > > So now I'm super confused.  I changed to the below:
> > > 
> > > conn rw
> > >     leftsubnet=192.168.1.0/24
> > >     leftcert=StrongSwanHostCert.pem
> > >     right=%any
> > >     rightsourceip=172.16.0.1
> > >     auto=add
> > > 
> > > 
> > > 
> > > and added the below top 2 postrouting nat rules:
> > >  pkts bytes target     prot opt in     out        source               destination
> > >     0     0 ACCEPT     all  --  *      *          0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
> > >     0     0 MASQUERADE all  --  *      enp0s31f6  172.16.0.1           0.0.0.0/0
> > > 24519 1646K MASQUERADE all  --  *      ppp0       192.168.1.0/24       0.0.0.0/0
> > > 
> > > 
> > > However when I attempt to ping, I see the ping on the ppp0
> > > interface, and the source isn't 172.16.0.1:
> > > 2018-07-25 18:26:37.085194521      8.0.0.1 → 192.168.1.1 ICMP 100
> > > Echo (ping) request  id=0x0004, seq=1/256, ttl=64
> > > 
> > > 
> > > Not exactly sure where to go next.  I did install the extra
> > > plugins that include farp as well.  Thank you.
> > > 
> > > James
> > 
> > Anything on this?  in testing I made this change:
> > 
> > rightsourceip=10.10.10.0/24
> > 
> > Pinging from the client connected device gets me this:
> > 
> > 1 2018-07-29 07:50:27.606525877     8.0.10.1 → 192.168.1.1 ICMP 100
> > Echo (ping) request  id=0x000f, seq=1/256, ttl=64
> > 
> > 
> > Something seems very broken.  Thank you.
> > 
> > James
> 
> And some startup and connect logs:
> 
> Jul 29 07:29:44 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64)
> Jul 29 07:29:44 gateway charon: 00[CFG] PKCS11 module '<name>' lacks library path
> Jul 29 07:29:44 gateway charon: 00[CFG] disabling load-tester plugin, not configured
> Jul 29 07:29:44 gateway charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
> Jul 29 07:29:44 gateway charon: 00[CFG] dnscert plugin is disabled
> Jul 29 07:29:44 gateway charon: 00[CFG] ipseckey plugin is disabled
> Jul 29 07:29:44 gateway charon: 00[CFG] attr-sql plugin: database URI not set
> Jul 29 07:29:44 gateway charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Jul 29 07:29:44 gateway charon: 00[CFG]   loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/StrongSwanCACert.pem'
> Jul 29 07:29:44 gateway charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Jul 29 07:29:44 gateway charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Jul 29 07:29:44 gateway charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Jul 29 07:29:44 gateway charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Jul 29 07:29:44 gateway charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Jul 29 07:29:44 gateway charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/StrongSwanHostKey.pem'
> Jul 29 07:29:44 gateway charon: 00[CFG] sql plugin: database URI not set
> Jul 29 07:29:44 gateway charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
> Jul 29 07:29:44 gateway charon: 00[CFG] eap-simaka-sql database URI missing
> Jul 29 07:29:44 gateway charon: 00[CFG] loaded 0 RADIUS server configurations
> Jul 29 07:29:44 gateway charon: 00[CFG] HA config misses local/remote address
> Jul 29 07:29:44 gateway charon: 00[CFG] no threshold configured for systime-fix, disabled
> Jul 29 07:29:44 gateway charon: 00[CFG] coupling file path unspecified
> Jul 29 07:29:44 gateway charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
> Jul 29 07:29:44 gateway charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Jul 29 07:29:44 gateway charon: 00[JOB] spawning 16 worker threads
> Jul 29 07:29:44 gateway ipsec[12353]: charon (12392) started after 100 ms
> Jul 29 07:29:44 gateway ipsec_starter[12353]: charon (12392) started after 100 ms
> Jul 29 07:29:44 gateway charon: 06[CFG] received stroke: add connection 'rw'
> Jul 29 07:29:44 gateway charon: 06[CFG] adding virtual IP address pool 172.16.0.1
> Jul 29 07:29:44 gateway charon: 06[CFG]   loaded certificate "C=CH, O=strongSwan, CN=ns1.domain" from 'StrongSwanHostCert.pem'
> Jul 29 07:29:44 gateway charon: 06[CFG]   id 'external_ip' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=ns1.domain'
> Jul 29 07:29:44 gateway charon: 06[CFG] added configuration 'rw'
> Jul 29 07:30:13 gateway charon: 10[NET] received packet: from x.x.15.77[7388] to external_ip[500] (716 bytes)
> Jul 29 07:30:13 gateway charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Jul 29 07:30:13 gateway charon: 10[IKE] x.x.15.77 is initiating an IKE_SA
> Jul 29 07:30:13 gateway charon: 10[IKE] x.x.15.77 is initiating an IKE_SA
> Jul 29 07:30:13 gateway charon: 10[IKE] remote host is behind NAT
> Jul 29 07:30:13 gateway charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Jul 29 07:30:13 gateway charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> Jul 29 07:30:13 gateway charon: 10[NET] sending packet: from external_ip[500] to x.x.15.77[7388] (297 bytes)
> Jul 29 07:30:15 gateway charon: 11[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
> Jul 29 07:30:15 gateway charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
> Jul 29 07:30:15 gateway charon: 11[ENC] received fragment #1 of 4, waiting for complete IKE message
> Jul 29 07:30:15 gateway charon: 12[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
> Jul 29 07:30:15 gateway charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
> Jul 29 07:30:15 gateway charon: 12[ENC] received fragment #2 of 4, waiting for complete IKE message
> Jul 29 07:30:15 gateway charon: 13[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
> Jul 29 07:30:15 gateway charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
> Jul 29 07:30:15 gateway charon: 13[ENC] received fragment #3 of 4, waiting for complete IKE message
> Jul 29 07:30:15 gateway charon: 14[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1156 bytes)
> Jul 29 07:30:15 gateway charon: 14[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]

And startup and session logs from previous, working version:

Apr 18 04:23:33 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-119-generic, x86_64)
Apr 18 04:23:34 gateway charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 18 04:23:34 gateway charon: 00[CFG]   loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/StrongSwanCACert.pem'
Apr 18 04:23:34 gateway charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 18 04:23:34 gateway charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 18 04:23:34 gateway charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 18 04:23:34 gateway charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 18 04:23:34 gateway charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 18 04:23:34 gateway charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/StrongSwanHostKey.pem'
Apr 18 04:23:34 gateway charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Apr 18 04:23:34 gateway charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
Apr 18 04:23:34 gateway charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 18 04:23:34 gateway charon: 00[JOB] spawning 16 worker threads
Apr 18 04:23:34 gateway ipsec_starter[26813]: charon (26814) started after 180 ms
Apr 18 04:23:34 gateway charon: 05[CFG] received stroke: add connection 'rw'
Apr 18 04:23:34 gateway charon: 05[CFG] left nor right host is our side, assuming left=local
Apr 18 04:23:34 gateway charon: 05[CFG] adding virtual IP address pool 192.168.1.11
Apr 18 04:23:34 gateway charon: 05[CFG]   loaded certificate "C=CH, O=strongSwan, CN=ns1.domain" from 'StrongSwanHostCert.pem'
Apr 18 04:23:34 gateway charon: 05[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=ns1.domain'
Apr 18 04:23:34 gateway charon: 05[CFG] added configuration 'rw'

Apr 22 12:22:52 gateway charon: 11[NET] received packet: from x.x.9.223[8351] to external_ip[500] (704 bytes)
Apr 22 12:22:52 gateway charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
Apr 22 12:22:52 gateway charon: 11[IKE] x.x.9.223 is initiating an IKE_SA
Apr 22 12:22:52 gateway charon: 11[IKE] x.x.9.223 is initiating an IKE_SA
Apr 22 12:22:52 gateway charon: 11[IKE] remote host is behind NAT
Apr 22 12:22:52 gateway charon: 11[IKE] DH group ECP_256 inacceptable, requesting MODP_2048
Apr 22 12:22:52 gateway charon: 11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 22 12:22:52 gateway charon: 11[NET] sending packet: from external_ip[500] to x.x.9.223[8351] (38 bytes)
Apr 22 12:22:52 gateway charon: 12[NET] received packet: from x.x.9.223[8351] to external_ip[500] (896 bytes)
Apr 22 12:22:52 gateway charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
Apr 22 12:22:52 gateway charon: 12[IKE] x.x.9.223 is initiating an IKE_SA
Apr 22 12:22:52 gateway charon: 12[IKE] x.x.9.223 is initiating an IKE_SA
Apr 22 12:22:52 gateway charon: 12[IKE] remote host is behind NAT
Apr 22 12:22:52 gateway charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Apr 22 12:22:52 gateway charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 22 12:22:52 gateway charon: 12[NET] sending packet: from external_ip[500] to x.x.9.223[8351] (465 bytes)
Apr 22 12:22:53 gateway charon: 14[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (5100 bytes)
Apr 22 12:22:53 gateway charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr 22 12:22:53 gateway charon: 14[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Apr 22 12:22:53 gateway charon: 14[IKE] received 156 cert requests for an unknown ca
Apr 22 12:22:53 gateway charon: 14[IKE] received end entity cert "C=CH, O=strongSwan, CN=user at domain"
Apr 22 12:22:53 gateway charon: 14[CFG] looking for peer configs matching external_ip[%any]...x.x.9.223[C=CH, O=strongSwan, CN=user at domain]
Apr 22 12:22:53 gateway charon: 14[CFG] selected peer config 'rw'
Apr 22 12:22:53 gateway charon: 14[CFG]   using certificate "C=CH, O=strongSwan, CN=user at domain"
Apr 22 12:22:53 gateway charon: 14[CFG]   using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA"
Apr 22 12:22:53 gateway charon: 14[CFG] checking certificate status of "C=CH, O=strongSwan, CN=user at domain"
Apr 22 12:22:53 gateway charon: 14[CFG] certificate status is not available
Apr 22 12:22:53 gateway charon: 14[CFG]   reached self-signed root ca with a path length of 0
Apr 22 12:22:53 gateway charon: 14[IKE] authentication of 'C=CH, O=strongSwan, CN=user at domain' with RSA signature successful
Apr 22 12:22:53 gateway charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 22 12:22:53 gateway charon: 14[IKE] peer supports MOBIKE
Apr 22 12:22:53 gateway charon: 14[IKE] authentication of 'C=CH, O=strongSwan, CN=ns1.domain' (myself) with RSA signature successful
Apr 22 12:22:53 gateway charon: 14[IKE] IKE_SA rw[6] established between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=user at domain]
Apr 22 12:22:53 gateway charon: 14[IKE] IKE_SA rw[6] established between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=user at domain]
Apr 22 12:22:53 gateway charon: 14[IKE] scheduling reauthentication in 9726s
Apr 22 12:22:53 gateway charon: 14[IKE] maximum IKE_SA lifetime 10266s
Apr 22 12:22:53 gateway charon: 14[IKE] sending end entity cert "C=CH, O=strongSwan, CN=ns1.domain"
Apr 22 12:22:53 gateway charon: 14[IKE] peer requested virtual IP %any
Apr 22 12:22:53 gateway charon: 14[CFG] reassigning offline lease to 'C=CH, O=strongSwan, CN=user at domain'
Apr 22 12:22:53 gateway charon: 14[IKE] assigning virtual IP 192.168.1.11 to peer 'C=CH, O=strongSwan, CN=user at domain'
Apr 22 12:22:53 gateway charon: 14[IKE] peer requested virtual IP %any6
Apr 22 12:22:53 gateway charon: 14[IKE] no virtual IP found for %any6 requested by 'C=CH, O=strongSwan, CN=user at domain'
Apr 22 12:22:53 gateway charon: 14[IKE] CHILD_SA rw{4} established with SPIs cab12a0f_i 17e464af_o and TS 192.168.1.0/24 === 192.168.1.11/32
Apr 22 12:22:53 gateway charon: 14[IKE] CHILD_SA rw{4} established with SPIs cab12a0f_i 17e464af_o and TS 192.168.1.0/24 === 192.168.1.11/32
Apr 22 12:22:53 gateway charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Apr 22 12:22:53 gateway charon: 14[NET] sending packet: from external_ip[4500] to x.x.9.223[8331] (2204 bytes)
Apr 22 12:22:53 gateway charon: 15[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (76 bytes)
Apr 22 12:22:53 gateway charon: 15[ENC] parsed INFORMATIONAL request 2 [ N(NO_ADD_ADDR) ]
Apr 22 12:22:53 gateway charon: 15[ENC] generating INFORMATIONAL response 2 [ ]
Apr 22 12:22:53 gateway charon: 15[NET] sending packet: from external_ip[4500] to x.x.9.223[8331] (76 bytes)
Apr 22 12:23:24 gateway charon: 06[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (76 bytes)
Apr 22 12:23:24 gateway charon: 06[ENC] parsed INFORMATIONAL request 3 [ D ]
Apr 22 12:23:24 gateway charon: 06[IKE] received DELETE for IKE_SA rw[6]
Apr 22 12:23:24 gateway charon: 06[IKE] deleting IKE_SA rw[6] between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=user at domain]
Apr 22 12:23:24 gateway charon: 06[IKE] deleting IKE_SA rw[6] between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=user at domain]
Apr 22 12:23:24 gateway charon: 06[IKE] IKE_SA deleted
Apr 22 12:23:24 gateway charon: 06[IKE] IKE_SA deleted
Apr 22 12:23:24 gateway charon: 06[ENC] generating INFORMATIONAL response 3 [ ]
Apr 22 12:23:24 gateway charon: 06[NET] sending packet: from external_ip[4500] to x.x.9.223[8331] (76 bytes)
Apr 22 12:23:24 gateway charon: 06[CFG] lease 192.168.1.11 by 'C=CH, O=strongSwan, CN=user at domain' went offline
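As an added example (editor's code, not part of this thread and not strongSwan's own tooling), here is a small Python parser for the charon lines quoted above. It pulls the negotiated traffic selectors and SPIs out of each "CHILD_SA ... established" line and the virtual IP out of each "assigning virtual IP" line, then answers the question the thread keeps circling: does an inbound packet source such as the 8.0.0.1 seen on ppp0 actually fall inside the remote selector the gateway agreed to? If it does not, the kernel's IPsec policy never applies to that flow, so looking at the tunnel's NAT rules will not help. The sample lines are taken from the working-version log above; the function names are mine, and the selector parser goes slightly beyond what the log shows by also accepting "a..b" ranges and "[proto/port]" qualifiers, which charon prints for narrower selectors.

```python
import ipaddress
import re

# Sample charon lines, copied from the working-version (5.1.2) log quoted in this thread.
SAMPLE_LOG = """\
Apr 22 12:22:53 gateway charon: 14[IKE] assigning virtual IP 192.168.1.11 to peer 'C=CH, O=strongSwan, CN=user at domain'
Apr 22 12:22:53 gateway charon: 14[IKE] CHILD_SA rw{4} established with SPIs cab12a0f_i 17e464af_o and TS 192.168.1.0/24 === 192.168.1.11/32
Apr 22 12:22:53 gateway charon: 14[IKE] CHILD_SA rw{4} established with SPIs cab12a0f_i 17e464af_o and TS 192.168.1.0/24 === 192.168.1.11/32
Apr 22 12:23:24 gateway charon: 06[CFG] lease 192.168.1.11 by 'C=CH, O=strongSwan, CN=user at domain' went offline
"""

CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<name>\S+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS "
    r"(?P<local>.+?) === (?P<remote>.+?)\s*$"
)
VIP_RE = re.compile(r"assigning virtual IP (?P<ip>\S+) to peer '(?P<peer>[^']+)'")


def parse_selectors(text):
    """Turn a charon selector list ('10.0.0.0/8 10.1.2.3/32 ...') into ip_network objects.
    '[proto/port]' qualifiers are dropped; 'a..b' ranges are summarised into CIDR blocks."""
    nets = []
    for token in text.split():
        token = token.split("[", 1)[0]
        if ".." in token:
            lo, hi = token.split("..", 1)
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        else:
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def parse_child_sas(log_text):
    """Collect every established CHILD_SA with its SPIs and local/remote selectors.
    charon emits the 'established' line twice (once per log target), so de-duplicate on SPIs."""
    sas, seen = [], set()
    for line in log_text.splitlines():
        m = CHILD_SA_RE.search(line)
        if not m:
            continue
        key = (m["spi_in"], m["spi_out"])
        if key in seen:
            continue
        seen.add(key)
        sas.append({
            "name": m["name"], "spi_in": m["spi_in"], "spi_out": m["spi_out"],
            "local": parse_selectors(m["local"]),
            "remote": parse_selectors(m["remote"]),
        })
    return sas


def parse_virtual_ips(log_text):
    """Map each peer identity to the virtual IP charon leased to it."""
    return {m["peer"]: ipaddress.ip_address(m["ip"]) for m in VIP_RE.finditer(log_text)}


def matching_sa(src, dst, sas):
    """Name of the CHILD_SA whose selectors cover an inbound packet src -> dst
    (src inside the remote TS, dst inside the local TS), or None if no SA matches.
    A None here means the packet is outside every IPsec policy on the gateway."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sa in sas:
        if any(s in n for n in sa["remote"]) and any(d in n for n in sa["local"]):
            return sa["name"]
    return None


if __name__ == "__main__":
    sas = parse_child_sas(SAMPLE_LOG)
    print("virtual IPs:", parse_virtual_ips(SAMPLE_LOG))
    for src in ("192.168.1.11", "8.0.0.1"):
        print(f"{src} -> 192.168.1.1 covered by:", matching_sa(src, "192.168.1.1", sas))
```

Run against the working-version log, the leased virtual IP 192.168.1.11 is covered by `rw`, while a source of 8.0.0.1 matches nothing, which is the shape of the mismatch reported for the upgraded gateway: the first thing to compare after an upgrade is the remote TS charon negotiated against the source address the client actually puts on its packets.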