[strongSwan] Strongswan IPSec VPN is up but does not pass traffic

Shuchen He georgehsc at hotmail.com
Mon Mar 12 11:45:52 CET 2018


Hi,

I have set up a VPN between an ASA and strongSwan using IKEv1. strongSwan works as the remote VPN using PSK/XAuth.

The VPN tunnel is up but I cannot ping the remote site. Below is the configuration and some output.

My observation at the moment is that the Linux kernel has set up everything, but the TS traffic just does not leave the Linux box. When I ping the remote site, I can see that "ip xfrm state" actually shows a flow for my traffic... but the flow is somehow dropped by either the kernel or strongSwan.

Can you please let me know what else I should do to further troubleshoot the issue?

Configuration

connections {
    home {
        aggressive = yes
        dpd_delay = 30
        dpd_timeout = 90
        version = 1
        remote_addrs = 126.2.1.4
        # uncomment if the responder only supports crappy crypto. But seriously,
        # every single one of those algorithms is broken. Better spend some $$$
        # on a better solution.
        proposals = aes256-sha1-modp1024
        vips = 0.0.0.0,::
        local-1 {
            auth = psk
            id = acompanyTest
        }
        local-2 {
            auth = xauth-generic
            xauth_id = acompanyTest
        }
        remote-1 {
            auth = psk
            # You might have to set this to the correct value, if the responder isn't configured correctly.
            #id = 126.2.1.4
        }
        children {
            home {
                remote_ts = 10.2.1.0/24
                #local_ts = 192.168.199.0/24,0.0.0.0
                # uncomment if the responder only supports crappy crypto. But seriously,
                # every single one of those algorithms is broken. Better spend some $$$
                # on a better solution.
                # esp_proposals = 3des-md5!
                # Use this, if you want PFS with DH group 2.
                # esp_proposals = 3des-md5-modp1024!
                esp_proposals = aes128-sha1-modp768
            }
        }
    }
}
secrets {
    ike-home {
        id = 126.2.1.4
        secret = "acompany123"
    }
    eap-home {
        id = acompanyTest
        secret = "acompany123"
    }
}

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 3.0.35-2666-gbdde708-g889281e-dirty, armv7l):
  uptime: 18 minutes, since Mar 12 18:15:45 2018
  malloc: sbrk 253952, mmap 0, used 158560, free 95392
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  192.168.199.100
  192.168.199.254
  192.168.199.141
  192.168.126.1
  10.39.63.211
Connections:
        site:  %any...126.2.1.4  IKEv1
        site:   local:  [mylocalsite] uses pre-shared key authentication
        site:   remote: uses pre-shared key authentication
        site:   child:  192.168.199.0/24 === 10.2.1.0/24 TUNNEL
        home:  %any...126.2.1.4  IKEv1 Aggressive, dpddelay=30s
        home:   local:  [acompanyTest] uses pre-shared key authentication
        home:   local:  uses XAuth authentication: generic with XAuth identity 'acompanyTest'
        home:   remote: uses pre-shared key authentication
        home:   child:  dynamic === 10.2.1.0/24 TUNNEL, dpdaction=clear
Routed Connections:
        site{1}:  ROUTED, TUNNEL, reqid 1
        site{1}:   192.168.199.0/24 === 10.2.1.0/24
Security Associations (1 up, 0 connecting):
        home[1]: ESTABLISHED 17 minutes ago, 10.39.63.211[acompanyTest]...126.2.1.4[126.2.1.4]
        home[1]: IKEv1 SPIs: 504550d01ee905e2_i* 2311e0ae0c6c454f_r, rekeying in 3 hours
        home[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        home{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cc621d5e_i 3545bd6a_o
        home{2}:  AES_CBC_128/HMAC_SHA1_96/MODP_768, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
        home{2}:   10.2.1.211/32 === 10.2.1.0/24
root at wheezy-armel:~ 18:33:49
# ifconfig
eth0      Link encap:Ethernet  HWaddr 50:ff:99:30:13:10
          inet addr:192.168.199.100  Bcast:192.168.199.255  Mask:255.255.255.0
          inet6 addr: fe80::52ff:99ff:fe30:1310/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:3585 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1318 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:422967 (413.0 KiB)  TX bytes:177070 (172.9 KiB)
eth1      Link encap:Ethernet  HWaddr 50:ff:99:30:13:11
          inet addr:192.168.199.141  Bcast:192.168.199.255  Mask:255.255.255.0
          inet6 addr: fe80::52ff:99ff:fe30:1311/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:11288 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2799722 (2.6 MiB)  TX bytes:3078 (3.0 KiB)
          Interrupt:155 Base address:0x8000
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1334 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1334 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:465386 (454.4 KiB)  TX bytes:465386 (454.4 KiB)
usb0      Link encap:Ethernet  HWaddr 02:1e:10:1f:00:00
          inet addr:10.39.63.211  Bcast:10.39.63.215  Mask:255.255.255.248
          inet6 addr: fe80::1e:10ff:fe1f:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1049 errors:0 dropped:0 overruns:0 frame:0
          TX packets:973 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:67244 (65.6 KiB)  TX bytes:153707 (150.1 KiB)
wlan0     Link encap:Ethernet  HWaddr 08:ea:40:72:28:b7
          inet addr:192.168.126.1  Bcast:192.168.126.255  Mask:255.255.255.0
          inet6 addr: fe80::aea:40ff:fe72:28b7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3229 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:112 (112.0 B)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.39.63.209    0.0.0.0         UG    0      0        0 usb0
10.39.63.208    0.0.0.0         255.255.255.248 U     0      0        0 usb0
192.168.126.0   0.0.0.0         255.255.255.0   U     0      0        0 wlan0
192.168.199.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.199.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1

# ip route show table 220
10.2.1.0/24 via 10.39.63.209 dev usb0  proto static  src 192.168.199.100

# ip -s xfrm state
src 10.39.63.211 dst 126.2.1.4
    proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
    replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
    auth-trunc hmac(sha1) 0xaeb85f4b30fec0ccc1240cf9f6204a74e1785df5 (160 bits) 96
    enc cbc(aes) 0xa0711780a30caaad143960ede951ef46 (128 bits)
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 3501(sec), hard 3960(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:52 use -
    stats:
      replay-window 0 replay 0 failed 0
src 126.2.1.4 dst 10.39.63.211
    proto esp spi 0xcc621d5e(3428982110) reqid 2(0x00000002) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    auth-trunc hmac(sha1) 0xbe6d3dc8b3c032f0059ece1a0234cbd87858d25e (160 bits) 96
    enc cbc(aes) 0x7d99b233194ab31328cec11ea2ce7aa1 (128 bits)
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 3596(sec), hard 3960(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:52 use -
    stats:
      replay-window 0 replay 0 failed 0
root at wheezy-armel:~ 18:34:25
# ping -i 192.168.199.100 10.2.1.60
PING 10.2.1.60 (10.2.1.60) 56(84) bytes of data.
^C
--- 10.2.1.60 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

# ip -s xfrm state
src 10.39.63.211 dst 126.2.1.4
    proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
    replay-window 0 seq 0x00000003 flag  (0x00000000)
    sel src 192.168.199.100/32 dst 10.2.1.60/32 proto udp sport 48645 dport 1025 uid 0
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 165(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:34:35 use -
    stats:
      replay-window 0 replay 0 failed 0
src 10.39.63.211 dst 126.2.1.4
    proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
    replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
    auth-trunc hmac(sha1) 0xaeb85f4b30fec0ccc1240cf9f6204a74e1785df5 (160 bits) 96
    enc cbc(aes) 0xa0711780a30caaad143960ede951ef46 (128 bits)
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 3501(sec), hard 3960(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:52 use -
    stats:
      replay-window 0 replay 0 failed 0
src 126.2.1.4 dst 10.39.63.211
    proto esp spi 0xcc621d5e(3428982110) reqid 2(0x00000002) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    auth-trunc hmac(sha1) 0xbe6d3dc8b3c032f0059ece1a0234cbd87858d25e (160 bits) 96
    enc cbc(aes) 0x7d99b233194ab31328cec11ea2ce7aa1 (128 bits)
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 3596(sec), hard 3960(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:52 use -
    stats:
      replay-window 0 replay 0 failed 0
root at wheezy-armel:~ 18:34:37
# ip -s xfrm policy
src 10.2.1.211/32 dst 10.2.1.0/24 uid 0
    dir out action allow index 105 priority 371327 share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:52 use -
    tmpl src 10.39.63.211 dst 126.2.1.4
        proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.2.1.0/24 dst 10.2.1.211/32 uid 0
    dir fwd action allow index 98 priority 371327 share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:52 use -
    tmpl src 126.2.1.4 dst 10.39.63.211
        proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.2.1.0/24 dst 10.2.1.211/32 uid 0
    dir in action allow index 88 priority 371327 share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:52 use -
    tmpl src 126.2.1.4 dst 10.39.63.211
        proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.199.0/24 dst 10.2.1.0/24 uid 0
    dir out action allow index 81 priority 375424 share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:48 use -
    tmpl src 10.39.63.211 dst 126.2.1.4
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.2.1.0/24 dst 192.168.199.0/24 uid 0
    dir fwd action allow index 74 priority 375424 share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:48 use -
    tmpl src 126.2.1.4 dst 10.39.63.211
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.2.1.0/24 dst 192.168.199.0/24 uid 0
    dir in action allow index 64 priority 375424 share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:48 use -
    tmpl src 126.2.1.4 dst 10.39.63.211
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
    socket in action allow index 59 priority 0 share any flag  (0x00000000)
    lifetime config:
      limit: soft 0(bytes), hard 0(bytes)
      limit: soft 0(packets), hard 0(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:44 use 2018-03-12 18:34:33
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
    socket out action allow index 52 priority 0 share any flag  (0x00000000)
    lifetime config:
      limit: soft 0(bytes), hard 0(bytes)
      limit: soft 0(packets), hard 0(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:44 use 2018-03-12 18:34:28
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
    socket in action allow index 43 priority 0 share any flag  (0x00000000)
    lifetime config:
      limit: soft 0(bytes), hard 0(bytes)
      limit: soft 0(packets), hard 0(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:44 use 2018-03-12 18:34:39
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
    socket out action allow index 36 priority 0 share any flag  (0x00000000)
    lifetime config:
      limit: soft 0(bytes), hard 0(bytes)
      limit: soft 0(packets), hard 0(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:44 use 2018-03-12 18:34:39
src ::/0 dst ::/0 uid 0
    socket in action allow index 27 priority 0 share any flag  (0x00000000)
    lifetime config:
      limit: soft 0(bytes), hard 0(bytes)
      limit: soft 0(packets), hard 0(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:44 use -
src ::/0 dst ::/0 uid 0
    socket out action allow index 20 priority 0 share any flag  (0x00000000)
    lifetime config:
      limit: soft 0(bytes), hard 0(bytes)
      limit: soft 0(packets), hard 0(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:44 use -
src ::/0 dst ::/0 uid 0
    socket in action allow index 11 priority 0 share any flag  (0x00000000)
    lifetime config:
      limit: soft 0(bytes), hard 0(bytes)
      limit: soft 0(packets), hard 0(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:44 use -
src ::/0 dst ::/0 uid 0
    socket out action allow index 4 priority 0 share any flag  (0x00000000)
    lifetime config:
      limit: soft 0(bytes), hard 0(bytes)
      limit: soft 0(packets), hard 0(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2018-03-12 18:15:44 use -


Thanks

George
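A small check for the situation described in the post above: given a source/destination pair, find which outbound xfrm policy the packet hits and whether an ESP SA with a real SPI backs that policy's reqid (added example, not from the post or from strongSwan; it parses trimmed excerpts of the quoted `ip -s xfrm policy` / `ip -s xfrm state` output and keys on the reqid that links policy to state).

```python
import ipaddress
import re
# Trimmed excerpts of the xfrm policy/state output quoted above (lifetime and
# stats lines dropped; constructed sample input for this example).
POLICY_OUT = """\
src 10.2.1.211/32 dst 10.2.1.0/24 uid 0
    dir out action allow index 105 priority 371327 share any flag  (0x00000000)
    tmpl src 10.39.63.211 dst 126.2.1.4
        proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
src 192.168.199.0/24 dst 10.2.1.0/24 uid 0
    dir out action allow index 81 priority 375424 share any flag  (0x00000000)
    tmpl src 10.39.63.211 dst 126.2.1.4
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
"""
STATE_OUT = """\
src 10.39.63.211 dst 126.2.1.4
    proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
src 10.39.63.211 dst 126.2.1.4
    proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
"""
POLICY_RE = re.compile(
    r"src (\S+) dst (\S+).*?\n\s+dir (\w+) .*?priority (\d+).*?reqid (\d+)", re.S)
STATE_RE = re.compile(r"\n\s+proto esp spi 0x([0-9a-f]+)\S* reqid (\d+)")

def parse_policies(text):
    """One dict per policy that has a direction and an ESP template."""
    pols = []
    for block in re.split(r"^(?=src )", text, flags=re.M):
        m = POLICY_RE.search(block)
        if m:  # socket policies have no 'dir'/'tmpl' and are skipped
            pols.append({"src": ipaddress.ip_network(m[1], strict=False),
                         "dst": ipaddress.ip_network(m[2], strict=False),
                         "dir": m[3], "priority": int(m[4]), "reqid": int(m[5])})
    return pols

def parse_states(text):
    """Map reqid -> list of SPIs; SPI 0 is a larval 'acquire' placeholder."""
    states = {}
    for m in STATE_RE.finditer(text):
        states.setdefault(int(m[2]), []).append(int(m[1], 16))
    return states

def diagnose(src, dst, policies, states):
    """Which 'out' policy a src->dst packet hits, and whether an SA backs it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == "out" and s in p["src"] and d in p["dst"]]
    if not hits:
        return "no-policy"
    best = min(hits, key=lambda p: p["priority"])  # lowest value wins
    spis = states.get(best["reqid"], [])
    if any(spis):  # at least one state with a non-zero SPI
        return "ok reqid=%d" % best["reqid"]
    return ("acquire-pending" if spis else "no-sa") + " reqid=%d" % best["reqid"]
```

On these excerpts a packet from 192.168.199.100 to 10.2.1.60 hits the reqid 1 policy, which is backed only by a larval spi 0 state, while the installed SA is on reqid 2 (source 10.2.1.211). On a live box, feed it the full output of `ip xfrm policy` and `ip xfrm state` instead of the embedded excerpts.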