[strongSwan] Strongswan IPSec VPN is up but does not pass traffic

Shuchen He georgehsc at hotmail.com
Wed Mar 14 00:49:25 CET 2018


Hi Andreas,

Thanks for the help. Please see the command result.

# ip route list table 220
10.2.1.0/24 via 10.168.60.226 dev usb0  proto static  src 192.168.199.100

Cheers

George
________________________________
From: Andreas Steffen <andreas.steffen at strongswan.org>
Sent: Tuesday, 13 March 2018 7:36 PM
To: Shuchen He; users at lists.strongswan.org
Subject: Re: [strongSwan] Strongswan IPSec VPN is up but does not pass traffic

Hi,

I don't see the virtual IP address 10.2.1.211/32 installed on your
physical USB interface with IP address 10.39.63.211. Does the command

  ip route list table 220

show any source route entries?

Regards

Andreas

On 12.03.2018 11:45, Shuchen He wrote:
> Hi,
>
> I have setup a VPN between ASA and strongswan using IKE1. The strongswan
> work as remote VPN using PSK XAuth.
>
> The VPN tunnel is up but I can not ping the remote site. Below is the
> configuration and some output.
>
> My observation at the moment is that the Linux kernel has setup
> everything but the TS traffic just does not leave the Linux box.  When I
> ping remote site, I can see "ip xfrm state" actually shows a flow for my
> traffic... but the flow is somehow dropped by either the kernel or
> strongswan.
>
>  Can you please let me know what else I should do to further
> troubleshoot the issue?
>
> *Configuration
> *
> connections {
>     home {
>         aggressive = yes
>         dpd_delay = 30
>         dpd_timeout = 90
>         version = 1
>         remote_addrs = 126.2.1.4
>         # uncomment if the responder only supports crappy crypto. But
> seriously,
>         # every single one of those algorithms is broken. Better spend
> some $$$
>         # on a better solution.
>         proposals = aes256-sha1-modp1024
>         vips = 0.0.0.0,::
>         local-1 {
>             auth = psk
>         id = acompanyTest
>         }
>         local-2 {
>             auth = xauth-generic
>             xauth_id = acompanyTest
>         }
>         remote-1 {
>             auth = psk
>             # You might have to set this to the correct value, if the
> responder isn't configure correctly.
>             #id = 126.2.1.4
>         }
>         children {
>             home {
>                 remote_ts = 10.2.1.0/24
>         #local_ts=192.168.199.0/24,0.0.0.0
>                 # uncomment if the responder only supports crappy
> crypto. But seriously,
>                 # every single one of those algorithms is broken. Better
> spend some $$$
>                 # on a better solution.
>                 # esp_proposals = 3des-md5!
>                 # Use this, if you want PFS with DH group 2.
>                 # esp_proposals = 3des-md5-modp1024!
>         esp_proposals = aes128-sha1-modp768
>             }
>         }
>    }
> }
>     secrets {
>         ike-home {
>             id = 126.2.1.4
>             secret = "acompany123"
>         }
>         eap-home {
>             id = acompanyTest
>             secret = "acompany123"
>         }
>     }
>
> # ipsec statusall
> Status of IKE charon daemon (strongSwan 5.6.2, Linux
> 3.0.35-2666-gbdde708-g889281e-dirty, armv7l):
>   uptime: 18 minutes, since Mar 12 18:15:45 2018
>   malloc: sbrk 253952, mmap 0, used 158560, free 95392
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 6
>   loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce
> x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
> sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink
> resolve socket-default stroke vici updown xauth-generic counters
> Listening IP addresses:
>   192.168.199.100
>   192.168.199.254
>   192.168.199.141
>   192.168.126.1
>   10.39.63.211
> Connections:
>         site:  %any...126.2.1.4  IKEv1
>         site:   local:  [mylocalsite] uses pre-shared key authentication
>         site:   remote: uses pre-shared key authentication
>         site:   child:  192.168.199.0/24 === 10.2.1.0/24 TUNNEL
>         home:  %any...126.2.1.4  IKEv1 Aggressive, dpddelay=30s
>         home:   local:  [acompanyTest] uses pre-shared key authentication
>         home:   local:  uses XAuth authentication: generic with XAuth
> identity 'acompanyTest'
>         home:   remote: uses pre-shared key authentication
>         home:   child:  dynamic === 10.2.1.0/24 TUNNEL, dpdaction=clear
> Routed Connections:
>         site{1}:  ROUTED, TUNNEL, reqid 1
>         site{1}:   192.168.199.0/24 === 10.2.1.0/24
> Security Associations (1 up, 0 connecting):
>         home[1]: ESTABLISHED 17 minutes ago,
> 10.39.63.211[acompanyTest]...126.2.1.4[126.2.1.4]
>         home[1]: IKEv1 SPIs: 504550d01ee905e2_i* 2311e0ae0c6c454f_r,
> rekeying in 3 hours
>         home[1]: IKE proposal:
> AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>         home{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs:
> cc621d5e_i 3545bd6a_o
>         home{2}:  AES_CBC_128/HMAC_SHA1_96/MODP_768, 0 bytes_i, 0
> bytes_o, rekeying in 40 minutes
>         home{2}:   10.2.1.211/32 === 10.2.1.0/24
> root at wheezy-armel:~ 18:33:49
> # ifconfig
> eth0      Link encap:Ethernet  HWaddr 50:ff:99:30:13:10
>           inet addr:192.168.199.100  Bcast:192.168.199.255
> Mask:255.255.255.0
>           inet6 addr: fe80::52ff:99ff:fe30:1310/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:3585 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1318 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:422967 (413.0 KiB)  TX bytes:177070 (172.9 KiB)
> eth1      Link encap:Ethernet  HWaddr 50:ff:99:30:13:11
>           inet addr:192.168.199.141  Bcast:192.168.199.255
> Mask:255.255.255.0
>           inet6 addr: fe80::52ff:99ff:fe30:1311/64 Scope:Link
>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:11288 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:2799722 (2.6 MiB)  TX bytes:3078 (3.0 KiB)
>           Interrupt:155 Base address:0x8000
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:1334 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1334 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:465386 (454.4 KiB)  TX bytes:465386 (454.4 KiB)
> usb0      Link encap:Ethernet  HWaddr 02:1e:10:1f:00:00
>           inet addr:10.39.63.211  Bcast:10.39.63.215  Mask:255.255.255.248
>           inet6 addr: fe80::1e:10ff:fe1f:0/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:1049 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:973 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:67244 (65.6 KiB)  TX bytes:153707 (150.1 KiB)
> wlan0     Link encap:Ethernet  HWaddr 08:ea:40:72:28:b7
>           inet addr:192.168.126.1  Bcast:192.168.126.255  Mask:255.255.255.0
>           inet6 addr: fe80::aea:40ff:fe72:28b7/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:3229 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 B)  TX bytes:112 (112.0 B)
>
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
> Iface
> 0.0.0.0         10.39.63.209    0.0.0.0         UG    0      0        0 usb0
> 10.39.63.208    0.0.0.0         255.255.255.248 U     0      0        0 usb0
> 192.168.126.0   0.0.0.0         255.255.255.0   U     0      0        0
> wlan0
> 192.168.199.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.199.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
>
> # ip route show table 220
> 10.2.1.0/24 via 10.39.63.209 dev usb0  proto static  src 192.168.199.100
>
> # ip -s xfrm state
> src 10.39.63.211 dst 126.2.1.4
>     proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
>     replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
>     auth-trunc hmac(sha1) 0xaeb85f4b30fec0ccc1240cf9f6204a74e1785df5
> (160 bits) 96
>     enc cbc(aes) 0xa0711780a30caaad143960ede951ef46 (128 bits)
>     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 3501(sec), hard 3960(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:52 use -
>     stats:
>       replay-window 0 replay 0 failed 0
> src 126.2.1.4 dst 10.39.63.211
>     proto esp spi 0xcc621d5e(3428982110) reqid 2(0x00000002) mode tunnel
>     replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
>     auth-trunc hmac(sha1) 0xbe6d3dc8b3c032f0059ece1a0234cbd87858d25e
> (160 bits) 96
>     enc cbc(aes) 0x7d99b233194ab31328cec11ea2ce7aa1 (128 bits)
>     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 3596(sec), hard 3960(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:52 use -
>     stats:
>       replay-window 0 replay 0 failed 0
> root at wheezy-armel:~ 18:34:25
> # ping -i 192.168.199.100 10.2.1.60
> PING 10.2.1.60 (10.2.1.60) 56(84) bytes of data.
> ^C
> --- 10.2.1.60 ping statistics ---
> 1 packets transmitted, 0 received, 100% packet loss, time 0ms
>
> # ip -s xfrm state
> src 10.39.63.211 dst 126.2.1.4
>     proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>     replay-window 0 seq 0x00000003 flag  (0x00000000)
>     sel src 192.168.199.100/32 dst 10.2.1.60/32 proto udp sport 48645
> dport 1025 uid 0
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 165(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:34:35 use -
>     stats:
>       replay-window 0 replay 0 failed 0
> src 10.39.63.211 dst 126.2.1.4
>     proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
>     replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
>     auth-trunc hmac(sha1) 0xaeb85f4b30fec0ccc1240cf9f6204a74e1785df5
> (160 bits) 96
>     enc cbc(aes) 0xa0711780a30caaad143960ede951ef46 (128 bits)
>     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 3501(sec), hard 3960(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:52 use -
>     stats:
>       replay-window 0 replay 0 failed 0
> src 126.2.1.4 dst 10.39.63.211
>     proto esp spi 0xcc621d5e(3428982110) reqid 2(0x00000002) mode tunnel
>     replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
>     auth-trunc hmac(sha1) 0xbe6d3dc8b3c032f0059ece1a0234cbd87858d25e
> (160 bits) 96
>     enc cbc(aes) 0x7d99b233194ab31328cec11ea2ce7aa1 (128 bits)
>     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 3596(sec), hard 3960(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:52 use -
>     stats:
>       replay-window 0 replay 0 failed 0
> root at wheezy-armel:~ 18:34:37
> # ip -s xfrm policy
> src 10.2.1.211/32 dst 10.2.1.0/24 uid 0
>     dir out action allow index 105 priority 371327 share any flag
> (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:52 use -
>     tmpl src 10.39.63.211 dst 126.2.1.4
>         proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.2.1.0/24 dst 10.2.1.211/32 uid 0
>     dir fwd action allow index 98 priority 371327 share any flag
> (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:52 use -
>     tmpl src 126.2.1.4 dst 10.39.63.211
>         proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.2.1.0/24 dst 10.2.1.211/32 uid 0
>     dir in action allow index 88 priority 371327 share any flag
> (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:52 use -
>     tmpl src 126.2.1.4 dst 10.39.63.211
>         proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 192.168.199.0/24 dst 10.2.1.0/24 uid 0
>     dir out action allow index 81 priority 375424 share any flag
> (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:48 use -
>     tmpl src 10.39.63.211 dst 126.2.1.4
>         proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.2.1.0/24 dst 192.168.199.0/24 uid 0
>     dir fwd action allow index 74 priority 375424 share any flag
> (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:48 use -
>     tmpl src 126.2.1.4 dst 10.39.63.211
>         proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.2.1.0/24 dst 192.168.199.0/24 uid 0
>     dir in action allow index 64 priority 375424 share any flag
> (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:48 use -
>     tmpl src 126.2.1.4 dst 10.39.63.211
>         proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     socket in action allow index 59 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use 2018-03-12 18:34:33
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     socket out action allow index 52 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use 2018-03-12 18:34:28
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     socket in action allow index 43 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use 2018-03-12 18:34:39
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     socket out action allow index 36 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use 2018-03-12 18:34:39
> src ::/0 dst ::/0 uid 0
>     socket in action allow index 27 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use -
> src ::/0 dst ::/0 uid 0
>     socket out action allow index 20 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use -
> src ::/0 dst ::/0 uid 0
>     socket in action allow index 11 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use -
> src ::/0 dst ::/0 uid 0
>     socket out action allow index 4 priority 0 share any flag  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2018-03-12 18:15:44 use -
>
>
> Thanks
>
> George

--
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org<http://www.strongswan.org>
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180313/10d6ee17/attachment-0001.html>


More information about the Users mailing list