[strongSwan] IKE2 4500 Reply Not Making it Out

Info infosec at quantum-equities.com
Thu Mar 22 19:07:32 CET 2018


Back to pro forma
<https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests>.

It is clear that a substantial amount of the IKE2 negotiation is taking
place, but a pivotal port 4500 packet being emitted by the daemon:
...
Thu, 2018-03-22 09:51 12[IKE] <3> sending keep alive to 172.56.42.76[49548]
Thu, 2018-03-22 09:51 12[MGR] <3> checkin IKE_SA (unnamed)[3]
Thu, 2018-03-22 09:51 12[MGR] <3> checkin of IKE_SA successful
Thu, 2018-03-22 09:51 04[NET] sending packet: from 192.168.1.16[4500] to 172.56.42.76[49548]
Thu, 2018-03-22 09:51 01[JOB] next event in 10s 3ms, waiting
...
_is not even reaching the IPSec gateway's eth0 interface_ -- given
# tcpdump -i eth0 'port 4500'
-- which should show port 4500 packets whether source or destination. 
Never reaches its own interface, much less the LAN gateway's interfaces
to be forwarded on to the phone.

tcpdump -i eth0 'port 4500'
verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:51:19.856709 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:19.866511 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:19.868865 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:19.877097 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:19.892642 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:19.900879 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:19.907531 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:19.912761 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:21.859074 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:21.865476 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:21.871270 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:21.876364 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:21.892450 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:21.898712 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:21.903636 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:21.907806 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:24.661125 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:24.667805 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:24.675749 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:24.681522 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:24.705097 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:24.705549 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:24.718250 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:24.718301 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:28.577816 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:28.583546 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:28.589597 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:28.594677 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:28.600772 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:28.614748 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:28.618611 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:28.621593 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:38.119194 IP cygnus.darkmatter.org.ipsec-nat-t > 172.56.42.76.49548: isakmp-nat-keep-alive
^C
33 packets captured
35 packets received by filter
0 packets dropped by kernel

-------------------------------------------------------------------------------------------------------
No port 4500 packet hitting its own interface.  Only a keep-alive.

Since that port 4500 packet never makes it out the IPSec gateway's
interface, through the LAN gateway, and out to the phone, of course the
phone times out and tears down the circuit.  And since the daemon never
gets a response to its 4500 out, it eventually tears down its circuit too.

Attached hereto: charon.log, strongSwan Android app log, iptables-save.
SELinux is Permissive.

-------------------------------------------------------------------------------------------------------

_strongswan.conf:_
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}
include strongswan.d/*.conf


_charon.conf_
charon {

# two defined file loggers
    filelog {
        /var/log/charon.log {
            time_format = %a, %Y-%m-%d %R
            ike_name = yes
            append = no
            default = 2
            flush_line = yes
        }
        stderr {
            mgr = 0
            net = 1
            enc = 1
            asn = 1
            job = 1
            knl = 1
        }
    }
}


_swanctl.conf:_
connections {
        ikev2-pubkey {
                version = 2
                rekey_time = 0s
                local {
                        # duplicate key: only the last value takes effect
                        # (swanctl -L below reports zeta.darkmtter.org)
                        id = quantum-equities.com
                        id = zeta.darkmtter.org
                }
                remote {
                        # defaults are fine.
                }
                children {
                        ikev2-pubkey {
                                local_ts = 192.168.1.0/24
                                mode = transport
                        }
                }
        }
}


# swanctl -L
ikev2-pubkey: IKEv2, no reauthentication, no rekeying
  local:  %any
  remote: %any
  local unspecified authentication:
    id: zeta.darkmtter.org
  remote unspecified authentication:
  ikev2-pubkey: TRANSPORT, rekeying every 3600s
    local:  192.168.1.0/24
    remote: dynamic
# swanctl -l
#

# ip route show table all
default via 192.168.111.1 dev wlp3s0 proto static metric 600
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.2 metric 600
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev wlp3s0 table local proto kernel scope link src 192.168.1.2
local 192.168.1.2 dev wlp3s0 table local proto kernel scope host src 192.168.1.2
broadcast 192.168.1.255 dev wlp3s0 table local proto kernel scope link src 192.168.1.2
unreachable ::/96 dev lo metric 1024 error -113
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
unreachable 2002:a00::/24 dev lo metric 1024 error -113
unreachable 2002:7f00::/24 dev lo metric 1024 error -113
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
unreachable 2002:ac10::/28 dev lo metric 1024 error -113
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
unreachable 2002:e000::/19 dev lo metric 1024 error -113
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
fe80::/64 dev wlp3s0 proto kernel metric 256
local ::1 dev lo table local proto kernel metric 0
local fe80::3602:86ff:fe43:de1f dev wlp3s0 table local proto kernel metric 0
ff00::/8 dev wlp3s0 table local metric 256


# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 54:ee:75:54:80:4a brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 34:02:86:43:de:1f brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global wlp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::3602:86ff:fe43:de1f/64 scope link
       valid_lft forever preferred_lft forever


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180322/ef70927d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: charon.log.bz2
Type: application/x-bzip
Size: 9005 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180322/ef70927d/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: strongSwanApp.log.bz2
Type: application/x-bzip
Size: 4923 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180322/ef70927d/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iptables-save.bz2
Type: application/x-bzip
Size: 2325 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180322/ef70927d/attachment-0005.bin>
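Added example (editor's, not part of the original message or of strongSwan): the post compares three artefacts by eye, charon's `[NET] sending packet` lines, the tcpdump capture on the outside interface, and the interface addresses from `ip address`. The script below does that comparison mechanically and reports two things: sends that charon logged but that never showed up in the capture, and source addresses charon used that are not configured on the host at all (the post's charon log says `from 192.168.1.16[4500]` while `ip address` only shows `192.168.1.2/24`; Linux will normally refuse to emit a UDP datagram with a source address that is not local unless non-local binding is enabled). All three inputs are constructed to mirror the post and are not the attachments; the capture is assumed to have been taken with `tcpdump -n`, since the post's capture resolved the host to `cygnus.darkmatter.org` and names cannot be matched against charon's numeric addresses.

```python
"""Cross-check charon "sending packet" log lines against a tcpdump capture
and the host's configured IPv4 addresses.

Editor's added example for the debugging step in the post; not part of
strongSwan or of the original message.  All input below is constructed.
"""
import re
from typing import List, Set, Tuple

Flow = Tuple[str, str, str, str]  # (src_ip, src_port, dst_ip, dst_port)

# charon filelog output with net = 1 (constructed, modelled on the post:
# charon claims to send from 192.168.1.16, an address the host does not hold).
CHARON_LOG = """\
Thu, 2018-03-22 09:51 12[IKE] <3> sending keep alive to 172.56.42.76[49548]
Thu, 2018-03-22 09:51 04[NET] sending packet: from 192.168.1.16[4500] to 172.56.42.76[49548]
Thu, 2018-03-22 09:51 04[NET] sending packet: from 192.168.1.2[4500] to 172.56.42.76[49548]
"""

# tcpdump -n -i eth0 'port 4500' (constructed; -n keeps addresses numeric so
# they can be compared with the charon log).
TCPDUMP = """\
09:51:19.856709 IP 172.56.42.76.49548 > 192.168.1.2.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:38.119194 IP 192.168.1.2.4500 > 172.56.42.76.49548: isakmp-nat-keep-alive
"""

# ip -4 address (constructed; only 192.168.1.2 is configured, as in the post).
IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global wlp3s0
"""

SEND_RE = re.compile(r"\[NET\] sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")
PKT_RE = re.compile(r" IP (\S+)\.(\d+) > (\S+)\.(\d+):")
ADDR_RE = re.compile(r"^\s+inet (\S+)/\d+", re.M)


def charon_sends(log: str) -> Set[Flow]:
    """Flows charon says it handed to the kernel."""
    return {m.groups() for m in SEND_RE.finditer(log)}


def captured_flows(dump: str) -> Set[Flow]:
    """Flows tcpdump actually saw on the wire, in either direction."""
    return {m.groups() for m in PKT_RE.finditer(dump)}


def local_addresses(ip_output: str) -> Set[str]:
    """IPv4 addresses configured on any interface."""
    return set(ADDR_RE.findall(ip_output))


def unseen_sends(log: str, dump: str) -> Set[Flow]:
    """Sends charon logged that never appeared in the capture."""
    return charon_sends(log) - captured_flows(dump)


def foreign_sources(log: str, ip_output: str) -> Set[str]:
    """Source addresses charon used that are not configured on this host."""
    local = local_addresses(ip_output)
    return {src for src, _, _, _ in charon_sends(log) if src not in local}


def report(log: str, dump: str, ip_output: str) -> List[str]:
    """Human-readable discrepancy lines; empty when everything lines up."""
    lines = []
    for src, sp, dst, dp in sorted(unseen_sends(log, dump)):
        lines.append(f"logged but not captured: {src}[{sp}] -> {dst}[{dp}]")
    for src in sorted(foreign_sources(log, ip_output)):
        lines.append(f"charon source {src} is not configured on any interface")
    return lines


if __name__ == "__main__":
    print("\n".join(report(CHARON_LOG, TCPDUMP, IP_ADDR)) or "no discrepancies")
```

On real data, feed the script the charon log, a numeric (`-n`) capture and `ip -4 address` from the same host; a flow that charon logged but the capture lacks points at the sending socket or the local firewall (the attached iptables-save) rather than at the LAN gateway, and a source address that is not local explains why such a send never reaches the interface at all.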