[strongSwan] IKE2 4500 Reply Not Making it Out

Info infosec at quantum-equities.com
Fri Mar 23 02:20:04 CET 2018


Typo.  This is how it is set:  192.168.1.16

I don't know what to think of this.  I do have a special sysctl.d conf (attached).


On 03/22/2018 03:10 PM, Noel Kuntze wrote:
> Typo?
> Thu, 2018-03-22 14:32 04[NET] sending packet: from *192.168.111.16*[4500] to 172.56.42.115[40819]
> inet *192.168.1.16/24* brd 192.168.1.255 scope global eth0
>
> Trying to send packets from a non-local IP should fail with error -22, but that doesn't seem to be the case here. Maybe some weird kernel setting permits it, but then it fails actually doing it in kernel space.
> Fix the local IP or whatever causes that wrong IP to appear.
>
> On 22.03.2018 22:54, Info wrote:
>> Trying a more complex config, still the problem.  pro forma <https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests>:
>>
>> Thu, 2018-03-22 14:32 15[MGR] IKE_SA (unnamed)[1] successfully checked out
>> Thu, 2018-03-22 14:32 15[IKE] <1> sending keep alive to 172.56.42.115[40819]
>> Thu, 2018-03-22 14:32 15[MGR] <1> checkin IKE_SA (unnamed)[1]
>> Thu, 2018-03-22 14:32 15[MGR] <1> checkin of IKE_SA successful
>> Thu, 2018-03-22 14:32 04[NET] sending packet: from 192.168.111.16[4500] to 172.56.42.115[40819]
>> Thu, 2018-03-22 14:32 01[JOB] next event in 10s 10ms, waiting
>> Thu, 2018-03-22 14:33 01[JOB] got event, queuing job for execution
>> Thu, 2018-03-22 14:33 01[JOB] next event in 6s 109ms, waiting
>> Thu, 2018-03-22 14:33 11[MGR] checkout IKEv2 SA with SPIs 4bfbf65c4f79d139_i b74ab4f66bc3cb9d_r
>> Thu, 2018-03-22 14:33 11[MGR] IKE_SA (unnamed)[1] successfully checked out
>> Thu, 2018-03-22 14:33 11[JOB] <1> deleting half open IKE_SA with 172.56.42.115 after timeout
>> Thu, 2018-03-22 14:33 11[MGR] <1> checkin and destroy IKE_SA (unnamed)[1]
>> Thu, 2018-03-22 14:33 11[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
>> Thu, 2018-03-22 14:33 11[MGR] checkin and destroy of IKE_SA successful
>>
>> It's still not even reaching the IPSec gateway's eth0 interface -- given tcpdump.  It never reaches its own interface, much less the LAN gateway's interfaces to be forwarded on to the phone.
>>
>> -------------------------------------------------------------------------------------------------------
>> No port 4500 packet hitting its own interface.  Only a keep-alive.
>>
>> So of course the phone times out and tears down the circuit.
>>
>> Attached hereto:  charon.log and iptables-save.  SELinux is Permissive.
>>
>> I even tried this with '# shorewall clear' on the IPSec gateway (which stops the firewall and opens everything wide).  No change.
>>
>> -------------------------------------------------------------------------------------------------------
>>
>> strongswan.conf:
>> charon {
>>         load_modular = yes
>>         plugins {
>>                 include strongswan.d/charon/*.conf
>>         }
>> }
>> include strongswan.d/*.conf
>>
>> charon.conf:
>> charon {
>>     # two defined file loggers
>>     filelog {
>>         /var/log/charon.log {
>>             time_format = %a, %Y-%m-%d %R
>>             ike_name = yes
>>             append = no
>>             default = 2
>>             flush_line = yes
>>         }
>>         stderr {
>>             mgr = 0
>>             net = 1
>>             enc = 1
>>             asn = 1
>>             job = 1
>>             knl = 1
>>         }
>>     }
>> }
>>
>>
>> swanctl.conf:
>> connections {
>>     ikev2-pubkey {
>>         version = 2
>>         rekey_time = 0s
>>         pools = primary-pool-ipv4 #, primary-pool-ipv6
>>         fragmentation = yes
>>         dpd_delay = 30s
>>         local-1 {
>>             id = quantum-equities.com
>>         }
>>         remote-1 {
>>             # defaults are fine.
>>         }
>>         children {
>>             ikev2-pubkey {
>>                 local_ts = %any
>>                 remote_ts = %any
>>                 rekey_time = 0s
>>                 dpd_action = clear
>>             }
>>         }
>>     }
>> }
>>
>>
>> # swanctl -L
>> ikev2-pubkey: IKEv2, no reauthentication, no rekeying
>>   local:  %any
>>   remote: %any
>>   local unspecified authentication:
>>     id: quantum-equities.com
>>   remote unspecified authentication:
>>   ikev2-pubkey: TUNNEL, no rekeying
>>     local:  0.0.0.0/32
>>     remote: 0.0.0.0/32
>> # swanctl -l
>>
>>
>> # ip route show table all
>> default via 192.168.1.1 dev eth0
>> 169.254.0.0/16 dev eth0 scope link metric 1002
>> 192.168.111.0/24 dev eth0 proto kernel scope link src 192.168.1.16
>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
>> broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.16
>> local 192.168.1.16 dev eth0 table local proto kernel scope host src 192.168.1.16
>> broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.16
>> unreachable ::/96 dev lo metric 1024 error -113
>> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
>> unreachable 2002:a00::/24 dev lo metric 1024 error -113
>> unreachable 2002:7f00::/24 dev lo metric 1024 error -113
>> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
>> unreachable 2002:ac10::/28 dev lo metric 1024 error -113
>> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
>> unreachable 2002:e000::/19 dev lo metric 1024 error -113
>> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
>> fe80::/64 dev eth0 proto kernel metric 256
>> fe80::/64 dev ipsec0 proto kernel metric 256
>> local ::1 dev lo table local proto kernel metric 0
>> local fe80::2ad0:4f3a:fd2c:5f8c dev lo table local proto kernel metric 0
>> local fe80::5054:ff:fec0:9330 dev lo table local proto kernel metric 0
>> ff00::/8 dev eth0 table local metric 256
>> ff00::/8 dev ipsec0 table local metric 256
>>
>>
>> # ip address
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>        valid_lft forever preferred_lft forever
>>     inet6 ::1/128 scope host
>>        valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>     link/ether 52:54:00:c0:93:30 brd ff:ff:ff:ff:ff:ff
>>     inet 192.168.1.16/24 brd 192.168.1.255 scope global eth0
>>        valid_lft forever preferred_lft forever
>>     inet6 fe80::5054:ff:fec0:9330/64 scope link
>>        valid_lft forever preferred_lft forever
>> 56: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN qlen 500
>>     link/none
>>     inet6 fe80::2ad0:4f3a:fd2c:5f8c/64 scope link flags 800
>>        valid_lft forever preferred_lft forever
>>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 50-sysctl.conf.bz2
Type: application/x-bzip
Size: 2048 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180322/5857bfed/attachment-0001.bin>
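The mismatch Noel points at above (charon sending from 192.168.111.16 while eth0 only carries 192.168.1.16) can be checked mechanically. What follows is an added example, not strongSwan code and not something posted in this thread: a script that parses charon's "sending packet" lines, compares each source address against the addresses the host actually has configured, and probes whether bind() on the offending address succeeds at all (it only does with net.ipv4.ip_nonlocal_bind=1 or a socket using IP_FREEBIND/IP_TRANSPARENT). The charon.log and ip address text embedded in it are constructed to mirror what is quoted above; the path argument for checking a live host is an assumption of this script, not a strongSwan option.

```python
#!/usr/bin/env python3
"""Cross-check charon's outbound source addresses against the host's addresses.

Added example for this thread, not strongSwan code.  The charon.log and
`ip address` text below are CONSTRUCTED to mirror what the thread quotes;
pass a real charon.log path to check a live host instead.
"""
from __future__ import annotations

import re
import socket
import subprocess
import sys

# The line charon's socket plugin logs for every UDP packet it hands to the kernel.
SEND_RE = re.compile(
    r"\[NET\] sending packet: from (?P<src>[0-9A-Fa-f.:]+)\[(?P<sport>\d+)\] "
    r"to (?P<dst>[0-9A-Fa-f.:]+)\[(?P<dport>\d+)\]")

# Address lines in `ip address` or `ip -o addr` output, e.g. "inet 192.168.1.16/24 ...".
ADDR_RE = re.compile(r"\binet6? (?P<addr>[0-9A-Fa-f.:]+)/\d+")

# Constructed sample: the host only has 192.168.1.16, but charon sends from 192.168.111.16.
SAMPLE_LOG = [
    "Thu, 2018-03-22 14:32 15[IKE] <1> sending keep alive to 172.56.42.115[40819]",
    "Thu, 2018-03-22 14:32 04[NET] sending packet: from 192.168.111.16[4500] to 172.56.42.115[40819]",
    "Thu, 2018-03-22 14:32 04[NET] sending packet: from 192.168.1.16[500] to 172.56.42.115[40819]",
]
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.168.1.16/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::5054:ff:fec0:9330/64 scope link
"""


def local_addresses(ip_output: str) -> set[str]:
    """All IPv4/IPv6 addresses configured on the host, parsed from `ip address` text."""
    return {m.group("addr") for m in ADDR_RE.finditer(ip_output)}


def find_nonlocal_sources(log_lines: list[str], local: set[str]) -> list[dict]:
    """'sending packet' lines whose source address is not configured locally.

    For a plain UDP socket the kernel's route lookup rejects a non-local source
    (set via IP_PKTINFO) with -EINVAL, the -22 mentioned in the thread, so such
    a packet never reaches the interface, which matches the tcpdump observation.
    """
    hits = []
    for line in log_lines:
        m = SEND_RE.search(line)
        if m and m.group("src") not in local:
            hits.append({"src": m.group("src"), "sport": int(m.group("sport")),
                         "dst": m.group("dst"), "dport": int(m.group("dport")),
                         "line": line.strip()})
    return hits


def bind_probe(addr: str) -> int:
    """bind() a UDP socket to addr on an ephemeral port; 0 on success, else the errno.

    With the default net.ipv4.ip_nonlocal_bind=0 and no IP_FREEBIND/IP_TRANSPARENT,
    a non-local address fails with EADDRNOTAVAIL (99).  Success for an address that
    is absent from `ip address` points at such a sysctl or socket option.
    """
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.bind((addr, 0))
    except OSError as e:
        return e.errno or -1
    return 0


def nonlocal_bind_sysctl() -> str | None:
    """Value of net.ipv4.ip_nonlocal_bind, or None when it cannot be read."""
    try:
        with open("/proc/sys/net/ipv4/ip_nonlocal_bind") as fh:
            return fh.read().strip()
    except OSError:
        return None


def main(argv: list[str]) -> int:
    if len(argv) > 1:  # live mode: real charon.log and the host's real addresses
        with open(argv[1]) as fh:
            log_lines = fh.readlines()
        ip_out = subprocess.run(["ip", "-o", "addr"], capture_output=True,
                                text=True, check=True).stdout
    else:              # demo mode on the constructed data above
        log_lines, ip_out = SAMPLE_LOG, SAMPLE_IP_ADDR
    local = local_addresses(ip_out)
    print(f"local addresses: {sorted(local)}")
    print(f"net.ipv4.ip_nonlocal_bind = {nonlocal_bind_sysctl()}")
    hits = find_nonlocal_sources(log_lines, local)
    for h in hits:
        print(f"NON-LOCAL SOURCE {h['src']}[{h['sport']}] -> {h['dst']}[{h['dport']}] "
              f"bind() errno={bind_probe(h['src'])}")
        print(f"  {h['line']}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the constructed case flagged; with /var/log/charon.log as the argument it reads the live host's addresses through `ip -o addr`. A flagged source for which bind() nevertheless returns 0 is the kind of kernel-side permissiveness Noel speculates about; if bind() fails with EADDRNOTAVAIL, the kernel is not the one supplying that address and the wrong IP is coming from configuration on the charon side.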

