[strongSwan] IKE2 4500 Reply Not Making it Out
Info
infosec at quantum-equities.com
Fri Mar 23 19:37:46 CET 2018
Just a mis-paste on my part.
On 03/23/2018 11:23 AM, Noel Kuntze wrote:
> The sysctl.conf looks fine. The file extension has to be .tar.bz2, not just .bz2. I needed to fix that in order to extract the file.
>
> I looked at your routing table and it looks funny. You seem to have the NH for your default route be 192.168.1.1, but you don't have a route to that subnet. Instead, you have a route to 192.168.116.0/24. Maybe that is a problem. Better add a route to 192.168.1.0/24 on eth0 to make sure that's not it. That shouldn't even be possible.
>
>
> On 23.03.2018 02:20, Info wrote:
>> Typo. This is how it is set: 192.168.1.16
>>
>> Idk what to think of this. I do have a special sysctl.d/conf. (attached)
>>
>>
>> On 03/22/2018 03:10 PM, Noel Kuntze wrote:
>>> Typo?
>>> Thu, 2018-03-22 14:32 04[NET] sending packet: from *192.168.111.16*[4500] to 172.56.42.115[40819]
>>> inet *192.168.1.16/24* brd 192.168.1.255 scope global eth0
>>>
>>> Trying to send packets from a non-local IP should fail with error -22, but that doesn't seem to be the case here. Maybe some weird kernel setting permits it, but then it fails actually doing it in kernel space.
>>> Fix the local IP or whatever causes that wrong IP to appear.
>>>
>>> On 22.03.2018 22:54, Info wrote:
>>>> Trying a more complex config, still the problem. pro forma <https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests>:
>>>>
>>>> Thu, 2018-03-22 14:32 15[MGR] IKE_SA (unnamed)[1] successfully checked out
>>>> Thu, 2018-03-22 14:32 15[IKE] <1> sending keep alive to 172.56.42.115[40819]
>>>> Thu, 2018-03-22 14:32 15[MGR] <1> checkin IKE_SA (unnamed)[1]
>>>> Thu, 2018-03-22 14:32 15[MGR] <1> checkin of IKE_SA successful
>>>> Thu, 2018-03-22 14:32 04[NET] sending packet: from 192.168.111.16[4500] to 172.56.42.115[40819]
>>>> Thu, 2018-03-22 14:32 01[JOB] next event in 10s 10ms, waiting
>>>> Thu, 2018-03-22 14:33 01[JOB] got event, queuing job for execution
>>>> Thu, 2018-03-22 14:33 01[JOB] next event in 6s 109ms, waiting
>>>> Thu, 2018-03-22 14:33 11[MGR] checkout IKEv2 SA with SPIs 4bfbf65c4f79d139_i b74ab4f66bc3cb9d_r
>>>> Thu, 2018-03-22 14:33 11[MGR] IKE_SA (unnamed)[1] successfully checked out
>>>> Thu, 2018-03-22 14:33 11[JOB] <1> deleting half open IKE_SA with 172.56.42.115 after timeout
>>>> Thu, 2018-03-22 14:33 11[MGR] <1> checkin and destroy IKE_SA (unnamed)[1]
>>>> Thu, 2018-03-22 14:33 11[IKE] <1> IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING
>>>> Thu, 2018-03-22 14:33 11[MGR] checkin and destroy of IKE_SA successful
>>>>
>>>> _It's still not even reaching the IPSec gateway's eth0 interface_ -- given tcpdump. Never reaches its own interface, much less the LAN gateway's interfaces to be forwarded on to the phone.
>>>>
>>>> -------------------------------------------------------------------------------------------------------
>>>> No port 4500 packet hitting its own interface. Only a keep-alive.
>>>>
>>>> So of course the phone times out and tears down the circuit.
>>>>
>>>> Attached hereto: charon.log and iptables-save. SELinux is Permissive.
>>>>
>>>> I even tried this with # shorewall clear in the IPSec gateway. (stops the firewall and opens everything wide) No change.
>>>>
>>>> -------------------------------------------------------------------------------------------------------
>>>>
>>>> _strongswan.conf:_
>>>> charon {
>>>> load_modular = yes
>>>> plugins {
>>>> include strongswan.d/charon/*.conf
>>>> }
>>>> }
>>>> include strongswan.d/*.conf
>>>>
>>>> _charon.conf_
>>>> charon {
>>>>
>>>>
>>>> # two defined file loggers
>>>> filelog {
>>>> /var/log/charon.log {
>>>> time_format = %a, %Y-%m-%d %R
>>>> ike_name = yes
>>>> append = no
>>>> default = 2
>>>> flush_line = yes
>>>> }
>>>> stderr {
>>>> mgr = 0
>>>> net = 1
>>>> enc = 1
>>>> asn = 1
>>>> job = 1
>>>> knl = 1
>>>> }
>>>> }
>>>>
>>>>
>>>> _swanctl.conf:_
>>>> connections {
>>>>
>>>> ikev2-pubkey {
>>>> version = 2
>>>> rekey_time = 0s
>>>> pools = primary-pool-ipv4 #, primary-pool-ipv6
>>>> fragmentation = yes
>>>> dpd_delay = 30s
>>>> local-1 {
>>>> id = quantum-equities.com
>>>> }
>>>> remote-1 {
>>>> # defaults are fine.
>>>> }
>>>> children {
>>>> ikev2-pubkey {
>>>> local_ts = %any
>>>> remote_ts = %any
>>>> rekey_time = 0s
>>>> dpd_action = clear
>>>> }
>>>> }
>>>> }
>>>> }
>>>>
>>>>
>>>> # swanctl -L
>>>> ikev2-pubkey: IKEv2, no reauthentication, no rekeying
>>>> local: %any
>>>> remote: %any
>>>> local unspecified authentication:
>>>> id: quantum-equities.com
>>>> remote unspecified authentication:
>>>> ikev2-pubkey: TUNNEL, no rekeying
>>>> local: 0.0.0.0/32
>>>> remote: 0.0.0.0/32
>>>> # swanctl -l
>>>>
>>>>
>>>> # ip route show table all
>>>> default via 192.168.1.1 dev eth0
>>>> 169.254.0.0/16 dev eth0 scope link metric 1002
>>>> 192.168.111.0/24 dev eth0 proto kernel scope link src 192.168.1.16
>>>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
>>>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
>>>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
>>>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
>>>> broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.16
>>>> local 192.168.1.16 dev eth0 table local proto kernel scope host src 192.168.1.16
>>>> broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.16
>>>> unreachable ::/96 dev lo metric 1024 error -113
>>>> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
>>>> unreachable 2002:a00::/24 dev lo metric 1024 error -113
>>>> unreachable 2002:7f00::/24 dev lo metric 1024 error -113
>>>> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
>>>> unreachable 2002:ac10::/28 dev lo metric 1024 error -113
>>>> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
>>>> unreachable 2002:e000::/19 dev lo metric 1024 error -113
>>>> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
>>>> fe80::/64 dev eth0 proto kernel metric 256
>>>> fe80::/64 dev ipsec0 proto kernel metric 256
>>>> local ::1 dev lo table local proto kernel metric 0
>>>> local fe80::2ad0:4f3a:fd2c:5f8c dev lo table local proto kernel metric 0
>>>> local fe80::5054:ff:fec0:9330 dev lo table local proto kernel metric 0
>>>> ff00::/8 dev eth0 table local metric 256
>>>> ff00::/8 dev ipsec0 table local metric 256
>>>>
>>>>
>>>> # ip address
>>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
>>>> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>>> inet 127.0.0.1/8 scope host lo
>>>> valid_lft forever preferred_lft forever
>>>> inet6 ::1/128 scope host
>>>> valid_lft forever preferred_lft forever
>>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>>> link/ether 52:54:00:c0:93:30 brd ff:ff:ff:ff:ff:ff
>>>> inet 192.168.1.16/24 brd 192.168.1.255 scope global eth0
>>>> valid_lft forever preferred_lft forever
>>>> inet6 fe80::5054:ff:fec0:9330/64 scope link
>>>> valid_lft forever preferred_lft forever
>>>> 56: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN qlen 500
>>>> link/none
>>>> inet6 fe80::2ad0:4f3a:fd2c:5f8c/64 scope link flags 800
>>>> valid_lft forever preferred_lft forever
>>>>