[strongSwan] auto=route, but packet can't trigger an acquire to negotiate an IPsec tunnel
陆晓萍
piaoliugirl at 163.com
Fri May 25 08:08:22 CEST 2018
Hello all:
My IPsec tunnel can't be established by traffic.
I configured an IKEv2, net-to-net, PSK connection. I can use the "ipsec up" command to establish the tunnel, but it can't be established by incoming traffic; of course, the traffic matches the rule.
the network:
--------------------------
pc (192.168.4.2) --- client (192.168.4.1 / 10.0.0.1) --- server (10.0.0.2 / 192.168.10.1) --- pc2 (192.168.10.2)
[client:ipsec.conf]
---------------------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.
conn %default
    reauth=yes
    ikelifetime=60m
    keylife=20m
    rekeymargin=5m
    keyingtries=1
    dpdaction=clear
    dpddelay=10s
    #dpdtimeout=20s
    keyexchange=ikev2
    authby=psk
    type=tunnel
    installpolicy=yes

conn nat-t
    left=10.0.0.1
    leftsubnet=192.168.4.0/24
    leftfirewall=yes
    right=10.0.0.2
    rightsubnet=192.168.10.0/24
    auto=route
[server:ipsec.conf]
---------------------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.
conn %default
    reauth=yes
    ikelifetime=60m
    keylife=20m
    rekeymargin=5m
    keyingtries=1
    keyexchange=ikev2
    authby=psk
    dpdaction=clear
    dpddelay=10s
    type=tunnel

conn nat-t
    left=10.0.0.2
    leftsubnet=192.168.10.0/24
    leftfirewall=yes
    right=%any
    rightsubnet=192.168.4.0/24
    auto=route
[client and server: strongswan.conf]
-----------------------
# /etc/strongswan.conf - strongSwan configuration file
charon {
    # two defined file loggers
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            ike_name = yes
            append = no
            default = 2
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
            chd = 2
            esp = 2
            job = 2
            lib = 2
            mgr = 2
            net = 2
        }
    }
    # and two loggers using syslog
    syslog {
        identifier = charon-custom
        daemon {
        }
        auth {
            default = -1
            ike = 0
        }
    }
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    port = 0
    port_nat_t = 0
    install_routes = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 114.114.114.114
    nbns1 = 114.114.114.114
}
include strongswan.d/*.conf
command:
--------------------
ipsec start
ipsec statusall
-------------------
[root at epcaas-client ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 3.10.0-693.11.1.el7.x86_64, x86_64):
uptime: 57 seconds, since May 25 11:46:38 2018
malloc: sbrk 1351680, mmap 0, used 281552, free 1070128
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf curve25519 xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke vici updown xauth-generic radattr counters
Listening IP addresses:
10.0.0.1
192.168.4.1
Connections:
nat-t: 10.0.0.1...10.0.0.2 IKEv2, dpddelay=10s
nat-t: local: [10.0.0.1] uses pre-shared key authentication
nat-t: remote: [10.0.0.2] uses pre-shared key authentication
nat-t: child: 192.168.4.0/24 === 192.168.10.0/24 TUNNEL, dpdaction=clear
Routed Connections:
nat-t{1}: ROUTED, TUNNEL, reqid 1
nat-t{1}: 192.168.4.0/24 === 192.168.10.0/24
Security Associations (0 up, 0 connecting):
none
command at pc:
------------------------------------
ping 192.168.10.2 from 192.168.4.2:
[client:/var/log/charon.log]
-----------------------
May 25 11:46:38 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 3.10.0-693.11.1.el7.x86_64, x86_64)
May 25 11:46:38 00[LIB] plugin 'aes': loaded successfully
May 25 11:46:38 00[LIB] plugin 'des': loaded successfully
May 25 11:46:38 00[LIB] plugin 'rc2': loaded successfully
May 25 11:46:38 00[LIB] plugin 'sha2': loaded successfully
May 25 11:46:38 00[LIB] plugin 'sha1': loaded successfully
May 25 11:46:38 00[LIB] plugin 'md5': loaded successfully
May 25 11:46:38 00[LIB] plugin 'random': loaded successfully
May 25 11:46:38 00[LIB] plugin 'nonce': loaded successfully
May 25 11:46:38 00[LIB] plugin 'x509': loaded successfully
May 25 11:46:38 00[LIB] plugin 'revocation': loaded successfully
May 25 11:46:38 00[LIB] plugin 'constraints': loaded successfully
May 25 11:46:38 00[LIB] plugin 'pubkey': loaded successfully
May 25 11:46:38 00[LIB] plugin 'pkcs1': loaded successfully
May 25 11:46:38 00[LIB] plugin 'pkcs7': loaded successfully
May 25 11:46:38 00[LIB] plugin 'pkcs8': loaded successfully
May 25 11:46:38 00[LIB] plugin 'pkcs12': loaded successfully
May 25 11:46:38 00[LIB] plugin 'pgp': loaded successfully
May 25 11:46:38 00[LIB] plugin 'dnskey': loaded successfully
May 25 11:46:38 00[LIB] plugin 'sshkey': loaded successfully
May 25 11:46:38 00[LIB] plugin 'pem': loaded successfully
May 25 11:46:38 00[LIB] plugin 'fips-prf': loaded successfully
May 25 11:46:38 00[LIB] plugin 'curve25519': loaded successfully
May 25 11:46:38 00[LIB] plugin 'xcbc': loaded successfully
May 25 11:46:38 00[LIB] plugin 'cmac': loaded successfully
May 25 11:46:38 00[LIB] plugin 'hmac': loaded successfully
May 25 11:46:38 00[CFG] loaded legacy entry attribute INTERNAL_IP4_DNS: 72:72:72:72
May 25 11:46:38 00[CFG] loaded legacy entry attribute INTERNAL_IP4_NBNS: 72:72:72:72
May 25 11:46:38 00[LIB] plugin 'attr': loaded successfully
May 25 11:46:38 00[LIB] created TUN device: ipsec0
May 25 11:46:38 00[LIB] plugin 'kernel-libipsec': loaded successfully
May 25 11:46:38 00[LIB] plugin 'kernel-pfkey': loaded successfully
May 25 11:46:38 00[LIB] plugin 'kernel-netlink': loaded successfully
May 25 11:46:38 00[LIB] plugin 'resolve': loaded successfully
May 25 11:46:38 00[LIB] plugin 'socket-default': loaded successfully
May 25 11:46:38 00[LIB] plugin 'stroke': loaded successfully
May 25 11:46:38 00[LIB] plugin 'vici': loaded successfully
May 25 11:46:38 00[LIB] plugin 'updown': loaded successfully
May 25 11:46:38 00[LIB] plugin 'xauth-generic': loaded successfully
May 25 11:46:38 00[LIB] plugin 'radattr': loaded successfully
May 25 11:46:38 00[LIB] plugin 'counters': loaded successfully
May 25 11:46:38 00[LIB] feature CUSTOM:kernel-ipsec in plugin 'kernel-pfkey' failed to load
May 25 11:46:38 00[LIB] feature CUSTOM:kernel-ipsec in plugin 'kernel-netlink' failed to load
May 25 11:46:38 00[KNL] known interfaces and IP addresses:
May 25 11:46:38 00[KNL] lo
May 25 11:46:38 00[KNL] 127.0.0.1
May 25 11:46:38 00[KNL] ::1
May 25 11:46:38 00[KNL] eth0
May 25 11:46:38 00[KNL] 10.0.0.1
May 25 11:46:38 00[KNL] fe80::f816:3eff:fe32:c093
May 25 11:46:38 00[KNL] eth1
May 25 11:46:38 00[KNL] 192.168.4.1
May 25 11:46:38 00[KNL] fe80::f816:3eff:fed6:573a
May 25 11:46:38 00[KNL] eth2
May 25 11:46:38 00[KNL] 192.168.6.61
May 25 11:46:38 00[KNL] fe80::f816:3eff:fe77:5cc6
May 25 11:46:38 00[KNL] ipsec0
May 25 11:46:38 00[KNL] fe80::dda:9afd:25a6:e916
May 25 11:46:38 00[LIB] feature PUBKEY:ECDSA in plugin 'pem' has unmet dependency: PUBKEY:ECDSA
May 25 11:46:38 00[LIB] feature PUBKEY:BLISS in plugin 'pem' has unmet dependency: PUBKEY:BLISS
May 25 11:46:38 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
May 25 11:46:38 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
May 25 11:46:38 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
May 25 11:46:38 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
May 25 11:46:38 00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in plugin 'xcbc' has unmet dependency: CRYPTER:CAMELLIA_CBC-16
May 25 11:46:38 00[LIB] feature SIGNER:CAMELLIA_XCBC_96 in plugin 'xcbc' has unmet dependency: CRYPTER:CAMELLIA_CBC-16
May 25 11:46:38 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 25 11:46:38 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 25 11:46:38 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 25 11:46:38 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 25 11:46:38 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 25 11:46:38 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 25 11:46:38 00[CFG] loaded IKE secret for 10.0.0.1
May 25 11:46:38 00[CFG] expanding file expression '/etc/ipsec.*.secrets' failed
May 25 11:46:38 00[LIB] unloading plugin 'kernel-pfkey' without loaded features
May 25 11:46:38 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf curve25519 xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke vici updown xauth-generic radattr counters
May 25 11:46:38 00[LIB] unable to load 10 plugin features (8 due to unmet dependencies)
May 25 11:46:38 00[JOB] spawning 16 worker threads
May 25 11:46:38 01[LIB] created thread 01 [2687]
May 25 11:46:38 01[JOB] started worker thread 01
May 25 11:46:38 01[JOB] no events, waiting
May 25 11:46:38 02[LIB] created thread 02 [2689]
May 25 11:46:38 02[JOB] started worker thread 02
May 25 11:46:38 02[NET] waiting for data on sockets
May 25 11:46:38 03[LIB] created thread 03 [2690]
May 25 11:46:38 03[JOB] started worker thread 03
May 25 11:46:38 04[LIB] created thread 04 [2688]
May 25 11:46:38 04[JOB] started worker thread 04
May 25 11:46:38 04[JOB] watcher going to poll() 4 fds
May 25 11:46:38 04[JOB] watcher got notification, rebuilding
May 25 11:46:38 04[JOB] watcher going to poll() 4 fds
May 25 11:46:38 04[JOB] watched FD 16 ready to read
May 25 11:46:38 04[JOB] watcher going to poll() 3 fds
May 25 11:46:38 05[LIB] created thread 05 [2684]
May 25 11:46:38 05[JOB] started worker thread 05
May 25 11:46:38 06[LIB] created thread 06 [2680]
May 25 11:46:38 06[JOB] started worker thread 06
May 25 11:46:38 07[LIB] created thread 07 [2676]
May 25 11:46:38 07[JOB] started worker thread 07
May 25 11:46:38 08[LIB] created thread 08 [2677]
May 25 11:46:38 08[JOB] started worker thread 08
May 25 11:46:38 09[LIB] created thread 09 [2678]
May 25 11:46:38 09[JOB] started worker thread 09
May 25 11:46:38 10[LIB] created thread 10 [2681]
May 25 11:46:38 10[JOB] started worker thread 10
May 25 11:46:38 11[LIB] created thread 11 [2682]
May 25 11:46:38 11[JOB] started worker thread 11
May 25 11:46:38 12[LIB] created thread 12 [2683]
May 25 11:46:38 12[JOB] started worker thread 12
May 25 11:46:38 13[LIB] created thread 13 [2686]
May 25 11:46:38 13[JOB] started worker thread 13
May 25 11:46:38 14[LIB] created thread 14 [2691]
May 25 11:46:38 14[JOB] started worker thread 14
May 25 11:46:38 15[LIB] created thread 15 [2679]
May 25 11:46:38 15[JOB] started worker thread 15
May 25 11:46:38 16[LIB] created thread 16 [2685]
May 25 11:46:38 16[JOB] started worker thread 16
May 25 11:46:38 07[ESP] no matching outbound IPsec policy for fe80::dda:9afd:25a6:e916 == ff02::2 [58]
May 25 11:46:38 04[JOB] watcher got notification, rebuilding
May 25 11:46:38 04[JOB] watcher going to poll() 4 fds
May 25 11:46:38 04[JOB] watched FD 16 ready to read
May 25 11:46:38 04[JOB] watcher going to poll() 3 fds
May 25 11:46:38 04[JOB] watcher got notification, rebuilding
May 25 11:46:38 04[JOB] watcher going to poll() 4 fds
May 25 11:46:38 04[JOB] watched FD 19 ready to read
May 25 11:46:38 04[JOB] watcher going to poll() 3 fds
May 25 11:46:38 10[CFG] received stroke: add connection 'nat-t'
May 25 11:46:38 10[CFG] conn nat-t
May 25 11:46:38 10[CFG] left=10.0.0.1
May 25 11:46:38 10[CFG] leftsubnet=192.168.4.0/24
May 25 11:46:38 10[CFG] leftauth=psk
May 25 11:46:38 10[CFG] leftupdown=ipsec _updown iptables
May 25 11:46:38 10[CFG] right=10.0.0.2
May 25 11:46:38 10[CFG] rightsubnet=192.168.10.0/24
May 25 11:46:38 10[CFG] rightauth=psk
May 25 11:46:38 10[CFG] dpddelay=10
May 25 11:46:38 10[CFG] dpdtimeout=150
May 25 11:46:38 10[CFG] dpdaction=1
May 25 11:46:38 10[CFG] sha256_96=no
May 25 11:46:38 10[CFG] mediation=no
May 25 11:46:38 10[CFG] keyexchange=ikev2
May 25 11:46:38 10[KNL] 10.0.0.2 is not a local address or the interface is down
May 25 11:46:38 10[CFG] added configuration 'nat-t'
May 25 11:46:38 04[JOB] watcher got notification, rebuilding
May 25 11:46:38 04[JOB] watcher going to poll() 4 fds
May 25 11:46:38 04[JOB] watched FD 19 ready to read
May 25 11:46:38 04[JOB] watcher going to poll() 3 fds
May 25 11:46:38 12[CFG] received stroke: route 'nat-t'
May 25 11:46:38 12[CFG] proposing traffic selectors for us:
May 25 11:46:38 12[CFG] 192.168.4.0/24
May 25 11:46:38 12[CFG] proposing traffic selectors for other:
May 25 11:46:38 12[CFG] 192.168.10.0/24
May 25 11:46:38 12[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
May 25 11:46:38 12[ESP] adding policy 192.168.10.0/24 === 192.168.4.0/24 in
May 25 11:46:39 12[ESP] adding policy 192.168.4.0/24 === 192.168.10.0/24 out
May 25 11:46:39 12[KNL] getting a local address in traffic selector 192.168.4.0/24
May 25 11:46:39 12[KNL] using host 192.168.4.1
May 25 11:46:39 12[KNL] installing route: 192.168.10.0/24 src 192.168.4.1 dev ipsec0
May 25 11:46:39 12[KNL] getting iface index for ipsec0
May 25 11:46:39 12[CHD] CHILD_SA nat-t{1} state change: CREATED => ROUTED
May 25 11:46:39 04[JOB] watcher got notification, rebuilding
May 25 11:46:39 04[JOB] watcher going to poll() 4 fds
May 25 11:46:39 04[JOB] watched FD 16 ready to read
May 25 11:46:39 04[JOB] watcher going to poll() 3 fds
May 25 11:46:39 04[JOB] watcher got notification, rebuilding
May 25 11:46:39 04[JOB] watcher going to poll() 4 fds
May 25 11:46:42 07[ESP] no matching outbound IPsec policy for fe80::dda:9afd:25a6:e916 == ff02::2 [58]
May 25 11:46:46 07[ESP] no matching outbound IPsec policy for fe80::dda:9afd:25a6:e916 == ff02::2 [58]
May 25 11:46:50 04[JOB] watched FD 19 ready to read
May 25 11:46:50 04[JOB] watcher going to poll() 3 fds
May 25 11:46:50 15[CFG] proposing traffic selectors for us:
May 25 11:46:50 15[CFG] 192.168.4.0/24
May 25 11:46:50 15[CFG] proposing traffic selectors for other:
May 25 11:46:50 15[CFG] 192.168.10.0/24
May 25 11:46:50 04[JOB] watcher got notification, rebuilding
May 25 11:46:50 04[JOB] watcher going to poll() 4 fds
May 25 11:47:35 04[JOB] watched FD 19 ready to read
May 25 11:47:35 04[JOB] watcher going to poll() 3 fds
May 25 11:47:35 09[CFG] proposing traffic selectors for us:
May 25 11:47:35 09[CFG] 192.168.4.0/24
May 25 11:47:35 09[CFG] proposing traffic selectors for other:
May 25 11:47:35 09[CFG] 192.168.10.0/24
May 25 11:47:35 04[JOB] watcher got notification, rebuilding
May 25 11:47:35 04[JOB] watcher going to poll() 4 fds
May 25 11:53:10 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
May 25 11:53:15 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
May 25 11:53:20 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
May 25 11:53:25 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
The log shows me "could not find an outbound IPsec SA for reqid {1}, dropping packet", but not "creating acquire job".
thanks.
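Below is an added example, not part of the original post and not strongSwan's own tooling: a small Python analyser that runs over lines like the charon.log quoted above and reports which plugin ended up providing the kernel-ipsec feature, which debug group installed the trap policies, whether any "creating acquire job" line appeared, and how many packets were dropped for a reqid with no SA. The sample lines are a constructed, trimmed copy of the client log in the post; the regexes and the meaning attached to each message pattern are this example's own assumptions based on the lines shown.

```python
"""Added example: classify strongSwan charon.log lines to show why traffic that
matched a trap policy (auto=route) was dropped instead of starting IKE.
Not part of the original post or of strongSwan. The sample log is a constructed,
trimmed copy of the log quoted in the post; the patterns are assumptions."""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: trimmed from the client charon.log in the post.
SAMPLE_LOG = """\
May 25 11:46:38 00[LIB] created TUN device: ipsec0
May 25 11:46:38 00[LIB] plugin 'kernel-libipsec': loaded successfully
May 25 11:46:38 00[LIB] plugin 'kernel-pfkey': loaded successfully
May 25 11:46:38 00[LIB] plugin 'kernel-netlink': loaded successfully
May 25 11:46:38 00[LIB] feature CUSTOM:kernel-ipsec in plugin 'kernel-pfkey' failed to load
May 25 11:46:38 00[LIB] feature CUSTOM:kernel-ipsec in plugin 'kernel-netlink' failed to load
May 25 11:46:38 12[CFG] received stroke: route 'nat-t'
May 25 11:46:38 12[ESP] adding policy 192.168.10.0/24 === 192.168.4.0/24 in
May 25 11:46:39 12[ESP] adding policy 192.168.4.0/24 === 192.168.10.0/24 out
May 25 11:46:39 12[KNL] installing route: 192.168.10.0/24 src 192.168.4.1 dev ipsec0
May 25 11:46:39 12[CHD] CHILD_SA nat-t{1} state change: CREATED => ROUTED
May 25 11:53:10 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
May 25 11:53:15 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
"""

# Plugins that can provide the kernel-ipsec feature; only one of them wins.
KERNEL_IPSEC_PLUGINS = ("kernel-libipsec", "kernel-netlink", "kernel-pfkey")

LINE_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
PLUGIN_RE = re.compile(r"plugin '(?P<name>[\w-]+)': loaded successfully")
REFUSED_RE = re.compile(r"feature CUSTOM:kernel-ipsec in plugin '(?P<name>[\w-]+)' failed to load")
POLICY_RE = re.compile(r"adding policy (?P<sel>\S+ === \S+) (?P<dir>in|out|fwd)\b")
ROUTED_RE = re.compile(r"CHILD_SA (?P<child>\S+) state change: CREATED => ROUTED")
ACQUIRE_RE = re.compile(r"creating acquire job")
DROP_RE = re.compile(r"could not find an outbound IPsec SA for reqid \{(?P<reqid>\d+)\}, dropping packet")


@dataclass
class TrapReport:
    loaded_backends: List[str] = field(default_factory=list)
    refused_backends: List[str] = field(default_factory=list)
    policies: List[str] = field(default_factory=list)          # "GROUP dir selectors"
    routed_children: List[str] = field(default_factory=list)
    acquires: int = 0
    drops_no_sa: Dict[str, int] = field(default_factory=dict)  # reqid -> count

    @property
    def active_backend(self) -> Optional[str]:
        """First kernel-* plugin loaded whose kernel-ipsec feature was not refused."""
        for name in self.loaded_backends:
            if name not in self.refused_backends:
                return name
        return None

    def findings(self) -> List[str]:
        out: List[str] = []
        if self.active_backend:
            refused = f" (feature refused for {', '.join(self.refused_backends)})" if self.refused_backends else ""
            out.append(f"kernel-ipsec is provided by {self.active_backend}{refused}")
        if self.routed_children:
            out.append(f"trap policies routed for {', '.join(self.routed_children)}")
        if any(p.startswith("ESP ") for p in self.policies):
            out.append("policies were installed under the [ESP] group, i.e. by the userspace "
                       "libipsec processor behind the TUN device, not by the kernel SPD")
        if self.drops_no_sa and self.acquires == 0:
            total = sum(self.drops_no_sa.values())
            out.append(f"{total} packet(s) dropped for reqid {', '.join(sorted(self.drops_no_sa))} "
                       "with no SA and no acquire job logged: the trap matched but IKE was never asked to negotiate")
        elif self.acquires:
            out.append(f"{self.acquires} acquire job(s) logged: the trap did trigger negotiation")
        return out


def analyse(log_text: str) -> TrapReport:
    """Walk the log once and collect the facts the findings are built from."""
    rep = TrapReport()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        group, msg = m.group("group"), m.group("msg")
        if (p := PLUGIN_RE.search(msg)) and p.group("name") in KERNEL_IPSEC_PLUGINS:
            rep.loaded_backends.append(p.group("name"))
        elif r := REFUSED_RE.search(msg):
            rep.refused_backends.append(r.group("name"))
        elif pol := POLICY_RE.search(msg):
            rep.policies.append(f"{group} {pol.group('dir')} {pol.group('sel')}")
        elif ch := ROUTED_RE.search(msg):
            rep.routed_children.append(ch.group("child"))
        elif ACQUIRE_RE.search(msg):
            rep.acquires += 1
        elif d := DROP_RE.search(msg):
            rep.drops_no_sa[d.group("reqid")] = rep.drops_no_sa.get(d.group("reqid"), 0) + 1
    return rep


if __name__ == "__main__":
    # Usage: python3 trap_check.py [/var/log/charon.log]; defaults to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in analyse(text).findings():
        print("-", line)
```

Run against the post's own log it reports that kernel-libipsec claimed the kernel-ipsec feature (kernel-pfkey's and kernel-netlink's features failed to load), that the trap policies for nat-t{1} were added under the [ESP] group of the userspace libipsec processor rather than in the kernel SPD, and that the packets for reqid 1 were dropped with no acquire job in between. That combination is worth checking before looking at ipsec.conf itself, since the acquire that auto=route relies on has to come from whichever backend holds the trap policy; with kernel-netlink it is raised from the kernel's XFRM acquire event.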