[strongSwan] Simple road warrior setup no longer routing after upgrade

James Lay jlay at slave-tothe-box.net
Tue Oct 16 14:30:05 CEST 2018


Bumping this one last time before I give up and move on to something
else ☺  Thanks for any insight.

James

On Sun, 2018-07-29 at 08:43 -0600, James Lay wrote:
> On Sun, 2018-07-29 at 08:00 -0600, James Lay wrote:
> On Sun, 2018-07-29 at 07:53 -0600, James Lay wrote:
> On Wed, 2018-07-25 at 18:33 -0600, James Lay wrote:
> On Wed, 2018-07-25 at 06:53 -0600, James Lay wrote:
> On 2018-07-24 06:51, Tobias Brunner wrote:
>
> Hi James,
>
> > So I moved to Strongswan 5.6.2 during a distribution upgrade.
>
> What distribution?  What was the previous version?  Do you still have the
> same plugins installed and enabled?
>
> > My simple setup no longer routes back to the client (I can see the incoming
> > pings on the server, but nothing goes back).  I establish a tunnel fine...my
> > setup looks like this:
> >
> > external_IP_nic2 <-> 192.168.1.1_nic2 192.168.1.0/24 subnet
> >
> > all I need is to have a connected device able to access 192.168.1.1...and it's
> > only a single user.
>
> Please read [1].  From the involved IPs I guess you used the farp plugin
> before, so make sure you still have that installed and loaded.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
> Thanks Tobias...I have access to the old server so I'll see what's there...I
> don't recall installing any other plugins, but we shall see.  I'll report my
> findings soon..thanks again.
>
> James
>
> So now I'm super confused.  I changed to the below:
>
> conn rw
> 	leftsubnet=192.168.1.0/24
> 	leftcert=StrongSwanHostCert.pem
> 	right=%any
> 	rightsourceip=172.16.0.1
> 	auto=add
> 
> 
> and added the below top 2 postrouting nat rules:
>
>  pkts bytes target     prot opt in     out        source               destination
>     0     0 ACCEPT     all  --  *      *          0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
>     0     0 MASQUERADE all  --  *      enp0s31f6  172.16.0.1           0.0.0.0/0
> 24519 1646K MASQUERADE all  --  *      ppp0       192.168.1.0/24       0.0.0.0/0
> 
> However when I attempt to ping, I see the ping on the ppp0 interface,
> and the source isn't 172.16.0.1:
>
> 2018-07-25 18:26:37.085194521      8.0.0.1 → 192.168.1.1 ICMP 100 Echo (ping) request  id=0x0004, seq=1/256, ttl=64
> 
> Not exactly sure where to go next.  I did install the extra plugins
> that include farp as well.  Thank you.
> James
>
> Anything on this?  In testing I made this change:
>
> rightsourceip=10.10.10.0/24
>
> Pinging from the client connected device gets me this:
>
> 1 2018-07-29 07:50:27.606525877     8.0.10.1 → 192.168.1.1 ICMP 100 Echo (ping) request  id=0x000f, seq=1/256, ttl=64
> 
> Something seems very broken.  Thank you.
> James
> And some startup and connect logs:
>
> Jul 29 07:29:44 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64)
> Jul 29 07:29:44 gateway charon: 00[CFG] PKCS11 module '<name>' lacks library path
> Jul 29 07:29:44 gateway charon: 00[CFG] disabling load-tester plugin, not configured
> Jul 29 07:29:44 gateway charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
> Jul 29 07:29:44 gateway charon: 00[CFG] dnscert plugin is disabled
> Jul 29 07:29:44 gateway charon: 00[CFG] ipseckey plugin is disabled
> Jul 29 07:29:44 gateway charon: 00[CFG] attr-sql plugin: database URI not set
> Jul 29 07:29:44 gateway charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Jul 29 07:29:44 gateway charon: 00[CFG]   loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/StrongSwanCACert.pem'
> Jul 29 07:29:44 gateway charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Jul 29 07:29:44 gateway charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Jul 29 07:29:44 gateway charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Jul 29 07:29:44 gateway charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Jul 29 07:29:44 gateway charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Jul 29 07:29:44 gateway charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/StrongSwanHostKey.pem'
> Jul 29 07:29:44 gateway charon: 00[CFG] sql plugin: database URI not set
> Jul 29 07:29:44 gateway charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
> Jul 29 07:29:44 gateway charon: 00[CFG] eap-simaka-sql database URI missing
> Jul 29 07:29:44 gateway charon: 00[CFG] loaded 0 RADIUS server configurations
> Jul 29 07:29:44 gateway charon: 00[CFG] HA config misses local/remote address
> Jul 29 07:29:44 gateway charon: 00[CFG] no threshold configured for systime-fix, disabled
> Jul 29 07:29:44 gateway charon: 00[CFG] coupling file path unspecified
> Jul 29 07:29:44 gateway charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
> Jul 29 07:29:44 gateway charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Jul 29 07:29:44 gateway charon: 00[JOB] spawning 16 worker threads
> Jul 29 07:29:44 gateway ipsec[12353]: charon (12392) started after 100 ms
> Jul 29 07:29:44 gateway ipsec_starter[12353]: charon (12392) started after 100 ms
> Jul 29 07:29:44 gateway charon: 06[CFG] received stroke: add connection 'rw'
> Jul 29 07:29:44 gateway charon: 06[CFG] adding virtual IP address pool 172.16.0.1
> Jul 29 07:29:44 gateway charon: 06[CFG]   loaded certificate "C=CH, O=strongSwan, CN=ns1.domain" from 'StrongSwanHostCert.pem'
> Jul 29 07:29:44 gateway charon: 06[CFG]   id 'external_ip' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=ns1.domain'
> Jul 29 07:29:44 gateway charon: 06[CFG] added configuration 'rw'
> Jul 29 07:30:13 gateway charon: 10[NET] received packet: from x.x.15.77[7388] to external_ip[500] (716 bytes)
> Jul 29 07:30:13 gateway charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Jul 29 07:30:13 gateway charon: 10[IKE] x.x.15.77 is initiating an IKE_SA
> Jul 29 07:30:13 gateway charon: 10[IKE] x.x.15.77 is initiating an IKE_SA
> Jul 29 07:30:13 gateway charon: 10[IKE] remote host is behind NAT
> Jul 29 07:30:13 gateway charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Jul 29 07:30:13 gateway charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> Jul 29 07:30:13 gateway charon: 10[NET] sending packet: from external_ip[500] to x.x.15.77[7388] (297 bytes)
> Jul 29 07:30:15 gateway charon: 11[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
> Jul 29 07:30:15 gateway charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
> Jul 29 07:30:15 gateway charon: 11[ENC] received fragment #1 of 4, waiting for complete IKE message
> Jul 29 07:30:15 gateway charon: 12[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
> Jul 29 07:30:15 gateway charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
> Jul 29 07:30:15 gateway charon: 12[ENC] received fragment #2 of 4, waiting for complete IKE message
> Jul 29 07:30:15 gateway charon: 13[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
> Jul 29 07:30:15 gateway charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
> Jul 29 07:30:15 gateway charon: 13[ENC] received fragment #3 of 4, waiting for complete IKE message
> Jul 29 07:30:15 gateway charon: 14[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1156 bytes)
> Jul 29 07:30:15 gateway charon: 14[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
> And startup and session logs from previous, working version:
>
> Apr 18 04:23:33 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-119-generic, x86_64)
> Apr 18 04:23:34 gateway charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Apr 18 04:23:34 gateway charon: 00[CFG]   loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/StrongSwanCACert.pem'
> Apr 18 04:23:34 gateway charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Apr 18 04:23:34 gateway charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Apr 18 04:23:34 gateway charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Apr 18 04:23:34 gateway charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Apr 18 04:23:34 gateway charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Apr 18 04:23:34 gateway charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/StrongSwanHostKey.pem'
> Apr 18 04:23:34 gateway charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
> Apr 18 04:23:34 gateway charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
> Apr 18 04:23:34 gateway charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Apr 18 04:23:34 gateway charon: 00[JOB] spawning 16 worker threads
> Apr 18 04:23:34 gateway ipsec_starter[26813]: charon (26814) started after 180 ms
> Apr 18 04:23:34 gateway charon: 05[CFG] received stroke: add connection 'rw'
> Apr 18 04:23:34 gateway charon: 05[CFG] left nor right host is our side, assuming left=local
> Apr 18 04:23:34 gateway charon: 05[CFG] adding virtual IP address pool 192.168.1.11
> Apr 18 04:23:34 gateway charon: 05[CFG]   loaded certificate "C=CH, O=strongSwan, CN=ns1.domain" from 'StrongSwanHostCert.pem'
> Apr 18 04:23:34 gateway charon: 05[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=ns1.domain'
> Apr 18 04:23:34 gateway charon: 05[CFG] added configuration 'rw'
>
> Apr 22 12:22:52 gateway charon: 11[NET] received packet: from x.x.9.223[8351] to external_ip[500] (704 bytes)
> Apr 22 12:22:52 gateway charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
> Apr 22 12:22:52 gateway charon: 11[IKE] x.x.9.223 is initiating an IKE_SA
> Apr 22 12:22:52 gateway charon: 11[IKE] x.x.9.223 is initiating an IKE_SA
> Apr 22 12:22:52 gateway charon: 11[IKE] remote host is behind NAT
> Apr 22 12:22:52 gateway charon: 11[IKE] DH group ECP_256 inacceptable, requesting MODP_2048
> Apr 22 12:22:52 gateway charon: 11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Apr 22 12:22:52 gateway charon: 11[NET] sending packet: from external_ip[500] to x.x.9.223[8351] (38 bytes)
> Apr 22 12:22:52 gateway charon: 12[NET] received packet: from x.x.9.223[8351] to external_ip[500] (896 bytes)
> Apr 22 12:22:52 gateway charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
> Apr 22 12:22:52 gateway charon: 12[IKE] x.x.9.223 is initiating an IKE_SA
> Apr 22 12:22:52 gateway charon: 12[IKE] x.x.9.223 is initiating an IKE_SA
> Apr 22 12:22:52 gateway charon: 12[IKE] remote host is behind NAT
> Apr 22 12:22:52 gateway charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Apr 22 12:22:52 gateway charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Apr 22 12:22:52 gateway charon: 12[NET] sending packet: from external_ip[500] to x.x.9.223[8351] (465 bytes)
> Apr 22 12:22:53 gateway charon: 14[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (5100 bytes)
> Apr 22 12:22:53 gateway charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> Apr 22 12:22:53 gateway charon: 14[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Apr 22 12:22:53 gateway charon: 14[IKE] received 156 cert requests for an unknown ca
> Apr 22 12:22:53 gateway charon: 14[IKE] received end entity cert "C=CH, O=strongSwan, CN=user at domain"
> Apr 22 12:22:53 gateway charon: 14[CFG] looking for peer configs matching external_ip[%any]...x.x.9.223[C=CH, O=strongSwan, CN=user at domain]
> Apr 22 12:22:53 gateway charon: 14[CFG] selected peer config 'rw'
> Apr 22 12:22:53 gateway charon: 14[CFG]   using certificate "C=CH, O=strongSwan, CN=user at domain"
> Apr 22 12:22:53 gateway charon: 14[CFG]   using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Apr 22 12:22:53 gateway charon: 14[CFG] checking certificate status of "C=CH, O=strongSwan, CN=user at domain"
> Apr 22 12:22:53 gateway charon: 14[CFG] certificate status is not available
> Apr 22 12:22:53 gateway charon: 14[CFG]   reached self-signed root ca with a path length of 0
> Apr 22 12:22:53 gateway charon: 14[IKE] authentication of 'C=CH, O=strongSwan, CN=user at domain' with RSA signature successful
> Apr 22 12:22:53 gateway charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Apr 22 12:22:53 gateway charon: 14[IKE] peer supports MOBIKE
> Apr 22 12:22:53 gateway charon: 14[IKE] authentication of 'C=CH, O=strongSwan, CN=ns1.domain' (myself) with RSA signature successful
> Apr 22 12:22:53 gateway charon: 14[IKE] IKE_SA rw[6] established between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=user at domain]
> Apr 22 12:22:53 gateway charon: 14[IKE] IKE_SA rw[6] established between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=user at domain]
> Apr 22 12:22:53 gateway charon: 14[IKE] scheduling reauthentication in 9726s
> Apr 22 12:22:53 gateway charon: 14[IKE] maximum IKE_SA lifetime 10266s
> Apr 22 12:22:53 gateway charon: 14[IKE] sending end entity cert "C=CH, O=strongSwan, CN=ns1.domain"
> Apr 22 12:22:53 gateway charon: 14[IKE] peer requested virtual IP %any
> Apr 22 12:22:53 gateway charon: 14[CFG] reassigning offline lease to 'C=CH, O=strongSwan, CN=user at domain'
> Apr 22 12:22:53 gateway charon: 14[IKE] assigning virtual IP 192.168.1.11 to peer 'C=CH, O=strongSwan, CN=user at domain'
> Apr 22 12:22:53 gateway charon: 14[IKE] peer requested virtual IP %any6
> Apr 22 12:22:53 gateway charon: 14[IKE] no virtual IP found for %any6 requested by 'C=CH, O=strongSwan, CN=user at domain'
> Apr 22 12:22:53 gateway charon: 14[IKE] CHILD_SA rw{4} established with SPIs cab12a0f_i 17e464af_o and TS 192.168.1.0/24 === 192.168.1.11/32
> Apr 22 12:22:53 gateway charon: 14[IKE] CHILD_SA rw{4} established with SPIs cab12a0f_i 17e464af_o and TS 192.168.1.0/24 === 192.168.1.11/32
> Apr 22 12:22:53 gateway charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
> Apr 22 12:22:53 gateway charon: 14[NET] sending packet: from external_ip[4500] to x.x.9.223[8331] (2204 bytes)
> Apr 22 12:22:53 gateway charon: 15[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (76 bytes)
> Apr 22 12:22:53 gateway charon: 15[ENC] parsed INFORMATIONAL request 2 [ N(NO_ADD_ADDR) ]
> Apr 22 12:22:53 gateway charon: 15[ENC] generating INFORMATIONAL response 2 [ ]
> Apr 22 12:22:53 gateway charon: 15[NET] sending packet: from external_ip[4500] to x.x.9.223[8331] (76 bytes)
> Apr 22 12:23:24 gateway charon: 06[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (76 bytes)
> Apr 22 12:23:24 gateway charon: 06[ENC] parsed INFORMATIONAL request 3 [ D ]
> Apr 22 12:23:24 gateway charon: 06[IKE] received DELETE for IKE_SA rw[6]
> Apr 22 12:23:24 gateway charon: 06[IKE] deleting IKE_SA rw[6] between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=user at domain]
> Apr 22 12:23:24 gateway charon: 06[IKE] deleting IKE_SA rw[6] between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=user at domain]
> Apr 22 12:23:24 gateway charon: 06[IKE] IKE_SA deleted
> Apr 22 12:23:24 gateway charon: 06[IKE] IKE_SA deleted
> Apr 22 12:23:24 gateway charon: 06[ENC] generating INFORMATIONAL response 3 [ ]
> Apr 22 12:23:24 gateway charon: 06[NET] sending packet: from external_ip[4500] to x.x.9.223[8331] (76 bytes)
> Apr 22 12:23:24 gateway charon: 06[CFG] lease 192.168.1.11 by 'C=CH, O=strongSwan, CN=user at domain' went offline
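Editor's note, added to this archive page and not part of James's or Tobias's messages: the thread turns on two things that can be checked mechanically from text an admin would paste into a reply. First, whether the farp plugin is loaded when the virtual IP pool (rightsourceip) sits inside the LAN subnet (leftsubnet), which is what Tobias inferred from the addresses. Second, whether the nat POSTROUTING chain has its ACCEPT rule with 'policy match dir out pol ipsec' ahead of any MASQUERADE that can match LAN-sourced traffic, the ordering James posted; reversed, replies to the road warrior are source-NATed before the IPsec policy is applied and never enter the tunnel. The Python script below is an added example written for this page, not strongSwan's own tooling. It parses charon's 'loaded plugins:' line, the conn section of ipsec.conf and the output of `iptables -t nat -L POSTROUTING -v -n`. All sample input is constructed from values in the thread; the plugin lists are abbreviated and the 'Chain POSTROUTING' header line is what iptables prints rather than something James pasted. It also flags the 5.1.2 configuration (pool 192.168.1.11 inside 192.168.1.0/24, no farp in that plugin list) even though that setup worked for James, so read the farp result as something to verify rather than a proven cause.

```python
"""Added example for this thread, not strongSwan code: two checks for a
road-warrior gateway where pings reach the LAN but no replies come back.

farp:      pool (rightsourceip) inside leftsubnet needs the farp plugin so
           the gateway answers ARP for the clients' addresses.
NAT order: in nat/POSTROUTING the ACCEPT with 'policy match dir out pol ipsec'
           must precede any MASQUERADE that can match LAN-sourced traffic.
Samples at the bottom are constructed from values posted in the thread.
"""
import ipaddress
import re


def loaded_plugins(charon_log):
    """Plugin names from charon's '00[LIB] loaded plugins:' startup line."""
    m = re.search(r"loaded plugins:\s*(.*)", charon_log)
    return set(m.group(1).split()) if m else set()


def parse_conn(conf_text):
    """key=value settings of one ipsec.conf conn section, as a dict."""
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", conf_text, re.M))


def parse_postrouting(iptables_text):
    """Rules of `iptables -t nat -L POSTROUTING -v -n`, in chain order."""
    rules = []
    for line in iptables_text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit():      # skips 'Chain ...' and header
            continue
        rules.append({"target": f[2], "out": f[6], "source": f[7],
                      "destination": f[8], "match": " ".join(f[9:])})
    return rules


def check_farp(conn, plugins):
    """Finding if the pool is inside the LAN subnet and farp is not loaded."""
    pool = ipaddress.ip_network(conn["rightsourceip"], strict=False)
    lan = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    if pool.subnet_of(lan) and "farp" not in plugins:
        return ("virtual IP pool %s lies inside leftsubnet %s but the farp "
                "plugin is not loaded" % (pool, lan))
    return None


def check_nat_order(conn, rules):
    """Finding if a MASQUERADE matching LAN sources precedes the ipsec exception."""
    lan = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    for r in rules:
        if r["target"] == "ACCEPT" and "dir out" in r["match"] and "pol ipsec" in r["match"]:
            return None                   # exception comes first: tunnel traffic is safe
        if r["target"] == "MASQUERADE" and \
                ipaddress.ip_network(r["source"], strict=False).overlaps(lan):
            return ("MASQUERADE for %s out %s precedes the 'policy match dir out "
                    "pol ipsec' ACCEPT, so replies to the client get NATed"
                    % (r["source"], r["out"]))
    return None


def diagnose(conf_text, charon_log, iptables_text):
    """All findings for one gateway; an empty list means both checks passed."""
    conn = parse_conn(conf_text)
    findings = [check_farp(conn, loaded_plugins(charon_log)),
                check_nat_order(conn, parse_postrouting(iptables_text))]
    return [f for f in findings if f]


# ---- constructed samples, values taken from the thread ------------------------
NEW_CONN = """conn rw
    leftsubnet=192.168.1.0/24
    leftcert=StrongSwanHostCert.pem
    right=%any
    rightsourceip=172.16.0.1
    auto=add
"""
OLD_CONN = NEW_CONN.replace("rightsourceip=172.16.0.1", "rightsourceip=192.168.1.11")
# 'loaded plugins' lines from the 5.6.2 and 5.1.2 startup logs, abbreviated
NEW_LOG = ("Jul 29 07:29:44 gateway charon: 00[LIB] loaded plugins: charon "
           "kernel-netlink resolve socket-default connmark farp stroke updown")
OLD_LOG = ("Apr 18 04:23:34 gateway charon: 00[LIB] loaded plugins: charon "
           "kernel-netlink resolve socket-default stroke updown eap-identity addrblock")
# POSTROUTING as posted (exception first) and with the order swapped; the
# 'Chain' header is what iptables prints and was not part of the post
POSTED_NAT = """Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out        source               destination
    0     0 ACCEPT     all  --  *      *          0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
    0     0 MASQUERADE all  --  *      enp0s31f6  172.16.0.1           0.0.0.0/0
24519 1646K MASQUERADE all  --  *      ppp0       192.168.1.0/24       0.0.0.0/0
"""
SWAPPED_NAT = """Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out        source               destination
24519 1646K MASQUERADE all  --  *      ppp0       192.168.1.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *          0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
"""

if __name__ == "__main__":
    for label, conf, log, nat in [("5.1.2 setup", OLD_CONN, OLD_LOG, POSTED_NAT),
                                  ("5.6.2 setup", NEW_CONN, NEW_LOG, POSTED_NAT),
                                  ("5.6.2, NAT order swapped", NEW_CONN, NEW_LOG, SWAPPED_NAT)]:
        print("%s: %s" % (label, diagnose(conf, log, nat) or ["ok"]))
```

To run it against a real gateway, feed diagnose() the conn section, the 'loaded plugins' line from syslog and the live POSTROUTING listing; the parser expects the `-v -n` column layout, so the numeric pkts column is what distinguishes rule lines from the chain and header lines.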
