[strongSwan] SA established while no traffic
Volodymyr Litovka
doka.ua at gmx.com
Wed Sep 26 10:55:50 CEST 2018
And one more debug info - when I'm pinging server from client, I see
packets arrived on server's ingress interface:
08:15:24.352861 IP client.4500 > server.4500: UDP-encap:
ESP(spi=0xc5f7be04,seq=0x2e), length 104
08:15:24.456173 IP client.4500 > server.4500: UDP-encap:
ESP(spi=0xc5f7be04,seq=0x2f), length 120
08:15:24.620758 IP client.4500 > server.4500: UDP-encap:
ESP(spi=0xc5f7be04,seq=0x30), length 120
08:15:24.795823 IP client.4500 > server.4500: UDP-encap:
ESP(spi=0xc5f7be04,seq=0x31), length 104
so traffic selectors agreed and at least work on client side, but
nothing in reply from server. I can't even imagine where to look into
problem, so any suggestions are highly welcome.
Thank you.
On 9/25/18 6:54 PM, Volodymyr Litovka wrote:
> Hello colleagues,
>
> I'm facing a problem of routing between hosts over established SA.
>
> [Ubuntu 18.04/Strongswan 5.6.2] <--> [PAT/Cisco] <--> [OSX 10.12.6]
>
> OSX is client, Ubuntu is server and they're able to establish connection:
>
> Sep 25 15:43:27 vpn strongswan: 04[IKE] <ikev2-eap-mschapv2|4>
> CHILD_SA pinocchio{5} established with SPIs c61c704d_i 00121be9_o and
> TS 25.1.1.0/24 === 192.168.1.1/32
>
> # swanctl --list-sas
> ikev2-eap-mschapv2: #2, ESTABLISHED, IKEv2, bd64dfef8156901f_i
> 22426a0bf50a3047_r*
> local 'server' @ X.X.X.252[4500]
> remote 'doka' @ Y.Y.Y.194[4500] [192.168.1.1]
> AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> established 217s ago, rekeying in 10083s
> pinocchio: #2, reqid 2, INSTALLED, TUNNEL-in-UDP,
> ESP:AES_CBC-256/HMAC_SHA2_256_128
> installed 217s ago, rekeying in 3165s, expires in 3743s
> in c94f7412 (0x00000003), 0 bytes, 0 packets
> out 0f4f18d1 (0x00000004), 0 bytes, 0 packets
> local 25.1.1.0/24
> remote 192.168.1.1/32
>
> Routing table on client side (OXS) looks correct:
> 25.1.1/24 192.168.1.1 UGSc 0 1 ipsec0
> 192.168.1.1 192.168.1.1 UH 1 0 ipsec0
>
> Routing configuration on server side (Ubuntu):
> root at vpn:~# ip rule show
> 0: from all lookup local
> 220: from all lookup 220
> 32766: from all lookup main
> 32767: from all lookup default
>
> root at vpn:~# ip route show table 220
> 192.168.1.1 via X.X.X.254 dev wan0 proto static src 25.1.1.1
>
> root at vpn:~# ip route show table 0
> 192.168.1.1 via X.X.X.254 dev wan0 table 220 proto static src 25.1.1.1
> default via X.X.X.254 dev wan0 proto static
>
> root at vpn:/etc# ip route
> default via X.X.X.254 dev wan0 proto static
> 25.1.1.0/24 dev wan0 proto kernel scope link src 25.1.1.1
>
> and local address is up and accessible:
>
> root at vpn:/etc# ping 25.1.1.1
> PING 25.1.1.1 (25.1.1.1) 56(84) bytes of data.
> 64 bytes from 25.1.1.1: icmp_seq=1 ttl=64 time=0.024 ms
>
> Debug shows the following:
>
> Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> adding
> policy 192.168.1.1/32 === 25.1.1.0/24 in (mark 5/0xffffffff) [priority
> 371327, refcount 1]
> Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> adding
> policy 192.168.1.1/32 === 25.1.1.0/24 fwd (mark 5/0xffffffff)
> [priority 371327, refcount 1]
> Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> adding
> policy 25.1.1.0/24 === 192.168.1.1/32 out (mark 6/0xffffffff)
> [priority 371327, refcount 1]
> Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> getting
> a local address in traffic selector 25.1.1.0/24
> Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> using
> host 25.1.1.1
> Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> getting
> iface name for index 2
> Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> using
> X.X.X.254 as nexthop and wan0 as dev to reach Y.Y.Y.194/32
> Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4>
> installing route: 192.168.1.1/32 via X.X.X.254 src 25.1.1.1 dev wan0
> Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> getting
> iface index for wan0
> Sep 25 15:43:27 vpn strongswan: 04[IKE] <ikev2-eap-mschapv2|4>
> CHILD_SA pinocchio{5} established with SPIs c61c704d_i 00121be9_o and
> TS 25.1.1.0/24 === 192.168.1.1/32
> Sep 25 15:43:27 vpn strongswan: 04[CHD] <ikev2-eap-mschapv2|4>
> CHILD_SA pinocchio{5} state change: INSTALLING => INSTALLED
>
> on server side there is neither NAT nor other iptable rules, it's
> accessible from Internet from everywhere. Also, ipv4 forwarding is on
> (net.ipv4.ip_forward=1 @ sysctl.conf)
>
> but no traffic (ping -I 25.1.1.1 192.168.1.1) between these addresses
>
> swanctl configuration:
>
> connections {
> ikev2-eap-mschapv2 {
> version = 2
> local_addrs = X.X.X.252
> remote_addrs = %any
> proposals =
> aes256gcm16-prfsha256-modp2048,aes128gcm16-prfaescmac-modp2048,aes256-sha256-prfsha256-modp2048
> encap = yes
> fragmentation = yes
> mobike = yes(NOTE: tried NO as well)
> dpd_delay = 300s
> send_cert = always
> unique = keep
> rekey_time = 3h
> pools = mypool
> local-1 {
> certs = fullchain.pem
> id = @myfqdn
> }
> remote-1 {
> id = %any
> auth = eap-mschapv2
> }
> children {
> pinocchio {
> ah_proposals =
> esp_proposals =
> aes256gcm16-modp2048,aes128gcm16-modp2048,aes256-sha256
> local_ts = 25.1.1.0/24
> remote_ts = dynamic
> mode = tunnel
> dpd_action = clear
> ipcomp = no
> mark_in = %unique-dir
> mark_out = %unique-dir
> tfc_padding = mtu
> hw_offload = yes (NOTE: tried NO as well)
> }
> }
> }
> }
> secrets {
> include conf.d/secret-*.conf
> }
>
> pools {
> mypool {
> addrs = 192.168.1.0/24
> }
> }
>
> Actually, I don't understand where to look into problem. Can anybody
> suggest the way I need to follow in order to narrow and fix the problem?
>
> Thanks!
>
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
More information about the Users
mailing list