[strongSwan] broken arp support in Strongswan 5.7.2 ?
Harald Dunkel
harald.dunkel at aixigo.com
Thu Aug 29 12:03:46 CEST 2019
Hi Noel,
On 8/26/19 6:40 PM, Noel Kuntze wrote:
> Hello Harald,
>
> That by itself is quite useless. Please provide the outputs of `ipsec statusall`
> (or `swanctl -l`, depending on what frontend you're using), `ip route show table all`, `ip rule` and `ip address`.
>
> Kind regards
>
> Noel
>
See attachments. It is the requested information of both
roadwarrior laptop and ipsec gateway.
10.19.96.0/19 is the internal network.
10.100.0.0/16 is the wlan network.
192.168.0.0/27 is the external network.
The network.txt shows the network topology. The roadwarrior
laptop was connected via cable to the 10.19.96.0/19 network.
Its IP address was 10.19.97.9, obtained via dhcp.
"ping -c 3 10.19.96.156" worked as expected.
Then the cable was pulled, a wlan connection was established
and the IPsec connection to the gateway (192.168.0.17) was
created. The IPsec gateway used strongswan's dhcp and farp
plugins to obtain and announce an IP address. The 10.19.97.9
got reused here(!).
The laptop should be able to ping 10.19.96.156 again, but
10.19.96.156 sends the echo reply to the "old" mac address
known from the wired connection to the roadwarrior. The
laptop can access other hosts in the 10.19.96.0/19 network,
if they hadn't been accessed via the cable network connection
before.
How come? The first ping from the "new" 10.19.97.9 should
have changed the arp table on 10.19.96.156, but obviously
it didn't. 10.19.96.156 sent the echo reply back to the
old MAC address of the roadwarrior's wired network connection,
as it seems.
Hope this helps to make things clear. Every insightful
comment is highly appreciated.
Regards
Harri
-------------- next part --------------
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.9.0-9-amd64, x86_64):
uptime: 27 days, since Aug 02 06:12:33 2019
malloc: sbrk 9699328, mmap 0, used 2981440, free 6717888
worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1354
loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
192.168.0.17
Connections:
IPSec-IKEv2: stargate.example.com...%any IKEv2, dpddelay=90s
IPSec-IKEv2: local: [stargate.example.com] uses public key authentication
IPSec-IKEv2: cert: "C=DE, ST=NRW, L=Aachen, O=example AG, OU=TI, CN=stargate.example.com, E=security at example.com"
IPSec-IKEv2: remote: uses public key authentication
IPSec-IKEv2: ca: "C=DE, O=example AG, OU=example Certificate Authority, CN=root-CA"
IPSec-IKEv2: child: 10.19.96.0/19 === dynamic TUNNEL, dpdaction=clear
Security Associations (32 up, 0 connecting):
:
:
IPSec-IKEv2[18785]: ESTABLISHED 17 minutes ago, 192.168.0.17[stargate.example.com]...192.168.0.13[C=DE, O=example AG, OU=TI, CN=ppcl001.ws.example.de]
IPSec-IKEv2[18785]: IKEv2 SPIs: 5d196fb131ed8f7d_i ad6663180880a37d_r*, public key reauthentication in 23 hours
IPSec-IKEv2[18785]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
IPSec-IKEv2{23582}: INSTALLED, TUNNEL, reqid 7068, ESP in UDP SPIs: cfba0287_i cb8e5e9a_o
IPSec-IKEv2{23582}: AES_CBC_256/HMAC_SHA2_256_128, 638892 bytes_i (971 pkts, 153s ago), 1185197 bytes_o (1493 pkts, 153s ago), rekeying in 7 hours
IPSec-IKEv2{23582}: 10.19.96.0/19 === 10.19.97.9/32
:
:
# ip route show table all
10.19.97.9 via 192.168.0.13 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.50 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.54 via 192.168.0.1 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.55 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.60 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.64 via 192.168.0.13 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.66 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.67 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.69 via 192.168.0.13 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.82 via 192.168.0.1 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.83 via 192.168.0.13 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.84 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.87 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.88 via 192.168.0.13 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.96 via 192.168.0.13 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.107 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.108 via 192.168.0.1 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.109 via 192.168.0.13 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.228 via 192.168.0.13 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.236 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.239 via 192.168.0.1 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.249 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.252 via 192.168.0.13 dev eth0 table 220 proto static src 10.19.96.153
10.19.100.153 dev eth0 table 220 proto static src 10.19.96.153
10.19.100.169 dev eth0 table 220 proto static src 10.19.96.153
10.19.100.172 via 192.168.0.1 dev eth0 table 220 proto static src 10.19.96.153
10.19.100.174 dev eth0 table 220 proto static src 10.19.96.153
10.19.100.175 dev eth0 table 220 proto static src 10.19.96.153
10.19.100.185 dev eth0 table 220 proto static src 10.19.96.153
10.19.100.186 dev eth0 table 220 proto static src 10.19.96.153
10.19.100.194 dev eth0 table 220 proto static src 10.19.96.153
default via 192.168.0.1 dev eth0 onlink
192.168.0.0/27 dev eth0 proto kernel scope link src 192.168.0.17
10.19.96.0/20 dev eth1 proto kernel scope link src 10.19.96.153
10.19.96.0/19 via 10.19.96.1 dev eth1
broadcast 192.168.0.0 dev eth0 table local proto kernel scope link src 192.168.0.17
local 192.168.0.17 dev eth0 table local proto kernel scope host src 192.168.0.17
broadcast 192.168.0.31 dev eth0 table local proto kernel scope link src 192.168.0.17
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 10.19.96.0 dev eth1 table local proto kernel scope link src 10.19.96.153
local 10.19.96.153 dev eth1 table local proto kernel scope host src 10.19.96.153
broadcast 10.19.111.255 dev eth1 table local proto kernel scope link src 10.19.96.153
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
# ip rule
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 80:ee:73:a2:e6:17 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.17/27 brd 192.168.0.31 scope global eth0
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 80:ee:73:a2:e6:16 brd ff:ff:ff:ff:ff:ff
inet 10.19.96.153/20 brd 10.19.111.255 scope global eth1
valid_lft forever preferred_lft forever
-------------- next part --------------
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-5-amd64, x86_64):
uptime: 3 minutes, since Aug 29 10:07:09 2019
malloc: sbrk 2969600, mmap 0, used 774944, free 2194656
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
10.100.0.69
10.19.97.9
Connections:
Security Associations (0 up, 0 connecting):
none
# ip route show table all
10.47.11.0/24 via 10.100.0.1 dev wlan0 table 220 proto static src 10.19.97.9
10.100.0.0/16 dev wlan0 table 220 proto static src 10.100.0.69
10.19.96.0/19 via 10.100.0.1 dev wlan0 table 220 proto static src 10.19.97.9
10.19.97.9 via 10.100.0.1 dev wlan0 table 220 proto static src 10.19.97.9
default via 10.100.0.1 dev wlan0 proto dhcp metric 600
192.168.0.17 via 10.100.0.1 dev wlan0 proto static metric 600
10.100.0.0/16 dev wlan0 proto kernel scope link src 10.100.0.69 metric 600
10.100.0.1 dev wlan0 proto static scope link metric 600
10.19.97.9 dev wlan0 proto kernel scope link src 10.19.97.9 metric 50
10.19.97.9 dev wlan0 proto kernel scope link src 10.19.97.9 metric 600
broadcast 10.100.0.0 dev wlan0 table local proto kernel scope link src 10.100.0.69
local 10.100.0.69 dev wlan0 table local proto kernel scope host src 10.100.0.69
broadcast 10.100.255.255 dev wlan0 table local proto kernel scope link src 10.100.0.69
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 10.19.97.9 dev wlan0 table local proto kernel scope host src 10.19.97.9
# ip rule
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 28:d2:44:3d:86:74 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 5c:51:4f:87:72:92 brd ff:ff:ff:ff:ff:ff
inet 10.100.0.69/16 brd 10.100.255.255 scope global dynamic noprefixroute wlan0
valid_lft 43041sec preferred_lft 43041sec
inet 10.19.97.9/32 scope global wlan0
valid_lft forever preferred_lft forever
4: wwan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 02:15:e0:ec:01:00 brd ff:ff:ff:ff:ff:ff
-------------- next part --------------
              192.168.0.1  /|\
                            |
                            |
          +-----------------+---------------+
          |                                 |
 192.168.0.17 |                             | 192.168.0.13 (NAT)
+---------+---------+             +---------+---------+
|   IPsec gateway   |             |   Wlan gateway    |
+---------+---------+             +---------+---------+
 10.19.96.153 |                             | 10.100.0.1/16
              |                             |
       +- - - + - - - +                     |
       |              |                     |
 10.19.96.156 |       |                     | 10.100.0.69
+---------+---------+ |         +-----------+-------+
|  internal server  | |    +----|    roadwarrior    |
+-------------------+ |    |    +-------------------+
                      |    |     10.19.97.9
                      |    |
                      +- - + - - - - - - - - +
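An added diagnostic helper for the situation described in the post (not code from the post or from strongSwan): it takes the host routes strongSwan installs in table 220 on the gateway as the list of roadwarrior virtual IPs, and checks the internal server's ARP cache for entries that still resolve one of those IPs to a MAC other than the gateway's eth1, which is the address the farp plugin answers ARP with. The table-220 excerpt and the two MACs (gateway eth1 80:ee:73:a2:e6:16, laptop wired eth0 28:d2:44:3d:86:74) are taken from the attachments; the `ip neigh show` lines, the MAC of 10.19.96.1 and all function names are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Host routes strongSwan installed in table 220 on the gateway (excerpt of the
# post's `ip route show table all`); each /32 destination is a roadwarrior IP.
GATEWAY_TABLE_220 = """\
10.19.97.9 via 192.168.0.13 dev eth0 table 220 proto static src 10.19.96.153
10.19.97.50 dev eth0 table 220 proto static src 10.19.96.153
10.19.100.153 dev eth0 table 220 proto static src 10.19.96.153
"""
# MAC of the gateway's internal interface eth1 (from the post); the farp
# plugin answers ARP requests for the virtual IPs with this address.
GATEWAY_INTERNAL_MAC = "80:ee:73:a2:e6:16"
# Constructed `ip neigh show` output as it would look on 10.19.96.156: the
# entry for 10.19.97.9 still carries the laptop's wired NIC (28:d2:44:3d:86:74).
SERVER_NEIGH = """\
10.19.97.9 dev eth0 lladdr 28:d2:44:3d:86:74 REACHABLE
10.19.97.50 dev eth0 lladdr 80:ee:73:a2:e6:16 STALE
10.19.96.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.19.97.66 dev eth0  FAILED
"""
# Only bare IPv4 destinations match; prefix routes such as 10.19.96.0/19 do not.
ROUTE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s.*\btable 220\b")
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)(?:\s+lladdr\s+(\S+))?.*?\s(\S+)$")

def vpn_client_ips(route_output: str) -> Set[str]:
    """Return the /32 destinations strongSwan put into table 220."""
    return {m.group(1) for m in map(ROUTE_RE.match, route_output.splitlines()) if m}

def parse_neigh(neigh_output: str) -> Dict[str, dict]:
    """Map IP -> {dev, lladdr, state}; lladdr is None for FAILED/INCOMPLETE."""
    table = {}
    for line in neigh_output.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            table[m.group(1)] = {"dev": m.group(2), "lladdr": m.group(3), "state": m.group(4)}
    return table

def stale_vpn_entries(neigh_output: str, route_output: str, gateway_mac: str) -> List[dict]:
    """VPN client IPs whose cached MAC is not the gateway's: replies to them leave
    the server towards the old NIC until the neighbour entry expires."""
    neigh = parse_neigh(neigh_output)
    bad = []
    for ip in sorted(vpn_client_ips(route_output)):
        entry = neigh.get(ip)
        if entry and entry["lladdr"] and entry["lladdr"].lower() != gateway_mac.lower():
            bad.append({"ip": ip, **entry})
    return bad

if __name__ == "__main__":
    for e in stale_vpn_entries(SERVER_NEIGH, GATEWAY_TABLE_220, GATEWAY_INTERNAL_MAC):
        print(f"{e['ip']} cached as {e['lladdr']} ({e['state']}) on {e['dev']}, expected {GATEWAY_INTERNAL_MAC}")
```

On a real server, feed it the live output of `ip neigh show` and the gateway's `ip route show table 220`; an entry flagged here explains exactly the symptom in the post (echo replies going to the wired MAC).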