[strongSwan] Traffic selection problems

Brian Topping brian.topping at gmail.com
Tue Feb 26 00:44:51 CET 2019


Hi all, I’m trying to resolve an issue with traffic selection and am running out of ideas on how to resolve it. Hopefully someone here can recognize what I am doing wrong. My two endpoints are `strongSwan 5.7.2, Linux 4.20.3-1.el7.elrepo.x86_64, x86_64` and `strongSwan 5.6.3` from OpenWRT `opkg` repositories. 

In my config (below), I have worked on several iterations and have always seen the selectors presented to the opposite side specifying the /32 of the external interface to each other, never the networks that I am trying to route between. I am using `type=transport` as I need to pass OSPF traffic over the links. In an effort to cover all bases before posting here, I have mapped my configuration to that in https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Site-To-Site-Scenario, also with the same results. 

When I remove the `left/rightsubnet` configurations, the TS negotiates cleanly and passes traffic bound for the opposite public endpoint, but no xfrm policy exists between the networks themselves.

The final goal is that traffic can pass cleanly between `10.10.0.0/22` and `10.10.4.0/22` through the IPSEC established between the two networks.

In all cases, SA is being negotiated cleanly, so I have clipped those sections for brevity. Apologies if I have lost information and thanks for your consideration!

Brian

Common:
> config setup
> 	charondebug="ike 2, knl 2, cfg 2, mgr 2"
> 
> conn %default
> 	keyingtries=3
> 	authby=secret
> 	type=transport
> 	ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
> 	esp=aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072
> 

Dynamic:
> conn site-2-dynamic-ip
> 	left=%defaultroute
> 	leftsubnet=10.9.254.252/30,10.9.254.248/30
> 	leftfirewall=no
> 	right=dy.na.mi.cip
> 	rightsubnet=10.10.0.0/22
> 	rightid=%specific.example.com
> 	auto=add


Static:
> conn site-1-static-ip
> 	left=st.at.ic.ip
> 	leftsubnet=10.9.254.252/30,10.9.254.248/30
> 	leftid=%specific.example.com
> 	leftfirewall=no
> 	right=%any
> 	rightsubnet=10.10.4.0/22
> 	auto=add


Dynamic side logs:
> 05[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> 05[NET] sending packet: from dy.na.mi.cip[4500] to st.at.ic.ip[4500] (445 bytes)
> 05[MGR] checkin IKE_SA site-2-dynamic-ip[10]
> 05[MGR] checkin of IKE_SA successful
> 13[MGR] checkout IKEv2 SA by message with SPIs 666aa985fa6a1f6b_i 354556de7cfce172_r
> 13[MGR] IKE_SA site-2-dynamic-ip[10] successfully checked out
> 13[NET] received packet: from st.at.ic.ip[4500] to dy.na.mi.cip[4500] (205 bytes)
> 13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]
> 13[IKE] authentication of 'specific.example.com' with pre-shared key successful
> 13[IKE] IKE_SA site-2-dynamic-ip[10] established between dy.na.mi.cip[dy.na.mi.cip]...st.at.ic.ip[specific.example.com]
> 13[IKE] IKE_SA site-2-dynamic-ip[10] state change: CONNECTING => ESTABLISHED
> 13[IKE] scheduling reauthentication in 9950s
> 13[IKE] maximum IKE_SA lifetime 10490s
> 13[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
> 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
> 13[KNL] deleting SAD entry with SPI cee22084
> 13[KNL] deleted SAD entry with SPI cee22084
> 13[IKE] received AUTH_LIFETIME of 9756s, scheduling reauthentication in 9216s
> 13[IKE] peer supports MOBIKE
> 13[IKE] got additional MOBIKE peer address: 10.10.0.41
> 13[IKE] got additional MOBIKE peer address: 172.17.0.1
> 13[IKE] got additional MOBIKE peer address: fc00::10ca:1
> 13[IKE] activating new tasks
> 13[IKE] nothing to initiate
> 13[MGR] checkin IKE_SA site-2-dynamic-ip[10]

Static side logs:
> 07[NET] received packet: from 71.211.224.100[4500] to 173.248.143.113[4500] (445 bytes)
> 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> 07[CFG] looking for a child config for st.at.ic.ip/32 === dy.na.mi.cip/32
> 07[CFG] proposing traffic selectors for us:
> 07[CFG]  st.at.ic.ip/32
> 07[CFG]  st.at.ic.ip/32
> 07[CFG] proposing traffic selectors for other:
> 07[CFG]  dy.na.mi.cip/32
> 07[CFG]   candidate "site-1-static-ip" with prio 5+5
> 07[CFG] found matching child config "site-1-static-ip" with prio 10
> 07[CFG] selecting proposal:
> 07[CFG]   proposal matches
> 07[CFG] received proposals: ESP:AES_GCM_16_192/AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
> 07[CFG] configured proposals: ESP:AES_GCM_16_192/AES_GCM_16_128/ECP_256/MODP_3072/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/ECP_256/MODP_3072/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
> 07[CFG] selected proposal: ESP:AES_GCM_16_192/NO_EXT_SEQ
> 07[KNL] got SPI cd351083
> 07[CFG] selecting traffic selectors for us:
> 07[CFG]  config: 10.9.254.252/30, received: st.at.ic.ip/32 => no match
> 07[CFG]  config: 10.9.254.248/30, received: st.at.ic.ip/32 => no match
> 07[CFG] selecting traffic selectors for other:
> 07[CFG]  config: 10.10.4.0/22, received: dy.na.mi.cip/32 => no match
> 07[IKE] no acceptable traffic selectors found
> 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
> 07[KNL] deleting SAD entry with SPI cd351083
> 07[KNL] deleted SAD entry with SPI cd351083
> 07[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]
> 07[NET] sending packet: from st.at.ic.ip[4500] to dy.na.mi.cip[4500] (205 bytes)
> 07[MGR] checkin IKE_SA site-1-static-ip[1]
> 07[MGR] checkin of IKE_SA successful
> 07[MGR] checkout IKEv2 SA with SPIs 666aa985fa6a1f6b_i 354556de7cfce172_r
> 07[MGR] IKE_SA site-1-static-ip[1] successfully checked out
> 07[MGR] checkin IKE_SA site-1-static-ip[1]
> 07[MGR] checkin of IKE_SA successful
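
The following is an added worked example from the editor, not code from the poster or from the strongSwan project. It reproduces the responder-side traffic selector narrowing that the `[CFG] selecting traffic selectors for us/other` log lines above perform (RFC 7296, section 2.9): every configured selector is intersected with every received one, an empty intersection is the `=> no match` case, and if nothing survives the responder answers `N(TS_UNACCEPT)` and no CHILD_SA is built. It also models the two relevant initiator behaviours: with `type=transport` strongSwan proposes the IKE endpoints' own addresses as selectors (which is why the log shows `st.at.ic.ip/32 === dy.na.mi.cip/32` regardless of `left/rightsubnet`), while in tunnel mode it proposes the configured subnets. The public addresses `203.0.113.1` and `198.51.100.2` are constructed stand-ins for the post's `st.at.ic.ip` and `dy.na.mi.cip` placeholders; the subnet values are the ones in the posted configs. The example goes one step beyond the post by also checking the posted subnets under tunnel mode and a mirrored configuration where each side's `leftsubnet` equals the peer's `rightsubnet`.

```python
import ipaddress

# Constructed stand-ins (assumption) for the post's st.at.ic.ip / dy.na.mi.cip.
STATIC_IP = "203.0.113.1"
DYNAMIC_IP = "198.51.100.2"

# Child configs exactly as posted (both sides list the same /30s as leftsubnet).
STATIC_LOCAL = ["10.9.254.252/30", "10.9.254.248/30"]   # static side leftsubnet
STATIC_REMOTE = ["10.10.4.0/22"]                         # static side rightsubnet
DYN_LOCAL = ["10.9.254.252/30", "10.9.254.248/30"]      # dynamic side leftsubnet
DYN_REMOTE = ["10.10.0.0/22"]                            # dynamic side rightsubnet


def ts_range(selector):
    """Turn a CIDR traffic selector into an inclusive (first, last) integer range."""
    net = ipaddress.IPv4Network(selector, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def narrow(configured, received):
    """Intersect each configured selector with each received one, the way
    charon's "config: X, received: Y => ..." lines do. Returns a list of
    (configured, received, result); result is None for "=> no match",
    otherwise the CIDR blocks covering the overlap (the narrowed selector)."""
    results = []
    for cfg in configured:
        c_lo, c_hi = ts_range(cfg)
        for rx in received:
            r_lo, r_hi = ts_range(rx)
            lo, hi = max(c_lo, r_lo), min(c_hi, r_hi)
            if lo > hi:
                results.append((cfg, rx, None))
            else:
                overlap = ipaddress.summarize_address_range(
                    ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
                results.append((cfg, rx, [str(n) for n in overlap]))
    return results


def responder_select(local_cfg, remote_cfg, tsr, tsi):
    """Responder view: our config is narrowed against the received TSr, the
    peer's against the received TSi. None corresponds to charon logging
    "no acceptable traffic selectors found" and replying N(TS_UNACCEPT)."""
    local = [n for _, _, r in narrow(local_cfg, tsr) if r for n in r]
    remote = [n for _, _, r in narrow(remote_cfg, tsi) if r for n in r]
    if not local or not remote:
        return None
    return local, remote


def initiator_proposal(local_ip, remote_ip, local_subnets, remote_subnets, transport):
    """TSi/TSr as the initiator sends them. In transport mode strongSwan
    narrows the selectors to the IKE endpoints' own addresses (host /32s);
    in tunnel mode it proposes the configured subnets."""
    if transport:
        return [local_ip + "/32"], [remote_ip + "/32"]
    return list(local_subnets), list(remote_subnets)


def posted_transport_case():
    """type=transport with the posted subnets: the case in the log above."""
    tsi, tsr = initiator_proposal(DYNAMIC_IP, STATIC_IP, DYN_LOCAL, DYN_REMOTE, transport=True)
    return responder_select(STATIC_LOCAL, STATIC_REMOTE, tsr, tsi)


def posted_subnets_tunnel_case():
    """Tunnel mode, but still with the posted subnets on both sides."""
    tsi, tsr = initiator_proposal(DYNAMIC_IP, STATIC_IP, DYN_LOCAL, DYN_REMOTE, transport=False)
    return responder_select(STATIC_LOCAL, STATIC_REMOTE, tsr, tsi)


def mirrored_tunnel_case():
    """Tunnel mode with each side's leftsubnet equal to the peer's rightsubnet
    (hypothetical corrected configuration for the stated 10.10.0.0/22 <->
    10.10.4.0/22 goal)."""
    tsi, tsr = initiator_proposal(DYNAMIC_IP, STATIC_IP,
                                  ["10.10.0.0/22"], ["10.10.4.0/22"], transport=False)
    return responder_select(["10.10.4.0/22"], ["10.10.0.0/22"], tsr, tsi)


if __name__ == "__main__":
    for name, fn in [("transport, posted subnets", posted_transport_case),
                     ("tunnel, posted subnets", posted_subnets_tunnel_case),
                     ("tunnel, mirrored subnets", mirrored_tunnel_case)]:
        print(f"{name}: {fn() or 'TS_UNACCEPTABLE'}")
```

The first case reproduces the log: the received host /32s never overlap the configured subnets, so the static side has nothing to offer and the CHILD_SA fails. The second case shows that switching to tunnel mode alone would not be enough with the posted values, because both sides declare the same /30s as `leftsubnet`, so neither side's local config overlaps the other's proposed TSr; only the mirrored configuration in the third case narrows to a usable pair. Transport mode itself cannot carry traffic between two subnets behind the endpoints; where OSPF must run across the link, the usual pattern is a GRE or VTI/XFRM interface whose encapsulated traffic is what the IPsec SA protects.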


