[strongSwan] [EDIT] Traffic selection problems

Brian Topping brian.topping at gmail.com
Tue Feb 26 00:52:38 CET 2019


[Apologies for accidentally hitting send on previous email…]

Hi all, I’m trying to resolve an issue with traffic selection and am running out of ideas on how to do so. Hopefully someone here can recognize what I am doing wrong. My two endpoints are `strongSwan 5.7.2, Linux 4.20.3-1.el7.elrepo.x86_64, x86_64` and `strongSwan 5.6.3` from OpenWRT `opkg` repositories. 

In my config (below), I have worked through several iterations and have always seen the selectors presented to the opposite side specifying the /32 of the external interface to each other, never the networks that I am trying to route between. I am using `type=transport` as I need to pass OSPF traffic over the links. In an effort to cover all bases before posting here, I have mapped my configuration to that in https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Site-To-Site-Scenario, also with the same results.

When I remove the `left/rightsubnet` configurations, the TS negotiates cleanly and passes traffic bound for the opposite public endpoint, but then of course no xfrm policy exists between the `10.10.0.0/22` and `10.10.4.0/22` networks, which is the final goal.

In all cases, SA is being negotiated cleanly, so I have clipped those sections for brevity. Apologies if I have lost information and thanks for your consideration!

Brian

Common:
> config setup
> 	charondebug="ike 2, knl 2, cfg 2, mgr 2"
> 
> conn %default
> 	keyingtries=3
> 	authby=secret
> 	type=transport
> 	ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
> 	esp=aes192gcm16-aes128gcm16-ecp256-modp3072,aes192-sha256-ecp256-modp3072
> 

Dynamic:
> conn site-2-dynamic-ip
> 	left=%defaultroute
> 	leftsubnet=10.9.254.252/30,10.9.254.248/30
> 	leftfirewall=no
> 	right=dy.na.mi.cip
> 	rightsubnet=10.10.0.0/22
> 	rightid=%specific.example.com
> 	auto=add


Static:
> conn site-1-static-ip
> 	left=st.at.ic.ip
> 	leftsubnet=10.9.254.252/30,10.9.254.248/30
> 	leftid=%specific.example.com
> 	leftfirewall=no
> 	right=%any
> 	rightsubnet=10.10.4.0/22
> 	auto=add


Dynamic side logs:
> 05[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> 05[NET] sending packet: from dy.na.mi.cip[4500] to st.at.ic.ip[4500] (445 bytes)
> 05[MGR] checkin IKE_SA site-2-dynamic-ip[10]
> 05[MGR] checkin of IKE_SA successful
> 13[MGR] checkout IKEv2 SA by message with SPIs 666aa985fa6a1f6b_i 354556de7cfce172_r
> 13[MGR] IKE_SA site-2-dynamic-ip[10] successfully checked out
> 13[NET] received packet: from st.at.ic.ip[4500] to dy.na.mi.cip[4500] (205 bytes)
> 13[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]
> 13[IKE] authentication of 'specific.example.com' with pre-shared key successful
> 13[IKE] IKE_SA site-2-dynamic-ip[10] established between dy.na.mi.cip[dy.na.mi.cip]...st.at.ic.ip[specific.example.com]
> 13[IKE] IKE_SA site-2-dynamic-ip[10] state change: CONNECTING => ESTABLISHED
> 13[IKE] scheduling reauthentication in 9950s
> 13[IKE] maximum IKE_SA lifetime 10490s
> 13[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
> 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
> 13[KNL] deleting SAD entry with SPI cee22084
> 13[KNL] deleted SAD entry with SPI cee22084
> 13[IKE] received AUTH_LIFETIME of 9756s, scheduling reauthentication in 9216s
> 13[IKE] peer supports MOBIKE
> 13[IKE] got additional MOBIKE peer address: 10.10.0.41
> 13[IKE] got additional MOBIKE peer address: 172.17.0.1
> 13[IKE] got additional MOBIKE peer address: fc00::10ca:1
> 13[IKE] activating new tasks
> 13[IKE] nothing to initiate
> 13[MGR] checkin IKE_SA site-2-dynamic-ip[10]

Static side logs:
> 07[NET] received packet: from 71.211.224.100[4500] to 173.248.143.113[4500] (445 bytes)
> 07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> 07[CFG] looking for a child config for st.at.ic.ip/32 === dy.na.mi.cip/32
> 07[CFG] proposing traffic selectors for us:
> 07[CFG]  st.at.ic.ip/32
> 07[CFG]  st.at.ic.ip/32
> 07[CFG] proposing traffic selectors for other:
> 07[CFG]  dy.na.mi.cip/32
> 07[CFG]   candidate "site-1-static-ip" with prio 5+5
> 07[CFG] found matching child config "site-1-static-ip" with prio 10
> 07[CFG] selecting proposal:
> 07[CFG]   proposal matches
> 07[CFG] received proposals: ESP:AES_GCM_16_192/AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
> 07[CFG] configured proposals: ESP:AES_GCM_16_192/AES_GCM_16_128/ECP_256/MODP_3072/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/ECP_256/MODP_3072/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
> 07[CFG] selected proposal: ESP:AES_GCM_16_192/NO_EXT_SEQ
> 07[KNL] got SPI cd351083
> 07[CFG] selecting traffic selectors for us:
> 07[CFG]  config: 10.9.254.252/30, received: st.at.ic.ip/32 => no match
> 07[CFG]  config: 10.9.254.248/30, received: st.at.ic.ip/32 => no match
> 07[CFG] selecting traffic selectors for other:
> 07[CFG]  config: 10.10.4.0/22, received: dy.na.mi.cip/32 => no match
> 07[IKE] no acceptable traffic selectors found
> 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
> 07[KNL] deleting SAD entry with SPI cd351083
> 07[KNL] deleted SAD entry with SPI cd351083
> 07[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]
> 07[NET] sending packet: from st.at.ic.ip[4500] to dy.na.mi.cip[4500] (205 bytes)
> 07[MGR] checkin IKE_SA site-1-static-ip[1]
> 07[MGR] checkin of IKE_SA successful
> 07[MGR] checkout IKEv2 SA with SPIs 666aa985fa6a1f6b_i 354556de7cfce172_r
> 07[MGR] IKE_SA site-1-static-ip[1] successfully checked out
> 07[MGR] checkin IKE_SA site-1-static-ip[1]
> 07[MGR] checkin of IKE_SA successful
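An added illustration of the "selecting traffic selectors ... => no match" step above (example code, not from the post or from strongSwan itself): it re-derives the responder's result by CIDR narrowing and shows why `type=transport`, which can only carry traffic between the two endpoint addresses, can never narrow subnet selectors to anything, whereas tunnel mode can. It assumes standard IKEv2 narrowing semantics and substitutes constructed RFC 5737 addresses for the redacted st.at.ic.ip and dy.na.mi.cip.

```python
import ipaddress
import re

# Constructed stand-ins for the post's redacted st.at.ic.ip / dy.na.mi.cip (RFC 5737 test ranges).
STATIC_IP = "198.51.100.10"
DYNAMIC_IP = "203.0.113.20"

# Constructed log lines in the shape of the static side's "selecting traffic selectors" output.
SAMPLE_LOG = f"""\
07[CFG]  config: 10.9.254.252/30, received: {STATIC_IP}/32 => no match
07[CFG]  config: 10.9.254.248/30, received: {STATIC_IP}/32 => no match
07[CFG]  config: 10.10.4.0/22, received: {DYNAMIC_IP}/32 => no match
"""
TS_LINE = re.compile(r"config: (\S+), received: (\S+) => (.+)$", re.MULTILINE)

def narrow(config_ts, received_ts):
    """IKEv2 narrowing for CIDR selectors: the overlap of the two, or None if they are disjoint."""
    c, r = ipaddress.ip_network(config_ts), ipaddress.ip_network(received_ts)
    if c.subnet_of(r):
        return c
    if r.subnet_of(c):
        return r
    return None

def check_log(text):
    """Parse each 'config: X, received: Y => result' line and recompute the result with narrow()."""
    results = []
    for m in TS_LINE.finditer(text):
        cfg, rcv, logged = m.groups()
        hit = narrow(cfg, rcv)
        computed = "no match" if hit is None else f"match {hit}"
        results.append((cfg, rcv, logged.strip(), computed))
    return results

def expected_selectors(mode, local_ip, remote_ip, local_subnets, remote_subnets):
    """Selectors the responder could agree to. In transport mode the peer proposes only the two
    endpoint /32s (assumption: IPsec transport-mode semantics), so configured subnets that do not
    contain those addresses narrow to nothing; in tunnel mode the peer proposes the subnets."""
    if mode == "transport":
        rcv_us, rcv_other = [f"{local_ip}/32"], [f"{remote_ip}/32"]
    else:
        rcv_us, rcv_other = local_subnets, remote_subnets
    us = [n for c in local_subnets for r in rcv_us if (n := narrow(c, r)) is not None]
    other = [n for c in remote_subnets for r in rcv_other if (n := narrow(c, r)) is not None]
    return [str(n) for n in us], [str(n) for n in other]

if __name__ == "__main__":
    for cfg, rcv, logged, computed in check_log(SAMPLE_LOG):
        print(f"{cfg} vs {rcv}: log says '{logged}', recomputed '{computed}'")
    for mode in ("transport", "tunnel"):
        print(mode, expected_selectors(mode, STATIC_IP, DYNAMIC_IP,
                                       ["10.9.254.252/30", "10.9.254.248/30"], ["10.10.4.0/22"]))
```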

