[strongSwan] received netlink error: Network is unreachable
Houman
houmie at gmail.com
Thu Jul 18 10:29:34 CEST 2019
Hello Noel.
Sorry, it's still too early in the morning for me.
*> netstat -rn*
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt
Iface
0.0.0.0 136.243.104.xxx 0.0.0.0 UG 0 0 0
enp2s0
*> route -n*
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
0.0.0.0 136.243.104.xxx 0.0.0.0 UG 0 0 0
enp2s0
*> iproute*
default via 136.243.104.xxx dev enp2s0 proto static onlink
If I have missed anything please let me know,
Many Thanks,
Houman
On Thu, 18 Jul 2019 at 08:07, Noel Kuntze <noel.kuntze at thermi.consulting>
wrote:
> Hello Houman,
>
> Those are not *routing* tables. Those are your *iptables* rules.
>
> Kind regards
>
> Noel
>
> Am 18.07.19 um 09:02 schrieb Houman:
> > Hello Noel,
> >
> > You're right. It's interesting that I always get the following error
> right after that. "unable to install source route for %any".
> >
> > Please find both the IPv4 and IPv6 routing tables as well as the
> ipsec.conf below.
> >
> > Please note that IPv6 is disabled since my configuration wasn't entirely
> supported on the latest Ubuntu 18.04 as we had established previously.
> >
> > *IPv4*
> >
> > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > *filter
> > :INPUT DROP [2615693:262169077]
> > :FORWARD DROP [4655474:1206379130]
> > :OUTPUT ACCEPT [8219816926:9451426041332]
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > -A FORWARD -s 10.10.0.0/17 <http://10.10.0.0/17> -d 10.10.0.0/17 <
> http://10.10.0.0/17> -j DROP
> > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > COMMIT
> > # Completed on Thu Jul 18 06:54:18 2019
> > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > *nat
> > :PREROUTING ACCEPT [212142454:17804580572]
> > :INPUT ACCEPT [1326262:431133155]
> > :OUTPUT ACCEPT [174309:20072403]
> > :POSTROUTING ACCEPT [174309:20072403]
> > -A POSTROUTING -s 10.10.0.0/17 <http://10.10.0.0/17> -o enp2s0 -m
> policy --dir out --pol ipsec -j ACCEPT
> > -A POSTROUTING -s 10.10.0.0/17 <http://10.10.0.0/17> -o enp2s0 -j
> MASQUERADE
> > COMMIT
> > # Completed on Thu Jul 18 06:54:18 2019
> > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > *mangle
> > :PREROUTING ACCEPT [78101233478:52605889723396]
> > :INPUT ACCEPT [28473561018:8872181346525]
> > :FORWARD ACCEPT [49618124462:43732105143957]
> > :OUTPUT ACCEPT [34893259071:40508743962892]
> > :POSTROUTING ACCEPT [84492095926:84235652892511]
> > -A FORWARD -s 10.10.0.0/17 <http://10.10.0.0/17> -o enp2s0 -p tcp -m
> policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss
> 1361:1536 -j TCPMSS --set-mss 1360
> > COMMIT
> > # Completed on Thu Jul 18 06:54:18 2019
> >
> > *and IPv6*
> >
> > # Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
> > *filter
> > :INPUT DROP [53380:3843262]
> > :FORWARD DROP [0:0]
> > :OUTPUT ACCEPT [54922:3965190]
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > -A FORWARD -s fdd2:54c4:4c90:1::/113 -d fdd2:54c4:4c90:1::/113 -j DROP
> > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > COMMIT
> > # Completed on Thu Jul 18 06:55:55 2019
> > # Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
> > *nat
> > :PREROUTING ACCEPT [16411485:1786456120]
> > :INPUT ACCEPT [2:392]
> > :OUTPUT ACCEPT [232:18788]
> > :POSTROUTING ACCEPT [232:18788]
> > -A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -m policy --dir out
> --pol ipsec -j ACCEPT
> > -A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -j MASQUERADE
> > COMMIT
> > # Completed on Thu Jul 18 06:55:55 2019
> >
> > *and ipsec.conf*
> >
> > config setup
> > strictcrlpolicy=yes
> > uniqueids=never
> > conn Falkenstein-2
> > auto=add
> > compress=no
> > type=tunnel
> > keyexchange=ikev2
> > fragmentation=yes
> > forceencaps=yes
> >
> ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,
> aes256-sha256-ecp521-ecp256-modp4096-modp2048!
> >
> esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,
> aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
> > dpdaction=clear
> > dpddelay=180s
> > dpdtimeout=3600s
> > rekey=no
> > left=%any
> > leftid=@de-fsn-2.xxxxx.net <http://de-fsn-2.xxxxx.net>
> > leftcert=cert.pem
> > leftsendcert=always
> > leftsubnet=0.0.0.0/0 <http://0.0.0.0/0>, ::/0
> > right=%any
> > rightid=%any
> > rightauth=eap-radius
> > eap_identity=%any
> > rightdns=8.8.8.8,8.8.4.4
> > rightsourceip=10.10.10.0/17,fdd2:54c4:4c90:1::300/113 <
> http://10.10.10.0/17,fdd2:54c4:4c90:1::300/113>
> > leftfirewall=no
> >
> >
> > Many Thanks,
> > Houman
> >
> > On Thu, 18 Jul 2019 at 07:42, Noel Kuntze <noel.kuntze at thermi.consulting>
> wrote:
> >
> > Hello Houman,
> >
> > That happens when the main routing table (Or other tables in newer
> kernels) does not have any routes that allow the new route to be installed
> (next hop is not reachable over a local interface).
> > For the exact reason, you'd need to at least provide the IPv6
> routing tables.
> >
> > Kind regards
> >
> > Noel
> >
> > Am 18.07.19 um 00:47 schrieb Houman:
> > > Hello,
> > >
> > > I'm getting this error in the syslog.
> > >
> > > It still connects but I keep getting this error sometimes:
> > > *charon: 15[KNL] received netlink error: Network is unreachable
> (101)*
> > >
> > > Why is that?
> > >
> > > *Syslog:*
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease
> to 'c8c09c88-8a67-4af6-8620-xxxxxx'
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP
> 10.10.55.127 to peer 'c8c09c88-8a67-4af6-8620-xxxxxx'
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] peer requested virtual IP
> %any6
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease
> to 'c8c09c88-8a67-4af6-8620-xxxxxx'
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP
> fdd2:54c4:4c90:1::307f to peer 'c8c09c88-8a67-4af6-8620-xxxxxx'
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[KNL] received netlink error:
> Network is unreachable (101)
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[KNL] unable to install source
> route for %any
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] CHILD_SA
> Falkenstein-2{455771} established with SPIs c6b5caac_i 0c8a8cdf_o and TS
> 0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> ::/0 === 10.10.55.127/32 <
> http://10.10.55.127/32> <http://10.10.55.127/32>
> fdd2:54c4:4c90:1::307f/128
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] sending RADIUS
> Accounting-Request to server 'server-a'
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[NET] received packet: from
> 109.177.xx.xxx[4500] to 136.243.xxx.xxx[4500] (112 bytes)
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] received RADIUS
> Accounting-Response from server 'server-a'
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[ENC] generating IKE_AUTH
> response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP)
> N(ADD_6_ADDR) ]
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[ENC] parsed IKE_AUTH request 6
> [ AUTH ]
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 09[NET] sending packet: from
> 136.243.xxx.xxx[4500] to 86.97.xx.xxx[4500] (368 bytes)
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] authentication of 'VPN'
> with EAP successful
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] authentication of '
> de-fsn-2.xxxxx.net <http://de-fsn-2.xxxxx.net> <http://de-fsn-2.xxxxx.net>'
> (myself) with EAP
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] IKE_SA
> Falkenstein-2[549905] established between 136.243.xxx.xxx[
> de-fsn-2.xxxxx.net <http://de-fsn-2.xxxxx.net> <http://de-fsn-2.xxxxx.net
> >]...109.177.xx.xxx[VPN]
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] peer requested virtual IP
> %any
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] reassigning offline lease
> to 'b05ccf72-7bad-425e-95e0-xxxxx'
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] assigning virtual IP
> 10.10.50.102 to peer 'b05ccf72-7bad-425e-95e0-xxxxx'
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] peer requested virtual IP
> %any6
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] reassigning offline lease
> to 'b05ccf72-7bad-425e-95e0-xxxxx'
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] assigning virtual IP
> fdd2:54c4:4c90:1::2b66 to peer 'b05ccf72-7bad-425e-95e0-xxxxx'
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[KNL] received netlink error:
> Network is unreachable (101)
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[KNL] unable to install source
> route for %any
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] CHILD_SA
> Falkenstein-2{455772} established with SPIs c23f2271_i 07d2a903_o and TS
> 0.0.0.0/0 <http://0.0.0.0/0> <http://0.0.0.0/0> ::/0 === 10.10.50.102/32 <
> http://10.10.50.102/32> <http://10.10.50.102/32>
> fdd2:54c4:4c90:1::2b66/128
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] sending RADIUS
> Accounting-Request to server 'server-a'
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 13[NET] received packet: from
> 94.206.xxx.xxx[4500] to 136.243.xxx.xxx[4500] (368 bytes)
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] received RADIUS
> Accounting-Response from server 'server-a'
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[ENC] generating IKE_AUTH
> response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP)
> N(ADD_6_ADDR) ]
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 13[ENC] unknown attribute type
> (25)
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 13[ENC] parsed IKE_AUTH request 1
> [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6
> DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 15[NET] sending packet: from
> 136.243.xxx.xxx[4500] to 109.177.xx.xxx[4500] (368 bytes)
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] looking for peer configs
> matching 136.243.xxx.xxx[de-fsn-2.xxxxx.net <http://de-fsn-2.xxxxx.net> <
> http://de-fsn-2.xxxxx.net>]...94.206.xxx.xxx[VPN]
> > >
> > > Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] selected peer config
> 'Falkenstein-2'
> > >
> > >
> > > Many Thanks,
> > >
> > > Houman
> > >
> >
> > --
> > Noel Kuntze
> > IT security consultant
> >
> > GPG Key ID: 0x0739AD6C
> > Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
> >
> >
>
> --
> Noel Kuntze
> IT security consultant
>
> GPG Key ID: 0x0739AD6C
> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190718/e545d9a1/attachment-0001.html>
More information about the Users
mailing list