[strongSwan] received netlink error: Network is unreachable
Houman
houmie at gmail.com
Fri Jul 19 20:24:23 CEST 2019
Hello Noel,
It works! I tested it for 24 hours and not a single issue anymore. Thank
you very much for your help.
For the record, this is the file I have edited.
/etc/strongswan.d/charon.conf
I uncommented the line `install_routes = yes` and changed it to `install_routes = no`.
Thanks,
Houman
On Thu, 18 Jul 2019 at 12:35, Noel Kuntze <noel.kuntze at thermi.consulting> wrote:
> Hello Houman,
>
> I took a look at it and it seems the problem is that your default route is
>
> default via fe80::1 dev enp2s0 proto static metric 1024 pref medium
>
> fe80::1 is a link-local address, so I assume the problem is that the
> kernel doesn't have a clue which interface it exactly can be reached over.
>
> but that doesn't matter, because you can disable route installation
> anyway, because you don't need it in your use case.
> So just set charon.install_routes=no and you're fine. It will improve
> performance on your setup, too.
>
> Kind regards
>
> Noel
>
> Am 18.07.19 um 13:24 schrieb Houman:
> > Hi Noel,
> >
> > I just tried to send it to the group but the message body was larger than 100kb and it was held back.
> >
> > I hope it's ok that I'm attaching them here directly. I hope this is what you were looking for.
> >
> > Many Thanks,
> > Houman
> >
> >
> > On Thu, 18 Jul 2019 at 10:04, Noel Kuntze <noel.kuntze at thermi.consulting> wrote:
> >
> > Hello Houman,
> >
> > Those are still not all the IPv4 *and IPv6* routing tables.
> > Use `ip route show table all` for IPv4 and `ip -6 route show table all` for IPv6.
> >
> > Kind regards
> >
> > Noel
> >
> > Am 18.07.19 um 10:29 schrieb Houman:
> > > Hello Noel.
> > >
> > > Sorry, it's still too early in the morning for me.
> > >
> > > `netstat -rn`
> > >
> > > Kernel IP routing table
> > > Destination     Gateway          Genmask         Flags   MSS Window  irtt Iface
> > > 0.0.0.0         136.243.104.xxx  0.0.0.0         UG        0 0          0 enp2s0
> > >
> > > `route -n`
> > > Kernel IP routing table
> > > Destination     Gateway          Genmask         Flags Metric Ref    Use Iface
> > > 0.0.0.0         136.243.104.xxx  0.0.0.0         UG    0      0        0 enp2s0
> > >
> > > `ip route`
> > > default via 136.243.104.xxx dev enp2s0 proto static onlink
> > >
> > > If I have missed anything please let me know,
> > >
> > > Many Thanks,
> > > Houman
> > >
> > >
> > > On Thu, 18 Jul 2019 at 08:07, Noel Kuntze <noel.kuntze at thermi.consulting> wrote:
> > >
> > > Hello Houman,
> > >
> > > Those are not *routing* tables. Those are your *iptables* rules.
> > >
> > > Kind regards
> > >
> > > Noel
> > >
> > > Am 18.07.19 um 09:02 schrieb Houman:
> > > > Hello Noel,
> > > >
> > > > You're right. It's interesting that I always get the following error right after that: "unable to install source route for %any".
> > > >
> > > > Please find both the IPv4 and IPv6 routing tables as well as the ipsec.conf below.
> > > >
> > > > Please note that IPv6 is disabled since my configuration wasn't entirely supported on the latest Ubuntu 18.04, as we had established previously.
> > > >
> > > > IPv4
> > > >
> > > > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > > > *filter
> > > > :INPUT DROP [2615693:262169077]
> > > > :FORWARD DROP [4655474:1206379130]
> > > > :OUTPUT ACCEPT [8219816926:9451426041332]
> > > > -A INPUT -i lo -j ACCEPT
> > > > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > > > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > > > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > > > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > > > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > > > -A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP
> > > > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> > > > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > > > COMMIT
> > > > # Completed on Thu Jul 18 06:54:18 2019
> > > > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > > > *nat
> > > > :PREROUTING ACCEPT [212142454:17804580572]
> > > > :INPUT ACCEPT [1326262:431133155]
> > > > :OUTPUT ACCEPT [174309:20072403]
> > > > :POSTROUTING ACCEPT [174309:20072403]
> > > > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -m policy --dir out --pol ipsec -j ACCEPT
> > > > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -j MASQUERADE
> > > > COMMIT
> > > > # Completed on Thu Jul 18 06:54:18 2019
> > > > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > > > *mangle
> > > > :PREROUTING ACCEPT [78101233478:52605889723396]
> > > > :INPUT ACCEPT [28473561018:8872181346525]
> > > > :FORWARD ACCEPT [49618124462:43732105143957]
> > > > :OUTPUT ACCEPT [34893259071:40508743962892]
> > > > :POSTROUTING ACCEPT [84492095926:84235652892511]
> > > > -A FORWARD -s 10.10.0.0/17 -o enp2s0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
> > > > COMMIT
> > > > # Completed on Thu Jul 18 06:54:18 2019
> > > >
> > > > and IPv6
> > > >
> > > > # Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
> > > > *filter
> > > > :INPUT DROP [53380:3843262]
> > > > :FORWARD DROP [0:0]
> > > > :OUTPUT ACCEPT [54922:3965190]
> > > > -A INPUT -i lo -j ACCEPT
> > > > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > > > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > > > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > > > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > > > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > > > -A FORWARD -s fdd2:54c4:4c90:1::/113 -d fdd2:54c4:4c90:1::/113 -j DROP
> > > > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> > > > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > > > COMMIT
> > > > # Completed on Thu Jul 18 06:55:55 2019
> > > > # Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
> > > > *nat
> > > > :PREROUTING ACCEPT [16411485:1786456120]
> > > > :INPUT ACCEPT [2:392]
> > > > :OUTPUT ACCEPT [232:18788]
> > > > :POSTROUTING ACCEPT [232:18788]
> > > > -A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
> > > > -A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -j MASQUERADE
> > > > COMMIT
> > > > # Completed on Thu Jul 18 06:55:55 2019
> > > >
> > > > and ipsec.conf
> > > >
> > > > config setup
> > > >     strictcrlpolicy=yes
> > > >     uniqueids=never
> > > > conn Falkenstein-2
> > > >     auto=add
> > > >     compress=no
> > > >     type=tunnel
> > > >     keyexchange=ikev2
> > > >     fragmentation=yes
> > > >     forceencaps=yes
> > > >     ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048, aes256-sha256-ecp521-ecp256-modp4096-modp2048!
> > > >     esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
> > > >     dpdaction=clear
> > > >     dpddelay=180s
> > > >     dpdtimeout=3600s
> > > >     rekey=no
> > > >     left=%any
> > > >     leftid=@de-fsn-2.xxxxx.net
> > > >     leftcert=cert.pem
> > > >     leftsendcert=always
> > > >     leftsubnet=0.0.0.0/0, ::/0
> > > >     right=%any
> > > >     rightid=%any
> > > >     rightauth=eap-radius
> > > >     eap_identity=%any
> > > >     rightdns=8.8.8.8,8.8.4.4
> > > >     rightsourceip=10.10.10.0/17,fdd2:54c4:4c90:1::300/113
> > > >     leftfirewall=no
> > > >
> > > >
> > > > Many Thanks,
> > > > Houman
> > > >
> > > > On Thu, 18 Jul 2019 at 07:42, Noel Kuntze <noel.kuntze at thermi.consulting> wrote:
> > > >
> > > > Hello Houman,
> > > >
> > > > That happens when the main routing table (or other tables in newer kernels) does not have any routes that allow the new route to be installed (next hop is not reachable over a local interface).
> > > > For the exact reason, you'd need to at least provide the IPv6 routing tables.
> > > >
> > > > Kind regards
> > > >
> > > > Noel
> > > >
> > > > Am 18.07.19 um 00:47 schrieb Houman:
> > > > > Hello,
> > > > >
> > > > > I'm getting this error in the syslog.
> > > > >
> > > > > It still connects but I keep getting this error sometimes:
> > > > > charon: 15[KNL] received netlink error: Network is unreachable (101)
> > > > >
> > > > > Why is that?
> > > > >
> > > > > Syslog:
> > > > >
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease to 'c8c09c88-8a67-4af6-8620-xxxxxx'
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP 10.10.55.127 to peer 'c8c09c88-8a67-4af6-8620-xxxxxx'
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] peer requested virtual IP %any6
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease to 'c8c09c88-8a67-4af6-8620-xxxxxx'
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP fdd2:54c4:4c90:1::307f to peer 'c8c09c88-8a67-4af6-8620-xxxxxx'
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 09[KNL] received netlink error: Network is unreachable (101)
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 09[KNL] unable to install source route for %any
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] CHILD_SA Falkenstein-2{455771} established with SPIs c6b5caac_i 0c8a8cdf_o and TS 0.0.0.0/0 ::/0 === 10.10.55.127/32 fdd2:54c4:4c90:1::307f/128
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] sending RADIUS Accounting-Request to server 'server-a'
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[NET] received packet: from 109.177.xx.xxx[4500] to 136.243.xxx.xxx[4500] (112 bytes)
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] received RADIUS Accounting-Response from server 'server-a'
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 09[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[ENC] parsed IKE_AUTH request 6 [ AUTH ]
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 09[NET] sending packet: from 136.243.xxx.xxx[4500] to 86.97.xx.xxx[4500] (368 bytes)
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] authentication of 'VPN' with EAP successful
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] authentication of 'de-fsn-2.xxxxx.net' (myself) with EAP
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] IKE_SA Falkenstein-2[549905] established between 136.243.xxx.xxx[de-fsn-2.xxxxx.net]...109.177.xx.xxx[VPN]
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] peer requested virtual IP %any
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] reassigning offline lease to 'b05ccf72-7bad-425e-95e0-xxxxx'
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] assigning virtual IP 10.10.50.102 to peer 'b05ccf72-7bad-425e-95e0-xxxxx'
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] peer requested virtual IP %any6
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] reassigning offline lease to 'b05ccf72-7bad-425e-95e0-xxxxx'
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] assigning virtual IP fdd2:54c4:4c90:1::2b66 to peer 'b05ccf72-7bad-425e-95e0-xxxxx'
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[KNL] received netlink error: Network is unreachable (101)
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[KNL] unable to install source route for %any
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] CHILD_SA Falkenstein-2{455772} established with SPIs c23f2271_i 07d2a903_o and TS 0.0.0.0/0 ::/0 === 10.10.50.102/32 fdd2:54c4:4c90:1::2b66/128
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] sending RADIUS Accounting-Request to server 'server-a'
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 13[NET] received packet: from 94.206.xxx.xxx[4500] to 136.243.xxx.xxx[4500] (368 bytes)
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] received RADIUS Accounting-Response from server 'server-a'
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 13[ENC] unknown attribute type (25)
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 15[NET] sending packet: from 136.243.xxx.xxx[4500] to 109.177.xx.xxx[4500] (368 bytes)
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] looking for peer configs matching 136.243.xxx.xxx[de-fsn-2.xxxxx.net]...94.206.xxx.xxx[VPN]
> > > > > Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] selected peer config 'Falkenstein-2'
> > > > >
> > > > > Many Thanks,
> > > > >
> > > > > Houman
> > > > >
> > > >
> > >
> >
>
> --
> Noel Kuntze
> IT security consultant
>
> GPG Key ID: 0x0739AD6C
> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
>
>
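As an added example (not code from the thread, from its participants or from strongSwan), here is a small POSIX sh pre-flight that mechanises the two checks Noel walked Houman through: flag a default route whose next hop is a link-local fe80::/10 address, and read or apply the `charon.install_routes` setting in /etc/strongswan.d/charon.conf. The route output and the charon.conf fragment below are constructed samples, not the thread's real host data.

```shell
#!/bin/sh
# Constructed samples shaped like `ip -6 route show table all` output and a
# /etc/strongswan.d/charon.conf fragment (not the thread's real host data).
SAMPLE_V6_ROUTES='default via fe80::1 dev enp2s0 proto static metric 1024 pref medium
fdd2:54c4:4c90:1::/113 dev enp2s0 proto kernel metric 256 pref medium
fe80::/64 dev enp2s0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium'

SAMPLE_V6_GLOBAL_GW='default via 2001:db8::1 dev enp2s0 proto static metric 1024 pref medium
2001:db8::/64 dev enp2s0 proto kernel metric 256 pref medium'

SAMPLE_CHARON_CONF='charon {
    # Install routes into a separate routing table for established tunnels.
    # install_routes = yes

    # Unrelated key with a similar prefix; the fix below must not touch it.
    # install_virtual_ip = yes
}'

# Print "GW dev IFACE" for every default route whose next hop is link-local
# (fe80::/10), the pattern Noel pointed at; exit status 0 when one is found.
linklocal_default_gw() {
  printf '%s\n' "$1" | awk '
    $1 == "default" && $2 == "via" && tolower($3) ~ /^fe[89ab][0-9a-f]:/ {
      print $3 " dev " $5; found = 1
    }
    END { exit !found }'
}

# Effective charon.install_routes: the last uncommented assignment wins, and
# the daemon default is "yes" when the key is absent or only present as a comment.
effective_install_routes() {
  val=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*install_routes[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' |
        tail -n 1)
  printf '%s\n' "${val:-yes}"
}

# Apply the fix from the thread: uncomment the stock line and set it to "no".
set_install_routes_no() {
  printf '%s\n' "$1" |
    sed 's/^[[:space:]]*#\{0,1\}[[:space:]]*install_routes[[:space:]]*=.*/    install_routes = no/'
}

# On a live gateway (as root): linklocal_default_gw "$(ip -6 route show table all)"
# and effective_install_routes "$(cat /etc/strongswan.d/charon.conf)".
```

Noel's advice to disable route installation is tied to this responder-only roadwarrior gateway; on your own setup, confirm that the main table already routes traffic towards the remote traffic selectors before turning it off.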