[strongSwan] received netlink error: Network is unreachable

Houman houmie at gmail.com
Fri Jul 19 20:24:23 CEST 2019


Hello Noel,

It works! I tested it for 24 hours and not a single issue anymore. Thank
you very much for your help.

For the record, this is the file I have edited.

/etc/strongswan.d/charon.conf

I uncommented the line *install_routes = yes* and changed it to *install_routes = no*

Thanks,
Houman

On Thu, 18 Jul 2019 at 12:35, Noel Kuntze <noel.kuntze at thermi.consulting> wrote:

> Hello Houman,
>
> I took a look at it and it seems the problem is that your default route is
>
> default via fe80::1 dev enp2s0 proto static metric 1024 pref medium
>
> fe80::1 is a link-local address, so I assume the problem is that the
> kernel doesn't have a clue which interface it exactly can be reached over.
>
> but that doesn't matter, because you can disable route installation
> anyway, because you don't need it in your use case.
> So just set charon.install_routes=no and you're fine. It will improve
> performance on your setup, too.
>
> Kind regards
>
> Noel
>
> Am 18.07.19 um 13:24 schrieb Houman:
> > Hi Noel,
> >
> > I just tried to send it to the group but the message body was larger than 100kb and it was held back.
> >
> > I hope it's ok that I'm attaching them here directly. I hope this is what you were looking for.
> >
> > Many Thanks,
> > Houman
> >
> >
> > On Thu, 18 Jul 2019 at 10:04, Noel Kuntze <noel.kuntze at thermi.consulting> wrote:
> >
> >     Hello Houman,
> >
> >     Those are still not all the IPv4 *and IPv6* routing tables.
> >     Use `ip route show table all` for IPv4 and `ip -6 route show table all` for IPv6.
> >
> >     Kind regards
> >
> >     Noel
> >
> >     Am 18.07.19 um 10:29 schrieb Houman:
> >     > Hello Noel.
> >     >
> >     > Sorry, it's still too early in the morning for me.
> >     >
> >     > *> netstat -rn*
> >     >
> >     > Kernel IP routing table
> >     > Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> >     > 0.0.0.0         136.243.104.xxx 0.0.0.0         UG        0 0          0 enp2s0
> >     >
> >     > *> route -n*
> >     > Kernel IP routing table
> >     > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> >     > 0.0.0.0         136.243.104.xxx 0.0.0.0         UG    0      0        0 enp2s0
> >     >
> >     > *> iproute*
> >     > default via 136.243.104.xxx dev enp2s0 proto static onlink
> >     >
> >     > If I have missed anything please let me know,
> >     >
> >     > Many Thanks,
> >     > Houman
> >     >
> >     >
> >     > On Thu, 18 Jul 2019 at 08:07, Noel Kuntze <noel.kuntze at thermi.consulting> wrote:
> >     >
> >     >     Hello Houman,
> >     >
> >     >     Those are not *routing* tables. Those are your *iptables* rules.
> >     >
> >     >     Kind regards
> >     >
> >     >     Noel
> >     >
> >     >     Am 18.07.19 um 09:02 schrieb Houman:
> >     >     > Hello Noel,
> >     >     >
> >     >     > You're right. It's interesting that I always get the following error right after that. "unable to install source route for %any".
> >     >     >
> >     >     > Please find both the IPv4 and IPv6 routing tables as well as the ipsec.conf below.
> >     >     >
> >     >     > Please note that IPv6 is disabled since my configuration wasn't entirely supported on the latest Ubuntu 18.04 as we had established previously.
> >     >     >
> >     >     > *IPv4*
> >     >     >
> >     >     > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> >     >     > *filter
> >     >     > :INPUT DROP [2615693:262169077]
> >     >     > :FORWARD DROP [4655474:1206379130]
> >     >     > :OUTPUT ACCEPT [8219816926:9451426041332]
> >     >     > -A INPUT -i lo -j ACCEPT
> >     >     > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> >     >     > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> >     >     > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> >     >     > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> >     >     > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> >     >     > -A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP
> >     >     > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> >     >     > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> >     >     > COMMIT
> >     >     > # Completed on Thu Jul 18 06:54:18 2019
> >     >     > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> >     >     > *nat
> >     >     > :PREROUTING ACCEPT [212142454:17804580572]
> >     >     > :INPUT ACCEPT [1326262:431133155]
> >     >     > :OUTPUT ACCEPT [174309:20072403]
> >     >     > :POSTROUTING ACCEPT [174309:20072403]
> >     >     > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -m policy --dir out --pol ipsec -j ACCEPT
> >     >     > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -j MASQUERADE
> >     >     > COMMIT
> >     >     > # Completed on Thu Jul 18 06:54:18 2019
> >     >     > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> >     >     > *mangle
> >     >     > :PREROUTING ACCEPT [78101233478:52605889723396]
> >     >     > :INPUT ACCEPT [28473561018:8872181346525]
> >     >     > :FORWARD ACCEPT [49618124462:43732105143957]
> >     >     > :OUTPUT ACCEPT [34893259071:40508743962892]
> >     >     > :POSTROUTING ACCEPT [84492095926:84235652892511]
> >     >     > -A FORWARD -s 10.10.0.0/17 -o enp2s0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
> >     >     > COMMIT
> >     >     > # Completed on Thu Jul 18 06:54:18 2019
> >     >     >
> >     >     > *and IPv6*
> >     >     >
> >     >     > # Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
> >     >     > *filter
> >     >     > :INPUT DROP [53380:3843262]
> >     >     > :FORWARD DROP [0:0]
> >     >     > :OUTPUT ACCEPT [54922:3965190]
> >     >     > -A INPUT -i lo -j ACCEPT
> >     >     > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> >     >     > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> >     >     > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> >     >     > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> >     >     > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> >     >     > -A FORWARD -s fdd2:54c4:4c90:1::/113 -d fdd2:54c4:4c90:1::/113 -j DROP
> >     >     > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> >     >     > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> >     >     > COMMIT
> >     >     > # Completed on Thu Jul 18 06:55:55 2019
> >     >     > # Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
> >     >     > *nat
> >     >     > :PREROUTING ACCEPT [16411485:1786456120]
> >     >     > :INPUT ACCEPT [2:392]
> >     >     > :OUTPUT ACCEPT [232:18788]
> >     >     > :POSTROUTING ACCEPT [232:18788]
> >     >     > -A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
> >     >     > -A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -j MASQUERADE
> >     >     > COMMIT
> >     >     > # Completed on Thu Jul 18 06:55:55 2019
> >     >     >
> >     >     > *and ipsec.conf*
> >     >     >
> >     >     > config setup
> >     >     >   strictcrlpolicy=yes
> >     >     >   uniqueids=never
> >     >     > conn Falkenstein-2
> >     >     >   auto=add
> >     >     >   compress=no
> >     >     >   type=tunnel
> >     >     >   keyexchange=ikev2
> >     >     >   fragmentation=yes
> >     >     >   forceencaps=yes
> >     >     >   ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048, aes256-sha256-ecp521-ecp256-modp4096-modp2048!
> >     >     >   esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
> >     >     >   dpdaction=clear
> >     >     >   dpddelay=180s
> >     >     >   dpdtimeout=3600s
> >     >     >   rekey=no
> >     >     >   left=%any
> >     >     >   leftid=@de-fsn-2.xxxxx.net
> >     >     >   leftcert=cert.pem
> >     >     >   leftsendcert=always
> >     >     >   leftsubnet=0.0.0.0/0, ::/0
> >     >     >   right=%any
> >     >     >   rightid=%any
> >     >     >   rightauth=eap-radius
> >     >     >   eap_identity=%any
> >     >     >   rightdns=8.8.8.8,8.8.4.4
> >     >     >   rightsourceip=10.10.10.0/17,fdd2:54c4:4c90:1::300/113
> >     >     >   leftfirewall=no
> >     >     >
> >     >     >
> >     >     > Many Thanks,
> >     >     > Houman
> >     >     >
> >     >     > On Thu, 18 Jul 2019 at 07:42, Noel Kuntze <noel.kuntze at thermi.consulting> wrote:
> >     >     >
> >     >     >     Hello Houman,
> >     >     >
> >     >     >     That happens when the main routing table (Or other tables in newer kernels) does not have any routes that allow the new route to be installed (next hop is not reachable over a local interface).
> >     >     >     For the exact reason, you'd need to at least provide the IPv6 routing tables.
> >     >     >
> >     >     >     Kind regards
> >     >     >
> >     >     >     Noel
> >     >     >
> >     >     >     Am 18.07.19 um 00:47 schrieb Houman:
> >     >     >     > Hello,
> >     >     >     >
> >     >     >     > I'm getting this error in the syslog.
> >     >     >     >
> >     >     >     > It still connects but I keep getting this error sometimes:
> >     >     >     > *charon: 15[KNL] received netlink error: Network is unreachable (101)*
> >     >     >     >
> >     >     >     > Why is that?
> >     >     >     >
> >     >     >     > *Syslog:*
> >     >     >     >
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease to 'c8c09c88-8a67-4af6-8620-xxxxxx'
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP 10.10.55.127 to peer 'c8c09c88-8a67-4af6-8620-xxxxxx'
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] peer requested virtual IP %any6
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease to 'c8c09c88-8a67-4af6-8620-xxxxxx'
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP fdd2:54c4:4c90:1::307f to peer 'c8c09c88-8a67-4af6-8620-xxxxxx'
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 09[KNL] received netlink error: Network is unreachable (101)
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 09[KNL] unable to install source route for %any
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] CHILD_SA Falkenstein-2{455771} established with SPIs c6b5caac_i 0c8a8cdf_o and TS 0.0.0.0/0 ::/0 === 10.10.55.127/32 fdd2:54c4:4c90:1::307f/128
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] sending RADIUS Accounting-Request to server 'server-a'
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[NET] received packet: from 109.177.xx.xxx[4500] to 136.243.xxx.xxx[4500] (112 bytes)
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] received RADIUS Accounting-Response from server 'server-a'
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 09[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[ENC] parsed IKE_AUTH request 6 [ AUTH ]
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 09[NET] sending packet: from 136.243.xxx.xxx[4500] to 86.97.xx.xxx[4500] (368 bytes)
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] authentication of 'VPN' with EAP successful
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] authentication of 'de-fsn-2.xxxxx.net' (myself) with EAP
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] IKE_SA Falkenstein-2[549905] established between 136.243.xxx.xxx[de-fsn-2.xxxxx.net]...109.177.xx.xxx[VPN]
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] peer requested virtual IP %any
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] reassigning offline lease to 'b05ccf72-7bad-425e-95e0-xxxxx'
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] assigning virtual IP 10.10.50.102 to peer 'b05ccf72-7bad-425e-95e0-xxxxx'
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] peer requested virtual IP %any6
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] reassigning offline lease to 'b05ccf72-7bad-425e-95e0-xxxxx'
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] assigning virtual IP fdd2:54c4:4c90:1::2b66 to peer 'b05ccf72-7bad-425e-95e0-xxxxx'
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[KNL] received netlink error: Network is unreachable (101)
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[KNL] unable to install source route for %any
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] CHILD_SA Falkenstein-2{455772} established with SPIs c23f2271_i 07d2a903_o and TS 0.0.0.0/0 ::/0 === 10.10.50.102/32 fdd2:54c4:4c90:1::2b66/128
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] sending RADIUS Accounting-Request to server 'server-a'
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 13[NET] received packet: from 94.206.xxx.xxx[4500] to 136.243.xxx.xxx[4500] (368 bytes)
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] received RADIUS Accounting-Response from server 'server-a'
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 13[ENC] unknown attribute type (25)
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 15[NET] sending packet: from 136.243.xxx.xxx[4500] to 109.177.xx.xxx[4500] (368 bytes)
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] looking for peer configs matching 136.243.xxx.xxx[de-fsn-2.xxxxx.net]...94.206.xxx.xxx[VPN]
> >     >     >     > Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] selected peer config 'Falkenstein-2'
> >     >     >     >
> >     >     >     >
> >     >     >     > Many Thanks,
> >     >     >     >
> >     >     >     > Houman
> >     >     >     >
> >     >     >
> >     >     >     --
> >     >     >     Noel Kuntze
> >     >     >     IT security consultant
> >     >     >
> >     >     >     GPG Key ID: 0x0739AD6C
> >     >     >     Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
> >     >     >
> >     >     >
> >     >
> >     >     --
> >     >     Noel Kuntze
> >     >     IT security consultant
> >     >
> >     >     GPG Key ID: 0x0739AD6C
> >     >     Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
> >     >
> >     >
> >
> >     --
> >     Noel Kuntze
> >     IT security consultant
> >
> >     GPG Key ID: 0x0739AD6C
> >     Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
> >
> >
>
> --
> Noel Kuntze
> IT security consultant
>
> GPG Key ID: 0x0739AD6C
> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
>
>
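The diagnosis in this thread comes down to two checks that are easy to automate on a strongSwan gateway: whether the next hop of each default route is one the kernel can resolve when charon adds a source route through it (Noel's point about the link-local fe80::1 gateway), and whether `charon.install_routes` is still at its documented default of `yes`. The script below is an added example written for this page, not code from the thread or from strongSwan. It parses constructed `ip route show table all` / `ip -6 route show table all` output (documentation-range addresses, with an IPv6 default route via fe80::1 like the one quoted above) and a constructed `charon.conf` excerpt. `next_hop_reachable` is a deliberately simplified model of the kernel's next-hop validation and is an assumption, not kernel code; the sample data, function names and the `Route` type are all this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output in the shape of `ip route show table all` (IPv4)
# and `ip -6 route show table all` (IPv6); documentation-range addresses, with
# the IPv6 default route mirroring the one quoted in the thread.
SAMPLE_ROUTES4 = """\
default via 192.0.2.1 dev enp2s0 proto static onlink
192.0.2.0/26 dev enp2s0 proto kernel scope link src 192.0.2.50
local 192.0.2.50 dev enp2s0 table local proto kernel scope host src 192.0.2.50
"""
SAMPLE_ROUTES6 = """\
default via fe80::1 dev enp2s0 proto static metric 1024 pref medium
2001:db8:1::/64 dev enp2s0 proto kernel metric 256 pref medium
fe80::/64 dev enp2s0 proto kernel metric 256 pref medium
local 2001:db8:1::50 dev enp2s0 table local proto kernel metric 0 pref medium
"""
# Constructed excerpt in /etc/strongswan.d/charon.conf syntax.
SAMPLE_CHARON_CONF = """\
charon {
    # route installation disabled, as in the fix reported in the thread
    install_routes = no
    install_virtual_ip = yes
}
"""
ROUTE_TYPES = {"unicast", "local", "broadcast", "multicast", "anycast",
               "unreachable", "prohibit", "blackhole", "throw"}

@dataclass
class Route:
    dst: object          # IPv4Network or IPv6Network
    via: object          # gateway address, or None for a connected route
    dev: Optional[str]
    table: str

def parse_routes(text: str, family: int) -> List[Route]:
    """Parse `ip route` style lines of one address family (4 or 6)."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] in ROUTE_TYPES:
            tokens.pop(0)                      # optional route type prefix
        dst = tokens.pop(0)
        if dst == "default":
            dst = "0.0.0.0/0" if family == 4 else "::/0"
        via = dev = None
        table = "main"
        for i, tok in enumerate(tokens):       # keyword/value pairs of interest
            if tok == "via":
                via = ipaddress.ip_address(tokens[i + 1])
            elif tok == "dev":
                dev = tokens[i + 1]
            elif tok == "table":
                table = tokens[i + 1]
        routes.append(Route(ipaddress.ip_network(dst, strict=False), via, dev, table))
    return routes

def next_hop_reachable(gateway, dev: Optional[str], routes: List[Route]) -> Tuple[bool, str]:
    """Simplified model (an assumption, not kernel code) of the check the kernel
    applies to the next hop when a route 'via gateway [dev X]' is added."""
    if gateway.is_link_local and dev is None:
        return False, "link-local gateway without a device is ambiguous"
    for r in routes:
        if (r.via is None and r.dst.prefixlen > 0 and gateway.version == r.dst.version
                and gateway in r.dst and (dev is None or r.dev == dev)):
            return True, f"covered by connected route {r.dst} dev {r.dev}"
    return False, "no connected route covers the gateway (ENETUNREACH)"

def check_default_routes(routes: List[Route], assume_dev: bool) -> List[Tuple[str, bool, str]]:
    """Judge the next hop of each default route as a source route through it
    would need it; assume_dev=False means the new route names no interface."""
    findings = []
    for r in routes:
        if r.dst.prefixlen == 0 and r.via is not None:
            ok, why = next_hop_reachable(r.via, r.dev if assume_dev else None, routes)
            findings.append((str(r.via), ok, why))
    return findings

def parse_strongswan_conf(text: str) -> dict:
    """Flatten strongswan.conf-style `section { key = value }` into dotted keys."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # '#' starts a comment
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[".".join(stack + [key])] = value
    return settings

def install_routes_enabled(conf_text: str) -> bool:
    """charon.install_routes defaults to yes when absent or commented out."""
    value = parse_strongswan_conf(conf_text).get("charon.install_routes", "yes")
    return value.lower() in ("yes", "true", "1")

if __name__ == "__main__":
    for fam, text in ((4, SAMPLE_ROUTES4), (6, SAMPLE_ROUTES6)):
        for gw, ok, why in check_default_routes(parse_routes(text, fam), assume_dev=False):
            print(f"IPv{fam} default via {gw}: {'ok' if ok else 'not installable'} ({why})")
    print("charon.install_routes enabled:", install_routes_enabled(SAMPLE_CHARON_CONF))
```

On the sample data the IPv4 default route passes, while the IPv6 default route via fe80::1 fails when the route being added carries no interface and passes only when it names `enp2s0`, which is the ambiguity Noel describes for link-local next hops. To run it against a real host, feed the captured output of `ip route show table all` and `ip -6 route show table all` to `parse_routes` and the contents of `/etc/strongswan.d/charon.conf` to `install_routes_enabled`; on a gateway that only terminates roadwarrior tunnels and masquerades their traffic, as in this thread, the route install is not needed and `install_routes = no` sidesteps the check entirely.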