[strongSwan] received netlink error: Network is unreachable
Houman
houmie at gmail.com
Thu Jul 18 13:19:58 CEST 2019
Hi Noel,
I hope it is ok that I'm attaching these two files, as they were a bit too
large to paste in here otherwise.
If that's not ok, please let me know and I'll paste them in here anyway.
Many Thanks,
Houman
On Thu, 18 Jul 2019 at 10:04, Noel Kuntze <noel.kuntze at thermi.consulting> wrote:
> Hello Houman,
>
> Those are still not all the IPv4 *and IPv6* routing tables.
> Use `ip route show table all` for IPv4 and `ip -6 route show table all`
> for IPv6.
>
> Kind regards
>
> Noel
>
> On 18.07.19 at 10:29, Houman wrote:
> > Hello Noel.
> >
> > Sorry, it's still too early in the morning for me.
> >
> > `netstat -rn`
> >
> > Kernel IP routing table
> > Destination     Gateway          Genmask     Flags MSS Window irtt Iface
> > 0.0.0.0         136.243.104.xxx  0.0.0.0     UG    0   0      0    enp2s0
> >
> > `route -n`
> > Kernel IP routing table
> > Destination     Gateway          Genmask     Flags Metric Ref Use Iface
> > 0.0.0.0         136.243.104.xxx  0.0.0.0     UG    0      0   0   enp2s0
> >
> > `ip route`
> > default via 136.243.104.xxx dev enp2s0 proto static onlink
> >
> > If I have missed anything please let me know,
> >
> > Many Thanks,
> > Houman
> >
> >
> > On Thu, 18 Jul 2019 at 08:07, Noel Kuntze <noel.kuntze at thermi.consulting> wrote:
> >
> > Hello Houman,
> >
> > Those are not *routing* tables. Those are your *iptables* rules.
> >
> > Kind regards
> >
> > Noel
> >
> > On 18.07.19 at 09:02, Houman wrote:
> > > Hello Noel,
> > >
> > > You're right. It's interesting that I always get the following error right after that: "unable to install source route for %any".
> > >
> > > Please find both the IPv4 and IPv6 routing tables as well as the ipsec.conf below.
> > >
> > > Please note that IPv6 is disabled since my configuration wasn't entirely supported on the latest Ubuntu 18.04, as we had established previously.
> > >
> > > IPv4
> > >
> > > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > > *filter
> > > :INPUT DROP [2615693:262169077]
> > > :FORWARD DROP [4655474:1206379130]
> > > :OUTPUT ACCEPT [8219816926:9451426041332]
> > > -A INPUT -i lo -j ACCEPT
> > > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > > -A FORWARD -s 10.10.0.0/17 -d 10.10.0.0/17 -j DROP
> > > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> > > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > > COMMIT
> > > # Completed on Thu Jul 18 06:54:18 2019
> > > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > > *nat
> > > :PREROUTING ACCEPT [212142454:17804580572]
> > > :INPUT ACCEPT [1326262:431133155]
> > > :OUTPUT ACCEPT [174309:20072403]
> > > :POSTROUTING ACCEPT [174309:20072403]
> > > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -m policy --dir out --pol ipsec -j ACCEPT
> > > -A POSTROUTING -s 10.10.0.0/17 -o enp2s0 -j MASQUERADE
> > > COMMIT
> > > # Completed on Thu Jul 18 06:54:18 2019
> > > # Generated by iptables-save v1.6.1 on Thu Jul 18 06:54:18 2019
> > > *mangle
> > > :PREROUTING ACCEPT [78101233478:52605889723396]
> > > :INPUT ACCEPT [28473561018:8872181346525]
> > > :FORWARD ACCEPT [49618124462:43732105143957]
> > > :OUTPUT ACCEPT [34893259071:40508743962892]
> > > :POSTROUTING ACCEPT [84492095926:84235652892511]
> > > -A FORWARD -s 10.10.0.0/17 -o enp2s0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
> > > COMMIT
> > > # Completed on Thu Jul 18 06:54:18 2019
> > >
> > > and IPv6
> > >
> > > # Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
> > > *filter
> > > :INPUT DROP [53380:3843262]
> > > :FORWARD DROP [0:0]
> > > :OUTPUT ACCEPT [54922:3965190]
> > > -A INPUT -i lo -j ACCEPT
> > > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> > > -A INPUT -p tcp -m tcp --dport 2022 -j ACCEPT
> > > -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > > -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > > -A FORWARD -s fdd2:54c4:4c90:1::/113 -d fdd2:54c4:4c90:1::/113 -j DROP
> > > -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
> > > -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
> > > COMMIT
> > > # Completed on Thu Jul 18 06:55:55 2019
> > > # Generated by ip6tables-save v1.6.1 on Thu Jul 18 06:55:55 2019
> > > *nat
> > > :PREROUTING ACCEPT [16411485:1786456120]
> > > :INPUT ACCEPT [2:392]
> > > :OUTPUT ACCEPT [232:18788]
> > > :POSTROUTING ACCEPT [232:18788]
> > > -A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
> > > -A POSTROUTING -s fdd2:54c4:4c90:1::/113 -o eth0 -j MASQUERADE
> > > COMMIT
> > > # Completed on Thu Jul 18 06:55:55 2019
> > >
> > > and ipsec.conf
> > >
> > > config setup
> > >     strictcrlpolicy=yes
> > >     uniqueids=never
> > >
> > > conn Falkenstein-2
> > >     auto=add
> > >     compress=no
> > >     type=tunnel
> > >     keyexchange=ikev2
> > >     fragmentation=yes
> > >     forceencaps=yes
> > >     ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048,aes256-sha256-ecp521-ecp256-modp4096-modp2048!
> > >     esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048,aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
> > >     dpdaction=clear
> > >     dpddelay=180s
> > >     dpdtimeout=3600s
> > >     rekey=no
> > >     left=%any
> > >     leftid=@de-fsn-2.xxxxx.net
> > >     leftcert=cert.pem
> > >     leftsendcert=always
> > >     leftsubnet=0.0.0.0/0, ::/0
> > >     right=%any
> > >     rightid=%any
> > >     rightauth=eap-radius
> > >     eap_identity=%any
> > >     rightdns=8.8.8.8,8.8.4.4
> > >     rightsourceip=10.10.10.0/17,fdd2:54c4:4c90:1::300/113
> > >     leftfirewall=no
> > >
> > >
> > > Many Thanks,
> > > Houman
> > >
> > > On Thu, 18 Jul 2019 at 07:42, Noel Kuntze <noel.kuntze at thermi.consulting> wrote:
> > >
> > > Hello Houman,
> > >
> > > That happens when the main routing table (or other tables in newer kernels) does not have any routes that allow the new route to be installed (next hop is not reachable over a local interface).
> > > For the exact reason, you'd need to at least provide the IPv6 routing tables.
> > >
> > > Kind regards
> > >
> > > Noel
> > >
> > > On 18.07.19 at 00:47, Houman wrote:
> > > > Hello,
> > > >
> > > > I'm getting this error in the syslog.
> > > >
> > > > It still connects but I keep getting this error sometimes:
> > > > charon: 15[KNL] received netlink error: Network is unreachable (101)
> > > >
> > > > Why is that?
> > > >
> > > > Syslog:
> > > >
> > > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease to 'c8c09c88-8a67-4af6-8620-xxxxxx'
> > > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP 10.10.55.127 to peer 'c8c09c88-8a67-4af6-8620-xxxxxx'
> > > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] peer requested virtual IP %any6
> > > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] reassigning offline lease to 'c8c09c88-8a67-4af6-8620-xxxxxx'
> > > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] assigning virtual IP fdd2:54c4:4c90:1::307f to peer 'c8c09c88-8a67-4af6-8620-xxxxxx'
> > > > Jul 17 21:31:08 de-fsn-2 charon: 09[KNL] received netlink error: Network is unreachable (101)
> > > > Jul 17 21:31:08 de-fsn-2 charon: 09[KNL] unable to install source route for %any
> > > > Jul 17 21:31:08 de-fsn-2 charon: 09[IKE] CHILD_SA Falkenstein-2{455771} established with SPIs c6b5caac_i 0c8a8cdf_o and TS 0.0.0.0/0 ::/0 === 10.10.55.127/32 fdd2:54c4:4c90:1::307f/128
> > > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] sending RADIUS Accounting-Request to server 'server-a'
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[NET] received packet: from 109.177.xx.xxx[4500] to 136.243.xxx.xxx[4500] (112 bytes)
> > > > Jul 17 21:31:08 de-fsn-2 charon: 09[CFG] received RADIUS Accounting-Response from server 'server-a'
> > > > Jul 17 21:31:08 de-fsn-2 charon: 09[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[ENC] parsed IKE_AUTH request 6 [ AUTH ]
> > > > Jul 17 21:31:08 de-fsn-2 charon: 09[NET] sending packet: from 136.243.xxx.xxx[4500] to 86.97.xx.xxx[4500] (368 bytes)
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] authentication of 'VPN' with EAP successful
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] authentication of 'de-fsn-2.xxxxx.net' (myself) with EAP
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] IKE_SA Falkenstein-2[549905] established between 136.243.xxx.xxx[de-fsn-2.xxxxx.net]...109.177.xx.xxx[VPN]
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] peer requested virtual IP %any
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] reassigning offline lease to 'b05ccf72-7bad-425e-95e0-xxxxx'
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] assigning virtual IP 10.10.50.102 to peer 'b05ccf72-7bad-425e-95e0-xxxxx'
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] peer requested virtual IP %any6
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] reassigning offline lease to 'b05ccf72-7bad-425e-95e0-xxxxx'
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] assigning virtual IP fdd2:54c4:4c90:1::2b66 to peer 'b05ccf72-7bad-425e-95e0-xxxxx'
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[KNL] received netlink error: Network is unreachable (101)
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[KNL] unable to install source route for %any
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[IKE] CHILD_SA Falkenstein-2{455772} established with SPIs c23f2271_i 07d2a903_o and TS 0.0.0.0/0 ::/0 === 10.10.50.102/32 fdd2:54c4:4c90:1::2b66/128
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] sending RADIUS Accounting-Request to server 'server-a'
> > > > Jul 17 21:31:08 de-fsn-2 charon: 13[NET] received packet: from 94.206.xxx.xxx[4500] to 136.243.xxx.xxx[4500] (368 bytes)
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[CFG] received RADIUS Accounting-Response from server 'server-a'
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[ENC] generating IKE_AUTH response 6 [ AUTH CPRP(ADDR ADDR6 DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
> > > > Jul 17 21:31:08 de-fsn-2 charon: 13[ENC] unknown attribute type (25)
> > > > Jul 17 21:31:08 de-fsn-2 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
> > > > Jul 17 21:31:08 de-fsn-2 charon: 15[NET] sending packet: from 136.243.xxx.xxx[4500] to 109.177.xx.xxx[4500] (368 bytes)
> > > > Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] looking for peer configs matching 136.243.xxx.xxx[de-fsn-2.xxxxx.net]...94.206.xxx.xxx[VPN]
> > > > Jul 17 21:31:08 de-fsn-2 charon: 13[CFG] selected peer config 'Falkenstein-2'
> > > >
> > > > Many Thanks,
> > > >
> > > > Houman
> > > >
> > >
> > > --
> > > Noel Kuntze
> > > IT security consultant
> > >
> > > GPG Key ID: 0x0739AD6C
> > > Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
> > >
> > >
> >
> >
> >
>
>
>
>
Attachments (scrubbed by the list archive):
  ipv4.log (application/octet-stream, 56527 bytes): <http://lists.strongswan.org/pipermail/users/attachments/20190718/f5325f05/attachment-0002.obj>
  ipv6.log (application/octet-stream, 56145 bytes): <http://lists.strongswan.org/pipermail/users/attachments/20190718/f5325f05/attachment-0003.obj>
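A check for the condition Noel describes, added here as an example and not code from strongSwan or from anyone in the thread: it takes the `rightsourceip` pools from the ipsec.conf quoted above and constructed `ip route show table all` / `ip -6 route show table all` output, and flags any pool whose address family has no route via a non-loopback interface, which is where an IPv6 pool ends up once IPv6 is disabled on the host. The on-link and local route lines are invented sample data; only the default route matches what was pasted.

```python
import ipaddress

# Constructed sample of `ip route show table all` on the responder: the default route
# matches the one pasted in the thread, the on-link and local entries are invented.
IPV4_ROUTES = """\
default via 136.243.104.xxx dev enp2s0 proto static onlink
136.243.104.0/26 dev enp2s0 proto kernel scope link src 136.243.104.xxx
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
"""
# Constructed sample of `ip -6 route show table all` with IPv6 disabled: only the
# loopback entry in the local table is left, nothing that points at a real interface.
IPV6_ROUTES = """\
local ::1 dev lo table local proto kernel metric 0 pref medium
"""
# Pools from the ipsec.conf quoted above.
RIGHTSOURCEIP = "10.10.10.0/17,fdd2:54c4:4c90:1::300/113"


def usable_devices(route_dump):
    """Interfaces with at least one route a next hop could be resolved over (lo excluded)."""
    devs = set()
    for line in route_dump.splitlines():
        tok = line.split()
        # local/broadcast/unreachable entries never give charon an egress interface
        if not tok or tok[0] in ("local", "broadcast", "unreachable", "blackhole", "prohibit"):
            continue
        if "dev" in tok:
            dev = tok[tok.index("dev") + 1]
            if dev != "lo":
                devs.add(dev)
    return devs


def check_pools(rightsourceip, v4_dump, v6_dump):
    """Pools whose address family has no usable route: charon's per-peer route install
    fails there with ENETUNREACH, the 'Network is unreachable (101)' seen in the thread."""
    devs = {4: usable_devices(v4_dump), 6: usable_devices(v6_dump)}
    problems = {}
    for pool in (p.strip() for p in rightsourceip.split(",")):
        net = ipaddress.ip_network(pool, strict=False)  # strict=False tolerates host bits
        if not devs[net.version]:
            problems[pool] = f"no IPv{net.version} route via a non-loopback interface"
    return problems


if __name__ == "__main__":
    for pool, why in check_pools(RIGHTSOURCEIP, IPV4_ROUTES, IPV6_ROUTES).items():
        print(f"{pool}: {why}; drop the pool or restore IPv6 routing on the host")
```

Run it against real output by replacing the two constants with the actual `ip route show table all` and `ip -6 route show table all` dumps.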