[strongSwan] Strongswan, Netns and routing configuration question
Makarand Pradhan
MakarandPradhan at is5com.com
Thu May 9 22:11:51 CEST 2019
Hi All,
I think I've figured this one out. I had to set ip_forward in the namespace.
ip netns exec net1 sysctl -w net.ipv4.ip_forward=1
Now I can see the packet come out of the net1_veth0.23 if.
Tx.
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
#1-1815 Meyerside Drive
Mississauga, Ontario
L5T 1G3
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com
Confidentiality Notice:
This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.
-----Original Message-----
From: Users <users-bounces at lists.strongswan.org> On Behalf Of Makarand Pradhan
Sent: May 9, 2019 3:32 PM
To: users at lists.strongswan.org
Subject: [strongSwan] Strongswan, Netns and routing configuration question
Hello All,
I am running strongswan in a netns. My ipsec tunnel is established. I can ping the 2 sides. All the same, I cannot ping any other devices on the subnet. Would highly appreciate any help.
The setup is described below in detail:
PC 10.10.24.1/24 <-LAN-> 10.10.24.3/24 (eth0) Pi 80.0.0.3/24 (eth1) <- strongswan ipsec tunnel -> 80.0.0.2/24 (net1_veth0.80) 10.10.23.2 (net1_veth0.23) <-LAN-> 10.10.23.4
I am now trying to ping 10.10.23.4 from 10.10.24.1.
On 10.10.24.1, the routing table has 10.10.24.3 is via gateway 10.10.24.3:
10.10.23.0/24 via 10.10.24.3 dev eth1
I see the ESP packets come into net1_veth0.80.
13:49:28.620355 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 156)
80.0.0.3 > 80.0.0.2: ESP(spi=0xcd75daf6,seq=0x12), length 136
The decrypted packet is seen on net1_veth0.80:
13:49:28.620490 IP (tos 0x0, ttl 63, id 2164, offset 0, flags [DF], proto ICMP (1), length 84)
10.10.24.1 > 10.10.23.4: ICMP echo request, id 375, seq 18, length 64
The packet does not come out on the net1_veth0.23 interface.
The routing table in the network name space is as follows:
sh-4.3# ip netns exec net1 ip ro
10.10.23.0/24 dev net1_veth0.23 proto kernel scope link src 10.10.23.2
80.0.0.0/24 dev net1_veth0.80 proto kernel scope link src 80.0.0.2
ip_forward is set:
sh-4.3# cat /proc/sys/net/ipv4/ip_forward
1
Also forwarding is set on all the veth interfaces, e.g.:
sh-4.3# cat /proc/sys/net/ipv4/conf/veth0/forwarding
1
sh-4.3# cat /proc/sys/net/ipv4/conf/veth0.80/forwarding
1
I am probably missing something in my routing config. This is probably more of a routing question.
Thanks for taking the time to read the question.
With Rgds,
Makarand Pradhan
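An added example, not part of the original messages: /proc/sys/net is resolved per network namespace, so a value of 1 read from a root-namespace shell says nothing about net1. The sketch below reads ip_forward and the per-interface forwarding switches from inside a namespace and prints the fix from the reply when they are off; ns_run, check_forwarding and audit_all are hypothetical helper names, and root privileges are assumed.

```shell
#!/bin/sh
# Added example: audit IPv4 forwarding inside each network namespace.
# Helper names are hypothetical. Usage (as root): audit_all

# Run a command in namespace $1; an empty name means the root namespace.
ns_run() {
    _ns=$1; shift
    if [ -z "$_ns" ]; then "$@"; else ip netns exec "$_ns" "$@"; fi
}

# Report why namespace $1 would not forward IPv4. Returns 0 if it forwards.
check_forwarding() {
    _target=$1
    _conf=/proc/sys/net/ipv4
    _root_val=$(ns_run "" cat "$_conf/ip_forward") || return 2
    _ns_val=$(ns_run "$_target" cat "$_conf/ip_forward") || return 2
    _rc=0
    if [ "$_ns_val" != "1" ]; then
        _rc=1
        if [ "$_root_val" = "1" ]; then
            echo "$_target: ip_forward=0 here, although the root namespace reports 1"
        else
            echo "$_target: ip_forward=0"
        fi
        echo "  fix: ip netns exec $_target sysctl -w net.ipv4.ip_forward=1"
    fi
    # Per-interface switches are namespace-local too (names may contain dots).
    for _if in $(ns_run "$_target" ls "$_conf/conf"); do
        case "$_if" in all|default|lo) continue ;; esac
        _v=$(ns_run "$_target" cat "$_conf/conf/$_if/forwarding") || continue
        if [ "$_v" != "1" ]; then
            _rc=1
            echo "$_target: forwarding=0 on $_if"
        fi
    done
    [ "$_rc" -eq 0 ] && echo "$_target: IPv4 forwarding enabled"
    return "$_rc"
}

# Check every named namespace; succeeds only if all of them forward.
audit_all() {
    _bad=0
    for _n in $(ip netns list | awk '{print $1}'); do
        check_forwarding "$_n" || _bad=$((_bad + 1))
    done
    [ "$_bad" -eq 0 ]
}
```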