[strongSwan] Strongswan, Netns and routing configuration question

Makarand Pradhan MakarandPradhan at is5com.com
Thu May 9 22:11:51 CEST 2019


Hi All,

I think I've figured this one. I had to set ip_forward in the namespace.

ip netns exec net1 sysctl -w net.ipv4.ip_forward=1

Now I can see the packet come out of the net1_veth0.23 if.

Tx.

Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
#1-1815 Meyerside Drive
Mississauga, Ontario
L5T 1G3
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com

 
Confidentiality Notice: 
This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.
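The check that settles this is the one run inside the namespace: net.ipv4.* sysctls are per network namespace, so reading /proc/sys from the host shell reports the host's value. The script below is an added example, not code from the thread; it assumes iproute2 (`ip netns`) and root for the real read, and uses the namespace and interface names from the setup described in the original message.

```shell
#!/bin/sh
# Added example (not code from the thread). net.ipv4.* sysctls are per
# network namespace, so `cat /proc/sys/net/ipv4/ip_forward` in the host
# shell reports the host's value, not net1's. This checks forwarding from
# inside the namespace. Assumes iproute2 (`ip netns`) and root.

# read_in_ns <ns> <path relative to /proc/sys>: the real reader.
read_in_ns() {
  ip netns exec "$1" cat "/proc/sys/$2" 2>/dev/null || echo missing
}

# check_forwarding <reader> <ns> <iface>...
# <reader> is a function taking (ns, path); passing a function lets the
# same logic run against a fake /proc/sys tree without root.
# Returns 0 only when ip_forward and every listed interface's
# per-device forwarding flag are 1 inside <ns>.
check_forwarding() {
  reader=$1; ns=$2; shift 2
  rc=0
  if [ "$("$reader" "$ns" net/ipv4/ip_forward)" != 1 ]; then
    echo "$ns: net.ipv4.ip_forward is not 1" \
         "(fix: ip netns exec $ns sysctl -w net.ipv4.ip_forward=1)"
    rc=1
  fi
  for ifc in "$@"; do
    if [ "$("$reader" "$ns" "net/ipv4/conf/$ifc/forwarding")" != 1 ]; then
      echo "$ns: forwarding is not 1 on $ifc"
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "$ns: forwarding enabled on: $*"
  return "$rc"
}

# Usage for the setup in the thread (needs root):
#   check_forwarding read_in_ns net1 net1_veth0.80 net1_veth0.23
```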

-----Original Message-----
From: Users <users-bounces at lists.strongswan.org> On Behalf Of Makarand Pradhan
Sent: May 9, 2019 3:32 PM
To: users at lists.strongswan.org
Subject: [strongSwan] Strongswan, Netns and routing configuration question

Hello All,

I am running strongswan in a netns. My ipsec tunnel is established. I can ping the 2 sides. All the same, I cannot ping any other devices on the subnet. Would highly appreciate any help. 

The setup is described below in detail:

PC 10.10.24.1/24 <-LAN-> 10.10.24.3/24 (eth0) Pi 80.0.0.3/24 (eth1) <- strongswan ipsec tunnel -> 80.0.0.2/24 (net1_veth0.80) 10.10.23.2 (net1_veth0.23) <-LAN-> 10.10.23.4

I am now trying to ping 10.10.23.4 from 10.10.24.1.

On 10.10.24.1, the routing table routes via gateway 10.10.24.3:

10.10.23.0/24 via 10.10.24.3 dev eth1 

I see the ESP packets come into net1_veth0.80.

13:49:28.620355 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 156)
    80.0.0.3 > 80.0.0.2: ESP(spi=0xcd75daf6,seq=0x12), length 136

The decrypted packet is seen on net1_veth0.80:

13:49:28.620490 IP (tos 0x0, ttl 63, id 2164, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.24.1 > 10.10.23.4: ICMP echo request, id 375, seq 18, length 64

The packet does not come out on the net1_veth0.23 interface.

The routing table in the network namespace is as follows:
sh-4.3# ip netns exec net1 ip ro
10.10.23.0/24 dev net1_veth0.23  proto kernel  scope link  src 10.10.23.2
80.0.0.0/24 dev net1_veth0.80  proto kernel  scope link  src 80.0.0.2

ip_forward is set:

sh-4.3# cat /proc/sys/net/ipv4/ip_forward
1

Also forwarding is set on all the veth interfaces, e.g.:

sh-4.3# cat /proc/sys/net/ipv4/conf/veth0/forwarding
1

sh-4.3# cat /proc/sys/net/ipv4/conf/veth0.80/forwarding
1

I am probably missing something in my routing config. This is probably more of a routing question.

Thanks for taking the time to read the question.

With Rgds,
Makarand Pradhan

