[strongSwan] updown on client side not called strongSwan 5.8.1

bls s bls3427 at outlook.com
Sun Sep 8 04:40:24 CEST 2019


Forgot the logs.

Client log:   https://pastebin.com/Lb0ZsrC4 
Server log:  https://pastebin.com/x3uHLnLV


From: Users <users-bounces at lists.strongswan.org> on behalf of bls s <bls3427 at outlook.com>
Sent: Saturday, September 7, 2019 5:22 PM
To: users at lists.strongswan.org <users at lists.strongswan.org>
Subject: [strongSwan] updown on client side not called strongSwan 5.8.1

I'm trying to set up a Linux roadwarrior client on Raspbian Buster (strongSwan 5.8.1) connecting to a Raspbian Buster server
(strongSwan 5.8.0) using /etc/swanctl.conf. strongSwan was built from source on both systems. The client is connected to the network via my phone hotspot to test an outside-the-firewall connection.

When I swanctl --initiate theclient-theserver --child theclient-theserver the connection and the child (from the client), the VPN
connection and child connection appear to be established.

iptables seems to be set up correctly on the server, but there are no iptables entries added on the client.

I added a 'printenv >> /tmp/updown.log" to /libexec/ipsec/_updown on both ends. The printenv output is logged on the server side, but the client side never calls the updown script. There are no iptables entries made for the connection, and of course, no traffic is passed over the VPN.

I'm stumped as to why my updown script isn't called. Any thoughts?

Thanks!

Here's the Server connection from the server's /etc/swanctl/swanctl.conf

    ikev2-pubkey-linux {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s
        local-1 {
             auth = pubkey
             cacerts = strongSwanCACert.pem
             certs = linux-strongSwanVPNCert.pem
             id = linux.domain.com
        }
        remote-1 {
             auth = pubkey
        }
        children {
            ikev2-pubkey {
                local_ts  = 0.0.0.0/0
                updown = /libexec/ipsec/_updown iptables
            }
        }
    }

And here's the Client connection from the client's /etc/swanctl/swanctl.conf

    theclient-theserver {
        version = 2
        local_addrs  = %any
        remote_addrs = theserver.domain.com
        vips = 0.0.0.0
        mobike = no
        reauth_time = 10800

        local-1 {
            auth = pubkey
            certs = theclient-pi-theserverCert.pem
             id = theclient-pi-theserver at myvpn.net
        }
        remote-1 {
            id = linux.domain.com
        }
        children {
            theclient-theserver {
                ikev2-pubkey {
                    remote_ts = 0.0.0.0/0
                    updown = /libexec/ipsec/_updown iptables
                    esp_proposals = aes128gcm128-x25519
                }
            }
        }
    }

>From the server:

theserver/libexec/ipsec# swanctl --list-sas
ikev2-pubkey-linux: #2, ESTABLISHED, IKEv2, 087489bd226c45e3_i 43a903a639bf6081_r*
  local  'linux.domain.com' @ 192.168.92.3[4500]
  remote 'theclient-pi-theserver at myvpn.net' @ my.phone.ip.address[54007] [10.92.10.1]
  AES_GCM_16-192/PRF_HMAC_SHA2_256/ECP_256
  established 990s ago
  ikev2-pubkey: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 990s ago, rekeying in 2373s, expires in 2970s
    in  c638a5f3,      0 bytes,     0 packets
    out c6a7423c,      0 bytes,     0 packets
    local  my.external.ip.address/32
    remote 10.92.10.1/32

>From the client:

theclient/etc/swanctl# swanctl --list-sas
theclient-theserver: #2, ESTABLISHED, IKEv2, 087489bd226c45e3_i* 43a903a639bf6081_r
  local  'theclient-pi-theserver at myvpn.net' @ 172.20.10.6[4500] [10.92.10.1]
  remote 'linux.domain.com' @ my.external.ip.address[4500]
  AES_GCM_16-192/PRF_HMAC_SHA2_256/ECP_256
  established 1034s ago, reauth in 9763s
  theclient-theserver: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 1034s ago, rekeying in 2409s, expires in 2926s
    in  c6a7423c,      0 bytes,     0 packets
    out c638a5f3,      0 bytes,     0 packets
    local  10.92.10.1/32
    remote my.external.ip.address/32


More information about the Users mailing list