[strongSwan] StrongSwan w/ multiple local subnets.

TomK tomkcpr at mdevsys.com
Mon Aug 10 02:10:36 CEST 2020


On 6/30/2020 4:41 AM, Tobias Brunner wrote:
> Hi Tom,
> 
>> What I meant to say, is that would confirm all proper kernel modules
>> were already in place to allow the communication would it not?  Anything
>> else I could try to, in the least, confirm if the packet was
>> successfully forwarded to the Azure VPN Gateway end?
>>
>> I know the packet arrives at the IPSec ipsec0 interface however,
>> checking just now, I don't see any traffic change on the WAN interface
>> of the on-prem StrongSwan VPN GW.
> 
> As explained in previous emails, with kernel-libipsec you are not using
> any of the IPsec-related kernel modules.  IPsec processing happens in
> userland via ipsec0 TUN device (see [1] for more on this plugin).
> rp_filter could be an issue when using it.
> 
> To check traffic, use packet counters (strongSwan's status output,
> firewall etc.) or traffic captures on the respective hosts to see if
> e.g. ESP packets are exchanged.
> 
> Regards,
> Tobias
> 
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec
> 


Hey All,

So I've given up on DD-WRT for the time being and decided instead to use 
an old Raspberry PI 2 and OpenWRT.

The topology I'll reference is available on the below OpenWRT forum. 
For the sake of not replicating all the content (and partially due to a 
touch of laziness), here is the link:

Aug 9th post:

https://forum.openwrt.org/t/openwrt-support-for-quagga-ospf-strongswan-ipsecv2-1-openvpn-firewalld-ssh-ddns-dnsmasquerade/69528/18

I'm effectively running into this error:

Aug  9 17:04:06 OWRT01 : 14[IKE] initiating IKE_SA AZURE[1] to 
123.123.123.123
Aug  9 17:04:06 OWRT01 : 14[ENC] generating IKE_SA_INIT request 0 [ SA 
KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug  9 17:04:06 OWRT01 : 14[NET] sending packet: from 
100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 17:04:06 OWRT01 : 04[NET] error writing to socket: Network 
unreachable
Aug  9 17:04:10 OWRT01 : 14[IKE] retransmit 1 of request with message ID 0


This time, XFRM modules are loaded:


root at OWRT01:~# lsmod|grep xfrm
tunnel4                12288  2 sit,xfrm4_tunnel
tunnel6                12288  1 xfrm6_tunnel
xfrm_algo              12288  7 
esp6,ah6,esp4,ah4,xfrm_user,xfrm_ipcomp,af_key
xfrm_ipcomp            12288  2 ipcomp6,ipcomp
xfrm_user              28672  0
xfrm4_mode_beet        12288  0
xfrm4_mode_transport   12288  0
xfrm4_mode_tunnel      12288  0
xfrm4_tunnel           12288  0
xfrm6_mode_beet        12288  0
xfrm6_mode_transport   12288  0
xfrm6_mode_tunnel      12288  0
xfrm6_tunnel           12288  1 ipcomp6
root at OWRT01:~#


However, from the OpenWRT post, you can see that packets aren't even 
making it out of the ipsec0 interface, nor from the br-lan interface.


-- 
Thx,
TK.
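A small diagnostic script for the two failure points this thread touches, added here as an example (it is not from the thread, from OpenWRT, or from the strongSwan project): the "error writing to socket: Network unreachable" line is strerror(ENETUNREACH) from sendto(), i.e. the kernel has no route from the local address to the peer, and the rp_filter caveat Tobias raises for kernel-libipsec, where decrypted packets surface on ipsec0 with sources in the remote subnet and strict reverse-path filtering on that device drops them. The addresses 100.100.100.100 and 123.123.123.123 and the interface names are the thread's placeholders; the "diagnose" mode assumes ip, ipsec or swanctl are present on the box. The parsing functions take their input as arguments so they can be exercised offline against constructed sysctl trees and `ip route get` output.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan.
# Usage on the strongSwan host (POSIX sh, works under busybox ash):
#   sh ike_diag.sh diagnose 123.123.123.123 100.100.100.100

# "Network unreachable" from the IKE socket is ENETUNREACH: no route from the
# local address to the peer. A usable 'ip route get PEER from SRC' answer names an
# outgoing device ("... dev eth0 ..."); a missing route prints
# "RTNETLINK answers: Network is unreachable" instead.
route_ok() {
    case "$1" in
        *" dev "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Effective rp_filter for a device is max(conf/all, conf/DEV).
# Args: DEV [BASE]; BASE defaults to the real sysctl tree, tests pass a temp dir.
rp_filter_mode() {
    base=${2:-/proc/sys/net/ipv4/conf}
    all=$(cat "$base/all/rp_filter" 2>/dev/null || echo 0)
    devval=$(cat "$base/$1/rp_filter" 2>/dev/null || echo 0)
    eff=$all
    [ "$devval" -gt "$eff" ] && eff=$devval
    case "$eff" in
        1) echo strict ;;   # drops packets whose reply route is not via this device
        2) echo loose ;;    # accepts if any route to the source exists
        *) echo off ;;
    esac
}

# Print "DEV MODE" for every device under BASE; return 1 if any device is strict,
# because strict mode on ipsec0 (or the WAN side) silently eats libipsec traffic.
rp_filter_report() {
    base=${1:-/proc/sys/net/ipv4/conf}
    rc=0
    for d in "$base"/*/; do
        d=${d%/}; d=${d##*/}
        case "$d" in all|default) continue ;; esac
        mode=$(rp_filter_mode "$d" "$base")
        echo "$d $mode"
        [ "$mode" = strict ] && rc=1
    done
    return $rc
}

if [ "${1-}" = diagnose ]; then
    peer=$2; src=$3
    out=$(ip route get "$peer" from "$src" 2>&1)
    if route_ok "$out"; then
        echo "route: $out"
    else
        echo "NO ROUTE from $src to $peer: $out"
    fi
    rp_filter_report || echo "strict rp_filter above will drop decrypted ipsec0 traffic"
    # Packet counters, as suggested above: bytes_i/bytes_o per CHILD_SA from
    # strongSwan's own status output, plus the TUN device counters.
    ipsec statusall 2>/dev/null || swanctl --list-sas
    ip -s link show ipsec0 2>/dev/null
fi
```

If `route_ok` fails, fix the default route or the per-source policy routing on the OpenWRT box before touching strongSwan; the kernel rejects the IKE_SA_INIT packet before it ever reaches the WAN. If `rp_filter_report` flags ipsec0 or the WAN device as strict, set `net.ipv4.conf.ipsec0.rp_filter=0` (or `2`) and confirm with a capture that ESP or UDP/4500 actually leaves the WAN interface.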

