[strongSwan] StrongSwan w/ multiple local subnets.

TomK tomkcpr at mdevsys.com
Tue Aug 11 07:16:40 CEST 2020


On 8/9/2020 8:10 PM, TomK wrote:
> On 6/30/2020 4:41 AM, Tobias Brunner wrote:
>> Hi Tom,
>>
>>> What I meant to say, is that would confirm all proper kernel modules
>>> were already in place to allow the communication would it not?  Anything
>>> else I could try to, in the least, confirm if the packet was
>>> successfully forwarded to the Azure VPN Gateway end?
>>>
>>> I know the packet arrives at the IPSec ipsec0 interface however,
>>> checking just now, I don't see any traffic change on the WAN interface
>>> of the on-prem StrongSwan VPN GW.
>>
>> As explained in previous emails, with kernel-libipsec you are not using
>> any of the IPsec-related kernel modules.  IPsec processing happens in
>> userland via ipsec0 TUN device (see [1] for more on this plugin).
>> rp_filter could be an issue when using it.
>>
>> To check traffic, use packet counters (strongSwan's status output,
>> firewall etc.) or traffic captures on the respective hosts to see if
>> e.g. ESP packets are exchanged.
>>
>> Regards,
>> Tobias
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec
>>
> 
> 
> Hey All,
> 
> So I've given up on DD-WRT for the time being and decided instead to use 
> an old Raspberry PI 2 and OpenWRT.
> 
> The topology I'll reference is available on the below OpenWRT forum. For 
> the sake of not replicating all the content (and partially due to a 
> touch of laziness), here is the link:
> 
> Aug 9th post:
> 
> https://forum.openwrt.org/t/openwrt-support-for-quagga-ospf-strongswan-ipsecv2-1-openvpn-firewalld-ssh-ddns-dnsmasquerade/69528/18 
> 
> 
> I'm effectively running into this error:
> 
> Aug  9 17:04:06 OWRT01 : 14[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
> Aug  9 17:04:06 OWRT01 : 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Aug  9 17:04:06 OWRT01 : 14[NET] sending packet: from 100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
> Aug  9 17:04:06 OWRT01 : 04[NET] error writing to socket: Network unreachable
> Aug  9 17:04:10 OWRT01 : 14[IKE] retransmit 1 of request with message ID 0
> 
> 
> This time, XFRM modules are loaded:
> 
> 
> root at OWRT01:~# lsmod|grep xfrm
> tunnel4                12288  2 sit,xfrm4_tunnel
> tunnel6                12288  1 xfrm6_tunnel
> xfrm_algo              12288  7 esp6,ah6,esp4,ah4,xfrm_user,xfrm_ipcomp,af_key
> xfrm_ipcomp            12288  2 ipcomp6,ipcomp
> xfrm_user              28672  0
> xfrm4_mode_beet        12288  0
> xfrm4_mode_transport   12288  0
> xfrm4_mode_tunnel      12288  0
> xfrm4_tunnel           12288  0
> xfrm6_mode_beet        12288  0
> xfrm6_mode_transport   12288  0
> xfrm6_mode_tunnel      12288  0
> xfrm6_tunnel           12288  1 ipcomp6
> root at OWRT01:~#
> 
> 
> However, from the OpenWRT post, you can see that packets aren't even 
> making it out of the ipsec0 interface, nor from the br-lan interface.
> 
> 


Made it past the above issue.  Had to set:


left=192.168.0.12
type=passthrough


since this is a device behind the main router.  My bad!


Now I'm receiving a reply back:


root at DD-WRT-INTERNET-ASUS:~# tcpdump -n | grep -Ei "123.123.123.123"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:42:10.410556 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
21:42:10.414404 IP 123.123.123.123.500 > 192.168.0.12.500: isakmp: parent_sa ikev2_init[R]


However the result is this error:

received NO_PROPOSAL_CHOSEN notify error

I've gone and searched the above error but nothing worked so far.  Tried 
different settings for ike= and esp= but no luck either.


Perhaps I'm missing something here a trained eye won't?  Any help is 
appreciated.


---------------------------------------------------------
Full session:


Aug 11 00:41:57 OWRT01 : 00[DMN] signal of type SIGINT received. Shutting down
Aug 11 00:42:00 OWRT01 : 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, armv7l)
Aug 11 00:42:00 OWRT01 : 00[CFG] PKCS11 module '<name>' lacks library path
Aug 11 00:42:01 OWRT01 : 00[LIB] curl SSL backend 'mbedTLS/2.16.6' not supported, https:// disabled
Aug 11 00:42:01 OWRT01 : 00[CFG] disabling load-tester plugin, not configured
Aug 11 00:42:01 OWRT01 : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Aug 11 00:42:01 OWRT01 : 00[LIB] created TUN device: ipsec0
Aug 11 00:42:01 OWRT01 : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
Aug 11 00:42:01 OWRT01 : 00[CFG] attr-sql plugin: database URI not set
Aug 11 00:42:01 OWRT01 : 00[NET] using forecast interface br-lan
Aug 11 00:42:01 OWRT01 : 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Aug 11 00:42:01 OWRT01 : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 11 00:42:01 OWRT01 : 00[CFG]   loaded IKE secret for 192.168.0.12 123.123.123.123
Aug 11 00:42:01 OWRT01 : 00[CFG] sql plugin: database URI not set
Aug 11 00:42:01 OWRT01 : 00[CFG] loaded 0 RADIUS server configurations
Aug 11 00:42:01 OWRT01 : 00[CFG] HA config misses local/remote address
Aug 11 00:42:01 OWRT01 : 00[CFG] coupling file path unspecified
Aug 11 00:42:01 OWRT01 : 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default socket-dynamic connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Aug 11 00:42:01 OWRT01 : 00[JOB] spawning 16 worker threads
Aug 11 00:42:01 OWRT01 : 13[CFG] received stroke: add connection 'AZURE'
Aug 11 00:42:01 OWRT01 : 13[CFG] added configuration 'AZURE'
Aug 11 00:42:01 OWRT01 : 15[CFG] received stroke: initiate 'AZURE'
Aug 11 00:42:01 OWRT01 : 15[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
Aug 11 00:42:01 OWRT01 : 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 11 00:42:01 OWRT01 : 15[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (336 bytes)
Aug 11 00:42:01 OWRT01 : 10[NET] received packet: from 192.168.0.6[500] to 192.168.0.12[500] (336 bytes)
Aug 11 00:42:01 OWRT01 : 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 11 00:42:01 OWRT01 : 10[IKE] no IKE config found for 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
Aug 11 00:42:01 OWRT01 : 10[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 11 00:42:01 OWRT01 : 10[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[500] (36 bytes)
Aug 11 00:42:01 OWRT01 : 11[NET] received packet: from 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
Aug 11 00:42:01 OWRT01 : 11[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 11 00:42:01 OWRT01 : 11[IKE] received NO_PROPOSAL_CHOSEN notify error


root at OWRT01:~# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.8.2 IPsec [starter]...
root at OWRT01:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
         # strictcrlpolicy=yes
         # uniqueids = no

conn AZURE
         authby=secret
         auto=start
         type=passthrough
         keyexchange=ikev2
         keylife=3600s
         ikelifetime=28800s

         left=192.168.0.12
         leftsubnet=0.0.0.0/0
         right=123.123.123.123
         rightsubnet=0.0.0.0/0

         ike=aes256-sha2_256-modp1024
         esp=aes256-sha2_256

root at OWRT01:~#


root at OWRT01:~# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
# Verbosity levels
# -1: Absolutely silent
# 0: Very basic auditing logs, (e.g. SA up/SA down)
# 1: Generic control flow with errors, a good default to see whats going on
# 2: More detailed debugging control flow
# 3: Including RAW data dumps in Hex
# 4: Also include sensitive material in dumps, e.g. keys
charon {
         load_modular = yes
         plugins {
                 include strongswan.d/charon/*.conf
         }
         filelog {
                 charon {
                         path = /var/log/charon.log
                         time_format = %b %e %T
                         append = no
                         default = 0 # in case troubleshoot is required switch this to 2
                 }
                 stderr {
                         ike = 0 # in case troubleshoot is required switch this to 2
                         knl = 0 # in case troubleshoot is required switch this to 3
                         ike_name = yes
                 }
         }
         syslog {
                 # enable logging to LOG_DAEMON, use defaults
                 daemon {
                 }
                 # minimalistic IKE auditing logging to LOG_AUTHPRIV
                 auth {
                         default = 0 # in case troubleshoot is required switch this to 2
                         ike = 0 # in case troubleshoot is required switch this to 2
                 }
         }
}
include strongswan.d/*.conf
root at OWRT01:~#


-- 
Thx,
TK.
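A log check from the defender's side, added here as an example and not part of the thread: in the full session above, the 336-byte IKE_SA_INIT request sent to 123.123.123.123 comes straight back as an inbound request from 192.168.0.6, and the 36-byte NO_PROP that the local daemon itself generates then arrives back stamped with the remote address, which is the pattern of a request being hairpinned by a NAT device rather than rejected by the remote gateway. The script pairs sent and received packets from such charon [NET] lines to flag that; it assumes 192.168.0.6 is the upstream router (the thread does not say) and uses the thread's log lines as constructed sample input.

```python
import re

# Constructed sample: the [NET]/[IKE] lines of the thread's "Full session" log.
# 192.168.0.6 is assumed to be the upstream NAT router (the thread does not say).
SAMPLE_LOG = """\
Aug 11 00:42:01 OWRT01 : 15[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (336 bytes)
Aug 11 00:42:01 OWRT01 : 10[NET] received packet: from 192.168.0.6[500] to 192.168.0.12[500] (336 bytes)
Aug 11 00:42:01 OWRT01 : 10[IKE] no IKE config found for 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
Aug 11 00:42:01 OWRT01 : 10[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[500] (36 bytes)
Aug 11 00:42:01 OWRT01 : 11[NET] received packet: from 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
Aug 11 00:42:01 OWRT01 : 11[IKE] received NO_PROPOSAL_CHOSEN notify error
"""

PKT_RE = re.compile(r"\[NET\] (sending|received) packet: from ([\d.]+)\[\d+\] "
                    r"to ([\d.]+)\[\d+\] \((\d+) bytes\)")

def parse_packets(log):
    """Return (direction, src, dst, size) for every charon [NET] packet line."""
    pkts = []
    for line in log.splitlines():
        m = PKT_RE.search(line)
        if m:
            direction, src, dst, size = m.groups()
            pkts.append((direction, src, dst, int(size)))
    return pkts

def find_reflections(pkts, peer):
    """Pair each sent packet with the next received packet of identical size.
    If that copy arrives from an address other than the one we sent to, the
    packet was handed straight back by a middlebox instead of reaching its
    destination. Returns (kind, sent_to, came_back_from, size) tuples."""
    findings = []
    for i, (direction, _src, dst, size) in enumerate(pkts):
        if direction != "sending":
            continue
        for rdir, rsrc, _rdst, rsize in pkts[i + 1:]:
            if rdir == "received" and rsize == size:
                if rsrc != dst:
                    kind = "request_bounced" if dst == peer else "reply_rewritten"
                    findings.append((kind, dst, rsrc, size))
                break  # only the first size-matched inbound packet counts
    return findings

def self_answered(log, peer):
    """True when NO_PROPOSAL_CHOSEN came from our own daemon answering a
    reflected IKE_SA_INIT, not from the remote gateway."""
    findings = find_reflections(parse_packets(log), peer)
    return any(kind == "request_bounced" for kind, *_ in findings)
```

When the check is positive, the thing to look at is the router between the strongSwan box and the Internet (its UDP 500/4500 forwarding and NAT reflection), not the ike=/esp= proposals.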