[strongSwan] Request for help with failed GRE-over-IPSec config

Philip Prindeville philipp_subx at redfish-solutions.com
Fri Aug 14 20:18:08 CEST 2020


Hi.

I’m using 64-bit CentOS 8 Stream on a pair of Raspberry Pi4’s as hotspots.

I’m using a self-signed Cert and derived public certs per this article:

https://www.howtoforge.com/tutorial/strongswan-based-ipsec-vpn-using-certificates-and-pre-shared-key-on-ubuntu-16-04/

There are (hostnames) Pelican2 (gw1) and Pelican1 (gw5).  But I’ll refer to them by their strongSwan configuration names.

The capture is from gw1, which is at XX.XX.XX.246, and has dummy0 (10.5.28.1/24) as the internal test subnet.

Gw5 is at XX.XX.XX.245, and has dummy0 (10.5.30.1/24) as the internal test subnet.

If I try to ping from gw5 to 10.5.28.1 then I get Unreachables.

If I ping from gw1 to gw5 on 10.5.30.1 then it sometimes works, and I can briefly ping back in the reverse direction (i.e. to 10.5.28.1 from gw5 which previously didn’t work).

My issues are:

(1) I can’t confirm that the PING is being encapsulated in GRE, then the GRE goes over IPSec ESP transport mode.

(2) If that is in fact working, it looks like the decapsulated PING is being rejected by the firewall on gw1, or else there’s a misconfiguration…

Unlike a Cisco router, which I can set an ACL and do full packet tracing, I’m not sure if there’s an equivalent way to do marking and logging in Linux + NFT in the kernel (because of the known limitations of how BPF interacts with the IPSec stack in Linux).  Any pointers would be appreciated.

Do I need to set up a “policy” rule that allows incoming decapsulated PING (ICMP Echo Request) packets?

Are there known issues or additional configuration required to interoperate with firewalld?

Thanks,

-Philip

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: strongswan.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200814/147b9f8c/attachment-0001.txt>
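On the first question (confirming that the ping is carried inside GRE, which is then carried by ESP), the following is an added example and is not part of the original post or of strongSwan. It is a small dependency-free decoder for raw IPv4 frames that walks the header chain and reports each layer; run over bytes pulled from a capture it shows either "IPv4 -> GRE -> IPv4 -> ICMP echo" (what a capture on the GRE tunnel interface should show, since the kernel has already removed ESP there) or "IPv4 -> ESP" (what the physical interface shows in transport mode, where the GRE header is encrypted and cannot be inspected). The sample frames are constructed inline: the inner addresses are the post's 10.5.28.1 and 10.5.30.1, and 203.0.113.246/.245 are assumed stand-ins for the redacted XX.XX.XX.246/.245 gateways.

```python
# Added example, not from the original post or strongSwan: decode an IPv4
# frame layer by layer to confirm GRE-over-IPsec encapsulation of a ping.
import struct
import ipaddress

IPPROTO_ICMP, IPPROTO_GRE, IPPROTO_ESP = 1, 47, 50
ETHERTYPE_IPV4 = 0x0800
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum as used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal option-less IPv4 header; only used to build the sample frames."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(data: bytes):
    """Return (fields, payload), honouring IHL, total length and the header checksum."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(data) < total_len:
        raise ValueError("malformed IPv4 header")
    if ones_complement_checksum(data[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    fields = {"src": str(ipaddress.IPv4Address(src)),
              "dst": str(ipaddress.IPv4Address(dst)), "proto": proto}
    return fields, data[ihl:total_len]


def parse_gre(data: bytes):
    """RFC 2784/2890 GRE: 4-byte base header plus optional checksum, key, sequence."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, ethertype = struct.unpack("!HH", data[:4])
    has_csum, has_key, has_seq = bool(flags & 0x8000), bool(flags & 0x2000), bool(flags & 0x1000)
    off = 4 + 4 * (has_csum + has_key + has_seq)
    if len(data) < off:
        raise ValueError("truncated GRE optional fields")
    key = None
    if has_key:  # key sits after the optional checksum word
        key_off = 4 + (4 if has_csum else 0)
        key = struct.unpack("!I", data[key_off:key_off + 4])[0]
    return {"ethertype": ethertype, "key": key}, data[off:]


def parse_icmp(data: bytes):
    if len(data) < 8:
        raise ValueError("truncated ICMP header")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq}


def describe_chain(frame: bytes) -> list:
    """One line per layer. Stops at ESP: on the wire only the SPI is visible and the
    GRE/ICMP inside is encrypted, so a wire capture alone cannot confirm the GRE hop."""
    layers, data = [], frame
    while True:
        ip, payload = parse_ipv4(data)
        layers.append(f"IPv4 {ip['src']} -> {ip['dst']} proto {ip['proto']}")
        if ip["proto"] == IPPROTO_ESP:
            if len(payload) < 8:
                raise ValueError("truncated ESP header")
            spi, seq = struct.unpack("!II", payload[:8])
            layers.append(f"ESP spi=0x{spi:08x} seq={seq} (payload encrypted)")
            return layers
        if ip["proto"] == IPPROTO_GRE:
            gre, data = parse_gre(payload)
            key = f" key={gre['key']}" if gre["key"] is not None else ""
            layers.append(f"GRE proto 0x{gre['ethertype']:04x}{key}")
            if gre["ethertype"] != ETHERTYPE_IPV4:
                layers.append("non-IPv4 GRE payload; stopping")
                return layers
            continue  # loop again on the inner IPv4 packet
        if ip["proto"] == IPPROTO_ICMP:
            icmp = parse_icmp(payload)
            name = {ICMP_ECHO_REQUEST: "echo-request",
                    ICMP_ECHO_REPLY: "echo-reply"}.get(icmp["type"], f"type {icmp['type']}")
            layers.append(f"ICMP {name} code={icmp['code']} id={icmp['id']} seq={icmp['seq']}")
            return layers
        layers.append("unhandled protocol; stopping")
        return layers


def is_gre_encapsulated_ping(frame: bytes) -> bool:
    """True only for the exact IPv4 -> GRE -> IPv4 -> ICMP echo chain."""
    chain = describe_chain(frame)
    return len(chain) == 4 and chain[1].startswith("GRE") and "ICMP echo" in chain[3]


# Constructed samples: inner addresses from the post, 203.0.113.x assumed stand-ins
# for the redacted XX.XX.XX.246/.245 gateway addresses.
_ICMP = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 7) + b"ping-payload"
_ICMP = _ICMP[:2] + struct.pack("!H", ones_complement_checksum(_ICMP)) + _ICMP[4:]
_INNER = build_ipv4("10.5.28.1", "10.5.30.1", IPPROTO_ICMP, _ICMP)
SAMPLE_GRE_PING = build_ipv4("203.0.113.246", "203.0.113.245", IPPROTO_GRE,
                             struct.pack("!HH", 0, ETHERTYPE_IPV4) + _INNER)
# Same flow as seen on the physical interface after ESP transport mode is applied.
SAMPLE_ESP = build_ipv4("203.0.113.246", "203.0.113.245", IPPROTO_ESP,
                        struct.pack("!II", 0xC0FFEE01, 12) + b"\x00" * 32)

if __name__ == "__main__":
    for frame in (SAMPLE_GRE_PING, SAMPLE_ESP):
        print("\n".join(describe_chain(frame)), "\n")
```

Feed it packet bytes from a capture taken on the GRE tunnel interface to see the full chain, and from the physical interface to see only ESP; if the tunnel-side capture shows the inner echo-request arriving but no echo-reply is generated, the drop is after decapsulation (firewall or routing on the receiving gateway) rather than in IPsec. `ip -s xfrm state` shows per-SA byte and packet counters, which tells you whether the ESP SA is carrying the traffic at all.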