[strongSwan] StrongSwan w/ multiple local subnets.
TomK
tomkcpr at mdevsys.com
Mon Aug 17 08:40:55 CEST 2020
On 8/16/2020 10:16 PM, TomK wrote:
> On 8/11/2020 1:16 AM, TomK wrote:
>> On 8/9/2020 8:10 PM, TomK wrote:
>>> On 6/30/2020 4:41 AM, Tobias Brunner wrote:
>>>> Hi Tom,
>>>>
>>>>> What I meant to say, is that would confirm all proper kernel modules
>>>>> were already in place to allow the communication would it not?
>>>>> Anything
>>>>> else I could try to, in the least, confirm if the packet was
>>>>> successfully forwarded to the Azure VPN Gateway end?
>>>>>
>>>>> I know the packet arrives at the IPSec ipsec0 interface however,
>>>>> checking just now, I don't see any traffic change on the WAN interface
>>>>> of the on-prem StrongSwan VPN GW.
>>>>
>>>> As explained in previous emails, with kernel-libipsec you are not using
>>>> any of the IPsec-related kernel modules. IPsec processing happens in
>>>> userland via ipsec0 TUN device (see [1] for more on this plugin).
>>>> rp_filter could be an issue when using it.
>>>>
>>>> To check traffic, use packet counters (strongSwan's status output,
>>>> firewall etc.) or traffic captures on the respective hosts to see if
>>>> e.g. ESP packets are exchanged.
>>>>
>>>> Regards,
>>>> Tobias
>>>>
>>>> [1]
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec
>>>>
>>>
>>>
>>> Hey All,
>>>
>>> So I've given up on DD-WRT for the time being and decided instead to
>>> use an old Raspberry PI 2 and OpenWRT.
>>>
>>> The topology I'll reference is available on the below OpenWRT forum.
>>> For the sake of not replicating all the content (and partially due to
>>> a touch of laziness), here is the link:
>>>
>>> Aug 9th post:
>>>
>>> https://forum.openwrt.org/t/openwrt-support-for-quagga-ospf-strongswan-ipsecv2-1-openvpn-firewalld-ssh-ddns-dnsmasquerade/69528/18
>>>
>>>
>>> I'm effectively running into this error:
>>>
>>> Aug 9 17:04:06 OWRT01 : 14[IKE] initiating IKE_SA AZURE[1] to
>>> 123.123.123.123
>>> Aug 9 17:04:06 OWRT01 : 14[ENC] generating IKE_SA_INIT request 0 [
>>> SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG)
>>> N(REDIR_SUP) ]
>>> Aug 9 17:04:06 OWRT01 : 14[NET] sending packet: from
>>> 100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
>>> Aug 9 17:04:06 OWRT01 : 04[NET] error writing to socket: Network
>>> unreachable
>>> Aug 9 17:04:10 OWRT01 : 14[IKE] retransmit 1 of request with message
>>> ID 0
>>>
>>>
>>> This time, XFRM modules are loaded:
>>>
>>>
>>> root at OWRT01:~# lsmod|grep xfrm
>>> tunnel4 12288 2 sit,xfrm4_tunnel
>>> tunnel6 12288 1 xfrm6_tunnel
>>> xfrm_algo 12288 7
>>> esp6,ah6,esp4,ah4,xfrm_user,xfrm_ipcomp,af_key
>>> xfrm_ipcomp 12288 2 ipcomp6,ipcomp
>>> xfrm_user 28672 0
>>> xfrm4_mode_beet 12288 0
>>> xfrm4_mode_transport 12288 0
>>> xfrm4_mode_tunnel 12288 0
>>> xfrm4_tunnel 12288 0
>>> xfrm6_mode_beet 12288 0
>>> xfrm6_mode_transport 12288 0
>>> xfrm6_mode_tunnel 12288 0
>>> xfrm6_tunnel 12288 1 ipcomp6
>>> root at OWRT01:~#
>>>
>>>
>>> However, from the OpenWRT post, you can see that packets arent' even
>>> making it out of the ipsec0 interface, nor from the br-lan iterface.
>>>
>>>
>>
>>
>> Made it past the above issue. Had to set:
>>
>>
>> left=192.168.0.12
>> type=passthrough
>>
>>
>> since this is a device behind the main router. My bad!.
>>
>>
>> Now I'm receiving a reply back:
>>
>>
>> root at DD-WRT-INTERNET-ASUS:~# tcpdump -n | grep -Ei "123.123.123.123"
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>> decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 21:42:10.410556 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp:
>> parent_sa ikev2_init[I]
>> 21:42:10.414404 IP 123.123.123.123.500 > 192.168.0.12.500: isakmp:
>> parent_sa ikev2_init[R]
>>
>>
>> However the result is this error:
>>
>> received NO_PROPOSAL_CHOSEN notify error
>>
>> I've gone and searched the above error but nothing worked so far.
>> Tried different settings for ike= and esp= but no luck either.
>>
>>
>> Perhaps I'm missing something here a trained eye won't? Any help is
>> appreciated.
>>
>>
>> ---------------------------------------------------------
>> Full session:
>>
>>
>> Aug 11 00:41:57 OWRT01 : 00[DMN] signal of type SIGINT received.
>> Shutting down
>> Aug 11 00:42:00 OWRT01 : 00[DMN] Starting IKE charon daemon
>> (strongSwan 5.8.2, Linux 4.14.180, armv7l)
>> Aug 11 00:42:00 OWRT01 : 00[CFG] PKCS11 module '<name>' lacks library
>> path
>> Aug 11 00:42:01 OWRT01 : 00[LIB] curl SSL backend 'mbedTLS/2.16.6' not
>> supported, https:// disabled
>> Aug 11 00:42:01 OWRT01 : 00[CFG] disabling load-tester plugin, not
>> configured
>> Aug 11 00:42:01 OWRT01 : 00[LIB] plugin 'load-tester': failed to load
>> - load_tester_plugin_create returned NULL
>> Aug 11 00:42:01 OWRT01 : 00[LIB] created TUN device: ipsec0
>> Aug 11 00:42:01 OWRT01 : 00[LIB] plugin 'uci' failed to load: Error
>> relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup:
>> symbol not found
>> Aug 11 00:42:01 OWRT01 : 00[CFG] attr-sql plugin: database URI not set
>> Aug 11 00:42:01 OWRT01 : 00[NET] using forecast interface br-lan
>> Aug 11 00:42:01 OWRT01 : 00[CFG] joining forecast multicast groups:
>> 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
>> Aug 11 00:42:01 OWRT01 : 00[CFG] loading ca certificates from
>> '/etc/ipsec.d/cacerts'
>> Aug 11 00:42:01 OWRT01 : 00[CFG] loading aa certificates from
>> '/etc/ipsec.d/aacerts'
>> Aug 11 00:42:01 OWRT01 : 00[CFG] loading ocsp signer certificates from
>> '/etc/ipsec.d/ocspcerts'
>> Aug 11 00:42:01 OWRT01 : 00[CFG] loading attribute certificates from
>> '/etc/ipsec.d/acerts'
>> Aug 11 00:42:01 OWRT01 : 00[CFG] loading crls from '/etc/ipsec.d/crls'
>> Aug 11 00:42:01 OWRT01 : 00[CFG] loading secrets from
>> '/etc/ipsec.secrets'
>> Aug 11 00:42:01 OWRT01 : 00[CFG] loaded IKE secret for 192.168.0.12
>> 123.123.123.123
>> Aug 11 00:42:01 OWRT01 : 00[CFG] sql plugin: database URI not set
>> Aug 11 00:42:01 OWRT01 : 00[CFG] loaded 0 RADIUS server configurations
>> Aug 11 00:42:01 OWRT01 : 00[CFG] HA config misses local/remote address
>> Aug 11 00:42:01 OWRT01 : 00[CFG] coupling file path unspecified
>> Aug 11 00:42:01 OWRT01 : 00[LIB] loaded plugins: charon test-vectors
>> ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509
>> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
>> sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent
>> xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec
>> kernel-netlink resolve socket-default socket-dynamic connmark forecast
>> farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2
>> eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led
>> duplicheck addrblock unity
>> Aug 11 00:42:01 OWRT01 : 00[JOB] spawning 16 worker threads
>> Aug 11 00:42:01 OWRT01 : 13[CFG] received stroke: add connection 'AZURE'
>> Aug 11 00:42:01 OWRT01 : 13[CFG] added configuration 'AZURE'
>> Aug 11 00:42:01 OWRT01 : 15[CFG] received stroke: initiate 'AZURE'
>> Aug 11 00:42:01 OWRT01 : 15[IKE] initiating IKE_SA AZURE[1] to
>> 123.123.123.123
>> Aug 11 00:42:01 OWRT01 : 15[ENC] generating IKE_SA_INIT request 0 [ SA
>> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> Aug 11 00:42:01 OWRT01 : 15[NET] sending packet: from
>> 192.168.0.12[500] to 123.123.123.123[500] (336 bytes)
>> Aug 11 00:42:01 OWRT01 : 10[NET] received packet: from
>> 192.168.0.6[500] to 192.168.0.12[500] (336 bytes)
>> Aug 11 00:42:01 OWRT01 : 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE
>> No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> Aug 11 00:42:01 OWRT01 : 10[IKE] no IKE config found for
>> 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
>> Aug 11 00:42:01 OWRT01 : 10[ENC] generating IKE_SA_INIT response 0 [
>> N(NO_PROP) ]
>> Aug 11 00:42:01 OWRT01 : 10[NET] sending packet: from
>> 192.168.0.12[500] to 192.168.0.6[500] (36 bytes)
>> Aug 11 00:42:01 OWRT01 : 11[NET] received packet: from
>> 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
>> Aug 11 00:42:01 OWRT01 : 11[ENC] parsed IKE_SA_INIT response 0 [
>> N(NO_PROP) ]
>> Aug 11 00:42:01 OWRT01 : 11[IKE] received NO_PROPOSAL_CHOSEN notify error
>>
>>
>>
>>
>>
>>
>> root at OWRT01:~# ipsec restart
>> Stopping strongSwan IPsec...
>> Starting strongSwan 5.8.2 IPsec [starter]...
>> root at OWRT01:~# cat /etc/ipsec.conf
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>> # strictcrlpolicy=yes
>> # uniqueids = no
>>
>> conn AZURE
>> authby=secret
>> auto=start
>> type=passthrough
>> keyexchange=ikev2
>> keylife=3600s
>> ikelifetime=28800s
>>
>> left=192.168.0.12
>> leftsubnet=0.0.0.0/0
>> right=123.123.123.123
>> rightsubnet=0.0.0.0/0
>>
>> ike=aes256-sha2_256-modp1024
>> esp=aes256-sha2_256
>>
>> root at OWRT01:~#
>>
>>
>>
>>
>>
>> root at OWRT01:~# cat /etc/strongswan.conf
>> # strongswan.conf - strongSwan configuration file
>> #
>> # Refer to the strongswan.conf(5) manpage for details
>> #
>> # Configuration changes should be made in the included files
>> # Verbosity levels
>> # -1: Absolutely silent
>> # 0: Very basic auditing logs, (e.g. SA up/SA down)
>> # 1: Generic control flow with errors, a good default to see whats
>> going on
>> # 2: More detailed debugging control flow
>> # 3: Including RAW data dumps in Hex
>> # 4: Also include sensitive material in dumps, e.g. keys
>> charon {
>> load_modular = yes
>> plugins {
>> include strongswan.d/charon/*.conf
>> }
>> filelog {
>> charon {
>> path = /var/log/charon.log
>> time_format = %b %e %T
>> append = no
>> default = 0 # in case troubleshoot is
>> required switch this to 2
>> }
>> stderr {
>> ike = 0 # in case troubleshoot is required
>> switch this to 2
>> knl = 0 # in case troubleshoot is required
>> switch this to 3
>> ike_name = yes
>> }
>> }
>> syslog {
>> # enable logging to LOG_DAEMON, use defaults
>> daemon {
>> }
>> # minimalistic IKE auditing logging to LOG_AUTHPRIV
>> auth {
>> default = 0 # in case troubleshoot is
>> required switch this to 2
>> ike = 0 # in case troubleshoot is required
>> switch this to 2
>> }
>> }
>> }
>> include strongswan.d/*.conf
>> root at OWRT01:~#
>>
>>
>>
>>
>>
>>
>>
>
> Given the below:
>
> Azure VPN Gateway (123.123.123.123) -> DD-WRT (On Site PUB IP
> 100.100.100.100, Local Router IP 192.168.0.6: Port Forwarding 500, 4500
> to Raspberry Pi 2) -> Raspberry Pi 2 OpenWRT (OWRT01, 192.168.0.12)
>
>
> Am I correct in thinking that due to this statement in the logs:
>
> Aug 16 01:00:06 OWRT01 : 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Aug 16 01:00:06 OWRT01 : 11[IKE] no IKE config found for
> 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
>
>
> I now also need an ipsec policy between the DD-WRT router and the
> OpenWRT Raspberry Pi 2? Thank you for taking a look.
>
>
> My config and logs:
>
> root at OWRT01:~# cat /etc/ipsec.conf
> config setup
>
> conn azure
> authby=secret
> auto=start
> type=passthrough
>
> left=192.168.0.12
> leftsubnet=0.0.0.0/0
>
> right=123.123.123.123
> rightsubnet=0.0.0.0/0
>
> ike=aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384
> esp=aes128gcm16-ecp256,aes256gcm16-ecp384
> root at OWRT01:~#
>
>
>
> Aug 16 01:00:00 OWRT01 : 00[DMN] signal of type SIGINT received.
> Shutting down
> Aug 16 01:00:04 OWRT01 : 00[DMN] Starting IKE charon daemon (strongSwan
> 5.8.2, Linux 4.14.180, armv7l)
> Aug 16 01:00:04 OWRT01 : 00[CFG] PKCS11 module '<name>' lacks library path
> Aug 16 01:00:05 OWRT01 : 00[LIB] curl SSL backend 'mbedTLS/2.16.6' not
> supported, https:// disabled
> Aug 16 01:00:05 OWRT01 : 00[CFG] disabling load-tester plugin, not
> configured
> Aug 16 01:00:05 OWRT01 : 00[LIB] plugin 'load-tester': failed to load -
> load_tester_plugin_create returned NULL
> Aug 16 01:00:05 OWRT01 : 00[LIB] created TUN device: ipsec0
> Aug 16 01:00:05 OWRT01 : 00[LIB] plugin 'uci' failed to load: Error
> relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup:
> symbol not found
> Aug 16 01:00:05 OWRT01 : 00[CFG] attr-sql plugin: database URI not set
> Aug 16 01:00:05 OWRT01 : 00[NET] using forecast interface br-lan
> Aug 16 01:00:05 OWRT01 : 00[CFG] joining forecast multicast groups:
> 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
> Aug 16 01:00:05 OWRT01 : 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Aug 16 01:00:05 OWRT01 : 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Aug 16 01:00:05 OWRT01 : 00[CFG] loading ocsp signer certificates from
> '/etc/ipsec.d/ocspcerts'
> Aug 16 01:00:05 OWRT01 : 00[CFG] loading attribute certificates from
> '/etc/ipsec.d/acerts'
> Aug 16 01:00:05 OWRT01 : 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Aug 16 01:00:05 OWRT01 : 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Aug 16 01:00:05 OWRT01 : 00[CFG] loaded IKE secret for 192.168.0.12
> 123.123.123.123
> Aug 16 01:00:05 OWRT01 : 00[CFG] sql plugin: database URI not set
> Aug 16 01:00:05 OWRT01 : 00[CFG] loaded 0 RADIUS server configurations
> Aug 16 01:00:05 OWRT01 : 00[CFG] HA config misses local/remote address
> Aug 16 01:00:05 OWRT01 : 00[CFG] coupling file path unspecified
> Aug 16 01:00:05 OWRT01 : 00[LIB] loaded plugins: charon test-vectors
> ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
> pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent xcbc cmac
> hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink
> resolve socket-default socket-dynamic connmark forecast farp stroke vici
> smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls
> xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
> Aug 16 01:00:05 OWRT01 : 00[JOB] spawning 16 worker threads
> Aug 16 01:00:05 OWRT01 : 09[CFG] received stroke: add connection 'azure'
> Aug 16 01:00:05 OWRT01 : 09[CFG] added configuration 'azure'
> Aug 16 01:00:05 OWRT01 : 12[CFG] received stroke: initiate 'azure'
> Aug 16 01:00:05 OWRT01 : 12[IKE] initiating IKE_SA azure[1] to
> 123.123.123.123
> Aug 16 01:00:05 OWRT01 : 12[ENC] generating IKE_SA_INIT request 0 [ SA
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Aug 16 01:00:05 OWRT01 : 12[NET] sending packet: from 192.168.0.12[500]
> to 123.123.123.123[500] (1152 bytes)
> Aug 16 01:00:05 OWRT01 : 11[NET] received packet: from 192.168.0.6[26]
> to 192.168.0.12[500] (1152 bytes)
> Aug 16 01:00:06 OWRT01 : 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Aug 16 01:00:06 OWRT01 : 11[IKE] no IKE config found for
> 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
> Aug 16 01:00:06 OWRT01 : 11[ENC] generating IKE_SA_INIT response 0 [
> N(NO_PROP) ]
> Aug 16 01:00:06 OWRT01 : 11[NET] sending packet: from 192.168.0.12[500]
> to 192.168.0.6[26] (36 bytes)
> Aug 16 01:00:06 OWRT01 : 14[NET] received packet: from
> 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
> Aug 16 01:00:06 OWRT01 : 14[ENC] parsed IKE_SA_INIT response 0 [
> N(NO_PROP) ]
> Aug 16 01:00:06 OWRT01 : 14[IKE] received NO_PROPOSAL_CHOSEN notify error
> Aug 16 01:00:06 OWRT01 : 03[NET] received packet: from 192.168.0.6[500]
> to 192.168.0.12[500] (620 bytes)
> Aug 16 01:00:06 OWRT01 : 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> Aug 16 01:00:06 OWRT01 : 03[IKE] no IKE config found for
> 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
> Aug 16 01:00:06 OWRT01 : 03[ENC] generating IKE_SA_INIT response 0 [
> N(NO_PROP) ]
> Aug 16 01:00:06 OWRT01 : 03[NET] sending packet: from 192.168.0.12[500]
> to 192.168.0.6[500] (36 bytes)
>
>
>
>
>
> Aug 16 01:00:05 11[ENC] parsing rule 0 U_INT_8
> Aug 16 01:00:05 11[ENC] parsing rule 1 RESERVED_BYTE
> Aug 16 01:00:05 11[ENC] parsing rule 2 PAYLOAD_LENGTH
> Aug 16 01:00:05 11[ENC] parsing rule 3 U_INT_8
> Aug 16 01:00:05 11[ENC] parsing rule 4 RESERVED_BYTE
> Aug 16 01:00:05 11[ENC] parsing rule 5 U_INT_16
> Aug 16 01:00:05 11[ENC] parsing rule 6 (1262)
> Aug 16 01:00:05 11[ENC] 4 bytes left, parsing recursively
> TRANSFORM_ATTRIBUTE
> Aug 16 01:00:05 11[ENC] parsing TRANSFORM_ATTRIBUTE payload, 388 bytes left
> Aug 16 01:00:05 11[ENC] parsing rule 0 ATTRIBUTE_FORMAT
> Aug 16 01:00:05 11[ENC] parsing rule 1 ATTRIBUTE_TYPE
> Aug 16 01:00:05 11[ENC] parsing rule 2 ATTRIBUTE_LENGTH_OR_VALUE
> Aug 16 01:00:05 11[ENC] parsing rule 3 ATTRIBUTE_VALUE
> Aug 16 01:00:05 11[ENC] parsing TRANSFORM_ATTRIBUTE payload finished
> Aug 16 01:00:05 11[ENC] parsing TRANSFORM_SUBSTRUCTURE payload finished
> Aug 16 01:00:05 11[ENC] 152 bytes left, parsing recursively
> TRANSFORM_SUBSTRUCTURE
> Aug 16 01:00:05 11[ENC] parsing TRANSFORM_SUBSTRUCTURE payload, 384
> bytes left
> Aug 16 01:00:05 11[ENC] parsing rule 0 U_INT_8
> Aug 16 01:00:05 11[ENC] parsing rule 1 RESERVED_BYTE
> Aug 16 01:00:05 11[ENC] parsing rule 2 PAYLOAD_LENGTH
> Aug 16 01:00:05 11[ENC] parsing rule 3 U_INT_8
> Aug 16 01:00:05 11[ENC] parsing rule 4 RESERVED_BYTE
> Aug 16 01:00:05 11[ENC] parsing rule 5 U_INT_16
> Aug 16 01:00:05 11[ENC] parsing rule 6 (1262)
> Aug 16 01:00:05 11[ENC] parsing TRANSFORM_SUBSTRUCTURE payload finished
> Aug 16 01:00:05 11[ENC] 144 bytes left, parsing recursively
> TRANSFORM_SUBSTRUCTURE
> .
> .
> .
> .
> .
> .
> .
> .
> Aug 16 01:00:06 11[ENC] parsing NOTIFY payload finished
> Aug 16 01:00:06 11[ENC] verifying payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] NOTIFY payload verified, adding to payload list
> Aug 16 01:00:06 11[ENC] starting parsing a NOTIFY payload
> Aug 16 01:00:06 11[ENC] parsing NOTIFY payload, 8 bytes left
> Aug 16 01:00:06 11[ENC] parsing rule 0 U_INT_8
> Aug 16 01:00:06 11[ENC] parsing rule 1 FLAG
> Aug 16 01:00:06 11[ENC] parsing rule 2 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] parsing rule 3 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] parsing rule 4 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] parsing rule 5 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] parsing rule 6 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] parsing rule 7 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] parsing rule 8 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] parsing rule 9 PAYLOAD_LENGTH
> Aug 16 01:00:06 11[ENC] parsing rule 10 U_INT_8
> Aug 16 01:00:06 11[ENC] parsing rule 11 SPI_SIZE
> Aug 16 01:00:06 11[ENC] parsing rule 12 U_INT_16
> Aug 16 01:00:06 11[ENC] parsing rule 13 SPI
> Aug 16 01:00:06 11[ENC] parsing rule 14 CHUNK_DATA
> Aug 16 01:00:06 11[ENC] parsing NOTIFY payload finished
> Aug 16 01:00:06 11[ENC] verifying payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] NOTIFY payload verified, adding to payload list
> Aug 16 01:00:06 11[ENC] process payload of type SECURITY_ASSOCIATION
> Aug 16 01:00:06 11[ENC] process payload of type KEY_EXCHANGE
> Aug 16 01:00:06 11[ENC] process payload of type NONCE
> Aug 16 01:00:06 11[ENC] process payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] process payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] process payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] process payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] process payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] verifying message structure
> Aug 16 01:00:06 11[ENC] found payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] found payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] found payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] found payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] found payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] found payload of type SECURITY_ASSOCIATION
> Aug 16 01:00:06 11[ENC] found payload of type KEY_EXCHANGE
> Aug 16 01:00:06 11[ENC] found payload of type NONCE
> Aug 16 01:00:06 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Aug 16 01:00:06 11[CFG] looking for an IKEv2 config for
> 192.168.0.12...192.168.0.6
> Aug 16 01:00:06 11[IKE] no IKE config found for
> 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
> Aug 16 01:00:06 11[ENC] added payload of type NOTIFY to message
> Aug 16 01:00:06 11[ENC] order payloads in message
> Aug 16 01:00:06 11[ENC] added payload of type NOTIFY to message
> Aug 16 01:00:06 11[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Aug 16 01:00:06 11[ENC] not encrypting payloads
> Aug 16 01:00:06 11[ENC] generating payload of type HEADER
> Aug 16 01:00:06 11[ENC] generating rule 0 IKE_SPI
> Aug 16 01:00:06 11[ENC] generating rule 1 IKE_SPI
> Aug 16 01:00:06 11[ENC] generating rule 2 U_INT_8
> Aug 16 01:00:06 11[ENC] generating rule 3 U_INT_4
> Aug 16 01:00:06 11[ENC] generating rule 4 U_INT_4
> Aug 16 01:00:06 11[ENC] generating rule 5 U_INT_8
> Aug 16 01:00:06 11[ENC] generating rule 6 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] generating rule 7 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] generating rule 8 FLAG
> Aug 16 01:00:06 11[ENC] generating rule 9 FLAG
> Aug 16 01:00:06 11[ENC] generating rule 10 FLAG
> Aug 16 01:00:06 11[ENC] generating rule 11 FLAG
> Aug 16 01:00:06 11[ENC] generating rule 12 FLAG
> Aug 16 01:00:06 11[ENC] generating rule 13 FLAG
> Aug 16 01:00:06 11[ENC] generating rule 14 U_INT_32
> Aug 16 01:00:06 11[ENC] generating rule 15 HEADER_LENGTH
> Aug 16 01:00:06 11[ENC] generating HEADER payload finished
> Aug 16 01:00:06 11[ENC] generating payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] generating rule 0 U_INT_8
> Aug 16 01:00:06 11[ENC] generating rule 1 FLAG
> Aug 16 01:00:06 11[ENC] generating rule 2 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] generating rule 3 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] generating rule 4 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] generating rule 5 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] generating rule 6 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] generating rule 7 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] generating rule 8 RESERVED_BIT
> Aug 16 01:00:06 11[ENC] generating rule 9 PAYLOAD_LENGTH
> Aug 16 01:00:06 11[ENC] generating rule 10 U_INT_8
> Aug 16 01:00:06 11[ENC] generating rule 11 SPI_SIZE
> Aug 16 01:00:06 11[ENC] generating rule 12 U_INT_16
> Aug 16 01:00:06 11[ENC] generating rule 13 SPI
> Aug 16 01:00:06 11[ENC] generating rule 14 CHUNK_DATA
> Aug 16 01:00:06 11[ENC] generating NOTIFY payload finished
> Aug 16 01:00:06 11[NET] sending packet: from 192.168.0.12[500] to
> 192.168.0.6[26] (36 bytes)
> Aug 16 01:00:06 11[MGR] checkin and destroy IKE_SA (unnamed)[2]
> Aug 16 01:00:06 16[NET] sending packet: from 192.168.0.12[500] to
> 192.168.0.6[26]
> Aug 16 01:00:06 11[IKE] IKE_SA (unnamed)[2] state change: CREATED =>
> DESTROYING
> Aug 16 01:00:06 11[MGR] checkin and destroy of IKE_SA successful
> Aug 16 01:00:06 04[NET] received packet: from 123.123.123.123[500] to
> 192.168.0.12[500]
> Aug 16 01:00:06 04[ENC] parsing header of message
> Aug 16 01:00:06 04[ENC] parsing HEADER payload, 36 bytes left
> Aug 16 01:00:06 04[ENC] parsing rule 0 IKE_SPI
> Aug 16 01:00:06 04[ENC] parsing rule 1 IKE_SPI
> Aug 16 01:00:06 04[ENC] parsing rule 2 U_INT_8
> Aug 16 01:00:06 04[ENC] parsing rule 3 U_INT_4
> Aug 16 01:00:06 04[ENC] parsing rule 4 U_INT_4
> Aug 16 01:00:06 04[ENC] parsing rule 5 U_INT_8
> Aug 16 01:00:06 04[ENC] parsing rule 6 RESERVED_BIT
> Aug 16 01:00:06 04[ENC] parsing rule 7 RESERVED_BIT
> Aug 16 01:00:06 04[ENC] parsing rule 8 FLAG
> Aug 16 01:00:06 04[ENC] parsing rule 9 FLAG
> Aug 16 01:00:06 04[ENC] parsing rule 10 FLAG
> Aug 16 01:00:06 04[ENC] parsing rule 11 FLAG
> Aug 16 01:00:06 04[ENC] parsing rule 12 FLAG
> Aug 16 01:00:06 04[ENC] parsing rule 13 FLAG
> Aug 16 01:00:06 04[ENC] parsing rule 14 U_INT_32
> Aug 16 01:00:06 04[ENC] parsing rule 15 HEADER_LENGTH
> Aug 16 01:00:06 04[ENC] parsing HEADER payload finished
> Aug 16 01:00:06 04[ENC] parsed a IKE_SA_INIT response header
> Aug 16 01:00:06 04[NET] waiting for data on sockets
> Aug 16 01:00:06 14[MGR] checkout IKEv2 SA by message with SPIs
> 5d4dbd5514ee8ae1_i 7e6ea225251f2a77_r
> Aug 16 01:00:06 14[MGR] IKE_SA azure[1] successfully checked out
> Aug 16 01:00:06 14[NET] received packet: from 123.123.123.123[500] to
> 192.168.0.12[500] (36 bytes)
> Aug 16 01:00:06 14[ENC] parsing body of message, first payload is NOTIFY
> Aug 16 01:00:06 14[ENC] starting parsing a NOTIFY payload
> Aug 16 01:00:06 14[ENC] parsing NOTIFY payload, 8 bytes left
> Aug 16 01:00:06 14[ENC] parsing rule 0 U_INT_8
> Aug 16 01:00:06 14[ENC] parsing rule 1 FLAG
> Aug 16 01:00:06 14[ENC] parsing rule 2 RESERVED_BIT
> Aug 16 01:00:06 14[ENC] parsing rule 3 RESERVED_BIT
> Aug 16 01:00:06 14[ENC] parsing rule 4 RESERVED_BIT
> Aug 16 01:00:06 14[ENC] parsing rule 5 RESERVED_BIT
> Aug 16 01:00:06 14[ENC] parsing rule 6 RESERVED_BIT
> Aug 16 01:00:06 14[ENC] parsing rule 7 RESERVED_BIT
> Aug 16 01:00:06 14[ENC] parsing rule 8 RESERVED_BIT
> Aug 16 01:00:06 14[ENC] parsing rule 9 PAYLOAD_LENGTH
> Aug 16 01:00:06 14[ENC] parsing rule 10 U_INT_8
> Aug 16 01:00:06 14[ENC] parsing rule 11 SPI_SIZE
> Aug 16 01:00:06 14[ENC] parsing rule 12 U_INT_16
> Aug 16 01:00:06 14[ENC] parsing rule 13 SPI
> Aug 16 01:00:06 14[ENC] parsing rule 14 CHUNK_DATA
> Aug 16 01:00:06 14[ENC] parsing NOTIFY payload finished
> Aug 16 01:00:06 14[ENC] verifying payload of type NOTIFY
> Aug 16 01:00:06 14[ENC] NOTIFY payload verified, adding to payload list
> Aug 16 01:00:06 14[ENC] process payload of type NOTIFY
> Aug 16 01:00:06 14[ENC] verifying message structure
> Aug 16 01:00:06 14[ENC] found payload of type NOTIFY
> Aug 16 01:00:06 14[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Aug 16 01:00:06 14[IKE] received NO_PROPOSAL_CHOSEN notify error
> Aug 16 01:00:06 14[CFG] configured proposals:
> IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256,
> IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
> IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
>
> Aug 16 01:00:06 14[MGR] checkin and destroy IKE_SA azure[1]
> Aug 16 01:00:06 14[IKE] IKE_SA azure[1] state change: CONNECTING =>
> DESTROYING
> Aug 16 01:00:06 14[MGR] checkin and destroy of IKE_SA successful
> Aug 16 01:00:06 08[ESP] no matching outbound IPsec policy for
> fe80::f44e:e17a:fbc2:3cc3 == ff02::16 [58]
> Aug 16 01:00:06 04[NET] received packet: from 192.168.0.6[500] to
> 192.168.0.12[500]
> Aug 16 01:00:06 04[ENC] parsing header of message
> Aug 16 01:00:06 04[ENC] parsing HEADER payload, 620 bytes left
> Aug 16 01:00:06 04[ENC] parsing rule 0 IKE_SPI
> Aug 16 01:00:06 04[ENC] parsing rule 1 IKE_SPI
> Aug 16 01:00:06 04[ENC] parsing rule 2 U_INT_8
> Aug 16 01:00:06 04[ENC] parsing rule 3 U_INT_4
> Aug 16 01:00:06 04[ENC] parsing rule 4 U_INT_4
> Aug 16 01:00:06 04[ENC] parsing rule 5 U_INT_8
> Aug 16 01:00:06 04[ENC] parsing rule 6 RESERVED_BIT
> Aug 16 01:00:06 04[ENC] parsing rule 7 RESERVED_BIT
> Aug 16 01:00:06 04[ENC] parsing rule 8 FLAG
> Aug 16 01:00:06 04[ENC] parsing rule 9 FLAG
> Aug 16 01:00:06 04[ENC] parsing rule 10 FLAG
> Aug 16 01:00:06 04[ENC] parsing rule 11 FLAG
> Aug 16 01:00:06 04[ENC] parsing rule 12 FLAG
> Aug 16 01:00:06 04[ENC] parsing rule 13 FLAG
> Aug 16 01:00:06 04[ENC] parsing rule 14 U_INT_32
> Aug 16 01:00:06 04[ENC] parsing rule 15 HEADER_LENGTH
> Aug 16 01:00:06 04[ENC] parsing HEADER payload finished
> Aug 16 01:00:06 04[ENC] parsed a IKE_SA_INIT request header
> Aug 16 01:00:06 03[MGR] checkout IKEv2 SA by message with SPIs
> 31219711e858bab2_i 0000000000000000_r
> Aug 16 01:00:06 03[MGR] created IKE_SA (unnamed)[3]
> Aug 16 01:00:06 03[NET] received packet: from 192.168.0.6[500] to
> 192.168.0.12[500] (620 bytes)
> Aug 16 01:00:06 03[ENC] parsing body of message, first payload is
> SECURITY_ASSOCIATION
> Aug 16 01:00:06 03[ENC] starting parsing a SECURITY_ASSOCIATION payload
> Aug 16 01:00:06 03[ENC] parsing SECURITY_ASSOCIATION payload, 592 bytes
> left
> .
> .
> .
> .
> .
> .
> .
> Aug 16 01:02:06 06[ENC] generating rule 12 U_INT_16
> Aug 16 01:02:06 06[ENC] generating rule 13 SPI
> Aug 16 01:02:06 06[ENC] generating rule 14 CHUNK_DATA
> Aug 16 01:02:06 06[ENC] generating NOTIFY payload finished
> Aug 16 01:02:06 06[NET] sending packet: from 192.168.0.12[500] to
> 192.168.0.6[500] (36 bytes)
> Aug 16 01:02:06 16[NET] sending packet: from 192.168.0.12[500] to
> 192.168.0.6[500]
> Aug 16 01:02:06 06[MGR] checkin and destroy IKE_SA (unnamed)[4]
> Aug 16 01:02:06 06[IKE] IKE_SA (unnamed)[4] state change: CREATED =>
> DESTROYING
> Aug 16 01:02:06 06[MGR] checkin and destroy of IKE_SA successful
>
>
>
>
>
> On the Azure side:
>
>
>
>
>
On a side note, this configuration off of my internet facing router
(dd-wrt) is working as far as establishing a connection, despite some
minor VLAN mapping issues. But the connection is ESTABLISHED. So I'm
hoping someone could give me a hint as to what do I need to make this
work from my Raspberry Pi 2 behind the DD-WRT internet facing router?
NAT rules I have:
# UDP
iptables -t nat -I PREROUTING -p udp --dport 500 -j DNAT --to
192.168.0.12:500
iptables -I FORWARD -p udp -d 192.168.0.12 --dport 500 -j ACCEPT
iptables -t nat -I PREROUTING -p udp --dport 4500 -j DNAT --to
192.168.0.12:4500
iptables -I FORWARD -p udp -d 192.168.0.12 --dport 4500 -j ACCEPT
Here is the config on the internet-facing router.
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
conn azure-s2s
authby=secret
auto=start
type=tunnel
keyexchange=ikev2
keylife=3600s
ikelifetime=28800s
rekey=yes
rekeymargin=3m
keyingtries=1
mobike=no
dpdaction=none
lifebytes=102400000
left=100.100.100.100 # IP address of your
on-premises gateway
leftsubnet=192.168.0.0/24,10.0.0.0/24,10.1.0.0/24,10.2.0.0/24,10.3.0.0/24
# Home LAB - Local
# leftsubnet=0.0.0.0/0
# leftnexthop=%defaultroute
right=123.123.123.123 # Remote VPN gateway IP
address
rightsubnet=10.1.10.0/24,10.1.10.0/24,10.1.20.0/24,10.1.30.0/24,10.1.40.0/24,10.1.50.0/24
# Remote network subnet defined in public cloud
# rightsubnet=0.0.0.0/0
ike=aes256-sha1-modp1024
esp=aes256-sha1
I tried the same configuration as above by porting it on the Raspberry
Pi 2, but no luck. Same result:
Aug 17 02:23:46 OWRT01 : 10[NET] sending packet: from
192.168.0.12[500] to 192.168.0.6[500] (36 bytes)
Aug 17 02:25:46 OWRT01 : 03[NET] received packet: from
192.168.0.6[500] to 192.168.0.12[500] (620 bytes)
Aug 17 02:25:46 OWRT01 : 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Aug 17 02:25:46 OWRT01 : 03[IKE] no IKE config found for
192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
Aug 17 02:25:46 OWRT01 : 03[ENC] generating IKE_SA_INIT response 0 [
N(NO_PROP) ]
Aug 17 02:25:46 OWRT01 : 03[NET] sending packet: from
192.168.0.12[500] to 192.168.0.6[500] (36 bytes)
Thanks,
--
Thx,
TK.
More information about the Users
mailing list