[strongSwan] StrongSwan w/ multiple local subnets.

TomK tomkcpr at mdevsys.com
Mon Aug 17 08:40:55 CEST 2020


On 8/16/2020 10:16 PM, TomK wrote:
> On 8/11/2020 1:16 AM, TomK wrote:
>> On 8/9/2020 8:10 PM, TomK wrote:
>>> On 6/30/2020 4:41 AM, Tobias Brunner wrote:
>>>> Hi Tom,
>>>>
>>>>> What I meant to say, is that would confirm all proper kernel modules
>>>>> were already in place to allow the communication would it not? 
>>>>> Anything
>>>>> else I could try to, in the least, confirm if the packet was
>>>>> successfully forwarded to the Azure VPN Gateway end?
>>>>>
>>>>> I know the packet arrives at the IPSec ipsec0 interface however,
>>>>> checking just now, I don't see any traffic change on the WAN interface
>>>>> of the on-prem StrongSwan VPN GW.
>>>>
>>>> As explained in previous emails, with kernel-libipsec you are not using
>>>> any of the IPsec-related kernel modules.  IPsec processing happens in
>>>> userland via ipsec0 TUN device (see [1] for more on this plugin).
>>>> rp_filter could be an issue when using it.
>>>>
>>>> To check traffic, use packet counters (strongSwan's status output,
>>>> firewall etc.) or traffic captures on the respective hosts to see if
>>>> e.g. ESP packets are exchanged.
>>>>
>>>> Regards,
>>>> Tobias
>>>>
>>>> [1] 
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec
>>>>
>>>
>>>
>>> Hey All,
>>>
>>> So I've given up on DD-WRT for the time being and decided instead to 
>>> use an old Raspberry PI 2 and OpenWRT.
>>>
>>> The topology I'll reference is available on the below OpenWRT forum. 
>>> For the sake of not replicating all the content (and partially due to 
>>> a touch of laziness), here is the link:
>>>
>>> Aug 9th post:
>>>
>>> https://forum.openwrt.org/t/openwrt-support-for-quagga-ospf-strongswan-ipsecv2-1-openvpn-firewalld-ssh-ddns-dnsmasquerade/69528/18 
>>>
>>>
>>> I'm effectively running into this error:
>>>
>>> Aug  9 17:04:06 OWRT01 : 14[IKE] initiating IKE_SA AZURE[1] to 
>>> 123.123.123.123
>>> Aug  9 17:04:06 OWRT01 : 14[ENC] generating IKE_SA_INIT request 0 [ 
>>> SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) 
>>> N(REDIR_SUP) ]
>>> Aug  9 17:04:06 OWRT01 : 14[NET] sending packet: from 
>>> 100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
>>> Aug  9 17:04:06 OWRT01 : 04[NET] error writing to socket: Network 
>>> unreachable
>>> Aug  9 17:04:10 OWRT01 : 14[IKE] retransmit 1 of request with message 
>>> ID 0
>>>
>>>
>>> This time, XFRM modules are loaded:
>>>
>>>
>>> root at OWRT01:~# lsmod|grep xfrm
>>> tunnel4                12288  2 sit,xfrm4_tunnel
>>> tunnel6                12288  1 xfrm6_tunnel
>>> xfrm_algo              12288  7 
>>> esp6,ah6,esp4,ah4,xfrm_user,xfrm_ipcomp,af_key
>>> xfrm_ipcomp            12288  2 ipcomp6,ipcomp
>>> xfrm_user              28672  0
>>> xfrm4_mode_beet        12288  0
>>> xfrm4_mode_transport   12288  0
>>> xfrm4_mode_tunnel      12288  0
>>> xfrm4_tunnel           12288  0
>>> xfrm6_mode_beet        12288  0
>>> xfrm6_mode_transport   12288  0
>>> xfrm6_mode_tunnel      12288  0
>>> xfrm6_tunnel           12288  1 ipcomp6
>>> root at OWRT01:~#
>>>
>>>
>>> However, from the OpenWRT post, you can see that packets aren't even 
>>> making it out of the ipsec0 interface, nor from the br-lan interface.
>>>
>>>
>>
>>
>> Made it past the above issue.  Had to set:
>>
>>
>> left=192.168.0.12
>> type=passthrough
>>
>>
>> since this is a device behind the main router.  My bad!
>>
>>
>> Now I'm receiving a reply back:
>>
>>
>> root at DD-WRT-INTERNET-ASUS:~# tcpdump -n | grep -Ei "123.123.123.123"
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol 
>> decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 21:42:10.410556 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: 
>> parent_sa ikev2_init[I]
>> 21:42:10.414404 IP 123.123.123.123.500 > 192.168.0.12.500: isakmp: 
>> parent_sa ikev2_init[R]
>>
>>
>> However the result is this error:
>>
>> received NO_PROPOSAL_CHOSEN notify error
>>
>> I've gone and searched the above error but nothing worked so far.  
>> Tried different settings for ike= and esp= but no luck either.
>>
>>
>> Perhaps I'm missing something here a trained eye won't?  Any help is 
>> appreciated.
>>
>>
>> ---------------------------------------------------------
>> Full session:
>>
>>
>> Aug 11 00:41:57 OWRT01 : 00[DMN] signal of type SIGINT received. 
>> Shutting down
>> Aug 11 00:42:00 OWRT01 : 00[DMN] Starting IKE charon daemon 
>> (strongSwan 5.8.2, Linux 4.14.180, armv7l)
>> Aug 11 00:42:00 OWRT01 : 00[CFG] PKCS11 module '<name>' lacks library 
>> path
>> Aug 11 00:42:01 OWRT01 : 00[LIB] curl SSL backend 'mbedTLS/2.16.6' not 
>> supported, https:// disabled
>> Aug 11 00:42:01 OWRT01 : 00[CFG] disabling load-tester plugin, not 
>> configured
>> Aug 11 00:42:01 OWRT01 : 00[LIB] plugin 'load-tester': failed to load 
>> - load_tester_plugin_create returned NULL
>> Aug 11 00:42:01 OWRT01 : 00[LIB] created TUN device: ipsec0
>> Aug 11 00:42:01 OWRT01 : 00[LIB] plugin 'uci' failed to load: Error 
>> relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: 
>> symbol not found
>> Aug 11 00:42:01 OWRT01 : 00[CFG] attr-sql plugin: database URI not set
>> Aug 11 00:42:01 OWRT01 : 00[NET] using forecast interface br-lan
>> Aug 11 00:42:01 OWRT01 : 00[CFG] joining forecast multicast groups: 
>> 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
>> Aug 11 00:42:01 OWRT01 : 00[CFG] loading ca certificates from 
>> '/etc/ipsec.d/cacerts'
>> Aug 11 00:42:01 OWRT01 : 00[CFG] loading aa certificates from 
>> '/etc/ipsec.d/aacerts'
>> Aug 11 00:42:01 OWRT01 : 00[CFG] loading ocsp signer certificates from 
>> '/etc/ipsec.d/ocspcerts'
>> Aug 11 00:42:01 OWRT01 : 00[CFG] loading attribute certificates from 
>> '/etc/ipsec.d/acerts'
>> Aug 11 00:42:01 OWRT01 : 00[CFG] loading crls from '/etc/ipsec.d/crls'
>> Aug 11 00:42:01 OWRT01 : 00[CFG] loading secrets from 
>> '/etc/ipsec.secrets'
>> Aug 11 00:42:01 OWRT01 : 00[CFG]   loaded IKE secret for 192.168.0.12 
>> 123.123.123.123
>> Aug 11 00:42:01 OWRT01 : 00[CFG] sql plugin: database URI not set
>> Aug 11 00:42:01 OWRT01 : 00[CFG] loaded 0 RADIUS server configurations
>> Aug 11 00:42:01 OWRT01 : 00[CFG] HA config misses local/remote address
>> Aug 11 00:42:01 OWRT01 : 00[CFG] coupling file path unspecified
>> Aug 11 00:42:01 OWRT01 : 00[LIB] loaded plugins: charon test-vectors 
>> ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 
>> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey 
>> sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent 
>> xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec 
>> kernel-netlink resolve socket-default socket-dynamic connmark forecast 
>> farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 
>> eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led 
>> duplicheck addrblock unity
>> Aug 11 00:42:01 OWRT01 : 00[JOB] spawning 16 worker threads
>> Aug 11 00:42:01 OWRT01 : 13[CFG] received stroke: add connection 'AZURE'
>> Aug 11 00:42:01 OWRT01 : 13[CFG] added configuration 'AZURE'
>> Aug 11 00:42:01 OWRT01 : 15[CFG] received stroke: initiate 'AZURE'
>> Aug 11 00:42:01 OWRT01 : 15[IKE] initiating IKE_SA AZURE[1] to 
>> 123.123.123.123
>> Aug 11 00:42:01 OWRT01 : 15[ENC] generating IKE_SA_INIT request 0 [ SA 
>> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> Aug 11 00:42:01 OWRT01 : 15[NET] sending packet: from 
>> 192.168.0.12[500] to 123.123.123.123[500] (336 bytes)
>> Aug 11 00:42:01 OWRT01 : 10[NET] received packet: from 
>> 192.168.0.6[500] to 192.168.0.12[500] (336 bytes)
>> Aug 11 00:42:01 OWRT01 : 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE 
>> No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> Aug 11 00:42:01 OWRT01 : 10[IKE] no IKE config found for 
>> 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
>> Aug 11 00:42:01 OWRT01 : 10[ENC] generating IKE_SA_INIT response 0 [ 
>> N(NO_PROP) ]
>> Aug 11 00:42:01 OWRT01 : 10[NET] sending packet: from 
>> 192.168.0.12[500] to 192.168.0.6[500] (36 bytes)
>> Aug 11 00:42:01 OWRT01 : 11[NET] received packet: from 
>> 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
>> Aug 11 00:42:01 OWRT01 : 11[ENC] parsed IKE_SA_INIT response 0 [ 
>> N(NO_PROP) ]
>> Aug 11 00:42:01 OWRT01 : 11[IKE] received NO_PROPOSAL_CHOSEN notify error
>>
>>
>>
>>
>>
>>
>> root at OWRT01:~# ipsec restart
>> Stopping strongSwan IPsec...
>> Starting strongSwan 5.8.2 IPsec [starter]...
>> root at OWRT01:~# cat /etc/ipsec.conf
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>>          # strictcrlpolicy=yes
>>          # uniqueids = no
>>
>> conn AZURE
>>          authby=secret
>>          auto=start
>>          type=passthrough
>>          keyexchange=ikev2
>>          keylife=3600s
>>          ikelifetime=28800s
>>
>>          left=192.168.0.12
>>          leftsubnet=0.0.0.0/0
>>          right=123.123.123.123
>>          rightsubnet=0.0.0.0/0
>>
>>          ike=aes256-sha2_256-modp1024
>>          esp=aes256-sha2_256
>>
>> root at OWRT01:~#
>>
>>
>>
>>
>>
>> root at OWRT01:~# cat /etc/strongswan.conf
>> # strongswan.conf - strongSwan configuration file
>> #
>> # Refer to the strongswan.conf(5) manpage for details
>> #
>> # Configuration changes should be made in the included files
>> # Verbosity levels
>> # -1: Absolutely silent
>> # 0: Very basic auditing logs, (e.g. SA up/SA down)
>> # 1: Generic control flow with errors, a good default to see whats 
>> going on
>> # 2: More detailed debugging control flow
>> # 3: Including RAW data dumps in Hex
>> # 4: Also include sensitive material in dumps, e.g. keys
>> charon {
>>          load_modular = yes
>>          plugins {
>>                  include strongswan.d/charon/*.conf
>>          }
>>          filelog {
>>                  charon {
>>                          path = /var/log/charon.log
>>                          time_format = %b %e %T
>>                          append = no
>>                          default = 0 # in case troubleshoot is 
>> required switch this to 2
>>                  }
>>                  stderr {
>>                          ike = 0 # in case troubleshoot is required 
>> switch this to 2
>>                          knl = 0 # in case troubleshoot is required 
>> switch this to 3
>>                          ike_name = yes
>>                  }
>>          }
>>          syslog {
>>                  # enable logging to LOG_DAEMON, use defaults
>>                  daemon {
>>                  }
>>                  # minimalistic IKE auditing logging to LOG_AUTHPRIV
>>                  auth {
>>                          default = 0 # in case troubleshoot is 
>> required switch this to 2
>>                          ike = 0 # in case troubleshoot is required 
>> switch this to 2
>>                  }
>>          }
>> }
>> include strongswan.d/*.conf
>> root at OWRT01:~#
>>
>>
>>
>>
>>
>>
>>
> 
> Given the below:
> 
> Azure VPN Gateway (123.123.123.123) -> DD-WRT (On Site PUB IP 
> 100.100.100.100, Local Router IP 192.168.0.6: Port Forwarding 500, 4500 
> to Raspberry Pi 2) -> Raspberry Pi 2 OpenWRT (OWRT01, 192.168.0.12)
> 
> 
> Am I correct in thinking that due to this statement in the logs:
> 
> Aug 16 01:00:06 OWRT01 : 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Aug 16 01:00:06 OWRT01 : 11[IKE] no IKE config found for 
> 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
> 
> 
> I now also need an ipsec policy between the DD-WRT router and the 
> OpenWRT Raspberry Pi 2?  Thank you for taking a look.
> 
> 
> My config and logs:
> 
> root at OWRT01:~# cat /etc/ipsec.conf
> config setup
> 
> conn azure
>          authby=secret
>          auto=start
>          type=passthrough
> 
>          left=192.168.0.12
>          leftsubnet=0.0.0.0/0
> 
>          right=123.123.123.123
>          rightsubnet=0.0.0.0/0
> 
>          ike=aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384
>          esp=aes128gcm16-ecp256,aes256gcm16-ecp384
> root at OWRT01:~#
> 
> 
> 
> Aug 16 01:00:00 OWRT01 : 00[DMN] signal of type SIGINT received. 
> Shutting down
> Aug 16 01:00:04 OWRT01 : 00[DMN] Starting IKE charon daemon (strongSwan 
> 5.8.2, Linux 4.14.180, armv7l)
> Aug 16 01:00:04 OWRT01 : 00[CFG] PKCS11 module '<name>' lacks library path
> Aug 16 01:00:05 OWRT01 : 00[LIB] curl SSL backend 'mbedTLS/2.16.6' not 
> supported, https:// disabled
> Aug 16 01:00:05 OWRT01 : 00[CFG] disabling load-tester plugin, not 
> configured
> Aug 16 01:00:05 OWRT01 : 00[LIB] plugin 'load-tester': failed to load - 
> load_tester_plugin_create returned NULL
> Aug 16 01:00:05 OWRT01 : 00[LIB] created TUN device: ipsec0
> Aug 16 01:00:05 OWRT01 : 00[LIB] plugin 'uci' failed to load: Error 
> relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: 
> symbol not found
> Aug 16 01:00:05 OWRT01 : 00[CFG] attr-sql plugin: database URI not set
> Aug 16 01:00:05 OWRT01 : 00[NET] using forecast interface br-lan
> Aug 16 01:00:05 OWRT01 : 00[CFG] joining forecast multicast groups: 
> 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
> Aug 16 01:00:05 OWRT01 : 00[CFG] loading ca certificates from 
> '/etc/ipsec.d/cacerts'
> Aug 16 01:00:05 OWRT01 : 00[CFG] loading aa certificates from 
> '/etc/ipsec.d/aacerts'
> Aug 16 01:00:05 OWRT01 : 00[CFG] loading ocsp signer certificates from 
> '/etc/ipsec.d/ocspcerts'
> Aug 16 01:00:05 OWRT01 : 00[CFG] loading attribute certificates from 
> '/etc/ipsec.d/acerts'
> Aug 16 01:00:05 OWRT01 : 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Aug 16 01:00:05 OWRT01 : 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Aug 16 01:00:05 OWRT01 : 00[CFG]   loaded IKE secret for 192.168.0.12 
> 123.123.123.123
> Aug 16 01:00:05 OWRT01 : 00[CFG] sql plugin: database URI not set
> Aug 16 01:00:05 OWRT01 : 00[CFG] loaded 0 RADIUS server configurations
> Aug 16 01:00:05 OWRT01 : 00[CFG] HA config misses local/remote address
> Aug 16 01:00:05 OWRT01 : 00[CFG] coupling file path unspecified
> Aug 16 01:00:05 OWRT01 : 00[LIB] loaded plugins: charon test-vectors 
> ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 
> pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent xcbc cmac 
> hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink 
> resolve socket-default socket-dynamic connmark forecast farp stroke vici 
> smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls 
> xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
> Aug 16 01:00:05 OWRT01 : 00[JOB] spawning 16 worker threads
> Aug 16 01:00:05 OWRT01 : 09[CFG] received stroke: add connection 'azure'
> Aug 16 01:00:05 OWRT01 : 09[CFG] added configuration 'azure'
> Aug 16 01:00:05 OWRT01 : 12[CFG] received stroke: initiate 'azure'
> Aug 16 01:00:05 OWRT01 : 12[IKE] initiating IKE_SA azure[1] to 
> 123.123.123.123
> Aug 16 01:00:05 OWRT01 : 12[ENC] generating IKE_SA_INIT request 0 [ SA 
> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Aug 16 01:00:05 OWRT01 : 12[NET] sending packet: from 192.168.0.12[500] 
> to 123.123.123.123[500] (1152 bytes)
> Aug 16 01:00:05 OWRT01 : 11[NET] received packet: from 192.168.0.6[26] 
> to 192.168.0.12[500] (1152 bytes)
> Aug 16 01:00:06 OWRT01 : 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Aug 16 01:00:06 OWRT01 : 11[IKE] no IKE config found for 
> 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
> Aug 16 01:00:06 OWRT01 : 11[ENC] generating IKE_SA_INIT response 0 [ 
> N(NO_PROP) ]
> Aug 16 01:00:06 OWRT01 : 11[NET] sending packet: from 192.168.0.12[500] 
> to 192.168.0.6[26] (36 bytes)
> Aug 16 01:00:06 OWRT01 : 14[NET] received packet: from 
> 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
> Aug 16 01:00:06 OWRT01 : 14[ENC] parsed IKE_SA_INIT response 0 [ 
> N(NO_PROP) ]
> Aug 16 01:00:06 OWRT01 : 14[IKE] received NO_PROPOSAL_CHOSEN notify error
> Aug 16 01:00:06 OWRT01 : 03[NET] received packet: from 192.168.0.6[500] 
> to 192.168.0.12[500] (620 bytes)
> Aug 16 01:00:06 OWRT01 : 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
> N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> Aug 16 01:00:06 OWRT01 : 03[IKE] no IKE config found for 
> 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
> Aug 16 01:00:06 OWRT01 : 03[ENC] generating IKE_SA_INIT response 0 [ 
> N(NO_PROP) ]
> Aug 16 01:00:06 OWRT01 : 03[NET] sending packet: from 192.168.0.12[500] 
> to 192.168.0.6[500] (36 bytes)
> 
> 
> 
> 
> 
> Aug 16 01:00:05 11[ENC]   parsing rule 0 U_INT_8
> Aug 16 01:00:05 11[ENC]   parsing rule 1 RESERVED_BYTE
> Aug 16 01:00:05 11[ENC]   parsing rule 2 PAYLOAD_LENGTH
> Aug 16 01:00:05 11[ENC]   parsing rule 3 U_INT_8
> Aug 16 01:00:05 11[ENC]   parsing rule 4 RESERVED_BYTE
> Aug 16 01:00:05 11[ENC]   parsing rule 5 U_INT_16
> Aug 16 01:00:05 11[ENC]   parsing rule 6 (1262)
> Aug 16 01:00:05 11[ENC]   4 bytes left, parsing recursively 
> TRANSFORM_ATTRIBUTE
> Aug 16 01:00:05 11[ENC] parsing TRANSFORM_ATTRIBUTE payload, 388 bytes left
> Aug 16 01:00:05 11[ENC]   parsing rule 0 ATTRIBUTE_FORMAT
> Aug 16 01:00:05 11[ENC]   parsing rule 1 ATTRIBUTE_TYPE
> Aug 16 01:00:05 11[ENC]   parsing rule 2 ATTRIBUTE_LENGTH_OR_VALUE
> Aug 16 01:00:05 11[ENC]   parsing rule 3 ATTRIBUTE_VALUE
> Aug 16 01:00:05 11[ENC] parsing TRANSFORM_ATTRIBUTE payload finished
> Aug 16 01:00:05 11[ENC] parsing TRANSFORM_SUBSTRUCTURE payload finished
> Aug 16 01:00:05 11[ENC]   152 bytes left, parsing recursively 
> TRANSFORM_SUBSTRUCTURE
> Aug 16 01:00:05 11[ENC] parsing TRANSFORM_SUBSTRUCTURE payload, 384 
> bytes left
> Aug 16 01:00:05 11[ENC]   parsing rule 0 U_INT_8
> Aug 16 01:00:05 11[ENC]   parsing rule 1 RESERVED_BYTE
> Aug 16 01:00:05 11[ENC]   parsing rule 2 PAYLOAD_LENGTH
> Aug 16 01:00:05 11[ENC]   parsing rule 3 U_INT_8
> Aug 16 01:00:05 11[ENC]   parsing rule 4 RESERVED_BYTE
> Aug 16 01:00:05 11[ENC]   parsing rule 5 U_INT_16
> Aug 16 01:00:05 11[ENC]   parsing rule 6 (1262)
> Aug 16 01:00:05 11[ENC] parsing TRANSFORM_SUBSTRUCTURE payload finished
> Aug 16 01:00:05 11[ENC]   144 bytes left, parsing recursively 
> TRANSFORM_SUBSTRUCTURE
> .
> .
> .
> .
> .
> .
> .
> .
> Aug 16 01:00:06 11[ENC] parsing NOTIFY payload finished
> Aug 16 01:00:06 11[ENC] verifying payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] NOTIFY payload verified, adding to payload list
> Aug 16 01:00:06 11[ENC] starting parsing a NOTIFY payload
> Aug 16 01:00:06 11[ENC] parsing NOTIFY payload, 8 bytes left
> Aug 16 01:00:06 11[ENC]   parsing rule 0 U_INT_8
> Aug 16 01:00:06 11[ENC]   parsing rule 1 FLAG
> Aug 16 01:00:06 11[ENC]   parsing rule 2 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   parsing rule 3 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   parsing rule 4 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   parsing rule 5 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   parsing rule 6 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   parsing rule 7 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   parsing rule 8 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   parsing rule 9 PAYLOAD_LENGTH
> Aug 16 01:00:06 11[ENC]   parsing rule 10 U_INT_8
> Aug 16 01:00:06 11[ENC]   parsing rule 11 SPI_SIZE
> Aug 16 01:00:06 11[ENC]   parsing rule 12 U_INT_16
> Aug 16 01:00:06 11[ENC]   parsing rule 13 SPI
> Aug 16 01:00:06 11[ENC]   parsing rule 14 CHUNK_DATA
> Aug 16 01:00:06 11[ENC] parsing NOTIFY payload finished
> Aug 16 01:00:06 11[ENC] verifying payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] NOTIFY payload verified, adding to payload list
> Aug 16 01:00:06 11[ENC] process payload of type SECURITY_ASSOCIATION
> Aug 16 01:00:06 11[ENC] process payload of type KEY_EXCHANGE
> Aug 16 01:00:06 11[ENC] process payload of type NONCE
> Aug 16 01:00:06 11[ENC] process payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] process payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] process payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] process payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] process payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] verifying message structure
> Aug 16 01:00:06 11[ENC] found payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] found payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] found payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] found payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] found payload of type NOTIFY
> Aug 16 01:00:06 11[ENC] found payload of type SECURITY_ASSOCIATION
> Aug 16 01:00:06 11[ENC] found payload of type KEY_EXCHANGE
> Aug 16 01:00:06 11[ENC] found payload of type NONCE
> Aug 16 01:00:06 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
> N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Aug 16 01:00:06 11[CFG] looking for an IKEv2 config for 
> 192.168.0.12...192.168.0.6
> Aug 16 01:00:06 11[IKE] no IKE config found for 
> 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
> Aug 16 01:00:06 11[ENC] added payload of type NOTIFY to message
> Aug 16 01:00:06 11[ENC] order payloads in message
> Aug 16 01:00:06 11[ENC] added payload of type NOTIFY to message
> Aug 16 01:00:06 11[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Aug 16 01:00:06 11[ENC] not encrypting payloads
> Aug 16 01:00:06 11[ENC] generating payload of type HEADER
> Aug 16 01:00:06 11[ENC]   generating rule 0 IKE_SPI
> Aug 16 01:00:06 11[ENC]   generating rule 1 IKE_SPI
> Aug 16 01:00:06 11[ENC]   generating rule 2 U_INT_8
> Aug 16 01:00:06 11[ENC]   generating rule 3 U_INT_4
> Aug 16 01:00:06 11[ENC]   generating rule 4 U_INT_4
> Aug 16 01:00:06 11[ENC]   generating rule 5 U_INT_8
> Aug 16 01:00:06 11[ENC]   generating rule 6 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   generating rule 7 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   generating rule 8 FLAG
> Aug 16 01:00:06 11[ENC]   generating rule 9 FLAG
> Aug 16 01:00:06 11[ENC]   generating rule 10 FLAG
> Aug 16 01:00:06 11[ENC]   generating rule 11 FLAG
> Aug 16 01:00:06 11[ENC]   generating rule 12 FLAG
> Aug 16 01:00:06 11[ENC]   generating rule 13 FLAG
> Aug 16 01:00:06 11[ENC]   generating rule 14 U_INT_32
> Aug 16 01:00:06 11[ENC]   generating rule 15 HEADER_LENGTH
> Aug 16 01:00:06 11[ENC] generating HEADER payload finished
> Aug 16 01:00:06 11[ENC] generating payload of type NOTIFY
> Aug 16 01:00:06 11[ENC]   generating rule 0 U_INT_8
> Aug 16 01:00:06 11[ENC]   generating rule 1 FLAG
> Aug 16 01:00:06 11[ENC]   generating rule 2 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   generating rule 3 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   generating rule 4 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   generating rule 5 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   generating rule 6 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   generating rule 7 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   generating rule 8 RESERVED_BIT
> Aug 16 01:00:06 11[ENC]   generating rule 9 PAYLOAD_LENGTH
> Aug 16 01:00:06 11[ENC]   generating rule 10 U_INT_8
> Aug 16 01:00:06 11[ENC]   generating rule 11 SPI_SIZE
> Aug 16 01:00:06 11[ENC]   generating rule 12 U_INT_16
> Aug 16 01:00:06 11[ENC]   generating rule 13 SPI
> Aug 16 01:00:06 11[ENC]   generating rule 14 CHUNK_DATA
> Aug 16 01:00:06 11[ENC] generating NOTIFY payload finished
> Aug 16 01:00:06 11[NET] sending packet: from 192.168.0.12[500] to 
> 192.168.0.6[26] (36 bytes)
> Aug 16 01:00:06 11[MGR] checkin and destroy IKE_SA (unnamed)[2]
> Aug 16 01:00:06 16[NET] sending packet: from 192.168.0.12[500] to 
> 192.168.0.6[26]
> Aug 16 01:00:06 11[IKE] IKE_SA (unnamed)[2] state change: CREATED => 
> DESTROYING
> Aug 16 01:00:06 11[MGR] checkin and destroy of IKE_SA successful
> Aug 16 01:00:06 04[NET] received packet: from 123.123.123.123[500] to 
> 192.168.0.12[500]
> Aug 16 01:00:06 04[ENC] parsing header of message
> Aug 16 01:00:06 04[ENC] parsing HEADER payload, 36 bytes left
> Aug 16 01:00:06 04[ENC]   parsing rule 0 IKE_SPI
> Aug 16 01:00:06 04[ENC]   parsing rule 1 IKE_SPI
> Aug 16 01:00:06 04[ENC]   parsing rule 2 U_INT_8
> Aug 16 01:00:06 04[ENC]   parsing rule 3 U_INT_4
> Aug 16 01:00:06 04[ENC]   parsing rule 4 U_INT_4
> Aug 16 01:00:06 04[ENC]   parsing rule 5 U_INT_8
> Aug 16 01:00:06 04[ENC]   parsing rule 6 RESERVED_BIT
> Aug 16 01:00:06 04[ENC]   parsing rule 7 RESERVED_BIT
> Aug 16 01:00:06 04[ENC]   parsing rule 8 FLAG
> Aug 16 01:00:06 04[ENC]   parsing rule 9 FLAG
> Aug 16 01:00:06 04[ENC]   parsing rule 10 FLAG
> Aug 16 01:00:06 04[ENC]   parsing rule 11 FLAG
> Aug 16 01:00:06 04[ENC]   parsing rule 12 FLAG
> Aug 16 01:00:06 04[ENC]   parsing rule 13 FLAG
> Aug 16 01:00:06 04[ENC]   parsing rule 14 U_INT_32
> Aug 16 01:00:06 04[ENC]   parsing rule 15 HEADER_LENGTH
> Aug 16 01:00:06 04[ENC] parsing HEADER payload finished
> Aug 16 01:00:06 04[ENC] parsed a IKE_SA_INIT response header
> Aug 16 01:00:06 04[NET] waiting for data on sockets
> Aug 16 01:00:06 14[MGR] checkout IKEv2 SA by message with SPIs 
> 5d4dbd5514ee8ae1_i 7e6ea225251f2a77_r
> Aug 16 01:00:06 14[MGR] IKE_SA azure[1] successfully checked out
> Aug 16 01:00:06 14[NET] received packet: from 123.123.123.123[500] to 
> 192.168.0.12[500] (36 bytes)
> Aug 16 01:00:06 14[ENC] parsing body of message, first payload is NOTIFY
> Aug 16 01:00:06 14[ENC] starting parsing a NOTIFY payload
> Aug 16 01:00:06 14[ENC] parsing NOTIFY payload, 8 bytes left
> Aug 16 01:00:06 14[ENC]   parsing rule 0 U_INT_8
> Aug 16 01:00:06 14[ENC]   parsing rule 1 FLAG
> Aug 16 01:00:06 14[ENC]   parsing rule 2 RESERVED_BIT
> Aug 16 01:00:06 14[ENC]   parsing rule 3 RESERVED_BIT
> Aug 16 01:00:06 14[ENC]   parsing rule 4 RESERVED_BIT
> Aug 16 01:00:06 14[ENC]   parsing rule 5 RESERVED_BIT
> Aug 16 01:00:06 14[ENC]   parsing rule 6 RESERVED_BIT
> Aug 16 01:00:06 14[ENC]   parsing rule 7 RESERVED_BIT
> Aug 16 01:00:06 14[ENC]   parsing rule 8 RESERVED_BIT
> Aug 16 01:00:06 14[ENC]   parsing rule 9 PAYLOAD_LENGTH
> Aug 16 01:00:06 14[ENC]   parsing rule 10 U_INT_8
> Aug 16 01:00:06 14[ENC]   parsing rule 11 SPI_SIZE
> Aug 16 01:00:06 14[ENC]   parsing rule 12 U_INT_16
> Aug 16 01:00:06 14[ENC]   parsing rule 13 SPI
> Aug 16 01:00:06 14[ENC]   parsing rule 14 CHUNK_DATA
> Aug 16 01:00:06 14[ENC] parsing NOTIFY payload finished
> Aug 16 01:00:06 14[ENC] verifying payload of type NOTIFY
> Aug 16 01:00:06 14[ENC] NOTIFY payload verified, adding to payload list
> Aug 16 01:00:06 14[ENC] process payload of type NOTIFY
> Aug 16 01:00:06 14[ENC] verifying message structure
> Aug 16 01:00:06 14[ENC] found payload of type NOTIFY
> Aug 16 01:00:06 14[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
> Aug 16 01:00:06 14[IKE] received NO_PROPOSAL_CHOSEN notify error
> Aug 16 01:00:06 14[CFG] configured proposals: 
> IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, 
> IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384, 
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, 
> IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048 
> 
> Aug 16 01:00:06 14[MGR] checkin and destroy IKE_SA azure[1]
> Aug 16 01:00:06 14[IKE] IKE_SA azure[1] state change: CONNECTING => 
> DESTROYING
> Aug 16 01:00:06 14[MGR] checkin and destroy of IKE_SA successful
> Aug 16 01:00:06 08[ESP] no matching outbound IPsec policy for 
> fe80::f44e:e17a:fbc2:3cc3 == ff02::16 [58]
> Aug 16 01:00:06 04[NET] received packet: from 192.168.0.6[500] to 
> 192.168.0.12[500]
> Aug 16 01:00:06 04[ENC] parsing header of message
> Aug 16 01:00:06 04[ENC] parsing HEADER payload, 620 bytes left
> Aug 16 01:00:06 04[ENC]   parsing rule 0 IKE_SPI
> Aug 16 01:00:06 04[ENC]   parsing rule 1 IKE_SPI
> Aug 16 01:00:06 04[ENC]   parsing rule 2 U_INT_8
> Aug 16 01:00:06 04[ENC]   parsing rule 3 U_INT_4
> Aug 16 01:00:06 04[ENC]   parsing rule 4 U_INT_4
> Aug 16 01:00:06 04[ENC]   parsing rule 5 U_INT_8
> Aug 16 01:00:06 04[ENC]   parsing rule 6 RESERVED_BIT
> Aug 16 01:00:06 04[ENC]   parsing rule 7 RESERVED_BIT
> Aug 16 01:00:06 04[ENC]   parsing rule 8 FLAG
> Aug 16 01:00:06 04[ENC]   parsing rule 9 FLAG
> Aug 16 01:00:06 04[ENC]   parsing rule 10 FLAG
> Aug 16 01:00:06 04[ENC]   parsing rule 11 FLAG
> Aug 16 01:00:06 04[ENC]   parsing rule 12 FLAG
> Aug 16 01:00:06 04[ENC]   parsing rule 13 FLAG
> Aug 16 01:00:06 04[ENC]   parsing rule 14 U_INT_32
> Aug 16 01:00:06 04[ENC]   parsing rule 15 HEADER_LENGTH
> Aug 16 01:00:06 04[ENC] parsing HEADER payload finished
> Aug 16 01:00:06 04[ENC] parsed a IKE_SA_INIT request header
> Aug 16 01:00:06 03[MGR] checkout IKEv2 SA by message with SPIs 
> 31219711e858bab2_i 0000000000000000_r
> Aug 16 01:00:06 03[MGR] created IKE_SA (unnamed)[3]
> Aug 16 01:00:06 03[NET] received packet: from 192.168.0.6[500] to 
> 192.168.0.12[500] (620 bytes)
> Aug 16 01:00:06 03[ENC] parsing body of message, first payload is 
> SECURITY_ASSOCIATION
> Aug 16 01:00:06 03[ENC] starting parsing a SECURITY_ASSOCIATION payload
> Aug 16 01:00:06 03[ENC] parsing SECURITY_ASSOCIATION payload, 592 bytes 
> left
> .
> .
> .
> .
> .
> .
> .
> Aug 16 01:02:06 06[ENC]   generating rule 12 U_INT_16
> Aug 16 01:02:06 06[ENC]   generating rule 13 SPI
> Aug 16 01:02:06 06[ENC]   generating rule 14 CHUNK_DATA
> Aug 16 01:02:06 06[ENC] generating NOTIFY payload finished
> Aug 16 01:02:06 06[NET] sending packet: from 192.168.0.12[500] to 
> 192.168.0.6[500] (36 bytes)
> Aug 16 01:02:06 16[NET] sending packet: from 192.168.0.12[500] to 
> 192.168.0.6[500]
> Aug 16 01:02:06 06[MGR] checkin and destroy IKE_SA (unnamed)[4]
> Aug 16 01:02:06 06[IKE] IKE_SA (unnamed)[4] state change: CREATED => 
> DESTROYING
> Aug 16 01:02:06 06[MGR] checkin and destroy of IKE_SA successful
> 
> 
> 
> 
> 
> On the Azure side:
> 
> 
> 
> 
> 



On a side note, this configuration off of my internet-facing router 
(dd-wrt) is working as far as establishing a connection, despite some 
minor VLAN mapping issues. But the connection is ESTABLISHED. So I'm 
hoping someone could give me a hint as to what I need to make this 
work from my Raspberry Pi 2 behind the DD-WRT internet-facing router?

NAT rules I have:


# UDP
iptables -t nat -I PREROUTING -p udp --dport 500 -j DNAT --to 192.168.0.12:500
iptables -I FORWARD -p udp -d 192.168.0.12 --dport 500 -j ACCEPT

iptables -t nat -I PREROUTING -p udp --dport 4500 -j DNAT --to 192.168.0.12:4500
iptables -I FORWARD -p udp -d 192.168.0.12 --dport 4500 -j ACCEPT


Here is the config on the internet-facing router.

  # ipsec.conf - strongSwan IPsec configuration file

  # basic configuration

  config setup
          # strictcrlpolicy=yes
          # uniqueids = no

  # Add connections here.

  conn azure-s2s
          authby=secret
          auto=start
          type=tunnel
          keyexchange=ikev2
          keylife=3600s
          ikelifetime=28800s
          rekey=yes
          rekeymargin=3m
          keyingtries=1
          mobike=no
          dpdaction=none
          lifebytes=102400000

          left=100.100.100.100                 # IP address of your on-premises gateway
          leftsubnet=192.168.0.0/24,10.0.0.0/24,10.1.0.0/24,10.2.0.0/24,10.3.0.0/24   # Home LAB - Local
          # leftsubnet=0.0.0.0/0
          # leftnexthop=%defaultroute

          right=123.123.123.123                  # Remote VPN gateway IP address
          rightsubnet=10.1.10.0/24,10.1.10.0/24,10.1.20.0/24,10.1.30.0/24,10.1.40.0/24,10.1.50.0/24   # Remote network subnet defined in public cloud
          # rightsubnet=0.0.0.0/0

          ike=aes256-sha1-modp1024
          esp=aes256-sha1

I tried the same configuration as above by porting it on the Raspberry 
Pi 2, but no luck. Same result:


  Aug 17 02:23:46 OWRT01 : 10[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[500] (36 bytes)
  Aug 17 02:25:46 OWRT01 : 03[NET] received packet: from 192.168.0.6[500] to 192.168.0.12[500] (620 bytes)
  Aug 17 02:25:46 OWRT01 : 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
  Aug 17 02:25:46 OWRT01 : 03[IKE] no IKE config found for 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
  Aug 17 02:25:46 OWRT01 : 03[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
  Aug 17 02:25:46 OWRT01 : 03[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[500] (36 bytes)


Thanks,





-- 
Thx,
TK.
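An added log check, not code from this thread or from strongSwan: it reads charon [NET]/[IKE] lines of the kind quoted above and flags two patterns that are visible in them. First, an IKE_SA_INIT sent to the configured peer that comes straight back as a request from the LAN router with the same byte count (the 1152-byte packet above), which is consistent with a port-forward DNAT rule that also matches the Pi's own LAN-originated traffic; second, IKE_SA_INIT requests arriving from an address that is not the configured right=, so charon has no conn for it and answers NO_PROPOSAL_CHOSEN. The sample lines are constructed from the thread's output, the peer set passed to analyse() is an assumption, and the two diagnoses are the editor's reading of the logs, not a statement from the thread.

```python
import re

# Constructed sample, modelled on the charon [NET]/[IKE] lines quoted in the
# thread (the thread's placeholder addresses are reused: 123.123.123.123 is the
# cloud peer, 192.168.0.6 the LAN-side router, 192.168.0.12 the Pi).
SAMPLE_LOG = """\
Aug 16 01:00:05 OWRT01 : 12[IKE] initiating IKE_SA azure[1] to 123.123.123.123
Aug 16 01:00:05 OWRT01 : 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 16 01:00:05 OWRT01 : 12[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (1152 bytes)
Aug 16 01:00:05 OWRT01 : 11[NET] received packet: from 192.168.0.6[26] to 192.168.0.12[500] (1152 bytes)
Aug 16 01:00:06 OWRT01 : 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 16 01:00:06 OWRT01 : 11[IKE] no IKE config found for 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
Aug 16 01:00:06 OWRT01 : 11[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[26] (36 bytes)
Aug 16 01:00:06 OWRT01 : 14[NET] received packet: from 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
Aug 16 01:00:06 OWRT01 : 14[IKE] received NO_PROPOSAL_CHOSEN notify error
Aug 16 01:00:06 OWRT01 : 03[NET] received packet: from 192.168.0.6[500] to 192.168.0.12[500] (620 bytes)
Aug 16 01:00:06 OWRT01 : 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Aug 16 01:00:06 OWRT01 : 03[IKE] no IKE config found for 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
Aug 16 01:00:06 OWRT01 : 03[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[500] (36 bytes)
"""

SEND_RE = re.compile(r"\[NET\] sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\] \((\d+) bytes\)")
RECV_RE = re.compile(r"\[NET\] received packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\] \((\d+) bytes\)")
INIT_REQ_RE = re.compile(r"\[ENC\] parsed IKE_SA_INIT request")
NOCFG_RE = re.compile(r"\[IKE\] no IKE config found for (\S+?)\.\.\.(\S+?),")


def analyse(lines, configured_peers):
    """Scan charon log lines and return a list of findings.

    ("hairpin", src, size): an IKE_SA_INIT request of exactly the size we just
        sent to a configured peer came back from a non-peer address, i.e. our
        own request was reflected back at us (consistent with a port-forward
        rule on the router that also matches LAN-originated traffic).
    ("unexpected_initiator", addr, n): n IKE_SA_INIT requests arrived from an
        address that is not a configured peer, so charon has no conn for it
        and answers NO_PROPOSAL_CHOSEN (consistent with SNAT/masquerade on the
        forwarding router rewriting the real peer's source address).
    """
    findings = []
    last_sent = None  # (dst, size) of the most recent outbound datagram
    last_recv = None  # (src, size) of the most recent inbound datagram
    unexpected = {}
    for line in lines:
        m = SEND_RE.search(line)
        if m:
            last_sent = (m.group(3), int(m.group(5)))
            continue
        m = RECV_RE.search(line)
        if m:
            last_recv = (m.group(1), int(m.group(5)))
            continue
        if INIT_REQ_RE.search(line) and last_recv is not None:
            src, size = last_recv
            if (last_sent is not None and last_sent[0] in configured_peers
                    and src not in configured_peers and size == last_sent[1]):
                findings.append(("hairpin", src, size))
            last_recv = None
            continue
        m = NOCFG_RE.search(line)
        if m and m.group(2) not in configured_peers:
            unexpected[m.group(2)] = unexpected.get(m.group(2), 0) + 1
    for addr, n in sorted(unexpected.items()):
        findings.append(("unexpected_initiator", addr, n))
    return findings


def report(findings):
    """Render findings as one human-readable line each."""
    out = []
    for kind, addr, value in findings:
        if kind == "hairpin":
            out.append(f"own IKE_SA_INIT ({value} bytes) reflected back from {addr}: "
                       f"check that the DNAT rule on the router only matches WAN input")
        else:
            out.append(f"{value} IKE_SA_INIT request(s) from {addr}, which is not a "
                       f"configured peer: check for SNAT/masquerade on the forwarded path")
    return out


if __name__ == "__main__":
    for line in report(analyse(SAMPLE_LOG.splitlines(), {"123.123.123.123"})):
        print(line)
```

Run it against a real charon log with `default = 1` or higher so the [NET] send/receive lines are present; the hairpin check only fires when the reflected request has exactly the byte count of the request just sent.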

