[strongSwan] IPv6 tunnel and IPv4 traffic: no routing entries in table 220 ?
Thomas Rudolph
rudt at teleconnect.de
Wed Jan 29 13:48:13 CET 2020
Hello Noel and list,
Yes, I'll try to provide all the information.
Problem: IPv6 tunnel and IPv4 traffic - no routing entries and no ping LAN<->LAN possible
Setup: Linux with strongSwan 5.8.0 , site-2-site VPN to another strongSwan 5.8.0
Config below:
eth0 = Interface with IPv6 for tunnel connection
eth2 = LAN
daemon start:
Jan 29 13:17:14 strongswan charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.0, Linux 4.4.0-142-generic, i686)
Jan 29 13:17:14 strongswan kernel: [ 209.226536] Initializing XFRM netlink socket
Jan 29 13:17:14 strongswan charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jan 29 13:17:14 strongswan charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jan 29 13:17:14 strongswan charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jan 29 13:17:14 strongswan charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jan 29 13:17:14 strongswan charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jan 29 13:17:14 strongswan charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jan 29 13:17:14 strongswan charon: 00[LIB] loaded plugins: charon rc2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 dhcp counters
Jan 29 13:17:14 strongswan charon: 00[JOB] spawning 16 worker threads
Jan 29 13:17:18 strongswan charon: 10[CFG] loaded IKE shared key with id 'ike1' for: 'vpnserver1', 'digibox1'
Jan 29 13:17:18 strongswan charon: 04[CFG] added vici connection: conn1
Jan 29 13:17:32 strongswan charon: 00[DMN] signal of type SIGINT received. Shutting down
Jan 29 13:17:36 strongswan charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.0, Linux 4.4.0-142-generic, i686)
Jan 29 13:17:36 strongswan charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Jan 29 13:17:36 strongswan charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Jan 29 13:17:36 strongswan charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Jan 29 13:17:36 strongswan charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Jan 29 13:17:36 strongswan charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Jan 29 13:17:36 strongswan charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Jan 29 13:17:36 strongswan charon: 00[LIB] loaded plugins: charon rc2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 dhcp counters
Jan 29 13:17:36 strongswan charon: 00[JOB] spawning 16 worker threads
Jan 29 13:17:42 strongswan charon: 07[CFG] loaded IKE shared key with id 'ike1' for: 'vpnserver1', 'digibox1'
Jan 29 13:17:42 strongswan charon: 11[CFG] added vici connection: conn1
Connection up:
root at strongswan:/home/rudt/projects/vpn-server# swanctl -i --ike conn1
[IKE] initiating IKE_SA conn1[1] to 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 2003:a:769:4100:1::200[500] to 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[500] (750 bytes)
[NET] received packet: from 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[500] to 2003:a:769:4100:1::200[500] (38 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
[IKE] initiating IKE_SA conn1[1] to 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 2003:a:769:4100:1::200[500] to 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[500] (942 bytes)
[NET] received packet: from 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[500] to 2003:a:769:4100:1::200[500] (462 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
[IKE] authentication of 'vpnserver1' (myself) with pre-shared key
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 2003:a:769:4100:1::200[500] to 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[500] (147 bytes)
[NET] received packet: from 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[500] to 2003:a:769:4100:1::200[500] (97 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH ]
[IKE] authentication of 'digibox1' with pre-shared key successful
[IKE] IKE_SA conn1[1] established between 2003:a:769:4100:1::200[vpnserver1]...2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[digibox1]
[IKE] scheduling reauthentication in 9940s
[IKE] maximum IKE_SA lifetime 11020s
initiate completed successfully
VPN config:
connections {
    conn1 {
        local_addrs = %any
        remote_addrs = <IPv6_DYNDNS_NAME>
        local {
            auth = psk
            id = vpnserver1
        }
        remote {
            auth = psk
            id = digibox1
        }
        children {
            child1 {
                local_ts = 10.10.10.0/24
                remote_ts = 192.168.2.0/24
                updown = /usr/libexec/ipsec/_updown iptables
                rekey_time = 5400
                rekey_bytes = 500000000
                rekey_packets = 1000000
            }
        }
        version = 2
        mobike = no
        reauth_time = 10800
    }
}
secrets {
    ike1 {
        id1 = vpnserver1
        id2 = digibox1
        secret = <PASSWORD>
    }
}
Status:
Status of IKE charon daemon (strongSwan 5.8.0, Linux 4.4.0-142-generic, i686):
uptime: 12 minutes, since Jan 29 13:17:35 2020
malloc: sbrk 1208320, mmap 0, used 180120, free 1028200
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon rc2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 dhcp counters
Listening IP addresses:
192.168.0.1
2003:a:769:4100:1::200
10.10.10.1
Connections:
conn1: %any...dbzyvpnt1.dynv6.net IKEv2
conn1: local: [vpnserver1] uses pre-shared key authentication
conn1: remote: [digibox1] uses pre-shared key authentication
child1: child: 10.10.10.0/24 === 192.168.2.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
conn1[1]: ESTABLISHED 9 minutes ago, 2003:a:769:4100:1::200[vpnserver1]...2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[digibox1]
conn1[1]: IKEv2 SPIs: 7166966c8917ccac_i* 9ef970b95e825009_r, pre-shared key reauthentication in 2 hours
conn1[1]: IKE proposal: AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
Firewall:
# Generated by iptables-save v1.4.21 on Wed Jan 29 13:34:58 2020
*filter
:INPUT ACCEPT [7:633]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:544]
COMMIT
# Completed on Wed Jan 29 13:34:58 2020
ip6tables-save gives no output, but there everything is also flushed and all policies are ACCEPT.
Routing:
default via 192.168.0.240 dev eth0
10.10.10.0/24 dev eth2 proto kernel scope link src 10.10.10.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
broadcast 10.10.10.0 dev eth2 table local proto kernel scope link src 10.10.10.1
local 10.10.10.1 dev eth2 table local proto kernel scope host src 10.10.10.1
broadcast 10.10.10.255 dev eth2 table local proto kernel scope link src 10.10.10.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth0 table local proto kernel scope link src 192.168.0.1
local 192.168.0.1 dev eth0 table local proto kernel scope host src 192.168.0.1
broadcast 192.168.0.255 dev eth0 table local proto kernel scope link src 192.168.0.1
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
2003:a:769:4100:1::200 dev eth0 proto kernel metric 256
2003:a:769:4100::/56 dev eth0 proto kernel metric 256 expires 2591939sec
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth2 proto kernel metric 256
default via 2003:a:769:4100:1::240 dev eth0 metric 1024
default via fe80::178:1 dev eth0 proto ra metric 1024 expires 1739sec hoplimit 64
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
local ::1 dev lo table local proto none metric 0
local 2003:a:769:4100:1::200 dev lo table local proto none metric 0
local fe80::a00:27ff:fe15:5da0 dev lo table local proto none metric 0
local fe80::a00:27ff:fef0:ec33 dev lo table local proto none metric 0
ff00::/8 dev eth0 table local metric 256
ff00::/8 dev eth2 table local metric 256
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
IP addresses:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:f0:ec:33 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 2003:a:769:4100:1::200/128 scope global
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fef0:ec33/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 08:00:27:ec:04:ec brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:15:5d:a0 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.1/24 brd 10.10.10.255 scope global eth2
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe15:5da0/64 scope link
valid_lft forever preferred_lft forever
Test:
ping 192.168.2.1
Result:
tcpdump -i eth0 host 192.168.2.1
13:40:25.989010 IP 192.168.0.1 > 192.168.2.1: ICMP echo request, id 1382, seq 31, length 64
Test:
ping -s 10.10.10.1 192.168.2.1
Result:
Same as above
Expected result:
* at least one routing entry in table 220
* IPv6 ESP packets going out, not unencrypted traffic
Please, any hint/help on what is wrong?
Regards,
Thomas
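Added example (editor's note, not part of the original thread): the tcpdump line in the first test is the actual finding. Routes in table 220 are only a hint that steers the source address of locally generated traffic; whether a packet is encrypted is decided by the XFRM policy the kernel holds for the CHILD_SA, and that policy covers exactly 10.10.10.0/24 -> 192.168.2.0/24. A ping to 192.168.2.1 with no source given is routed by the main table (default via 192.168.0.240 dev eth0, preferred source 192.168.0.1), so it matches no outbound policy and leaves eth0 in the clear, which is what the capture shows. Two caveats a practitioner would check: iputils ping selects the source address with -I (-s sets the payload size), so the second test is again sourced from 192.168.0.1; and a manually added table 220 route with src 192.168.0.1 cannot help either, because that source lies outside local_ts and therefore outside the policy. The script below parses `ip xfrm policy` output and reports whether a given src/dst pair would be tunnelled, bypassed or sent in cleartext. The embedded sample is constructed to mirror what the command prints for the child SA on this page (the priority value is illustrative); the function names are my own. On a live host, feed it the real output of `ip xfrm policy` instead.

```python
"""Offline check: is a src/dst pair covered by the installed XFRM policies?

Added example, not code from the thread or from strongSwan.  The sample
below is CONSTRUCTED to mirror what `ip xfrm policy` prints for the child
SA on the page (10.10.10.0/24 === 192.168.2.0/24, tunnelled between the two
IPv6 endpoints).  On a live box replace it with the output of
`ip xfrm policy` (e.g. via subprocess.run(["ip", "xfrm", "policy"], ...)).
"""
import ipaddress
import re

SAMPLE_XFRM_POLICY = """\
src 10.10.10.0/24 dst 192.168.2.0/24
    dir out priority 375423 ptype main
    tmpl src 2003:a:769:4100:1::200 dst 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0
        proto esp reqid 1 mode tunnel
src 192.168.2.0/24 dst 10.10.10.0/24
    dir fwd priority 375423 ptype main
    tmpl src 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0 dst 2003:a:769:4100:1::200
        proto esp reqid 1 mode tunnel
src 192.168.2.0/24 dst 10.10.10.0/24
    dir in priority 375423 ptype main
    tmpl src 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0 dst 2003:a:769:4100:1::200
        proto esp reqid 1 mode tunnel
"""

_SEL = re.compile(r"^src (\S+) dst (\S+)")
_DIR = re.compile(r"^dir (\S+) priority (\d+)")
_TMPL = re.compile(r"^tmpl src (\S+) dst (\S+)")
_MODE = re.compile(r"^proto (\S+) .*mode (\S+)")


def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into a list of dicts.

    Each entry carries the traffic selector (src/dst networks), direction,
    priority and, if present, the template: outer tunnel endpoints, protocol
    and mode.  A policy without a template is a bypass (passthrough) policy.
    """
    policies = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SEL.match(line)
        if m:
            cur = {
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "dir": None, "priority": None, "tmpl": None,
            }
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = _DIR.match(line)
        if m:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = _TMPL.match(line)
        if m:
            cur["tmpl"] = {"outer_src": ipaddress.ip_address(m.group(1)),
                           "outer_dst": ipaddress.ip_address(m.group(2))}
            continue
        m = _MODE.match(line)
        if m and cur["tmpl"] is not None:
            cur["tmpl"]["proto"], cur["tmpl"]["mode"] = m.group(1), m.group(2)
    return policies


def match_policy(policies, src, dst, direction="out"):
    """Policy the kernel would apply to src->dst in `direction`, or None.

    The selector must contain both addresses (ipaddress never matches across
    address families); among hits the lowest priority value wins.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and s in p["src"] and d in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None


def classify(policies, src, dst, direction="out"):
    """'tunnel' (ESP template), 'bypass' (no template) or 'cleartext' (no policy)."""
    p = match_policy(policies, src, dst, direction)
    if p is None:
        return "cleartext"
    return "bypass" if p["tmpl"] is None else "tunnel"


def outer_endpoints(policies, src, dst, direction="out"):
    """Outer (IKE) addresses a matching packet is encapsulated between, or None."""
    p = match_policy(policies, src, dst, direction)
    if p is None or p["tmpl"] is None:
        return None
    return str(p["tmpl"]["outer_src"]), str(p["tmpl"]["outer_dst"])


if __name__ == "__main__":
    pols = parse_xfrm_policies(SAMPLE_XFRM_POLICY)
    # The page's two tests: a ping sourced from 192.168.0.1 (preferred source
    # of the default route on eth0) versus one sourced from an address in local_ts.
    for src in ("192.168.0.1", "10.10.10.1"):
        print(f"{src} -> 192.168.2.1: {classify(pols, src, '192.168.2.1')}")
```

Run against the real `ip xfrm policy` output, a "cleartext" verdict for a LAN-to-LAN pair means the traffic selectors (or the source address the host picks) are wrong, regardless of what table 220 contains; "tunnel" with the expected IPv6 outer endpoints means the policy is fine and any remaining failure is on the routing/source-selection side.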
From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>
Sent: Wednesday, 29 January 2020 11:22
To: Thomas Rudolph <rudt at teleconnect.de>; users at lists.strongswan.org
Subject: Re: [strongSwan] IPv6 tunnel and IPv4 traffic: no routing entries in table 220 ?
Hello Thomas,
Routes are added when traffic needs to be sent to another destination than the main routing table or existing routes in table 220 do. It's all in C code.
Please provide all information as shown on the HelpRequests page on the wiki if you want any actionable advice.
Kind regards
Noel
On 29.01.20 at 11:18, Thomas Rudolph wrote:
> Hello,
>
> I wonder how the routing entries are written to table 220, and which are necessary. Is there any place, like _updown for firewall rules, where I can see how and what is done?
>
> My problem:
>
> If I use IPv4 tunnel and traffic, it's all ok, rules in table 220 appear and VPN works from LAN to LAN.
>
> If I use IPv6 tunnel and IPv4 traffic, nothing appears in table 220. What can be the reason for such behavior?
>
> And, I was not able to find myself a rule that works, I tried to add to table 220 rules like
>
> ip route add 192.168.2.0/24 proto static scope global dev eth0 src 192.168.0.1 table 220
>
> with REMOTE_LAN_NET src LOCAL_LAN_ADDRESS
>
> (derived from strongSwan example https://www.strongswan.org/testing/testresults/ipv6/net2net-ip4-in-ip6-ikev2/ )
>
> but it doesn't work. VPN connection is up, but no ping from LAN to LAN, it seems the traffic is not thrown into the tunnel (policy based VPN).
>
> Can anyone please give a hint?
>
> Regards,
>
> Thomas