[strongSwan] IPv6 tunnel and IPv4 traffic: no routing entries in table 220 ?
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Jan 29 13:52:42 CET 2020
Hello Thomas,
You don't have a CHILD_SA up with which to transport packets, only an IKE_SA with which you can negotiate a CHILD_SA.
Negotiate a CHILD_SA with "swanctl -i --child child1".
Kind regards
Noel
On 29.01.20 at 13:48, Thomas Rudolph wrote:
> Hello Noel and list,
>
> yes I’ll try to provide all information.
>
> Problem: IPv6 tunnel and IPv4 traffic – no routing entries and no ping LAN<->LAN possible
>
> Setup: Linux with strongSwan 5.8.0, site-2-site VPN to another strongSwan 5.8.0
>
> Config below:
>
> eth0 = Interface with IPv6 for tunnel connection
> eth2 = LAN
>
> daemon start:
>
> Jan 29 13:17:14 strongswan charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.0, Linux 4.4.0-142-generic, i686)
> Jan 29 13:17:14 strongswan kernel: [ 209.226536] Initializing XFRM netlink socket
> Jan 29 13:17:14 strongswan charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Jan 29 13:17:14 strongswan charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Jan 29 13:17:14 strongswan charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Jan 29 13:17:14 strongswan charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Jan 29 13:17:14 strongswan charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Jan 29 13:17:14 strongswan charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Jan 29 13:17:14 strongswan charon: 00[LIB] loaded plugins: charon rc2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 dhcp counters
> Jan 29 13:17:14 strongswan charon: 00[JOB] spawning 16 worker threads
> Jan 29 13:17:18 strongswan charon: 10[CFG] loaded IKE shared key with id 'ike1' for: 'vpnserver1', 'digibox1'
> Jan 29 13:17:18 strongswan charon: 04[CFG] added vici connection: conn1
> Jan 29 13:17:32 strongswan charon: 00[DMN] signal of type SIGINT received. Shutting down
> Jan 29 13:17:36 strongswan charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.0, Linux 4.4.0-142-generic, i686)
> Jan 29 13:17:36 strongswan charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Jan 29 13:17:36 strongswan charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Jan 29 13:17:36 strongswan charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Jan 29 13:17:36 strongswan charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Jan 29 13:17:36 strongswan charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Jan 29 13:17:36 strongswan charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Jan 29 13:17:36 strongswan charon: 00[LIB] loaded plugins: charon rc2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 dhcp counters
> Jan 29 13:17:36 strongswan charon: 00[JOB] spawning 16 worker threads
> Jan 29 13:17:42 strongswan charon: 07[CFG] loaded IKE shared key with id 'ike1' for: 'vpnserver1', 'digibox1'
> Jan 29 13:17:42 strongswan charon: 11[CFG] added vici connection: conn1
>
> Connection up:
>
> root at strongswan:/home/rudt/projects/vpn-server# swanctl -i --ike conn1
> [IKE] initiating IKE_SA conn1[1] to 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [NET] sending packet: from 2003:a:769:4100:1::200[500] to 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[500] (750 bytes)
> [NET] received packet: from 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[500] to 2003:a:769:4100:1::200[500] (38 bytes)
> [ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> [IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
> [IKE] initiating IKE_SA conn1[1] to 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [NET] sending packet: from 2003:a:769:4100:1::200[500] to 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[500] (942 bytes)
> [NET] received packet: from 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[500] to 2003:a:769:4100:1::200[500] (462 bytes)
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
> [CFG] selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
> [IKE] authentication of 'vpnserver1' (myself) with pre-shared key
> [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> [NET] sending packet: from 2003:a:769:4100:1::200[500] to 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[500] (147 bytes)
> [NET] received packet: from 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[500] to 2003:a:769:4100:1::200[500] (97 bytes)
> [ENC] parsed IKE_AUTH response 1 [ IDr AUTH ]
> [IKE] authentication of 'digibox1' with pre-shared key successful
> [IKE] IKE_SA conn1[1] established between 2003:a:769:4100:1::200[vpnserver1]...2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[digibox1]
> [IKE] scheduling reauthentication in 9940s
> [IKE] maximum IKE_SA lifetime 11020s
> initiate completed successfully
>
> VPN config:
>
> connections {
>     conn1 {
>         local_addrs = %any
>         remote_addrs = <IPv6_DYNDNS_NAME>
>
>         local {
>             auth = psk
>             id = vpnserver1
>         }
>         remote {
>             auth = psk
>             id = digibox1
>         }
>         children {
>             child1 {
>                 local_ts = 10.10.10.0/24
>                 remote_ts = 192.168.2.0/24
>                 updown = /usr/libexec/ipsec/_updown iptables
>                 rekey_time = 5400
>                 rekey_bytes = 500000000
>                 rekey_packets = 1000000
>             }
>         }
>         version = 2
>         mobike = no
>         reauth_time = 10800
>     }
> }
>
> secrets {
>     ike1 {
>         id1 = vpnserver1
>         id2 = digibox1
>         secret = <PASSWORD>
>     }
> }
>
> Status:
>
> Status of IKE charon daemon (strongSwan 5.8.0, Linux 4.4.0-142-generic, i686):
>   uptime: 12 minutes, since Jan 29 13:17:35 2020
>   malloc: sbrk 1208320, mmap 0, used 180120, free 1028200
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
>   loaded plugins: charon rc2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 dhcp counters
> Listening IP addresses:
>   192.168.0.1
>   2003:a:769:4100:1::200
>   10.10.10.1
> Connections:
>   conn1: %any...dbzyvpnt1.dynv6.net IKEv2
>   conn1: local: [vpnserver1] uses pre-shared key authentication
>   conn1: remote: [digibox1] uses pre-shared key authentication
>   child1: child: 10.10.10.0/24 === 192.168.2.0/24 TUNNEL
> Security Associations (1 up, 0 connecting):
>   conn1[1]: ESTABLISHED 9 minutes ago, 2003:a:769:4100:1::200[vpnserver1]...2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[digibox1]
>   conn1[1]: IKEv2 SPIs: 7166966c8917ccac_i* 9ef970b95e825009_r, pre-shared key reauthentication in 2 hours
>   conn1[1]: IKE proposal: AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
>
> Firewall:
>
> # Generated by iptables-save v1.4.21 on Wed Jan 29 13:34:58 2020
> *filter
> :INPUT ACCEPT [7:633]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [4:544]
> COMMIT
> # Completed on Wed Jan 29 13:34:58 2020
>
> ip6tables-save gives no output, but there everything is also flushed and all policies are ACCEPT.
>
> Routing:
>
> default via 192.168.0.240 dev eth0
> 10.10.10.0/24 dev eth2 proto kernel scope link src 10.10.10.1
> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
> broadcast 10.10.10.0 dev eth2 table local proto kernel scope link src 10.10.10.1
> local 10.10.10.1 dev eth2 table local proto kernel scope host src 10.10.10.1
> broadcast 10.10.10.255 dev eth2 table local proto kernel scope link src 10.10.10.1
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
> broadcast 192.168.0.0 dev eth0 table local proto kernel scope link src 192.168.0.1
> local 192.168.0.1 dev eth0 table local proto kernel scope host src 192.168.0.1
> broadcast 192.168.0.255 dev eth0 table local proto kernel scope link src 192.168.0.1
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
> 2003:a:769:4100:1::200 dev eth0 proto kernel metric 256
> 2003:a:769:4100::/56 dev eth0 proto kernel metric 256 expires 2591939sec
> fe80::/64 dev eth0 proto kernel metric 256
> fe80::/64 dev eth2 proto kernel metric 256
> default via 2003:a:769:4100:1::240 dev eth0 metric 1024
> default via fe80::178:1 dev eth0 proto ra metric 1024 expires 1739sec hoplimit 64
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
> local ::1 dev lo table local proto none metric 0
> local 2003:a:769:4100:1::200 dev lo table local proto none metric 0
> local fe80::a00:27ff:fe15:5da0 dev lo table local proto none metric 0
> local fe80::a00:27ff:fef0:ec33 dev lo table local proto none metric 0
> ff00::/8 dev eth0 table local metric 256
> ff00::/8 dev eth2 table local metric 256
> unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
>
> IP addresses:
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 08:00:27:f0:ec:33 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
>        valid_lft forever preferred_lft forever
>     inet6 2003:a:769:4100:1::200/128 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::a00:27ff:fef0:ec33/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
>     link/ether 08:00:27:ec:04:ec brd ff:ff:ff:ff:ff:ff
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 08:00:27:15:5d:a0 brd ff:ff:ff:ff:ff:ff
>     inet 10.10.10.1/24 brd 10.10.10.255 scope global eth2
>        valid_lft forever preferred_lft forever
>     inet6 fe80::a00:27ff:fe15:5da0/64 scope link
>        valid_lft forever preferred_lft forever
>
> Test:
>
> ping 192.168.2.1
>
> Result:
>
> tcpdump -i eth0 host 192.168.2.1
> 13:40:25.989010 IP 192.168.0.1 > 192.168.2.1: ICMP echo request, id 1382, seq 31, length 64
>
> Test:
>
> ping -s 10.10.10.1 192.168.2.1
>
> Result:
>
> Same as above
>
> Expected result:
>
> * at least one routing entry in table 220
> * IPv6 ESP packets going out, not unencrypted traffic
>
> Please, any hint/help on what is wrong?
>
> Regards,
>
> Thomas
>
> *From:* Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>
> *Sent:* Wednesday, 29 January 2020 11:22
> *To:* Thomas Rudolph <rudt at teleconnect.de>; users at lists.strongswan.org
> *Subject:* Re: [strongSwan] IPv6 tunnel and IPv4 traffic: no routing entries in table 220 ?
>
> Hello Thomas,
>
> Routes are added when traffic needs to be sent to another destination than the main routing table or existing routes in table 220 do. It's all in C code.
>
> Please provide all information as shown on the HelpRequests page on the wiki if you want any actionable advice.
>
> Kind regards
> Noel
>
> On 29.01.20 at 11:18, Thomas Rudolph wrote:
>> Hello,
>>
>> I wonder how the routing entries are written to table 220, and which are necessary. Is there any place, like _updown for firewall rules, where I can see how and what is done?
>>
>> My problem:
>>
>> If I use IPv4 tunnel and traffic, it’s all ok, rules in table 220 appear and VPN works from LAN to LAN.
>>
>> If I use IPv6 tunnel and IPv4 traffic, nothing appears in table 220. What can be the reason for such behavior?
>>
>> And, I was not able to find myself a rule that works, I tried to add to table 220 rules like
>>
>> ip route add 192.168.2.0/24 proto static scope global dev eth0 src 192.168.0.1 table 220
>>
>> with REMOTE_LAN_NET src LOCAL_LAN_ADDRESS
>>
>> (derived from strongSwan example https://www.strongswan.org/testing/testresults/ipv6/net2net-ip4-in-ip6-ikev2/ )
>>
>> but it doesn’t work. VPN connection is up, but no ping from LAN to LAN, it seems the traffic is not thrown into the tunnel (policy based VPN).
>>
>> Can anyone please give a hint?
>>
>> Regards,
>>
>> Thomas
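Noel's point is that table 220 routes and XFRM policies only exist once a CHILD_SA is INSTALLED, so the first check after `swanctl -i --ike` is `swanctl --list-sas`. The following is an added example (not code from the thread or from strongSwan itself): it parses constructed `--list-sas` output in strongSwan's format for this thread's conn1/child1 and tells whether an installed CHILD_SA's traffic selectors cover a given source/destination pair; the child SPIs and timings in the sample are placeholders, and the last check shows that the 192.168.0.1 source seen in the tcpdump lies outside child1's local_ts even once the CHILD_SA is up.

```python
import ipaddress
import re

# Constructed sample of `swanctl --list-sas` output for the thread's conn1 after a
# CHILD_SA was negotiated; the child SPIs and timings are made-up placeholders.
SAMPLE_WITH_CHILD = """\
conn1: #1, ESTABLISHED, IKEv2, 7166966c8917ccac_i* 9ef970b95e825009_r
  local  'vpnserver1' @ 2003:a:769:4100:1::200[500]
  remote 'digibox1' @ 2003:ec:efff:c93:5ee2:8cff:fe9b:c4c0[500]
  AES_GCM_16-128/PRF_AES128_XCBC/MODP_2048
  established 540s ago, reauth in 9400s
  child1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
    in  c0000001,      0 bytes,     0 packets
    out c0000002,      0 bytes,     0 packets
    local  10.10.10.0/24
    remote 192.168.2.0/24
"""
# The same IKE_SA with no CHILD_SA yet: the state reported in the thread.
SAMPLE_IKE_ONLY = "\n".join(SAMPLE_WITH_CHILD.splitlines()[:5]) + "\n"

# "  child1: #1, reqid 1, INSTALLED, TUNNEL, ..." -> name, state, mode
CHILD_RE = re.compile(r"^\s+(\S+): #\d+, reqid \d+, (\w+), (\w+)")
# "    local  10.10.10.0/24" / "    remote 192.168.2.0/24" -> traffic selectors
TS_RE = re.compile(r"^\s+(local|remote)\s+(\S+)$")


def parse_children(text):
    """Return one dict per CHILD_SA: name, state, mode and its local/remote selectors."""
    children, cur = [], None
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            cur = {"name": m.group(1), "state": m.group(2), "mode": m.group(3),
                   "local": [], "remote": []}
            children.append(cur)
            continue
        m = TS_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)].append(ipaddress.ip_network(m.group(2)))
    return children


def covered_by(text, src, dst):
    """Name of the INSTALLED CHILD_SA whose selectors cover src -> dst, or None.
    None means no XFRM policy matches, so the packet leaves in the clear."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for c in parse_children(text):
        if c["state"] != "INSTALLED":
            continue
        if any(s in n for n in c["local"]) and any(d in n for n in c["remote"]):
            return c["name"]
    return None
```

On a live host, feed the real `swanctl --list-sas` output to `covered_by()` with the source address the ping actually uses; an empty `parse_children()` result means only the IKE_SA exists and `swanctl -i --child child1` is the next step.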