[strongSwan] StrongSwan w/ multiple local subnets.
TomK
tomkcpr at mdevsys.com
Sat Jun 20 03:28:37 CEST 2020
ipsec0 receives the packet from the ping request but nothing comes back:
# tcpdump -i ipsec0 -s 0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type RAW (Raw IP), snapshot length 262144 bytes
21:21:55.601249 IP 100.100.100.100 > 10.10.0.4: ICMP echo request, id 29010, seq 94, length 64
21:21:56.610601 IP 100.100.100.100 > 10.10.0.4: ICMP echo request, id 29010, seq 95, length 64
21:21:57.619999 IP 100.100.100.100 > 10.10.0.4: ICMP echo request, id 29010, seq 96, length 64
Logs:
# cat /opt/tmp/charon.log |grep -Ev "ENC|NET" | tail -n 30
Jun 19 19:57:07 10[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:07 10[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:07 10[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 19:57:08 15[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 19:57:08 15[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:08 15[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:08 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 19:57:09 12[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 19:57:09 12[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:09 12[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:09 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 19:57:10 16[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 19:57:10 16[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:10 16[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:10 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 19:57:11 14[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 19:57:11 14[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:11 14[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:11 14[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 20:37:26 06[KNL] creating rekey job for CHILD_SA ESP/0xe223cf04/52.188.11.203
Jun 19 20:37:26 11[IKE] establishing CHILD_SA REMOTE-VLAN1{47} reqid 4
Jun 19 20:37:26 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 20:37:26 11[IKE] inbound CHILD_SA REMOTE-VLAN1{47} established with SPIs d60f2974_i 34a12944_o and TS 10.0.0.0/24 10.1.0.0/24 10.2.0.0/24 10.3.0.0/24 192.168.0.0/24 === 10.10.0.0/24 10.10.1.0/24 10.10.2.0/24 10.10.3.0/24 10.10.4.0/24
Jun 19 20:37:26 11[KNL] error installing route with policy 10.0.0.0/24 === 10.10.0.0/24 out
Jun 19 20:37:26 11[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 19 20:37:26 11[IKE] closing CHILD_SA REMOTE-VLAN1{4} with SPIs 28539651_i (840 bytes) e223cf04_o (840 bytes) and TS 192.168.0.0/24 === 10.10.0.0/24
Jun 19 20:37:26 11[IKE] sending DELETE for ESP CHILD_SA with SPI 28539651
Jun 19 20:37:26 12[IKE] received DELETE for ESP CHILD_SA with SPI e223cf04
Jun 19 20:37:26 12[IKE] CHILD_SA closed
Of interest are these messages:
charon: 10[ESP] no matching outbound IPsec policy for 100.100.100.100 == 10.10.0.4 [1]
On 6/19/2020 3:38 AM, TomK wrote:
> Hello,
>
> I have an Asus router using DD-WRT. On this router I've enabled ospf.
> The router sits on VLAN1: 192.168.0.0/24
>
>
> There are two more VLANs within the space:
>
>
> VLAN2: 10.0.0.0/24
> VLAN3: 10.1.0.0/24
> VLAN4: 10.2.0.0/24
> VLAN5: 10.3.0.0/24
>
> I've installed StrongSwan on top of this router and am looking to configure
> site-to-site VLAN via IKEv2 to 4 more external VLANs:
>
> VLAN1: 10.10.0.0/24
> VLAN2: 10.10.1.0/24
> VLAN3: 10.10.2.0/24
> VLAN4: 10.10.3.0/24
>
> So my config looks like this:
>
> /opt/etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
> # strictcrlpolicy=yes
> # uniqueids = no
>
> # Add connections here.
>
> conn REMOTE-VLAN1
> authby=secret
> auto=start
> type=tunnel
> keyexchange=ikev2
> keylife=3600s
> ikelifetime=28800s
> left=100.100.100.100
> leftsubnet=192.168.0.0/24
> # leftnexthop=%defaultroute
> right=123.123.123.123
>
> rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
>
> ike=aes256-sha1-modp1024
> esp=aes256-sha1
>
> conn REMOTE-VLAN2
> authby=secret
> auto=start
> type=tunnel
> keyexchange=ikev2
> keylife=3600s
> ikelifetime=28800s
> left=100.100.100.100
> leftsubnet=10.0.0.0/24
> # leftnexthop=%defaultroute
> right=123.123.123.123
>
> rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
>
> ike=aes256-sha1-modp1024
> esp=aes256-sha1
>
> conn REMOTE-VLAN5
> authby=secret
> auto=start
> type=tunnel
> keyexchange=ikev2
> keylife=3600s
> ikelifetime=28800s
> left=100.100.100.100
> leftsubnet=10.3.0.0/24
> # leftnexthop=%defaultroute
> right=123.123.123.123
>
> rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
>
> ike=aes256-sha1-modp1024
> esp=aes256-sha1
>
>
>
> root at ASUS01:~# ipsec status
> Security Associations (1 up, 0 connecting):
> REMOTE-VLAN1[1]: ESTABLISHED 3 seconds ago, 100.100.100.100[100.100.100.100]...123.123.123.123[123.123.123.123]
> REMOTE-VLAN1{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ada5f39c_i a96955ba_o
> REMOTE-VLAN1{1}: 192.168.0.0/24 === 10.10.0.0/24 10.10.1.0/24 10.10.2.0/24 10.10.3.0/24 10.10.4.0/24
> root at ASUS01:~#
>
> Just by the effect of the configuration file and what is happening on
> restart, it doesn't appear I can create any other VLAN routes other than
> from the VLAN I'm currently on.
>
> How do I effectively make a site-to-site VPN configuration using
> StrongSwan between all 10 VLANs?
>
> Additionally, for the VLAN that does have a tunnel created, I can ping a
> local (left) subnet directly but not vice versa.
>
> I'm interested in the correct configuration to use first since I'm very
> new to this. If this still doesn't work, I'll post the logs from a good
> known configuration.
>
--
Thx,
TK.
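The charon log in the message above repeats the same failure pattern on several worker threads: a `[KNL] error installing route with policy A === B out`, then an `[IKE] unable to install ...` line, then either `failed to establish CHILD_SA` or `closing CHILD_SA`. When a log like this is long, it helps to reduce it to "which local/remote subnet pair failed, what part of the kernel install failed (SPD or SAD), and how the CHILD_SA ended". The parser below is an added example written for this thread, not code from strongSwan or from the poster. It groups the lines by charon thread id (the number before the `[KNL]`/`[IKE]` tag) and pairs each route error with the lines that follow it on the same thread. The sample log embedded in it is constructed to match the shape of the excerpt above; the timestamps and SPIs in it are illustrative.

```python
"""Added example: summarize strongSwan charon log failures per traffic-selector pair.

Not part of the original mailing-list thread. The log excerpt below is a
constructed sample in the same format as charon's default log lines.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log (illustrative timestamps and SPIs).
SAMPLE_LOG = """\
Jun 19 19:57:07 10[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:07 10[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:07 10[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 19:57:08 15[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 19:57:08 15[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:08 15[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:08 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 20:37:26 11[IKE] inbound CHILD_SA REMOTE-VLAN1{47} established with SPIs d60f2974_i 34a12944_o and TS 10.0.0.0/24 192.168.0.0/24 === 10.10.0.0/24 10.10.1.0/24
Jun 19 20:37:26 11[KNL] error installing route with policy 10.0.0.0/24 === 10.10.0.0/24 out
Jun 19 20:37:26 11[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 19 20:37:26 11[IKE] closing CHILD_SA REMOTE-VLAN1{4} with SPIs 28539651_i (840 bytes) e223cf04_o (840 bytes) and TS 192.168.0.0/24 === 10.10.0.0/24
"""

# "Jun 19 19:57:07 10[KNL] message": timestamp, worker thread id, log group, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$"
)
# The kernel-interface (KNL) route/policy failure names the traffic selectors involved.
ROUTE_ERR_RE = re.compile(
    r"error installing route with policy (?P<local>\S+) === (?P<remote>\S+) (?P<dir>in|out)"
)
# Follow-up IKE line that says whether the SPD (policies) or SAD (SA) install failed.
INSTALL_ERR_RE = re.compile(r"unable to install (?P<what>.+?) in kernel")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one charon log line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def failed_policies(log_text: str) -> Counter:
    """Count KNL route/policy installation failures per (local, remote, direction)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["group"] != "KNL":
            continue
        m = ROUTE_ERR_RE.search(rec["msg"])
        if m:
            counts[(m["local"], m["remote"], m["dir"])] += 1
    return counts


def failure_events(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Pair each route error with the install failure and CHILD_SA outcome that
    follow it on the same charon worker thread, in log order."""
    open_events: Dict[str, Dict[str, Optional[str]]] = {}
    events: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        thread, msg = rec["thread"], rec["msg"]
        m = ROUTE_ERR_RE.search(msg)
        if m:
            # A new failure chain starts on this thread.
            ev = {"thread": thread, "time": rec["ts"], "local": m["local"],
                  "remote": m["remote"], "dir": m["dir"], "what": None, "outcome": None}
            open_events[thread] = ev
            events.append(ev)
            continue
        ev = open_events.get(thread)
        if ev is None:
            continue  # no failure in progress on this thread; ignore the line
        m = INSTALL_ERR_RE.search(msg)
        if m:
            ev["what"] = m["what"]
        elif msg.startswith("failed to establish CHILD_SA"):
            ev["outcome"] = "failed"
            del open_events[thread]
        elif msg.startswith("closing CHILD_SA"):
            ev["outcome"] = "closed"
            del open_events[thread]
    return events


if __name__ == "__main__":
    for (local, remote, direction), n in failed_policies(SAMPLE_LOG).items():
        print(f"{n}x route/policy install failed: {local} === {remote} {direction}")
    for ev in failure_events(SAMPLE_LOG):
        print(f"thread {ev['thread']} {ev['time']}: {ev['local']} === {ev['remote']} "
              f"{ev['dir']} -> {ev['what']} -> CHILD_SA {ev['outcome']}")
```

Run against the real `charon.log` (`python3 summarize.py < /opt/tmp/charon.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the summary makes the two distinct failure kinds in the thread visible at a glance: the `10.3.0.0/24 === 10.10.0.0/24` policy never gets into the SPD, so the CHILD_SA is never established, while the rekeyed `10.0.0.0/24 === 10.10.0.0/24` SA is installed inbound but fails on the outbound SAD entry and the CHILD_SA is closed, which is consistent with the later `no matching outbound IPsec policy` message when traffic tries to leave.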