[strongSwan] StrongSwan w/ multiple local subnets.

TomK tomkcpr at mdevsys.com
Wed Jun 24 15:00:35 CEST 2020


On 6/24/2020 5:48 AM, Tobias Brunner wrote:
> Hi Tom,
> 
>> This is a DD-WRT router. It uses a pre-built kernel, so I might not have
>> much option in customizing it.  But I tried removing it.
> 
> kernel-libipsec is a userland IPsec implementation (read the wiki page),
> it has nothing to do with the kernel (except that it has to be able to
> create TUN devices).
> 
> However, to use the kernel's IPsec stack, it is missing an important module:
> 
>> Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] unable to create
>> netlink socket: Protocol not supported (93)
>> Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] could not open
>> socket: Address family not supported by protocol
>> Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] could not open IPv6
>> socket, IPv6 disabled
>> Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] installing IKE bypass
>> policy failed
>> Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] installing IKE bypass
>> policy failed
>> Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] enabling UDP
>> decapsulation for IPv4 on port 4500 failed
>> Jun 22 08:12:15 DD-WRT daemon.info charon: 00[LIB] feature
>> CUSTOM:libcharon in critical plugin 'charon' has unmet dependency:
>> CUSTOM:kernel-ipsec
> 
>> Interestingly, what I do have is:
> 
> What you are definitely missing is xfrm_user, which is required for the
> daemon to communicate with the kernel.  Without that module all the
> others are pretty much useless, so no idea why your kernel is configured
> like that.

May I ask which exact line above told you I'm missing xfrm_user?  The 
ones that start with CUSTOM?

I have a post up to try and get one compiled in.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1208983#1208983

This is DD-WRT, so it's a minimized router kernel. I was as surprised as 
the next guy to learn that module isn't available. Since I'm trying to get 
the remote VLANs mapped over to my VLANs here, this router is the best 
spot to do that from.

> 
>> I no longer have to run:
>>
>> ip route add 10.10.0.0/24 dev ipsec0
>>
>> for packets to show up on ipsec0:
> 
> As I mentioned, strongSwan installs a route automatically if there is a
> local IP in the local traffic selector.  You can see those in table 220.
> 
>> root at DD-WRT:~# tcpdump -i ipsec0 -s 0 -n
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on ipsec0, link-type RAW (Raw IP), snapshot length 262144 bytes
>> 08:44:28.318516 IP 100.100.100.100  > 10.10.0.4: ICMP echo request, id
>> 36426, seq 0, length 64
>> 08:44:29.325741 IP 100.100.100.100  > 10.10.0.4: ICMP echo request, id
>> 36426, seq 1, length 64
>>
>> but not anymore.
> 
> No you won't as these packets don't match the negotiated traffic
> selectors.  The local TS is 192.168.0.0/24, which obviously doesn't
> match 100.100.100.100 so libipsec will drop the packet.   If there was a
> route in table 220 it should list a source IP in the local traffic
> selector, so it's interesting that a different source IP was selected -
> or was that IP forced somehow?

I tinkered around with this at some point.  I had it originating from 
192.168.0.6 > 10.10.0.4 but same results.  Based on what you wrote, 
unless I get xfrm_user module installed, this won't work regardless of 
what source IP it's coming from?  Here's what I had earlier and retried 
just now:

iptables -t nat -I POSTROUTING -d 10.10.0.0/24 -j SNAT --to $(nvram get lan_ipaddr)

This resulted in:

# tcpdump -i ipsec0 -s 0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type RAW (Raw IP), snapshot length 262144 bytes
08:48:19.481357 IP 192.168.0.6 > 10.10.0.4: ICMP echo request, id 61506, seq 3, length 64
08:48:20.490676 IP 192.168.0.6 > 10.10.0.4: ICMP echo request, id 61506, seq 4, length 64
08:48:21.500060 IP 192.168.0.6 > 10.10.0.4: ICMP echo request, id 61506, seq 5, length 64
08:48:22.509503 IP 192.168.0.6 > 10.10.0.4: ICMP echo request, id 61506, seq 6, length 64

instead of originating from the WAN IP. No reply, of course.  My routes:

root at DD-WRT:~# ip route
default via 100.100.100.50 dev vlan2
10.0.0.0/24 via 192.168.0.1 dev br0  metric 20
10.1.0.0/24 via 192.168.0.1 dev br0  metric 20
10.1.1.0/24 dev tun2 scope link  src 10.1.1.1
10.2.0.0/24 via 192.168.0.1 dev br0  metric 20
10.3.0.0/24 via 192.168.0.1 dev br0  metric 20
100.100.100.50/27 dev vlan2 scope link  src 100.100.100.100
127.0.0.0/8 dev lo scope link
192.168.0.0/24 dev br0 scope link  src 192.168.0.6
192.168.45.0/24 dev wl0.1 scope link  src 192.168.45.1
192.168.75.0/24 dev wl1.1 scope link  src 192.168.75.1


> 
>> Still
>> looking at Brian's recommendations however:
>>
>> root at DD-WRT:~# ip link add xfrm0 type xfrm dev ipsec0 if_id 42
>> ip: RTNETLINK answers: Not supported
>> root at DD-WRT:~# ip link add vti0 type vti dev ipsec0 if_id 42
>> ip: RTNETLINK answers: Not supported
>> root at DD-WRT:~#
>>
>> Trying GRE but:
>>
>> root at DD-WRT:~# ip tunnel add ipsec01 local 100.100.100.100 remote
>> 123.123.123.123 mode gre
>> ip: ioctl 0x89f1 failed: No such device
>> root at DD-WRT:~#
> 
> None of these will work without kernel IPsec support (and XFRM
> interfaces are only available in 4.19+ kernels anyway).  But they should
> also not be necessary for simple site-to-site tunnels.

So just the xfrm_user module is needed by StrongSwan / IPSec then?

> 
> Regards,
> Tobias
> 


-- 
Thx,
TK.
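Added example (not part of Tom's or Tobias's messages, and not strongSwan code): the question in this thread is which of the quoted charon lines points at the missing xfrm_user module. The script below reads the quoted log lines (copied from the thread and embedded here as constructed sample input), singles out the `[KNL] unable to create netlink socket: Protocol not supported (93)` line as the root cause (errno 93 is EPROTONOSUPPORT on Linux, which is what the kernel returns when the NETLINK_XFRM family that xfrm_user provides is not present), and marks the later bypass-policy, UDP-decapsulation and `kernel-ipsec` dependency messages as consequences. It also probes the running kernel directly by trying to open a NETLINK_XFRM socket, so the same check can be run on the router without starting charon. The constant `NETLINK_XFRM = 6` is taken from linux/netlink.h; the function names are this example's own.

```python
"""Diagnose why charon could not talk to the kernel IPsec stack, and probe
NETLINK_XFRM directly.  Example code, not from the mailing-list thread."""
import errno
import re
import socket

NETLINK_XFRM = 6           # netlink family served by xfrm_user (linux/netlink.h)
LINUX_EPROTONOSUPPORT = 93  # the "(93)" in the quoted charon line

# Constructed sample input: the charon lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] unable to create netlink socket: Protocol not supported (93)
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] could not open socket: Address family not supported by protocol
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] could not open IPv6 socket, IPv6 disabled
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] installing IKE bypass policy failed
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] installing IKE bypass policy failed
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:kernel-ipsec
"""

# "charon: 00[KNL] message" -> log group and message text
LINE_RE = re.compile(r"charon: \d+\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
ERRNO_RE = re.compile(r"\((\d+)\)\s*$")

# Messages that only follow from the kernel-ipsec backend being unavailable.
CONSEQUENCE_MARKERS = (
    "installing IKE bypass policy failed",
    "enabling UDP decapsulation",
    "unmet dependency: CUSTOM:kernel-ipsec",
)


def diagnose_charon_log(text):
    """Return {'root_cause': {...} or None, 'consequences': [msg, ...]}.

    The root cause is the [KNL] line where the kernel refused a netlink
    socket with "Protocol not supported": the kernel has no NETLINK_XFRM
    family, i.e. xfrm_user is not built in or loaded.
    """
    root = None
    consequences = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        group, msg = m.group("group"), m.group("msg")
        if (group == "KNL" and "unable to create netlink socket" in msg
                and "Protocol not supported" in msg):
            num = ERRNO_RE.search(msg)
            root = {
                "line": line,
                "errno": int(num.group(1)) if num else None,
                "missing": "xfrm_user",
            }
        elif any(marker in msg for marker in CONSEQUENCE_MARKERS):
            consequences.append(msg)
    return {"root_cause": root, "consequences": consequences}


def probe_netlink_xfrm():
    """Try to open a NETLINK_XFRM socket on this host.

    'ok'         - the kernel exposes the xfrm netlink family
    'missing'    - EPROTONOSUPPORT: no xfrm_user, same failure charon logged
    'denied'     - EPERM/EACCES (sandbox or unprivileged restriction)
    'other'      - some other errno
    'no-netlink' - this Python build has no AF_NETLINK (not Linux)
    """
    af = getattr(socket, "AF_NETLINK", None)
    if af is None:
        return "no-netlink"
    try:
        s = socket.socket(af, socket.SOCK_RAW, NETLINK_XFRM)
    except OSError as e:
        if e.errno == errno.EPROTONOSUPPORT:
            return "missing"
        if e.errno in (errno.EPERM, errno.EACCES):
            return "denied"
        return "other"
    s.close()
    return "ok"


if __name__ == "__main__":
    result = diagnose_charon_log(SAMPLE_LOG)
    root = result["root_cause"]
    if root:
        print("root cause (errno %s): %s" % (root["errno"], root["line"]))
        print("missing kernel facility:", root["missing"])
    for msg in result["consequences"]:
        print("follows from it:", msg)
    print("live NETLINK_XFRM probe on this host:", probe_netlink_xfrm())
```

On the DD-WRT box the live probe should report `missing`, matching the charon line; on a kernel with xfrm_user it reports `ok` even as an unprivileged user, since merely opening the socket needs no capability. The `[NET] could not open socket` lines are left unclassified on purpose: they come from the socket plugin, not from the netlink/xfrm path, and the thread does not explain them.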

