[strongSwan] StrongSwan w/ multiple local subnets.
TomK
tomkcpr at mdevsys.com
Sat Jun 27 00:36:12 CEST 2020
On 6/26/2020 10:04 AM, TomK wrote:
> On 6/24/2020 10:40 AM, TomK wrote:
>> On 6/24/2020 9:19 AM, Tobias Brunner wrote:
>>> Hi Tom,
>>>
>>>> May I ask which exact line above told you I'm missing sfrm_user? The
>>>> ones that start with CUSTOM?
>>>
>>> Yes, the first one is logged after the kernel-netlink plugin failed to
>>> open a Netlink/XFRM socket, plus it is obviously missing in the module
>>> lists you posted after that.
>>
>> Kool
>>
>>>
>>>> This is DD-WRT so it's a minimized router kernel. I was surprised as
>>>> the
>>>> next guy learning that module isn't available.
>>>
>>> Yeah, makes not much sense to enable the other IPsec-related modules
>>> without a means to actually use them. But why did you use the 2.6.23
>>> kernel sources to build the missing module if your router uses a 4.4.190
>>> kernel?
>>
>> Was questioning my sanity around that as well but initially only found
>> the wiki page for 2.6.33. The SVN appeared a bit messy to me,
>> probably because I'm not familiar with it yet, so wasn't sure if they
>> just reused the folder name or if it was truly for Linux 2.6.33. And
>> couldn't find the Linux 4.4's at the time until I rummaged through the
>> SVN the next day.
>>
>> Look further down on the post. I've tried the Linux 4.4 branch but
>> couldn't get that to work. There's some missing Makefiles.
>>
>>>
>>>> I tinkered around with this at some point. I had it originating from
>>>> 192.168.0.6 > 10.10.0.4 but same results. Based on what you wrote,
>>>> unless I get xfrm_user module installed, this won't work regardless of
>>>> what source IP it's coming from?
>>>
>>> No, that's unrelated. You need that module to use the IPsec stack in
>>> the kernel (i.e. to run without kernel-libipsec or ipsec0 interface).
>>> The whole point of the userland IPsec stack is that it bypasses the
>>> kernel and can run with reduced privileges (e.g. on Android where apps
>>> can create TUN devices via VpnService API but can't access the kernel's
>>> IPsec stack via Netlink/XFRM).
>>>
>>>> instead of originating from the WAN IP. No reply of course. My routes
>>>
>>> Are ESP packets sent? If yes, are any returned? If not, then this
>>> seems to be an issue on the other end. So try to follow the traffic
>>> there.
>>
>> That is what I'm not sure about. Between StrongSwan (SSW) and Azure
>> VPN Gateway, I'm not able to find which one it is. I've set up a
>> packet trace from the Azure VPN Gateway but the only option it gave me
>> as a target was against one of the Azure VMs. Not between Azure VPN
>> Gateway and the on-prem gateway.
>>
>> So in the least I was hoping to confirm if everything was sent
>> correctly from SSW then I'll be more sure that the issue is really
>> with Azure VPN Gateway blocking traffic.
>>
>> What I do know is that I can ping from the Azure VMs back down to my
>> on-prem VLAN (192.168.0.X/24) but NOT FROM my router that's running
>> SSW. In other words, traffic flows only one way. Down.
>>
>> So to me this looked like an issue where:
>>
>> 1) Like you said, ESP packets are not getting sent properly from SSW
>> to Azure VPN Gateway. (How do I confirm this with 100% certainty?
>> What should I look for to determine if there are any dropped packets on
>> my on-prem F/W that's on this router?)
>>
>> 2) The Azure VPN Gateway is blocking on-prem to itself. I've made
>> sure the F/W on the Azure side is not an issue.
>>
>>
>>
>>>
>>>> root@DD-WRT:~# ip route
>>>
>>> Again, strongSwan installs its routes in table 220, that is, use `ip
>>> route show table 220` (or `all`).
>>
>> root@DD-WRT:~# ip route show table all
>> default via 100.100.100.50 dev vlan2
>> 10.0.0.0/24 via 192.168.0.1 dev br0 metric 20
>> 10.1.0.0/24 via 192.168.0.1 dev br0 metric 20
>> 10.1.1.0/24 dev tun2 scope link src 10.1.1.1
>> 10.2.0.0/24 via 192.168.0.1 dev br0 metric 20
>> 10.3.0.0/24 via 192.168.0.1 dev br0 metric 20
>> 100.100.100.75/27 dev vlan2 scope link src 100.100.100.100
>> 127.0.0.0/8 dev lo scope link
>> 192.168.0.0/24 dev br0 scope link src 192.168.0.6
>> 192.168.45.0/24 dev wl0.1 scope link src 192.168.45.1
>> 192.168.75.0/24 dev wl1.1 scope link src 192.168.75.1
>> broadcast 10.1.1.0 dev tun2 table local scope link src 10.1.1.1
>> local 10.1.1.1 dev tun2 table local scope host src 10.1.1.1
>> broadcast 10.1.1.255 dev tun2 table local scope link src 10.1.1.1
>> broadcast 100.100.100.75 dev vlan2 table local scope link src 100.100.100.100
>> local 100.100.100.100 dev vlan2 table local scope host src 100.100.100.100
>> broadcast 100.100.100.25 dev vlan2 table local scope link src 100.100.100.100
>> broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
>> local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
>> local 127.0.0.1 dev lo table local scope host src 127.0.0.1
>> broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
>> broadcast 192.168.0.0 dev br0 table local scope link src 192.168.0.6
>> local 192.168.0.6 dev br0 table local scope host src 192.168.0.6
>> broadcast 192.168.0.255 dev br0 table local scope link src 192.168.0.6
>> broadcast 192.168.45.0 dev wl0.1 table local scope link src 192.168.45.1
>> local 192.168.45.1 dev wl0.1 table local scope host src 192.168.45.1
>> broadcast 192.168.45.255 dev wl0.1 table local scope link src 192.168.45.1
>> broadcast 192.168.75.0 dev wl1.1 table local scope link src 192.168.75.1
>> local 192.168.75.1 dev wl1.1 table local scope host src 192.168.75.1
>> broadcast 192.168.75.255 dev wl1.1 table local scope link src 192.168.75.1
>> root@DD-WRT:~#
>>
>>
>> root@DD-WRT:~# ip route show table 220
>> root@DD-WRT:~#
>>
>>
>> (Redacted the IP, hence why you see 100.100.100.X for the ISP GW)
>>
>>>
>>> Regards,
>>> Tobias
>>>
>>
>>
>
> What are the dependencies of all these modules listed here? I'm close
> and was able to load quite a few:
>
> https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1209261#1209261
>
> https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>
> but xfrm_user.ko doesn't insert and suspecting due to missing dependencies:
>
> root@DD-WRT:/opt/xfrm4# lsmod
> Module Size Used by
> tunnel6 1691 0
> xfrm4_mode_tunnel 1354 0
> xfrm4_mode_transport 778 0
> xfrm4_mode_beet 1418 0
> ah4 4540 0
> esp4 5175 0
> xfrm_ipcomp 2853 0
> xfrm4_tunnel 1368 0
> xfrm_algo 3645 3 ah4,esp4,xfrm_ipcomp
> ip_tunnel 10496 0
> tunnel4 1692 1 xfrm4_tunnel
> ext4 319105 1
> jbd2 50250 1 ext4
> mbcache 7009 1 ext4
> crc16 1060 1 ext4
> vhci_hcd 12705 0
> usbip_host 12201 0
> usbip_core 4593 2 vhci_hcd,usbip_host
> usblp 8913 0
> usb_storage 37587 1
> sr_mod 11005 0
> cdrom 24153 1 sr_mod
> sd_mod 24627 1
> scsi_mod 83966 3 usb_storage,sr_mod,sd_mod
> xhci_plat_hcd 2116 0
> xhci_pci 2632 0
> xhci_hcd 84444 2 xhci_plat_hcd,xhci_pci
> ohci_pci 2157 0
> ohci_hcd 23292 1 ohci_pci
> ehci_pci 2829 0
> ehci_hcd 33905 1 ehci_pci
> usbcore 127988 12 vhci_hcd,usbip_host,usblp,usb_storage,xhci_plat_hcd,xhci_pci,xhci_hcd,ohci_pci,ohci_hcd,ehci_pci,ehci_hcd
> usb_common 1589 2 vhci_hcd,usbcore
> ip6_tables 9261 0
> xt_ndpi 344541 0
> tun 15569 4
> fast_classifier 138897 0
> jffs2 92216 1
> lzo_decompress 1764 0
> lzo_compress 1828 0
> lzma_decompress 8228 1 jffs2
> lzma_compress 23664 1 jffs2
> wl 4384906 0
> switch_robo 13611 0
> switch_core 5449 1 switch_robo
> et 42648 0
> root@DD-WRT:/opt/xfrm4#
>
>
> All others insert just fine as long as they are added in a specific
> sequence:
>
>
> root@DD-WRT:/opt/xfrm4# for mods in $(echo tunnel4.ko ip_tunnel.ko xfrm_algo.ko xfrm4_tunnel.ko xfrm_ipcomp.ko esp4.ko ah4.ko xfrm4_mode_beet.ko xfrm4_mode_beet.ko xfrm4_mode_transport.ko xfrm4_mode_tunnel.ko xfrm_user.ko); do insmod $mods; done
> insmod: cannot insert 'tunnel4.ko': File exists
> insmod: cannot insert 'ip_tunnel.ko': File exists
> insmod: cannot insert 'xfrm_algo.ko': File exists
> insmod: cannot insert 'xfrm4_tunnel.ko': File exists
> insmod: cannot insert 'xfrm_ipcomp.ko': File exists
> insmod: cannot insert 'esp4.ko': File exists
> insmod: cannot insert 'ah4.ko': File exists
> insmod: cannot insert 'xfrm4_mode_beet.ko': File exists
> insmod: cannot insert 'xfrm4_mode_beet.ko': File exists
> insmod: cannot insert 'xfrm4_mode_transport.ko': File exists
> insmod: cannot insert 'xfrm4_mode_tunnel.ko': File exists
> insmod: cannot insert 'xfrm_user.ko': unknown symbol in module
> root@DD-WRT:/opt/xfrm4#
>
>
> root@DD-WRT:/opt/xfrm4# strings xfrm_user.ko|grep -Ei depends
> depends=xfrm_algo
> root@DD-WRT:/opt/xfrm4# insmod xfrm_algo.ko
> insmod: cannot insert 'xfrm_algo.ko': File exists
> root@DD-WRT:/opt/xfrm4# lsmod|grep xfrm_algo
> xfrm_algo 3645 3 ah4,esp4,xfrm_ipcomp
> root@DD-WRT:/opt/xfrm4#
>
>
>
Is the xfrm_user.ko module used for both traffic going out and coming
back in via StrongSwan / IPsec?
--
Thx,
TK.
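The thread shows xfrm_user.ko failing with "unknown symbol in module" even though its only declared dependency (xfrm_algo) is loaded. The helper below is an added example, not something posted in the thread or shipped by strongSwan or DD-WRT: it computes a load order from `depends=` records, checks a module's `vermagic=` against the running kernel release, and lists undefined symbols the kernel does not provide. All inputs here are constructed strings standing in for the output of `strings MOD.ko | grep -E '^(depends|vermagic)='` on the router and of `nm -u MOD.ko` plus `awk '{print $3}' /proc/kallsyms` on the build host.

```shell
#!/bin/sh
# Constructed "name:dep1,dep2" records (deps taken from the thread's lsmod
# "Used by" column where known, empty otherwise), deliberately in a bad order.
MODINFO="xfrm_user:xfrm_algo esp4:xfrm_algo ah4:xfrm_algo xfrm_ipcomp:xfrm_algo
xfrm4_tunnel:tunnel4 xfrm4_mode_tunnel: xfrm4_mode_transport: xfrm4_mode_beet:
xfrm_algo: ip_tunnel: tunnel4:"

# Print an insmod order in which every module follows its declared dependencies;
# fail if some dependency is never satisfiable (cycle or module not in the set).
insert_order() {
  list=$1; placed=""
  while [ -n "$list" ]; do
    progress=0; rest=""
    for entry in $list; do
      name=${entry%%:*}; deps=$(echo "${entry#*:}" | tr ',' ' ')
      ok=1
      for d in $deps; do
        case " $placed " in *" $d "*) ;; *) ok=0 ;; esac
      done
      if [ "$ok" = 1 ]; then placed="$placed $name"; progress=1
      else rest="$rest $entry"; fi
    done
    if [ "$progress" = 0 ]; then
      echo "unresolvable dependencies:$rest" >&2; return 1
    fi
    list=$rest
  done
  echo $placed
}

# vermagic_ok VERMAGIC_LINE KERNEL_RELEASE: a .ko built from other kernel
# sources (e.g. a 2.6.33 tree for a 4.4.190 kernel) is rejected on this
# check before any symbol resolution happens.
vermagic_ok() {
  v=${1#vermagic=}; [ "${v%% *}" = "$2" ]
}

# missing_syms NEEDED EXPORTED: undefined symbols of the module that the
# running kernel does not list. kallsyms also contains non-exported symbols,
# so a symbol missing here is conclusive, a symbol present is not.
missing_syms() {
  out=""
  for s in $1; do
    case " $2 " in *" $s "*) ;; *) out="$out $s" ;; esac
  done
  echo $out
}

insert_order "$MODINFO"
vermagic_ok "vermagic=2.6.33 SMP mod_unload" "4.4.190" || echo "vermagic mismatch"
```

If the order, vermagic and symbol checks all pass and insmod still fails, the kernel log (`dmesg`) names the exact unresolved symbol, which points at the module that should have exported it.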