[strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.
Makarand Pradhan
MakarandPradhan at is5com.com
Thu Mar 19 19:27:48 CET 2020
Hi All,
I'm having a unique issue. The tunnel is up but packets are not routed when the version is ikev1. When I set the version to ikev2, the packets enter the tunnel as expected.
Config is as follows:
Running StrongSwan 5.8.2.
PC - Router1 - Router2 - Tunnel - Router3 - Router4 - PC
ipsec.conf:
conn m1
type=tunnel
authby=secret
auto=add
keyexchange=ikev1
ike=aes-sha-modp2048!
aggressive=no
ikelifetime=1500s
esp=aes-sha-modp2048!
lifetime=1500s
right=91.0.0.2
rightid=91.0.0.2
rightsubnet=192.168.9.0/24,192.168.51.0/24
left=91.0.0.3
leftid=91.0.0.3
leftsubnet=10.10.9.0/24,192.168.61.0/24
Tunnel is established:
sh-4.3# ipsec statusall m1
Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.1.35-rt41, ppc64):
uptime: 31 minutes, since May 21 23:18:31 2018
malloc: sbrk 2297856, mmap 0, used 270112, free 2027744
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
10.10.5.11
192.168.61.2
192.168.62.2
91.0.0.3
92.0.0.3
Connections:
m1: 91.0.0.3...91.0.0.2 IKEv1
m1: local: [91.0.0.3] uses pre-shared key authentication
m1: remote: [91.0.0.2] uses pre-shared key authentication
m1: child: 10.10.9.0/24 192.168.61.0/24 === 192.168.9.0/24 192.168.51.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
m1[6]: ESTABLISHED 13 minutes ago, 91.0.0.3[91.0.0.3]...91.0.0.2[91.0.0.2]
m1[6]: IKEv1 SPIs: fc7af259dcba362f_i b5a3f338c097adc2_r*, pre-shared key reauthentication in 45 seconds
m1[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
m1{5}: REKEYED, TUNNEL, reqid 4, expires in 6 minutes
m1{5}: 10.10.9.0/24 === 192.168.9.0/24
m1{6}: REKEYED, TUNNEL, reqid 4, expires in 13 minutes
m1{6}: 10.10.9.0/24 === 192.168.9.0/24
m1{7}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: ce0f32d4_i c769cd78_o
m1{7}: AES_CBC_128/HMAC_SHA1_96/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 3 minutes
m1{7}: 10.10.9.0/24 === 192.168.9.0/24
I see packets coming into router2:
23:50:15.205527 IP 10.10.9.3 > 192.168.9.3: ICMP echo request, id 1153, seq 1516, length 64
But don't see them routed into the tunnel.
sh-4.3# ip xfrm policy
src 10.10.9.0/24 dst 192.168.9.0/24
dir out priority 375423 ptype main
tmpl src 91.0.0.3 dst 91.0.0.2
proto esp spi 0xc769cd78 reqid 4 mode tunnel
src 192.168.9.0/24 dst 10.10.9.0/24
dir fwd priority 375423 ptype main
tmpl src 91.0.0.2 dst 91.0.0.3
proto esp reqid 4 mode tunnel
src 192.168.9.0/24 dst 10.10.9.0/24
dir in priority 375423 ptype main
tmpl src 91.0.0.2 dst 91.0.0.3
proto esp reqid 4 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
From the wiki I noticed a NAT command:
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
This is not making any difference.
Any pointers to resolve the issue would be highly appreciated.
Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax: +1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com
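As an added diagnostic aid (not part of the original post or of strongSwan), the script below cross-checks the conn definition against the `ip xfrm policy` output quoted above. The conn lists two subnets on each side, but the installed policies only cover the 10.10.9.0/24 <-> 192.168.9.0/24 pair, and the ping flow 10.10.9.3 -> 192.168.9.3 does fall inside the one `out` policy that exists. The sample policy text is copied from the post (socket policies trimmed to one IPv4 pair); the function names and the check itself are this example's own.

```python
"""Cross-check ipsec.conf subnets against installed XFRM policies (added example)."""
import ipaddress
import re

# Subnets from the conn m1 definition in the post.
LEFTSUBNETS = ["10.10.9.0/24", "192.168.61.0/24"]
RIGHTSUBNETS = ["192.168.9.0/24", "192.168.51.0/24"]

# `ip xfrm policy` output copied from the post, socket policies trimmed.
XFRM_POLICY_OUTPUT = """\
src 10.10.9.0/24 dst 192.168.9.0/24
dir out priority 375423 ptype main
tmpl src 91.0.0.3 dst 91.0.0.2
proto esp spi 0xc769cd78 reqid 4 mode tunnel
src 192.168.9.0/24 dst 10.10.9.0/24
dir fwd priority 375423 ptype main
tmpl src 91.0.0.2 dst 91.0.0.3
proto esp reqid 4 mode tunnel
src 192.168.9.0/24 dst 10.10.9.0/24
dir in priority 375423 ptype main
tmpl src 91.0.0.2 dst 91.0.0.3
proto esp reqid 4 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)$")
DIR_RE = re.compile(r"^(dir|socket) (\w+) priority (\d+)")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)$")
PROTO_RE = re.compile(r"^proto (\w+).*?reqid (\d+) mode (\w+)")


def parse_xfrm_policies(text):
    """Return one dict per policy: selector, direction, template and reqid."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        m = SELECTOR_RE.match(line)
        if m:  # a "src ... dst ..." line opens a new policy record
            policies.append({"src": ipaddress.ip_network(m.group(1)),
                             "dst": ipaddress.ip_network(m.group(2)),
                             "dir": None, "socket": False, "priority": None,
                             "tmpl_src": None, "tmpl_dst": None,
                             "reqid": None, "mode": None})
            continue
        if not policies:
            continue
        cur = policies[-1]
        m = DIR_RE.match(line)
        if m:  # "socket in/out" policies are per-socket bypasses, not tunnel SPs
            cur["socket"] = m.group(1) == "socket"
            cur["dir"], cur["priority"] = m.group(2), int(m.group(3))
            continue
        m = TMPL_RE.match(line)
        if m:
            cur["tmpl_src"], cur["tmpl_dst"] = m.group(1), m.group(2)
            continue
        m = PROTO_RE.match(line)
        if m:
            cur["reqid"], cur["mode"] = int(m.group(2)), m.group(3)
    return policies


def missing_policies(leftsubnets, rightsubnets, policies):
    """List (direction, left, right) pairs that have no installed tunnel policy.

    For `out` the selector is left -> right; for `in` and `fwd` it is reversed,
    matching the layout of the post's output.
    """
    installed = {(p["dir"], str(p["src"]), str(p["dst"]))
                 for p in policies if not p["socket"]}
    missing = []
    for left in leftsubnets:
        for right in rightsubnets:
            if ("out", left, right) not in installed:
                missing.append(("out", left, right))
            for direction in ("in", "fwd"):
                if (direction, right, left) not in installed:
                    missing.append((direction, left, right))
    return missing


def match_outbound(policies, src_ip, dst_ip):
    """Return the best-ranked `out` policy covering the flow, or None if the
    kernel would send the flow in clear (no SP selector matches it)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p["dir"] == "out" and not p["socket"]
            and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"], default=None)


if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY_OUTPUT)
    for d, l, r in missing_policies(LEFTSUBNETS, RIGHTSUBNETS, pols):
        print(f"no {d:3} policy for {l} <-> {r}")
    hit = match_outbound(pols, "10.10.9.3", "192.168.9.3")
    print("ping flow covered by out policy towards:", hit and hit["tmpl_dst"])
```

Run against live output (`ip xfrm policy` piped into `parse_xfrm_policies`) on each gateway after switching between ikev1 and ikev2; the missing-pair report shows which traffic selectors were actually negotiated, and a `None` from `match_outbound` for a flow that should be protected means the packet will be forwarded in clear rather than into the tunnel.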