[strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Mar 20 18:21:20 CET 2020


Please send all the data I asked for.
And especially the output of `ipsec statusall`.
strongSwan installs all required routes by default.

Am 20.03.20 um 18:17 schrieb Makarand Pradhan:
> One quick question before I send all the logs. Maybe the tunnel is working as expected. Can you pl go through the set up below to confirm that, there is indeed an issue here:
> 
> Scenario:
> PC1 - Router1 - Router2 - Tunnel - Router3 - Router4 - PC2
> PC1 IP: 10.10.9.3, Network: 10.10.9.0/24
> PC2 IP: 192.168.9.3, Network: 192.168.9.0/24
> Tunnel: Raptor2(91.0.0.3) to (91.0.0.2)Raptor3
> Tunnel is established:
>>>           m1[6]: ESTABLISHED 13 minutes ago, 91.0.0.3[91.0.0.3]...91.0.0.2[91.0.0.2]
>>>           m1{7}:   10.10.9.0/24 === 192.168.9.0/24
> Routing table on Router 2:
> root at t1024rdb:~# ip ro
> 91.0.0.0/8 dev fm1-mac1.0555  proto kernel  scope link  src 91.0.0.3 
> 192.168.9.0/24 via 91.0.0.2 dev fm1-mac1.0555 
> 
> With this the packets are encrypted as they pass the tunnel:
> 22:41:05.941919 IP 10.10.9.3 > 192.168.9.3: ICMP echo request, id 1278, seq 3, length 64
> 22:41:05.942123 IP 91.0.0.3 > 91.0.0.2: ESP(spi=0xc1442109,seq=0x3), length 132
> 22:41:05.943440 IP 91.0.0.2 > 91.0.0.3: ESP(spi=0xc468b8a2,seq=0x3), length 132
> 22:41:05.943612 IP 192.168.9.3 > 10.10.9.3: ICMP echo reply, id 1278, seq 3, length 64
> 
> Question:
> Do I need to have the route "192.168.9.0/24 via 91.0.0.2" when I am running v1? 
> With this route, the packets get encrypted.
> 
> If this is the desired behaviour then we do not have an issue.
> 
> Would appreciate if someone can confirm if v1 needs the route addition. V2 does work without the explicit route addition.
> 
> Kind rgds,
> Makarand Pradhan
> Senior Software Engineer.
> iS5 Communications Inc.
> 5895 Ambler Dr,
> Mississauga, Ontario
> L4W 5B7
> Main Line: +1-844-520-0588 Ext. 129
> Direct Line: +1-289-724-2296
> Cell: +1-226-501-5666
> Fax:+1-289-401-5206
> Email: makarandpradhan at is5com.com
> Website: www.iS5Com.com
> 
>  
> Confidentiality Notice: 
> This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.
> 
> -----Original Message-----
> From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> 
> Sent: March 20, 2020 11:23 AM
> To: Makarand Pradhan <MakarandPradhan at is5com.com>; users at lists.strongswan.org
> Subject: Re: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.
> 
> Please provide all information as shown on the HelpRequests[1] page. Then we can go onwards with finding the source of the problem.
> 
> Kind regards
> 
> Noel
> 
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
> 
> Am 20.03.20 um 16:20 schrieb Makarand Pradhan:
>> Thanks for your response Noel. I cannot go to swanctl so have to continue ipsec.conf for now.
>>
>> I changed the config to single subnet:
>>
>> conn m1
>>         type=tunnel
>>         authby=secret
>>         auto=ignore
>>         keyexchange=ikev1
>>         ike=aes128-sha-modp1536!
>>         aggressive=no    
>>         ikelifetime=1500s       
>>         esp=aes128-sha-modp1536!
>>         lifetime=1500s   
>>         right=91.0.0.3          
>>         rightid=91.0.0.3
>>         rightsubnet=10.10.9.0/24
>>         left=91.0.0.2   
>>         leftid=91.0.0.2         
>>         leftsubnet=192.168.9.0/24
>>         leftfirewall=yes
>>
>> Only one subnet. Still the same. Tunnel is up traffic does not go thru unless I add the route. Do I need any iptables configuration to get it to work? 
>>
>> Kind rgds,
>> Makarand Pradhan
>> Senior Software Engineer.
>> iS5 Communications Inc.
>> 5895 Ambler Dr,
>> Mississauga, Ontario
>> L4W 5B7
>> Main Line: +1-844-520-0588 Ext. 129
>> Direct Line: +1-289-724-2296
>> Cell: +1-226-501-5666
>> Fax:+1-289-401-5206
>> Email: makarandpradhan at is5com.com
>> Website: www.iS5Com.com
>>
>>  
>> Confidentiality Notice:
>> This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.
>>
>> -----Original Message-----
>> From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>
>> Sent: March 20, 2020 11:15 AM
>> To: Makarand Pradhan <MakarandPradhan at is5com.com>; 
>> users at lists.strongswan.org
>> Subject: Re: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.
>>
>> IKEv1 does not support several subnets per side.
>> You need to enumerate all desired combinations in seperate conns. Or just use swanctl, because ipsec is deprecated. Then the configuration is more obvious.
>>
>> Am 20.03.20 um 16:11 schrieb Makarand Pradhan:
>>> Hi All,
>>>
>>> The solution, I mentioned earlier is wrong. If I specify the routes explicitly, then the packets go through even with the tunnel down. 
>>>
>>> If the tunnel is up, the packets are encrypted. That is good.
>>>
>>> So, this issue is still unresolved. Pl do comment. Any advice would be highly appreciated.
>>>
>>> Kind rgds,
>>> Makarand Pradhan
>>> Senior Software Engineer.
>>> iS5 Communications Inc.
>>> 5895 Ambler Dr,
>>> Mississauga, Ontario
>>> L4W 5B7
>>> Main Line: +1-844-520-0588 Ext. 129
>>> Direct Line: +1-289-724-2296
>>> Cell: +1-226-501-5666
>>> Fax:+1-289-401-5206
>>> Email: makarandpradhan at is5com.com
>>> Website: www.iS5Com.com
>>>
>>>  
>>> Confidentiality Notice:
>>> This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.
>>>
>>> -----Original Message-----
>>> From: Users <users-bounces at lists.strongswan.org> On Behalf Of 
>>> Makarand Pradhan
>>> Sent: March 19, 2020 4:07 PM
>>> To: users at lists.strongswan.org
>>> Subject: Re: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.
>>>
>>> Hi All,
>>>
>>> The wiki gave me a hint. The issue was route.  For v1 the remote protected network route has to be explicitly added:
>>>
>>> For me:
>>> ip ro add 10.10.9.0/24 via 91.0.0.3
>>> ip ro add 192.168.9.0/24 via 91.0.0.2
>>>
>>> Thanks all for looking at the issue.
>>>
>>> Kind rgds,
>>> Makarand Pradhan
>>> Senior Software Engineer.
>>> iS5 Communications Inc.
>>> 5895 Ambler Dr,
>>> Mississauga, Ontario
>>> L4W 5B7
>>> Main Line: +1-844-520-0588 Ext. 129
>>> Direct Line: +1-289-724-2296
>>> Cell: +1-226-501-5666
>>> Fax:+1-289-401-5206
>>> Email: makarandpradhan at is5com.com
>>> Website: www.iS5Com.com
>>>
>>>  
>>> Confidentiality Notice:
>>> This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.
>>>
>>> -----Original Message-----
>>> From: Users <users-bounces at lists.strongswan.org> On Behalf Of 
>>> Makarand Pradhan
>>> Sent: March 19, 2020 2:28 PM
>>> To: users at lists.strongswan.org
>>> Subject: [strongSwan] ikeV1 tunnel established but packets are not routed. V2 works.
>>>
>>> Hi All,
>>>
>>> I'm having a unique issue. Tunnel is up but packets are not routed when version is ikev1. When I set the version to ikev2, then packets enter the tunnel as expected.
>>>
>>> Config is as follows:
>>>
>>> Running StrongSwan 5.8.2.
>>>
>>> PC - Router1 - Router2 - Tunnel - Router3 - Router4 - PC
>>>
>>> Ipsec.conf:
>>> conn m1
>>>         type=tunnel
>>>         authby=secret
>>>         auto=add
>>>         keyexchange=ikev1
>>>         ike=aes-sha-modp2048!
>>>         aggressive=no
>>>         ikelifetime=1500s
>>>         esp=aes-sha-modp2048!
>>>         lifetime=1500s
>>>         right=91.0.0.2
>>>         rightid=91.0.0.2
>>>         rightsubnet=192.168.9.0/24,192.168.51.0/24
>>>         left=91.0.0.3
>>>         leftid=91.0.0.3
>>>         leftsubnet=10.10.9.0/24,192.168.61.0/24
>>>
>>> Tunnel is established:
>>> sh-4.3# ipsec statusall m1
>>> Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.1.35-rt41, ppc64):
>>>   uptime: 31 minutes, since May 21 23:18:31 2018
>>>   malloc: sbrk 2297856, mmap 0, used 270112, free 2027744
>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
>>>   loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters Listening IP addresses:
>>>   10.10.5.11
>>>   192.168.61.2
>>>   192.168.62.2
>>>   91.0.0.3
>>>   92.0.0.3
>>> Connections:
>>>           m1:  91.0.0.3...91.0.0.2  IKEv1
>>>           m1:   local:  [91.0.0.3] uses pre-shared key authentication
>>>           m1:   remote: [91.0.0.2] uses pre-shared key authentication
>>>           m1:   child:  10.10.9.0/24 192.168.61.0/24 === 192.168.9.0/24 192.168.51.0/24 TUNNEL
>>> Security Associations (1 up, 0 connecting):
>>>           m1[6]: ESTABLISHED 13 minutes ago, 91.0.0.3[91.0.0.3]...91.0.0.2[91.0.0.2]
>>>           m1[6]: IKEv1 SPIs: fc7af259dcba362f_i b5a3f338c097adc2_r*, pre-shared key reauthentication in 45 seconds
>>>           m1[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>>           m1{5}:  REKEYED, TUNNEL, reqid 4, expires in 6 minutes
>>>           m1{5}:   10.10.9.0/24 === 192.168.9.0/24
>>>           m1{6}:  REKEYED, TUNNEL, reqid 4, expires in 13 minutes
>>>           m1{6}:   10.10.9.0/24 === 192.168.9.0/24
>>>           m1{7}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: ce0f32d4_i c769cd78_o
>>>           m1{7}:  AES_CBC_128/HMAC_SHA1_96/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 3 minutes
>>>           m1{7}:   10.10.9.0/24 === 192.168.9.0/24
>>>
>>> I see packets coming into router2:
>>> 23:50:15.205527 IP 10.10.9.3 > 192.168.9.3: ICMP echo request, id 1153, seq 1516, length 64 But don't see them routed into the tunnel.
>>>
>>> sh-4.3# ip xfrm policy
>>> src 10.10.9.0/24 dst 192.168.9.0/24
>>>         dir out priority 375423 ptype main
>>>         tmpl src 91.0.0.3 dst 91.0.0.2
>>>                 proto esp spi 0xc769cd78 reqid 4 mode tunnel src 192.168.9.0/24 dst 10.10.9.0/24
>>>         dir fwd priority 375423 ptype main
>>>         tmpl src 91.0.0.2 dst 91.0.0.3
>>>                 proto esp reqid 4 mode tunnel src 192.168.9.0/24 dst 10.10.9.0/24
>>>         dir in priority 375423 ptype main
>>>         tmpl src 91.0.0.2 dst 91.0.0.3
>>>                 proto esp reqid 4 mode tunnel src 0.0.0.0/0 dst 0.0.0.0/0
>>>         socket in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0
>>>         socket out priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0
>>>         socket in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0
>>>         socket out priority 0 ptype main src ::/0 dst ::/0
>>>         socket in priority 0 ptype main src ::/0 dst ::/0
>>>         socket out priority 0 ptype main src ::/0 dst ::/0
>>>         socket in priority 0 ptype main src ::/0 dst ::/0
>>>         socket out priority 0 ptype main
>>>
>>> From the wiki noticed a NAT command:
>>> iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j 
>>> ACCEPT
>>>
>>> This is not making any difference.
>>>
>>> Any pointers to resolve the issue would be highly appreciated.
>>>
>>>
>>> Kind rgds,
>>> Makarand Pradhan
>>> Senior Software Engineer.
>>> iS5 Communications Inc.
>>> 5895 Ambler Dr,
>>> Mississauga, Ontario
>>> L4W 5B7
>>> Main Line: +1-844-520-0588 Ext. 129
>>> Direct Line: +1-289-724-2296
>>> Cell: +1-226-501-5666
>>> Fax:+1-289-401-5206
>>> Email: makarandpradhan at is5com.com
>>> Website: www.iS5Com.com
>>>
>>>  
>>> Confidentiality Notice:
>>> This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.
>>>
>>
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200320/f3b4bcb4/attachment.sig>


More information about the Users mailing list