[strongSwan] traffic beyond initiator yes, but no between initiator & server
lejeczek
peljasz at yahoo.co.uk
Thu Nov 5 21:46:32 CET 2020
On 05/11/2020 17:19, Noel Kuntze wrote:
> Hello Lejeczek,
>
> kernel-libipsec (which is required to be loaded for libipsec to be usable) creates a tun interface itself. You can not prescribe it to use one.
I do not see, on the server or on the initiator, any tun devices created, unless an 'ipsec0' is one such iface. It's the only iface I see made by strongswan's libipsec.
>
>> mode = pass
I've tried all modes available.
> That disables all IPsec processing for traffic that matches the policies. You probably don't want to do that.
>
>> 1) Obvious - how to make it work?
> Completely different from what you configured. Just use a normal roadwarrior config.
If I do not have an iface on the server with 10.3.9.0/24, then roadwarrior fails with:
...
[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
[IKE] failed to establish CHILD_SA, keeping IKE_SA
initiate failed: establishing CHILD_SA 'to-tinyionos' failed
Maybe I should add, in case there is something very different there, that I'm on CentOS 8 and the libipsec I mention is:
strongswan-libipsec-5.8.2-5.el8.x86_64
What is not 'normal' in my roadwarrior config?
many thanks, L.
>
> Kind regards
>
> Noel
>
> On 05.11.20 at 17:45, lejeczek wrote:
>> Hi guys
>>
>> To start I should say I'm trying this with libipsec.
>>
>> I have an initiator with local 10.3.1.0/24 and the following
>> config:
>>
>> connections {
>>     to-tinyionos {
>>         version = 2
>>         remote_addrs = "A.B.C.D"
>>         vips = "0.0.0.0"
>>         local {
>>             auth = pubkey
>>             certs = "my.cert.der"
>>         }
>>         remote {
>>             certs = "server.cert.der"
>>         }
>>         children {
>>             to-tinyionos {
>>                 mark_in = %unique
>>                 mark_out = %unique
>>                 remote_ts = "10.3.9.0/24"
>>                 local_ts = "10.3.1.0/24"
>>                 #mode = "tunnel"
>>                 mode = pass
>>             }
>>         }
>>     }
>> }
>>
>> and there I have a server with a tun iface:
>>
>> 17: forswan: <NO-CARRIER,POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 500
>>     link/none
>>     inet 10.3.9.1/24 brd 10.3.9.255 scope global noprefixroute forswan
>>        valid_lft forever preferred_lft forever
>>
>> and server config, connection part:
>>
>> fenbox {
>>     version = 2
>>     pools = "myclient"
>>     vips = "0.0.0.0"
>>     remote {
>>         auth = "pubkey"
>>         id = "O=client, CN=tiny.client"
>>     }
>>     children {
>>         fenbox {
>>             mark_in = %unique
>>             mark_out = %unique
>>             local_ts = "10.3.9.0/24"
>>             remote_ts = "10.3.1.0/24"
>>             #mode = transport
>>             #mode = "tunnel"
>>             mode = pass
>>         }
>>     }
>> }
>>
>>
>> What I'd like to get, which for some reason I'm not, is:
>> - to access IPs of the 10.3.9.0/24 subnet.
>> From the server I can get to initiator's 10.3.1.0/24, but
>> the server with 10.3.9.1 on tun iface cannot get to
>> initiator's assigned 10.3.9.254.
>> I have two questions:
>> 1) Obvious - how to make it work?
>> 2) I notice that the initiator gets an IP: 10.3.9.254/32 - is
>> this that subnet because of how libipsec works, and if yes, then
>> can it be controlled and changed?
>>
>> many thanks, L.
>>
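As an added illustration of the "normal roadwarrior config" Noel points to (this is not configuration from the thread or from the strongSwan project; the connection, pool and certificate names and A.B.C.D are carried over from the thread as placeholders), a swanctl.conf pair with mode = tunnel, no marks, and the initiator's local_ts left at the assigned virtual IP:

```conf
# Responder (server) side of swanctl.conf; added example, not the thread's config.
# The local section is omitted, so the server's certificate and key are loaded
# from the swanctl directories, as in the thread's server config.
connections {
    fenbox {
        version = 2
        pools = myclient          # hands the initiator a virtual IP from the pool below
        remote {
            auth = pubkey
            id = "O=client, CN=tiny.client"
        }
        children {
            fenbox {
                local_ts = 10.3.9.0/24    # what the client may reach behind the server
                # remote_ts is left at its default, so it is narrowed to the assigned
                # virtual IP; no marks, and mode = tunnel keeps IPsec on (pass disables it)
                mode = tunnel
            }
        }
    }
}
pools {
    myclient {
        addrs = 10.3.9.0/24       # same subnet as the server's 10.3.9.1/24 tun interface
    }
}
# Initiator (client) side of swanctl.conf
connections {
    to-tinyionos {
        version = 2
        remote_addrs = A.B.C.D    # placeholder for the server's public address
        vips = 0.0.0.0            # request an IPv4 virtual address
        local {
            auth = pubkey
            certs = my.cert.der
        }
        remote {
            certs = server.cert.der
        }
        children {
            to-tinyionos {
                remote_ts = 10.3.9.0/24
                # local_ts is left at its default, the assigned virtual IP, rather than
                # being fixed to 10.3.1.0/24, which does not contain that virtual IP
                mode = tunnel
            }
        }
    }
}
```

With the pool drawn from the same 10.3.9.0/24 that the server's tun interface sits in, the assigned address is reachable from the server through that interface rather than through a separately configured subnet.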