[strongSwan] Why no entries in route table 220
Leroy Tennison
leroy at datavoiceint.com
Thu Oct 8 19:40:35 CEST 2020
We're on Strongswan 5.3.5 on Ubuntu 16.04 (kernel 4.0-171-generic). I've searched the web and found very little references to table 220 issues but, after "ipsec start", "ipsec statusall" shows the connection (as does ip xfrm policy and ip xfrm state) and table 220 is empty. This is the first time this has happened to me (admittedly, only two other IPSec setups using Strongswan). Below are the configuration files (except ipsec.secrets which has one uncommented line in the form: 67.nnn.nnn.nnn : PSK <pre-shared key obfuscated>) with IP addresses and conn names (but nothing else) obfuscated. What am I doing wrong? Any further debugging steps I can take? Anything else you need to know? Thanks for your help.
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
# Sample VPN connections
conn %default
authby=psk
auto=start
dpdaction=restart
dpddelay=30s
esp=aes256-sha256-ecp384
ike=aes256-sha256-ecp384
keyexchange=ikev2
left=67.nnn.nnn.nnn
leftauth=psk
leftfirewall=yes
lifetime=3h
# mark=77 tested with vti - didn't help
right=64.mmm.mmm.mmm
rightauth=psk
# See strongswan.conf for retransmission settings
conn Rock-Roll-aaa-qqq
leftsubnet=10.xxx.aaa.0/24
rightsubnet=10.64.qqq.0/24
conn Rock-Roll-bbb-qqq
leftsubnet=10.xxx.bbb.0/24
rightsubnet=10.64.qqq.0/24
conn Rock-Roll-ccc-qqq
leftsubnet=10.xxx.ccc.0/24
rightsubnet=10.64.qqq.0/24
conn Rock-Roll-aaa-rrr
leftsubnet=10.xxx.aaa.0/24
rightsubnet=10.64.rrr.0/24
conn Rock-Roll-bbb-rrr
leftsubnet=10.xxx.bbb.0/24
rightsubnet=10.64.rrr.0/24
conn Rock-Roll-ccc-rrr
leftsubnet=10.xxx.ccc.0/24
rightsubnet=10.64.rrr.0/24
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
# charon.install_routes=0
charon.retransmit_base = 2
charon.retransmit_timeout = 5
charon.retransmit_tries = 7
}
include strongswan.d/*.conf
ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-171-generic, i686):
uptime: 13 seconds, since Oct 08 12:07:47 2020
malloc: sbrk 1310720, mmap 0, used 305896, free 1004824
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
192.168.eee.fff
67.nnn.nnn.nnn
10.xxx.ddd.www
10.xxx.ddd.ttt
10.xxx.bbb.www
10.xxx.bbb.ttt
10.xxx.eee.www
10.xxx.eee.ttt
192.168.ppp.ttt
10.xxx.aaa.uuu
66.lll.mmm.vvv
Connections:
Rock-Roll-aaa-qqq: 67.nnn.nnn.nnn...64.mmm.mmm.mmm IKEv2, dpddelay=30s
Rock-Roll-aaa-qqq: local: [67.nnn.nnn.nnn] uses pre-shared key authentication
Rock-Roll-aaa-qqq: remote: [64.mmm.mmm.mmm] uses pre-shared key authentication
Rock-Roll-aaa-qqq: child: 10.xxx.aaa.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart
Rock-Roll-bbb-qqq: child: 10.xxx.bbb.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart
Rock-Roll-ccc-qqq: child: 10.xxx.ccc.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart
Rock-Roll-aaa-rrr: child: 10.xxx.aaa.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart
Rock-Roll-bbb-rrr: child: 10.xxx.bbb.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart
Rock-Roll-ccc-rrr: child: 10.xxx.ccc.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
Rock-Roll-aaa-qqq[1]: ESTABLISHED 13 seconds ago, 67.nnn.nnn.nnn[67.nnn.nnn.nnn]...64.mmm.mmm.mmm[64.mmm.mmm.mmm]
Rock-Roll-aaa-qqq[1]: IKEv2 SPIs: 8b6302f038b8cd7a_i* 093becf3e02081ef_r, pre-shared key reauthentication in 2 hours
Rock-Roll-aaa-qqq[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Rock-Roll-bbb-rrr{6}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c5a95ea2_i 8d9b26cd_o
Rock-Roll-bbb-rrr{6}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 2 hours
Rock-Roll-bbb-rrr{6}: 10.xxx.ccc.0/24 === 10.64.rrr.0/24
ip xfrm state
src 67.nnn.nnn.nnn dst 64.mmm.mmm.mmm
proto esp spi 0x8d9b26cd reqid 6 mode tunnel
replay-window 32 flag af-unspec
mark 0x4d/0xffffffff
auth-trunc hmac(sha256) 0x9985013cc2678d13ff4d070f02c72fd1ea49f2c7158bc056d0150de4a5b4a7dc 128
enc cbc(aes) 0xfcbc30f7ffadddb494d651668b012db11c437164fb430ed809a190b537e016c1
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 64.mmm.mmm.mmm dst 67.nnn.nnn.nnn
proto esp spi 0xc5a95ea2 reqid 6 mode tunnel
replay-window 32 flag af-unspec
mark 0x4d/0xffffffff
auth-trunc hmac(sha256) 0xa71506e5ad73a6ad0b1b25bd7d94af7d19906fe9d82bf86e1c21e5a8d9feb22c 128
enc cbc(aes) 0x6c819631ced958d174d1490ee83f95c1d47ae5ead6df21b08095575e199c9805
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
ip xfrm policy
src 10.64.rrr.0/24 dst 10.xxx.ccc.0/24
dir fwd priority 2883
mark 0x4d/0xffffffff
tmpl src 64.mmm.mmm.mmm dst 67.nnn.nnn.nnn
proto esp reqid 6 mode tunnel
src 10.64.rrr.0/24 dst 10.xxx.ccc.0/24
dir in priority 2883
mark 0x4d/0xffffffff
tmpl src 64.mmm.mmm.mmm dst 67.nnn.nnn.nnn
proto esp reqid 6 mode tunnel
src 10.xxx.ccc.0/24 dst 10.64.rrr.0/24
dir out priority 2883
mark 0x4d/0xffffffff
tmpl src 67.nnn.nnn.nnn dst 64.mmm.mmm.mmm
proto esp reqid 6 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
Harriscomputer
Leroy Tennison
Network Information/Cyber Security Specialist
E: leroy at datavoiceint.com
P:
[cid:Data-Voice-International-LOGO_aa3d1c6e-5cfb-451f-ba2c-af8059e69609.PNG]
2220 Bush Dr
McKinney, Texas
75070
www.datavoiceint.com<http://www..com>
This message has been sent on behalf of a company that is part of the Harris Operating Group of Constellation Software Inc.
If you prefer not to be contacted by Harris Operating Group please notify us<http://subscribe.harriscomputer.com/>.
This message is intended exclusively for the individual or entity to which it is addressed. This communication may contain information that is proprietary, privileged or confidential or otherwise legally exempt from disclosure. If you are not the named addressee, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this message in error, please notify the sender immediately by e-mail and delete all copies of the message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20201008/c6adb5f7/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 8276 bytes
Desc: Data-Voice-International-LOGO_aa3d1c6e-5cfb-451f-ba2c-af8059e69609.PNG
URL: <http://lists.strongswan.org/pipermail/users/attachments/20201008/c6adb5f7/attachment-0001.png>
More information about the Users
mailing list