[strongSwan] Why no entries in route table 220

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Oct 9 14:01:07 CEST 2020


Hello Leroy,

Routes in table 220 are only added when needed now (might be later, but the existence of any is not a suitable indicator of any success or failure; what the IKE daemon reports is what you should look at).

What is the actual issue?

Kind regards

Noel

On 08.10.20 at 19:40, Leroy Tennison wrote:
> We're on Strongswan 5.3.5 on Ubuntu 16.04 (kernel 4.0-171-generic).  I've searched the web and found very few references to table 220 issues but, after "ipsec start", "ipsec statusall" shows the connection (as do ip xfrm policy and ip xfrm state) and table 220 is empty.  This is the first time this has happened to me (admittedly, only two other IPSec setups using Strongswan).  Below are the configuration files (except ipsec.secrets, which has one uncommented line in the form: 67.nnn.nnn.nnn : PSK <pre-shared key obfuscated>) with IP addresses and conn names (but nothing else) obfuscated.  What am I doing wrong?  Any further debugging steps I can take? Anything else you need to know?  Thanks for your help.
> 
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> 
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
> 
> # Add connections here.
> 
> # Sample VPN connections
> 
> conn %default
>         authby=psk
>         auto=start
>         dpdaction=restart
>         dpddelay=30s
>         esp=aes256-sha256-ecp384
>         ike=aes256-sha256-ecp384
>         keyexchange=ikev2
>         left=67.nnn.nnn.nnn
>         leftauth=psk
>         leftfirewall=yes
>         lifetime=3h
> #        mark=77    tested with vti - didn't help
>         right=64.mmm.mmm.mmm
>         rightauth=psk
> # See strongswan.conf for retransmission settings
> 
> conn Rock-Roll-aaa-qqq
>         leftsubnet=10.xxx.aaa.0/24
>         rightsubnet=10.64.qqq.0/24
> 
> conn Rock-Roll-bbb-qqq
>         leftsubnet=10.xxx.bbb.0/24
>         rightsubnet=10.64.qqq.0/24
> 
> conn Rock-Roll-ccc-qqq
>         leftsubnet=10.xxx.ccc.0/24
>         rightsubnet=10.64.qqq.0/24
> 
> conn Rock-Roll-aaa-rrr
>         leftsubnet=10.xxx.aaa.0/24
>         rightsubnet=10.64.rrr.0/24
> 
> conn Rock-Roll-bbb-rrr
>         leftsubnet=10.xxx.bbb.0/24
>         rightsubnet=10.64.rrr.0/24
> 
> conn Rock-Roll-ccc-rrr
>         leftsubnet=10.xxx.ccc.0/24
>         rightsubnet=10.64.rrr.0/24
> 
> # strongswan.conf - strongSwan configuration file
> #
> # Refer to the strongswan.conf(5) manpage for details
> #
> # Configuration changes should be made in the included files
> 
> charon {
>         load_modular = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>         }
> #       charon.install_routes=0
>         charon.retransmit_base = 2
>         charon.retransmit_timeout = 5
>         charon.retransmit_tries = 7
> }
> 
> include strongswan.d/*.conf
> 
> ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-171-generic, i686):
>   uptime: 13 seconds, since Oct 08 12:07:47 2020
>   malloc: sbrk 1310720, mmap 0, used 305896, free 1004824
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
> Listening IP addresses:
>   192.168.eee.fff
>   67.nnn.nnn.nnn
>   10.xxx.ddd.www
>   10.xxx.ddd.ttt
>   10.xxx.bbb.www
>   10.xxx.bbb.ttt
>   10.xxx.eee.www
>   10.xxx.eee.ttt
>   192.168.ppp.ttt
>   10.xxx.aaa.uuu
>   66.lll.mmm.vvv
> Connections:
> Rock-Roll-aaa-qqq:  67.nnn.nnn.nnn...64.mmm.mmm.mmm  IKEv2, dpddelay=30s
> Rock-Roll-aaa-qqq:   local:  [67.nnn.nnn.nnn] uses pre-shared key authentication
> Rock-Roll-aaa-qqq:   remote: [64.mmm.mmm.mmm] uses pre-shared key authentication
> Rock-Roll-aaa-qqq:   child:  10.xxx.aaa.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart
> Rock-Roll-bbb-qqq:   child:  10.xxx.bbb.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart
> Rock-Roll-ccc-qqq:   child:  10.xxx.ccc.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart
> Rock-Roll-aaa-rrr:   child:  10.xxx.aaa.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart
> Rock-Roll-bbb-rrr:   child:  10.xxx.bbb.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart
> Rock-Roll-ccc-rrr:   child:  10.xxx.ccc.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart
> Security Associations (1 up, 0 connecting):
> Rock-Roll-aaa-qqq[1]: ESTABLISHED 13 seconds ago, 67.nnn.nnn.nnn[67.nnn.nnn.nnn]...64.mmm.mmm.mmm[64.mmm.mmm.mmm]
> Rock-Roll-aaa-qqq[1]: IKEv2 SPIs: 8b6302f038b8cd7a_i* 093becf3e02081ef_r, pre-shared key reauthentication in 2 hours
> Rock-Roll-aaa-qqq[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
> Rock-Roll-bbb-rrr{6}:  INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c5a95ea2_i 8d9b26cd_o
> Rock-Roll-bbb-rrr{6}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 2 hours
> Rock-Roll-bbb-rrr{6}:   10.xxx.ccc.0/24 === 10.64.rrr.0/24
> 
> ip xfrm state
> src 67.nnn.nnn.nnn dst 64.mmm.mmm.mmm
>         proto esp spi 0x8d9b26cd reqid 6 mode tunnel
>         replay-window 32 flag af-unspec
>         mark 0x4d/0xffffffff
>         auth-trunc hmac(sha256) 0x9985013cc2678d13ff4d070f02c72fd1ea49f2c7158bc056d0150de4a5b4a7dc 128
>         enc cbc(aes) 0xfcbc30f7ffadddb494d651668b012db11c437164fb430ed809a190b537e016c1
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> src 64.mmm.mmm.mmm dst 67.nnn.nnn.nnn
>         proto esp spi 0xc5a95ea2 reqid 6 mode tunnel
>         replay-window 32 flag af-unspec
>         mark 0x4d/0xffffffff
>         auth-trunc hmac(sha256) 0xa71506e5ad73a6ad0b1b25bd7d94af7d19906fe9d82bf86e1c21e5a8d9feb22c 128
>         enc cbc(aes) 0x6c819631ced958d174d1490ee83f95c1d47ae5ead6df21b08095575e199c9805
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> 
> ip xfrm policy
> src 10.64.rrr.0/24 dst 10.xxx.ccc.0/24
>         dir fwd priority 2883
>         mark 0x4d/0xffffffff
>         tmpl src 64.mmm.mmm.mmm dst 67.nnn.nnn.nnn
>                 proto esp reqid 6 mode tunnel
> src 10.64.rrr.0/24 dst 10.xxx.ccc.0/24
>         dir in priority 2883
>         mark 0x4d/0xffffffff
>         tmpl src 64.mmm.mmm.mmm dst 67.nnn.nnn.nnn
>                 proto esp reqid 6 mode tunnel
> src 10.xxx.ccc.0/24 dst 10.64.rrr.0/24
>         dir out priority 2883
>         mark 0x4d/0xffffffff
>         tmpl src 67.nnn.nnn.nnn dst 64.mmm.mmm.mmm
>                 proto esp reqid 6 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0
> src ::/0 dst ::/0
>         socket in priority 0
> src ::/0 dst ::/0
>         socket out priority 0
> src ::/0 dst ::/0
>         socket in priority 0
> src ::/0 dst ::/0
>         socket out priority 0
> 
> 
> Leroy Tennison
> Network Information/Cyber Security Specialist
> E: leroy at datavoiceint.com
> 2220 Bush Dr
> McKinney, Texas
> 75070
> www.datavoiceint.com

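Following the advice above to read tunnel state from what the IKE daemon reports rather than from table 220, here is an added check (not from the thread or the strongSwan project) that compares the CHILD_SAs charon lists as configured with those it lists as INSTALLED. It assumes the `ipsec statusall` layout shown in the thread; the embedded SAMPLE is a constructed abridgement of the quoted output.

```shell
#!/bin/sh
# Added example: judge tunnel state from "ipsec statusall" output, not from
# route table 220. Pipe live output into check_children, or run as-is on the
# constructed SAMPLE (abridged from the status quoted in the thread).
SAMPLE='Connections:
Rock-Roll-aaa-qqq:  67.nnn.nnn.nnn...64.mmm.mmm.mmm  IKEv2, dpddelay=30s
Rock-Roll-aaa-qqq:   child:  10.xxx.aaa.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart
Rock-Roll-bbb-qqq:   child:  10.xxx.bbb.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart
Rock-Roll-ccc-qqq:   child:  10.xxx.ccc.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart
Rock-Roll-aaa-rrr:   child:  10.xxx.aaa.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart
Rock-Roll-bbb-rrr:   child:  10.xxx.bbb.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart
Rock-Roll-ccc-rrr:   child:  10.xxx.ccc.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
Rock-Roll-aaa-qqq[1]: ESTABLISHED 13 seconds ago, 67.nnn.nnn.nnn[67.nnn.nnn.nnn]...64.mmm.mmm.mmm[64.mmm.mmm.mmm]
Rock-Roll-bbb-rrr{6}:  INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c5a95ea2_i 8d9b26cd_o
Rock-Roll-bbb-rrr{6}:   10.xxx.ccc.0/24 === 10.64.rrr.0/24'

# Configured CHILD_SAs from the "Connections:" section: "<conn> <left> <right>".
configured_children() {
    awk '/^Connections:/ { s = 1; next }
         /^Security Associations/ { s = 0 }
         s && $2 == "child:" { sub(/:$/, "", $1); print $1, $3, $5 }'
}

# Installed CHILD_SAs: the traffic-selector line after each INSTALLED line in
# "Security Associations" has "===" as its third field.
installed_children() {
    awk '/^Security Associations/ { s = 1; next }
         s && $3 == "===" { sub(/[{][0-9]+[}]:$/, "", $1); print $1, $2, $4 }'
}

# One verdict per configured child: UP (installed with the same selectors),
# DOWN (nothing installed under that name) or MISMATCH (installed under that
# name but with selectors other than the configured ones).
check_children() {
    status=$(cat)
    printf '%s\n' "$status" | configured_children | while read -r conn ls rs; do
        inst=$(printf '%s\n' "$status" | installed_children | awk -v c="$conn" '$1 == c')
        if [ -z "$inst" ]; then
            echo "DOWN $conn $ls===$rs"
        elif printf '%s\n' "$inst" | grep -qxF "$conn $ls $rs"; then
            echo "UP $conn $ls===$rs"
        else
            echo "MISMATCH $conn configured=$ls===$rs installed=$(printf '%s\n' "$inst" | awk 'NR == 1 { print $2 "===" $3 }')"
        fi
    done
}

printf '%s\n' "$SAMPLE" | check_children
```

On the quoted output this reports five children DOWN and Rock-Roll-bbb-rrr as MISMATCH, since the installed CHILD_SA carries the ccc selectors, which is the kind of detail table 220 would never show.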