[strongSwan] Linux routing issue

Noel Kuntze noel.kuntze at thermi.consulting
Mon Jan 24 20:55:51 CET 2022


Hello Carlos,


 > The mark did take, but the rest (i.e. non secured traffic) is being affected, I may have been unclear about the

Please check the routing rules and tables too. E.g. ask the kernel what the route would be for an IP address using `ip r get X` and check if it matches what you expect it to be.

 > The state shows it:

Can you check `ip xfrm policy`? That shows you the policies, which are the crucial parts. States without policies don't do anything. Policies without states drop everything.

Kind regards
Noel

Am 24.01.22 um 20:49 schrieb Carlos G Mendioroz:
> Noel,
> thanks for answering. Please see inline:
>
> Noel Kuntze @ 24/1/2022 16:24 -0300 dixit:
>> Hello Carlos,
>>
>> Either the mark didn't take, you're using an old version (some had a different behaviour in regards to marks and how routes are set when marks are set on the connection configuration).
>
> I'm using 5.8.2 as distributed by Ubuntu 20.04 LTS.
> The mark did take, but the rest (i.e. non secured traffic) is being affected, I may have been unclear about the issue.
>
> The state shows it:
>
> src <my IP> dst <AWS IP>
>     proto esp spi 0xcf54acd4 reqid 1 mode tunnel
>     replay-window 0 flag af-unspec
>     mark 0x20/0xffffffff
>     auth-trunc hmac(sha256) 0xd5... 128
>     enc cbc(aes) 0x1a...
>     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> src <AWS IP> <my IP>
>     proto esp spi 0xc1a5cd59 reqid 1 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(sha256) 0xbe... 128
>     enc cbc(aes) 0xd9...
>     encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>     anti-replay context: seq 0x22, oseq 0x0, bitmap 0xffffffff
>
>>
>> If you do not require the setting of source IP addresses for the remote subnets, just disable installing of routes, and use XFRM interfaces so you can use routes to direct traffic instead of dealing with the XFRM policies.
>
> I'm trying to understand, not to have a working config. For now, at least :)
>
> -Carlos
>
>>
>> Kind regards
>> Noel
>>
>> Am 24.01.22 um 12:44 schrieb Carlos G Mendioroz:
>>> Hi,
>>> trying to set up a VPN on a lab system with many interfaces
>>> (Ubuntu 20.04, 2 uplinks, IPv6 tunnel, vlans, openvpn and IPIP tunnel).
>>>
>>> It's been a while since I used strongswan, but it was easy to set up using ipsec command and ipsec.conf policies. ipsec route table (220) played fine with my own rules I use mainly to source route to Internet uplinks.
>>>
>>> Now I want to setup a routed VPN (AWS transit gateway on the other end) and as soon as link comes up, all my traffic gets routed by main table.
>>> (I changed policy to any any and at first did not specifiy mark, and it even disconnected from the local net, not nice on a headless server)
>>> Now with mark it still makes all the traffic ignore rule priorities.
>>>
>>> Any pointer to what to check ?
>>> TIA,
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20220124/0f01b899/attachment.sig>


More information about the Users mailing list