[strongSwan] Having forwarding issue in a basic StrongSwan setup

MOHIT CHALLA (mochalla) mochalla at cisco.com
Wed Jan 26 14:30:31 CET 2022 

Hello group,

I am trying to run some tests in my lab setup with a Cisco cloud service router on one side and running StrongSwan version 5.8.2 on the other side (Ubuntu 20.04LTS).

I am using loopback interface on the Cisco side, and a normal interface on the Ubuntu side to simulate LAN networks and there is no NAT involved in-between.

The connection has come up properly (verified on both sides). However, end-to-end ping connectivity from the LAN to LAN is not going through due to what appears to me to be a forwarding issue on the Ubuntu side.

I suspect I am missing something basic here, but I am not able to figure it out. Any pointers are deeply appreciated.


root at mochalla:~# swanctl -l
csr: #2, ESTABLISHED, IKEv2, e3613778f4d39f6d_i ec5d278f976b8165_r*
  local  '192.168.1.2' @ 192.168.1.2[500]
  remote '192.168.1.1' @ 192.168.1.1[500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
  established 581s ago, rekeying in 13147s
  csr: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 15s ago, rekeying in 262s, expires in 315s
    in  c33426a5,      0 bytes,     0 packets
    out a790e4e9,      0 bytes,     0 packets
    local  172.16.1.0/24
    remote 172.17.1.0/24


root at mochalla:~# ip add
<…>
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:bd:6d:f7 brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.1.2/24 brd 192.168.1.255 scope global noprefixroute ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::145d:7f77:fb57:e349/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:bd:aa:76 brd ff:ff:ff:ff:ff:ff
    altname enp19s0
    inet 172.16.1.1/24 brd 172.16.1.255 scope global noprefixroute ens224
       valid_lft forever preferred_lft forever
    inet6 fe80::f1b7:4eb:7e:fd89/64 scope link noprefixroute
       valid_lft forever preferred_lft forever



On the Cisco side, I can see that the ping packets  are getting encrypted


Router#sh cry sess de | i pkts
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4608000/3590
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4608000/3590
Router#ping 172.16.1.1 so 172.17.1.1 re 10 ti 1
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 172.16.1.1, timeout is 1 seconds:
Packet sent with a source address of 172.17.1.1
..........
Success rate is 0 percent (0/10)
Router#sh cry sess de | i pkts
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4608000/3526
        Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) 4607999/3526



The ESP packets can be seen reaching the ens192 interface on Ubuntu in tcpdump.

root at mochalla:~# tcpdump -i ens192
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
18:47:29.855345 IP 192.168.1.1 > mochalla: ESP(spi=0xce02423e,seq=0x1), length 148
18:47:30.854815 IP 192.168.1.1 > mochalla: ESP(spi=0xce02423e,seq=0x2), length 148
18:47:31.854795 IP 192.168.1.1 > mochalla: ESP(spi=0xce02423e,seq=0x3), length 148
18:47:32.855670 IP 192.168.1.1 > mochalla: ESP(spi=0xce02423e,seq=0x4), length 148
18:47:33.855818 IP 192.168.1.1 > mochalla: ESP(spi=0xce02423e,seq=0x5), length 148
18:47:34.856440 IP 192.168.1.1 > mochalla: ESP(spi=0xce02423e,seq=0x6), length 148
18:47:35.856364 IP 192.168.1.1 > mochalla: ESP(spi=0xce02423e,seq=0x7), length 148
18:47:36.855871 IP 192.168.1.1 > mochalla: ESP(spi=0xce02423e,seq=0x8), length 148
18:47:37.856339 IP 192.168.1.1 > mochalla: ESP(spi=0xce02423e,seq=0x9), length 148
18:47:38.856668 IP 192.168.1.1 > mochalla: ESP(spi=0xce02423e,seq=0xa), length 148


Looks like the route is also getting installed in table 220 as expected.
root at mochalla:~# ip route show table 220
172.17.1.0/24 via 192.168.1.1 dev ens192 proto static src 172.16.1.1

If I try pinging from StrongSwan side to Cisco, I can see the reply ESP packets are reaching the ens192 interface, but not getting forwarded to ens224.


root at mochalla:~# ping 172.17.1.1 -I ens224 -c10 -W1
PING 172.17.1.1 (172.17.1.1) from 172.16.1.1 ens224: 56(84) bytes of data.

root at mochalla:~# tcpdump -i ens192
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
18:54:31.317527 IP mochalla > 192.168.1.1: ESP(spi=0x2816000e,seq=0x9), length 132
18:54:31.317771 IP 192.168.1.1 > mochalla: ESP(spi=0xc9a37c21,seq=0x1d), length 132
18:54:32.325385 IP mochalla > 192.168.1.1: ESP(spi=0x2816000e,seq=0xa), length 132
18:54:32.325675 IP 192.168.1.1 > mochalla: ESP(spi=0xc9a37c21,seq=0x1e), length 132
18:54:33.349423 IP mochalla > 192.168.1.1: ESP(spi=0x2816000e,seq=0xb), length 132
18:54:33.349699 IP 192.168.1.1 > mochalla: ESP(spi=0xc9a37c21,seq=0x1f), length 132
18:54:34.373418 IP mochalla > 192.168.1.1: ESP(spi=0x2816000e,seq=0xc), length 132
18:54:34.373637 IP 192.168.1.1 > mochalla: ESP(spi=0xc9a37c21,seq=0x20), length 132
18:54:35.397405 IP mochalla > 192.168.1.1: ESP(spi=0x2816000e,seq=0xd), length 132
18:54:35.397704 IP 192.168.1.1 > mochalla: ESP(spi=0xc9a37c21,seq=0x21), length 132
18:54:36.421384 IP mochalla > 192.168.1.1: ESP(spi=0x2816000e,seq=0xe), length 132
18:54:36.421756 IP 192.168.1.1 > mochalla: ESP(spi=0xc9a37c21,seq=0x22), length 132
18:54:37.445419 IP mochalla > 192.168.1.1: ESP(spi=0x2816000e,seq=0xf), length 132
18:54:37.445743 IP 192.168.1.1 > mochalla: ESP(spi=0xc9a37c21,seq=0x23), length 132
18:54:38.469436 IP mochalla > 192.168.1.1: ESP(spi=0x2816000e,seq=0x10), length 132
18:54:38.469731 IP 192.168.1.1 > mochalla: ESP(spi=0xc9a37c21,seq=0x24), length 132
18:54:39.493356 IP mochalla > 192.168.1.1: ESP(spi=0x2816000e,seq=0x11), length 132
18:54:39.493734 IP 192.168.1.1 > mochalla: ESP(spi=0xc9a37c21,seq=0x25), length 132
18:54:40.517449 IP mochalla > 192.168.1.1: ESP(spi=0x2816000e,seq=0x12), length 132
18:54:40.517762 IP 192.168.1.1 > mochalla: ESP(spi=0xc9a37c21,seq=0x26), length 132



root at mochalla:~# sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1


root at mochalla:~# iptables-save
# Generated by iptables-save v1.8.4 on Wed Jan 26 18:57:04 2022
*filter
:INPUT ACCEPT [1438:141334]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1780:162854]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
COMMIT


I am not sure why the ping packets are not getting forwarded to the ens224 interface. Though the ipv4 forwarding option is set, I observe that the FORWARD chain counter is not increasing.

Am I missing something basic here? Any pointers are deeply appreciated.


Thanks,
Mohit

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20220126/698af1c1/attachment-0001.html>

More information about the Users mailing list