[strongSwan] Connect to one site through another

VTwin Farriers vtwin at cox.net
Thu Jul 14 12:50:09 CEST 2022


> On July 14, 2022 at 2:32 AM Michael Schwartzkopff <ms at sys4.de> wrote:

> Just Add the site-c subnet to the tunnel of A-B.

I tried that. It doesn't work. I get an error on Site B when attempting to establish the child SAs.

Subnets:

siteA: 192.168.127.254/24
siteB: 192.168.126.254/24
siteC: 192.168.125.254/24


Site A config:

siteA {
 version=2
 local_addrs=A.A.A.A
 remote_addrs=B.B.B.B
 proposals=aes256-sha1-modp1024
 local {
  auth = psk
 }
 remote {
  auth = psk
 }
 children {
  siteBC {
   esp_proposals=aes256-sha1
   local_ts=192.168.127.0/24
   remote_ts=192.168.125.0/24,192.168.126.0/24
   updown=/usr/libexec/strongswan/_updown iptables
   hostaccess=yes
  }
 }
}

Site B config:

siteBC {
 version=2
 local_addrs=B.B.B.B
 remote_addrs=A.A.A.A
 proposals=aes256-sha1-modp1024
 local {
  auth = psk
 }
 remote {
  auth = psk
 }
 children {
  siteA {
   esp_proposals=aes256-sha1
   remote_ts=192.168.127.0/24
   local_ts=192.168.126.0/24,192.168.125.0/24
   updown=/usr/libexec/strongswan/_updown iptables
   hostaccess=yes
  }
 }
}

swanctl --initiate --ike siteBC --child siteA

[IKE] initiating IKE_SA siteBC[2] to A.A.A.A
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from B.B.B.B[500] to A.A.A.A[500] (336 bytes)
[NET] received packet: from A.A.A.A[500] to B.B.B.B[500] (344 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[IKE] remote host is behind NAT
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of 'B.B.B.B' (myself) with pre-shared key
[IKE] establishing CHILD_SA siteA{2}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (316 bytes)
[NET] received packet: from A.A.A.A[4500] to B.B.B.B[4500] (316 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
[IKE] authentication of 'A.A.A.A' with pre-shared key successful
[IKE] IKE_SA siteA[2] established between B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
[IKE] scheduling rekeying in 13618s
[IKE] maximum IKE_SA lifetime 15058s
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
[KNL] error installing route with policy 192.168.125.0/24 === 192.168.127.0/24 out
[IKE] unable to install IPsec policies (SPD) in kernel
[IKE] failed to establish CHILD_SA, keeping IKE_SA
[IKE] peer supports MOBIKE
[IKE] sending DELETE for ESP CHILD_SA with SPI 1caca0b6
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (76 bytes)
[NET] received packet: from A.A.A.A[4500] to B.B.B.B[4500] (220 bytes)
[ENC] parsed CREATE_CHILD_SA request 0 [ SA No TSi TSr ]
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
[KNL] error installing route with policy 192.168.125.0/24 === 192.168.127.0/24 out
[IKE] unable to install IPsec policies (SPD) in kernel
[IKE] failed to establish CHILD_SA, keeping IKE_SA
[ENC] generating CREATE_CHILD_SA response 0 [ N(TS_UNACCEPT) ]
[NET] sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (76 bytes)
initiate failed: establishing CHILD_SA 'siteA' failed


If I modify siteBC config and remove site C subnet from the local_ts, it works:

[IKE] initiating IKE_SA siteBC[4] to A.A.A.A
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from B.B.B.B[500] to A.A.A.A[500] (336 bytes)
[NET] received packet: from A.A.A.A[500] to B.B.B.B[500] (344 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[IKE] remote host is behind NAT
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of 'B.B.B.B' (myself) with pre-shared key
[IKE] establishing CHILD_SA siteA{2}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from B.B.B.B[4500] to A.A.A.A[4500] (300 bytes)
[NET] received packet: from A.A.A.A[4500] to B.B.B.B[4500] (300 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
[IKE] authentication of 'A.A.A.A' with pre-shared key successful
[IKE] IKE_SA siteA[4] established between B.B.B.B[B.B.B.B]...A.A.A.A[A.A.A.A]
[IKE] scheduling rekeying in 13270s
[IKE] maximum IKE_SA lifetime 14710s
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
[IKE] CHILD_SA siteA{2} established with SPIs 73a57791_i 00e2cfd8_o and TS 192.168.126.0/24 === 192.168.127.0/24


So simply adding the siteC subnet to the local/remote ts entries for the site A and Site B connections doesn't seem to work, unless I'm missing something else I need to add in my configuration.

I'm running these connections on CentOS Linux with strongSwan from the EPEL repo. Currently at U5.9.6/K5.4.204-1.el8.elrepo.x86_64
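An added example, not part of this post and not strongSwan's own code: a small Python script that reads the site B child configuration quoted above, lists every local_ts subnet that contains none of the host's own addresses, and pulls the "error installing route with policy" and "CHILD_SA ... established" events out of charon log lines. The interface address list (192.168.126.254 on site B) and the minimal config parser are assumptions made for the example; the idea that charon needs a local source address inside each local_ts subnet to install its route is a hypothesis about the failure, not something the thread confirms.

```python
"""Check swanctl child traffic selectors against the host's own addresses and
summarize CHILD_SA outcomes from charon log lines (added example)."""
import ipaddress
import re

# Constructed sample: site B's connection from the thread, swanctl.conf syntax.
SITE_B_CONF = """
siteBC {
 version=2
 local_addrs=B.B.B.B
 remote_addrs=A.A.A.A
 children {
  siteA {
   remote_ts=192.168.127.0/24
   local_ts=192.168.126.0/24,192.168.125.0/24
  }
 }
}
"""

# Constructed sample: addresses assumed to be present on site B's interfaces.
SITE_B_LOCAL_ADDRS = ["B.B.B.B", "192.168.126.254"]

# Constructed sample: charon log lines copied from the output quoted in the thread.
CHARON_LOG = """\
[KNL] error installing route with policy 192.168.125.0/24 === 192.168.127.0/24 out
[IKE] unable to install IPsec policies (SPD) in kernel
[IKE] failed to establish CHILD_SA, keeping IKE_SA
[IKE] CHILD_SA siteA{2} established with SPIs 73a57791_i 00e2cfd8_o and TS 192.168.126.0/24 === 192.168.127.0/24
"""


def parse_children_ts(conf):
    """Return {child: {'local_ts': [...], 'remote_ts': [...]}} from swanctl.conf
    text. Brace-aware but minimal: it only understands the connection/children
    layout used in the thread, and ignores keys outside a child section."""
    stack, children, current = [], {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            stack.append(name)
            if len(stack) >= 2 and stack[-2] == "children":
                current = name
                children[current] = {"local_ts": [], "remote_ts": []}
        elif line == "}":
            if current and stack and stack[-1] == current:
                current = None
            stack.pop()
        elif "=" in line and current:
            key, _, val = line.partition("=")
            key = key.strip()
            if key in ("local_ts", "remote_ts"):
                children[current][key] = [v.strip() for v in val.split(",") if v.strip()]
    return children


def local_ts_without_local_address(children, local_addrs):
    """Local traffic selectors that contain none of the host's own addresses.
    Hypothesis (not confirmed by the thread): charon picks a source address from
    local_ts when it installs its route, so these are the selectors to look at."""
    addrs = []
    for a in local_addrs:
        try:
            addrs.append(ipaddress.ip_address(a))
        except ValueError:
            pass  # placeholders such as B.B.B.B are not real addresses
    missing = {}
    for name, ts in children.items():
        for sel in ts["local_ts"]:
            net = ipaddress.ip_network(sel, strict=False)
            if not any(a in net for a in addrs):
                missing.setdefault(name, []).append(sel)
    return missing


ROUTE_ERR = re.compile(r"error installing route with policy (\S+) === (\S+) (in|out)")
CHILD_OK = re.compile(r"CHILD_SA (\S+?)\{\d+\} established with SPIs \S+ \S+ and TS (\S+) === (\S+)")


def summarize_child_sas(log):
    """Extract failed route/policy installs and established CHILD_SAs, so a
    monitor can tell a partially working tunnel from a fully working one."""
    events = {"failed_policies": [], "established": []}
    for line in log.splitlines():
        m = ROUTE_ERR.search(line)
        if m:
            events["failed_policies"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = CHILD_OK.search(line)
        if m:
            events["established"].append((m.group(1), m.group(2), m.group(3)))
    return events


if __name__ == "__main__":
    children = parse_children_ts(SITE_B_CONF)
    print("local_ts without a local address:", local_ts_without_local_address(children, SITE_B_LOCAL_ADDRS))
    print("CHILD_SA events:", summarize_child_sas(CHARON_LOG))
```

Run against the thread's config and log, the first check singles out 192.168.125.0/24 in child siteA as the one local_ts subnet with no address on the site B host, and the log summary pairs the same subnet with the failed policy install while showing only the 192.168.126.0/24 === 192.168.127.0/24 selector pair as established.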

