Re: [Swan] Again: VPN connects but not data traffic through tunnel

2018-10-22 Thread Johannes C. Schulz
Hello Paul
I tried that, but with no luck. Still the same.

Best regards
Johannes

On Mon., 22 Oct 2018 at 12:30, Paul Wouters wrote:

> Try without sha-truncbug=yes
>
> Sent from mobile device
>
> On Oct 22, 2018, at 11:09, Johannes C. Schulz 
> wrote:

[Swan] Again: VPN connects but not data traffic through tunnel

2018-10-22 Thread Johannes C. Schulz
Good morning Libreswan-folks!

I cannot understand why my libreswan VPN does not work correctly. It
connects, but I get no data through - no ping, no ssh.

Before I start my VPN, the routing is like this:
$ ip ro
default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
169.254.0.0/16 dev enp0s12u2 scope link metric 1000
192.168.42.0/24 dev enp0s12u2 proto kernel scope link src 192.168.42.91 metric 100
192.168.42.129 dev enp0s12u2 scope link

For explanation: the client is a roadwarrior; in this case my
DHCP server/router is 192.168.42.129 and my local address is 192.168.42.91.

Now I start my VPN with the following configuration:

config setup
    protostack=netkey

conn Office1
    type=tunnel
    authby=secret
    left=192.168.42.91
    leftid=@office_vpn_admin
    leftsubnet=192.168.92.0/24
    leftvti=192.168.92.234/24
    right=some-domain.tld
    rightid=@Office
    keyexchange=ike
    ike=aes256-sha2;dh14
    phase2=esp
    phase2alg=aes256-sha2;dh14
    sha2_truncbug=yes
    ikelifetime=4h
    keylife=8h
    auto=route
    aggrmode=yes
    vti-interface=vti0
    vti-routing=yes
    mark=5/0x

The connection shows up:

003 "Office1": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
002 "Office1" #17: initiating Aggressive Mode
112 "Office1" #17: STATE_AGGR_I1: initiate
010 "Office1" #17: STATE_AGGR_I1: retransmission; will wait 0.5 seconds for response
010 "Office1" #17: STATE_AGGR_I1: retransmission; will wait 1 seconds for response
003 "Office1" #17: ignoring unknown Vendor ID payload [0048e2270bea8395ed778d343cc2a076]
003 "Office1" #17: ignoring unknown Vendor ID payload [5cbeb399eb835a7d7a2eb495905db061]
003 "Office1" #17: ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
002 "Office1" #17: Peer ID is ID_FQDN: '@Office'
002 "Office1" #17: WARNING: connection Office1 PSK length of 13 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
002 "Office1" #17: Peer ID is ID_FQDN: '@Office'
004 "Office1" #17: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}
002 "Office1" #18: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#17 msgid:d10ecd44 proposal=AES_CBC_256-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}
117 "Office1" #18: STATE_QUICK_I1: initiate
010 "Office1" #18: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
002 "Office1" #18: prepare-client output: net.ipv4.conf.vti0.disable_policy = 1
002 "Office1" #18: prepare-client output: net.ipv4.conf.vti0.rp_filter = 0
002 "Office1" #18: prepare-client output: net.ipv4.conf.vti0.forwarding = 1
002 "Office1" #18: route-client output: done ip route
004 "Office1" #18: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x63b84f91 <0x9be80fa8 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=xx.yyy.zzz.vv:4500 DPD=passive}

routing then shows

$ ip ro
default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
xx.yyy.zzz.vv dev vti0 scope link
169.254.0.0/16 dev enp0s12u2 scope link metric 1000
192.168.42.0/24 dev enp0s12u2 proto kernel scope link src 192.168.42.91 metric 100
192.168.42.129 dev enp0s12u2 scope link
192.168.92.0/24 dev vti0 proto kernel scope link src 192.168.92.234

$ route
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 enp0s12u2
paXXX.dip0.     0.0.0.0         255.255.255.255 UH    0      0        0 vti0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s12u2
192.168.42.0    0.0.0.0         255.255.255.0   U     100    0        0 enp0s12u2
_gateway        0.0.0.0         255.255.255.255 UH    0      0        0 enp0s12u2
192.168.92.0    0.0.0.0         255.255.255.0   U     0      0        0 vti0

$ ping 192.168.92.10
PING 192.168.92.10 (192.168.92.10) 56(84) bytes of data.
From 192.168.92.234 icmp_seq=1 Destination Host Unreachable

Again I ask you for help. I cannot understand why this will not work. Maybe
this is specific to the Ubuntu/Debian distro?

-- 
Best regards
Johannes C. Schulz

"Programmer - n. [proh-gram-er] an organism that turns caffeine and pizza
into software"
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan


Re: [Swan] roadwarrior connects but no data

2018-10-05 Thread Johannes C. Schulz
Hi Paul

Thanks for your answer. But sadly, this did not help.

$ ip route
default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
xx.yyy.zzz.vv dev vti0 scope link
169.254.0.0/16 dev enp0s12u2 scope link metric 1000
192.168.42.0/24 dev enp0s12u2 proto kernel scope link src 192.168.42.91 metric 100

$ route
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 enp0s12u2
.dip0.          0.0.0.0         255.255.255.255 UH    0      0        0 vti0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s12u2
192.168.42.0    0.0.0.0         255.255.255.0   U     100    0        0 enp0s12u2


192.168.42.x is the client's network.
xx.yyy.zzz.vv is the internet IP of the remote network behind some domain.
192.168.92.x is the remote network I want to access.

What's wrong with my config?

Best regards
Johannes




On Thu., 4 Oct 2018 at 16:50, Paul Wouters wrote:

> On Thu, 4 Oct 2018, Johannes C. Schulz wrote:
>
> > Hello LibreSwan community! It was a long way to get my libreswan
> > connecting to a vpn-server (which is actually a dsl-router from bintec).
> > The server accepts IPsec IKEv1 connections with PSK. I can connect, but
> > there is no traffic through the tunnel.
> > The problem must be on the roadwarrior's side, because I can connect and
> > transfer data through the tunnel if I connect with a Windows machine to the
> > vpn-server (using ShrewSoft).
> >
> > I wrote this config:
> >
> > config setup
> >     protostack=netkey
> >
> > conn Office1
> >     authby=secret
> >     right=some.domain.tld
> >     rightid=@Office_admin
> >     rightnexthop=%defaultroute
> >     left=192.168.42.91
> >     leftsubnet=192.168.92.0/24
> >     leftvti=192.168.92.234/24
> >     leftid=@Office
> >     keyexchange=ike
> >     ike=aes256-sha2;modp2048
> >     esp=aes256-sha2;modp2048
> >     ikelifetime=4h
> >     keylife=8h
> >     auto=add
> >     aggrmode=yes
> >     vti-interface=vti0
> >     vti-routing=yes
> >     mark=5/0x
>
> Try adding sha2_truncbug=yes and see if that fixes your issue. The
> router might be doing "broken linux compatibility" mode by default.
>
> > netstat -r -n
> > Kernel-IP-Routentabelle
> > Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
> > 0.0.0.0         192.168.42.129  0.0.0.0         UG        0 0          0 enp0s12u2
> > xx.yyy.zzz.vv   0.0.0.0         255.255.255.255 UH        0 0          0 vti0
> > 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 enp0s12u2
> > 192.168.42.0    0.0.0.0         255.255.255.0   U         0 0          0 enp0s12u2
> > 192.168.92.0    0.0.0.0         255.255.255.0   U         0 0          0 vti0
>
> What does "ip route" say? It is important to see if you got the proper
> route into the VTI interface. I assume xx.yyy.zzz.vv is some.domain.tld's
> IP?
>
> > ping 192.168.92.10
> > PING 192.168.92.10 (192.168.92.10) 56(84) bytes of data.
> > From 192.168.92.234 icmp_seq=1 Destination Host Unreachable
>
> Is this on the remote end? Because you defined that to be on your end?
>
> Paul
>


-- 
Best regards
Johannes C. Schulz

"Programmer - n. [proh-gram-er] an organism that turns caffeine and pizza
into software"
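Paul's question above (which end the 192.168.92.0/24 network is defined on) can be checked mechanically. The following is an added example, not code from the thread or from the libreswan project: it works out which traffic the posted conn's phase-2 selector will protect, assuming libreswan's rule that an omitted leftsubnet/rightsubnet defaults to that host's own address as a /32; the peer address and the "fixed" variant are constructed assumptions, not the thread's resolution.

```python
import ipaddress

# Constructed sample: the conn from the thread, reduced to the keys that
# decide which traffic the IPsec SA protects. 203.0.113.10 is a placeholder
# for the redacted peer address xx.yyy.zzz.vv.
THREAD_CONN = {
    "left": "192.168.42.91",
    "leftsubnet": "192.168.92.0/24",
    "leftvti": "192.168.92.234/24",
    "right": "203.0.113.10",
    # the posted config has no rightsubnet at all
}

# Hypothetical variant (an assumption, not the thread's resolution): the
# network to reach declared on the remote side, only the VTI address on ours.
FIXED_CONN = dict(THREAD_CONN, leftsubnet="192.168.92.234/32",
                  rightsubnet="192.168.92.0/24")


def selector(conn):
    """Return (local_net, remote_net) the phase-2 SA will protect.
    Assumed libreswan rule: an omitted *subnet means that host's address /32."""
    local = conn.get("leftsubnet", conn["left"] + "/32")
    remote = conn.get("rightsubnet", conn["right"] + "/32")
    return (ipaddress.ip_network(local, strict=False),
            ipaddress.ip_network(remote, strict=False))


def diagnose(conn, dst):
    """Classify whether a packet from the VTI address to dst is covered by
    the SA selector; traffic outside it is never encrypted, whatever
    'ip route' shows for vti0."""
    local, remote = selector(conn)
    src = ipaddress.ip_interface(conn["leftvti"]).ip
    dst = ipaddress.ip_address(dst)
    if src not in local:
        return "src-outside-local-selector"
    if dst in remote:
        return "tunnelled"
    if dst in local:
        # the network we are trying to reach is declared as *our* side
        return "dst-in-local-selector"
    return "dst-outside-remote-selector"


if __name__ == "__main__":
    for name, conn in (("thread", THREAD_CONN), ("fixed", FIXED_CONN)):
        print(name, diagnose(conn, "192.168.92.10"))
```

For the posted conn the ping target 192.168.92.10 falls inside the local selector, so the SA is up but no policy matches the packet; a connected route to 192.168.92.0/24 via vti0 does not change that.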