Re: [strongSwan] Why no entries in route table 220

[Noel Kuntze]

Hello Leroy,

Routes in table 220 are only added when needed now (might be later, but the 
existence of any is not a suitable indicator of any success or failure, what 
the IKE daemon reports is what you should look at).

What is the actual issue?

Kind regards

Noel

Am 08.10.20 um 19:40 schrieb Leroy Tennison:
> We're on Strongswan 5.3.5 on Ubuntu 16.04 (kernel 4.0-171-generic).  I've 
> searched the web and found very little references to table 220 issues but, 
> after "ipsec start", "ipsec statusall" shows the connection (as does ip xfrm 
> policy and ip xfrm state) and table 220 is empty.  This is the first time 
> this has happened to me (admittedly, only two other IPSec setups using 
> Strongswan).  Below are the configuration files (except ipsec.secrets which 
> has one uncommented line in the form: 67.nnn.nnn.nnn : PSK  obfuscated>) with IP addresses and conn names (but nothing else) obfuscated.  
> What am I doing wrong?  Any further debugging steps I can take? Anything else 
> you need to know?  Thanks for your help.
> 
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> 
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
> 
> # Add connections here.
> 
> # Sample VPN connections
> 
> conn %default
>         authby=psk
>         auto=start
>         dpdaction=restart
>         dpddelay=30s
>         esp=aes256-sha256-ecp384
>         ike=aes256-sha256-ecp384
>         keyexchange=ikev2
>         left=67.nnn.nnn.nnn
>         leftauth=psk
>         leftfirewall=yes
>         lifetime=3h
> #        mark=77    tested with vti - didn't help
>         right=64.mmm.mmm.mmm
>         rightauth=psk
> # See strongswan.conf for retransmission settings
> 
> conn Rock-Roll-aaa-qqq
>         leftsubnet=10.xxx.aaa.0/24
>         rightsubnet=10.64.qqq.0/24
> 
> conn Rock-Roll-bbb-qqq
>         leftsubnet=10.xxx.bbb.0/24
>         rightsubnet=10.64.qqq.0/24
> 
> conn Rock-Roll-ccc-qqq
>         leftsubnet=10.xxx.ccc.0/24
>         rightsubnet=10.64.qqq.0/24
> 
> conn Rock-Roll-aaa-rrr
>         leftsubnet=10.xxx.aaa.0/24
>         rightsubnet=10.64.rrr.0/24
> 
> conn Rock-Roll-bbb-rrr
>         leftsubnet=10.xxx.bbb.0/24
>         rightsubnet=10.64.rrr.0/24
> 
> conn Rock-Roll-ccc-rrr
>         leftsubnet=10.xxx.ccc.0/24
>         rightsubnet=10.64.rrr.0/24
> 
> # strongswan.conf - strongSwan configuration file
> #
> # Refer to the strongswan.conf(5) manpage for details
> #
> # Configuration changes should be made in the included files
> 
> charon {
>         load_modular = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>         }
> #       charon.install_routes=0
>         charon.retransmit_base = 2
>         charon.retransmit_timeout = 5
>         charon.retransmit_tries = 7
> }
> 
> include strongswan.d/*.conf
> 
> ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-171-generic, i686):
>   uptime: 13 seconds, since Oct 08 12:07:47 2020
>   malloc: sbrk 1310720, mmap 0, used 305896, free 1004824
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
> scheduled: 3
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce 
> x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 
> pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve 
> socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc 
> eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc 
> eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc 
> xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 
> tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
> Listening IP addresses:
>   192.168.eee.fff
>   67.nnn.nnn.nnn
>   10.xxx.ddd.www
>   10.xxx.ddd.ttt
>   10.xxx.bbb.www
>   10.xxx.bbb.ttt
>   10.xxx.eee.www
>   10.xxx.eee.ttt
>   192.168.ppp.ttt
>   10.xxx.aaa.uuu
>   66.lll.mmm.vvv
> Connections:
> Rock-Roll-aaa-qqq:  67.nnn.nnn.nnn...64.mmm.mmm.mmm  IKEv2, dpddelay=30s
> Rock-Roll-aaa-qqq:   local:  [67.nnn.nnn.nnn] uses pre-shared key 
> authentication
> Rock-Roll-aaa-qqq:   remote: [64.mmm.mmm.mmm] uses pre-shared key 
> authentication
> Rock-Roll-aaa-qqq:   child:  10.xxx.aaa.0/24 === 10.64.qqq.0/24 TUNNEL, 
> dpdaction=restart
> Rock-Roll-bbb-qqq:   child:  10.xxx.bbb.0/24 === 10.64.qqq.0/24 TUNNEL, 
> dpdaction=restart
> Rock-Roll-ccc-qqq:   child:  10.xxx.ccc.0/24 === 10.64.qqq.0/24 TUNNEL, 
> dpdaction=restart
> Rock-Roll-aaa-rrr:   child:  10.xxx.aaa.0/24 === 10.64.rrr.0/24 TUNNEL, 
> dpdaction=restart
> Rock-Roll-bbb-rrr:   child:  10.xxx.bbb.0/24 === 10.64.rrr.0/24 TUNNEL, 
> dpdaction=restart
> Rock-Roll-ccc-rrr:   child:  10.xxx.ccc.0/24 === 10.64.rrr.0/24 TUNNEL, 
> dpdaction=restart
> Security Associations (1 up, 0 connecting):
> Rock-Roll-aaa-qqq[1]: ESTABLISHED 13 seconds ago, 
> 67.nnn.nnn.nnn[67.nnn.nnn.nnn]...64.mmm.mmm.mmm[64.mmm.mmm.mmm]
> 

[strongSwan] Why no entries in route table 220

[Leroy Tennison]

We're on Strongswan 5.3.5 on Ubuntu 16.04 (kernel 4.0-171-generic).  I've 
searched the web and found very little references to table 220 issues but, 
after "ipsec start", "ipsec statusall" shows the connection (as does ip xfrm 
policy and ip xfrm state) and table 220 is empty.  This is the first time this 
has happened to me (admittedly, only two other IPSec setups using Strongswan).  
Below are the configuration files (except ipsec.secrets which has one 
uncommented line in the form: 67.nnn.nnn.nnn : PSK ) 
with IP addresses and conn names (but nothing else) obfuscated.  What am I 
doing wrong?  Any further debugging steps I can take? Anything else you need to 
know?  Thanks for your help.

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
# strictcrlpolicy=yes
# uniqueids = no

# Add connections here.

# Sample VPN connections

conn %default
authby=psk
auto=start
dpdaction=restart
dpddelay=30s
esp=aes256-sha256-ecp384
ike=aes256-sha256-ecp384
keyexchange=ikev2
left=67.nnn.nnn.nnn
leftauth=psk
leftfirewall=yes
lifetime=3h
#mark=77tested with vti - didn't help
right=64.mmm.mmm.mmm
rightauth=psk
# See strongswan.conf for retransmission settings

conn Rock-Roll-aaa-qqq
leftsubnet=10.xxx.aaa.0/24
rightsubnet=10.64.qqq.0/24

conn Rock-Roll-bbb-qqq
leftsubnet=10.xxx.bbb.0/24
rightsubnet=10.64.qqq.0/24

conn Rock-Roll-ccc-qqq
leftsubnet=10.xxx.ccc.0/24
rightsubnet=10.64.qqq.0/24

conn Rock-Roll-aaa-rrr
leftsubnet=10.xxx.aaa.0/24
rightsubnet=10.64.rrr.0/24

conn Rock-Roll-bbb-rrr
leftsubnet=10.xxx.bbb.0/24
rightsubnet=10.64.rrr.0/24

conn Rock-Roll-ccc-rrr
leftsubnet=10.xxx.ccc.0/24
rightsubnet=10.64.rrr.0/24

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
load_modular = yes
plugins {
include strongswan.d/charon/*.conf
}
#   charon.install_routes=0
charon.retransmit_base = 2
charon.retransmit_timeout = 5
charon.retransmit_tries = 7
}

include strongswan.d/*.conf

ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-171-generic, i686):
  uptime: 13 seconds, since Oct 08 12:07:47 2020
  malloc: sbrk 1310720, mmap 0, used 305896, free 1004824
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 3
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce 
x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 
pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve 
socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc 
eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc 
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc 
xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 
tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
  192.168.eee.fff
  67.nnn.nnn.nnn
  10.xxx.ddd.www
  10.xxx.ddd.ttt
  10.xxx.bbb.www
  10.xxx.bbb.ttt
  10.xxx.eee.www
  10.xxx.eee.ttt
  192.168.ppp.ttt
  10.xxx.aaa.uuu
  66.lll.mmm.vvv
Connections:
Rock-Roll-aaa-qqq:  67.nnn.nnn.nnn...64.mmm.mmm.mmm  IKEv2, dpddelay=30s
Rock-Roll-aaa-qqq:   local:  [67.nnn.nnn.nnn] uses pre-shared key authentication
Rock-Roll-aaa-qqq:   remote: [64.mmm.mmm.mmm] uses pre-shared key authentication
Rock-Roll-aaa-qqq:   child:  10.xxx.aaa.0/24 === 10.64.qqq.0/24 TUNNEL, 
dpdaction=restart
Rock-Roll-bbb-qqq:   child:  10.xxx.bbb.0/24 === 10.64.qqq.0/24 TUNNEL, 
dpdaction=restart
Rock-Roll-ccc-qqq:   child:  10.xxx.ccc.0/24 === 10.64.qqq.0/24 TUNNEL, 
dpdaction=restart
Rock-Roll-aaa-rrr:   child:  10.xxx.aaa.0/24 === 10.64.rrr.0/24 TUNNEL, 
dpdaction=restart
Rock-Roll-bbb-rrr:   child:  10.xxx.bbb.0/24 === 10.64.rrr.0/24 TUNNEL, 
dpdaction=restart
Rock-Roll-ccc-rrr:   child:  10.xxx.ccc.0/24 === 10.64.rrr.0/24 TUNNEL, 
dpdaction=restart
Security Associations (1 up, 0 connecting):
Rock-Roll-aaa-qqq[1]: ESTABLISHED 13 seconds ago, 
67.nnn.nnn.nnn[67.nnn.nnn.nnn]...64.mmm.mmm.mmm[64.mmm.mmm.mmm]
Rock-Roll-aaa-qqq[1]: IKEv2 SPIs: 8b6302f038b8cd7a_i* 093becf3e02081ef_r, 
pre-shared key reauthentication in 2 hours
Rock-Roll-aaa-qqq[1]: IKE proposal: 
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Rock-Roll-bbb-rrr{6}:  INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c5a95ea2_i 
8d9b26cd_o
Rock-Roll-bbb-rrr{6}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, 
rekeying in 2 hours
Rock-Roll-bbb-rrr{6}:   10.xxx.ccc.0/24 === 10.64.rrr.0/24

ip xfrm state
src 67.nnn.nnn.nnn dst 64.mmm.mmm.mmm
proto esp spi 0x8d9b26cd reqid 6 mode tunnel
replay-window