Re: [strongSwan] Why no entries in route table 220
Hello Leroy, Routes in table 220 are only added when needed now (might be later, but the existence of any is not a suitable indicator of any success or failure, what the IKE daemon reports is what you should look at). What is the actual issue? Kind regards Noel Am 08.10.20 um 19:40 schrieb Leroy Tennison: > We're on Strongswan 5.3.5 on Ubuntu 16.04 (kernel 4.0-171-generic). I've > searched the web and found very little references to table 220 issues but, > after "ipsec start", "ipsec statusall" shows the connection (as does ip xfrm > policy and ip xfrm state) and table 220 is empty. This is the first time > this has happened to me (admittedly, only two other IPSec setups using > Strongswan). Below are the configuration files (except ipsec.secrets which > has one uncommented line in the form: 67.nnn.nnn.nnn : PSK obfuscated>) with IP addresses and conn names (but nothing else) obfuscated. > What am I doing wrong? Any further debugging steps I can take? Anything else > you need to know? Thanks for your help. > > # ipsec.conf - strongSwan IPsec configuration file > > # basic configuration > > config setup > # strictcrlpolicy=yes > # uniqueids = no > > # Add connections here. > > # Sample VPN connections > > conn %default > authby=psk > auto=start > dpdaction=restart > dpddelay=30s > esp=aes256-sha256-ecp384 > ike=aes256-sha256-ecp384 > keyexchange=ikev2 > left=67.nnn.nnn.nnn > leftauth=psk > leftfirewall=yes > lifetime=3h > # mark=77 tested with vti - didn't help > right=64.mmm.mmm.mmm > rightauth=psk > # See strongswan.conf for retransmission settings > > conn Rock-Roll-aaa-qqq > leftsubnet=10.xxx.aaa.0/24 > rightsubnet=10.64.qqq.0/24 > > conn Rock-Roll-bbb-qqq > leftsubnet=10.xxx.bbb.0/24 > rightsubnet=10.64.qqq.0/24 > > conn Rock-Roll-ccc-qqq > leftsubnet=10.xxx.ccc.0/24 > rightsubnet=10.64.qqq.0/24 > > conn Rock-Roll-aaa-rrr > leftsubnet=10.xxx.aaa.0/24 > rightsubnet=10.64.rrr.0/24 > > conn Rock-Roll-bbb-rrr > leftsubnet=10.xxx.bbb.0/24 > rightsubnet=10.64.rrr.0/24 > > conn Rock-Roll-ccc-rrr > leftsubnet=10.xxx.ccc.0/24 > rightsubnet=10.64.rrr.0/24 > > # strongswan.conf - strongSwan configuration file > # > # Refer to the strongswan.conf(5) manpage for details > # > # Configuration changes should be made in the included files > > charon { > load_modular = yes > plugins { > include strongswan.d/charon/*.conf > } > # charon.install_routes=0 > charon.retransmit_base = 2 > charon.retransmit_timeout = 5 > charon.retransmit_tries = 7 > } > > include strongswan.d/*.conf > > ipsec statusall > Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-171-generic, i686): > uptime: 13 seconds, since Oct 08 12:07:47 2020 > malloc: sbrk 1310720, mmap 0, used 305896, free 1004824 > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, > scheduled: 3 > loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce > x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey > pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve > socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc > eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc > eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc > xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 > tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity > Listening IP addresses: > 192.168.eee.fff > 67.nnn.nnn.nnn > 10.xxx.ddd.www > 10.xxx.ddd.ttt > 10.xxx.bbb.www > 10.xxx.bbb.ttt > 10.xxx.eee.www > 10.xxx.eee.ttt > 192.168.ppp.ttt > 10.xxx.aaa.uuu > 66.lll.mmm.vvv > Connections: > Rock-Roll-aaa-qqq: 67.nnn.nnn.nnn...64.mmm.mmm.mmm IKEv2, dpddelay=30s > Rock-Roll-aaa-qqq: local: [67.nnn.nnn.nnn] uses pre-shared key > authentication > Rock-Roll-aaa-qqq: remote: [64.mmm.mmm.mmm] uses pre-shared key > authentication > Rock-Roll-aaa-qqq: child: 10.xxx.aaa.0/24 === 10.64.qqq.0/24 TUNNEL, > dpdaction=restart > Rock-Roll-bbb-qqq: child: 10.xxx.bbb.0/24 === 10.64.qqq.0/24 TUNNEL, > dpdaction=restart > Rock-Roll-ccc-qqq: child: 10.xxx.ccc.0/24 === 10.64.qqq.0/24 TUNNEL, > dpdaction=restart > Rock-Roll-aaa-rrr: child: 10.xxx.aaa.0/24 === 10.64.rrr.0/24 TUNNEL, > dpdaction=restart > Rock-Roll-bbb-rrr: child: 10.xxx.bbb.0/24 === 10.64.rrr.0/24 TUNNEL, > dpdaction=restart > Rock-Roll-ccc-rrr: child: 10.xxx.ccc.0/24 === 10.64.rrr.0/24 TUNNEL, > dpdaction=restart > Security Associations (1 up, 0 connecting): > Rock-Roll-aaa-qqq[1]: ESTABLISHED 13 seconds ago, > 67.nnn.nnn.nnn[67.nnn.nnn.nnn]...64.mmm.mmm.mmm[64.mmm.mmm.mmm] >
[strongSwan] Why no entries in route table 220
We're on Strongswan 5.3.5 on Ubuntu 16.04 (kernel 4.0-171-generic). I've searched the web and found very little references to table 220 issues but, after "ipsec start", "ipsec statusall" shows the connection (as does ip xfrm policy and ip xfrm state) and table 220 is empty. This is the first time this has happened to me (admittedly, only two other IPSec setups using Strongswan). Below are the configuration files (except ipsec.secrets which has one uncommented line in the form: 67.nnn.nnn.nnn : PSK ) with IP addresses and conn names (but nothing else) obfuscated. What am I doing wrong? Any further debugging steps I can take? Anything else you need to know? Thanks for your help. # ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup # strictcrlpolicy=yes # uniqueids = no # Add connections here. # Sample VPN connections conn %default authby=psk auto=start dpdaction=restart dpddelay=30s esp=aes256-sha256-ecp384 ike=aes256-sha256-ecp384 keyexchange=ikev2 left=67.nnn.nnn.nnn leftauth=psk leftfirewall=yes lifetime=3h #mark=77tested with vti - didn't help right=64.mmm.mmm.mmm rightauth=psk # See strongswan.conf for retransmission settings conn Rock-Roll-aaa-qqq leftsubnet=10.xxx.aaa.0/24 rightsubnet=10.64.qqq.0/24 conn Rock-Roll-bbb-qqq leftsubnet=10.xxx.bbb.0/24 rightsubnet=10.64.qqq.0/24 conn Rock-Roll-ccc-qqq leftsubnet=10.xxx.ccc.0/24 rightsubnet=10.64.qqq.0/24 conn Rock-Roll-aaa-rrr leftsubnet=10.xxx.aaa.0/24 rightsubnet=10.64.rrr.0/24 conn Rock-Roll-bbb-rrr leftsubnet=10.xxx.bbb.0/24 rightsubnet=10.64.rrr.0/24 conn Rock-Roll-ccc-rrr leftsubnet=10.xxx.ccc.0/24 rightsubnet=10.64.rrr.0/24 # strongswan.conf - strongSwan configuration file # # Refer to the strongswan.conf(5) manpage for details # # Configuration changes should be made in the included files charon { load_modular = yes plugins { include strongswan.d/charon/*.conf } # charon.install_routes=0 charon.retransmit_base = 2 charon.retransmit_timeout = 5 charon.retransmit_tries = 7 } include strongswan.d/*.conf ipsec statusall Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-171-generic, i686): uptime: 13 seconds, since Oct 08 12:07:47 2020 malloc: sbrk 1310720, mmap 0, used 305896, free 1004824 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3 loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity Listening IP addresses: 192.168.eee.fff 67.nnn.nnn.nnn 10.xxx.ddd.www 10.xxx.ddd.ttt 10.xxx.bbb.www 10.xxx.bbb.ttt 10.xxx.eee.www 10.xxx.eee.ttt 192.168.ppp.ttt 10.xxx.aaa.uuu 66.lll.mmm.vvv Connections: Rock-Roll-aaa-qqq: 67.nnn.nnn.nnn...64.mmm.mmm.mmm IKEv2, dpddelay=30s Rock-Roll-aaa-qqq: local: [67.nnn.nnn.nnn] uses pre-shared key authentication Rock-Roll-aaa-qqq: remote: [64.mmm.mmm.mmm] uses pre-shared key authentication Rock-Roll-aaa-qqq: child: 10.xxx.aaa.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart Rock-Roll-bbb-qqq: child: 10.xxx.bbb.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart Rock-Roll-ccc-qqq: child: 10.xxx.ccc.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart Rock-Roll-aaa-rrr: child: 10.xxx.aaa.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart Rock-Roll-bbb-rrr: child: 10.xxx.bbb.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart Rock-Roll-ccc-rrr: child: 10.xxx.ccc.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart Security Associations (1 up, 0 connecting): Rock-Roll-aaa-qqq[1]: ESTABLISHED 13 seconds ago, 67.nnn.nnn.nnn[67.nnn.nnn.nnn]...64.mmm.mmm.mmm[64.mmm.mmm.mmm] Rock-Roll-aaa-qqq[1]: IKEv2 SPIs: 8b6302f038b8cd7a_i* 093becf3e02081ef_r, pre-shared key reauthentication in 2 hours Rock-Roll-aaa-qqq[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384 Rock-Roll-bbb-rrr{6}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c5a95ea2_i 8d9b26cd_o Rock-Roll-bbb-rrr{6}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 2 hours Rock-Roll-bbb-rrr{6}: 10.xxx.ccc.0/24 === 10.64.rrr.0/24 ip xfrm state src 67.nnn.nnn.nnn dst 64.mmm.mmm.mmm proto esp spi 0x8d9b26cd reqid 6 mode tunnel replay-window