[strongSwan] trouble installing the source route
Hello dear strongSwan users,

I have trouble getting packets from one strongSwan gateway to the other to work (the source route, to be exact). I have two gateways, one is called "gate", the other one is called "conan". conan has 192.168.5.0/24 on the private if, gate has 192.168.99.0/24. conan installs the source route to 192.168.99.0/24 correctly, however gate says:

Dec 1 15:40:20 gate charon: 13[KNL] received netlink error: Network is unreachable (101)

However, if I add the route myself with

ip route add 192.168.5.0/24 via nexthop dev eth4 table 220 src 192.168.99.1

it works fine. I've attached our routing table.

Thanks and regards,
Johannes

default via 217.0.116.242 dev ppp0 table tonline src 87.160.193.119
217.0.116.242 dev ppp0 proto kernel scope link src 87.160.193.119
1.2.3.120/29 dev eth4 proto kernel scope link src 1.2.3.123
192.168.99.0/24 dev eth8 proto kernel scope link src 192.168.99.1
169.254.0.0/16 dev eth8 scope link
default via 1.2.3.121 dev eth4
broadcast 192.168.99.255 dev eth8 table 255 proto kernel scope link src 192.168.99.1
broadcast 127.255.255.255 dev lo table 255 proto kernel scope link src 127.0.0.1
local 192.168.99.1 dev eth8 table 255 proto kernel scope host src 192.168.99.1
local 192.168.99.1 dev eth4 table 255 proto kernel scope host src 192.168.99.1
broadcast 192.168.99.0 dev eth8 table 255 proto kernel scope link src 192.168.99.1
broadcast 1.2.3.127 dev eth4 table 255 proto kernel scope link src 1.2.3.123
local 1.2.3.124 dev eth4 table 255 proto kernel scope host src 1.2.3.123
local 1.2.3.125 dev eth4 table 255 proto kernel scope host src 1.2.3.123
local 87.160.193.119 dev ppp0 table 255 proto kernel scope host src 87.160.193.119
local 1.2.3.123 dev eth4 table 255 proto kernel scope host src 1.2.3.123
broadcast 1.2.3.120 dev eth4 table 255 proto kernel scope link src 1.2.3.123
broadcast 127.0.0.0 dev lo table 255 proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table 255 proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table 255 proto kernel scope host src 127.0.0.1
fe80::/64 dev eth4 metric 256 expires 19757425sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth3 metric 256 expires 19757425sec mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth8 metric 256 expires 19757425sec mtu 1500 advmss 1440 hoplimit 4294967295
unreachable default dev lo table unspec proto none metric -1 error -101 hoplimit 255
local ::1 via :: dev lo table 255 proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::a00:20ff:feea:182c via :: dev lo table 255 proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::a00:20ff:feea:182c via :: dev lo table 255 proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::a00:20ff:feed:cd9c via :: dev lo table 255 proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
ff00::/8 dev eth4 table 255 metric 256 expires 19757425sec mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth3 table 255 metric 256 expires 19757425sec mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth8 table 255 metric 256 expires 19757425sec mtu 1500 advmss 1440 hoplimit 4294967295
unreachable default dev lo table unspec proto none metric -1 error -101 hoplimit 255

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] (no subject)
Hi,

I have opened the ports in the LANCOM.

Kind regards
Jan

From: Andreas Steffen [andreas.stef...@strongswan.org]
Sent: Saturday, 28 November 2009 14:58
To: Jan Luca Naumann
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Problems with connecting to strongSwan server from Win 7

Hi Jan,

if the strongSwan server is a passive responder behind a NAT router it is not sufficient to just open ports 500 and 4500 on the LANCOM router. You must also activate port forwarding which forwards ports 500/4500 of the LANCOM router to ports 500/4500 of the strongSwan gateway.

Best regards

Andreas

BTW - nat_traversal=yes is not required with IKEv2 since NAT traversal is always activated by default and cannot be disabled.

Jan Luca wrote:
> Hello,
>
> I have installed a strongSwan server with this ipsec.conf:
>
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>     plutostart=no
>     nat_traversal=yes
>
> conn test
>     left=%any
>     leftcert=
>     leftsubnet=192.168.5.0/24
>     right=%any
>     rightsourceip=192.168.254.1
>     rightid=
>     auto=add
>     keyexchange=ikev2
>
> ipsec.secrets:
>
> : RSA
>
> The server is behind a NAT of a LANCOM 1821 (LANCOM 1821 Wireless ADSL
> (Ann.B) 3.36.0026 / 18.05.2004). I opened the ports 500 and 4500.
>
> So now I try to connect to the server with a Win 7 client, but it doesn't get
> a connection (server not found). What am I doing wrong?
>
> Kind regards
> Jan

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
Re: [strongSwan] installing DNS server %any to /etc/resolv.conf
> It should either print out 0.0.0.0 or nothing at all. I am not sure
> which is more appropriate.

0.0.0.0 is almost as invalid as %any, installing it does not make sense. I pushed a patch that does not install such servers.

Regards
Martin
Re: [strongSwan] [solved] IKEv2
Hi Daniel,

Daniel Mentz writes:
>>                  (WAN)          (LAN)
>> PC2(CF-W8) - NAT router   PC1(CF-W7)
>> 192.168.0.14   192.168.0.21   192.168.1.1   192.168.1.11
>>
>> - "ipsec up host-host" must be done from the LAN side (CF-W7), in order to
>> create the NAT mapping used for UDP encapsulated IPsec packets.
>
> Hi Hector,
>
> why not set up a port forwarding rule on the NAT router so that packets
> arriving on the WAN port destined for 192.168.0.21 UDP port 500 or 4500
> are mapped to 192.168.1.11.

Of course, that would make an exchange starting from PC2 work. I just wanted to say that in that particular scenario (e.g., an unconfigured router of a typical home user) the exchange should start from the LAN side (I realize it is so obvious I shouldn't have written it in the first place...).

>> I do need to enable VPN passthrough at least in this particular router,
>> if VPN passthrough is disabled, the router blocks UDP traffic and the
>> VPN can't be set up.
>
> Thank you for this information. I put the following on record:
>
> VPN passthrough is counterproductive and does more harm than good.

I think it is just a way to make consumer-grade equipment more "user-friendly". For a normal home user, it is easier to follow "turn VPN passthrough on" than "open UDP ports 500 and 4500 of your router in order to use a VPN".

Thanks,
Hector
Re: [strongSwan] installing DNS server %any to /etc/resolv.conf
Hi Martin,

It is a bug in strongSwan. The bug exists in the latest git code as well. In the function:

static bool handle(private_resolve_handler_t *this, identification_t *server,
                   configuration_attribute_type_t type, chunk_t data)

located inside the file:
http://wiki.strongswan.org/repositories/entry/strongswan/src/charon/plugins/resolve/resolve_handler.c

The DNS IP address provided by the IPsec gateway is printed out (using the %H mechanism) without any checking. But it looks like (I haven't checked) %H prints "%any" when it is given an IP address of 0.0.0.0 or similar. I can confirm that my IPsec gateway returns 0.0.0.0 as the DNS. It should either print out 0.0.0.0 or nothing at all. I am not sure which is more appropriate.

Also looking at the source I can see a possible leak. If 'in' is opened successfully but 'out' cannot be opened then 'in' is leaked.

Regards,
Dimitrios Siganos

Martin Willi wrote:
> Hi,
>
>> I am assuming it is a mis-configuration or bug.
>
> Maybe both. It seems that your client requests a DNS server, but your
> server returns an empty or a 0.0.0.0 address.
>
>> The IPsec gateway is a:
>> Linux strongSwan U4.2.11/K2.6.28-11-generic
>
> Some time passed since 4.2.11, probably we handle it better now. If you
> want to push DNS information to your client, you'll need a more recent
> version on the gateway.
>
>> The IPsec client is a:
>> Linux strongSwan U4.3.3/K2.6.28
>
> 4.3.3 always includes a DNS request if you request a virtual IP. But you
> can skip the installation by disabling the resolve plugin
> during ./configure.
>
> Regards
> Martin
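The two fixes Dimitrios asks for in this post, and that Martin's reply above says his patch makes (refuse an unspecified server address instead of writing "nameserver %any", and close 'in' when 'out' cannot be opened), as an added C illustration. This is not strongSwan's resolve_handler.c: dns_check, dns_install and the single-pass copy of the old file are hypothetical simplifications written for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Classify a DNS server address pushed by the gateway (hypothetical helper):
 * 0 = usable, 1 = unspecified (0.0.0.0 or ::), 2 = not an IP address at all. */
int dns_check(const char *text)
{
    unsigned char raw[16];
    size_t len;
    if (inet_pton(AF_INET, text, raw) == 1)
        len = 4;
    else if (inet_pton(AF_INET6, text, raw) == 1)
        len = 16;
    else
        return 2;
    for (size_t i = 0; i < len; i++)
        if (raw[i] != 0)
            return 0;   /* at least one non-zero octet: a real address */
    return 1;           /* all zero: the unspecified address, never install it */
}

/* Write out_path as "nameserver <server>" followed by the contents of in_path.
 * Refuses unusable servers and closes both handles on every exit path, so a
 * failed fopen(out_path) cannot leak 'in'. Returns true on success. */
bool dns_install(const char *server, const char *in_path, const char *out_path)
{
    FILE *in, *out = NULL;
    char chunk[512];
    size_t n;
    bool ok = false;
    if (dns_check(server) != 0)
        return false;   /* nothing sensible to write into resolv.conf */
    in = fopen(in_path, "r");
    if (in == NULL)
        return false;
    out = fopen(out_path, "w");
    if (out == NULL || fprintf(out, "nameserver %s\t# by strongSwan\n", server) < 0)
        goto done;      /* the leak Dimitrios describes: 'in' must still be closed */
    while ((n = fread(chunk, 1, sizeof chunk, in)) > 0)
        if (fwrite(chunk, 1, n, out) != n)
            goto done;
    ok = !ferror(in);
done:
    if (out != NULL)
        fclose(out);
    fclose(in);
    return ok;
}
```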
Re: [strongSwan] installing DNS server %any to /etc/resolv.conf
Hi,

> I am assuming it is a mis-configuration or bug.

Maybe both. It seems that your client requests a DNS server, but your server returns an empty or a 0.0.0.0 address.

> The IPsec gateway is a:
> Linux strongSwan U4.2.11/K2.6.28-11-generic

Some time passed since 4.2.11, probably we handle it better now. If you want to push DNS information to your client, you'll need a more recent version on the gateway.

> The IPsec client is a:
> Linux strongSwan U4.3.3/K2.6.28

4.3.3 always includes a DNS request if you request a virtual IP. But you can skip the installation by disabling the resolve plugin during ./configure.

Regards
Martin
Re: [strongSwan] installing DNS server %any to /etc/resolv.conf
I should add that we are not trying to use DNS. As far as we can see, we are not setting any DNS settings, in ipsec.conf or strongswan.conf, on either the gateway or the client.

Dimitrios Siganos wrote:
> Hi,
>
> I am getting this strange log when I set up a strongSwan tunnel:
> installing DNS server %any to /etc/resolv.conf
>
> And it adds this line to /etc/resolv.conf:
> nameserver %any # by strongSwan, from C=UK, ST= ...
>
> Does anyone know what is causing this? I am assuming it is a
> mis-configuration or bug.
>
> The IPsec gateway is a:
> Linux strongSwan U4.2.11/K2.6.28-11-generic
>
> The IPsec client is a:
> Linux strongSwan U4.3.3/K2.6.28
>
> Regards,
> Dimitrios Siganos
[strongSwan] installing DNS server %any to /etc/resolv.conf
Hi,

I am getting this strange log when I set up a strongSwan tunnel:
installing DNS server %any to /etc/resolv.conf

And it adds this line to /etc/resolv.conf:
nameserver %any # by strongSwan, from C=UK, ST= ...

Does anyone know what is causing this? I am assuming it is a mis-configuration or bug.

The IPsec gateway is a:
Linux strongSwan U4.2.11/K2.6.28-11-generic

The IPsec client is a:
Linux strongSwan U4.3.3/K2.6.28

Regards,
Dimitrios Siganos
Re: [strongSwan] [solved] IKEv2
Hector Akamine wrote:
> to summarize:
>
>                  (WAN)          (LAN)
> PC2(CF-W8) - NAT router   PC1(CF-W7)
> 192.168.0.14   192.168.0.21   192.168.1.1   192.168.1.11
>
> - "ipsec up host-host" must be done from the LAN side (CF-W7), in order to
> create the NAT mapping used for UDP encapsulated IPsec packets.

Hi Hector,

why not set up a port forwarding rule on the NAT router so that packets arriving on the WAN port destined for 192.168.0.21 UDP port 500 or 4500 are mapped to 192.168.1.11.

> - As an (obvious?) effect, I am able to access CF-W7 from
> CF-W8 (that is, from WAN to LAN), since NAT keepalives are periodically sent
> from CF-W7 to CF-W8 to "keep alive" the port mapping used by IPsec packets.
> If I were not using the VPN, I would normally need to set up the router for
> accessing a host in the LAN from the WAN.

That is the reason why you set up a VPN, isn't it? You have a virtual private network that connects CF-W8 and CF-W7. So it goes without saying that you can access CF-W7 from CF-W8.

>
>>> VPN passthrough is not needed, IKEv2 will use UDP encapsulation if a NAT
>>> device is detected between your hosts.
>> If I remember correctly I once had trouble with a router that explicitly
>> blocked traffic on UDP ports 500 and 4500 if VPN passthrough was disabled.
>
> I do need to enable VPN passthrough at least in this particular router,
> if VPN passthrough is disabled, the router blocks UDP traffic and the
> VPN can't be set up.

Thank you for this information. I put the following on record:

VPN passthrough is counterproductive and does more harm than good.

-Daniel