[strongSwan] Issue with network unreachable.

2016-10-18 Thread Dees
hi All,
We are having this issue with route addition. eth3 is a loopback interface. Any
clues why?

Oct 18 14:26:46 ubuntu-28 charon: 07[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] getting SPI for reqid {1}
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] got SPI cdde868a for reqid {1}
Oct 18 14:26:46 ubuntu-28 charon: 07[CFG] selecting traffic selectors for us:
Oct 18 14:26:46 ubuntu-28 charon: 07[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Oct 18 14:26:46 ubuntu-28 charon: 07[CFG] selecting traffic selectors for other:
Oct 18 14:26:46 ubuntu-28 charon: 07[CFG]  config: 100.120.120.1/32, received: 0.0.0.0/0 => match: 100.120.120.1/32
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] adding SAD entry with SPI cdde868a and reqid {1}  (mark 0/0x)
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL]   using encryption algorithm AES_CBC with key size 128
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL]   using replay window of 32 packets
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] adding SAD entry with SPI c832aca7 and reqid {1}  (mark 0/0x)
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL]   using encryption algorithm AES_CBC with key size 128
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL]   using replay window of 32 packets
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] adding policy 0.0.0.0/0 === 100.120.120.1/32 out  (mark 0/0x)
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] adding policy 100.120.120.1/32 === 0.0.0.0/0 in  (mark 0/0x)
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] adding policy 100.120.120.1/32 === 0.0.0.0/0 fwd  (mark 0/0x)
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] getting a local address in traffic selector 0.0.0.0/0
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] using host %any
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] using 10.0.10.1 as nexthop to reach 173.38.168.235
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] 128.107.252.138 is on interface eth3
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] installing route: 100.120.120.1/32 via 10.0.10.1 src %any dev eth3
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] getting iface index for eth3
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] received netlink error: Network is unreachable (101)
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] unable to install source route for %any
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] policy 0.0.0.0/0 === 100.120.120.1/32 out  (mark 0/0x) already exists, increasing refcount
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] updating policy 0.0.0.0/0 === 100.120.120.1/32 out  (mark 0/0x)
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] policy 100.120.120.1/32 === 0.0.0.0/0 in  (mark 0/0x) already exists, increasing refcount
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] updating policy 100.120.120.1/32 === 0.0.0.0/0 in  (mark 0/0x)
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] policy 100.120.120.1/32 === 0.0.0.0/0 fwd  (mark 0/0x) already exists, increasing refcount
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] updating policy 100.120.120.1/32 === 0.0.0.0/0 fwd  (mark 0/0x)
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] getting a local address in traffic selector 0.0.0.0/0
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] using host %any
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] using 10.0.10.1 as nexthop to reach 173.38.168.235
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] 128.107.252.138 is on interface eth3
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] installing route: 100.120.120.1/32 via 10.0.10.1 src %any dev eth3
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] getting iface index for eth3
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] received netlink error: Network is unreachable (101)
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] unable to install source route for %any
Oct 18 14:26:46 ubuntu-28 charon: 07[IKE] CHILD_SA certs-only{1} established with SPIs cdde868a_i c832aca7_o and TS 0.0.0.0/0 === 100.120.120.1/32
^C
root@ubuntu-28:/etc# show ip address
The program 'show' is currently not installed. You can install it by typing:
apt-get install nmh
root@ubuntu-28:/etc# ip addres show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether b8:38:61:7c:24:9e brd ff:ff:ff:ff:ff:ff
    inet 10.0.10.28/24 brd 10.0.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2001:420:81:ff99:ba38:61ff:fe7c:249e/64 scope global dynamic
       valid_lft 2591962sec preferred_lft 604762sec
    inet6
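The log above shows charon taking the route's device from the interface that holds the local IKE address (128.107.252.138 is on eth3) and the nexthop from a separate lookup (10.0.10.1, which according to the `ip addr` output sits in eth0's 10.0.10.0/24). The kernel rejects a route whose gateway is not on-link via the named device, and that is what netlink error 101 (ENETUNREACH) reports. The script below is an added example, not strongSwan code: it pairs each `installing route` line with the netlink error that follows it and checks which interface actually carries the gateway. The log lines are the ones from the post; the `ip addr` sample is constructed from it, and eth3's address 128.107.252.138/32 is an assumption because the posted output is cut off before eth3.

```python
"""Correlate charon [KNL] route-install failures with the host's addresses.

Added example, not strongSwan code.  The log lines are taken from the post;
the `ip addr` sample is constructed from it (eth3's /32 is an assumption).
"""
import ipaddress
import re

# Constructed sample: the relevant [KNL] lines from the post, one per line.
CHARON_LOG = """\
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] using 10.0.10.1 as nexthop to reach 173.38.168.235
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] 128.107.252.138 is on interface eth3
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] installing route: 100.120.120.1/32 via 10.0.10.1 src %any dev eth3
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] getting iface index for eth3
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] received netlink error: Network is unreachable (101)
Oct 18 14:26:46 ubuntu-28 charon: 07[KNL] unable to install source route for %any
"""

# Constructed sample of `ip -4 addr show`.  lo and eth0 follow the post; the
# eth3 entry is an ASSUMPTION (the posted output is cut off before it).
IP_ADDR = """\
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default
    inet 127.0.0.1/8 scope host lo
2: eth0: mtu 1500 qdisc mq state UP group default qlen 1000
    inet 10.0.10.28/24 brd 10.0.10.255 scope global eth0
3: eth3: mtu 65536 qdisc noqueue state UNKNOWN group default
    inet 128.107.252.138/32 scope global eth3
"""

ROUTE_RE = re.compile(r"\[KNL\] installing route: (\S+) via (\S+) src (\S+) dev (\S+)")
ERROR_RE = re.compile(r"\[KNL\] received netlink error: (.+?) \((\d+)\)")
IFACE_RE = re.compile(r"^\d+: ([^:]+):")
INET_RE = re.compile(r"^\s+inet (\S+)")


def parse_ip_addr(text):
    """Map interface name -> list of IPv4Interface from `ip -4 addr show` output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            ifaces[current].append(ipaddress.ip_interface(m.group(1)))
    return ifaces


def iface_for(addr, ifaces):
    """Interface whose configured prefix contains addr, or None (also for '%any')."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for name, prefixes in ifaces.items():
        if any(ip in p.network for p in prefixes):
            return name
    return None


def diagnose(log, ip_addr_text):
    """Pair each 'installing route' line with the netlink error that follows it
    and record which interface really carries the route's gateway.  A gateway
    that is not on-link via the route's device is what the kernel rejects with
    ENETUNREACH (101)."""
    ifaces = parse_ip_addr(ip_addr_text)
    findings, pending = [], None
    for line in log.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            pending = dict(zip(("dst", "via", "src", "dev"), m.groups()))
            continue
        m = ERROR_RE.search(line)
        if m and pending is not None:
            pending["error"], pending["errno"] = m.group(1), int(m.group(2))
            pending["gateway_iface"] = iface_for(pending["via"], ifaces)
            pending["gateway_on_dev"] = pending["gateway_iface"] == pending["dev"]
            findings.append(pending)
            pending = None
    return findings


def explain(finding):
    """One-line human summary of a finding."""
    if finding["gateway_on_dev"]:
        return "route %(dst)s via %(via)s dev %(dev)s failed: %(error)s" % finding
    return ("route %(dst)s via %(via)s dev %(dev)s failed: %(error)s; "
            "gateway %(via)s is reachable via %(gateway_iface)s, not %(dev)s" % finding)


if __name__ == "__main__":
    for f in diagnose(CHARON_LOG, IP_ADDR):
        print(explain(f))
```

On the constructed input it reports the eth3 route whose gateway 10.0.10.1 is found on eth0 instead. On a live host, feed it the charon log and the output of `ip -4 addr show`; a finding with `gateway_on_dev` false is the mismatch to chase, a finding with it true means the failure has some other cause.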

Re: [strongSwan] Diagram

2016-10-18 Thread Noel Kuntze
On 18.10.2016 22:11, Brian O'Connor wrote:
> 
> So, for forwarded traffic (as distinct from locally source packets), I 
> understand the packet to
> flow through the mangle and nat postrouting chains twice, and the other 
> iptables
> output chains for raw, mangle, nat and filter tables only once after 
> encryption.

That depends on where the packet originally came from. If it comes in an
ESP/NAT-T packet, it circulates through the INPUT PATH two times (once as an
ESP/NAT-T packet and once as an unprotected packet).
If it is an unprotected packet, it only goes through the INPUT path once (as an
unprotected packet).


> On the first pass through the mangle and nat postrouting chains, iptables 
> rules would
> operate on the unencrypted payload packet and on the second pass on the IP 
> headers of
> the encrypted IPsec packet.

If the packet matches an IPsec policy with OUTPUT flag set, then yes.

We need to strongly differentiate in this discussion where the packet actually
comes from and where it goes to (if it was/is in an ESP/NAT-T/AH packet, if
there is a matching INPUT policy for it in the SAD and SPD, and analogously if
it's a packet that is going to be protected with IPsec, that is, if there's a
matching policy in the SPD for it with the correct mode).

A packet that goes through netfilter *4* times would be a packet that is 
received as an ESP/NAT-T/AH packet,
has a matching SA and SP, is allowed by your netfilter rules, is locally 
decapsulated, routed,
encapsulated and allowed again and then sent to another host again.

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658




signature.asc
Description: OpenPGP digital signature
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Diagram

2016-10-18 Thread Brian O'Connor
Noel,

I note your last message clearly emphasised that packets from a local process 
are processed twice
via the output path of the graphic.

So, for forwarded traffic (as distinct from locally sourced packets), I
understand the packet to flow through the mangle and nat postrouting chains
twice, and the other iptables output chains for raw, mangle, nat and filter
tables only once after encryption.

On the first pass through the mangle and nat postrouting chains, iptables rules 
would
operate on the unencrypted payload packet and on the second pass on the IP 
headers of
the encrypted IPsec packet.

Am I headed in the right direction please?

Brian

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Diagram

2016-10-18 Thread Noel Kuntze
On 18.10.2016 21:43, Brian O'Connor wrote:
> I think I have the decryption process clear but was not clear on the iptables 
> processing for
> encrypted packets.  From what you said, it looks like the NAT-T header is 
> added after the
> iptables processing of an outbound encrypted packet, on the second pass by the
> outbound XFRM lookup. Is my understanding correct?

ESP encapsulation and NAT-T are applied in a single step when the packet is
processed in xfrm encode.

Generally, a packet that is sent *from a local process* and is to be protected
with IPsec makes two passes through the OUTPUT PATH part of the graphic:

1) When it is sent by the process and passed through the chains and other parts
   of Netfilter in the path, until it is caught by xfrm lookup and is fed into
   xfrm encode.
2) When it is passed from xfrm encode into raw OUTPUT. When that happens, the
   original packet that was sent by the kernel is transformed by xfrm into an
   ESP or NAT-T packet (that is simply ESP in a UDP shell; nothing fancy about
   that). It then traverses the Netfilter chains and other parts of Netfilter
   as an ESP or UDP packet until it reaches egress (qdisc).


-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658




signature.asc
Description: OpenPGP digital signature
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Diagram

2016-10-18 Thread Brian O'Connor
Thank you, Noel.

I am trying to understand how the inner and outer IP headers for tunneled IPsec 
packets
are processed by iptables, to help troubleshoot an anomalous situation I found.

I think I have the decryption process clear but was not clear on the iptables 
processing for
encrypted packets.  From what you said, it looks like the NAT-T header is added 
after the
iptables processing of an outbound encrypted packet, on the second pass by the
outbound XFRM lookup. Is my understanding correct?

TIA,
Brian

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Diagram

2016-10-18 Thread Noel Kuntze
On 18.10.2016 21:27, Noel Kuntze wrote:
> Hello Brian,
>
> On 18.10.2016 21:05, Brian O'Connor wrote:
>
>>   1.  Where in the diagram is NAT-T de-capsulation performed?
> XFRM lookup.
Err, actually xfrm decode.
>>
>>   2.  Where in the diagram is NAT-T encapsulation performed?
> XFRM lookup.
Actually xfrm encode.
>>
>>   3.  Does the NAT-T UDP header have to be removed so the iptables IPsec
>>   policy module can operate?
> Nope. This question sounds suspiciously like you want to check if an ESP/NAT-T
> packet has a matching policy.
> XFRM does that for you. IPsec policies also work the other way around. They
> don't just allow protected traffic to or from an IP address, they also
> implicitly drop unprotected matching datagrams. The kernel will and does also
> efficiently drop spoofed ESP packets. The system design is sound. There's no
> reason to try to protect the kernel from invalid ESP packets.
>
>>
>>   4.  Traffic from the topmost "local process" block flows to a "routing
>>   decision" block.  Is this to prevent a local IPsec connection (to loopback
>>   address, possibly) from being encrypted?
> No, it's just there to fill in required routing information into the skb in
> the kernel.
> XFRM is disabled on loopback via a sysctl value. You can enable it, if you
> want, but that makes no sense and there's no need for that.
>
>>
>>   [1]  http://inai.de/images/nf-packet-flow.png
>>
>> TIA,
>> Brian
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658




signature.asc
Description: OpenPGP digital signature
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Diagram

2016-10-18 Thread Noel Kuntze
Hello Brian,

On 18.10.2016 21:05, Brian O'Connor wrote:
 
>   1.  Where in the diagram is NAT-T de-capsulation performed?
XFRM lookup.
> 
>   2.  Where in the diagram is NAT-T encapsulation performed?
XFRM lookup.
> 
>   3.  Does the NAT-T UDP header have to be removed so the iptables IPsec 
> policy module can operate?
Nope. This question sounds suspiciously like you want to check if an ESP/NAT-T
packet has a matching policy.
XFRM does that for you. IPsec policies also work the other way around. They
don't just allow protected traffic to or from an IP address, they also
implicitly drop unprotected matching datagrams. The kernel will and does also
efficiently drop spoofed ESP packets. The system design is sound. There's no
reason to try to protect the kernel from invalid ESP packets.


> 
>   4.  Traffic from the topmost "local process" block flows to a "routing 
> decision" block.  Is this to prevent
>   a local IPsec connection (to loopback address, possibly ) from being 
> encrypted?
No, it's just there to fill in required routing information into the skb in the 
kernel.
XFRM is disabled on loopback via a sysctl value. You can enable it, if you 
want, but that makes no sense
and there's no need for that.

> 
>   [1]  http://inai.de/images/nf-packet-flow.png
> 
> TIA,
> Brian

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658




signature.asc
Description: OpenPGP digital signature
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
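To make concrete what xfrm encode emits and what the outer-header pass of netfilter sees (the "ESP in a UDP shell" of the 21:43 reply, and question 3 above, where the UDP header does not have to be removed for the policy match because that check happens in xfrm decode and `-m policy --dir in --pol ipsec` matches on the decapsulated pass), here is an added example, not strongSwan or kernel code. It builds and classifies the things that can arrive on UDP 4500 under RFC 3948: ESP straight after the UDP header, IKE behind the 4-byte zero non-ESP marker, the one-byte 0xFF NAT keepalive, and, for comparison, plain protocol-50 ESP as emitted without NAT-T. Addresses, SPI, sequence number and payload bytes are constructed.

```python
"""Build and classify the datagrams xfrm encode emits and NAT-T carries.

Added example, not strongSwan or kernel code.  Addresses, SPIs, sequence
numbers and payloads are constructed.
"""
import ipaddress
import struct

PROTO_ESP, PROTO_UDP = 50, 17
IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on 4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-byte NAT keepalive

SRC = ipaddress.IPv4Address("192.0.2.1").packed       # constructed
DST = ipaddress.IPv4Address("198.51.100.2").packed    # constructed
SPI, SEQ = 0x0A0B0C0D, 7                              # constructed


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum; 0 when run over a header that includes its own checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto, payload, src=SRC, dst=DST):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_udp(sport, dport, data):
    # UDP checksum 0 = not computed (permitted for IPv4)
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp_header(spi, seq):
    return struct.pack("!II", spi, seq)   # SPI and sequence number; everything after is ciphertext


# --- constructed sample packets ---------------------------------------------
def esp_plain():       # what xfrm encode emits without NAT-T: IP protocol 50
    return build_ipv4(PROTO_ESP, esp_header(SPI, SEQ) + b"\x00" * 24)

def esp_natt():        # the same ESP inside the UDP 4500 "shell"
    return build_ipv4(PROTO_UDP, build_udp(NATT_PORT, NATT_PORT, esp_header(SPI, SEQ) + b"\x00" * 24))

def ike_natt():        # IKE on 4500: non-ESP marker, then the (here zeroed) IKE header
    return build_ipv4(PROTO_UDP, build_udp(NATT_PORT, NATT_PORT, NON_ESP_MARKER + b"\x00" * 28))

def keepalive():       # NAT keepalive: a single 0xFF byte
    return build_ipv4(PROTO_UDP, build_udp(NATT_PORT, NATT_PORT, NAT_KEEPALIVE))


def classify(packet):
    """Classify one IPv4 datagram from its outer headers only, i.e. as the
    post-encode pass (outbound) or the pre-decode pass (inbound) sees it."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    info = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)), "proto": proto}
    body = packet[ihl:total_len]
    if proto == PROTO_ESP:
        info["kind"] = "esp"
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
    elif proto == PROTO_UDP:
        sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        data = body[8:ulen]
        info.update(sport=sport, dport=dport)
        if IKE_PORT in (sport, dport):
            info["kind"] = "ike"
        elif NATT_PORT in (sport, dport):
            if data == NAT_KEEPALIVE:
                info["kind"] = "nat-keepalive"
            elif data[:4] == NON_ESP_MARKER:
                info["kind"] = "ike-natt"
            else:                       # RFC 3948: a non-zero first word is the ESP SPI
                info["kind"] = "esp-in-udp"
                info["spi"], info["seq"] = struct.unpack("!II", data[:8])
        else:
            info["kind"] = "udp"
    else:
        info["kind"] = "other"
    return info


if __name__ == "__main__":
    for name, pkt in (("ESP", esp_plain()), ("ESP/NAT-T", esp_natt()),
                      ("IKE/NAT-T", ike_natt()), ("keepalive", keepalive())):
        print(name, classify(pkt))
```

Nothing in `classify` can tell you whether the ESP has a matching SA or policy; only the SPI and the outer addresses are visible before xfrm decode, which is why a netfilter rule on this pass can only admit ESP/UDP 4500 by address, and the "does this flow belong to a policy" decision is left to xfrm and, on the inner pass, to `-m policy`.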

[strongSwan] Diagram

2016-10-18 Thread Brian O'Connor
Hello,

The commonly quoted packet flow diagram at [1] does not show where NAT-T is 
implemented for
IPsec MOBIKE.  Questions are:

  1.  Where in the diagram is NAT-T de-capsulation performed?

  2.  Where in the diagram is NAT-T encapsulation performed?

  3.  Does the NAT-T UDP header have to be removed so the iptables IPsec policy 
module can operate?

  4.  Traffic from the topmost "local process" block flows to a "routing
decision" block.  Is this to prevent a local IPsec connection (to loopback
address, possibly) from being encrypted?

  [1]  http://inai.de/images/nf-packet-flow.png

TIA,
Brian


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Error while running Charon

2016-10-18 Thread Thomas Egerer

Rajeev,

I guess the '--enable-monolithic' config option builds charon with all
plugins compiled into one binary blob. Try and remove this option. Then
remove the load_modular option from your strongswan.conf, or place the
configuration snippets in your file system as described in [1]. Then of
course, you would have to remove the load keyword from your strongswan.conf.

Cheers,
Thomas

[1] https://wiki.strongswan.org/projects/strongswan/wiki/Strongswandirectory

On 10/18/2016 04:37 PM, rajeev nohria wrote:


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] Error while running Charon

2016-10-18 Thread rajeev nohria
Noel,

I am still having the issue after going through many hit-and-trial methods to
fix this,

root@Xilinx-ZCU102-2016_1:~# charon
00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.4.0, aarch64)
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet
dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has
unmet dependency: HASHER:HASH_SHA1
00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon'
has unmet dependency: HASHER:HASH_SHA1
00[LIB] failed to load 3 critical plugin features
00[DMN] initialization failed - aborting charon


Makefile:

CONF_OPTS += --disable-gmp --enable-monolithic --enable-openssl \
             --enable-pkcs11 --enable-vici --enable-x509 --enable-nonce

strongswan.conf:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

swanctl {
    load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

charon {
    load_modular = yes
    load = sha1 pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default updown vici

    plugins {
        include strongswan.d/charon/*.conf
    }

    # loggers are read from charon.filelog / charon.syslog; a filelog block
    # outside the charon section is ignored, so it lives in here
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # prepend connection name, simplifies grepping
            ike_name = yes
            # overwrite existing files
            append = no
            # increase default loglevel for all daemon subsystems
            default = 10
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 4
            cfg = 4
            asn = 4
            app = 4
            tls = 4
            esp = 4
            chd = 4
            knl = 0
        }
    }
}


On Sat, Oct 8, 2016 at 7:41 PM, Noel Kuntze wrote:

> Hello Rajeev,
>
>> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.0, Linux 4.4.0, aarch64)
>> 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
>> 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
>> 00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
>> 00[LIB] failed to load 3 critical plugin features
>> 00[DMN] initialization failed - aborting charon
>
> You need the sha1 or the openssl plugin, as well as the nonce plugin.
> Please use google[1] next time.
>
> [1] https://encrypted.google.com/search?hl=en&q=site%3Awiki.strongswan.org%20%22libcharon%20in%20critical%20plugin%20%27charon%27%20has%20unmet%20dependency%3A%20NONCE_GEN%22
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

[strongSwan] packet loss with make_before_break flag

2016-10-18 Thread pradeep kumar nalla
Hi,

I was using the make-before-break feature of strongSwan to avoid packet
loss in one of our implementations.

We have IPsec offload hardware that forwards packets encrypted/decrypted
using IPsec policies and SAs.
These SAs and policies are configured by intercepting the strongSwan
messages to the kernel (via PF_KEY socket).
There used to be huge packet loss during rekey because the IKE and CHILD_SAs
were torn down before the new SAs were installed.

The make_before_break feature reduced the packet loss significantly but did
not avoid it. I saw the following sequence of PF_KEY messages:
SADB_ADD (new child SA add), SADB_X_SPDUPDATE (update the policy to the new
child SA) and SADB_DELETE (delete old child SA).

The initiator, after establishing the new CHILD_SA, sends the delete
CHILD_SA (old) message to the peer and receives the delete CHILD_SA request
from the peer. The initiator, even after deleting its CHILD_SA, sees some
in-flight packets from the peer encrypted using the old CHILD_SA and thereby
drops them.

How are the initiator and responder synchronized in strongSwan? Will "make
before break" completely avoid the packet loss?

Thanks
Pradeep.
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
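What make-before-break can and cannot synchronize is easier to see on a timeline. The model below is an added example, not strongSwan code, and its assumptions are: one ESP packet per tick in each direction, a fixed one-way delay, a responder B that installs the new inbound SA when it answers CREATE_CHILD_SA, switches its outbound SA and drops its old inbound SA only when the initiator's DELETE arrives, and an initiator A that performs the SADB_ADD / SADB_X_SPDUPDATE sequence from the post at `switch_at` and issues the SADB_DELETE for the old inbound SA `old_inbound_grace` ticks later. A grace of 0 is the posted sequence and reproduces the drops; a grace of one round trip (until B has seen the DELETE and its last old-SA packets have landed) removes them.

```python
"""Timeline model of a CHILD_SA rekey with in-flight ESP packets.

Added example, not strongSwan code.  Delays, tick counts and the SA-removal
strategies are assumptions chosen to illustrate the failure mode in the post.
"""

OLD_SPI, NEW_SPI = 0x11111111, 0x22222222   # constructed


class Peer:
    """One IPsec endpoint: inbound SAD (SPIs it will accept) and the outbound SPI in use."""

    def __init__(self, name):
        self.name = name
        self.inbound = {OLD_SPI}
        self.outbound = OLD_SPI
        self.accepted = 0
        self.dropped = []          # (arrival_tick, spi) of packets matching no inbound SA

    def receive(self, tick, spi):
        if spi in self.inbound:
            self.accepted += 1
        else:
            self.dropped.append((tick, spi))


def simulate(one_way_delay, old_inbound_grace, switch_at=20, send_until=40):
    """Initiator A rekeys at `switch_at`; responder B learns of it one_way_delay later.

    At switch_at A does what the post's PF_KEY trace shows: SADB_ADD of the new
    inbound SA, SADB_X_SPDUPDATE of the policy to the new SA, and an IKE DELETE for
    the old CHILD_SA.  A removes the old *inbound* SA (SADB_DELETE) old_inbound_grace
    ticks after that; 0 reproduces the posted sequence.  B is assumed to have
    installed the new inbound SA when it answered CREATE_CHILD_SA, and to switch its
    outbound SA and drop the old inbound one only when the DELETE arrives.
    Both sides send one ESP packet per tick.  Returns (A, B).
    """
    a, b = Peer("A"), Peer("B")
    in_flight = []   # (arrival_tick, destination, payload); payload is an SPI or "DELETE"
    for tick in range(send_until + one_way_delay + 1):
        # control plane
        if tick == switch_at - one_way_delay:
            b.inbound.add(NEW_SPI)                         # B answered CREATE_CHILD_SA
        if tick == switch_at:
            a.inbound.add(NEW_SPI)                         # SADB_ADD
            a.outbound = NEW_SPI                           # SADB_X_SPDUPDATE
            in_flight.append((tick + one_way_delay, b, "DELETE"))
        if tick == switch_at + old_inbound_grace:
            a.inbound.discard(OLD_SPI)                     # SADB_DELETE
        # deliveries due this tick
        due = [e for e in in_flight if e[0] == tick]
        in_flight = [e for e in in_flight if e[0] != tick]
        for _, dst, payload in due:
            if payload == "DELETE":
                dst.outbound = NEW_SPI                     # B switches only now
                dst.inbound.discard(OLD_SPI)
            else:
                dst.receive(tick, payload)
        # data plane: one ESP packet per tick in each direction, stamped with
        # the sender's current outbound SPI
        if tick < send_until:
            in_flight.append((tick + one_way_delay, a, b.outbound))
            in_flight.append((tick + one_way_delay, b, a.outbound))
    return a, b


def loss_free_grace(one_way_delay):
    """Ticks the old inbound SA must survive after the switch: one round trip,
    i.e. until B has seen the DELETE and its last old-SA packets have landed."""
    return 2 * one_way_delay


if __name__ == "__main__":
    for grace in (0, 5, 10):
        a, b = simulate(one_way_delay=5, old_inbound_grace=grace)
        print("grace=%2d  A dropped %2d  B dropped %2d" % (grace, len(a.dropped), len(b.dropped)))
```

B never drops anything in this model because its old inbound SA goes away only when the DELETE arrives, which is after every old-SA packet from A has landed; A drops exactly the packets B sent with the old SPI during the round trip before it learned of the switch. Waiting for the peer's DELETE response before removing the old inbound SA gives precisely that round-trip grace. With the SAD living in offload hardware programmed from intercepted PF_KEY messages, as in the post, the moment the SADB_DELETE is applied to the hardware is the moment that matters.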