Re: [strongSwan] StrongSwan w/ multiple local subnets.
On 8/16/2020 10:16 PM, TomK wrote:
> On 8/11/2020 1:16 AM, TomK wrote:
>> On 8/9/2020 8:10 PM, TomK wrote:
>>> On 6/30/2020 4:41 AM, Tobias Brunner wrote:
>>>> [...]
>>>
>>> [...]
>>>
>>> I'm effectively running into this error:
>>>
>>>     Aug 9 17:04:06 OWRT01 : 14[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
>>>     Aug 9 17:04:06 OWRT01 : 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>>>     Aug 9 17:04:06 OWRT01 : 14[NET] sending packet: from 100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
>>>     Aug 9 17:04:06 OWRT01 : 04[NET] error writing to socket: Network unreachable
>>>     Aug 9 17:04:10 OWRT01 : 14[IKE] retransmit 1 of request with message ID 0
>>>
>>> [...]
>>
>> Made it past the above issue. Had to set:
>>
>>     left=192.168.0.12
>>     type=passthrough
>>
>> since this is a device behind the main router. My bad!
>>
>> Now I'm receiving a reply back:
>>
>>     root@DD-WRT-INTERNET-ASUS:~# tcpdump -n | grep -Ei "123.123.123.123"
>>     tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>     listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>>     21:42:10.410556 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
>>     21:42:10.414404 IP 123.123.123.123.500 > 192.168.0.12.500: isakmp: parent_sa ikev2_init[R]
>>
>> However the result is this error:
>>
>>     received NO_PROPOSAL_CHOSEN notify error
>>
>> I've gone and searched the above error but nothing worked so far. Tried different settings for ike= and esp= but no luck either. Perhaps I'm missing something here a trained eye won't? Any help is appreciated.
>>
>> - Full session:
>>
>>     [...]
[strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)
Hey All,

I'm interested in finding out how to import routes from StrongSwan IPSec installed XFRM tables (220) into Quagga (OSPF, 254)?

The XFRM policy based rules are saved in table 220 while Quagga (OSPF) saves the routes in table 254.

I have an IPSec StrongSwan on-prem GW paired up with one of the Cloud providers. The connection is established fine however I can't ping the remote VLANs from any other device on the on-prem network except from the on-prem GW itself.

I would like to make OSPF aware of table 220 so it can import the rules. Or at least find another way to export the rules in table 220 and into table 254. Either import from or export to would work but I haven't been able to find articles on the web addressing this issue.

Is this possible?

--
Thx,
TK.
Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)
Hey All,

I've configured the VTIs and routing is now fully working between the 9 VLANs.

XFRM, as far as I can tell, isn't as well documented. I might try this later on to see if OpenWRT supports it.

Thx,

On 10/25/2020 9:48 PM, TomK wrote:
> Hey Noel,
>
> I have four VLANs on the Azure side. I need all these VLANs visible to my on-prem VLANs, 5 on-prem VLANs in total. The on-prem GW can see those Azure VLANs. The mapping works well.
>
> However, the on-prem StrongSwan GW running on my Raspberry Pi 2 (OpenWRT) isn't redistributing the Azure VLANs at the moment since they are sitting in table 220 where OSPF can't see them.
>
> From the Azure side, I can ping the on-prem GW just fine, including the ability to ssh to the on-prem OpenWRT GW from Azure. However, I can't ping any of the other on-prem VLANs from the Azure side, of course. Not until OSPF sees the Azure VLANs I'm thinking.
>
> This is mostly a POC so I have plenty of room to experiment. This is the goal.
>
> Cheers,
> TK
>
> On 10/25/2020 8:51 PM, Noel Kuntze wrote:
>> [...]

--
Thx,
TK.
Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)
That's certainly an option I've reviewed. Whatever the option, would like to keep customization to nothing, if possible.

Cheers,
TK

On 10/25/2020 3:03 PM, Volodymyr Litovka wrote:
> Hi,
>
> if it's an option, you can consider Bird, which can import from specified table - https://bird.network.cz/?get_doc=20=bird-6.html#ss6.6 :
>
>     kernel table <number>
>         Select which kernel table should this particular instance of the Kernel protocol work with. Available only on systems supporting multiple routing tables.
>
> On 25.10.2020 20:05, TomK wrote:
>> [...]
>
> --
> Volodymyr Litovka
> "Vision without Execution is Hallucination." -- Thomas Edison

--
Thx,
TK.
Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)
Hey Noel,

I have four VLANs on the Azure side. I need all these VLANs visible to my on-prem VLANs, 5 on-prem VLANs in total. The on-prem GW can see those Azure VLANs. The mapping works well.

However, the on-prem StrongSwan GW running on my Raspberry Pi 2 (OpenWRT) isn't redistributing the Azure VLANs at the moment since they are sitting in table 220 where OSPF can't see them.

From the Azure side, I can ping the on-prem GW just fine, including the ability to ssh to the on-prem OpenWRT GW from Azure. However, I can't ping any of the other on-prem VLANs from the Azure side, of course. Not until OSPF sees the Azure VLANs I'm thinking.

This is mostly a POC so I have plenty of room to experiment. This is the goal.

Cheers,
TK

On 10/25/2020 8:51 PM, Noel Kuntze wrote:
> Hello Tom,
>
> That is the right wiki page. What I forgot to mention though is that with interfaces, you can then talk your routing protocol over it. It does not give you information about the subnets though for which IPsec policies are installed.
>
> What is the goal of this in the end?
>
> Kind regards
> Noel
>
> On 26.10.20 at 01:33, TomK wrote:
>> [...]

--
Thx,
TK.
Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)
Hey Noel,

Thanks. That would certainly make it automatic with either BIRD or Quagga. I'll have a look at the pages again to see what it takes to create these.

Thinking this is still the right page for VTI and XFRM information?
https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

Cheers,
TK

On 10/25/2020 4:59 PM, Noel Kuntze wrote:
> Hi Tom,
>
> The routes in table 220 are only used to tell the kernel which source IP to use for sending packets to a remote network. They aren't part of XFRM and only tangentially pertain IPsec. Also, routes are only added if they are required, so those routes in table 220 are not necessarily complete.
>
> A better solution for your use case would be to use route based IPsec by using dedicated VTIs or XFRM interfaces and running OSPF/BGP/whatever over those virtual links.
>
> Kind regards
> Noel
>
> On 25.10.20 at 19:05, TomK wrote:
>> [...]

--
Thx,
TK.
Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)
On 10/26/2020 2:10 AM, Michael Schwartzkopff wrote:
> On 26.10.20 05:47, TomK wrote:
>> Hey All,
>>
>> I've configured the VTIs and routing is now fully working between the 9 VLANs.
>>
>> XFRM, as far as I can tell, isn't as well documented. I might try this later on to see if OpenWRT supports it.
>>
>> Thx,
>>
>> On 10/25/2020 9:48 PM, TomK wrote:
>>> [...]
>
> Hi,
>
> I wrote two blog articles explaining how to do route based VPN with dynamic routing.
>
> https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html
> https://blog.sys4.de/routing-based-vpn-with-strongswan-ii-de.html
>
> Kind regards,

I'll check it out. Thank you.

--
Thx,
TK.
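The route-based setup Noel recommends in this thread (a dedicated VTI with the IGP running across it, so the remote prefixes end up in the main table instead of table 220), as an added example that is not part of the list discussion and not the strongSwan project's own code. It is a POSIX shell script that emits the three pieces a practitioner has to put in place: the ipsec.conf keys that change for a marked VTI, the `ip`/`sysctl` commands that create the interface, and a Quagga ospfd.conf stanza. The WAN address 100.100.100.100 and peer 123.123.123.123 come from the thread; the conn name cloud-vti, interface vti0, mark/key 42 and the 10.255.0.0/30 transit prefix are assumptions, and the peer must be configured with the matching transit address.

```shell
#!/bin/sh
# Added example (not from the thread): route-based IPsec with a marked VTI and OSPF.
# Assumptions (constructed): transit /30 10.255.0.1 <-> 10.255.0.2, mark/key 42, vti0.
set -eu

LOCAL_WAN="${LOCAL_WAN:-100.100.100.100}"
PEER_WAN="${PEER_WAN:-123.123.123.123}"
VTI_IF="${VTI_IF:-vti0}"
VTI_KEY="${VTI_KEY:-42}"
VTI_LOCAL="${VTI_LOCAL:-10.255.0.1/30}"
VTI_NET="${VTI_NET:-10.255.0.0/30}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# ipsec.conf keys that change for VTI use (authentication and proposal keys of the
# existing conn are kept as they are). 0.0.0.0/0 selectors on both sides mean every
# packet routed into the VTI matches the policy; the mark binds the policy to vti0.
ipsec_conn() {
    cat <<EOF
conn cloud-vti
    left=$LOCAL_WAN
    right=$PEER_WAN
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=$VTI_KEY
    auto=start
EOF
}

# strongswan.conf: stop charon from installing its own routes in table 220, which
# would otherwise compete with the routes the IGP learns over the VTI.
strongswan_conf() {
    cat <<EOF
charon {
    install_routes = no
}
EOF
}

# Commands that create the VTI and turn off policy lookups on it, so ordinary
# routes (static or OSPF-learned) decide what enters the tunnel.
vti_commands() {
    cat <<EOF
ip link add $VTI_IF type vti local $LOCAL_WAN remote $PEER_WAN key $VTI_KEY
ip addr add $VTI_LOCAL dev $VTI_IF
ip link set $VTI_IF up
sysctl -w net.ipv4.conf.$VTI_IF.disable_policy=1
sysctl -w net.ipv4.conf.$VTI_IF.rp_filter=0
EOF
}

# Quagga ospfd.conf fragment: adjacency over the transit /30 plus the on-prem LAN,
# so prefixes learned across vti0 land in the main table (254) that the rest of the
# on-prem network already uses via its default gateway.
ospfd_fragment() {
    cat <<EOF
interface $VTI_IF
 ip ospf network point-to-point
!
router ospf
 network $VTI_NET area 0
 network $LAN_NET area 0
!
EOF
}

# Applies the interface commands (needs root and a kernel with VTI support).
apply() {
    vti_commands | sh -e
}

# Only touch the kernel when explicitly asked; otherwise print the fragments.
if [ "${APPLY_VTI:-0}" = "1" ]; then
    apply
else
    ipsec_conn; echo; strongswan_conf; echo; vti_commands; echo; ospfd_fragment
fi
```

Run it without arguments to review the generated fragments, then `APPLY_VTI=1 ./vti-setup.sh` on the gateway to create the interface; the conn and ospfd fragments are pasted into ipsec.conf and ospfd.conf by hand. The `disable_policy` and `rp_filter` settings are the two knobs that most often bite on this kind of setup: the first lets decrypted packets arriving on vti0 skip the policy check, the second stops the kernel from discarding them because the reverse path does not point at the VTI.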
Re: [strongSwan] StrongSwan w/ multiple local subnets.
On 6/30/2020 4:41 AM, Tobias Brunner wrote:
> Hi Tom,
>
>> What I meant to say, is that would confirm all proper kernel modules were already in place to allow the communication would it not? Anything else I could try to, in the least, confirm if the packet was successfully forwarded to the Azure VPN Gateway end? I know the packet arrives at the IPSec ipsec0 interface however, checking just now, I don't see any traffic change on the WAN interface of the on-prem StrongSwan VPN GW.
>
> As explained in previous emails, with kernel-libipsec you are not using any of the IPsec-related kernel modules. IPsec processing happens in userland via ipsec0 TUN device (see [1] for more on this plugin). rp_filter could be an issue when using it.
>
> To check traffic, use packet counters (strongSwan's status output, firewall etc.) or traffic captures on the respective hosts to see if e.g. ESP packets are exchanged.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec

Hey All,

So I've given up on DD-WRT for the time being and decided instead to use an old Raspberry PI 2 and OpenWRT. The topology I'll reference is available on the below OpenWRT forum.

For the sake of not replicating all the content (and partially due to a touch of laziness), here is the link:

Aug 9th post:
https://forum.openwrt.org/t/openwrt-support-for-quagga-ospf-strongswan-ipsecv2-1-openvpn-firewalld-ssh-ddns-dnsmasquerade/69528/18

I'm effectively running into this error:

    Aug 9 17:04:06 OWRT01 : 14[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
    Aug 9 17:04:06 OWRT01 : 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Aug 9 17:04:06 OWRT01 : 14[NET] sending packet: from 100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
    Aug 9 17:04:06 OWRT01 : 04[NET] error writing to socket: Network unreachable
    Aug 9 17:04:10 OWRT01 : 14[IKE] retransmit 1 of request with message ID 0

This time, XFRM modules are loaded:

    root@OWRT01:~# lsmod|grep xfrm
    tunnel4                12288  2 sit,xfrm4_tunnel
    tunnel6                12288  1 xfrm6_tunnel
    xfrm_algo              12288  7 esp6,ah6,esp4,ah4,xfrm_user,xfrm_ipcomp,af_key
    xfrm_ipcomp            12288  2 ipcomp6,ipcomp
    xfrm_user              28672  0
    xfrm4_mode_beet        12288  0
    xfrm4_mode_transport   12288  0
    xfrm4_mode_tunnel      12288  0
    xfrm4_tunnel           12288  0
    xfrm6_mode_beet        12288  0
    xfrm6_mode_transport   12288  0
    xfrm6_mode_tunnel      12288  0
    xfrm6_tunnel           12288  1 ipcomp6
    root@OWRT01:~#

However, from the OpenWRT post, you can see that packets aren't even making it out of the ipsec0 interface, nor from the br-lan interface.

--
Thx,
TK.
Re: [strongSwan] StrongSwan w/ multiple local subnets.
On 8/9/2020 8:10 PM, TomK wrote:
> On 6/30/2020 4:41 AM, Tobias Brunner wrote:
>> [...]
>
> Hey All,
>
> So I've given up on DD-WRT for the time being and decided instead to use an old Raspberry PI 2 and OpenWRT. The topology I'll reference is available on the below OpenWRT forum.
>
> For the sake of not replicating all the content (and partially due to a touch of laziness), here is the link:
>
> Aug 9th post:
> https://forum.openwrt.org/t/openwrt-support-for-quagga-ospf-strongswan-ipsecv2-1-openvpn-firewalld-ssh-ddns-dnsmasquerade/69528/18
>
> I'm effectively running into this error:
>
>     Aug 9 17:04:06 OWRT01 : 14[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
>     Aug 9 17:04:06 OWRT01 : 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>     Aug 9 17:04:06 OWRT01 : 14[NET] sending packet: from 100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
>     Aug 9 17:04:06 OWRT01 : 04[NET] error writing to socket: Network unreachable
>     Aug 9 17:04:10 OWRT01 : 14[IKE] retransmit 1 of request with message ID 0
>
> This time, XFRM modules are loaded:
>
>     root@OWRT01:~# lsmod|grep xfrm
>     [...]
>
> However, from the OpenWRT post, you can see that packets aren't even making it out of the ipsec0 interface, nor from the br-lan interface.

Made it past the above issue. Had to set:

    left=192.168.0.12
    type=passthrough

since this is a device behind the main router. My bad!

Now I'm receiving a reply back:

    root@DD-WRT-INTERNET-ASUS:~# tcpdump -n | grep -Ei "123.123.123.123"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    21:42:10.410556 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
    21:42:10.414404 IP 123.123.123.123.500 > 192.168.0.12.500: isakmp: parent_sa ikev2_init[R]

However the result is this error:

    received NO_PROPOSAL_CHOSEN notify error

I've gone and searched the above error but nothing worked so far. Tried different settings for ike= and esp= but no luck either. Perhaps I'm missing something here a trained eye won't? Any help is appreciated.

- Full session:

    Aug 11 00:41:57 OWRT01 : 00[DMN] signal of type SIGINT received. Shutting down
    Aug 11 00:42:00 OWRT01 : 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, armv7l)
    Aug 11 00:42:00 OWRT01 : 00[CFG] PKCS11 module '' lacks library path
    Aug 11 00:42:01 OWRT01 : 00[LIB] curl SSL backend 'mbedTLS/2.16.6' not supported, https:// disabled
    Aug 11 00:42:01 OWRT01 : 00[CFG] disabling load-tester plugin, not configured
    Aug 11 00:42:01 OWRT01 : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
    Aug 11 00:42:01 OWRT01 : 00[LIB] created TUN device: ipsec0
    Aug 11 00:42:01 OWRT01 : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
    Aug 11 00:42:01 OWRT01 : 00[CFG] attr-sql plugin: database URI not set
    Aug 11 00:42:01 OWRT01 : 00[NET] using forecast interface br-lan
    Aug 11 00:42:01 OWRT01 : 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
    Aug 11 00:42:01 OWRT01 : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    Aug 11 00:42:01 OWRT01 : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    Aug 11 00:42:01 OWRT01 : 00[CFG] loading ocsp signer c
Re: [strongSwan] StrongSwan w/ multiple local subnets.
On 6/24/2020 5:48 AM, Tobias Brunner wrote:
> Hi Tom,
>
>> This is a DD-WRT router. Uses a pre-built kernel I might not have too much option in customizing it. But I tried removing it
>
> kernel-libipsec is a userland IPsec implementation (read the wiki page), it has nothing to do with the kernel (except that it has to be able to create TUN devices). However, to use the kernel's IPsec stack, it is missing an important module:
>
>>     Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] unable to create netlink socket: Protocol not supported (93)
>>     Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] could not open socket: Address family not supported by protocol
>>     Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] could not open IPv6 socket, IPv6 disabled
>>     Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] installing IKE bypass policy failed
>>     Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] installing IKE bypass policy failed
>>     Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
>>     Jun 22 08:12:15 DD-WRT daemon.info charon: 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:kernel-ipsec
>>
>> Interestingly, what I do have is:
>
> What you are definitely missing is xfrm_user, which is required for the daemon to communicate with the kernel. Without that module all the others are pretty much useless, so no idea why your kernel is configured like that.

May I ask which exact line above told you I'm missing xfrm_user? The ones that start with CUSTOM?

Have a post to try and get one compiled in.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1208983#1208983

This is DD-WRT so it's a minimized router kernel. I was surprised as the next guy learning that module isn't available. Since I'm trying to get the remote VLANs mapped over to my VLANs here, this router is the best spot to do that from.

>> I no longer have to run:
>>
>>     ip route add 10.10.0.0/24 dev ipsec0
>>
>> for packets to show up on ipsec0:
>
> As I mentioned, strongSwan installs a route automatically if there is a local IP in the local traffic selector. You can see those in table 220.
>
>>     root@DD-WRT:~# tcpdump -i ipsec0 -s 0 -n
>>     tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>     listening on ipsec0, link-type RAW (Raw IP), snapshot length 262144 bytes
>>     08:44:28.318516 IP 100.100.100.100 > 10.10.0.4: ICMP echo request, id 36426, seq 0, length 64
>>     08:44:29.325741 IP 100.100.100.100 > 10.10.0.4: ICMP echo request, id 36426, seq 1, length 64
>>
>> but not anymore.
>
> No you won't as these packets don't match the negotiated traffic selectors. The local TS is 192.168.0.0/24, which obviously doesn't match 100.100.100.100 so libipsec will drop the packet. If there was a route in table 220 it should list a source IP in the local traffic selector, so it's interesting that a different source IP was selected - or was that IP forced somehow?

I tinkered around with this at some point. I had it originating from 192.168.0.6 > 10.10.0.4 but same results. Based on what you wrote, unless I get the xfrm_user module installed, this won't work regardless of what source IP it's coming from?

Here's what I had earlier and retried just now:

    iptables -t nat -I POSTROUTING -d 10.10.0.0/24 -j SNAT --to $(nvram get lan_ipaddr)

This resulted in:

    # tcpdump -i ipsec0 -s 0 -n
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ipsec0, link-type RAW (Raw IP), snapshot length 262144 bytes
    08:48:19.481357 IP 192.168.0.6 > 10.10.0.4: ICMP echo request, id 61506, seq 3, length 64
    08:48:20.490676 IP 192.168.0.6 > 10.10.0.4: ICMP echo request, id 61506, seq 4, length 64
    08:48:21.500060 IP 192.168.0.6 > 10.10.0.4: ICMP echo request, id 61506, seq 5, length 64
    08:48:22.509503 IP 192.168.0.6 > 10.10.0.4: ICMP echo request, id 61506, seq 6, length 64

instead of originating from the WAN IP. No reply of course.

My routes:

    root@DD-WRT:~# ip route
    default via 100.100.100.50 dev vlan2
    10.0.0.0/24 via 192.168.0.1 dev br0 metric 20
    10.1.0.0/24 via 192.168.0.1 dev br0 metric 20
    10.1.1.0/24 dev tun2 scope link src 10.1.1.1
    10.2.0.0/24 via 192.168.0.1 dev br0 metric 20
    10.3.0.0/24 via 192.168.0.1 dev br0 metric 20
    100.100.100.50/27 dev vlan2 scope link src 100.100.100.100
    127.0.0.0/8 dev lo scope link
    192.168.0.0/24 dev br0 scope link src 192.168.0.6
    192.168.45.0/24 dev wl0.1 scope link src 192.168.45.1
    192.168.75.0/24 dev wl1.1 scope link src 192.168.75.1

Still looking at Brian's recommendations however:

    root@DD-WRT:~# ip link add xfrm0 type xfrm dev ipsec0 if_id 42
    ip: RTNETLINK answers: Not supported
    root@DD-WRT:~# ip link add vti0 type vti dev ipsec0 if_id 42
    ip: RTNETLINK answers: Not supported
    root@DD-WRT:~#

Trying GRE but:

    root@DD-WRT:~# ip tunnel add ipsec01 local 100.100.100.100 remote 123.123.123.123 mode gre
    ip: ioctl 0x89f1 failed: No such device
    root@DD-WRT:~#

None of these will work without kernel IPsec support (and XFRM interfaces
Re: [strongSwan] StrongSwan w/ multiple local subnets.
On 6/24/2020 9:19 AM, Tobias Brunner wrote: Hi Tom, May I ask which exact line above told you I'm missing sfrm_user? The ones that start with CUSTOM? Yes, the first one is logged after the kernel-netlink plugin failed to open a Netlink/XFRM socket, plus it is obviously missing in the module lists you posted after that. Kool This is DD-WRT so it's a minimized router kernel. I was surprised as the next guy learning that module isn't available. Yeah, makes not much sense to enable the other IPsec-related modules without a means to actually use them. But why did you use the 2.6.23 kernel sources to build the missing module if your router uses a 4.4.190 kernel? Was questions my sanity around that as well but initially only found the wiki page for 2.6.33 . The SVN appeared a bit messy to me, probably because I'm not familiar with it yet, so wasn't sure if they just reused the folder name or if it was truly for Linux 2.6.33. And couldn't find the Linux 4.4's at the time until I rummaged through the SVN the next day. Look further down on the post. I've tried the Linux 4.4 branch but couldn't get that to work. There's some missing Makefiles. I tinkered around with this at some point. I had it originating from 192.168.0.6 > 10.10.0.4 but same results. Based on what you wrote, unless I get xfrm_user module installed, this won't work regardless of what source IP it's coming from? No, that's unrelated. You need that module to use the IPsec stack in the kernel (i.e. to run without kernel-libipsec or ipsec0 interface). The whole point of the userland IPsec stack is that it bypasses the kernel and can run with reduced privileges (e.g. on Android where apps can create TUN devices via VpnService API but can't access the kernel's IPsec stack via Netlink/XFRM). instead of originating from the WAN IP. No reply of course. My routes Are ESP packets sent? If yes, are any returned? If not, then this seems to be an issue on the other end. So try to follow the traffic there. 
That is what I'm not sure about. Between StrongSwan (SSW) and Azure VPN Gateway, I'm not able to find which one is it. I've set up a packet trace from the Azure VPN Gateway but the only option it gave me as a target was against one of the Azure VMs. Not between Azure VPN Gateway and the on-prem gateway. So in the least I was hoping to confirm if everything was sent correctly from SSW, then I'll be more sure that the issue is really with Azure VPN Gateway blocking traffic.

What I do know is that I can ping from the Azure VMs back down to my on-prem VLAN (192.168.0.X/24) but NOT FROM my router that's running SSW. In other words, traffic flows only one way. Down. So to me this looked like an issue where:

1) Like you said, ESP packets are not getting sent properly from SSW to Azure VPN Gateway. (How do I confirm this with 100% certainty? What should I look for to determine if there's any dropped packets on my on-prem F/W that's on this router?)

2) The Azure VPN Gateway is blocking on-prem to itself. I've made sure the F/W on the Azure side is not an issue.

root@DD-WRT:~# ip route

Again, strongSwan installs its routes in table 220, that is, use `ip route show table 220` (or `all`).
root@DD-WRT:~# ip route show table all
default via 100.100.100.50 dev vlan2
10.0.0.0/24 via 192.168.0.1 dev br0 metric 20
10.1.0.0/24 via 192.168.0.1 dev br0 metric 20
10.1.1.0/24 dev tun2 scope link src 10.1.1.1
10.2.0.0/24 via 192.168.0.1 dev br0 metric 20
10.3.0.0/24 via 192.168.0.1 dev br0 metric 20
100.100.100.75/27 dev vlan2 scope link src 100.100.100.100
127.0.0.0/8 dev lo scope link
192.168.0.0/24 dev br0 scope link src 192.168.0.6
192.168.45.0/24 dev wl0.1 scope link src 192.168.45.1
192.168.75.0/24 dev wl1.1 scope link src 192.168.75.1
broadcast 10.1.1.0 dev tun2 table local scope link src 10.1.1.1
local 10.1.1.1 dev tun2 table local scope host src 10.1.1.1
broadcast 10.1.1.255 dev tun2 table local scope link src 10.1.1.1
broadcast 100.100.100.75 dev vlan2 table local scope link src 100.100.100.100
local 100.100.100.100 dev vlan2 table local scope host src 100.100.100.100
broadcast 100.100.100.25 dev vlan2 table local scope link src 100.100.100.100
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.0.0 dev br0 table local scope link src 192.168.0.6
local 192.168.0.6 dev br0 table local scope host src 192.168.0.6
broadcast 192.168.0.255 dev br0 table local scope link src 192.168.0.6
broadcast 192.168.45.0 dev wl0.1 table local scope link src 192.168.45.1
local 192.168.45.1 dev wl0.1 table local scope host src 192.168.45.1
broadcast 192.168.45.255 dev wl0.1 table local scope link src 192.168.45.1
broadcast 192.168.75.0 dev wl1.1 table local
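To illustrate Tobias's point about table 220, here is an added example (written for this page, not code from strongSwan or from any poster): it parses `ip route show table all` output in the format of the dump above, resolves destinations in table 220 before main the way the kernel does once strongSwan's ip rule is in place, and reports which rightsubnets would actually be steered into the ipsec0 TUN device. The single table-220 entry in the sample is assumed for contrast; the dump posted in the thread contains none.

```python
"""Where would a packet to the Azure side actually leave this router?

Parses `ip route show table all` output and emulates policy-routing lookup:
strongSwan's table 220 is consulted before main. With kernel-libipsec, remote
subnets must resolve to ipsec0; anything else leaves the router unencrypted.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Keywords that take a value in `ip route` output; anything else is a bare flag.
_KEYS = {"via", "dev", "table", "metric", "scope", "src", "proto", "mtu"}
_TYPES = {"unicast", "local", "broadcast", "unreachable", "prohibit", "blackhole"}


@dataclass
class Route:
    rtype: str
    table: str
    prefix: ipaddress.IPv4Network
    dev: Optional[str]
    via: Optional[str]
    metric: int


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route show table all` lines; routes without 'table' are in main."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("root@"):      # skip a pasted shell prompt
            continue
        rtype = toks.pop(0) if toks[0] in _TYPES else "unicast"
        dst = toks.pop(0)
        prefix = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        kv = {}
        i = 0
        while i < len(toks):
            if toks[i] in _KEYS and i + 1 < len(toks):
                kv[toks[i]] = toks[i + 1]
                i += 2
            else:
                i += 1                                    # bare flag such as onlink/linkdown
        routes.append(Route(rtype, kv.get("table", "main"), prefix,
                            kv.get("dev"), kv.get("via"), int(kv.get("metric", "0"))))
    return routes


# strongSwan adds `ip rule ... lookup 220` ahead of main. The local table only holds
# local/broadcast entries, so for a remote destination this is the effective order.
TABLE_ORDER = ("220", "main")


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, table by table, as the kernel's policy routing does."""
    addr = ipaddress.ip_address(dst)
    for table in TABLE_ORDER:
        cands = [r for r in routes
                 if r.table == table and r.rtype == "unicast" and addr in r.prefix]
        if cands:
            return max(cands, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return None


def check_remote_subnets(routes: List[Route], rightsubnets: List[str],
                         tun: str = "ipsec0") -> Dict[str, str]:
    """For each rightsubnet, report whether traffic to it is steered into the TUN."""
    report = {}
    for net in rightsubnets:
        host = next(ipaddress.ip_network(net).hosts())     # first usable host as probe
        r = lookup(routes, str(host))
        if r is None:
            report[net] = "no route"
        elif r.dev == tun:
            report[net] = f"ok: table {r.table} via {tun}"
        else:
            report[net] = f"LEAK: table {r.table} dev {r.dev} ({r.prefix})"
    return report


# Constructed sample: a subset of the dump in the thread plus one table-220 route of
# the kind kernel-libipsec installs for a traffic selector once the CHILD_SA is up
# (assumed for contrast; the posted dump has no table-220 entry at all).
SAMPLE = """\
root@DD-WRT:~# ip route show table all
default via 100.100.100.50 dev vlan2
10.0.0.0/24 via 192.168.0.1 dev br0 metric 20
10.1.0.0/24 via 192.168.0.1 dev br0 metric 20
100.100.100.75/27 dev vlan2 scope link src 100.100.100.100
192.168.0.0/24 dev br0 scope link src 192.168.0.6
10.10.0.0/24 dev ipsec0 table 220 proto static src 192.168.0.6
broadcast 192.168.0.0 dev br0 table local scope link src 192.168.0.6
local 192.168.0.6 dev br0 table local scope host src 192.168.0.6
"""

RIGHTSUBNETS = ["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24",
                "10.10.3.0/24", "10.10.4.0/24"]

if __name__ == "__main__":
    for net, verdict in check_remote_subnets(parse_routes(SAMPLE), RIGHTSUBNETS).items():
        print(f"{net:15} {verdict}")
```

Every rightsubnet that reports LEAK corresponds to a missing table-220 route, which is exactly what the "error installing route with policy ... out" lines in the charon log describe.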
Re: [strongSwan] StrongSwan w/ multiple local subnets.
On 6/29/2020 3:31 AM, Tobias Brunner wrote:

Hi Tom,

Is the xfrm_user.ko module used for both traffic going out and coming back in via StrongSwan / IPSEC?

It's not used for handling traffic at all. It provides the interface to configure the IPsec stack (SAs and policies) from userland. It does rely on general Netlink infrastructure, but no idea what symbol could be missing. Maybe the kernel version doesn't match exactly?

Regards,
Tobias

That's a bit odd then. Traffic arriving at the on-prem VPN GW from the Azure VPN Gateway makes it through just fine. This appears to confirm routing and general connectivity works. It's the traffic going from the on-prem VPN GW to the Azure GW where the issue is.

Looking at xfrm_user.ko, I notice the dependencies it has are:

./net/ipv4/xfrm4_policy.c
./net/ipv4/xfrm4_state.c

Or basically:

xfrm4_policy.ko
xfrm4_state.ko

Neither of these are listed in the dependency list, however realized these were missing while inserting the other .ko modules. Trying to get a copy of them so I can try this out and see if it makes a difference. Maybe add these to the dependency list on the wiki?

--
Thx,
TK.
Re: [strongSwan] StrongSwan w/ multiple local subnets.
On 6/29/2020 10:00 AM, TomK wrote:

On 6/29/2020 3:31 AM, Tobias Brunner wrote:

Hi Tom,

Is the xfrm_user.ko module used for both traffic going out and coming back in via StrongSwan / IPSEC?

It's not used for handling traffic at all. It provides the interface to configure the IPsec stack (SAs and policies) from userland. It does rely on general Netlink infrastructure, but no idea what symbol could be missing. Maybe the kernel version doesn't match exactly?

Regards,
Tobias

That's a bit odd then. Traffic arriving at the on-prem VPN GW from the Azure VPN Gateway makes it through just fine. This appears to confirm routing and general connectivity works. It's the traffic going from the on-prem VPN GW to the Azure GW where the issue is.

What I meant to say is that this would confirm all proper kernel modules were already in place to allow the communication, would it not? Anything else I could try to, in the least, confirm if the packet was successfully forwarded to the Azure VPN Gateway end? I know the packet arrives at the IPSec ipsec0 interface; however, checking just now, I don't see any traffic change on the WAN interface of the on-prem StrongSwan VPN GW. Will be reading why that is the case to get some more details, but this certainly points to on-prem for the moment.

Looking at xfrm_user.ko, I notice the dependencies it has are:

./net/ipv4/xfrm4_policy.c
./net/ipv4/xfrm4_state.c

Or basically:

xfrm4_policy.ko
xfrm4_state.ko

Neither of these are listed in the dependency list, however realized these were missing while inserting the other .ko modules. Trying to get a copy of them so I can try this out and see if it makes a difference. Maybe add these to the dependency list on the wiki?

--
Thx,
TK.
Re: [strongSwan] StrongSwan w/ multiple local subnets.
On 6/19/2020 10:56 PM, Brian Topping wrote:

Sounds like you’re unable to look at traffic on both sides. Unless you’re looking closely at the logs and know what’s happening, it’s hard to debug. It also looks as if you’ve rather heavily sanitized the console logs, for instance the ping destination.

This line concerns me:

Jun 19 19:57:11 14[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out

If you are coming from or going to 100.100.100.100 and using transport instead of tunnel, these routes being installed are wrong, which becomes a configuration issue.

Best way to post is to take the console output verbatim, then replace the first two octets of every IP address you want to sanitize with unique letters so the addresses can be distinguished. Easier if you can put the content into something like pastebin or gist instead of mailing to the list for viewing purposes.

Sent from my iPhone

On Jun 19, 2020, at 19:28, TomK wrote:

Jun 19 19:57:11 14[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out

Thank you. Attached the logs.

https COLON //www DOT microdevsys DOT com/WordPressFiles/charon.log
https COLON //www DOT microdevsys DOT com/WordPressFiles/var-log-messages.txt

Config files:

root@DD-WRT:~# cat /opt/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

conn REMOTE-VLAN1
        authby=secret
        auto=start
        type=tunnel
        keyexchange=ikev2
        keylife=3600s
        ikelifetime=28800s
        rekey=yes
        rekeymargin=3m
        keyingtries=1
        mobike=no
        dpdaction=none
        lifebytes=10240
        left=100.100.100.100 # IP address of your on-premises gateway
        leftsubnet=192.168.0.0/24,10.0.0.0/24,10.1.0.0/24,10.2.0.0/24,10.3.0.0/24 # Home LAB - Local
        # leftnexthop=%defaultroute
        right=123.123.123.123 # Remote VPN gateway IP address
        rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24 # Remote network subnet defined in public cloud
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
root@DD-WRT:~#

root@DD-WRT:~# cat /opt/etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

# Verbosity levels
# -1: Absolutely silent
#  0: Very basic auditing logs, (e.g. SA up/SA down)
#  1: Generic control flow with errors, a good default to see whats going on
#  2: More detailed debugging control flow
#  3: Including RAW data dumps in Hex
#  4: Also include sensitive material in dumps, e.g. keys

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        filelog {
                charon {
                        path = /opt/tmp/charon.log
                        time_format = %b %e %T
                        append = no
                        default = 2 # in case troubleshoot is required switch this to 2
                }
                stderr {
                        ike = 2 # in case troubleshoot is required switch this to 2
                        knl = 3 # in case troubleshoot is required switch this to 3
                        ike_name = yes
                }
        }
        syslog {
                # enable logging to LOG_DAEMON, use defaults
                daemon {
                }
                # minimalistic IKE auditing logging to LOG_AUTHPRIV
                auth {
                        default = 2 # in case troubleshoot is required switch this to 2
                        ike = 2 # in case troubleshoot is required switch this to 2
                }
        }
}

include strongswan.d/*.conf
root@DD-WRT:~#

root@DD-WRT:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.4.190, armv7l):
  uptime: 28 seconds, since Jun 19 23:04:51 2020
  malloc: sbrk 892928, mmap 0, used 493392, free 399536
  worker threads: 6 of 16 idle, 6/0/4/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default socket-dynamic farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
  100.100.100.100
  192.168.0.6
  192.168.45.1
  192.168.75.1
  10.1.1.1
Connections:
 AZURE-VLAN1:  100.100.100.100...123.123.123.123  IKEv2
 AZURE-VLAN1:   local:  [100.100.100.100] uses pre
Re: [strongSwan] StrongSwan w/ multiple local subnets.
ipsec0 receives the packet from the ping request but nothing comes back:

# tcpdump -i ipsec0 -s 0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type RAW (Raw IP), snapshot length 262144 bytes
21:21:55.601249 IP 100.100.100.100 > 10.10.0.4: ICMP echo request, id 29010, seq 94, length 64
21:21:56.610601 IP 100.100.100.100 > 10.10.0.4: ICMP echo request, id 29010, seq 95, length 64
21:21:57.61 IP 100.100.100.100 > 10.10.0.4: ICMP echo request, id 29010, seq 96, length 64

Logs:

# cat /opt/tmp/charon.log |grep -Ev "ENC|NET" | tail -n 30
Jun 19 19:57:07 10[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:07 10[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:07 10[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 19:57:08 15[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 19:57:08 15[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:08 15[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:08 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 19:57:09 12[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 19:57:09 12[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:09 12[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:09 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 19:57:10 16[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 19:57:10 16[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:10 16[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:10 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 19:57:11 14[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 19:57:11 14[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:11 14[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:11 14[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 20:37:26 06[KNL] creating rekey job for CHILD_SA ESP/0xe223cf04/52.188.11.203
Jun 19 20:37:26 11[IKE] establishing CHILD_SA REMOTE-VLAN1{47} reqid 4
Jun 19 20:37:26 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 20:37:26 11[IKE] inbound CHILD_SA REMOTE-VLAN1{47} established with SPIs d60f2974_i 34a12944_o and TS 10.0.0.0/24 10.1.0.0/24 10.2.0.0/24 10.3.0.0/24 192.168.0.0/24 === 10.10.0.0/24 10.10.1.0/24 10.10.2.0/24 10.10.3.0/24 10.10.4.0/24
Jun 19 20:37:26 11[KNL] error installing route with policy 10.0.0.0/24 === 10.10.0.0/24 out
Jun 19 20:37:26 11[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 19 20:37:26 11[IKE] closing CHILD_SA REMOTE-VLAN1{4} with SPIs 28539651_i (840 bytes) e223cf04_o (840 bytes) and TS 192.168.0.0/24 === 10.10.0.0/24
Jun 19 20:37:26 11[IKE] sending DELETE for ESP CHILD_SA with SPI 28539651
Jun 19 20:37:26 12[IKE] received DELETE for ESP CHILD_SA with SPI e223cf04
Jun 19 20:37:26 12[IKE] CHILD_SA closed

Of interest, are these messages:

charon: 10[ESP] no matching outbound IPsec policy for 100.100.100.100 == 10.10.0.4 [1]

On 6/19/2020 3:38 AM, TomK wrote:

Hello,

I have an Asus router using DD-WRT. On this router I've enabled ospf. The router sits on VLAN1: 192.168.0.0/24

There are two more VLANs within the space:

VLAN2: 10.0.0.0/24
VLAN3: 10.1.0.0/24
VLAN4: 10.2.0.0/24
VLAN5: 10.3.0.0/24

I've installed StrongSwan on top of this router and looking to configure site-to-site VLAN via IKEv2 to 4 more external VLANs:

VLAN1: 10.10.0.0/24
VLAN2: 10.10.1.0/24
VLAN3: 10.10.2.0/24
VLAN4: 10.10.3.0/24

So my config looks like this:

/opt/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

conn REMOTE-VLAN1
        authby=secret
        auto=start
        type=tunnel
        keyexchange=ikev2
        keylife=3600s
        ikelifetime=28800s
        left=100.100.100.100
        leftsubnet=192.168.0.0/24
        # leftnexthop=%defaultroute
        right=123.123.123.123
        rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
        ike=aes256-sha1-modp1024
        esp=aes256-sha1

conn REMOTE-VLAN2
        authby=secret
        auto=start
        type=tunnel
        keyexchange=ikev2
        keylife=3600s
        ikelifetime=28800s
        left=100.100.100.100
        leftsubnet=10.0.0.0/24
        # leftnexthop=%defaultroute
        right=123.123.123.123
        rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
        ike=aes256-sha1-modp1024
        esp=aes256-sha1

conn REMOTE-VLAN5
        authby=secret
        auto=start
        type=tunnel
        keyexchange=ikev2
        keylife=3600s
Re: [strongSwan] StrongSwan w/ multiple local subnets.
Hi Brian,

Thank you. You're right, I'm not using the script you provided. Seems like the instructions are aimed at a standalone Linux box however, so I'm not sure at this point if it will negatively interfere with anything else I have configured here. I'm running DD-WRT so things are more restricted. However, I'll have to read it more thoroughly later on to be sure of that. If you can shed more light on this, that will help.

Shouldn't ipsec configure the interfaces correctly? It does create ipsec0 so thought that would suffice.

Had a quick glance at the pages. Some of the commands and modules aren't available (ie xfrmi) on DD-WRT however, so I'll have to have a closer look later this weekend. If you could provide more details that will help.

In the interim, my interface setup:

1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
2: teql0: mtu 1500 qdisc noop state DOWN qlen 100
    link/void
3: eth0: mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether bb:16:aa:a2:62:10 brd ff:ff:ff:ff:ff:ff
4: vlan1@eth0: mtu 1500 qdisc noqueue master br0 state UP
    link/ether bb:16:aa:a2:62:10 brd ff:ff:ff:ff:ff:ff
5: vlan2@eth0: mtu 1492 qdisc noqueue state UP qlen 1000
    link/ether bb:16:aa:a2:62:11 brd ff:ff:ff:ff:ff:ff
    inet 100.100.100.100/27 brd 108.168.115.127 scope global vlan2
       valid_lft forever preferred_lft forever
6: eth1: mtu 1500 qdisc fq_codel master br0 state UNKNOWN qlen 1000
    link/ether bb:16:aa:a2:62:12 brd ff:ff:ff:ff:ff:ff
7: eth2: mtu 1500 qdisc fq_codel master br0 state UNKNOWN qlen 1000
    link/ether bb:16:ac:a2:62:24 brd ff:ff:ff:ff:ff:ff
8: br0: mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether bb:16:ac:a2:62:12 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.6/24 brd 192.168.0.255 scope global br0
       valid_lft forever preferred_lft forever
9: wl0.1: mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether bd:16:ac:a2:62:13 brd ff:ff:ff:ff:ff:ff
    inet 192.168.45.1/24 brd 192.168.45.255 scope global wl0.1
       valid_lft forever preferred_lft forever
10: wl1.1: mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether bd:16:ac:a2:62:25 brd ff:ff:ff:ff:ff:ff
    inet 192.168.75.1/24 brd 192.168.75.255 scope global wl1.1
       valid_lft forever preferred_lft forever
28: tun2: mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534]
    inet 10.1.1.1/24 brd 10.1.1.255 scope global tun2
       valid_lft forever preferred_lft forever
30: ipsec0: mtu 1400 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534]

On 6/20/2020 1:10 AM, Brian Topping wrote:

I do the same thing with OSPF (with BIRD 2). I’m going to take a guess that StrongSWAN is working fine and your router is not sensing the transition of it, so it doesn’t know when (or where) to route. But I can’t exactly tell if you are setting up interfaces with an updown script, I don’t see them here. See https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#XFRM-Interfaces-on-Linux and https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/_updown/_updown.in. After you have interfaces working properly, have your OSPF configured against the interfaces (I just use something like `vti*` wildcard so I can name them anything) and you should see correct behavior.

Last point of note, I just define `0.0.0.0/0` on left/rightsubnet. If your deployment gets supersized, you won’t want to be going back and updating networks on every gateway, though you will probably want to do that from LDAP for road warriors.

On Jun 19, 2020, at 10:53 PM, TomK <tomk...@mdevsys.com> wrote:

On 6/19/2020 10:56 PM, Brian Topping wrote:

Sounds like you’re unable to look at traffic on both sides. Unless you’re looking closely at the logs and know what’s happening, it’s hard to debug. It also looks as if you’ve rather heavily sanitized the console logs, for instance the ping destination.

This line concerns me:

Jun 19 19:57:11 14[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out

If you are coming from or going to 100.100.100.100 and using transport instead of tunnel, these routes being installed are wrong, which becomes a configuration issue.

Best way to post is to take the console output verbatim, then replace the first two octets of every IP address you want to sanitize with unique letters so the addresses can be distinguished. Easier if you can put the content into something like pastebin or gist instead of mailing to the list for viewing purposes.

Sent from my iPhone

On Jun 19, 2020, at 19:28, TomK <tomk...@mdevsys.com> wrote:

Jun 19 19:57:11 14[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out

Thank you. Attached the logs.

https COLON //www DOT m
Re: [strongSwan] StrongSwan w/ multiple local subnets.
On 6/22/2020 4:08 AM, Tobias Brunner wrote:

Hi Tom,

ipsec0 receives the packet from the ping request but nothing comes back:

Is there any particular reason you are using the kernel-libipsec plugin (see [1])? You might want to try just using kernel-netlink.

This is a DD-WRT router. Uses a pre-built kernel, I might not have too much option in customizing it. But I tried removing it:

root@DD-WRT:~# opkg list-installed | grep -Ei kernel-libipsec
strongswan-mod-kernel-libipsec - 5.8.4-1
root@DD-WRT:~# opkg remove strongswan-mod-kernel-libipsec
Removing package strongswan-mod-kernel-libipsec from root...
root@DD-WRT:~#

And restarting:

root@DD-WRT:~# ipsec status
root@DD-WRT:~#

However:

root@DD-WRT:~# tail -f /var/log/messages|grep -Ei charon
Jun 22 08:12:14 DD-WRT daemon.info charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.4.190, armv7l)
Jun 22 08:12:14 DD-WRT daemon.info charon: 00[CFG] PKCS11 module '' lacks library path
Jun 22 08:12:14 DD-WRT daemon.info charon: 00[CFG] disabling load-tester plugin, not configured
Jun 22 08:12:14 DD-WRT daemon.info charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] unable to create netlink socket: Protocol not supported (93)
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] could not open socket: Address family not supported by protocol
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] could not open IPv6 socket, IPv6 disabled
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] installing IKE bypass policy failed
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] installing IKE bypass policy failed
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:kernel-ipsec
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] attr-sql plugin: database URI not set
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] received netlink error: Address family not supported by protocol (97)
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] unable to create IPv6 routing table rule
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loading ca certificates from '/opt/etc/ipsec.d/cacerts'
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loading aa certificates from '/opt/etc/ipsec.d/aacerts'
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loading ocsp signer certificates from '/opt/etc/ipsec.d/ocspcerts'
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loading attribute certificates from '/opt/etc/ipsec.d/acerts'
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loading crls from '/opt/etc/ipsec.d/crls'
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loading secrets from '/opt/etc/ipsec.secrets'
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loaded IKE secret for 100.100.100.100 123.123.123.123
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] sql plugin: database URI not set
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loaded 0 RADIUS server configurations
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] HA config misses local/remote address
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] coupling file path unspecified
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[LIB] failed to load 1 critical plugin feature
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[DMN] initialization failed - aborting charon
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] received netlink error: Address family not supported by protocol (97)
Jun 22 08:12:15 DD-WRT authpriv.info ipsec_starter[15105]: charon has quit: initialization failed
Jun 22 08:12:15 DD-WRT authpriv.info ipsec_starter[15105]: charon refused to be started

Interestingly, what I do have is:

root@DD-WRT:~# find / -iname tunnel*
/lib/modules/4.4.190/tunnel4.ko
/lib/modules/4.4.190/tunnel6.ko
root@DD-WRT:~# find / -iname exp4*
root@DD-WRT:~# find / -iname esp4*
root@DD-WRT:~# find / -iname esp*
/lib/modules/4.4.190/esp6.ko
root@DD-WRT:~# find / -iname xfrm*
/lib/modules/4.4.190/xfrm6_mode_beet.ko
/lib/modules/4.4.190/xfrm6_mode_ro.ko
/lib/modules/4.4.190/xfrm6_mode_transport.ko
/lib/modules/4.4.190/xfrm6_mode_tunnel.ko
/lib/modules/4.4.190/xfrm6_tunnel.ko
/lib/modules/4.4.190/xfrm_algo.ko
/lib/modules/4.4.190/xfrm_ipcomp.ko
/proc/sys/net/core/xfrm_acq_expires
/proc/sys/net/core/xfrm_aevent_etime
/proc/sys/net/core/xfrm_aevent_rseqth
/proc/sys/net/core/xfrm_larval_drop
/proc/sys/net/ipv4/xfrm4_gc_thresh
root@DD-WRT:~#
root@DD-WRT:~#
root@DD-WRT:~# find / -iname ip_tunnel*
/lib/modules/4.4.190/ip_tunnel.ko
root@DD-WRT:~#

So just to recap, pinging, ssh etc. access in general works from REMOTE to LOCAL. But not LOCAL to REMOTE with strongswan-kernel-libipsec included. This I find odd because it seems to indicate the Azure to Strongswan connection is fine, just routing and
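A triage pass over the charon messages quoted in this thread, as an added example (not strongSwan code and not from any poster): each failure signature is mapped to what the thread established it means, and the verdicts follow the order in which the discussion narrowed the problem down. The sample excerpt is assembled from lines quoted above; the timestamp on the ESP line is constructed.

```python
"""Sort charon log lines into the failure situations discussed in this thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    category: str
    meaning: str
    count: int = 0
    first_msg: str = ""
    captures: Tuple[str, ...] = ()


# (regex over the message text, category, what the thread says it means).
# Order matters: the first pattern that matches a message wins.
SIGNATURES = [
    (r"unable to create netlink socket",
     "no-xfrm-netlink",
     "kernel-netlink could not open a Netlink/XFRM socket: xfrm_user (and the "
     "xfrm4_policy/xfrm4_state modules it depends on) is not loaded"),
    (r"unmet dependency: CUSTOM:kernel-ipsec",
     "no-kernel-ipsec-backend",
     "no IPsec backend left (kernel-netlink failed, kernel-libipsec removed), "
     "so charon aborts at startup"),
    (r"error installing route with policy (\S+) === (\S+) out",
     "route-install-failed",
     "route for this traffic-selector pair was not added to table 220; "
     "compare with `ip route show table 220`"),
    (r"unable to install (?:outbound )?IPsec (?:policies \(SPD\)|SA \(SAD\)) in kernel",
     "sad-spd-install-failed",
     "CHILD_SA could not be installed on this gateway; the peer is not at fault"),
    (r"no matching outbound IPsec policy for (\S+) == (\S+)",
     "no-outbound-policy",
     "a packet entered ipsec0 that no installed policy covers: its source "
     "address lies outside every leftsubnet traffic selector"),
]

# Matches the filelog form ("Jun 19 19:57:11 14[KNL] ...") and the syslog form
# ("... charon: 00[KNL] ...") alike.
LINE_RE = re.compile(r"(?P<thread>\d{2})\[(?P<group>[A-Z]{3})\]\s+(?P<msg>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def triage(lines: List[str]) -> Dict[str, Finding]:
    """Count each signature; remember the first message and regex captures seen."""
    findings: Dict[str, Finding] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for pattern, category, meaning in SIGNATURES:
            m = re.search(pattern, rec["msg"])
            if m:
                f = findings.setdefault(category, Finding(category, meaning))
                if f.count == 0:
                    f.first_msg, f.captures = rec["msg"], m.groups()
                f.count += 1
                break
    return findings


def verdicts(findings: Dict[str, Finding]) -> List[str]:
    """Top-level conclusions, most fundamental first."""
    out = []
    if "no-xfrm-netlink" in findings or "no-kernel-ipsec-backend" in findings:
        out.append("kernel IPsec stack unusable: charon cannot run without kernel-libipsec")
    if "route-install-failed" in findings or "sad-spd-install-failed" in findings:
        out.append("tunnel negotiates but routes/SAs fail to install: local gateway problem")
    if "no-outbound-policy" in findings:
        out.append("traffic reaches ipsec0 but no policy covers it: check source IP vs leftsubnet")
    return out


# Constructed excerpt assembled from lines quoted in the thread; the timestamp on
# the ESP line is made up, the rest is as posted.
SAMPLE_LOG = """\
Jun 19 19:57:11 14[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 19:57:11 14[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:11 14[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:11 14[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 20:37:26 11[KNL] error installing route with policy 10.0.0.0/24 === 10.10.0.0/24 out
Jun 19 20:37:26 11[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 19 21:21:55 10[ESP] no matching outbound IPsec policy for 100.100.100.100 == 10.10.0.4
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] unable to create netlink socket: Protocol not supported (93)
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:kernel-ipsec
""".splitlines()

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found.values():
        print(f"{f.category:24} x{f.count}  {f.first_msg}")
        print(f"{'':24}     -> {f.meaning}")
    for v in verdicts(found):
        print("*", v)
```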
[strongSwan] StrongSwan w/ multiple local subnets.
Hello,

I have an Asus router using DD-WRT. On this router I've enabled ospf. The router sits on VLAN1: 192.168.0.0/24

There are two more VLANs within the space:

VLAN2: 10.0.0.0/24
VLAN3: 10.1.0.0/24
VLAN4: 10.2.0.0/24
VLAN5: 10.3.0.0/24

I've installed StrongSwan on top of this router and looking to configure site-to-site VLAN via IKEv2 to 4 more external VLANs:

VLAN1: 10.10.0.0/24
VLAN2: 10.10.1.0/24
VLAN3: 10.10.2.0/24
VLAN4: 10.10.3.0/24

So my config looks like this:

/opt/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

conn REMOTE-VLAN1
        authby=secret
        auto=start
        type=tunnel
        keyexchange=ikev2
        keylife=3600s
        ikelifetime=28800s
        left=100.100.100.100
        leftsubnet=192.168.0.0/24
        # leftnexthop=%defaultroute
        right=123.123.123.123
        rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
        ike=aes256-sha1-modp1024
        esp=aes256-sha1

conn REMOTE-VLAN2
        authby=secret
        auto=start
        type=tunnel
        keyexchange=ikev2
        keylife=3600s
        ikelifetime=28800s
        left=100.100.100.100
        leftsubnet=10.0.0.0/24
        # leftnexthop=%defaultroute
        right=123.123.123.123
        rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
        ike=aes256-sha1-modp1024
        esp=aes256-sha1

conn REMOTE-VLAN5
        authby=secret
        auto=start
        type=tunnel
        keyexchange=ikev2
        keylife=3600s
        ikelifetime=28800s
        left=100.100.100.100
        leftsubnet=10.3.0.0/24
        # leftnexthop=%defaultroute
        right=123.123.123.123
        rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
        ike=aes256-sha1-modp1024
        esp=aes256-sha1

root@ASUS01:~# ipsec status
Security Associations (1 up, 0 connecting):
REMOTE-VLAN1[1]: ESTABLISHED 3 seconds ago, 100.100.100.100[100.100.100.100]...123.123.123.123[123.123.123.123]
REMOTE-VLAN1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ada5f39c_i a96955ba_o
REMOTE-VLAN1{1}:   192.168.0.0/24 === 10.10.0.0/24 10.10.1.0/24 10.10.2.0/24 10.10.3.0/24 10.10.4.0/24
root@ASUS01:~#

Just by the effect of the configuration file and what is happening on restart, doesn't appear I can create any other VLAN routes other than from the VLAN I'm currently on. How do I effectively make a site-to-site VPN configuration using StrongSwan between all 10 VLANs?

Additionally, for the VLAN that does have a tunnel created, I can ping a local (left) subnet directly but not vice versa.

I'm interested in the correct configuration to use first since I'm very new to this. If this still doesn't work, I'll post the logs from a good known configuration.

--
Thx,
TK.
[strongSwan] StrongSwan w/ multiple local subnets.
Hello, I have an Asus router using DD-WRT. On this router I've enabled ospf. The router sits on VLAN1: 192.168.0.0/24 There are two more VLAN's within the space: VLAN2: 10.0.0.0/24 VLAN3: 10.1.0.0/24 VLAN4: 10.2.0.0/24 VLAN5: 10.3.0.0/24 I've installed StrongSwan on top of this router and looking to configure site-to-site VLAN via IKEv2 to 4 more external VLAN's: VLAN1: 10.10.0.0/24 VLAN2: 10.10.1.0/24 VLAN3: 10.10.2.0/24 VLAN4: 10.10.3.0/24 So my config looks like this: /opt/etc/ipsec.conf # ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup # strictcrlpolicy=yes # uniqueids = no # Add connections here. conn REMOTE-VLAN1 authby=secret auto=start type=tunnel keyexchange=ikev2 keylife=3600s ikelifetime=28800s left=100.100.100.100 leftsubnet=192.168.0.0/24 # leftnexthop=%defaultroute right=123.123.123.123 rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24 ike=aes256-sha1-modp1024 esp=aes256-sha1 conn REMOTE-VLAN2 authby=secret auto=start type=tunnel keyexchange=ikev2 keylife=3600s ikelifetime=28800s left=100.100.100.100 leftsubnet=10.0.0.0/24 # leftnexthop=%defaultroute right=123.123.123.123 rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24 ike=aes256-sha1-modp1024 esp=aes256-sha1 conn REMOTE-VLAN5 authby=secret auto=start type=tunnel keyexchange=ikev2 keylife=3600s ikelifetime=28800s left=100.100.100.100 leftsubnet=10.3.0.0/24 # leftnexthop=%defaultroute right=123.123.123.123 rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24 ike=aes256-sha1-modp1024 esp=aes256-sha1 root@ASUS01:~# ipsec status Security Associations (1 up, 0 connecting): REMOTE-VLAN1[1]: ESTABLISHED 3 seconds ago, 100.100.100.100 [100.100.100.100 ]...123.123.123.123[123.123.123.123] REMOTE-VLAN1{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ada5f39c_i a96955ba_o REMOTE-VLAN1{1}: 192.168.0.0/24 === 10.10.0.0/24 10.10.1.0/24 10.10.2.0/24 10.10.3.0/24 10.10.4.0/24 root@ASUS01:~# Just by the 
effect of the configuration file and what is happening on restart, doesn't appear I can create any other VLAN routes other then from the VLAN I'm currently on. How do I effectively make a site-to-site VPN configuration using StrongSwan between all 10 VLAN's? Additionally, for the VLAN that does have a tunnel created, I can ping a local (left) subnet directly but not vice versa. I'm interested in the correct configuration to use first since I'm very new to this. If this still doesn't work, I'll post the logs from a good known configuration. -- Thx, TK.
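On the question of one conn per local VLAN: strongSwan's IKEv2 accepts a comma-separated list in leftsubnet in the same way the post already uses it for rightsubnet, so all five on-prem subnets can be proposed as traffic selectors of a single CHILD_SA instead of three conns that share the same peer. The configuration below is an added example, not the thread's /opt/etc/ipsec.conf; the conn name and the SHA-256 / 2048-bit DH (group 14) proposal are assumptions that must match what the remote gateway offers (the modp1024 in the post is 1024-bit group 2, below current recommendations).

```conf
# Added example (not the thread's /opt/etc/ipsec.conf): one IKEv2 conn that
# carries all five on-prem subnets as traffic selectors. Addresses are the
# placeholders used in the thread; the conn name and the cipher proposal
# are assumptions.
config setup

conn AZURE-ALL-VLANS
    keyexchange=ikev2
    authby=secret
    auto=start
    type=tunnel
    ikelifetime=28800s
    keylife=3600s
    left=100.100.100.100
    # every local subnet in one list, the same way rightsubnet already is
    leftsubnet=192.168.0.0/24,10.0.0.0/24,10.1.0.0/24,10.2.0.0/24,10.3.0.0/24
    right=123.123.123.123
    rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24
    # one strong proposal only; the trailing ! disables fallback to defaults
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
```

An IKEv2 responder is allowed to narrow the proposed selectors (RFC 7296), so after `ipsec restart` the `===` line in `ipsec status` is the place to confirm which local and remote subnets actually came up. If the peer narrows to a single pair, it does not support several selectors per CHILD_SA and each pair needs its own CHILD_SA negotiated against a matching entry on the remote side.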
Re: [strongSwan] StrongSwan w/ multiple local subnets.
On 6/24/2020 10:40 AM, TomK wrote:
On 6/24/2020 9:19 AM, Tobias Brunner wrote:
Hi Tom,

May I ask which exact line above told you I'm missing xfrm_user? The ones that start with CUSTOM?

Yes, the first one is logged after the kernel-netlink plugin failed to open a Netlink/XFRM socket, plus it is obviously missing in the module lists you posted after that.

Kool

This is DD-WRT so it's a minimized router kernel. I was surprised as the next guy learning that module isn't available.

Yeah, makes not much sense to enable the other IPsec-related modules without a means to actually use them. But why did you use the 2.6.23 kernel sources to build the missing module if your router uses a 4.4.190 kernel?

Was questioning my sanity around that as well but initially only found the wiki page for 2.6.33. The SVN appeared a bit messy to me, probably because I'm not familiar with it yet, so wasn't sure if they just reused the folder name or if it was truly for Linux 2.6.33. And couldn't find the Linux 4.4's at the time until I rummaged through the SVN the next day. Look further down on the post. I've tried the Linux 4.4 branch but couldn't get that to work. There's some missing Makefiles.

I tinkered around with this at some point. I had it originating from 192.168.0.6 > 10.10.0.4 but same results. Based on what you wrote, unless I get xfrm_user module installed, this won't work regardless of what source IP it's coming from?

No, that's unrelated. You need that module to use the IPsec stack in the kernel (i.e. to run without kernel-libipsec or ipsec0 interface). The whole point of the userland IPsec stack is that it bypasses the kernel and can run with reduced privileges (e.g. on Android where apps can create TUN devices via VpnService API but can't access the kernel's IPsec stack via Netlink/XFRM).

instead of originating from the WAN IP. No reply of course. My routes

Are ESP packets sent? If yes, are any returned? If not, then this seems to be an issue on the other end. So try to follow the traffic there.

That is what I'm not sure about. Between StrongSwan (SSW) and Azure VPN Gateway, I'm not able to find which one is it. I've setup a packet trace from the Azure VPN Gateway but the only option it gave me as a target was against one of the Azure VM's. Not between Azure VPN Gateway and the on-prem gateway. So in the least I was hoping to confirm if everything was sent correctly from SSW, then I'll be more sure that the issue is really with Azure VPN Gateway blocking traffic.

What I do know is that I can ping from the Azure VM's back down to my on-prem VLAN (192.168.0.X/24) but NOT FROM my router that's running SSW. In other words, traffic flows only one way. Down.

So to me this looked like an issue where:

1) Like you said, ESP packets are not getting sent properly from SSW to Azure VPN Gateway. (How do I confirm this with 100% certainty? What should I look for to determine if there's any dropped packets on my on-prem F/W that's on this router?)

2) The Azure VPN Gateway is blocking on-prem to itself. I've made sure the F/W on the Azure side is not an issue.

root@DD-WRT:~# ip route

Again, strongSwan installs its routes in table 220, that is, use `ip route show table 220` (or `all`).

root@DD-WRT:~# ip route show table all
default via 100.100.100.50 dev vlan2
10.0.0.0/24 via 192.168.0.1 dev br0 metric 20
10.1.0.0/24 via 192.168.0.1 dev br0 metric 20
10.1.1.0/24 dev tun2 scope link src 10.1.1.1
10.2.0.0/24 via 192.168.0.1 dev br0 metric 20
10.3.0.0/24 via 192.168.0.1 dev br0 metric 20
100.100.100.75/27 dev vlan2 scope link src 100.100.100.100
127.0.0.0/8 dev lo scope link
192.168.0.0/24 dev br0 scope link src 192.168.0.6
192.168.45.0/24 dev wl0.1 scope link src 192.168.45.1
192.168.75.0/24 dev wl1.1 scope link src 192.168.75.1
broadcast 10.1.1.0 dev tun2 table local scope link src 10.1.1.1
local 10.1.1.1 dev tun2 table local scope host src 10.1.1.1
broadcast 10.1.1.255 dev tun2 table local scope link src 10.1.1.1
broadcast 100.100.100.75 dev vlan2 table local scope link src 100.100.100.100
local 100.100.100.100 dev vlan2 table local scope host src 100.100.100.100
broadcast 100.100.100.25 dev vlan2 table local scope link src 100.100.100.100
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.0.0 dev br0 table local scope link src 192.168.0.6
local 192.168.0.6 dev br0 table local scope host src 192.168.0.6
broadcast 192.168.0.255 dev br0 table local scope link src 192.168.0.6
broadcast 192.168.45.0 dev wl0.1 table local scope link src 192.168.45.1
local 192.168.45.1 dev wl0.1 table local scope host src 192.168.45.1
broadcast 192.168.45.255 dev wl0.1 table local scope link src 192.168.45.1
broadc
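Tobias's check above ("Are ESP packets sent? If yes, are any returned?") comes down to the two byte counters that `ipsec statusall` prints for every CHILD_SA, and that holds with kernel-libipsec too, because the counters come from strongSwan itself rather than from `ip xfrm`. The script below is an added example, not something posted in the thread: it reads that output and prints one verdict per CHILD_SA, which answers point 1) of the message above without a packet capture. It assumes the counter format of strongSwan 5.x (`N bytes_i (P pkts, Ts ago), N bytes_o ...`), and the sample output it ships with is constructed from the thread's placeholder addresses, not captured.

```shell
#!/bin/sh
# Added example, not from the thread: turn the per-CHILD_SA byte counters of
# `ipsec statusall` into a verdict on whether ESP is sent and/or returned.
# Assumes the strongSwan 5.x stroke status format; no kernel XFRM needed,
# so it works with kernel-libipsec (ipsec0) as well.

classify_child_sas() {
    # Reads `ipsec statusall` text on stdin. Counter lines look like:
    #   NAME{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 2464 bytes_o (28 pkts, 3s ago), rekeying in 45 minutes
    # bytes_i = decrypted from the peer, bytes_o = encrypted and sent to the peer.
    # Prints "NAME VERDICT: hint" for every CHILD_SA that has a counter line.
    awk '
    /bytes_i/ {
        name = $1; sub(/:$/, "", name)
        in_b = 0; out_b = 0
        # "2464 bytes_o" + 0 evaluates to 2464 (leading numeric prefix)
        if (match($0, /[0-9]+ bytes_i/)) in_b = substr($0, RSTART, RLENGTH) + 0
        if (match($0, /[0-9]+ bytes_o/)) out_b = substr($0, RSTART, RLENGTH) + 0
        if (in_b == 0 && out_b == 0)
            verdict = "NONE: nothing entered the tunnel; check ip route show table 220, rp_filter and the local firewall"
        else if (in_b == 0)
            verdict = "SENT_ONLY: ESP leaves this host but nothing comes back; follow the traffic on the path and the remote side"
        else if (out_b == 0)
            verdict = "RECEIVED_ONLY: the peer reaches us but our replies are not routed into the tunnel"
        else
            verdict = "BOTH: traffic flows in both directions"
        print name " " verdict
    }'
}

# Constructed sample in the format of `ipsec statusall` (not real output from
# the thread's router): the tunnel is up and sends, but nothing is returned.
sample_statusall() {
    cat <<'EOF'
Security Associations (1 up, 0 connecting):
REMOTE-VLAN1[1]: ESTABLISHED 3 seconds ago, 100.100.100.100[100.100.100.100]...123.123.123.123[123.123.123.123]
REMOTE-VLAN1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ada5f39c_i a96955ba_o
REMOTE-VLAN1{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 2464 bytes_o (28 pkts, 3s ago), rekeying in 45 minutes
REMOTE-VLAN1{1}:   192.168.0.0/24 === 10.10.0.0/24 10.10.1.0/24 10.10.2.0/24 10.10.3.0/24
EOF
}

# Stand-alone run: use the live daemon when the ipsec tool is present,
# otherwise demonstrate on the constructed sample.
if command -v ipsec >/dev/null 2>&1; then
    ipsec statusall | classify_child_sas
else
    sample_statusall | classify_child_sas
fi
```

Run it a few seconds after generating traffic (a ping from a host in a left subnet towards a right subnet), because the counters only move for packets that matched the installed policies. SENT_ONLY is the case the message above describes: the local side is doing its part, and a capture for UDP 4500 (or ESP) on the WAN interface of the on-prem gateway should then show outbound packets with no inbound ones, which places the problem beyond this host.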
Re: [strongSwan] StrongSwan w/ multiple local subnets.
On 8/11/2020 1:16 AM, TomK wrote:
On 8/9/2020 8:10 PM, TomK wrote:
On 6/30/2020 4:41 AM, Tobias Brunner wrote:
Hi Tom,

What I meant to say, is that would confirm all proper kernel modules were already in place to allow the communication would it not? Anything else I could try to, in the least, confirm if the packet was successfully forwarded to the Azure VPN Gateway end? I know the packet arrives at the IPSec ipsec0 interface however, checking just now, I don't see any traffic change on the WAN interface of the on-prem StrongSwan VPN GW.

As explained in previous emails, with kernel-libipsec you are not using any of the IPsec-related kernel modules. IPsec processing happens in userland via ipsec0 TUN device (see [1] for more on this plugin). rp_filter could be an issue when using it.

To check traffic, use packet counters (strongSwan's status output, firewall etc.) or traffic captures on the respective hosts to see if e.g. ESP packets are exchanged.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec

Hey All,

So I've given up on DD-WRT for the time being and decided instead to use an old Raspberry PI 2 and OpenWRT. The topology I'll reference is available on the below OpenWRT forum.

For the sake of not replicating all the content (and partially due to a touch of laziness), here is the link:

Aug 9th post: https://forum.openwrt.org/t/openwrt-support-for-quagga-ospf-strongswan-ipsecv2-1-openvpn-firewalld-ssh-ddns-dnsmasquerade/69528/18

I'm effectively running into this error:

Aug 9 17:04:06 OWRT01 : 14[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
Aug 9 17:04:06 OWRT01 : 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 9 17:04:06 OWRT01 : 14[NET] sending packet: from 100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
Aug 9 17:04:06 OWRT01 : 04[NET] error writing to socket: Network unreachable
Aug 9 17:04:10 OWRT01 : 14[IKE] retransmit 1 of request with message ID 0

This time, XFRM modules are loaded:

root@OWRT01:~# lsmod|grep xfrm
tunnel4 12288 2 sit,xfrm4_tunnel
tunnel6 12288 1 xfrm6_tunnel
xfrm_algo 12288 7 esp6,ah6,esp4,ah4,xfrm_user,xfrm_ipcomp,af_key
xfrm_ipcomp 12288 2 ipcomp6,ipcomp
xfrm_user 28672 0
xfrm4_mode_beet 12288 0
xfrm4_mode_transport 12288 0
xfrm4_mode_tunnel 12288 0
xfrm4_tunnel 12288 0
xfrm6_mode_beet 12288 0
xfrm6_mode_transport 12288 0
xfrm6_mode_tunnel 12288 0
xfrm6_tunnel 12288 1 ipcomp6
root@OWRT01:~#

However, from the OpenWRT post, you can see that packets aren't even making it out of the ipsec0 interface, nor from the br-lan interface.

Made it past the above issue. Had to set:

left=192.168.0.12
type=passthrough

since this is a device behind the main router. My bad!

Now I'm receiving a reply back:

root@DD-WRT-INTERNET-ASUS:~# tcpdump -n | grep -Ei "123.123.123.123"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:42:10.410556 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
21:42:10.414404 IP 123.123.123.123.500 > 192.168.0.12.500: isakmp: parent_sa ikev2_init[R]

However the result is this error:

received NO_PROPOSAL_CHOSEN notify error

I've gone and searched the above error but nothing worked so far. Tried different settings for ike= and esp= but no luck either. Perhaps I'm missing something here a trained eye won't? Any help is appreciated.

- Full session:

Aug 11 00:41:57 OWRT01 : 00[DMN] signal of type SIGINT received. Shutting down
Aug 11 00:42:00 OWRT01 : 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, armv7l)
Aug 11 00:42:00 OWRT01 : 00[CFG] PKCS11 module '' lacks library path
Aug 11 00:42:01 OWRT01 : 00[LIB] curl SSL backend 'mbedTLS/2.16.6' not supported, https:// disabled
Aug 11 00:42:01 OWRT01 : 00[CFG] disabling load-tester plugin, not configured
Aug 11 00:42:01 OWRT01 : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Aug 11 00:42:01 OWRT01 : 00[LIB] created TUN device: ipsec0
Aug 11 00:42:01 OWRT01 : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
Aug 11 00:42:01 OWRT01 : 00[CFG] attr-sql plugin: database URI not set
Aug 11 00:42:01 OWRT01 : 00[NET] using forecast interface br-lan
Aug 11 00:42:01 OWRT01 : 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Aug 11 00:42:01 OWRT01 : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug 11 00:42:01
Re: [strongSwan] Export XFRM StrongSwan / IPSec routes to Quagga (OSPF)
On 10/26/2020 8:42 AM, TomK wrote:
On 10/26/2020 2:10 AM, Michael Schwartzkopff wrote:
On 26.10.20 05:47, TomK wrote:
Hey All,

I've configured the VTI's and routing is now fully working between the 9 VLAN's. XFRM, as far as I can tell, isn't as well documented. I might try this later on to see if OpenWRT supports it.

Thx,

On 10/25/2020 9:48 PM, TomK wrote:
Hey Noel,

I have four VLAN's on the Azure side. I need all these VLAN's visible to my on-prem VLAN's, 5 on-prem VLAN's in total. The on-prem GW can see those Azure VLAN's. The mapping works well. However, the on-prem StrongSwan GW running on my Raspberry Pi 2 (OpenWRT) isn't redistributing the Azure VLAN's at the moment since they are sitting in table 220 where OSPF can't see them.

From the Azure side, I can ping the on-prem GW just fine, including the ability to ssh to the on-prem OpenWRT GW from Azure. However, I can't ping any of the other on-prem VLAN's from the Azure side, of course. Not until OSPF sees the Azure VLAN's I'm thinking.

This is mostly a POC so I have plenty of room to experiment. This is the goal.

Cheers,
TK

On 10/25/2020 8:51 PM, Noel Kuntze wrote:
Hello Tom,

That is the right wiki page. What I forgot to mention though is that with interfaces, you can then talk your routing protocol over it. It does not give you information about the subnets though for which IPsec policies are installed.

What is the goal of this in the end?

Kind regards
Noel

Am 26.10.20 um 01:33 schrieb TomK:
Hey Noel,

Thanks. That would certainly make it automatic with either BIRD or Quagga. I'll have a look at the pages again to see what it takes to create these. Thinking this is still the right page for VTI and XFRM information?

https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN

Cheers,
TK

On 10/25/2020 4:59 PM, Noel Kuntze wrote:
Hi Tom,

The routes in table 220 are only used to tell the kernel which source IP to use for sending packets to a remote network. They aren't part of XFRM and only tangentially pertain to IPsec. Also, routes are only added if they are required, so those routes in table 220 are not necessarily complete.

A better solution for your use case would be to use route based IPsec by using dedicated VTIs or XFRM interfaces and running OSPF/BGP/whatever over those virtual links.

Kind regards
Noel

Am 25.10.20 um 19:05 schrieb TomK:
Hey All,

I'm interested in finding out how to import routes from StrongSwan IPSec installed XFRM tables (220) into Quagga (OSPF, 254)? The XFRM policy based rules are saved in table 220 while Quagga (OSPF) saves the routes in table 254.

I have an IPSec StrongSwan on-prem GW paired up with one of the Cloud providers. The connection is established fine however I can't ping the remote VLAN's from any other device on the on-prem network except from the on-prem GW itself.

I would like to make OSPF aware of table 220 so it can import the rules. Or at least find another way to export the rules in table 220 and into table 254. Either import from or export to would work but I haven't been able to find articles on the web addressing this issue.

Is this possible?

Hi,

I wrote two blog articles explaining how to achieve route based VPN with dynamic routing.

https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html
https://blog.sys4.de/routing-based-vpn-with-strongswan-ii-de.html

Kind regards,

I'll check it out. Thank you. I've tossed in a post as well:

https://microdevsys.com/wp/microsoft-azure-to-cloudera-cdh-via-vpn-gateway/

Included all the issues and successes I encountered along the way. Hope that helps someone.

--
Thx,
TK.
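Noel's suggestion in concrete form: a route-based tunnel over a VTI, where the IPsec policies match everything (0.0.0.0/0 both ways) and the decision of what enters the tunnel is made by ordinary routes through the virtual interface, which OSPF can see and advertise. The files below are an added example; they are neither the thread's configuration nor the linked blog's. Addresses are the thread's placeholders, and the interface name vti0, the mark/key 42, the leftid and the 10.255.0.0/30 link net are assumptions.

```conf
# Added example, neither the thread's files nor the linked blog's: a
# route-based site-to-site tunnel over a VTI so that OSPF can run across
# the virtual link instead of reading strongSwan's table 220.
# Addresses are the thread's placeholders; vti0, mark 42, leftid and the
# 10.255.0.0/30 link net are assumptions.

# ----- /etc/ipsec.conf -----
conn AZURE-VTI
    keyexchange=ikev2
    authby=secret
    auto=start
    # the gateway sits behind the main router, as in the thread
    left=192.168.0.12
    # identity the remote side expects (assumption: the public address)
    leftid=100.100.100.100
    right=123.123.123.123
    # wildcard selectors: what enters the tunnel is decided by routing
    # through vti0, not by narrow per-subnet policies
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    # the policies match packets carrying mark 42; the VTI key must be 42 too
    mark=42
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!

# ----- /etc/strongswan.conf -----
charon {
    # with 0.0.0.0/0 selectors charon would otherwise install a default
    # route into table 220; routing over vti0 is left to the routing daemon
    install_routes = no
}
```

The interface side is then created as root with `ip tunnel add vti0 local 192.168.0.12 remote 123.123.123.123 mode vti key 42`, `sysctl -w net.ipv4.conf.vti0.disable_policy=1`, `ip link set vti0 up` and `ip addr add 10.255.0.1/30 dev vti0`. Routes to the Azure subnets become plain routes (`ip route add 10.10.0.0/24 dev vti0` and so on), and ospfd makes them visible to the other on-prem VLANs either by declaring the link (`network 10.255.0.0/30 area 0`) when a routing daemon runs on the far end, or, when the remote gateway does not speak OSPF across the link, with `redistribute static` for those routes. `ip -s link show vti0` gives per-direction packet counters for the virtual link, which is the same send/receive check as on the policy-based setup.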