Sorry, other way around, 32666 and 220 works, but 0 doesn't.
0: from all lookup local
101:from 90.225.194.x lookup WAN1
102:from 10.248.0.x lookup WAN2
103:from 85.24.240.x lookup WAN3
121:from all fwmark 0x100/0xf00 lookup WAN1
122:from all fwmark 0x200/0xf00 lookup
Source hints?
I dont think so, I have noticed that it depends on which routing table
in strongswn.conf is configured for charon to install routes. The
behaviour seem different if I use 220, table 0 or main routing table. I
think if I use main routing table for route installation the source IP
There is nothing in the logs, i'm downing the tunnel then starting a
ping from a client to get it up while tailing the log file on the
gateway. Nothing related to that tunnel are shown at all...
The only tunnel that goes up by traffic is the tunnel with rightsubnet
0.0.0.0. When I disable
On 03.05.2017 13:27, Dusan Ilic wrote:
> The log just says that sometimes it chooses 0.0.0.0 as source, sometimes the
> gateway local Ip and sometimes the correct Public IP. Dont know if the
> problem is that left is %any as you proposed?
No. It's a race condition in your network
On 06.05.2017 14:29, Dusan Ilic wrote:
> Sorry to say I didnt follow you completely, what do you mean? Dont disabling
> route installation effectively mean that im forced to setup the same with
> updown-scriprs?
> Also, whats the difference setting a fwmark with netlink plugin? What
> behaviour
Sorry to say I didnt follow you completely, what do you mean? Dont disabling
route installation effectively mean that im forced to setup the same with
updown-scriprs?
Also, whats the difference setting a fwmark with netlink plugin? What behaviour
changes?
One observation, it looks like
As far as I can tell, there is effectively no useful change with charon
installing any routes in your case, because in your setup,
there aren't going to be any more network reachable over a non-default route.
On 05.05.2017 23:43, Dusan Ilic wrote:
> Hello Noel,
>
> You keep suggesting disabling
Hello Noel,
You keep suggesting disabling route installation (and before also a
random fwmark in netlink plugin), well, could you explain a little more
detailed what would/should happen if I follow these instructions, and
also what else I will have to do? I mean, without routes there will be
Hello Dusan,
On 05.05.2017 08:55, Dusan Ilic wrote:
> Okey, so I have tried different things now and I think that Charon source
> routing seem to work better (atleast it looks like if after a couple of
> reboots of the gateway). Im not source what did it, because I have both added
> an Iptable
Okey, so I have tried different things now and I think that Charon
source routing seem to work better (atleast it looks like if after a
couple of reboots of the gateway). Im not source what did it, because I
have both added an Iptable mangling rule for UDP port 500 (IKE) marrking
out the WAN
Okey, I will try some things out and see if it gets better. If not I
will return with some logs :)
I'm just thinking out loud here regarding Charon source route selection,
because you proposed leaving out the "left"-parameter (defaulting to
%any I think) and my router is multihomed, what about
On 03.05.2017 13:51, Dusan Ilic wrote:
> By the way, it seems the order of shunt connections do matter.
They don't. XFRM doesn't care about what order any policies are inserted, only
the TS and the priority.
> If I put it at the end after all other connections the network gets
> completely
By the way, it seems the order of shunt connections do matter. If I put it at
the end after all other connections the network gets completely cut off...looks
like I have to put it directly after the 0.0.0.0 connection.
Noel Kuntze skrev
>
>
>On 02.05.2017 17:41, Dusan Ilic wrote:
>>
The log just says that sometimes it chooses 0.0.0.0 as source, sometimes the
gateway local Ip and sometimes the correct Public IP. Dont know if the problem
is that left is %any as you proposed?
Also, Strongswan pick the LAN shunt connection for some incoming connections
attempts.
Another
On 02.05.2017 17:41, Dusan Ilic wrote:
>
> I see, thank you.
>
> Well, I seem to have random issues now with my new configuration.
>
> After restartin Strongswan sometiems it works, sometimes it don't Very
> unreliable.
> Sometimes it connects with right source interface, sometimes sending
I see, thank you.
Well, I seem to have random issues now with my new configuration.
After restartin Strongswan sometiems it works, sometimes it don't Very
unreliable.
Sometimes it connects with right source interface, sometimes sending
packet: from 0.0.0.0[500] to 94.x.x.x[500] (1316 bytes)
Yes, that's the reason why that happens. No, you need to start using another
subnet.
On 02.05.2017 02:02, Dusan Ilic wrote:
> I seem to have found the problem, it was on my local endpoint. The gateway
> have default IP-table rules in prerouting table dropping traffic entering any
>
I seem to have found the problem, it was on my local endpoint. The
gateway have default IP-table rules in prerouting table dropping traffic
entering any WAN-interface destined to a LAN-subnet, which I understand
is normal as long as their isn't any IPsec involved :) Below exlude rule
solves
I can't help you further easily. You need to check what happens to the packets
and what actually needs to happen.
On 30.04.2017 23:25, Dusan Ilic wrote:
>
> I have added following on local router
>
> iptables -t nat -I POSTROUTING -s 10.1.1.0/26 -o vlan847 -m policy --dir out
> --pol ipsec
I have added following on local router
iptables -t nat -I POSTROUTING -s 10.1.1.0/26 -o vlan847 -m policy --dir
out --pol ipsec --proto esp -j ACCEPT
(before it was iptables -t nat -I POSTROUTING -s 10.1.1.0/26 -d
192.168.1.0/24 -o vlan847 -m policy --dir out --pol ipsec --proto esp -j
Fix your NAT rules.
Am 30. April 2017 12:28:48 MESZ schrieb Dusan Ilic :
>Okey, so I found info about adding a "passthrough" connection for my
>local LAN. I have done this now and when i start the connection the
>network connection isn't cut off, however, it seems like my
Okey, so I found info about adding a "passthrough" connection for my
local LAN. I have done this now and when i start the connection the
network connection isn't cut off, however, it seems like my internet
traffic i still using my local gateway (browsed to a check my ip-page).
I can however
Hello Dusan,
On 29.04.2017 18:34, Dusan Ilic wrote:
> It works! I found a hidden setting under Phase 1 in Fortigate where i could
> add the local ID. Added it's dynamic dns hostname and now it connects.
Great!
>
> However, I still have issues with another endpoint I'm testing. My local
>
It works! I found a hidden setting under Phase 1 in Fortigate where i
could add the local ID. Added it's dynamic dns hostname and now it connects.
However, I still have issues with another endpoint I'm testing. My local
endpoint have Strongswan 5.5.1 and the remote endpoint have 4.5.2. Would
I just tested it with two hosts running strongSwan 5.5.2 and it works just fine.
This is a problem with the fortigate, which resolves its configured ID to an IP
address.
Try to find a way to turn that off.
Here are the two configurations I used (one with ipsec.conf, one with
swanctl.conf). They
For the Fortigate connection if I add in both locla and remote ID,
instead of only remote ID, i get the following:
authentication of '85.230.x.x' with pre-shared key successful
constraint check failed: identity 'remote.example' required
selected peer config 'site2site' inacceptable: constraint
I also tried with another remote endpoint with Strongswan too, and
reversed the config.
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
Den 2017-04-29 kl. 13:26, skrev Dusan Ilic:
no shared key found for 'local.example' - '137.135.x.x'
generating
no shared key found for 'local.example' - '137.135.x.x'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
The remote side is a Fortigate firewall, so I can't configure it the
same. I can just choose local interface (ie wan) and remote gateway IP
or Dynamic DNS, I have chosen Dynamic DNS.
Hello Dusan,
On 29.04.2017 02:25, Dusan Ilic wrote:
> Hi Noel,
>
> Okey, if I don't set "left" and initiate the connection it takes the wrong
> route (multiple WAN-interfaces) and the remote peer don't expect that source
> IP. Probably works better if the remote peer is initiating connection
Hi Noel,
Okey, if I don't set "left" and initiate the connection it takes the
wrong route (multiple WAN-interfaces) and the remote peer don't expect
that source IP. Probably works better if the remote peer is initiating
connection instead.
If I set "left=%local.example" and "right" /
Hello Dusan,
Don't set "left".
Set "right=%remoteDNSname" and "rightid="remoteDNSname". Use the following
verbatim as selector "remoteDNSname". DO NOT use %remoteDNSname".
Secrets are looked up based on the remote peer's ID, not the local one's.
There's no need to use IPs as IDs with IKEv2. The
Here is another example (dynamic DNS both sides), other side is initiating.
Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] x.x.x.200 is
initiating an IKE_SA
Apr 28 07:49:06 R6250 authpriv.info charon: 12[IKE] x.x.x.200 is
initiating an IKE_SA
Apr 28 07:49:06 R6250 daemon.info charon:
Thank you
Well for starters, I can paste the logs i had in an earlier thread. Are
you saying that site-2-site with PSK must use certificates when using
dynamic hostnames?
What about if only one side of the tunnel has a dynamic IP and dynamic
DNS (my side)? I have two remote peers, one using
On 27.04.2017 22:38, Dusan Ilic wrote:
> I would really appreciate some help with below also, Im having a Hard time
> understanding how Strongswan chooses connection definitions and ipsec secrets.
Based on IPs, identities and authentication methods.
>
> For example, how can I setup an ikev2 psk
I would really appreciate some help with below also, Im having a Hard
time understanding how Strongswan chooses connection definitions and
ipsec secrets.
For example, how can I setup an ikev2 psk tunnel between two hosts with
dynamic dns?
Can I have several ip secrets or connections with
I tried something like this, so that only the VPN-client subnet are
marked differently from ordinary traffic on vlan847, but it doesn't seem
to work.
iptables -t mangle -I PREROUTING -s VPN-clientIP -i vlan847 -m policy
--dir in --pol ipsec --proto esp -j M
ARK --set-mark 0x200/0xf00
Below
I have found the issue! Not a Strongswan one after all :)
This is my ip rules output:
# ip rule
0: from all lookup local
100:from 85.24.x.x lookup WAN1
101:from 90.225.x.x lookup WAN2
102:from 10.248.x.x lookup WAN3
104:from 46.195.x.x lookup WAN4
121:from all fwmark
Hello Dusan,
In general, charon does not route any packets of the kernel. Charon is out of
the loop there,
however, it installs routes into routing table 220 by default to make sure the
packets
that are going to be protected with IPsec reach the remote subnet.
This means that when charon picks
Hi again Tobias,
After reading your post once more I suspect we are talking about different
things. I see you qouted my question why the last multipath is being chosen by
Strongswan when configuring left=%any and initiating the connection, however Im
talking about the route Strongswan chooses
I need load distribution and policy routing just dont cut it,its to static.
All Ipsec connections are configured in ipsec.conf to use vlsn847 interface for
incoming connections (left) which means Strongswan always use that route as
initiatiator and responder, only problem is that Strongswan
Hi,
> How exactly do these kind of kind of multipath routes compare to
> multiple routes with different priorities/metrics? In your case you
> have multiple paths with the same weight, how is the actual
> nexthop/interface chosen by the kernel?
The nexthop of a multipath route is selected
Hi Dusan,
> default
> nexthop via 90.225.x.x dev vlan845 weight 1
> nexthop via 10.248.x.x dev ppp0 weight 256
> nexthop via 85.24.x.x dev vlan847 weight 1
> nexthop via 46.195.x.x dev ppp1 weight 1
>
> My gateway is configured to use 10.248.0.x as "default
No one?
Den 2017-04-21 kl. 10:16, skrev Dusan Ilic:
Hi!
I have some issues, please read on.
1. I have one side of the IP-sec tunnel with dynamic IP (associated
with a dynamic hostname), I would like not need to change the
"left"-parameter in both ipsec.conf and ipsec.secrets whenever the
Okey, one correction
left=%hostname is working for one of my tunnels, but not the other. See
below.
The working:
sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt
Authority X3"
authentication of 'hostname' (myself) with pre-shared key
establishing CHILD_SA Azure
generating
Hi!
I have some issues, please read on.
1. I have one side of the IP-sec tunnel with dynamic IP (associated with
a dynamic hostname), I would like not need to change the
"left"-parameter in both ipsec.conf and ipsec.secrets whenever the local
WAN IP changes, so I have tried putting "left =
45 matches
Mail list logo