Re: [strongSwan] Tunnels with dynamic IP and another route issue

Sorry, other way around, 32666 and 220 works, but 0 doesn't. 0: from all lookup local 101:from 90.225.194.x lookup WAN1 102:from 10.248.0.x lookup WAN2 103:from 85.24.240.x lookup WAN3 121:from all fwmark 0x100/0xf00 lookup WAN1 122:from all fwmark 0x200/0xf00 lookup

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Source hints? I dont think so, I have noticed that it depends on which routing table in strongswn.conf is configured for charon to install routes. The behaviour seem different if I use 220, table 0 or main routing table. I think if I use main routing table for route installation the source IP

Re: [strongSwan] Tunnels with dynamic IP and another route issue

There is nothing in the logs, i'm downing the tunnel then starting a ping from a client to get it up while tailing the log file on the gateway. Nothing related to that tunnel are shown at all... The only tunnel that goes up by traffic is the tunnel with rightsubnet 0.0.0.0. When I disable

Re: [strongSwan] Tunnels with dynamic IP and another route issue

On 03.05.2017 13:27, Dusan Ilic wrote: > The log just says that sometimes it chooses 0.0.0.0 as source, sometimes the > gateway local Ip and sometimes the correct Public IP. Dont know if the > problem is that left is %any as you proposed? No. It's a race condition in your network

Re: [strongSwan] Tunnels with dynamic IP and another route issue

On 06.05.2017 14:29, Dusan Ilic wrote: > Sorry to say I didnt follow you completely, what do you mean? Dont disabling > route installation effectively mean that im forced to setup the same with > updown-scriprs? > Also, whats the difference setting a fwmark with netlink plugin? What > behaviour

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Sorry to say I didnt follow you completely, what do you mean? Dont disabling route installation effectively mean that im forced to setup the same with updown-scriprs? Also, whats the difference setting a fwmark with netlink plugin? What behaviour changes? One observation, it looks like

Re: [strongSwan] Tunnels with dynamic IP and another route issue

As far as I can tell, there is effectively no useful change with charon installing any routes in your case, because in your setup, there aren't going to be any more network reachable over a non-default route. On 05.05.2017 23:43, Dusan Ilic wrote: > Hello Noel, > > You keep suggesting disabling

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Hello Noel, You keep suggesting disabling route installation (and before also a random fwmark in netlink plugin), well, could you explain a little more detailed what would/should happen if I follow these instructions, and also what else I will have to do? I mean, without routes there will be

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Hello Dusan, On 05.05.2017 08:55, Dusan Ilic wrote: > Okey, so I have tried different things now and I think that Charon source > routing seem to work better (atleast it looks like if after a couple of > reboots of the gateway). Im not source what did it, because I have both added > an Iptable

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Okey, so I have tried different things now and I think that Charon source routing seem to work better (atleast it looks like if after a couple of reboots of the gateway). Im not source what did it, because I have both added an Iptable mangling rule for UDP port 500 (IKE) marrking out the WAN

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Okey, I will try some things out and see if it gets better. If not I will return with some logs :) I'm just thinking out loud here regarding Charon source route selection, because you proposed leaving out the "left"-parameter (defaulting to %any I think) and my router is multihomed, what about

Re: [strongSwan] Tunnels with dynamic IP and another route issue

On 03.05.2017 13:51, Dusan Ilic wrote: > By the way, it seems the order of shunt connections do matter. They don't. XFRM doesn't care about what order any policies are inserted, only the TS and the priority. > If I put it at the end after all other connections the network gets > completely

Re: [strongSwan] Tunnels with dynamic IP and another route issue

By the way, it seems the order of shunt connections do matter. If I put it at the end after all other connections the network gets completely cut off...looks like I have to put it directly after the 0.0.0.0 connection. Noel Kuntze skrev > > >On 02.05.2017 17:41, Dusan Ilic wrote: >>

Re: [strongSwan] Tunnels with dynamic IP and another route issue

The log just says that sometimes it chooses 0.0.0.0 as source, sometimes the gateway local Ip and sometimes the correct Public IP. Dont know if the problem is that left is %any as you proposed? Also, Strongswan pick the LAN shunt connection for some incoming connections attempts. Another

Re: [strongSwan] Tunnels with dynamic IP and another route issue

On 02.05.2017 17:41, Dusan Ilic wrote: > > I see, thank you. > > Well, I seem to have random issues now with my new configuration. > > After restartin Strongswan sometiems it works, sometimes it don't Very > unreliable. > Sometimes it connects with right source interface, sometimes sending

Re: [strongSwan] Tunnels with dynamic IP and another route issue

I see, thank you. Well, I seem to have random issues now with my new configuration. After restartin Strongswan sometiems it works, sometimes it don't Very unreliable. Sometimes it connects with right source interface, sometimes sending packet: from 0.0.0.0[500] to 94.x.x.x[500] (1316 bytes)

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Yes, that's the reason why that happens. No, you need to start using another subnet. On 02.05.2017 02:02, Dusan Ilic wrote: > I seem to have found the problem, it was on my local endpoint. The gateway > have default IP-table rules in prerouting table dropping traffic entering any >

Re: [strongSwan] Tunnels with dynamic IP and another route issue

I seem to have found the problem, it was on my local endpoint. The gateway have default IP-table rules in prerouting table dropping traffic entering any WAN-interface destined to a LAN-subnet, which I understand is normal as long as their isn't any IPsec involved :) Below exlude rule solves

Re: [strongSwan] Tunnels with dynamic IP and another route issue

I can't help you further easily. You need to check what happens to the packets and what actually needs to happen. On 30.04.2017 23:25, Dusan Ilic wrote: > > I have added following on local router > > iptables -t nat -I POSTROUTING -s 10.1.1.0/26 -o vlan847 -m policy --dir out > --pol ipsec

Re: [strongSwan] Tunnels with dynamic IP and another route issue

I have added following on local router iptables -t nat -I POSTROUTING -s 10.1.1.0/26 -o vlan847 -m policy --dir out --pol ipsec --proto esp -j ACCEPT (before it was iptables -t nat -I POSTROUTING -s 10.1.1.0/26 -d 192.168.1.0/24 -o vlan847 -m policy --dir out --pol ipsec --proto esp -j

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Fix your NAT rules. Am 30. April 2017 12:28:48 MESZ schrieb Dusan Ilic : >Okey, so I found info about adding a "passthrough" connection for my >local LAN. I have done this now and when i start the connection the >network connection isn't cut off, however, it seems like my

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Okey, so I found info about adding a "passthrough" connection for my local LAN. I have done this now and when i start the connection the network connection isn't cut off, however, it seems like my internet traffic i still using my local gateway (browsed to a check my ip-page). I can however

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Hello Dusan, On 29.04.2017 18:34, Dusan Ilic wrote: > It works! I found a hidden setting under Phase 1 in Fortigate where i could > add the local ID. Added it's dynamic dns hostname and now it connects. Great! > > However, I still have issues with another endpoint I'm testing. My local >

Re: [strongSwan] Tunnels with dynamic IP and another route issue

It works! I found a hidden setting under Phase 1 in Fortigate where i could add the local ID. Added it's dynamic dns hostname and now it connects. However, I still have issues with another endpoint I'm testing. My local endpoint have Strongswan 5.5.1 and the remote endpoint have 4.5.2. Would

Re: [strongSwan] Tunnels with dynamic IP and another route issue

I just tested it with two hosts running strongSwan 5.5.2 and it works just fine. This is a problem with the fortigate, which resolves its configured ID to an IP address. Try to find a way to turn that off. Here are the two configurations I used (one with ipsec.conf, one with swanctl.conf). They

Re: [strongSwan] Tunnels with dynamic IP and another route issue

For the Fortigate connection if I add in both locla and remote ID, instead of only remote ID, i get the following: authentication of '85.230.x.x' with pre-shared key successful constraint check failed: identity 'remote.example' required selected peer config 'site2site' inacceptable: constraint

Re: [strongSwan] Tunnels with dynamic IP and another route issue

I also tried with another remote endpoint with Strongswan too, and reversed the config. parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] received AUTHENTICATION_FAILED notify error Den 2017-04-29 kl. 13:26, skrev Dusan Ilic: no shared key found for 'local.example' - '137.135.x.x' generating

Re: [strongSwan] Tunnels with dynamic IP and another route issue

no shared key found for 'local.example' - '137.135.x.x' generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ] The remote side is a Fortigate firewall, so I can't configure it the same. I can just choose local interface (ie wan) and remote gateway IP or Dynamic DNS, I have chosen Dynamic DNS.

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Hello Dusan, On 29.04.2017 02:25, Dusan Ilic wrote: > Hi Noel, > > Okey, if I don't set "left" and initiate the connection it takes the wrong > route (multiple WAN-interfaces) and the remote peer don't expect that source > IP. Probably works better if the remote peer is initiating connection

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Hi Noel, Okey, if I don't set "left" and initiate the connection it takes the wrong route (multiple WAN-interfaces) and the remote peer don't expect that source IP. Probably works better if the remote peer is initiating connection instead. If I set "left=%local.example" and "right" /

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Hello Dusan, Don't set "left". Set "right=%remoteDNSname" and "rightid="remoteDNSname". Use the following verbatim as selector "remoteDNSname". DO NOT use %remoteDNSname". Secrets are looked up based on the remote peer's ID, not the local one's. There's no need to use IPs as IDs with IKEv2. The

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Here is another example (dynamic DNS both sides), other side is initiating. Apr 28 07:49:06 R6250 daemon.info charon: 12[IKE] x.x.x.200 is initiating an IKE_SA Apr 28 07:49:06 R6250 authpriv.info charon: 12[IKE] x.x.x.200 is initiating an IKE_SA Apr 28 07:49:06 R6250 daemon.info charon:

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Thank you Well for starters, I can paste the logs i had in an earlier thread. Are you saying that site-2-site with PSK must use certificates when using dynamic hostnames? What about if only one side of the tunnel has a dynamic IP and dynamic DNS (my side)? I have two remote peers, one using

Re: [strongSwan] Tunnels with dynamic IP and another route issue

On 27.04.2017 22:38, Dusan Ilic wrote: > I would really appreciate some help with below also, Im having a Hard time > understanding how Strongswan chooses connection definitions and ipsec secrets. Based on IPs, identities and authentication methods. > > For example, how can I setup an ikev2 psk

Re: [strongSwan] Tunnels with dynamic IP and another route issue

I would really appreciate some help with below also, Im having a Hard time understanding how Strongswan chooses connection definitions and ipsec secrets. For example, how can I setup an ikev2 psk tunnel between two hosts with dynamic dns? Can I have several ip secrets or connections with

Re: [strongSwan] Tunnels with dynamic IP and another route issue

I tried something like this, so that only the VPN-client subnet are marked differently from ordinary traffic on vlan847, but it doesn't seem to work. iptables -t mangle -I PREROUTING -s VPN-clientIP -i vlan847 -m policy --dir in --pol ipsec --proto esp -j M ARK --set-mark 0x200/0xf00 Below

Re: [strongSwan] Tunnels with dynamic IP and another route issue

I have found the issue! Not a Strongswan one after all :) This is my ip rules output: # ip rule 0: from all lookup local 100:from 85.24.x.x lookup WAN1 101:from 90.225.x.x lookup WAN2 102:from 10.248.x.x lookup WAN3 104:from 46.195.x.x lookup WAN4 121:from all fwmark

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Hello Dusan, In general, charon does not route any packets of the kernel. Charon is out of the loop there, however, it installs routes into routing table 220 by default to make sure the packets that are going to be protected with IPsec reach the remote subnet. This means that when charon picks

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Hi again Tobias, After reading your post once more I suspect we are talking about different things. I see you qouted my question why the last multipath is being chosen by Strongswan when configuring left=%any and initiating the connection, however Im talking about the route Strongswan chooses

Re: [strongSwan] Tunnels with dynamic IP and another route issue

I need load distribution and policy routing just dont cut it,its to static. All Ipsec connections are configured in ipsec.conf to use vlsn847 interface for incoming connections (left) which means Strongswan always use that route as initiatiator and responder, only problem is that Strongswan

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Hi, > How exactly do these kind of kind of multipath routes compare to > multiple routes with different priorities/metrics?  In your case you > have multiple paths with the same weight, how is the actual > nexthop/interface chosen by the kernel? The nexthop of a multipath route is selected

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Hi Dusan, > default > nexthop via 90.225.x.x dev vlan845 weight 1 > nexthop via 10.248.x.x dev ppp0 weight 256 > nexthop via 85.24.x.x dev vlan847 weight 1 > nexthop via 46.195.x.x dev ppp1 weight 1 > > My gateway is configured to use 10.248.0.x as "default

Re: [strongSwan] Tunnels with dynamic IP and another route issue

No one? Den 2017-04-21 kl. 10:16, skrev Dusan Ilic: Hi! I have some issues, please read on. 1. I have one side of the IP-sec tunnel with dynamic IP (associated with a dynamic hostname), I would like not need to change the "left"-parameter in both ipsec.conf and ipsec.secrets whenever the

Re: [strongSwan] Tunnels with dynamic IP and another route issue

Okey, one correction left=%hostname is working for one of my tunnels, but not the other. See below. The working: sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" authentication of 'hostname' (myself) with pre-shared key establishing CHILD_SA Azure generating

[strongSwan] Tunnels with dynamic IP and another route issue

Hi! I have some issues, please read on. 1. I have one side of the IP-sec tunnel with dynamic IP (associated with a dynamic hostname), I would like not need to change the "left"-parameter in both ipsec.conf and ipsec.secrets whenever the local WAN IP changes, so I have tried putting "left =