Hello everyone! I have problems setting up a roadwarrior config. Both ends sit behind a NAT; the roadwarrior/initiator as usual with unpredictable IPs, the server/responder with a fixed set of public/private IPs (198.51.100.33/192.168.1.1). I shall write the initiator addresses as rw.pp.uu.bb and rw.ii.nn.tt, respectively. The 198.51.100.33 is, as is common with NAT, in fact the public address of the whole LAN behind it, but incoming connections to udp/500 and udp/4500 are being forwarded to the responder.
Currently, my issue is that the tunnel seems to get established correctly, but when trying to ping the responder from the initiator, the ICMP packets travel back and forth in clear. This is the status output from the initiator:

000 Connection list:
000
000 "main": 0.0.0.0/0===rw.ii.nn.tt[C=ZZ, O=Privdomain, CN=roadw.privdomain]---192.168.43.65...198.51.100.33[%fromcert]===192.168.1.1/32; unrouted; eroute owner: #0
000 "main": oriented; my_ip=unset; their_ip=unset; mycert=roadw; my_updown=ipsec _updown;
000 "main": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "main": our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+RSASIG_v1_5, our autheap:none, their autheap:none;
000 "main": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "main": sec_label:unset;
000 "main": CAs: 'CN=Privdomain CA'...'CN=Privdomain CA'
000 "main": ike_life: 28800s; ipsec_life: 3600s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "main": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "main": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "main": policy: IKEv2+RSASIG+RSASIG_v1_5+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+failureDROP;
000 "main": v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "main": conn_prio: 0,32; interface: wlp4s2; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "main": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "main": our idtype: ID_DER_ASN1_DN; our id=C=ZZ, O=Privdomain, CN=roadw.privdomain; their idtype: %fromcert; their id=%fromcert
000 "main": liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "main": nat-traversal: encaps:auto; keepalive:20s
000 "main": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $1;
000 "main"[1]: rw.pp.uu.bb/32===rw.ii.nn.tt[C=ZZ, O=Privdomain, CN=roadw.privdomain]---192.168.43.65...198.51.100.33:4500[C=ZZ, O=Privdomain, CN=server.privdomain]===192.168.1.1/32; erouted; eroute owner: #8
000 "main"[1]: oriented; my_ip=unset; their_ip=unset; mycert=roadw; my_updown=ipsec _updown;
000 "main"[1]: xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "main"[1]: our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+RSASIG_v1_5, our autheap:none, their autheap:none;
000 "main"[1]: modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "main"[1]: sec_label:unset;
000 "main"[1]: CAs: 'CN=Privdomain CA'...'CN=Privdomain CA'
000 "main"[1]: ike_life: 28800s; ipsec_life: 3600s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2;
000 "main"[1]: retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "main"[1]: initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "main"[1]: policy: IKEv2+RSASIG+RSASIG_v1_5+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+failureDROP;
000 "main"[1]: v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "main"[1]: conn_prio: 32,32; interface: wlp4s2; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "main"[1]: nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "main"[1]: our idtype: ID_DER_ASN1_DN; our id=C=ZZ, O=Privdomain, CN=roadw.privdomain; their idtype: ID_DER_ASN1_DN; their id=C=ZZ, O=Privdomain, CN=server.privdomain
000 "main"[1]: liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "main"[1]: nat-traversal: encaps:auto; keepalive:20s
000 "main"[1]: newest IKE SA: #7; newest IPsec SA: #8; conn serial: $2, instantiated from: $1;
000 "main"[1]: IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-MODP2048
000 "main"[1]: ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 2, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #7: "main"[1] 198.51.100.33:4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27182s; REPLACE in 27743s; newest; idle;
000 #8: "main"[1] 198.51.100.33:4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 1858s; REPLACE in 2543s; newest; eroute owner; IKE SA #7; idle;
000 #8: "main"[1] 198.51.100.33 [email protected] [email protected] [email protected] [email protected] Traffic: ESPin=0B ESPout=0B ESPmax=2^63B
000
000 Bare Shunt list:
000

Here, 192.168.43.65 seems to be the gateway/next hop of rw.ii.nn.tt. /proc/net/xfrm_stat shows only zeroes. The xfrm policies seem OK to me:

src rw.pp.uu.bb/32 dst 192.168.1.1/32
	dir out priority 1753280 ptype main
	tmpl src rw.ii.nn.tt dst 198.51.100.33
		proto esp reqid 16393 mode tunnel
src 192.168.1.1/32 dst rw.pp.uu.bb/32
	dir fwd priority 1753280 ptype main
	tmpl src 198.51.100.33 dst rw.ii.nn.tt
		proto esp reqid 16393 mode tunnel
src 192.168.1.1/32 dst rw.pp.uu.bb/32
	dir in priority 1753280 ptype main
	tmpl src 198.51.100.33 dst rw.ii.nn.tt
		proto esp reqid 16393 mode tunnel

What am I missing?

Many thanks,
Phil

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
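Added example, not part of the post or of Libreswan: the three xfrm policies quoted above, parsed and checked against a ping flow from each of the road warrior's two addresses. An outbound packet is only handed to ESP if some "dir out" selector covers its source and destination; anything else leaves the host in clear. The addresses 203.0.113.7 and 192.168.43.100 are constructed stand-ins for the redacted rw.pp.uu.bb and rw.ii.nn.tt.

```python
import ipaddress
import re

# Constructed stand-ins for the two addresses redacted in the post:
# rw.pp.uu.bb (public NAT address) and rw.ii.nn.tt (LAN address of the road warrior).
RW_PUBLIC = "203.0.113.7"
RW_INTERNAL = "192.168.43.100"

# The three policies from the post, in `ip xfrm policy` layout, placeholders substituted.
XFRM_POLICY_DUMP = f"""
src {RW_PUBLIC}/32 dst 192.168.1.1/32
        dir out priority 1753280 ptype main
        tmpl src {RW_INTERNAL} dst 198.51.100.33
                proto esp reqid 16393 mode tunnel
src 192.168.1.1/32 dst {RW_PUBLIC}/32
        dir fwd priority 1753280 ptype main
        tmpl src 198.51.100.33 dst {RW_INTERNAL}
                proto esp reqid 16393 mode tunnel
src 192.168.1.1/32 dst {RW_PUBLIC}/32
        dir in priority 1753280 ptype main
        tmpl src 198.51.100.33 dst {RW_INTERNAL}
                proto esp reqid 16393 mode tunnel
"""

# Selector (src, dst), direction, and the tunnel-mode template endpoints of each policy.
POLICY_RE = re.compile(
    r"src (\S+) dst (\S+)\s+dir (\w+) .*?tmpl src (\S+) dst (\S+)\s+proto esp",
    re.S,
)

def parse_policies(dump):
    """Return one dict per policy: selector networks, direction, tunnel endpoints."""
    return [
        {"src": ipaddress.ip_network(s), "dst": ipaddress.ip_network(d),
         "dir": direction, "tmpl": (ts, td)}
        for s, d, direction, ts, td in POLICY_RE.findall(dump)
    ]

def matching_policy(policies, src_ip, dst_ip, direction):
    """First policy whose selector covers the flow in that direction, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None

def protected(policies, src_ip, dst_ip):
    """True if an outbound packet src_ip -> dst_ip would be wrapped in ESP."""
    return matching_policy(policies, src_ip, dst_ip, "out") is not None
```

Run against the dump, a ping sourced from the public stand-in matches the "dir out" selector, while one sourced from the LAN stand-in matches nothing and would therefore travel in clear; the same check applied to real `ip xfrm policy` output tells you which local source address the kernel expects the protected traffic to use.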
