I am not trained in reading these reports, but what I see does appear to indicate that the VPN is indeed functioning and handling the traffic as requested. If someone who is trained could confirm this for me I would appreciate it.
Dave
Noel Kuntze wrote:

Hello David,

strongSwan by default builds policy based tunnels, not route based tunnels. Thus no interface is needed or created. Read up on how IPsec works on the wiki to get an understanding of it.

GUI indicators are not inherently related to whether any tunnel exists, or works.

Kind regards
Noel

On 01.07.21 at 20:31, David H Durgee wrote:

I thought it might make sense to revisit this after the progress that has been made. It now appears that the connection is being established:

Jun 29 11:21:34 Z560 charon-nm: 11[IKE] authentication of 'durgeeenterprises.publicvm.com' with EAP successful
Jun 29 11:21:34 Z560 charon-nm: 11[IKE] IKE_SA Durgee Enterprises, LLC[7] established between 192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
Jun 29 11:21:34 Z560 charon-nm: 11[IKE] scheduling rekeying in 35705s
Jun 29 11:21:34 Z560 charon-nm: 11[IKE] maximum IKE_SA lifetime 36305s
Jun 29 11:21:34 Z560 charon-nm: 11[IKE] installing new virtual IP 10.10.10.1
Jun 29 11:21:34 Z560 avahi-daemon[750]: Registering new address record for 10.10.10.1 on wlp5s0.IPv4.
Jun 29 11:21:34 Z560 charon-nm: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 29 11:21:34 Z560 charon-nm: 11[IKE] CHILD_SA Durgee Enterprises, LLC{4} established with SPIs c8cad4e5_i c3f2eec4_o and TS 10.10.10.1/32 === 0.0.0.0/0
Jun 29 11:21:34 Z560 charon-nm: 11[IKE] peer supports MOBIKE
Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.6991] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: VPN connection: (IP Config Get) reply received.
Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.6997] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: VPN plugin: state changed: started (4)
Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.6997] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: VPN connection: (IP4 Config Get) reply received
Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data: VPN Gateway: 108.31.28.59
Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data: Tunnel Device: (null)
Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data: IPv4 configuration:
Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data:   Internal Address: 10.10.10.1
Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data:   Internal Prefix: 32
Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data:   Internal Point-to-Point Address: 10.10.10.1
Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data:   Internal DNS: 8.8.8.8
Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data:   Internal DNS: 8.8.4.4
Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data:   DNS Domain: '(none)'
Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data: No IPv6 configuration
Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7013] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: VPN connection: (IP Config Get) complete

Unfortunately I am not seeing a tunnel interface being created and routing added:

enp6s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether b8:70:f4:2c:6b:9f  txqueuelen 1000  (Ethernet)
        RX packets 1143393  bytes 1164336056 (1.1 GB)
        RX errors 0  dropped 20  overruns 0  frame 0
        TX packets 912738  bytes 112966285 (112.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 95404  bytes 9207887 (9.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 95404  bytes 9207887 (9.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.114  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::562f:7604:6d84:57ca  prefixlen 64  scopeid 0x20<link>
        ether ac:81:12:a4:5e:43  txqueuelen 1000  (Ethernet)
        RX packets 5644  bytes 4264877 (4.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 62520
        TX packets 6377  bytes 1007195 (1.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17

dhdurgee@z560:~/Downloads$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    20600  0        0 wlp5s0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 wlp5s0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp5s0
dhdurgee@z560:~/Downloads$

In case it is needed for reference, here is the ipsec.conf on the server side:

config setup
    charondebug="ike 1, knl 1, cfg 1"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp2048,aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@durgeeenterprises.publicvm.com
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity

Here is the connection definition from /etc/NetworkManager/system-connections:

[connection]
id=Durgee Enterprises, LLC
uuid=72e4370d-ecfb-4e33-8572-5cf04431abb9
type=vpn
autoconnect=false
permissions=user:dhdurgee:;

[vpn]
address=durgeeenterprises.publicvm.com
certificate=/home/dhdurgee/Downloads/vpn_root_certificate.pem
encap=no
ipcomp=no
method=eap
password-flags=1
proposal=no
user=dhdurgee
virtual=yes
service-type=org.freedesktop.NetworkManager.strongswan

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto

[proxy]

The listed connection was created via the GUI. I have screenshots of the four pages from the GUI available for email, as they violate the size restrictions of posting here.

As the VPN connection is already working with Android and Windows systems, I want to make no changes to the ipsec.conf on the server. All changes should be made to the Linux connection.

I can only assume there are revisions to be made, hopefully via the GUI. Obviously if the GUI cannot address what is needed I can edit the connection directly.

Alternatively, am I misunderstanding what I am seeing and the tunnel is actually being established? I see only the WiFi icon on the bar at the bottom of the screen, just as I do when opening the WiFi connection. With another VPN service, now discontinued, I saw a different icon indicating the secured tunnel was open. This other discontinued service likewise created a tun interface and established a route via that interface.

If more information is required please let me know.

Dave
dhdurgee@z560:~/Downloads$ sudo ip xfrm policy list
src 10.10.10.3/32 dst 0.0.0.0/0
	dir out priority 383615
	tmpl src 192.168.1.114 dst 108.31.28.59
		proto esp spi 0xcfc85b48 reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.10.10.3/32
	dir fwd priority 383615
	tmpl src 108.31.28.59 dst 192.168.1.114
		proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.10.10.3/32
	dir in priority 383615
	tmpl src 108.31.28.59 dst 192.168.1.114
		proto esp reqid 1 mode tunnel
src fe80::/64 dst fe80::/64
	dir fwd priority 134463
src fe80::/64 dst fe80::/64
	dir in priority 134463
src fe80::/64 dst fe80::/64
	dir out priority 134463
src ::1/128 dst ::1/128
	dir fwd priority 68927
src ::1/128 dst ::1/128
	dir in priority 68927
src ::1/128 dst ::1/128
	dir out priority 68927
src 192.168.1.0/24 dst 192.168.1.0/24
	dir fwd priority 175423
src 192.168.1.0/24 dst 192.168.1.0/24
	dir in priority 175423
src 192.168.1.0/24 dst 192.168.1.0/24
	dir out priority 175423
src 169.254.0.0/16 dst 169.254.0.0/16
	dir fwd priority 183615
src 169.254.0.0/16 dst 169.254.0.0/16
	dir in priority 183615
src 169.254.0.0/16 dst 169.254.0.0/16
	dir out priority 183615
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0

dhdurgee@z560:~/Downloads$ sudo ip xfrm state list
src 192.168.1.114 dst 108.31.28.59
	proto esp spi 0xcfc85b48 reqid 1 mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha1) 0x4b048d80625a30c47558fc231af84befcab9f4e1 96
	enc cbc(aes) 0x2a2e30f7ea35339b8eeffe64321f7f446f113b8bf2d8131cfa2e54db61ded8dd
	encap type espinudp sport 42582 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0x28, bitmap 0x00000000
src 108.31.28.59 dst 192.168.1.114
	proto esp spi 0xc2bb60a3 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xb570b6149d971134fac06a51cec8701b05a68f68 96
	enc cbc(aes) 0xfdab1561b5527f6ddfbaa21b8bd9c0812449b3fda751cc837b94d1642e4bba4c
	encap type espinudp sport 4500 dport 42582 addr 0.0.0.0
	anti-replay context: seq 0x1d, oseq 0x0, bitmap 0x1fffffff
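As an added illustration of Noel's point (this is not code from the thread or from the strongSwan project): a policy-based IPsec tunnel never appears as an interface or a route, so "is the tunnel up and carrying traffic" is answered from the kernel's XFRM tables instead. The script below parses the text layout of `ip xfrm policy list` and `ip xfrm state list`, looks for the out/in/fwd policies that select the virtual IP with a tunnel-mode template to the gateway, checks that an ESP SA pair exists with the same reqid, and reads the anti-replay counters. The sample output is constructed to mirror the report above (virtual IP 10.10.10.3, gateway 108.31.28.59) with the key lines omitted; function names such as check_tunnel are my own.

```python
import re

# Constructed sample in the layout printed by `ip xfrm policy list` and
# `ip xfrm state list`. Addresses mirror the thread (virtual IP 10.10.10.3,
# client 192.168.1.114, gateway 108.31.28.59); the kernel's default socket
# policies and the SA key lines are left out because the check ignores them.
SAMPLE_POLICY = """\
src 10.10.10.3/32 dst 0.0.0.0/0
\tdir out priority 383615
\ttmpl src 192.168.1.114 dst 108.31.28.59
\t\tproto esp spi 0xcfc85b48 reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.10.10.3/32
\tdir fwd priority 383615
\ttmpl src 108.31.28.59 dst 192.168.1.114
\t\tproto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.10.10.3/32
\tdir in priority 383615
\ttmpl src 108.31.28.59 dst 192.168.1.114
\t\tproto esp reqid 1 mode tunnel
src 192.168.1.0/24 dst 192.168.1.0/24
\tdir out priority 175423
"""
SAMPLE_STATE = """\
src 192.168.1.114 dst 108.31.28.59
\tproto esp spi 0xcfc85b48 reqid 1 mode tunnel
\tencap type espinudp sport 42582 dport 4500 addr 0.0.0.0
\tanti-replay context: seq 0x0, oseq 0x28, bitmap 0x00000000
src 108.31.28.59 dst 192.168.1.114
\tproto esp spi 0xc2bb60a3 reqid 1 mode tunnel
\tencap type espinudp sport 4500 dport 42582 addr 0.0.0.0
\tanti-replay context: seq 0x1d, oseq 0x0, bitmap 0x1fffffff
"""


def _records(text):
    """Split ip xfrm output into records; each begins with an unindented 'src '."""
    recs, cur = [], []
    for line in text.splitlines():
        if line.startswith("src ") and cur:
            recs.append(" ".join(cur))
            cur = []
        if line.strip():
            cur.append(line.strip())
    return recs + [" ".join(cur)] if cur else recs


def parse_policies(text):
    """Return one dict per policy: selector, direction, priority and template (if any)."""
    out = []
    for rec in _records(text):
        head, _, tmpl = rec.partition(" tmpl ")
        m = re.match(r"src (\S+) dst (\S+) dir (\w+) priority (\d+)", head)
        if not m:  # socket policies have no 'dir' and are irrelevant here
            continue
        pol = dict(src=m[1], dst=m[2], dir=m[3], priority=int(m[4]), tmpl=None)
        t = re.match(r"src (\S+) dst (\S+) proto (\w+)(?: spi \S+)? reqid (\d+) mode (\w+)", tmpl)
        if t:
            pol["tmpl"] = dict(src=t[1], dst=t[2], proto=t[3], reqid=int(t[4]), mode=t[5])
        out.append(pol)
    return out


def parse_states(text):
    """Return one dict per SA: endpoints, SPI, reqid, mode, NAT-T encapsulation, counters."""
    out = []
    for rec in _records(text):
        m = re.match(r"src (\S+) dst (\S+) proto (\w+) spi (\S+) reqid (\d+) mode (\w+)", rec)
        if not m:
            continue
        st = dict(src=m[1], dst=m[2], spi=int(m[4], 16), reqid=int(m[5]), mode=m[6],
                  encap=None, seq=0, oseq=0)
        e = re.search(r"encap type (\w+) sport (\d+) dport (\d+)", rec)
        if e:
            st["encap"] = dict(type=e[1], sport=int(e[2]), dport=int(e[3]))
        # seq: highest sequence number accepted on an inbound SA;
        # oseq: outbound sequence counter, i.e. packets sent on an outbound SA.
        c = re.search(r"seq (0x[0-9a-f]+), oseq (0x[0-9a-f]+)", rec)
        if c:
            st["seq"], st["oseq"] = int(c[1], 16), int(c[2], 16)
        out.append(st)
    return out


def check_tunnel(policy_text, state_text, virtual_ip, gateway):
    """Report whether a policy-based tunnel for virtual_ip via gateway is installed."""
    vip = virtual_ip + "/32"
    pols, sas = parse_policies(policy_text), parse_states(state_text)
    tun = lambda p: p["tmpl"] is not None and p["tmpl"]["mode"] == "tunnel"
    out_p = [p for p in pols if tun(p) and p["dir"] == "out" and p["src"] == vip and p["tmpl"]["dst"] == gateway]
    in_p = [p for p in pols if tun(p) and p["dir"] in ("in", "fwd") and p["dst"] == vip and p["tmpl"]["src"] == gateway]
    out_sa = [s for s in sas if s["mode"] == "tunnel" and s["dst"] == gateway]
    in_sa = [s for s in sas if s["mode"] == "tunnel" and s["src"] == gateway]
    r = {
        "out_policy": bool(out_p),
        "in_fwd_policies": sorted(p["dir"] for p in in_p),
        "protects_all_traffic": any(p["dst"] == "0.0.0.0/0" for p in out_p),
        "sa_pair": bool(out_sa) and bool(in_sa),
        "nat_t": bool(out_sa + in_sa) and all(s["encap"] and s["encap"]["type"] == "espinudp" for s in out_sa + in_sa),
        "packets_sent": sum(s["oseq"] for s in out_sa),
        "packets_received": sum(s["seq"] for s in in_sa),
    }
    # A policy template only selects SAs with the same reqid; a mismatch means no traffic flows.
    r["reqid_match"] = bool(out_p + in_p) and {p["tmpl"]["reqid"] for p in out_p + in_p} == {s["reqid"] for s in out_sa + in_sa}
    r["tunnel_up"] = r["out_policy"] and len(r["in_fwd_policies"]) == 2 and r["sa_pair"] and r["reqid_match"]
    return r


if __name__ == "__main__":
    for key, value in check_tunnel(SAMPLE_POLICY, SAMPLE_STATE, "10.10.10.3", "108.31.28.59").items():
        print(f"{key:22} {value}")
```

On a live host the two texts would come from `sudo ip xfrm policy list` and `sudo ip xfrm state list`; the virtual IP is the one charon logs as "installing new virtual IP". Rising oseq/seq counters confirm that packets are actually being encapsulated and accepted, which NetworkManager's "Tunnel Device: (null)" line and the unchanged routing table cannot tell you; they do not prove the far end forwards the decrypted traffic, so a reachability test through the tunnel is still the final word.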