Hello Volker,

We have an ongoing routing problem since the attempt to migrate from 
strongswan-4.x.x to strongswan-5.1.x

The current network segment infrastructure is as follows:

      192.168.169.0 / 24 (frqx)
       ||                 ||
       ||                 ||
       ||                 ||
192.168.0.0/24(spb)    192.168.4.0/24 (hmnet)
   wave              karma


[root@wave ~]# ping aah.prs.ucp
PING aah.prs.ucp (192.168.169.60) 56(84) bytes of data.
64 bytes from ns.prs.ucp (192.168.169.60): icmp_seq=1 ttl=63 time=88.9 ms
64 bytes from ns.prs.ucp (192.168.169.60): icmp_seq=2 ttl=63 time=90.6 ms

--- aah.prs.ucp ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 88.991/89.842/90.693/0.851 ms

The tunnels above work fine, with pings succeeding in all the directions shown.

But as soon as we try to establish the spb-hmnet tunnel (between the wave and karma 
hosts), the routing breaks and neither of the networks can be reached any more.

Here are some extracts of the working setup:

[root@wave ~]# vi /etc/strongswan/ipsec.conf 

conn %default
        left=%defaultroute
        leftcert=wave2034.hostCert.pem

conn spb-hmnet
     leftsubnet=192.168.0.0/24
     leftid=hq.spb@ucp
     right=xx.xx.221.28
     #rightsubnet=192.168.4.0/24
     rightsubnet=0.0.0.0/0
     rightcert=peercerts/karmaY2034.hostCert.pem
     rightid=@karma.ucp
     leftfirewall=yes
     auto=add
     #auto=start

The other side on karma:
conn hmnet-spb
        leftid=@karma.ucp
        leftsendcert=never
        leftsubnet=192.168.4.0/24
        leftfirewall=yes
        #rightsubnet=192.168.0.0/24
        rightsubnet=0.0.0.0/0
        right=xx.xx.122.170
        rightcert=peercerts/wave2034.hostCert.pem
        rightid=hq.spb@ucp
        keyexchange=ikev2
        mobike=yes
        compress=yes


The ESP packets are exempt from NAT:
[root@wave ~]# iptables -L -n -v -t nat --line-numbers
Chain PREROUTING (policy ACCEPT 5776K packets, 491M bytes)
num   pkts bytes target     prot opt in     out     source               
destination         
1        0     0 ACCEPT     udp  --  eth1   *       192.168.0.0/24       
192.168.169.60      udp dpt:4569 

Chain POSTROUTING (policy ACCEPT 559K packets, 40M bytes)
num   pkts bytes target     prot opt in     out     source               
destination         
1     293K   38M ACCEPT     all  --  *      *       192.168.0.0/16       
192.168.0.0/16      
2      326 20826 ACCEPT     all  --  *      *       192.168.0.0/16       
88.174.230.112      
3    4865K  322M SNAT      !esp  --  *      eth0    0.0.0.0/0           
!192.168.0.0/16      to:xx.xx.122.170 


         
[root@wave ~]# strongswan restart
Stopping strongSwan IPsec...
Starting strongSwan 5.1.0 IPsec [starter]...
[root@wave ~]# ping aah.prs.ucp
PING aah.prs.ucp (192.168.169.60) 56(84) bytes of data.
64 bytes from aah.prs.ucp (192.168.169.60): icmp_seq=1 ttl=63 time=87.9 ms

--- aah.prs.ucp ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 87.939/87.939/87.939/0.000 ms
[root@wave ~]# strongswan up spb-hmnet
initiating IKE_SA spb-hmnet[2] to xx.xx.221.28
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from xx.xx.122.170[500] to xx.xx.221.28[500] (708 bytes)
received packet: from xx.xx.221.28[500] to xx.xx.122.170[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ 
N(MULT_AUTH) ]
received cert request for "OU=CA, CN=certauth"
sending cert request for "OU=CA, CN=certauth"
authentication of 'hq.spb@ucp' (myself) with RSA signature successful
establishing CHILD_SA spb-hmnet
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH 
N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from xx.xx.122.170[4500] to xx.xx.221.28[4500] (556 bytes)
received packet: from xx.xx.221.28[4500] to xx.xx.122.170[4500] (524 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(AUTH_LFT) 
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
  using trusted ca certificate "OU=CA, CN=certauth"
checking certificate status of "OU=hmnet, CN=karma.ucp"
certificate status is not available
  reached self-signed root ca with a path length of 0
  using trusted certificate "OU=hmnet, CN=karma.ucp"
authentication of 'karma.ucp' with RSA signature successful
IKE_SA spb-hmnet[2] established between 
xx.xx.122.170[hq.spb@ucp]...xx.xx.221.28[karma.ucp]
scheduling reauthentication in 10033s
maximum IKE_SA lifetime 10573s
connection 'spb-hmnet' established successfully

The remote network cannot be reached:
[root@wave ~]# ping 192.168.4.10
PING 192.168.4.10 (192.168.4.10) 56(84) bytes of data.

--- 192.168.4.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1001ms

[root@wave ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.1.0, Linux 2.6.18-92.1.22.el5, i686):
  uptime: 54 seconds, since Jan 17 02:54:04 2014
  malloc: sbrk 278528, mmap 0, used 169296, free 109232
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 6
  loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 
revocation constraints pubkey pkcs1 pkcs8 pgp dnskey sshkey pem fips-prf gmp 
xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown 
eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap 
xauth-generic xauth-eap dhcp
Listening IP addresses:
  192.168.0.100
  xx.xx.122.170
Connections:
    spb-frqx:  %any...88.174.230.112  IKEv2
    spb-frqx:   local:  [OU=spb, CN=wave.spb] uses public key authentication
    spb-frqx:    cert:  "OU=spb, CN=wave.spb"
    spb-frqx:   remote: [OU=frqx, CN=vpn.ucp] uses public key authentication
    spb-frqx:    cert:  "OU=frqx, CN=vpn.ucp"
    spb-frqx:   child:  192.168.0.0/24 === 192.168.169.0/24 TUNNEL
   spb-hmnet:  %any...xx.xx.221.28  IKEv2
   spb-hmnet:   local:  [hq.spb@ucp] uses public key authentication
   spb-hmnet:    cert:  "OU=spb, CN=wave.spb"
   spb-hmnet:   remote: [karma.ucp] uses public key authentication
   spb-hmnet:    cert:  "OU=hmnet, CN=karma.ucp"
   spb-hmnet:   child:  192.168.0.0/24 === 0.0.0.0/0 TUNNEL
Security Associations (2 up, 0 connecting):
   spb-hmnet[2]: ESTABLISHED 30 seconds ago, 
xx.xx.122.170[hq.spb@ucp]...xx.xx.221.28[karma.ucp]
   spb-hmnet[2]: IKEv2 SPIs: 732b6c40b2a9066c_i* f1fe7cd05d976861_r, public key 
reauthentication in 2 hours
   spb-hmnet[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
   spb-hmnet{2}:  INSTALLED, TUNNEL, ESP SPIs: c83dd53d_i c16f00ac_o, IPCOMP 
CPIs: 2c17_i 9671_o
   spb-hmnet{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 304 bytes_o (2 pkts, 7s 
ago), rekeying in 49 minutes
   spb-hmnet{2}:   192.168.0.0/24 === 192.168.4.0/24 
    spb-frqx[1]: ESTABLISHED 53 seconds ago, xx.xx.122.170[OU=spb, 
CN=wave.spb]...88.174.230.112[OU=frqx, CN=vpn.ucp]
    spb-frqx[1]: IKEv2 SPIs: 7af4eef8e3ebff9b_i* ce20c08648668d96_r, public key 
reauthentication in 2 hours
    spb-frqx[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    spb-frqx{1}:  INSTALLED, TUNNEL, ESP SPIs: c513db0a_i ca6b1f8e_o, IPCOMP 
CPIs: 466d_i c3f7_o
    spb-frqx{1}:  AES_CBC_128/HMAC_SHA1_96, 4216 bytes_i (13 pkts, 1s ago), 
5384 bytes_o (13 pkts, 1s ago), rekeying in 48 minutes
    spb-frqx{1}:   192.168.0.0/24 === 192.168.169.0/24 

[root@wave ~]# ping aah.prs.ucp
PING aah.prs.ucp (192.168.169.60) 56(84) bytes of data.

--- aah.prs.ucp ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

[root@wave ~]# ping xx.xx.221.28
PING xx.xx.221.28 (xx.xx.221.28) 56(84) bytes of data.
64 bytes from xx.xx.221.28: icmp_seq=1 ttl=48 time=73.7 ms

--- xx.xx.221.28 ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time 1001ms
rtt min/avg/max/mdev = 73.790/73.790/73.790/0.000 ms
[root@wave ~]# ping 192.168.4.10
PING 192.168.4.10 (192.168.4.10) 56(84) bytes of data.

--- 192.168.4.10 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

[root@wave ~]# ping 192.168.4.87
PING 192.168.4.87 (192.168.4.87) 56(84) bytes of data.


[root@wave ~]# strongswan down spb-hmnet
deleting IKE_SA spb-hmnet[2] between 
xx.xx.122.170[hq.spb@ucp]...xx.xx.221.28[karma.ucp]
sending DELETE for IKE_SA spb-hmnet[2]
generating INFORMATIONAL request 2 [ D ]
sending packet: from xx.xx.122.170[4500] to xx.xx.221.28[4500] (76 bytes)
received packet: from xx.xx.221.28[4500] to xx.xx.122.170[4500] (76 bytes)
parsed INFORMATIONAL response 2 [ ]
IKE_SA deleted
IKE_SA [2] closed successfully
[root@wave ~]# 
[root@wave ~]# strongswan down  spb-frqx
deleting IKE_SA spb-frqx[1] between xx.xx.122.170[OU=spb, 
CN=wave.spb]...88.174.230.112[OU=frqx, CN=vpn.ucp]
sending DELETE for IKE_SA spb-frqx[1]
generating INFORMATIONAL request 2 [ D ]
sending packet: from xx.xx.122.170[4500] to 88.174.230.112[4500] (76 bytes)
received packet: from 88.174.230.112[4500] to xx.xx.122.170[4500] (76 bytes)
parsed INFORMATIONAL response 2 [ ]
IKE_SA deleted
IKE_SA [1] closed successfully
[root@wave ~]# strongswan up  spb-frqx
initiating IKE_SA spb-frqx[3] to 88.174.230.112
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from xx.xx.122.170[500] to 88.174.230.112[500] (708 bytes)
received packet: from 88.174.230.112[500] to xx.xx.122.170[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ 
N(MULT_AUTH) ]
received cert request for "OU=CA, CN=certauth"
sending cert request for "OU=CA, CN=certauth"
authentication of 'OU=spb, CN=wave.spb' (myself) with RSA signature successful
establishing CHILD_SA spb-frqx
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH 
N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from xx.xx.122.170[4500] to 88.174.230.112[4500] (796 bytes)
received packet: from 88.174.230.112[4500] to xx.xx.122.170[4500] (508 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(AUTH_LFT) 
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
  using trusted ca certificate "OU=CA, CN=certauth"
checking certificate status of "OU=frqx, CN=vpn.ucp"
certificate status is not available
  reached self-signed root ca with a path length of 0
  using trusted certificate "OU=frqx, CN=vpn.ucp"
authentication of 'OU=frqx, CN=vpn.ucp' with RSA signature successful
IKE_SA spb-frqx[3] established between xx.xx.122.170[OU=spb, 
CN=wave.spb]...88.174.230.112[OU=frqx, CN=vpn.ucp]
scheduling reauthentication in 10032s
maximum IKE_SA lifetime 10572s
CHILD_SA spb-frqx{3} established with SPIs ca44cf4f_i ccb8ff76_o and TS 
192.168.0.0/24 === 192.168.169.0/24 
connection 'spb-frqx' established successfully

Now the tunnel to frqx works again:
[root@wave ~]# ping aah.prs.ucp
PING aah.prs.ucp (192.168.169.60) 56(84) bytes of data.
64 bytes from ns.prs.ucp (192.168.169.60): icmp_seq=1 ttl=63 time=87.8 ms
64 bytes from ns.prs.ucp (192.168.169.60): icmp_seq=2 ttl=63 time=84.8 ms

--- aah.prs.ucp ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 84.861/86.373/87.886/1.540 ms


The log on the karma side:
Jan 16 23:54:28 karma charon: 08[NET] received packet: from xx.xx.122.170[500] 
to xx.xx.221.28[500] (708 bytes) 
Jan 16 23:54:28 karma charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No 
N(NATD_S_IP) N(NATD_D_IP) ] 
Jan 16 23:54:28 karma charon: 08[IKE] xx.xx.122.170 is initiating an IKE_SA 
Jan 16 23:54:28 karma charon: 08[IKE] sending cert request for "OU=CA, 
CN=certauth" 
Jan 16 23:54:28 karma charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE 
No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] 
Jan 16 23:54:28 karma charon: 08[NET] sending packet: from xx.xx.221.28[500] to 
xx.xx.122.170[500] (465 bytes) 
Jan 16 23:54:28 karma charon: 11[NET] received packet: from xx.xx.122.170[4500] 
to xx.xx.221.28[4500] (556 bytes) 
Jan 16 23:54:28 karma charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi 
N(INIT_CONTACT) CERTREQ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) 
N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ] 
Jan 16 23:54:28 karma charon: 11[IKE] received cert request for "OU=CA, 
CN=certauth" 
Jan 16 23:54:28 karma charon: 11[CFG] looking for peer configs matching 
xx.xx.221.28[karma.ucp]...xx.xx.122.170[hq.spb@ucp] 
Jan 16 23:54:28 karma charon: 11[CFG] selected peer config 'hmnet-spb' 
Jan 16 23:54:28 karma charon: 11[CFG]   using trusted ca certificate "OU=CA, 
CN=certauth" 
Jan 16 23:54:28 karma charon: 11[CFG] checking certificate status of "OU=spb, 
CN=wave.spb" 
Jan 16 23:54:28 karma charon: 11[CFG] certificate status is not available 
Jan 16 23:54:28 karma charon: 11[CFG]   reached self-signed root ca with a path 
length of 0 
Jan 16 23:54:28 karma charon: 11[CFG]   using trusted certificate "OU=spb, 
CN=wave.spb" 
Jan 16 23:54:28 karma charon: 11[IKE] authentication of 'hq.spb@ucp' with RSA 
signature successful 
Jan 16 23:54:28 karma charon: 11[IKE] peer supports MOBIKE 
Jan 16 23:54:28 karma charon: 11[IKE] authentication of 'karma.ucp' (myself) 
with RSA signature successful 
Jan 16 23:54:28 karma charon: 11[IKE] IKE_SA hmnet-spb[3] established between 
xx.xx.221.28[karma.ucp]...xx.xx.122.170[hq.spb@ucp] 
Jan 16 23:54:28 karma charon: 11[IKE] scheduling reauthentication in 9927s 
Jan 16 23:54:28 karma charon: 11[IKE] maximum IKE_SA lifetime 10467s 
Jan 16 23:54:28 karma charon: 11[IKE] CHILD_SA hmnet-spb{2} established with 
SPIs c16f00ac_i c83dd53d_o and TS 192.168.4.0/24 === 192.168.0.0/24  
Jan 16 23:54:28 karma charon: 11[ENC] generating IKE_AUTH response 1 [ IDr AUTH 
N(IPCOMP_SUP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) 
N(ADD_6_ADDR) ] 
Jan 16 23:54:28 karma charon: 11[NET] sending packet: from xx.xx.221.28[4500] 
to xx.xx.122.170[4500] (524 bytes) 




Does anyone have any ideas about what is going wrong?