Hello Volker,

We have an ongoing routing problem since the attempt to migrate from strongswan-4.x.x to strongswan-5.1.x.

The current network segment infrastructure is as follows:

                192.168.169.0/24 (frqx)
                ||                  ||
                ||                  ||
                ||                  ||
   192.168.0.0/24 (spb)         192.168.4.0/24 (hmnet)
          wave                          karma

[root@wave ~]# ping aah.prs.ucp
PING aah.prs.ucp (192.168.169.60) 56(84) bytes of data.
64 bytes from ns.prs.ucp (192.168.169.60): icmp_seq=1 ttl=63 time=88.9 ms
64 bytes from ns.prs.ucp (192.168.169.60): icmp_seq=2 ttl=63 time=90.6 ms

--- aah.prs.ucp ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 88.991/89.842/90.693/0.851 ms

The tunnels above work fine, with pings in all shown directions. But as soon as we try to establish a spb-hmnet tunnel (between the wave and karma hosts) the routing gets troubled and neither of the networks can be reached.

Here are some extracts of the working setup:

[root@wave ~]# vi /etc/strongswan/ipsec.conf

conn %default
        left=%defaultroute
        leftcert=wave2034.hostCert.pem

conn spb-hmnet
        leftsubnet=192.168.0.0/24
        leftid=hq.spb@ucp
        right=xx.xx.221.28
        #rightsubnet=192.168.4.0/24
        rightsubnet=0.0.0.0/0
        rightcert=peercerts/karmaY2034.hostCert.pem
        rightid=@karma.ucp
        leftfirewall=yes
        auto=add
        #auto=start

The other side on karma:

conn hmnet-spb
        leftid=@karma.ucp
        leftsendcert=never
        leftsubnet=192.168.4.0/24
        leftfirewall=yes
        #rightsubnet=192.168.0.0/24
        rightsubnet=0.0.0.0/0
        right=xx.xx.122.170
        rightcert=peercerts/wave2034.hostCert.pem
        rightid=hq.spb@ucp
        keyexchange=ikev2
        mobike=yes
        compress=yes

The ESP packets are exempt from NAT:

[root@wave ~]# iptables -L -n -v -t nat --line-numbers
Chain PREROUTING (policy ACCEPT 5776K packets, 491M bytes)
num   pkts bytes target  prot opt in   out  source          destination
1        0     0 ACCEPT  udp  --  eth1 *    192.168.0.0/24  192.168.169.60   udp dpt:4569

Chain POSTROUTING (policy ACCEPT 559K packets, 40M bytes)
num   pkts bytes target  prot opt in   out  source          destination
1     293K   38M ACCEPT  all  --  *    *    192.168.0.0/16  192.168.0.0/16
2      326 20826 ACCEPT  all  --  *    *    192.168.0.0/16  88.174.230.112
3    4865K  322M SNAT    !esp --  *    eth0 0.0.0.0/0       !192.168.0.0/16  to:xx.xx.122.170

[root@wave ~]# strongswan restart
Stopping strongSwan IPsec...
Starting strongSwan 5.1.0 IPsec [starter]...

[root@wave ~]# ping aah.prs.ucp
PING aah.prs.ucp (192.168.169.60) 56(84) bytes of data.
64 bytes from aah.prs.ucp (192.168.169.60): icmp_seq=1 ttl=63 time=87.9 ms

--- aah.prs.ucp ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 87.939/87.939/87.939/0.000 ms

[root@wave ~]# strongswan up spb-hmnet
initiating IKE_SA spb-hmnet[2] to xx.xx.221.28
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from xx.xx.122.170[500] to xx.xx.221.28[500] (708 bytes)
received packet: from xx.xx.221.28[500] to xx.xx.122.170[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "OU=CA, CN=certauth"
sending cert request for "OU=CA, CN=certauth"
authentication of 'hq.spb@ucp' (myself) with RSA signature successful
establishing CHILD_SA spb-hmnet
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from xx.xx.122.170[4500] to xx.xx.221.28[4500] (556 bytes)
received packet: from xx.xx.221.28[4500] to xx.xx.122.170[4500] (524 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
using trusted ca certificate "OU=CA, CN=certauth"
checking certificate status of "OU=hmnet, CN=karma.ucp"
certificate status is not available
reached self-signed root ca with a path length of 0
using trusted certificate "OU=hmnet, CN=karma.ucp"
authentication of 'karma.ucp' with RSA signature successful
IKE_SA spb-hmnet[2] established between xx.xx.122.170[hq.spb@ucp]...xx.xx.221.28[karma.ucp]
scheduling reauthentication in 10033s
maximum IKE_SA lifetime 10573s
connection 'spb-hmnet' established successfully

The remote network cannot be reached:

[root@wave ~]# ping 192.168.4.10
PING 192.168.4.10 (192.168.4.10) 56(84) bytes of data.

--- 192.168.4.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1001ms

[root@wave ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.1.0, Linux 2.6.18-92.1.22.el5, i686):
  uptime: 54 seconds, since Jan 17 02:54:04 2014
  malloc: sbrk 278528, mmap 0, used 169296, free 109232
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap dhcp
Listening IP addresses:
  192.168.0.100
  xx.xx.122.170
Connections:
    spb-frqx:  %any...88.174.230.112  IKEv2
    spb-frqx:   local:  [OU=spb, CN=wave.spb] uses public key authentication
    spb-frqx:    cert:  "OU=spb, CN=wave.spb"
    spb-frqx:   remote: [OU=frqx, CN=vpn.ucp] uses public key authentication
    spb-frqx:    cert:  "OU=frqx, CN=vpn.ucp"
    spb-frqx:   child:  192.168.0.0/24 === 192.168.169.0/24 TUNNEL
   spb-hmnet:  %any...xx.xx.221.28  IKEv2
   spb-hmnet:   local:  [hq.spb@ucp] uses public key authentication
   spb-hmnet:    cert:  "OU=spb, CN=wave.spb"
   spb-hmnet:   remote: [karma.ucp] uses public key authentication
   spb-hmnet:    cert:  "OU=hmnet, CN=karma.ucp"
   spb-hmnet:   child:  192.168.0.0/24 === 0.0.0.0/0 TUNNEL
Security Associations (2 up, 0 connecting):
   spb-hmnet[2]: ESTABLISHED 30 seconds ago, xx.xx.122.170[hq.spb@ucp]...xx.xx.221.28[karma.ucp]
   spb-hmnet[2]: IKEv2 SPIs: 732b6c40b2a9066c_i* f1fe7cd05d976861_r, public key reauthentication in 2 hours
   spb-hmnet[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
   spb-hmnet{2}:  INSTALLED, TUNNEL, ESP SPIs: c83dd53d_i c16f00ac_o, IPCOMP CPIs: 2c17_i 9671_o
   spb-hmnet{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 304 bytes_o (2 pkts, 7s ago), rekeying in 49 minutes
   spb-hmnet{2}:   192.168.0.0/24 === 192.168.4.0/24
    spb-frqx[1]: ESTABLISHED 53 seconds ago, xx.xx.122.170[OU=spb, CN=wave.spb]...88.174.230.112[OU=frqx, CN=vpn.ucp]
    spb-frqx[1]: IKEv2 SPIs: 7af4eef8e3ebff9b_i* ce20c08648668d96_r, public key reauthentication in 2 hours
    spb-frqx[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    spb-frqx{1}:  INSTALLED, TUNNEL, ESP SPIs: c513db0a_i ca6b1f8e_o, IPCOMP CPIs: 466d_i c3f7_o
    spb-frqx{1}:  AES_CBC_128/HMAC_SHA1_96, 4216 bytes_i (13 pkts, 1s ago), 5384 bytes_o (13 pkts, 1s ago), rekeying in 48 minutes
    spb-frqx{1}:   192.168.0.0/24 === 192.168.169.0/24

[root@wave ~]# ping aah.prs.ucp
PING aah.prs.ucp (192.168.169.60) 56(84) bytes of data.

--- aah.prs.ucp ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

[root@wave ~]# ping xx.xx.221.28
PING xx.xx.221.28 (xx.xx.221.28) 56(84) bytes of data.
64 bytes from xx.xx.221.28: icmp_seq=1 ttl=48 time=73.7 ms

--- xx.xx.221.28 ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time 1001ms
rtt min/avg/max/mdev = 73.790/73.790/73.790/0.000 ms

[root@wave ~]# ping 192.168.4.10
PING 192.168.4.10 (192.168.4.10) 56(84) bytes of data.

--- 192.168.4.10 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

[root@wave ~]# ping 192.168.4.87
PING 192.168.4.87 (192.168.4.87) 56(84) bytes of data.

[root@wave ~]# strongswan down spb-hmnet
deleting IKE_SA spb-hmnet[2] between xx.xx.122.170[hq.spb@ucp]...xx.xx.221.28[karma.ucp]
sending DELETE for IKE_SA spb-hmnet[2]
generating INFORMATIONAL request 2 [ D ]
sending packet: from xx.xx.122.170[4500] to xx.xx.221.28[4500] (76 bytes)
received packet: from xx.xx.221.28[4500] to xx.xx.122.170[4500] (76 bytes)
parsed INFORMATIONAL response 2 [ ]
IKE_SA deleted
IKE_SA [2] closed successfully
[root@wave ~]#

[root@wave ~]# strongswan down spb-frqx
deleting IKE_SA spb-frqx[1] between xx.xx.122.170[OU=spb, CN=wave.spb]...88.174.230.112[OU=frqx, CN=vpn.ucp]
sending DELETE for IKE_SA spb-frqx[1]
generating INFORMATIONAL request 2 [ D ]
sending packet: from xx.xx.122.170[4500] to 88.174.230.112[4500] (76 bytes)
received packet: from 88.174.230.112[4500] to xx.xx.122.170[4500] (76 bytes)
parsed INFORMATIONAL response 2 [ ]
IKE_SA deleted
IKE_SA [1] closed successfully

[root@wave ~]# strongswan up spb-frqx
initiating IKE_SA spb-frqx[3] to 88.174.230.112
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from xx.xx.122.170[500] to 88.174.230.112[500] (708 bytes)
received packet: from 88.174.230.112[500] to xx.xx.122.170[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "OU=CA, CN=certauth"
sending cert request for "OU=CA, CN=certauth"
authentication of 'OU=spb, CN=wave.spb' (myself) with RSA signature successful
establishing CHILD_SA spb-frqx
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from xx.xx.122.170[4500] to 88.174.230.112[4500] (796 bytes)
received packet: from 88.174.230.112[4500] to xx.xx.122.170[4500] (508 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
using trusted ca certificate "OU=CA, CN=certauth"
checking certificate status of "OU=frqx, CN=vpn.ucp"
certificate status is not available
reached self-signed root ca with a path length of 0
using trusted certificate "OU=frqx, CN=vpn.ucp"
authentication of 'OU=frqx, CN=vpn.ucp' with RSA signature successful
IKE_SA spb-frqx[3] established between xx.xx.122.170[OU=spb, CN=wave.spb]...88.174.230.112[OU=frqx, CN=vpn.ucp]
scheduling reauthentication in 10032s
maximum IKE_SA lifetime 10572s
CHILD_SA spb-frqx{3} established with SPIs ca44cf4f_i ccb8ff76_o and TS 192.168.0.0/24 === 192.168.169.0/24
connection 'spb-frqx' established successfully

Now the tunnel to frqx works again:

[root@wave ~]# ping aah.prs.ucp
PING aah.prs.ucp (192.168.169.60) 56(84) bytes of data.
64 bytes from ns.prs.ucp (192.168.169.60): icmp_seq=1 ttl=63 time=87.8 ms
64 bytes from ns.prs.ucp (192.168.169.60): icmp_seq=2 ttl=63 time=84.8 ms

--- aah.prs.ucp ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 84.861/86.373/87.886/1.540 ms

The log on the karma side:

Jan 16 23:54:28 karma charon: 08[NET] received packet: from xx.xx.122.170[500] to xx.xx.221.28[500] (708 bytes)
Jan 16 23:54:28 karma charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan 16 23:54:28 karma charon: 08[IKE] xx.xx.122.170 is initiating an IKE_SA
Jan 16 23:54:28 karma charon: 08[IKE] sending cert request for "OU=CA, CN=certauth"
Jan 16 23:54:28 karma charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jan 16 23:54:28 karma charon: 08[NET] sending packet: from xx.xx.221.28[500] to xx.xx.122.170[500] (465 bytes)
Jan 16 23:54:28 karma charon: 11[NET] received packet: from xx.xx.122.170[4500] to xx.xx.221.28[4500] (556 bytes)
Jan 16 23:54:28 karma charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jan 16 23:54:28 karma charon: 11[IKE] received cert request for "OU=CA, CN=certauth"
Jan 16 23:54:28 karma charon: 11[CFG] looking for peer configs matching xx.xx.221.28[karma.ucp]...xx.xx.122.170[hq.spb@ucp]
Jan 16 23:54:28 karma charon: 11[CFG] selected peer config 'hmnet-spb'
Jan 16 23:54:28 karma charon: 11[CFG] using trusted ca certificate "OU=CA, CN=certauth"
Jan 16 23:54:28 karma charon: 11[CFG] checking certificate status of "OU=spb, CN=wave.spb"
Jan 16 23:54:28 karma charon: 11[CFG] certificate status is not available
Jan 16 23:54:28 karma charon: 11[CFG] reached self-signed root ca with a path length of 0
Jan 16 23:54:28 karma charon: 11[CFG] using trusted certificate "OU=spb, CN=wave.spb"
Jan 16 23:54:28 karma charon: 11[IKE] authentication of 'hq.spb@ucp' with RSA signature successful
Jan 16 23:54:28 karma charon: 11[IKE] peer supports MOBIKE
Jan 16 23:54:28 karma charon: 11[IKE] authentication of 'karma.ucp' (myself) with RSA signature successful
Jan 16 23:54:28 karma charon: 11[IKE] IKE_SA hmnet-spb[3] established between xx.xx.221.28[karma.ucp]...xx.xx.122.170[hq.spb@ucp]
Jan 16 23:54:28 karma charon: 11[IKE] scheduling reauthentication in 9927s
Jan 16 23:54:28 karma charon: 11[IKE] maximum IKE_SA lifetime 10467s
Jan 16 23:54:28 karma charon: 11[IKE] CHILD_SA hmnet-spb{2} established with SPIs c16f00ac_i c83dd53d_o and TS 192.168.4.0/24 === 192.168.0.0/24
Jan 16 23:54:28 karma charon: 11[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Jan 16 23:54:28 karma charon: 11[NET] sending packet: from xx.xx.221.28[4500] to xx.xx.122.170[4500] (524 bytes)

Are there any ideas of what is going wrong?

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
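A check a reader of this thread might want to run first, added here as an example and not the poster's or strongSwan's own code: parse the output of `strongswan statusall` and compare, per connection, the child traffic selectors that were configured (the "child:" lines in the Connections section) with the selectors actually installed on the CHILD_SA. The sample input below is constructed from the status dump quoted in the message, abridged to the relevant lines, and the parser only handles IPv4 selectors. The script does not identify the cause of the routing trouble; it makes visible what the dump already says: spb-hmnet is configured with a 0.0.0.0/0 remote selector, karma narrowed that to 192.168.4.0/24 when the CHILD_SA came up, and the configured 0.0.0.0/0 overlaps the 192.168.169.0/24 selector of spb-frqx.

```python
"""Compare configured vs installed CHILD_SA traffic selectors in a
`strongswan statusall` dump. Added example for the thread above; not the
original poster's code and not part of strongSwan."""
import ipaddress
import re

# Constructed sample: the relevant lines of the statusall output quoted in
# the message, abridged to the Connections and Security Associations parts.
SAMPLE_STATUSALL = """\
Connections:
    spb-frqx:  %any...88.174.230.112  IKEv2
    spb-frqx:   child:  192.168.0.0/24 === 192.168.169.0/24 TUNNEL
   spb-hmnet:  %any...xx.xx.221.28  IKEv2
   spb-hmnet:   child:  192.168.0.0/24 === 0.0.0.0/0 TUNNEL
Security Associations (2 up, 0 connecting):
   spb-hmnet[2]: ESTABLISHED 30 seconds ago, xx.xx.122.170[hq.spb@ucp]...xx.xx.221.28[karma.ucp]
   spb-hmnet{2}:  INSTALLED, TUNNEL, ESP SPIs: c83dd53d_i c16f00ac_o, IPCOMP CPIs: 2c17_i 9671_o
   spb-hmnet{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 304 bytes_o (2 pkts, 7s ago), rekeying in 49 minutes
   spb-hmnet{2}:   192.168.0.0/24 === 192.168.4.0/24
    spb-frqx[1]: ESTABLISHED 53 seconds ago, xx.xx.122.170[OU=spb, CN=wave.spb]...88.174.230.112[OU=frqx, CN=vpn.ucp]
    spb-frqx{1}:  INSTALLED, TUNNEL, ESP SPIs: c513db0a_i ca6b1f8e_o, IPCOMP CPIs: 466d_i c3f7_o
    spb-frqx{1}:   192.168.0.0/24 === 192.168.169.0/24
"""

# "name:   child:  <local TS> === <remote TS> <mode>" in the Connections section
CONFIGURED_RE = re.compile(r"^\s*(?P<name>[\w.-]+):\s+child:\s+(?P<ts>.+===.+)$")
# "name{n}:   <local TS> === <remote TS>" below an installed CHILD_SA
INSTALLED_RE = re.compile(r"^\s*(?P<name>[\w.-]+)\{\d+\}:\s+(?P<ts>.+===.+)$")


def _selectors(fragment):
    """Turn '192.168.0.0/24 10.0.0.0/8 TUNNEL' into a list of networks;
    tokens that are not networks (TUNNEL, TRANSPORT, ...) are dropped."""
    nets = []
    for tok in fragment.split():
        try:
            nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            pass
    return nets


def _ts_pair(ts):
    local, remote = ts.split("===", 1)
    return _selectors(local), _selectors(remote)


def _fmt_pair(pair):
    return " ".join(map(str, pair[0])) + " === " + " ".join(map(str, pair[1]))


def parse_statusall(text):
    """Return {conn: {"configured": (local, remote) or None,
                      "installed": [(local, remote), ...]}}."""
    conns = {}
    for line in text.splitlines():
        m, key = CONFIGURED_RE.match(line), "configured"
        if not m:
            m, key = INSTALLED_RE.match(line), "installed"
        if not m:
            continue
        entry = conns.setdefault(m["name"], {"configured": None, "installed": []})
        pair = _ts_pair(m["ts"])
        if key == "configured":
            entry["configured"] = pair
        else:
            entry["installed"].append(pair)
    return conns


def findings(conns):
    """Wildcard remote selectors, selectors the peer narrowed, and remote
    selectors that two different connections both claim."""
    notes = []
    for name, c in conns.items():
        conf = c["configured"]
        if conf is None:
            continue
        if any(n.prefixlen == 0 for n in conf[1]):
            notes.append(f"{name}: configured remote selector is a wildcard ({_fmt_pair(conf)})")
        for inst in c["installed"]:
            if inst != conf:
                notes.append(f"{name}: peer narrowed {_fmt_pair(conf)} to {_fmt_pair(inst)}")
    names = sorted(n for n in conns if conns[n]["configured"] is not None)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for ra in conns[a]["configured"][1]:
                for rb in conns[b]["configured"][1]:
                    if ra.overlaps(rb):
                        notes.append(f"{a} / {b}: configured remote selectors {ra} and {rb} overlap")
    return notes


if __name__ == "__main__":
    import sys
    # Pipe a live dump in (`strongswan statusall | python3 this.py`) or run
    # without stdin to analyse the constructed sample.
    text = SAMPLE_STATUSALL if sys.stdin.isatty() else sys.stdin.read()
    for note in findings(parse_statusall(text)):
        print(note)
```

On the sample this prints three lines: the wildcard on spb-hmnet, the narrowing of 0.0.0.0/0 to 192.168.4.0/24 by the peer, and the overlap between spb-hmnet's 0.0.0.0/0 and spb-frqx's 192.168.169.0/24. Whether the overlap matters on a given host depends on what the kernel-netlink plugin installed for it, which this script does not inspect.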