Hi,

Can you please help in this regard?

I want to test max throughput based on IPsec ESP userland encryption with libipsec.

I configured strongSwan 5.1.3 with the following option:

--enable-kernel-libipsec

While trying to make a setup following the link below:

http://www.strongswan.org/uml/testresults/libipsec/net2net-cert/

It seems that even though a tunnel is UP based on X.509 authentication and a
TUN interface 'ipsec0' is injected, NO firewall rules are present for routing
through 'ipsec0', and encrypted traffic that is decrypted by the peer
IPsec GW never reaches the site beyond that GW.

The following log is visible in one of the GWs:

Jul  9 11:46:25 ZNYX9210 charon: 08[IKE] restarting CHILD_SA test
Jul  9 11:46:25 ZNYX9210 charon: 08[IKE] initiating IKE_SA test[2] to 12.0.0.167
Jul  9 11:46:25 ZNYX9210 charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul  9 11:46:25 ZNYX9210 charon: 08[NET] sending packet: from 12.0.0.189[500] to 12.0.0.167[500] (708 bytes)
Jul  9 11:46:25 ZNYX9210 charon: 14[NET] received packet: from 12.0.0.167[500] to 12.0.0.189[500] (457 bytes)
Jul  9 11:46:25 ZNYX9210 charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] remote host is behind NAT
Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] received cert request for "C=CA, ST=PB, O=strongswan org, OU=strongswan root, [email protected]"
Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] sending cert request for "C=CA, ST=PB, O=strongswan org, OU=strongswan root, [email protected]"
Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] authentication of 'C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, [email protected]' (myself) with RSA signature successful
Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] sending end entity cert "C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, [email protected]"
Jul  9 11:46:25 ZNYX9210 charon: 14[IKE] establishing CHILD_SA test{1}
Jul  9 11:46:25 ZNYX9210 charon: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
Jul  9 11:46:25 ZNYX9210 charon: 14[NET] sending packet: from 12.0.0.189[4500] to 12.0.0.167[4500] (1564 bytes)
Jul  9 11:46:25 ZNYX9210 charon: 09[NET] received packet: from 12.0.0.167[4500] to 12.0.0.189[4500] (1276 bytes)
Jul  9 11:46:25 ZNYX9210 charon: 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] received end entity cert "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, [email protected]"
Jul  9 11:46:25 ZNYX9210 charon: 09[CFG]   using trusted ca certificate "C=CA, ST=PB, O=strongswan org, OU=strongswan root, [email protected]"
Jul  9 11:46:25 ZNYX9210 charon: 09[CFG] checking certificate status of "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, [email protected]"
Jul  9 11:46:25 ZNYX9210 charon: 09[CFG] certificate status is not available
Jul  9 11:46:25 ZNYX9210 charon: 09[CFG]   reached self-signed root ca with a path length of 0
Jul  9 11:46:25 ZNYX9210 charon: 09[CFG]   using trusted certificate "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, [email protected]"
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] authentication of 'C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, [email protected]' with RSA signature successful
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] IKE_SA test[2] established between 12.0.0.189[C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, [email protected]]...12.0.0.167[C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, [email protected]]
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] scheduling reauthentication in 3420s
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] maximum IKE_SA lifetime 3600s
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] CHILD_SA test{1} established with SPIs 213dcf52_i c9b38fce_o and TS 11.0.0.0/24 === 10.0.0.0/24
*Jul  9 11:46:25 ZNYX9210 charon: 09[CHD] updown: sh: /etc/updown: No such file or directory*
Jul  9 11:46:25 ZNYX9210 charon: 09[IKE] received AUTH_LIFETIME of 3311s, scheduling reauthentication in 3131s


Can you please let us know why this /etc/updown file is missing and where
we should get it from?

Thanks,
Shahreen

--

Shahreen Noor Ahmed
Network Support Department
Adax Europe Ltd
url: www.adax.com
e-mail: [email protected]
Direct line: +44(0)118 952 2804

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
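
As an added example (not from the original post and not the strongSwan project's own _updown script), here is a minimal updown script of the kind charon is trying to run as /etc/updown in the log above: when the CHILD_SA comes up it installs FORWARD rules that only allow the 10.0.0.0/24 and 11.0.0.0/24 subnets to exchange traffic through the ipsec0 TUN device, and it removes them again when the CHILD_SA goes down. It assumes charon exports PLUTO_VERB, PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT to the script, that the libipsec device is named ipsec0, and that routes into ipsec0 are already installed by the kernel-libipsec plugin; setting IPTABLES to a command such as echo shows the rules instead of installing them.

```shell
#!/bin/sh
# Minimal updown script for a kernel-libipsec gateway (added example,
# not the strongSwan _updown script). Assumed environment from charon:
# PLUTO_VERB (up-client/down-client/...), PLUTO_MY_CLIENT (local subnet)
# and PLUTO_PEER_CLIENT (remote subnet). The TUN device name and the
# iptables binary can be overridden through IPSEC_IF and IPTABLES.

IPSEC_IF="${IPSEC_IF:-ipsec0}"
IPTABLES="${IPTABLES:-iptables}"

# forward_rules ACTION MY_CLIENT PEER_CLIENT
# ACTION is -I (install) or -D (delete). Plaintext destined for the
# peer subnet may leave only via the TUN device, and decrypted traffic
# from the peer subnet is accepted only when it arrives from that
# device, so cleartext between the two sites cannot take another path.
forward_rules() {
    action="$1"; my="$2"; peer="$3"
    "$IPTABLES" "$action" FORWARD -o "$IPSEC_IF" -s "$my" -d "$peer" -j ACCEPT
    "$IPTABLES" "$action" FORWARD -i "$IPSEC_IF" -s "$peer" -d "$my" -j ACCEPT
}

# updown VERB MY_CLIENT PEER_CLIENT: dispatch on the verb charon passes.
updown() {
    case "$1" in
        up-client)   forward_rules -I "$2" "$3" ;;
        down-client) forward_rules -D "$2" "$3" ;;
        *)           return 0 ;;   # up-host/down-host need no rules here
    esac
}

# Entry point when charon invokes the script with PLUTO_* set.
if [ -n "$PLUTO_VERB" ]; then
    updown "$PLUTO_VERB" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT"
fi
```

For a site-to-site setup the same FORWARD rules are needed on both gateways, with the subnets swapped, and the script must be executable by the user charon runs as.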