Hi Noel,
Thank you for your reply.
I have compiled with the option you specified and now I don't see the
'/etc/updown: no such file or directory' in the log, but the behaviour is
still the same, i.e. iptables rules are not populated. Rather, the flow in
the opposite direction is quite odd.
To make sure my setup's routing is correct, I have tested a scenario with
the traditional (non-TUN-based) setup with a pre-shared key and AES
cryptography, and I can pass bidirectional traffic.
What is happening now, for the setup below, is:
Host 1 <----------> GW sun <----------> GW moon <----------> Host 2
                 eth1    eth0          eth0    eth2
10.0.0.103  10.0.0.101  12.0.0.167    12.0.0.189  11.0.0.189  11.0.0.101
1) If I send traffic (UDP) from Host 2, traffic is seen on eth2 of the moon
GW but nothing goes to eth0 of the same GW, let alone
encryption/decryption.
2) If I send traffic from Host 1, traffic is encrypted and decrypted on
eth0 of the sun GW and moon GW respectively, but that traffic is not seen
on eth2 of the moon GW.
The configuration looks like:
moon:
#cat ipsec.conf
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

conn test
    left=12.0.0.189
    leftcert=moonCert.pem
    leftsubnet=11.0.0.0/24
    [email protected]
    leftupdown=/var/lib/strongswan/_updown
    right=12.0.0.167
    rightcert=sunCert.pem
    rightsubnet=10.0.0.0/24
    [email protected]
    auto=add

#ip route list table 220
10.0.0.0/24 dev ipsec0 proto static src 11.0.0.189

#cat strongswan.conf
charon {
    load = aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke updown xauth-generic
    multiple_authentication = no
    debug = 4
}
sun:
#cat ipsec.conf
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

conn test
    left=12.0.0.167
    leftcert=sunCert.pem
    leftsubnet=10.0.0.0/24
    [email protected]
    leftupdown=/var/lib/strongswan/_updown
    right=12.0.0.189
    rightcert=moonCert.pem
    rightsubnet=11.0.0.0/24
    [email protected]
    auto=add

#ip route list table 220
11.0.0.0/24 via 12.0.0.189 dev eth0 proto static src 10.0.0.101

Same strongswan.conf.
How should we populate the iptables rules?
Thanks,
Shahreen
Shahreen Noor Ahmed
Network Support Department
Adax Europe Ltd
url: www.adax.com
e-mail: [email protected]
Direct line: +44(0)118 952 2804
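The question above is how the FORWARD rules for the ipsec0 TUN device should get populated. The script below is an added illustration, not part of this thread and not strongSwan's own _updown: it renders the two FORWARD rules for a kernel-libipsec setup from the PLUTO_* variables charon exports to the script named in leftupdown=, and adds a check that a table-220 route for the remote subnet points at the TUN device rather than a physical interface. The device name ipsec0 (the default, as seen in moon's route table), the render/apply split and all function names are assumptions.

```shell
#!/bin/sh
# Hypothetical updown helper for a kernel-libipsec (TUN) setup; not strongSwan's
# own _updown. Assumes the TUN device keeps the default name ipsec0 and that
# charon exports the standard PLUTO_* variables to the leftupdown= script.
TUN_DEV="${TUN_DEV:-ipsec0}"

# Emit (do not execute) the iptables commands for one event so they can be
# reviewed and tested offline. $1 = -I (insert) or -D (delete).
render_rules() {
    op="$1"; my="$2"; peer="$3"
    # Plaintext leaving this gateway for the peer subnet is routed into the TUN
    # device, where libipsec picks it up for encryption...
    echo "iptables $op FORWARD -o $TUN_DEV ! -i $TUN_DEV -s $my -d $peer -j ACCEPT"
    # ...and decrypted plaintext from the peer re-enters the stack out of the TUN.
    echo "iptables $op FORWARD -i $TUN_DEV ! -o $TUN_DEV -s $peer -d $my -j ACCEPT"
}

# Map PLUTO_VERB to an iptables operation; verbs this helper does not handle
# (up-host, down-host, ...) emit nothing.
updown() {
    case "$PLUTO_VERB" in
        up-client)   render_rules -I "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" ;;
        down-client) render_rules -D "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" ;;
        *) ;;
    esac
}

# Sanity check on one 'ip route list table 220' line: with libipsec the route
# for the remote subnet must use the TUN device, not eth0 or another NIC.
route_uses_tun() {
    case "$1" in
        *" dev $TUN_DEV "*|*" dev $TUN_DEV") return 0 ;;
        *) return 1 ;;
    esac
}

# Only when invoked by charon (PLUTO_VERB set) are the rendered rules applied.
if [ -n "$PLUTO_VERB" ]; then
    updown | while read -r cmd; do eval "$cmd"; done
fi
```

Constructed inputs from the thread's own addresses are used in the test; run on a gateway the same functions apply the rules only when charon sets PLUTO_VERB.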
On 09/07/2014 12:33, Noel Kuntze wrote:
Hello,
You probably didn't run ./configure with the correct parameters and set
"--with-ipsecdir=/usr/lib/strongswan".
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 09.07.2014 13:29, Shahreen Ahmed wrote:
Hi,
Can you please help in this regard?
I want to test max throughput based on IPsec ESP userland encryption with
libipsec.
I configured strongSwan 5.1.3 with the following option:
--enable-kernel-libipsec
While trying to make a setup following the link below:
http://www.strongswan.org/uml/testresults/libipsec/net2net-cert/
It seems that even though a tunnel is UP based on X.509 authentication and a
TUN interface 'ipsec0' is injected, NO firewall rules are present for routing
through 'ipsec0', and encrypted traffic that is decrypted by the peer
IPsec GW never reaches the site beyond that GW.
The following log is visible on one of the GWs:
Jul 9 11:46:25 ZNYX9210 charon: 08[IKE] restarting CHILD_SA test
Jul 9 11:46:25 ZNYX9210 charon: 08[IKE] initiating IKE_SA test[2] to 12.0.0.167
Jul 9 11:46:25 ZNYX9210 charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jul 9 11:46:25 ZNYX9210 charon: 08[NET] sending packet: from 12.0.0.189[500] to 12.0.0.167[500] (708 bytes)
Jul 9 11:46:25 ZNYX9210 charon: 14[NET] received packet: from 12.0.0.167[500] to 12.0.0.189[500] (457 bytes)
Jul 9 11:46:25 ZNYX9210 charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] remote host is behind NAT
Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] received cert request for "C=CA, ST=PB, O=strongswan org, OU=strongswan root, [email protected]"
Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] sending cert request for "C=CA, ST=PB, O=strongswan org, OU=strongswan root, [email protected]"
Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] authentication of 'C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, [email protected]' (myself) with RSA signature successful
Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] sending end entity cert "C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, [email protected]"
Jul 9 11:46:25 ZNYX9210 charon: 14[IKE] establishing CHILD_SA test{1}
Jul 9 11:46:25 ZNYX9210 charon: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
Jul 9 11:46:25 ZNYX9210 charon: 14[NET] sending packet: from 12.0.0.189[4500] to 12.0.0.167[4500] (1564 bytes)
Jul 9 11:46:25 ZNYX9210 charon: 09[NET] received packet: from 12.0.0.167[4500] to 12.0.0.189[4500] (1276 bytes)
Jul 9 11:46:25 ZNYX9210 charon: 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] received end entity cert "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, [email protected]"
Jul 9 11:46:25 ZNYX9210 charon: 09[CFG] using trusted ca certificate "C=CA, ST=PB, O=strongswan org, OU=strongswan root, [email protected]"
Jul 9 11:46:25 ZNYX9210 charon: 09[CFG] checking certificate status of "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, [email protected]"
Jul 9 11:46:25 ZNYX9210 charon: 09[CFG] certificate status is not available
Jul 9 11:46:25 ZNYX9210 charon: 09[CFG] reached self-signed root ca with a path length of 0
Jul 9 11:46:25 ZNYX9210 charon: 09[CFG] using trusted certificate "C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, [email protected]"
Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] authentication of 'C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, [email protected]' with RSA signature successful
Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] IKE_SA test[2] established between 12.0.0.189[C=CA, ST=PB, O=strongswan org, OU=strongswan peer2, [email protected]]...12.0.0.167[C=CA, ST=PB, O=strongswan org, OU=strongswan peer1, [email protected]]
Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] scheduling reauthentication in 3420s
Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] maximum IKE_SA lifetime 3600s
Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] CHILD_SA test{1} established with SPIs 213dcf52_i c9b38fce_o and TS 11.0.0.0/24 === 10.0.0.0/24
*Jul 9 11:46:25 ZNYX9210 charon: 09[CHD] updown: sh: /etc/updown: No such file or directory*
Jul 9 11:46:25 ZNYX9210 charon: 09[IKE] received AUTH_LIFETIME of 3311s, scheduling reauthentication in 3131s
Can you please let us know why this /etc/updown file is missing and where
we should get it from?
Thanks,
Shahreen
--
Shahreen Noor Ahmed
Network Support Department
Adax Europe Ltd
url: www.adax.com
e-mail: [email protected]
Direct line: +44(0)118 952 2804
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users