Err, where's the hub and the spoke? There are just two duplicate CHILD_SAs for a single IKE_SA.
On 24.02.2017 23:59, Martin Sand wrote:
> Sure, please find enclosed the requested files.
>
> Best regards/Kind regards
> Martin
>
>
> On 02/24/2017 11:52 PM, Noel Kuntze wrote:
>> Of course not. This is not a problem with the routing table.
>> Please make sure you understand exactly what's going on before
>> attempting to solve problems. Other technology might not
>> be as forgiving as this.
>>
>> The problem is probably that your security policies don't allow
>> the forwarding of the traffic or you have SNAT/MASQUERADE (or other)
>> iptables rules that either change addresses so the traffic doesn't
>> match the policies anymore or outright drop it.
>>
>> Please provide a paste of the output of `ipsec statusall`
>> and `iptables-save`.
>>
>>
>>
>> On 24.02.2017 23:49, Martin Sand wrote:
>>> Hi all
>>>
>>> After some time I began to investigate again.
>>> I think the problem is that my strongSwan router is behind a modem (another
>>> router) which I cannot set to bridge mode.
>>> The modem is NATing the traffic.
>>>
>>> Routing table 220 shows the problem.
>>> The traffic is sent to the modem (192.168.0.1), which is connected to the internet
>>> and to my strongSwan VPN router (192.168.2.1).
>>> The modem is also the default gateway.
>>>
>>> root@OpenWrt:~# ip route show table 220
>>> 192.168.1.0/24 via 192.168.0.1 dev eth0 proto static src 192.168.2.1
>>> 192.168.3.0/24 via 192.168.0.1 dev eth0 proto static src 192.168.2.1
>>>
>>> I tried to get around the problem by setting the via route to the external
>>> IP of my modem (134.100.110.120).
>>> But this does not work:
>>>
>>> root@OpenWrt:~# ip r c table 220 192.168.1.0/24 via 134.100.110.120 dev eth0 proto static src 192.168.2.1
>>> RTNETLINK answers: Network is unreachable
>>>
>>> Any ideas on how to solve the issue?
>>>
>>> Best regards
>>> Martin
>>>
>>> On 11/08/2016 08:46 PM, Martin Sand wrote:
>>>> Hi all
>>>>
>>>> I have a Hub and Spoke setup:
>>>> * Central server 192.168.0.1
>>>> * Router 1: 192.168.1.1
>>>> * Router 2: 192.168.2.1
>>>>
>>>> I cannot reach the computers on the other side of the network although the
>>>> tunnel is established.
>>>> Am I missing an iptables rule or route information?
>>>>
>>>> Output from 192.168.1.100 when trying to reach a computer on the other
>>>> network (192.168.2.100):
>>>> [user@workstation ~]$ tracepath 192.168.2.100
>>>>  1?: [LOCALHOST]    pmtu 1500
>>>>  1:  router-1       0.475ms
>>>>  1:  router-1       0.445ms
>>>>  2:  no reply
>>>>
>>>> Output of route on Router 1 (192.168.1.1):
>>>> 192.168.2.0/24 via 80.10.10.1 dev eth0 proto static src 192.168.1.1
>>>>
>>>> Output of route on Router 2 (192.168.2.1):
>>>> 192.168.1.0/24 via 192.168.0.1 dev eth0 proto static src 192.168.2.1
>>>>
>>>> Any ideas on what is going wrong? Maybe because one router shows the
>>>> external IP of the Hub instead of the internal one?
>>>>
>>>> Best regards
>>>> Martin
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> [email protected]
>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>
>
> ipsec_statusall.txt
>
> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.20, mips):
>   uptime: 24 minutes, since Feb 24 23:30:27 2017
>   malloc: sbrk 151552, mmap 0, used 139840, free 11712
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
> Listening IP addresses:
>   192.168.0.31
>   192.168.2.1
> Connections:
>     vpn-mann:  %any...vpn.example.de  IKEv2, dpddelay=30s
>     vpn-mann:   local:  [C=DE, O=StrongSwan, CN=mann] uses public key authentication
>     vpn-mann:    cert:  "C=DE, O=StrongSwan, CN=mann"
>     vpn-mann:   remote: [vpn.example.de] uses public key authentication
>     vpn-mann:    cert:  "C=DE, O=StrongSwan, CN=vpn.example.de"
>     vpn-mann:   child:  192.168.2.0/24 === 192.168.1.0/24 192.168.3.0/24 PASS, dpdaction=restart
> Security Associations (1 up, 0 connecting):
>     vpn-mann[1]: ESTABLISHED 23 minutes ago, 192.168.0.31[C=DE, O=StrongSwan, CN=mann]...200.200.8.224[vpn.example.de]
>     vpn-mann[1]: IKEv2 SPIs: a2b57fe98a312245_i* 484d1d053cc36aaa_r, public key reauthentication in 28 minutes
>     vpn-mann[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>     vpn-mann{4}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c5f28034_i c535472d_o
>     vpn-mann{4}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 5 minutes
>     vpn-mann{4}:   192.168.2.0/24 === 192.168.1.0/24 192.168.3.0/24
>     vpn-mann{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cca10f29_i cd435e9e_o
>     vpn-mann{5}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 6 minutes
>     vpn-mann{5}:   192.168.2.0/24 === 192.168.1.0/24 192.168.3.0/24
>
>
> iptables_save.txt
>
> # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
> *nat
> :PREROUTING ACCEPT [94139:25693304]
> :INPUT ACCEPT [23929:1678867]
> :OUTPUT ACCEPT [24490:1838326]
> :POSTROUTING ACCEPT [529:103136]
> :delegate_postrouting - [0:0]
> :delegate_prerouting - [0:0]
> :postrouting_lan_rule - [0:0]
> :postrouting_rule - [0:0]
> :postrouting_wan_rule - [0:0]
> :prerouting_lan_rule - [0:0]
> :prerouting_rule - [0:0]
> :prerouting_wan_rule - [0:0]
> :zone_lan_postrouting - [0:0]
> :zone_lan_prerouting - [0:0]
> :zone_wan_postrouting - [0:0]
> :zone_wan_prerouting - [0:0]
> -A PREROUTING -j delegate_prerouting
> -A POSTROUTING -j delegate_postrouting
> -A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
> -A delegate_postrouting -o br-lan -j zone_lan_postrouting
> -A delegate_postrouting -o eth0 -j zone_wan_postrouting
> -A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
> -A delegate_prerouting -i br-lan -j zone_lan_prerouting
> -A delegate_prerouting -i eth0 -j zone_wan_prerouting
> -A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
> -A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
> -A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
> -A zone_wan_postrouting -j MASQUERADE
> -A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
> COMMIT
> # Completed on Fri Feb 24 23:54:03 2017
> # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
> *raw
> :PREROUTING ACCEPT [30562873:27538250738]
> :OUTPUT ACCEPT [92351:9943384]
> :delegate_notrack - [0:0]
> -A PREROUTING -j delegate_notrack
> COMMIT
> # Completed on Fri Feb 24 23:54:03 2017
> # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
> *mangle
> :PREROUTING ACCEPT [30562873:27538250738]
> :INPUT ACCEPT [86788:8751557]
> :FORWARD ACCEPT [30431248:27507406630]
> :OUTPUT ACCEPT [92351:9943384]
> :POSTROUTING ACCEPT [30523601:27517350687]
> :fwmark - [0:0]
> :mssfix - [0:0]
> -A PREROUTING -j fwmark
> -A FORWARD -j mssfix
> -A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
> COMMIT
> # Completed on Fri Feb 24 23:54:03 2017
> # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :delegate_forward - [0:0]
> :delegate_input - [0:0]
> :delegate_output - [0:0]
> :forwarding_lan_rule - [0:0]
> :forwarding_rule - [0:0]
> :forwarding_wan_rule - [0:0]
> :input_lan_rule - [0:0]
> :input_rule - [0:0]
> :input_wan_rule - [0:0]
> :output_lan_rule - [0:0]
> :output_rule - [0:0]
> :output_wan_rule - [0:0]
> :reject - [0:0]
> :syn_flood - [0:0]
> :zone_lan_dest_ACCEPT - [0:0]
> :zone_lan_forward - [0:0]
> :zone_lan_input - [0:0]
> :zone_lan_output - [0:0]
> :zone_lan_src_ACCEPT - [0:0]
> :zone_wan_dest_ACCEPT - [0:0]
> :zone_wan_dest_REJECT - [0:0]
> :zone_wan_forward - [0:0]
> :zone_wan_input - [0:0]
> :zone_wan_output - [0:0]
> :zone_wan_src_REJECT - [0:0]
> -A INPUT -j delegate_input
> -A FORWARD -s 192.168.3.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.2.0/24 -d 192.168.3.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.3.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.2.0/24 -d 192.168.3.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -j delegate_forward
> -A OUTPUT -j delegate_output
> -A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
> -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A delegate_forward -i br-lan -j zone_lan_forward
> -A delegate_forward -i eth0 -j zone_wan_forward
> -A delegate_forward -j reject
> -A delegate_input -i lo -j ACCEPT
> -A delegate_input -m comment --comment "user chain for input" -j input_rule
> -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
> -A delegate_input -i br-lan -j zone_lan_input
> -A delegate_input -i eth0 -j zone_wan_input
> -A delegate_output -o lo -j ACCEPT
> -A delegate_output -m comment --comment "user chain for output" -j output_rule
> -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A delegate_output -o br-lan -j zone_lan_output
> -A delegate_output -o eth0 -j zone_wan_output
> -A reject -p tcp -j REJECT --reject-with tcp-reset
> -A reject -j REJECT --reject-with icmp-port-unreachable
> -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
> -A syn_flood -j DROP
> -A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
> -A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
> -A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
> -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
> -A zone_lan_forward -j zone_lan_dest_ACCEPT
> -A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
> -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
> -A zone_lan_input -j zone_lan_src_ACCEPT
> -A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
> -A zone_lan_output -j zone_lan_dest_ACCEPT
> -A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
> -A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
> -A zone_wan_dest_REJECT -o eth0 -j reject
> -A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
> -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
> -A zone_wan_forward -j zone_wan_dest_REJECT
> -A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
> -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
> -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
> -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
> -A zone_wan_input -j zone_wan_src_REJECT
> -A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
> -A zone_wan_output -j zone_wan_dest_ACCEPT
> -A zone_wan_src_REJECT -i eth0 -j reject
> COMMIT
> # Completed on Fri Feb 24 23:54:03 2017
>

-- 
Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
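Noel's "SNAT/MASQUERADE rules that change addresses so the traffic doesn't match the policies anymore" is exactly what the posted nat table does: everything leaving eth0 falls into zone_wan_postrouting and hits MASQUERADE, with no rule ahead of it that lets IPsec-bound packets through. The source of a 192.168.2.x packet destined for 192.168.1.0/24 is rewritten to the WAN address before the packet is protected, so it no longer matches the 192.168.2.0/24 === 192.168.1.0/24 policy. The audit below is an added example for this thread, not code from the thread, from OpenWrt or from strongSwan. It parses an iptables-save dump as text (no root, no iptables binary), follows the jumps from nat/POSTROUTING in rule order for one output interface, and reports whether a packet reaches MASQUERADE/SNAT or an ACCEPT guarded by `-m policy --dir out --pol ipsec` first. The embedded nat table is copied from the posted iptables-save, trimmed to the POSTROUTING path; the exemption rule placed in `postrouting_rule` is my proposed fix, relying only on the order visible in the dump (that chain is reached before the `-o eth0 -j zone_wan_postrouting` jump).

```python
"""Audit an iptables-save dump: does NAT rewrite traffic bound for an IPsec policy?

Follows jumps from nat/POSTROUTING in rule order for one output interface and
reports the first terminating outcome: MASQUERADE/SNAT (source rewritten, so the
packet no longer matches the tunnel's policy) or an ACCEPT guarded by
`-m policy --dir out --pol ipsec`.  Only -o matches are evaluated; address,
protocol and conntrack matches are ignored, so this is an audit, not a simulator.
"""
import shlex
from typing import Dict, List, Optional, Tuple

Rule = List[str]

# nat table as posted in the thread, trimmed to the POSTROUTING path (PREROUTING
# chains, chain declarations and packet counters dropped).
POSTED_NAT = """\
*nat
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
-A delegate_postrouting -o br-lan -j zone_lan_postrouting
-A delegate_postrouting -o eth0 -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
-A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -j MASQUERADE
COMMIT
"""

# Proposed exemption in OpenWrt's user chain (populated from /etc/firewall.user); it
# is reached before the jump into zone_wan_postrouting and hence before MASQUERADE.
EXEMPT_RULE = "-A postrouting_rule -o eth0 -m policy --dir out --pol ipsec -j ACCEPT"

def parse_table(dump: str, table: str) -> Dict[str, List[Rule]]:
    """Return {chain: [rule tokens, ...]} for one table, preserving rule order."""
    chains: Dict[str, List[Rule]] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            current = line[1:]
        elif current == table and line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])   # declared (maybe empty) chain
        elif current == table and line.startswith("-A "):
            tokens = shlex.split(line)  # keeps quoted --comment strings whole
            chains.setdefault(tokens[1], []).append(tokens[2:])
    return chains

def _opt(tokens: Rule, flag: str) -> Optional[str]:
    """Value following `flag` in the rule, or None if absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None

def _oif_matches(tokens: Rule, oif: str) -> bool:
    """True if the rule's -o (possibly negated with '!') admits `oif`."""
    if "-o" not in tokens:
        return True
    i = tokens.index("-o")
    negated = i > 0 and tokens[i - 1] == "!"
    return (tokens[i + 1] == oif) != negated

def _is_ipsec_exempt(tokens: Rule) -> bool:
    """ACCEPT guarded by xt_policy for traffic that an outbound IPsec policy will protect."""
    uses_policy = any(a == "-m" and b == "policy" for a, b in zip(tokens, tokens[1:]))
    return (uses_policy and _opt(tokens, "--pol") == "ipsec"
            and _opt(tokens, "--dir") == "out" and _opt(tokens, "-j") == "ACCEPT")

def first_hit(chains: Dict[str, List[Rule]], oif: str,
              chain: str = "POSTROUTING") -> Optional[Tuple[str, Rule]]:
    """First terminating outcome for traffic leaving `oif`:
    ("nat" | "exempt" | "accept", rule), or None if the chain falls through."""
    for rule in chains.get(chain, []):
        if not _oif_matches(rule, oif):
            continue
        target = _opt(rule, "-j") or _opt(rule, "-g")
        if target in ("MASQUERADE", "SNAT"):
            return ("nat", rule)
        if target == "ACCEPT":
            return ("exempt" if _is_ipsec_exempt(rule) else "accept", rule)
        if target in chains:  # user-defined chain: descend; keep going if it falls through
            hit = first_hit(chains, oif, target)
            if hit:
                return hit
    return None

def add_rule(dump: str, table: str, rule_line: str) -> str:
    """Append `rule_line` to `table`, just before that table's COMMIT."""
    out, current = [], None
    for raw in dump.splitlines():
        if raw.startswith("*"):
            current = raw[1:]
        if raw == "COMMIT" and current == table:
            out.append(rule_line)
        out.append(raw)
    return "\n".join(out) + "\n"

def audit(dump: str, oif: str = "eth0") -> str:
    """'nat' means IPsec-bound traffic leaving `oif` has its source rewritten first."""
    hit = first_hit(parse_table(dump, "nat"), oif)
    return hit[0] if hit else "fallthrough"

if __name__ == "__main__":
    print("as posted:", audit(POSTED_NAT))                                   # nat
    print("with exemption:", audit(add_rule(POSTED_NAT, "nat", EXEMPT_RULE)))  # exempt
```

Run against the posted table the walk ends at MASQUERADE for eth0 and falls through for br-lan; with the exemption appended it ends at the guarded ACCEPT, which terminates nat processing before the zone_wan_postrouting jump. On the live OpenWrt box the same rule goes into /etc/firewall.user as `iptables -t nat -A postrouting_rule -o eth0 -m policy --dir out --pol ipsec -j ACCEPT`, so the firewall reload keeps it; the filter side needs nothing extra here because the `-m policy --dir in/out` FORWARD rules already accept the tunnelled traffic. The check only evaluates `-o` matches, so a rule that depends on `-s`, `-d` or conntrack state needs a second look by hand.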
