Hello List,

I use strongSwan on three WRT routers (TP-Link Archer C7): two with OpenWRT 15.05.1 and one new one with LEDE 17.01.0.

OpenWRT uses strongSwan 5.3.3, Linux 3.18.23, mips
LEDE uses strongSwan 5.5.1, Linux 4.4.50, mips

Okay, I want to build a routed VPN connection between two locations. conn1 (192.168.0.0/24) is the main location with a static public IP address. conn2 (192.168.1.0/24) currently has a dynamic public IP address (DSL connection), but will be replaced with the new LEDE router on an LTE connection, which has no public IP address. For testing I made a new subnet (192.168.2.0/24) and a new connection (conn2new).

conn1- 192.168.0.0/24 - lanip 192.168.0.254 - wanip fixed private (full port forwarding from wan ip)
conn2 - 192.168.1.0/24 - lanip 192.168.1.254 - wanip dynamic
conn2new - 192.168.2.0/24 - lanip 192.168.2.254 - wanip private (no port forwarding from wan ip possible)

My problem is that I cannot ping from the router of 192.168.0.0/24 to the hosts behind the router of subnet 192.168.2.0/24, but I can reach the VPN router itself.

Works:
   ping from 192.168.0.254 -> 192.168.2.254
Doesn't work:
   ping from 192.168.0.254 -> 192.168.2.102 (example; the host firewall is open for ICMP, and ping from the local router to the host works)

The statusall command also doesn't show me that the subnet is routed, and when I try to "route" it I get this:

ipsec route conn2new
routing 'conn2new' failed

I am not sure if it is a problem with right=%any or if it is a bug in LEDE. I hope somebody can give me a hint.

Thomas

#### Config conn1: ####
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        #charondebug="ike 2, knl 2, cfg 1"
        charondebug="knl 0,enc 0,net 0,cfg 2,chd 2"

conn %default
        # This server
        left=%defaultroute
        leftid=@fqdn
        ikelifetime=28800s
        # The network behind this server
        leftsubnet=192.168.0.0/24
        leftfirewall=yes
        lefthostaccess=yes
        # Connection parameters
        type=tunnel
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        ike=aes256-sha1-modp2048
        esp=aes256-sha-modp2048
        aggressive=no
        authby=secret
        installpolicy=yes
        compress=yes
        mobike=yes
        dpdaction=restart
        dpddelay=10s
        auto=add

# sites
conn conn2
        auto=route
        modeconfig=push
        reqid=1
        # The remote site
        right=fqdn
        rightid=@fqdn
        # The network behind remote router
        rightsubnet=192.168.1.0/24

conn conn2new
        auto=route
        modeconfig=push
        reqid=2
        # The remote site
        right=%any
        rightid=@fqdn
        # The network behind remote router
        rightsubnet=192.168.2.0/24

#### Config conn2: ####
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug = "ike 1, knl 1, cfg 1"

conn %default
        # This server
        left=%defaultroute
        leftid=@fqdn
        ikelifetime=28800s
        # The network behind this server
        leftsubnet=192.168.1.0/24
        leftfirewall=yes
        lefthostaccess=yes
        # Connection parameters
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2
        ike=aes256-sha1-modp2048
        esp=aes256-sha-modp2048
        aggressive=no
        authby=secret
        installpolicy=yes
        compress=yes
        mobike=no
        dpdaction=restart
        dpddelay=10s
        auto=add

conn conn1
        auto=route
        modeconfig=push
        # The remote site
        right=fqdn
        rightid=@fqdn
        # The network behind remote router
        rightsubnet=192.168.0.0/24

#### Config conn2new: ####
config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        #charondebug="ike 0, knl 0, cfg 0"
        charondebug="knl 0,enc 0,net 0,cfg 2,chd 2"

conn %default
        # This server
        left=%defaultroute
        leftid=@fqdn
        ikelifetime=28800s
        # The network behind this server
        leftsubnet=192.168.2.0/24
        leftfirewall=yes
        lefthostaccess=yes
        # Connection parameters
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2
        ike=aes256-sha1-modp2048
        esp=aes256-sha-modp2048
        aggressive=no
        authby=secret
        installpolicy=yes
        compress=yes
        mobike=no
        dpdaction=restart
        dpddelay=10s
        auto=add

conn conn1
        auto=route
        modeconfig=push
        # The remote site
        right=fqdn
        rightid=@fqdn
        # The network behind remote router
        rightsubnet=192.168.0.0/24

#### statusall conn1 ####
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.23, mips):
  uptime: 82 minutes, since Mar 22 14:02:04 2017
  malloc: sbrk 159744, mmap 0, used 140896, free 18848
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 17
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.77.101
  192.168.0.254
  192.168.100.100
  fd13:a51d:4d8a::1
Connections:
        conn2:  %any...fqdn  IKEv2, dpddelay=10s
        conn2:   local:  [fqdn] uses pre-shared key authentication
        conn2:   remote: [fqdn] uses pre-shared key authentication
        conn2:   child:  192.168.0.0/24 === 192.168.1.0/24 TUNNEL, dpdaction=restart
     conn2new:  %any...%any  IKEv2, dpddelay=10s
     conn2new:   local:  [fqdn] uses pre-shared key authentication
     conn2new:   remote: [fqdn] uses pre-shared key authentication
     conn2new:   child:  192.168.0.0/24 === 192.168.2.0/24 TUNNEL, dpdaction=restart
Routed Connections:
        conn2{1}:  ROUTED, TUNNEL, reqid 1
        conn2{1}:   192.168.0.0/24 === 192.168.1.0/24
Security Associations (2 up, 0 connecting):
     conn2new[9]: ESTABLISHED 28 minutes ago, 192.168.77.101[fqdn]...80.XXX.XXX.XXX[fqdn]
     conn2new[9]: IKEv2 SPIs: 1420e34622680876_i a3eed4f723b3d313_r*, pre-shared key reauthentication in 27 minutes
     conn2new[9]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     conn2new{16}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c1d5fc40_i ceea3ead_o, IPCOMP CPIs: d615_i 90a5_o
     conn2new{16}:  AES_CBC_256/HMAC_SHA1_96, 52018 bytes_i (864 pkts, 1s ago), 52123 bytes_o (864 pkts, 1s ago), rekeying in 17 seconds
     conn2new{16}:   192.168.0.0/24 === 192.168.2.0/24
        conn2[5]: ESTABLISHED 48 minutes ago, 192.168.77.101[fqdn]...87.XXX.XXX.XXX[fqdn]
        conn2[5]: IKEv2 SPIs: 848ceafffd78b3c6_i* 49013863221c18db_r, pre-shared key reauthentication in 2 minutes
        conn2[5]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
        conn2{17}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c27b17fb_i ce842e43_o, IPCOMP CPIs: 9f71_i 7ee0_o
        conn2{17}:  AES_CBC_256/HMAC_SHA1_96, 49572 bytes_i (793 pkts, 1s ago), 244884 bytes_o (1255 pkts, 1s ago), rekeying in 10 minutes
        conn2{17}:   192.168.0.0/24 === 192.168.1.0/24

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
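Editor's added example (not part of the post above, and not strongSwan project code): a small linter for ipsec.conf that flags the combinations visible in the poster's conn1 configuration. The key check is `auto=route` together with `right=%any`: strongSwan 5.3.3, as on the conn1 router where `ipsec route conn2new` was run, refuses to install a trap policy when the remote address is `%any`, because an acquire on that policy would have no peer to initiate to; the side that does not know its peer's address has to use `auto=add` and let the peer initiate. The linter also reports keywords set twice in one section (`ikelifetime` appears twice in `conn %default`) and IKEv1-only keywords (`aggressive`, `modeconfig`) that are ignored with `keyexchange=ikev2`. The sample configuration is constructed from the post; `conn2new_fixed` is an assumed corrected variant, not something the poster had.

```python
"""Lint a strongSwan ipsec.conf for settings that make 'ipsec route' fail
or are silently ignored. Added example; not code from the post or from
the strongSwan project."""
from collections import OrderedDict

# Constructed sample: the relevant parts of the poster's conn1 ipsec.conf,
# plus an assumed corrected conn (conn2new_fixed) for the %any side.
SAMPLE_IPSEC_CONF = """\
config setup
        charondebug="knl 0,enc 0,net 0,cfg 2,chd 2"

conn %default
        left=%defaultroute
        leftid=@fqdn
        ikelifetime=28800s
        leftsubnet=192.168.0.0/24
        ikelifetime=60m
        keyexchange=ikev2
        aggressive=no
        authby=secret
        auto=add

conn conn2
        auto=route
        modeconfig=push
        right=fqdn
        rightsubnet=192.168.1.0/24

conn conn2new
        auto=route
        modeconfig=push
        right=%any
        rightsubnet=192.168.2.0/24

# Assumed fix: the responder that cannot know the peer address only
# waits (auto=add); the peer behind the LTE/NAT link must initiate.
conn conn2new_fixed
        auto=add
        right=%any
        rightsubnet=192.168.2.0/24
"""

IKEV1_ONLY = {"aggressive", "modeconfig"}  # ignored with keyexchange=ikev2


def parse_ipsec_conf(text):
    """Return {section: [(key, value), ...]} keeping order and duplicates.
    'config setup' becomes 'setup'; 'conn <name>' keeps its name."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw[:1].isspace():  # headers start in column 0
            kind, _, name = line.strip().partition(" ")
            if kind == "config" and name == "setup":
                current = "setup"
            elif kind == "conn":
                current = name.strip()
            else:
                raise ValueError("unexpected header: %r" % raw)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("key/value outside a section: %r" % raw)
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError("missing '=' in %r" % raw)
        sections[current].append((key.strip(), value.strip()))
    return sections


def effective(sections, conn):
    """Merge conn %default into conn; the conn's own (last) value wins."""
    merged = {}
    for name in ("%default", conn):
        for key, value in sections.get(name, []):
            merged[key] = value
    return merged


def lint(text):
    """Return a list of (section, finding) tuples."""
    sections = parse_ipsec_conf(text)
    findings = []
    for name, items in sections.items():
        if name == "setup":
            continue
        seen = {}
        for key, value in items:  # same key twice in one section
            if key in seen and seen[key] != value:
                findings.append((name, "%s set twice (%s, then %s); only one "
                                 "value can take effect" % (key, seen[key], value)))
            seen[key] = value
        if name == "%default":
            continue
        cfg = effective(sections, name)
        if cfg.get("auto") == "route" and cfg.get("right") == "%any":
            findings.append((name, "auto=route with right=%any: a trap policy needs "
                             "a concrete remote address, so 'ipsec route' fails; "
                             "use auto=add here and auto=route/start on the peer"))
        if cfg.get("keyexchange") == "ikev2":
            for key in sorted(IKEV1_ONLY & set(cfg)):
                findings.append((name, "%s=%s is IKEv1-only and ignored with "
                                 "keyexchange=ikev2" % (key, cfg[key])))
    return findings


def route_blockers(text):
    """Names of conns for which 'ipsec route <conn>' cannot install a trap."""
    return [c for c, m in lint(text) if m.startswith("auto=route with right=%any")]


if __name__ == "__main__":
    for section, finding in lint(SAMPLE_IPSEC_CONF):
        print("%-16s %s" % (section + ":", finding))
```

Run it against a real file with `lint(open("/etc/ipsec.conf").read())`; it only reads the configuration and does not touch charon, so it is safe to run on a production router.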