Hi,

You're expected to use auto=route. It is normal, by design and common with all other *swans, that auto=add does not initiate a connection.
You gotta read the manual/documentation before using the software.
Kind regards
Noel

On 14.09.2017 09:07, Chengcheng Fu wrote:
> Hi,
>
> After I manually bring up the tunnel from the spoke side, it has started working.
>
> "ipsec up host-host".
>
> But is this normal??
>
> Regards,
>
> Terry
>
> On Sep 13, 2017, at 07:12 PM, Chengcheng Fu <[email protected]> wrote:
>
>> Hi,
>>
>> The GRE tunnel is working on its own, it's like Strongswan is not even aware of it happening, and not trying to encapsulate it.
>> I must be missing something simple.
>>
>> Below are my configs.
>>
>>
>> =========================
>> hub-192.168.23.193
>> =========================
>> ##### ipsec.conf #####
>> config setup
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     authby=secret
>>     mobike=no
>>     keyexchange=ikev2
>>
>> conn host-host
>>     left=192.168.23.193
>>     leftprotoport=gre
>>     rightprotoport=gre
>>     type=transport
>>     auto=add
>>     reauth=no
>>     closeaction=clear
>>     keyexchange=ikev2
>>     right=%any
>>     mark=%unique
>>
>>
>> ##### strongswan.conf #####
>> charon {
>>     load_modular = yes
>>     plugins {
>>         include strongswan.d/charon/*.conf
>>     }
>>     filelog {
>>         /var/log/charon_debug.log {
>>             time_format = %a, %Y-%m-%d %R
>>             default = 2
>>             mgr = 0
>>             net = 1
>>             enc = 1
>>             asn = 1
>>             job = 1
>>             knl = 1
>>             ike_name = yes
>>             append = no
>>             flush_line = yes
>>         }
>>     }
>> }
>>
>> include strongswan.d/*.conf
>>
>>
>> ##### swanctl.conf #####
>> include conf.d/*.conf
>>
>>
>> ##### ipsec statusall #####
>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>>   uptime: 12 minutes, since Sep 14 09:52:04 2017
>>   malloc: sbrk 1081344, mmap 0, used 267712, free 813632
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>> Listening IP addresses:
>>   192.168.23.193
>>   192.168.34.1
>> Connections:
>>    host-host:  192.168.23.193...%any  IKEv2
>>    host-host:   local:  [192.168.23.193] uses pre-shared key authentication
>>    host-host:   remote: uses pre-shared key authentication
>>    host-host:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
>> Security Associations (0 up, 0 connecting):
>>   none
>>
>>
>> ##### iptables -L -v #####
>> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target  prot opt in   out  source    destination
>>    25  1876 ACCEPT  all  --  any  any  anywhere  anywhere     state RELATED,ESTABLISHED
>>     0     0 ACCEPT  icmp --  any  any  anywhere  anywhere
>>     0     0 ACCEPT  all  --  lo   any  anywhere  anywhere
>>     0     0 ACCEPT  tcp  --  any  any  anywhere  anywhere     state NEW tcp dpt:ssh
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target  prot opt in   out  source    destination
>>
>> Chain OUTPUT (policy ACCEPT 13 packets, 1332 bytes)
>>  pkts bytes target  prot opt in   out  source    destination
>>
>>
>> ##### ip route show table all #####
>> default via 192.168.23.232 dev eth0 proto static metric 20
>> default via 192.168.23.232 dev eth0 proto static metric 100
>> 192.168.23.0/24 dev eth0 proto kernel scope link src 192.168.23.193 metric 100
>> 192.168.34.3 dev gre1 proto kernel scope link src 192.168.34.1
>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
>> broadcast 192.168.23.0 dev eth0 table local proto kernel scope link src 192.168.23.193
>> local 192.168.23.193 dev eth0 table local proto kernel scope host src 192.168.23.193
>> broadcast 192.168.23.255 dev eth0 table local proto kernel scope link src 192.168.23.193
>> local 192.168.34.1 dev gre1 table local proto kernel scope host src 192.168.34.1
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>> unreachable ::/96 dev lo metric 1024 error -113 pref medium
>> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
>> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
>> fe80::/64 dev eth0 proto kernel metric 256 pref medium
>> fe80::/64 dev gre1 proto kernel metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>> local ::1 dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80::5efe:c0a8:17c1 dev lo table local proto none metric 0 pref medium
>> local fe80::5054:ff:fecb:abeb dev lo table local proto none metric 0 pref medium
>> ff00::/8 dev eth1 table local metric 256 pref medium
>> ff00::/8 dev eth2 table local metric 256 pref medium
>> ff00::/8 dev eth0 table local metric 256 pref medium
>> ff00::/8 dev gre1 table local metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>>
>>
>> ##### ip address #####
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>        valid_lft forever preferred_lft forever
>>     inet6 ::1/128 scope host
>>        valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>     link/ether 52:54:00:cb:ab:eb brd ff:ff:ff:ff:ff:ff
>>     inet 192.168.23.193/24 brd 192.168.23.255 scope global eth0
>>        valid_lft forever preferred_lft forever
>>     inet6 fe80::5054:ff:fecb:abeb/64 scope link
>>        valid_lft forever preferred_lft forever
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>     link/ether 52:54:00:62:6d:17 brd ff:ff:ff:ff:ff:ff
>> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>     link/ether 52:54:00:f9:74:56 brd ff:ff:ff:ff:ff:ff
>> 5: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1
>>     link/gre 0.0.0.0 brd 0.0.0.0
>> 6: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
>>     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
>> 7: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1
>>     link/gre 192.168.23.193 peer 192.168.23.203
>>     inet 192.168.34.1 peer 192.168.34.3/32 scope global gre1
>>        valid_lft forever preferred_lft forever
>>     inet6 fe80::5efe:c0a8:17c1/64 scope link
>>        valid_lft forever preferred_lft forever
>>
>>
>> =========================
>> spoke-192.168.23.203
>> =========================
>> ##### ipsec.conf #####
>> config setup
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     authby=secret
>>     mobike=no
>>     keyexchange=ikev2
>>
>> conn host-host
>>     left=192.168.23.203
>>     leftprotoport=gre
>>     right=192.168.23.193
>>     rightprotoport=gre
>>     type=transport
>>     auto=add
>>     reauth=no
>>     closeaction=hold
>>     keyexchange=ikev2
>>     keyingtries=%forever
>>
>>
>> ##### strongswan.conf #####
>> charon {
>>     load_modular = yes
>>     plugins {
>>         include strongswan.d/charon/*.conf
>>     }
>>     syslog {
>>         daemon {
>>             default = 2
>>             ike = 2
>>             cfg = 2
>>             esp = 2
>>             chd = 2
>>             net = 2
>>         }
>>     }
>>     filelog {
>>         /var/log/charon_debug.log {
>>             time_format = %a, %Y-%m-%d %R
>>             default = 2
>>             mgr = 0
>>             net = 1
>>             enc = 1
>>             asn = 1
>>             job = 1
>>             knl = 1
>>             ike_name = yes
>>             append = no
>>             flush_line = yes
>>         }
>>     }
>> }
>>
>> include strongswan.d/*.conf
>>
>>
>> ##### swanctl.conf #####
>> include conf.d/*.conf
>>
>>
>> ##### ipsec statusall #####
>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>>   uptime: 16 minutes, since Sep 14 09:53:16 2017
>>   malloc: sbrk 2289664, mmap 0, used 295488, free 1994176
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>> Listening IP addresses:
>>   192.168.23.203
>>   192.168.34.3
>> Connections:
>>    host-host:  192.168.23.203...192.168.23.193  IKEv2
>>    host-host:   local:  [192.168.23.203] uses pre-shared key authentication
>>    host-host:   remote: [192.168.23.193] uses pre-shared key authentication
>>    host-host:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
>> Security Associations (0 up, 0 connecting):
>>   none
>>
>>
>> ##### iptables -L -v #####
>> Chain INPUT (policy ACCEPT 376 packets, 60234 bytes)
>>  pkts bytes target  prot opt in   out  source    destination
>> 13280 5633K ACCEPT  all  --  any  any  anywhere  anywhere     state RELATED,ESTABLISHED
>>     1    84 ACCEPT  icmp --  any  any  anywhere  anywhere
>>     1    80 ACCEPT  all  --  lo   any  anywhere  anywhere
>>     2   120 ACCEPT  tcp  --  any  any  anywhere  anywhere     state NEW tcp dpt:ssh
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target  prot opt in   out  source    destination
>>
>> Chain OUTPUT (policy ACCEPT 14803 packets, 4253K bytes)
>>  pkts bytes target  prot opt in   out  source    destination
>>
>>
>> ##### ip route show table all #####
>> default via 192.168.23.232 dev eth0 proto static metric 100
>> 192.168.23.0/24 dev eth0 proto kernel scope link src 192.168.23.203
>> 192.168.34.1 dev gre1 proto kernel scope link src 192.168.34.3
>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
>> broadcast 192.168.23.0 dev eth0 table local proto kernel scope link src 192.168.23.203
>> local 192.168.23.203 dev eth0 table local proto kernel scope host src 192.168.23.203
>> broadcast 192.168.23.255 dev eth0 table local proto kernel scope link src 192.168.23.203
>> local 192.168.34.3 dev gre1 table local proto kernel scope host src 192.168.34.3
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>> unreachable ::/96 dev lo metric 1024 error -113 pref medium
>> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
>> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
>> fe80::/64 dev eth0 proto kernel metric 256 pref medium
>> fe80::/64 dev gre1 proto kernel metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>> local ::1 dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80::5efe:c0a8:17cb dev lo table local proto none metric 0 pref medium
>> local fe80::5054:ff:fe3e:b778 dev lo table local proto none metric 0 pref medium
>> ff00::/8 dev eth0 table local metric 256 pref medium
>> ff00::/8 dev eth1 table local metric 256 pref medium
>> ff00::/8 dev eth2 table local metric 256 pref medium
>> ff00::/8 dev gre1 table local metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>>
>>
>> ##### ip address #####
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>        valid_lft forever preferred_lft forever
>>     inet6 ::1/128 scope host
>>        valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>     link/ether 52:54:00:3e:b7:78 brd ff:ff:ff:ff:ff:ff
>>     inet 192.168.23.203/24 brd 192.168.23.255 scope global eth0
>>        valid_lft forever preferred_lft forever
>>     inet6 fe80::5054:ff:fe3e:b778/64 scope link
>>        valid_lft forever preferred_lft forever
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>     link/ether 52:54:00:73:7f:25 brd ff:ff:ff:ff:ff:ff
>> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>     link/ether 52:54:00:89:7f:b2 brd ff:ff:ff:ff:ff:ff
>> 5: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1
>>     link/gre 0.0.0.0 brd 0.0.0.0
>> 6: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
>>     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
>> 7: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1
>>     link/gre 192.168.23.203 peer 192.168.23.193
>>     inet 192.168.34.3 peer 192.168.34.1/32 scope global gre1
>>        valid_lft forever preferred_lft forever
>>     inet6 fe80::5efe:c0a8:17cb/64 scope link
>>        valid_lft forever preferred_lft forever
>>
>>
>> Regards,
>>
>> Terry
>>
>>
>> On Sep 13, 2017, at 12:12 PM, Noel Kuntze <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> Please provide all the information that is listed on the HelpRequests[1] page on the wiki. Use the listed commands to get that information.
>>>
>>> Right now, you don't even have a CHILD_SA that could be used to encapsulate the traffic nor an IKE_SA to negotiate that CHILD_SA over.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>>>
>>> On 13.09.2017 19:18, Anvar Kuchkartaev wrote:
>>>> What happens when you initiate the host-host connection from either side? Can you share your ipsec.conf file contents so I can see if there are any mistakes there? One more question: how are your firewall rules configured? Do they allow UDP 500, 4500, AH and ESP protocols from both sides?
>>>>
>>>> Anvar Kuchkartaev
>>>> [email protected] <mailto:[email protected]>
>>>>
>>>> From: Chengcheng Fu
>>>> Sent: Wednesday, 13 September 2017 06:27 p.m.
>>>> To: [email protected]
>>>> Subject: [strongSwan] strongswan not picking up traffic
>>>>
>>>> Hi,
>>>>
>>>> I'm trying to set up GRE over IPsec.
>>>>
>>>> I have the GRE working, but Strongswan won't pick up the GRE traffic and encrypt it.
>>>>
>>>> Following is my topology:
>>>>
>>>> hub 192.168.23.193 - 192.168.23.203 spoke
>>>>
>>>> And here is my output.
>>>>
>>>> Hub side:
>>>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>>>>   uptime: 108 seconds, since Sep 14 00:23:00 2017
>>>>   malloc: sbrk 2027520, mmap 0, used 273392, free 1754128
>>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>>>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>>>> Listening IP addresses:
>>>>   192.168.23.193
>>>>   192.168.34.1
>>>> Connections:
>>>>    host-host:  192.168.23.193...%any  IKEv2
>>>>    host-host:   local:  [192.168.23.193] uses pre-shared key authentication
>>>>    host-host:   remote: uses pre-shared key authentication
>>>>    host-host:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
>>>> Security Associations (0 up, 0 connecting):
>>>>   none
>>>>
>>>>
>>>> Spoke side:
>>>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>>>>   uptime: 4 seconds, since Sep 14 00:17:44 2017
>>>>   malloc: sbrk 2289664, mmap 0, used 287184, free 2002480
>>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>>>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>>>> Listening IP addresses:
>>>>   192.168.23.203
>>>>   192.168.34.3
>>>> Connections:
>>>>    host-host:  192.168.23.203...192.168.23.193  IKEv2
>>>>    host-host:   local:  [192.168.23.203] uses pre-shared key authentication
>>>>    host-host:   remote: [192.168.23.193] uses pre-shared key authentication
>>>>    host-host:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
>>>> Security Associations (0 up, 0 connecting):
>>>>   none
>>>>
>>>>
>>>> Any thoughts?
>>>>
>>>> Regards,
>>>>
>>>> Terry
>>>>
>>>
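Noel's point at the top of the thread (auto=add only loads the conn; auto=route installs trap policies so the first GRE packet triggers IKE instead of leaving the host in the clear) is the kind of thing a config review should catch before a GRE tunnel is declared "working". The script below is an added example, not code from the thread or from the strongSwan project: it parses a minimal ipsec.conf (the conn %default merge mirrors real ipsec.conf semantics; also= inheritance is not handled), flags conns that have a fixed peer but only auto=add, and skips responder-only conns with right=%any such as the hub's. The embedded config is a constructed copy of the spoke's conn from the thread, and the function names are this example's own.

```python
"""Audit an ipsec.conf for conns that are only loaded (auto=add) but can never
start on their own. Added example: the embedded config is a constructed copy of
the spoke's conn from the thread; parse_ipsec_conf and audit_conns are this
example's own names. 'also=' inheritance is not handled."""

SPOKE_IPSEC_CONF = """\
config setup

conn %default
    authby=secret
    keyexchange=ikev2

conn host-host
    left=192.168.23.203
    leftprotoport=gre
    right=192.168.23.193
    rightprotoport=gre
    type=transport
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into every
    other conn. Unindented lines open a section ('config setup', 'conn NAME');
    indented key=value lines belong to the section that is currently open."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():                      # section header
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
            continue
        key, _, value = line.strip().partition("=")
        if current is not None:
            current[key.strip()] = value.strip()
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **opts}
            for (kind, name), opts in sections.items()
            if kind == "conn" and name != "%default"}


def audit_conns(conns):
    """Flag conns that could initiate (fixed right=) but are only auto=add: no
    kernel policy exists for them, so matching traffic (GRE here) leaves the
    host unprotected until an operator runs 'ipsec up'. auto=route installs
    trap policies so the first matching packet triggers IKE instead. A conn
    with right=%any can only respond, so auto=add is the expected setting."""
    findings = []
    for name, conf in sorted(conns.items()):
        if conf.get("auto", "ignore") == "add" and conf.get("right", "%any") != "%any":
            findings.append((name, "auto=add with a fixed peer; use auto=route"))
    return findings
```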
