OOPs!!...Jumped the Gun...Sorry! Noel has answered it more correctly and succinctly....Sorry again
On Fri, Sep 22, 2017 at 5:26 AM, Rajiv Kulkarni <[email protected]> wrote:
> Hi
>
> Try giving the "right=<ipaddr-of-tunnel-endpoint>"
>
> for e.g.:
>
> left=1.1.1.11
> right=2.2.2.51
>
> and also use the below policy instead of using leftprotoport/rightprotoport
>
> leftsubnet=1.1.1.11[gre]
> rightsubnet=2.2.2.51[gre]
>
> maybe then the gre tunnel traffic will trigger the ipsec tunnel to come up
>
> Also first try if possible with the firewall disabled...and then try with firewall enabled...to eliminate and narrow down where the issue is...
>
> In your case, does the traffic go thru once you bring up the ipsec tunnel manually?
>
>
> On Thu, Sep 14, 2017 at 12:37 PM, Chengcheng Fu <[email protected]> wrote:
>
>> Hi,
>>
>> After I manually bring up the tunnel from the spoke side, it has started working.
>>
>> "ipsec up host-host".
>>
>> But is this normal??
>>
>> Regards,
>>
>> Terry
>>
>> On Sep 13, 2017, at 07:12 PM, Chengcheng Fu <[email protected]> wrote:
>>
>> Hi,
>>
>> The GRE tunnel is working on its own, it's like Strongswan is not even aware of it happening, and not trying to encapsulate it.
>> I must be missing something simple.
>>
>> Below are my configs.
>>
>> =========================
>> hub-192.168.23.193
>> =========================
>> ##### ipsec.conf #####
>> config setup
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     authby=secret
>>     mobike=no
>>     keyexchange=ikev2
>>
>> conn host-host
>>     left=192.168.23.193
>>     leftprotoport=gre
>>     rightprotoport=gre
>>     type=transport
>>     auto=add
>>     reauth=no
>>     closeaction=clear
>>     keyexchange=ikev2
>>     right=%any
>>     mark=%unique
>>
>> ##### strongswan.conf #####
>> charon {
>>     load_modular = yes
>>     plugins {
>>         include strongswan.d/charon/*.conf
>>     }
>>     filelog {
>>         /var/log/charon_debug.log {
>>             time_format = %a, %Y-%m-%d %R
>>             default = 2
>>             mgr = 0
>>             net = 1
>>             enc = 1
>>             asn = 1
>>             job = 1
>>             knl = 1
>>             ike_name = yes
>>             append = no
>>             flush_line = yes
>>         }
>>     }
>> }
>>
>> include strongswan.d/*.conf
>>
>> ##### swanctl.conf #####
>> include conf.d/*.conf
>>
>> ##### ipsec statusall #####
>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>>   uptime: 12 minutes, since Sep 14 09:52:04 2017
>>   malloc: sbrk 1081344, mmap 0, used 267712, free 813632
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>> Listening IP addresses:
>>   192.168.23.193
>>   192.168.34.1
>> Connections:
>>   host-host:  192.168.23.193...%any  IKEv2
>>   host-host:   local:  [192.168.23.193] uses pre-shared key authentication
>>   host-host:   remote: uses pre-shared key authentication
>>   host-host:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
>> Security Associations (0 up, 0 connecting):
>>   none
>>
>> ##### iptables -L -v #####
>> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>    25  1876 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
>>     0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
>>     0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
>>     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:ssh
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain OUTPUT (policy ACCEPT 13 packets, 1332 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> ##### ip route show table all #####
>> default via 192.168.23.232 dev eth0 proto static metric 20
>> default via 192.168.23.232 dev eth0 proto static metric 100
>> 192.168.23.0/24 dev eth0 proto kernel scope link src 192.168.23.193 metric 100
>> 192.168.34.3 dev gre1 proto kernel scope link src 192.168.34.1
>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
>> broadcast 192.168.23.0 dev eth0 table local proto kernel scope link src 192.168.23.193
>> local 192.168.23.193 dev eth0 table local proto kernel scope host src 192.168.23.193
>> broadcast 192.168.23.255 dev eth0 table local proto kernel scope link src 192.168.23.193
>> local 192.168.34.1 dev gre1 table local proto kernel scope host src 192.168.34.1
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>> unreachable ::/96 dev lo metric 1024 error -113 pref medium
>> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
>> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
>> fe80::/64 dev eth0 proto kernel metric 256 pref medium
>> fe80::/64 dev gre1 proto kernel metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>> local ::1 dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80::5efe:c0a8:17c1 dev lo table local proto none metric 0 pref medium
>> local fe80::5054:ff:fecb:abeb dev lo table local proto none metric 0 pref medium
>> ff00::/8 dev eth1 table local metric 256 pref medium
>> ff00::/8 dev eth2 table local metric 256 pref medium
>> ff00::/8 dev eth0 table local metric 256 pref medium
>> ff00::/8 dev gre1 table local metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>>
>> ##### ip address #####
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>        valid_lft forever preferred_lft forever
>>     inet6 ::1/128 scope host
>>        valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>     link/ether 52:54:00:cb:ab:eb brd ff:ff:ff:ff:ff:ff
>>     inet 192.168.23.193/24 brd 192.168.23.255 scope global eth0
>>        valid_lft forever preferred_lft forever
>>     inet6 fe80::5054:ff:fecb:abeb/64 scope link
>>        valid_lft forever preferred_lft forever
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>     link/ether 52:54:00:62:6d:17 brd ff:ff:ff:ff:ff:ff
>> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>     link/ether 52:54:00:f9:74:56 brd ff:ff:ff:ff:ff:ff
>> 5: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1
>>     link/gre 0.0.0.0 brd 0.0.0.0
>> 6: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
>>     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
>> 7: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1
>>     link/gre 192.168.23.193 peer 192.168.23.203
>>     inet 192.168.34.1 peer 192.168.34.3/32 scope global gre1
>>        valid_lft forever preferred_lft forever
>>     inet6 fe80::5efe:c0a8:17c1/64 scope link
>>        valid_lft forever preferred_lft forever
>>
>> =========================
>> spoke-192.168.23.203
>> =========================
>> ##### ipsec.conf #####
>> config setup
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     authby=secret
>>     mobike=no
>>     keyexchange=ikev2
>>
>> conn host-host
>>     left=192.168.23.203
>>     leftprotoport=gre
>>     right=192.168.23.193
>>     rightprotoport=gre
>>     type=transport
>>     auto=add
>>     reauth=no
>>     closeaction=hold
>>     keyexchange=ikev2
>>     keyingtries=%forever
>>
>> ##### strongswan.conf #####
>> charon {
>>     load_modular = yes
>>     plugins {
>>         include strongswan.d/charon/*.conf
>>     }
>>     syslog {
>>         daemon {
>>             default = 2
>>             ike = 2
>>             cfg = 2
>>             esp = 2
>>             chd = 2
>>             net = 2
>>         }
>>     }
>>     filelog {
>>         /var/log/charon_debug.log {
>>             time_format = %a, %Y-%m-%d %R
>>             default = 2
>>             mgr = 0
>>             net = 1
>>             enc = 1
>>             asn = 1
>>             job = 1
>>             knl = 1
>>             ike_name = yes
>>             append = no
>>             flush_line = yes
>>         }
>>     }
>> }
>>
>> include strongswan.d/*.conf
>>
>> ##### swanctl.conf #####
>> include conf.d/*.conf
>>
>> ##### ipsec statusall #####
>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>>   uptime: 16 minutes, since Sep 14 09:53:16 2017
>>   malloc: sbrk 2289664, mmap 0, used 295488, free 1994176
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>> Listening IP addresses:
>>   192.168.23.203
>>   192.168.34.3
>> Connections:
>>   host-host:  192.168.23.203...192.168.23.193  IKEv2
>>   host-host:   local:  [192.168.23.203] uses pre-shared key authentication
>>   host-host:   remote: [192.168.23.193] uses pre-shared key authentication
>>   host-host:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
>> Security Associations (0 up, 0 connecting):
>>   none
>>
>> ##### iptables -L -v #####
>> Chain INPUT (policy ACCEPT 376 packets, 60234 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> 13280 5633K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
>>     1    84 ACCEPT     icmp --  any    any     anywhere             anywhere
>>     1    80 ACCEPT     all  --  lo     any     anywhere             anywhere
>>     2   120 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:ssh
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain OUTPUT (policy ACCEPT 14803 packets, 4253K bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> ##### ip route show table all #####
>> default via 192.168.23.232 dev eth0 proto static metric 100
>> 192.168.23.0/24 dev eth0 proto kernel scope link src 192.168.23.203
>> 192.168.34.1 dev gre1 proto kernel scope link src 192.168.34.3
>> broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
>> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
>> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
>> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
>> broadcast 192.168.23.0 dev eth0 table local proto kernel scope link src 192.168.23.203
>> local 192.168.23.203 dev eth0 table local proto kernel scope host src 192.168.23.203
>> broadcast 192.168.23.255 dev eth0 table local proto kernel scope link src 192.168.23.203
>> local 192.168.34.3 dev gre1 table local proto kernel scope host src 192.168.34.3
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>> unreachable ::/96 dev lo metric 1024 error -113 pref medium
>> unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:7f00::/24 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:ac10::/28 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 pref medium
>> unreachable 2002:e000::/19 dev lo metric 1024 error -113 pref medium
>> unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 pref medium
>> fe80::/64 dev eth0 proto kernel metric 256 pref medium
>> fe80::/64 dev gre1 proto kernel metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>> local ::1 dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80:: dev lo table local proto none metric 0 pref medium
>> local fe80::5efe:c0a8:17cb dev lo table local proto none metric 0 pref medium
>> local fe80::5054:ff:fe3e:b778 dev lo table local proto none metric 0 pref medium
>> ff00::/8 dev eth0 table local metric 256 pref medium
>> ff00::/8 dev eth1 table local metric 256 pref medium
>> ff00::/8 dev eth2 table local metric 256 pref medium
>> ff00::/8 dev gre1 table local metric 256 pref medium
>> unreachable default dev lo proto kernel metric 4294967295 error -101 pref medium
>>
>> ##### ip address #####
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>        valid_lft forever preferred_lft forever
>>     inet6 ::1/128 scope host
>>        valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>     link/ether 52:54:00:3e:b7:78 brd ff:ff:ff:ff:ff:ff
>>     inet 192.168.23.203/24 brd 192.168.23.255 scope global eth0
>>        valid_lft forever preferred_lft forever
>>     inet6 fe80::5054:ff:fe3e:b778/64 scope link
>>        valid_lft forever preferred_lft forever
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>     link/ether 52:54:00:73:7f:25 brd ff:ff:ff:ff:ff:ff
>> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>>     link/ether 52:54:00:89:7f:b2 brd ff:ff:ff:ff:ff:ff
>> 5: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1
>>     link/gre 0.0.0.0 brd 0.0.0.0
>> 6: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
>>     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
>> 7: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1
>>     link/gre 192.168.23.203 peer 192.168.23.193
>>     inet 192.168.34.3 peer 192.168.34.1/32 scope global gre1
>>        valid_lft forever preferred_lft forever
>>     inet6 fe80::5efe:c0a8:17cb/64 scope link
>>        valid_lft forever preferred_lft forever
>>
>> Regards,
>>
>> Terry
>>
>> On Sep 13, 2017, at 12:12 PM, Noel Kuntze <noel.kuntze+strongswan-users-[email protected]> wrote:
>>
>> Hello,
>>
>> Please provide all the information that is listed on the HelpRequests[1] page on the wiki. Use the listed commands to get that information.
>>
>> Right now, you don't even have a CHILD_SA that could be used to encapsulate the traffic nor an IKE_SA to negotiate that CHILD_SA over.
>>
>> Kind regards
>>
>> Noel
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>>
>> On 13.09.2017 19:18, Anvar Kuchkartaev wrote:
>>
>> What happens when you initiate the host-host connection from either side? Can you share your ipsec.conf file contents so I can see if there are any mistakes in there? One more question: how are your firewall rules configured? Do they allow UDP 500, 4500, AH and ESP protocols from both sides?
>>
>> Anvar Kuchkartaev
>>
>> [email protected]
>>
>> From: Chengcheng Fu
>> Sent: Wednesday, 13 September 2017 06:27 p.m.
>> To: [email protected]
>> Subject: [strongSwan] strongswan not picking up traffic
>>
>> Hi,
>>
>> I'm trying to set up GRE over IPsec.
>>
>> I have the GRE working, but Strongswan wouldn't pick up the gre traffic and encrypt it.
>>
>> Following is my topology:
>>
>> hub 192.168.23.193 - 192.168.23.203 spoke
>>
>> And here is my output.
>>
>> Hub side:
>>
>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>>   uptime: 108 seconds, since Sep 14 00:23:00 2017
>>   malloc: sbrk 2027520, mmap 0, used 273392, free 1754128
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>> Listening IP addresses:
>>   192.168.23.193
>>   192.168.34.1
>> Connections:
>>   host-host:  192.168.23.193...%any  IKEv2
>>   host-host:   local:  [192.168.23.193] uses pre-shared key authentication
>>   host-host:   remote: uses pre-shared key authentication
>>   host-host:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
>> Security Associations (0 up, 0 connecting):
>>   none
>>
>> Spoke side:
>>
>> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
>>   uptime: 4 seconds, since Sep 14 00:17:44 2017
>>   malloc: sbrk 2289664, mmap 0, used 287184, free 2002480
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>> Listening IP addresses:
>>   192.168.23.203
>>   192.168.34.3
>> Connections:
>>   host-host:  192.168.23.203...192.168.23.193  IKEv2
>>   host-host:   local:  [192.168.23.203] uses pre-shared key authentication
>>   host-host:   remote: [192.168.23.193] uses pre-shared key authentication
>>   host-host:   child:  dynamic[gre] === dynamic[gre] TRANSPORT
>> Security Associations (0 up, 0 connecting):
>>   none
>>
>> Any thoughts?
>>
>> Regards,
>>
>> Terry
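The symptom in the thread (connection loaded, "Security Associations (0 up, 0 connecting): none", GRE flowing in the clear until "ipsec up host-host") follows from auto=add: charon only loads the conn and installs no trap policy, so nothing ever triggers IKE. The checker below is an added example, not code from the thread or from strongSwan; it parses an abridged copy of the spoke's ipsec.conf (constructed from the config quoted above, with %default merged in) and reports the settings that keep traffic from starting the SA. Function names are mine.

```python
import re

# Constructed sample: abridged from the spoke's ipsec.conf quoted in the thread.
SPOKE_IPSEC_CONF = """\
config setup
conn %default
    keyingtries=1
    authby=secret
    keyexchange=ikev2
conn host-host
    left=192.168.23.203
    leftprotoport=gre
    right=192.168.23.193
    rightprotoport=gre
    type=transport
    auto=add
    keyingtries=%forever
"""


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {conn_name: {key: value}}, merging 'conn %default'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        head = re.match(r"^(conn|config|ca)\s+(\S+)\s*$", line)
        if head:                                      # unindented section header
            current = sections.setdefault((head.group(1), head.group(2)), {})
        elif current is not None and "=" in line:     # indented key=value
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **vals} for (kind, name), vals in sections.items()
            if kind == "conn" and name != "%default"}


def check_conn(name, c):
    """Return findings that explain why matching traffic never triggers IKE."""
    findings = []
    auto = c.get("auto", "ignore")
    if auto == "add":
        findings.append(f"{name}: auto=add only loads the conn, so no trap policy "
                        "exists and GRE traffic cannot trigger IKE; use auto=route "
                        "(bring up on demand) or auto=start")
    if c.get("right") == "%any" and auto in ("route", "start"):
        findings.append(f"{name}: right=%any can only respond; the peer must initiate")
    if c.get("leftprotoport") != c.get("rightprotoport"):
        findings.append(f"{name}: leftprotoport/rightprotoport differ; the selectors "
                        "must match on both ends")
    return findings
```

Running check_conn over the parsed spoke conn yields a single auto=add finding; the same conn with auto=route yields none, while a hub-style right=%any conn set to auto=route is flagged as responder-only.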
