Bumping this one last time before I give up and move on to something else ☺ Thanks for any insight.
James

On Sun, 2018-07-29 at 08:43 -0600, James Lay wrote:
> On Sun, 2018-07-29 at 08:00 -0600, James Lay wrote:
> > On Sun, 2018-07-29 at 07:53 -0600, James Lay wrote:
> > > On Wed, 2018-07-25 at 18:33 -0600, James Lay wrote:
> > > > On Wed, 2018-07-25 at 06:53 -0600, James Lay wrote:
> > > > > On 2018-07-24 06:51, Tobias Brunner wrote:
> > > > > > Hi James,
> > > > > >
> > > > > > > So I moved to Strongswan 5.6.2 during a distribution upgrade.
> > > > > >
> > > > > > What distribution? What was the previous version? Do you still have the same plugins installed and enabled?
> > > > > >
> > > > > > > My simple setup no longer routes back to the client (I can see the incoming pings on the server, but nothing goes back). I establish a tunnel fine...my setup looks like this:
> > > > > > >
> > > > > > > external_IP_nic2 <-> 192.168.1.1_nic2 192.168.1.0/24 subnet
> > > > > > >
> > > > > > > all I need is to have a connected device able to access 192.168.1.1...and it's only a single user.
> > > > > >
> > > > > > Please read [1]. From the involved IPs I guess you used the farp plugin before, so make sure you still have that installed and loaded.
> > > > > >
> > > > > > Regards,
> > > > > > Tobias
> > > > > >
> > > > > > [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> > > > >
> > > > > Thanks Tobias...I have access to the old server so I'll see what's there...I don't recall installing any other plugins, but we shall see. I'll report my findings soon..thanks again.
> > > > >
> > > > > James
> > > >
> > > > So now I'm super confused. I changed to the below:
> > > >
> > > > conn rw
> > > >     leftsubnet=192.168.1.0/24
> > > >     leftcert=StrongSwanHostCert.pem
> > > >     right=%any
> > > >     rightsourceip=172.16.0.1
> > > >     auto=add
> > > >
> > > > and added the below top 2 postrouting nat rules:
> > > >
> > > >  pkts bytes target     prot opt in  out        source          destination
> > > >     0     0 ACCEPT     all  --  *   *          0.0.0.0/0       0.0.0.0/0    policy match dir out pol ipsec
> > > >     0     0 MASQUERADE all  --  *   enp0s31f6  172.16.0.1      0.0.0.0/0
> > > > 24519 1646K MASQUERADE all  --  *   ppp0       192.168.1.0/24  0.0.0.0/0
> > > >
> > > > However when I attempt to ping, I see the ping on the ppp0 interface, and the source isn't 172.16.0.1:
> > > >
> > > > 2018-07-25 18:26:37.085194521 8.0.0.1 → 192.168.1.1 ICMP 100 Echo (ping) request id=0x0004, seq=1/256, ttl=64
> > > >
> > > > Not exactly sure where to go next. I did install the extra plugins that include farp as well. Thank you.
> > > >
> > > > James
> > >
> > > Anything on this? In testing I made this change:
> > >
> > > rightsourceip=10.10.10.0/24
> > >
> > > Pinging from the client connected device gets me this:
> > >
> > > 1 2018-07-29 07:50:27.606525877 8.0.10.1 → 192.168.1.1 ICMP 100 Echo (ping) request id=0x000f, seq=1/256, ttl=64
> > >
> > > Something seems very broken. Thank you.
> > >
> > > James
> >
> > And some startup and connect logs:
> >
> > Jul 29 07:29:44 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64)
> > Jul 29 07:29:44 gateway charon: 00[CFG] PKCS11 module '<name>' lacks library path
> > Jul 29 07:29:44 gateway charon: 00[CFG] disabling load-tester plugin, not configured
> > Jul 29 07:29:44 gateway charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
> > Jul 29 07:29:44 gateway charon: 00[CFG] dnscert plugin is disabled
> > Jul 29 07:29:44 gateway charon: 00[CFG] ipseckey plugin is disabled
> > Jul 29 07:29:44 gateway charon: 00[CFG] attr-sql plugin: database URI not set
> > Jul 29 07:29:44 gateway charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> > Jul 29 07:29:44 gateway charon: 00[CFG] loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/StrongSwanCACert.pem'
> > Jul 29 07:29:44 gateway charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> > Jul 29 07:29:44 gateway charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> > Jul 29 07:29:44 gateway charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> > Jul 29 07:29:44 gateway charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> > Jul 29 07:29:44 gateway charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> > Jul 29 07:29:44 gateway charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/StrongSwanHostKey.pem'
> > Jul 29 07:29:44 gateway charon: 00[CFG] sql plugin: database URI not set
> > Jul 29 07:29:44 gateway charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
> > Jul 29 07:29:44 gateway charon: 00[CFG] eap-simaka-sql database URI missing
> > Jul 29 07:29:44 gateway charon: 00[CFG] loaded 0 RADIUS server configurations
> > Jul 29 07:29:44 gateway charon: 00[CFG] HA config misses local/remote address
> > Jul 29 07:29:44 gateway charon: 00[CFG] no threshold configured for systime-fix, disabled
> > Jul 29 07:29:44 gateway charon: 00[CFG] coupling file path unspecified
> > Jul 29 07:29:44 gateway charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
> > Jul 29 07:29:44 gateway charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
> > Jul 29 07:29:44 gateway charon: 00[JOB] spawning 16 worker threads
> > Jul 29 07:29:44 gateway ipsec[12353]: charon (12392) started after 100 ms
> > Jul 29 07:29:44 gateway ipsec_starter[12353]: charon (12392) started after 100 ms
> > Jul 29 07:29:44 gateway charon: 06[CFG] received stroke: add connection 'rw'
> > Jul 29 07:29:44 gateway charon: 06[CFG] adding virtual IP address pool 172.16.0.1
> > Jul 29 07:29:44 gateway charon: 06[CFG] loaded certificate "C=CH, O=strongSwan, CN=ns1.domain" from 'StrongSwanHostCert.pem'
> > Jul 29 07:29:44 gateway charon: 06[CFG] id 'external_ip' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=ns1.domain'
> > Jul 29 07:29:44 gateway charon: 06[CFG] added configuration 'rw'
> > Jul 29 07:30:13 gateway charon: 10[NET] received packet: from x.x.15.77[7388] to external_ip[500] (716 bytes)
> > Jul 29 07:30:13 gateway charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> > Jul 29 07:30:13 gateway charon: 10[IKE] x.x.15.77 is initiating an IKE_SA
> > Jul 29 07:30:13 gateway charon: 10[IKE] x.x.15.77 is initiating an IKE_SA
> > Jul 29 07:30:13 gateway charon: 10[IKE] remote host is behind NAT
> > Jul 29 07:30:13 gateway charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
> > Jul 29 07:30:13 gateway charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> > Jul 29 07:30:13 gateway charon: 10[NET] sending packet: from external_ip[500] to x.x.15.77[7388] (297 bytes)
> > Jul 29 07:30:15 gateway charon: 11[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
> > Jul 29 07:30:15 gateway charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
> > Jul 29 07:30:15 gateway charon: 11[ENC] received fragment #1 of 4, waiting for complete IKE message
> > Jul 29 07:30:15 gateway charon: 12[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
> > Jul 29 07:30:15 gateway charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
> > Jul 29 07:30:15 gateway charon: 12[ENC] received fragment #2 of 4, waiting for complete IKE message
> > Jul 29 07:30:15 gateway charon: 13[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
> > Jul 29 07:30:15 gateway charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
> > Jul 29 07:30:15 gateway charon: 13[ENC] received fragment #3 of 4, waiting for complete IKE message
> > Jul 29 07:30:15 gateway charon: 14[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1156 bytes)
> > Jul 29 07:30:15 gateway charon: 14[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
>
> And startup and session logs from previous, working version:
>
> Apr 18 04:23:33 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-119-generic, x86_64)
> Apr 18 04:23:34 gateway charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Apr 18 04:23:34 gateway charon: 00[CFG] loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/StrongSwanCACert.pem'
> Apr 18 04:23:34 gateway charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Apr 18 04:23:34 gateway charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Apr 18 04:23:34 gateway charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Apr 18 04:23:34 gateway charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Apr 18 04:23:34 gateway charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Apr 18 04:23:34 gateway charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/StrongSwanHostKey.pem'
> Apr 18 04:23:34 gateway charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
> Apr 18 04:23:34 gateway charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
> Apr 18 04:23:34 gateway charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Apr 18 04:23:34 gateway charon: 00[JOB] spawning 16 worker threads
> Apr 18 04:23:34 gateway ipsec_starter[26813]: charon (26814) started after 180 ms
> Apr 18 04:23:34 gateway charon: 05[CFG] received stroke: add connection 'rw'
> Apr 18 04:23:34 gateway charon: 05[CFG] left nor right host is our side, assuming left=local
> Apr 18 04:23:34 gateway charon: 05[CFG] adding virtual IP address pool 192.168.1.11
> Apr 18 04:23:34 gateway charon: 05[CFG] loaded certificate "C=CH, O=strongSwan, CN=ns1.domain" from 'StrongSwanHostCert.pem'
> Apr 18 04:23:34 gateway charon: 05[CFG] id '%any' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=ns1.domain'
> Apr 18 04:23:34 gateway charon: 05[CFG] added configuration 'rw'
>
> Apr 22 12:22:52 gateway charon: 11[NET] received packet: from x.x.9.223[8351] to external_ip[500] (704 bytes)
> Apr 22 12:22:52 gateway charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
> Apr 22 12:22:52 gateway charon: 11[IKE] x.x.9.223 is initiating an IKE_SA
> Apr 22 12:22:52 gateway charon: 11[IKE] x.x.9.223 is initiating an IKE_SA
> Apr 22 12:22:52 gateway charon: 11[IKE] remote host is behind NAT
> Apr 22 12:22:52 gateway charon: 11[IKE] DH group ECP_256 inacceptable, requesting MODP_2048
> Apr 22 12:22:52 gateway charon: 11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> Apr 22 12:22:52 gateway charon: 11[NET] sending packet: from external_ip[500] to x.x.9.223[8351] (38 bytes)
> Apr 22 12:22:52 gateway charon: 12[NET] received packet: from x.x.9.223[8351] to external_ip[500] (896 bytes)
> Apr 22 12:22:52 gateway charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
> Apr 22 12:22:52 gateway charon: 12[IKE] x.x.9.223 is initiating an IKE_SA
> Apr 22 12:22:52 gateway charon: 12[IKE] x.x.9.223 is initiating an IKE_SA
> Apr 22 12:22:52 gateway charon: 12[IKE] remote host is behind NAT
> Apr 22 12:22:52 gateway charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Apr 22 12:22:52 gateway charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Apr 22 12:22:52 gateway charon: 12[NET] sending packet: from external_ip[500] to x.x.9.223[8351] (465 bytes)
> Apr 22 12:22:53 gateway charon: 14[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (5100 bytes)
> Apr 22 12:22:53 gateway charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> Apr 22 12:22:53 gateway charon: 14[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Apr 22 12:22:53 gateway charon: 14[IKE] received 156 cert requests for an unknown ca
> Apr 22 12:22:53 gateway charon: 14[IKE] received end entity cert "C=CH, O=strongSwan, CN=user@domain"
> Apr 22 12:22:53 gateway charon: 14[CFG] looking for peer configs matching external_ip[%any]...x.x.9.223[C=CH, O=strongSwan, CN=user@domain]
> Apr 22 12:22:53 gateway charon: 14[CFG] selected peer config 'rw'
> Apr 22 12:22:53 gateway charon: 14[CFG] using certificate "C=CH, O=strongSwan, CN=user@domain"
> Apr 22 12:22:53 gateway charon: 14[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA"
> Apr 22 12:22:53 gateway charon: 14[CFG] checking certificate status of "C=CH, O=strongSwan, CN=user@domain"
> Apr 22 12:22:53 gateway charon: 14[CFG] certificate status is not available
> Apr 22 12:22:53 gateway charon: 14[CFG] reached self-signed root ca with a path length of 0
> Apr 22 12:22:53 gateway charon: 14[IKE] authentication of 'C=CH, O=strongSwan, CN=user@domain' with RSA signature successful
> Apr 22 12:22:53 gateway charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Apr 22 12:22:53 gateway charon: 14[IKE] peer supports MOBIKE
> Apr 22 12:22:53 gateway charon: 14[IKE] authentication of 'C=CH, O=strongSwan, CN=ns1.domain' (myself) with RSA signature successful
> Apr 22 12:22:53 gateway charon: 14[IKE] IKE_SA rw[6] established between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=user@domain]
> Apr 22 12:22:53 gateway charon: 14[IKE] IKE_SA rw[6] established between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=user@domain]
> Apr 22 12:22:53 gateway charon: 14[IKE] scheduling reauthentication in 9726s
> Apr 22 12:22:53 gateway charon: 14[IKE] maximum IKE_SA lifetime 10266s
> Apr 22 12:22:53 gateway charon: 14[IKE] sending end entity cert "C=CH, O=strongSwan, CN=ns1.domain"
> Apr 22 12:22:53 gateway charon: 14[IKE] peer requested virtual IP %any
> Apr 22 12:22:53 gateway charon: 14[CFG] reassigning offline lease to 'C=CH, O=strongSwan, CN=user@domain'
> Apr 22 12:22:53 gateway charon: 14[IKE] assigning virtual IP 192.168.1.11 to peer 'C=CH, O=strongSwan, CN=user@domain'
> Apr 22 12:22:53 gateway charon: 14[IKE] peer requested virtual IP %any6
> Apr 22 12:22:53 gateway charon: 14[IKE] no virtual IP found for %any6 requested by 'C=CH, O=strongSwan, CN=user@domain'
> Apr 22 12:22:53 gateway charon: 14[IKE] CHILD_SA rw{4} established with SPIs cab12a0f_i 17e464af_o and TS 192.168.1.0/24 === 192.168.1.11/32
> Apr 22 12:22:53 gateway charon: 14[IKE] CHILD_SA rw{4} established with SPIs cab12a0f_i 17e464af_o and TS 192.168.1.0/24 === 192.168.1.11/32
> Apr 22 12:22:53 gateway charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
> Apr 22 12:22:53 gateway charon: 14[NET] sending packet: from external_ip[4500] to x.x.9.223[8331] (2204 bytes)
> Apr 22 12:22:53 gateway charon: 15[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (76 bytes)
> Apr 22 12:22:53 gateway charon: 15[ENC] parsed INFORMATIONAL request 2 [ N(NO_ADD_ADDR) ]
> Apr 22 12:22:53 gateway charon: 15[ENC] generating INFORMATIONAL response 2 [ ]
> Apr 22 12:22:53 gateway charon: 15[NET] sending packet: from external_ip[4500] to x.x.9.223[8331] (76 bytes)
> Apr 22 12:23:24 gateway charon: 06[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (76 bytes)
> Apr 22 12:23:24 gateway charon: 06[ENC] parsed INFORMATIONAL request 3 [ D ]
> Apr 22 12:23:24 gateway charon: 06[IKE] received DELETE for IKE_SA rw[6]
> Apr 22 12:23:24 gateway charon: 06[IKE] deleting IKE_SA rw[6] between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=user@domain]
> Apr 22 12:23:24 gateway charon: 06[IKE] deleting IKE_SA rw[6] between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=user@domain]
> Apr 22 12:23:24 gateway charon: 06[IKE] IKE_SA deleted
> Apr 22 12:23:24 gateway charon: 06[IKE] IKE_SA deleted
> Apr 22 12:23:24 gateway charon: 06[ENC] generating INFORMATIONAL response 3 [ ]
> Apr 22 12:23:24 gateway charon: 06[NET] sending packet: from external_ip[4500] to x.x.9.223[8331] (76 bytes)
> Apr 22 12:23:24 gateway charon: 06[CFG] lease 192.168.1.11 by 'C=CH, O=strongSwan, CN=user@domain' went offline
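An added example, not code from the thread or from the strongSwan project: a small Python parser that walks charon syslog lines like the two logs above and reports, per initiating peer, whether the negotiation reached an IKE_SA and CHILD_SA, which virtual IP was assigned and which traffic selectors were negotiated, so a working and a non-working session can be compared side by side. It assumes the syslog prefix format shown in the logs; the sample lines are constructed by abridging them.

```python
# Added example (not from the thread): summarise charon syslog lines per peer.
# charon tags every line from one packet's processing with its worker thread id
# ("14[IKE]"), and "received packet: from PEER[port]" names the peer on that
# thread, so the thread id is enough to attribute the later lines to a peer.
import re

PREFIX = re.compile(r"charon: (?P<tid>\d+)\[\w+\] (?P<msg>.*)$")
RECV = re.compile(r"received packet: from (?P<peer>\S+)\[\d+\]")
FRAG = re.compile(r"received fragment #(?P<n>\d+) of (?P<total>\d+)")
VIP = re.compile(r"assigning virtual IP (?P<vip>\S+) to peer")
CHILD = re.compile(r"CHILD_SA \S+ established with SPIs .* and TS (?P<ts>.+)$")

def summarise(lines):
    """Return {peer: state}; state tracks IKE_AUTH fragments, IKE_SA, virtual IP and TS."""
    thread_peer, peers = {}, {}
    for m in filter(None, map(PREFIX.search, lines)):
        tid, msg = m.group("tid", "msg")
        if (r := RECV.search(msg)):
            thread_peer[tid] = r.group("peer")
            peers.setdefault(r.group("peer"), {"ike_sa": False, "frags": set(), "frag_total": 0, "vip": None, "ts": []})
        st = peers.get(thread_peer.get(tid))
        if st is None:
            continue  # line on a thread we have not seen a packet arrive on
        if (f := FRAG.search(msg)):
            st["frags"].add(int(f.group("n")))
            st["frag_total"] = int(f.group("total"))
        elif "IKE_SA" in msg and "established between" in msg:
            st["ike_sa"] = True
        elif (v := VIP.search(msg)):
            st["vip"] = v.group("vip")
        elif (c := CHILD.search(msg)):
            st["ts"].append(c.group("ts").strip())
    return peers

def verdict(st):
    """One-line diagnosis: did the peer reach a CHILD_SA, and with which TS?"""
    if st["ts"]:
        return "tunnel up: vip=%s ts=%s" % (st["vip"], st["ts"][0])
    if st["ike_sa"]:
        return "IKE_SA up but no CHILD_SA"
    return "no IKE_SA, IKE_AUTH fragments %d/%d" % (len(st["frags"]), st["frag_total"])

# Constructed sample, abridged from the 5.6.2 and 5.1.2 logs in the thread.
SAMPLE = """\
Jul 29 07:30:15 gateway charon: 11[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
Jul 29 07:30:15 gateway charon: 11[ENC] received fragment #1 of 4, waiting for complete IKE message
Apr 22 12:22:53 gateway charon: 14[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (5100 bytes)
Apr 22 12:22:53 gateway charon: 14[IKE] IKE_SA rw[6] established between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=user@domain]
Apr 22 12:22:53 gateway charon: 14[IKE] assigning virtual IP 192.168.1.11 to peer 'C=CH, O=strongSwan, CN=user@domain'
Apr 22 12:22:53 gateway charon: 14[IKE] CHILD_SA rw{4} established with SPIs cab12a0f_i 17e464af_o and TS 192.168.1.0/24 === 192.168.1.11/32
""".splitlines()
```

Run `summarise(SAMPLE)` and pass each state to `verdict()` to get one line per peer; the 5.1.2 peer reports the assigned virtual IP and traffic selectors, while the 5.6.2 peer stops at the IKE_AUTH fragments.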