ipsec0 receives the packet from the ping request but nothing comes back:
# tcpdump -i ipsec0 -s 0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type RAW (Raw IP), snapshot length 262144 bytes
21:21:55.601249 IP 100.100.100.100 > 10.10.0.4: ICMP echo request, id 29010, seq 94, length 64
21:21:56.610601 IP 100.100.100.100 > 10.10.0.4: ICMP echo request, id 29010, seq 95, length 64
21:21:57.619999 IP 100.100.100.100 > 10.10.0.4: ICMP echo request, id 29010, seq 96, length 64
Logs:
# cat /opt/tmp/charon.log |grep -Ev "ENC|NET" | tail -n 30
Jun 19 19:57:07 10[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:07 10[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:07 10[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 19:57:08 15[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 19:57:08 15[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:08 15[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:08 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 19:57:09 12[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 19:57:09 12[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:09 12[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:09 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 19:57:10 16[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 19:57:10 16[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:10 16[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:10 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 19:57:11 14[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 19:57:11 14[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:11 14[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:11 14[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 20:37:26 06[KNL] creating rekey job for CHILD_SA ESP/0xe223cf04/52.188.11.203
Jun 19 20:37:26 11[IKE] establishing CHILD_SA REMOTE-VLAN1{47} reqid 4
Jun 19 20:37:26 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 20:37:26 11[IKE] inbound CHILD_SA REMOTE-VLAN1{47} established with SPIs d60f2974_i 34a12944_o and TS 10.0.0.0/24 10.1.0.0/24 10.2.0.0/24 10.3.0.0/24 192.168.0.0/24 === 10.10.0.0/24 10.10.1.0/24 10.10.2.0/24 10.10.3.0/24 10.10.4.0/24
Jun 19 20:37:26 11[KNL] error installing route with policy 10.0.0.0/24 === 10.10.0.0/24 out
Jun 19 20:37:26 11[IKE] unable to install outbound IPsec SA (SAD) in kernel
Jun 19 20:37:26 11[IKE] closing CHILD_SA REMOTE-VLAN1{4} with SPIs 28539651_i (840 bytes) e223cf04_o (840 bytes) and TS 192.168.0.0/24 === 10.10.0.0/24
Jun 19 20:37:26 11[IKE] sending DELETE for ESP CHILD_SA with SPI 28539651
Jun 19 20:37:26 12[IKE] received DELETE for ESP CHILD_SA with SPI e223cf04
Jun 19 20:37:26 12[IKE] CHILD_SA closed
Of interest are these messages:
charon: 10[ESP] no matching outbound IPsec policy for 100.100.100.100 == 10.10.0.4 [1]
On 6/19/2020 3:38 AM, TomK wrote:
Hello,
I have an Asus router using DD-WRT. On this router I've enabled OSPF.
The router sits on VLAN1: 192.168.0.0/24
There are two more VLANs within the space:
VLAN2: 10.0.0.0/24
VLAN3: 10.1.0.0/24
VLAN4: 10.2.0.0/24
VLAN5: 10.3.0.0/24
I've installed StrongSwan on top of this router and am looking to configure
site-to-site VLAN via IKEv2 to 4 more external VLANs:
VLAN1: 10.10.0.0/24
VLAN2: 10.10.1.0/24
VLAN3: 10.10.2.0/24
VLAN4: 10.10.3.0/24
So my config looks like this:
/opt/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
# Add connections here.
conn REMOTE-VLAN1
    authby=secret
    auto=start
    type=tunnel
    keyexchange=ikev2
    keylife=3600s
    ikelifetime=28800s
    left=100.100.100.100
    leftsubnet=192.168.0.0/24
    # leftnexthop=%defaultroute
    right=123.123.123.123
    rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
conn REMOTE-VLAN2
    authby=secret
    auto=start
    type=tunnel
    keyexchange=ikev2
    keylife=3600s
    ikelifetime=28800s
    left=100.100.100.100
    leftsubnet=10.0.0.0/24
    # leftnexthop=%defaultroute
    right=123.123.123.123
    rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
conn REMOTE-VLAN5
    authby=secret
    auto=start
    type=tunnel
    keyexchange=ikev2
    keylife=3600s
    ikelifetime=28800s
    left=100.100.100.100
    leftsubnet=10.3.0.0/24
    # leftnexthop=%defaultroute
    right=123.123.123.123
    rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
root@ASUS01:~# ipsec status
Security Associations (1 up, 0 connecting):
REMOTE-VLAN1[1]: ESTABLISHED 3 seconds ago, 100.100.100.100[100.100.100.100]...123.123.123.123[123.123.123.123]
REMOTE-VLAN1{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ada5f39c_i a96955ba_o
REMOTE-VLAN1{1}: 192.168.0.0/24 === 10.10.0.0/24 10.10.1.0/24 10.10.2.0/24 10.10.3.0/24 10.10.4.0/24
root@ASUS01:~#
Just by the effect of the configuration file and what is happening on
restart, it doesn't appear I can create any other VLAN routes other than
from the VLAN I'm currently on.
How do I effectively make a site-to-site VPN configuration using
StrongSwan between all 10 VLANs?
Additionally, for the VLAN that does have a tunnel created, I can ping a
local (left) subnet directly but not vice versa.
I'm interested in the correct configuration to use first since I'm very
new to this. If this still doesn't work, I'll post the logs from a good
known configuration.
--
Thx,
TK.
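A small triage script for a charon.log like the one in the reply above, added here as an example and not part of the thread: it parses the KNL/IKE/CFG lines, counts the "error installing route with policy" failures per traffic-selector pair together with the kernel errors that follow them, and lists remote subnets that more than one local subnet needs a route to, since strongSwan installs one source-specific route per policy and that is where I would look first. The regexes and SAMPLE_LOG are constructed from the lines quoted in the post; treating shared destinations as the first suspect is an assumption of mine, not a diagnosis from the thread.

```python
import re
from collections import Counter

# Constructed sample, assembled from log lines quoted in the post above.
SAMPLE_LOG = """\
Jun 19 19:57:07 10[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:07 10[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 19:57:07 10[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 19 19:57:08 15[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 19 19:57:08 15[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
Jun 19 19:57:08 15[IKE] unable to install IPsec policies (SPD) in kernel
Jun 19 20:37:26 11[IKE] establishing CHILD_SA REMOTE-VLAN1{47} reqid 4
Jun 19 20:37:26 11[KNL] error installing route with policy 10.0.0.0/24 === 10.10.0.0/24 out
Jun 19 20:37:26 11[IKE] unable to install outbound IPsec SA (SAD) in kernel
"""

# charon log line: "<Mon DD HH:MM:SS> <thread>[<group>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<thread>\d+)\[(?P<grp>\w+)\] (?P<msg>.*)$")
ROUTE_ERR_RE = re.compile(r"error installing route with policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>\w+)")
PROPOSAL_RE = re.compile(r"selected proposal: (?P<prop>\S+)")

def parse_line(line):
    """Split one charon.log line into its fields, or return None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Count route-install failures per policy and the kernel errors that follow them."""
    route_failures = Counter()  # (local subnet, remote subnet, direction) -> occurrences
    kernel_errors = Counter()   # "unable to install ..." message -> occurrences
    proposals = Counter()       # negotiated ESP proposals
    sources_per_dst = {}        # remote subnet -> local subnets that needed a route to it
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := ROUTE_ERR_RE.search(msg):
            route_failures[(m["src"], m["dst"], m["dir"])] += 1
            sources_per_dst.setdefault(m["dst"], set()).add(m["src"])
        elif msg.startswith("unable to install"):
            kernel_errors[msg] += 1
        elif m := PROPOSAL_RE.search(msg):
            proposals[m["prop"]] += 1
    # A remote subnet reached from several local subnets needs one source route per
    # local subnet (assumption); when the KNL errors cluster on such a subnet, check it first.
    shared = {d: sorted(s) for d, s in sources_per_dst.items() if len(s) > 1}
    return {"route_failures": dict(route_failures), "kernel_errors": dict(kernel_errors),
            "proposals": dict(proposals), "shared_destinations": shared}
```

Run it on a real file with `triage(open("/opt/tmp/charon.log").read())`; the `grep -Ev "ENC|NET"` filter from the post is not needed because non-matching lines are skipped.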