On 6/22/2020 4:08 AM, Tobias Brunner wrote:
> Hi Tom,
>
>> ipsec0 receives the packet from the ping request but nothing comes back:
>
> Is there any particular reason you are using the kernel-libipsec plugin
> (see [1])?  You might want to try just using kernel-netlink.

This is a DD-WRT router. It uses a pre-built kernel, so I might not have too much option in customizing it. But I tried removing it:

root@DD-WRT:~# opkg list-installed | grep -Ei kernel-libipsec
strongswan-mod-kernel-libipsec - 5.8.4-1
root@DD-WRT:~# opkg remove strongswan-mod-kernel-libipsec
Removing package strongswan-mod-kernel-libipsec from root...
root@DD-WRT:~#

And restarting:

root@DD-WRT:~# ipsec status
root@DD-WRT:~#

However:

root@DD-WRT:~# tail -f /var/log/messages|grep -Ei charon
Jun 22 08:12:14 DD-WRT daemon.info charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.4.190, armv7l)
Jun 22 08:12:14 DD-WRT daemon.info charon: 00[CFG] PKCS11 module '<name>' lacks library path
Jun 22 08:12:14 DD-WRT daemon.info charon: 00[CFG] disabling load-tester plugin, not configured
Jun 22 08:12:14 DD-WRT daemon.info charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] unable to create netlink socket: Protocol not supported (93)
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] could not open socket: Address family not supported by protocol
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] could not open IPv6 socket, IPv6 disabled
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] installing IKE bypass policy failed
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] installing IKE bypass policy failed
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:kernel-ipsec
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] attr-sql plugin: database URI not set
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] received netlink error: Address family not supported by protocol (97)
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] unable to create IPv6 routing table rule
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loading ca certificates from '/opt/etc/ipsec.d/cacerts'
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loading aa certificates from '/opt/etc/ipsec.d/aacerts'
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loading ocsp signer certificates from '/opt/etc/ipsec.d/ocspcerts'
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loading attribute certificates from '/opt/etc/ipsec.d/acerts'
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loading crls from '/opt/etc/ipsec.d/crls'
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loading secrets from '/opt/etc/ipsec.secrets'
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loaded IKE secret for 100.100.100.100 123.123.123.123
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] sql plugin: database URI not set
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] loaded 0 RADIUS server configurations
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] HA config misses local/remote address
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[CFG] coupling file path unspecified
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[LIB] failed to load 1 critical plugin feature
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[DMN] initialization failed - aborting charon
Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] received netlink error: Address family not supported by protocol (97)
Jun 22 08:12:15 DD-WRT authpriv.info ipsec_starter[15105]: charon has quit: initialization failed
Jun 22 08:12:15 DD-WRT authpriv.info ipsec_starter[15105]: charon refused to be started


Interestingly, what I do have is:


root@DD-WRT:~# find / -iname tunnel*
/lib/modules/4.4.190/tunnel4.ko
/lib/modules/4.4.190/tunnel6.ko
root@DD-WRT:~# find / -iname exp4*
root@DD-WRT:~# find / -iname esp4*
root@DD-WRT:~# find / -iname esp*
/lib/modules/4.4.190/esp6.ko
root@DD-WRT:~# find / -iname xfrm*
/lib/modules/4.4.190/xfrm6_mode_beet.ko
/lib/modules/4.4.190/xfrm6_mode_ro.ko
/lib/modules/4.4.190/xfrm6_mode_transport.ko
/lib/modules/4.4.190/xfrm6_mode_tunnel.ko
/lib/modules/4.4.190/xfrm6_tunnel.ko
/lib/modules/4.4.190/xfrm_algo.ko
/lib/modules/4.4.190/xfrm_ipcomp.ko
/proc/sys/net/core/xfrm_acq_expires
/proc/sys/net/core/xfrm_aevent_etime
/proc/sys/net/core/xfrm_aevent_rseqth
/proc/sys/net/core/xfrm_larval_drop
/proc/sys/net/ipv4/xfrm4_gc_thresh
root@DD-WRT:~#
root@DD-WRT:~#
root@DD-WRT:~# find / -iname ip_tunnel*
/lib/modules/4.4.190/ip_tunnel.ko
root@DD-WRT:~#


So just to recap, pinging, ssh etc access in general works from REMOTE to LOCAL. But not LOCAL to REMOTE with strongswan-kernel-libipsec included. This I find odd because it seems to indicate the Azure to Strongswan connection is fine, just routing and forwarding packets from the DD-WRT router over to the Azure instances isn't working. Tried a tcpdump:

root@DD-WRT:~# tcpdump -i ipsec0 -s 0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type RAW (Raw IP), snapshot length 262144 bytes
08:44:28.318516 IP 100.100.100.100 > 10.10.0.4: ICMP echo request, id 36426, seq 0, length 64
08:44:29.325741 IP 100.100.100.100 > 10.10.0.4: ICMP echo request, id 36426, seq 1, length 64

What's interesting, is that with this new config:

conn AZURE-VLANS
        authby=secret
        auto=start
        type=tunnel
        keyexchange=ikev2
        keylife=3600s
        ikelifetime=28800s
        rekey=yes
        rekeymargin=3m
        keyingtries=1
        mobike=no
        dpdaction=restart
        left=100.100.100.100
        leftsubnet=192.168.0.0/24
        lefthostaccess=yes
        right=123.123.123.123
        rightsubnet=10.10.0.0/24
        esp=aes256gcm16,aes256-sha2_256,aes256-sha1-modp2048,aes256-sha1,aes128-sha1!
        ike=aes256-sha2_256-modp1024,aes256-sha1-modp1024,aes128-sha1-modp1024!

I no longer have to run:

ip route add 10.10.0.0/24 dev ipsec0

for packets to show up on ipsec0:


root@DD-WRT:~# tcpdump -i ipsec0 -s 0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type RAW (Raw IP), snapshot length 262144 bytes
08:44:28.318516 IP 100.100.100.100 > 10.10.0.4: ICMP echo request, id 36426, seq 0, length 64
08:44:29.325741 IP 100.100.100.100 > 10.10.0.4: ICMP echo request, id 36426, seq 1, length 64

but not anymore. However, I don't see anything going further than the ipsec0 that ipsec creates when starting up. It's a bit of a black box between there and Azure.


The only time I couldn't ping from REMOTE to LOCAL is when I was missing these F/W rules.

iptables -I FORWARD -s 10.10.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables -I INPUT -p icmp -s 10.10.0.0/24 -d 192.168.0.1/32 -j ACCEPT

Thinking something similar was needed but for the reverse. Still looking at Brian's recommendations however:

root@DD-WRT:~# ip link add xfrm0 type xfrm dev ipsec0 if_id 42
ip: RTNETLINK answers: Not supported
root@DD-WRT:~# ip link add vti0 type vti dev ipsec0 if_id 42
ip: RTNETLINK answers: Not supported
root@DD-WRT:~#

Trying GRE but:

root@DD-WRT:~# ip tunnel add ipsec01 local 100.100.100.100 remote 123.123.123.123 mode gre
ip: ioctl 0x89f1 failed: No such device
root@DD-WRT:~#

So that's where I'm at currently.

Thx,


>> Jun 19 19:57:07 10[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out
>> Jun 19 19:57:07 10[IKE] unable to install IPsec policies (SPD) in kernel
>> Jun 19 19:57:07 10[IKE] failed to establish CHILD_SA, keeping IKE_SA
>
> The kernel-libipsec plugin currently requires an IP address in the local
> traffic selector to install a route, otherwise you get that error.
>
> Of interest are these messages:
>
>> charon: 10[ESP] no matching outbound IPsec policy for 100.100.100.100 == 10.10.0.4
>
> An obvious result from the above errors to install the policies.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec



--
Thx,
TK.
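The charon startup log and the CHILD_SA errors quoted in this thread are worth triaging mechanically rather than by eye. The following Python script is an added example and is not part of the thread or of strongSwan itself: it parses syslog-style charon lines of the form shown above (the `NN[TAG] message` token after the syslog prefix), classifies them with a small rule table, and returns a verdict about the kernel IPsec backend. The sample lines are constructed from the messages quoted in the thread; the explanations and the verdict wording are this example's reading of those messages, not strongSwan documentation.

```python
"""Triage strongSwan charon log lines for kernel IPsec backend problems.

Added example (not from the mailing-list thread or strongSwan).  The
sample lines below are constructed from the messages quoted in the thread.
"""
import re
from dataclasses import dataclass

# "00[KNL] message", with any syslog prefix before it.  ipsec_starter lines
# have no such token and are ignored.
CHARON_RE = re.compile(r"(\d{2})\[([A-Z]+)\] (.*)$")

# (pattern, severity, explanation); explanations are this example's reading
# of the messages.  {0} is filled from the first regex group, if any.
RULES = [
    (r"unable to create netlink socket: Protocol not supported", "fatal",
     "NETLINK_XFRM socket cannot be opened: the kernel has no XFRM user "
     "interface (CONFIG_XFRM_USER), so kernel-netlink cannot manage SAs "
     "and policies"),
    (r"unmet dependency: CUSTOM:kernel-ipsec|"
     r"failed to load \d+ critical plugin feature", "fatal",
     "no loaded plugin provides a kernel IPsec backend; charon aborts. "
     "Keep kernel-libipsec loaded or use a kernel with XFRM netlink support"),
    (r"initialization failed - aborting charon", "fatal",
     "charon did not start, which is why 'ipsec status' prints nothing"),
    (r"error installing route with policy (\S+) === (\S+) out", "fatal",
     "kernel-libipsec could not install the route for local TS {0}: it "
     "needs a local IP address inside the local traffic selector"),
    (r"unable to install IPsec policies \(SPD\)|failed to establish CHILD_SA",
     "warn", "consequence of the route/policy installation failure"),
    (r"no matching outbound IPsec policy for", "warn",
     "a packet reached ipsec0 but no outbound policy exists because the "
     "CHILD_SA was never installed"),
    (r"enabling UDP decapsulation for IPv4 on port 4500 failed", "warn",
     "in-kernel ESP-in-UDP decapsulation is unavailable (XFRM-dependent); "
     "NAT-T then only works through kernel-libipsec"),
    (r"installing IKE bypass policy failed", "warn",
     "no backend to install the IKE bypass policy; UDP/500 and UDP/4500 "
     "must be permitted by the firewall instead"),
    (r"IPv6 socket, IPv6 disabled|IPv6 routing table rule|"
     r"Address family not supported by protocol", "info",
     "IPv6 is not available in this kernel; harmless for an IPv4-only tunnel"),
    (r"load-tester|PKCS11 module '<name>'|database URI not set|"
     r"HA config misses|coupling file path unspecified", "info",
     "unconfigured optional plugin; harmless default"),
]

# Constructed sample: a subset of the startup log quoted in the thread.
SAMPLE_STARTUP = [
    "Jun 22 08:12:14 DD-WRT daemon.info charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.4.190, armv7l)",
    "Jun 22 08:12:14 DD-WRT daemon.info charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL",
    "Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] unable to create netlink socket: Protocol not supported (93)",
    "Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] could not open IPv6 socket, IPv6 disabled",
    "Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] installing IKE bypass policy failed",
    "Jun 22 08:12:15 DD-WRT daemon.info charon: 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed",
    "Jun 22 08:12:15 DD-WRT daemon.info charon: 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:kernel-ipsec",
    "Jun 22 08:12:15 DD-WRT daemon.info charon: 00[KNL] unable to create IPv6 routing table rule",
    "Jun 22 08:12:15 DD-WRT daemon.info charon: 00[LIB] failed to load 1 critical plugin feature",
    "Jun 22 08:12:15 DD-WRT daemon.info charon: 00[DMN] initialization failed - aborting charon",
    "Jun 22 08:12:15 DD-WRT authpriv.info ipsec_starter[15105]: charon refused to be started",
]

# Constructed sample: the CHILD_SA failure with kernel-libipsec loaded.
SAMPLE_CHILD = [
    "Jun 19 19:57:07 10[KNL] error installing route with policy 10.3.0.0/24 === 10.10.0.0/24 out",
    "Jun 19 19:57:07 10[IKE] unable to install IPsec policies (SPD) in kernel",
    "Jun 19 19:57:07 10[IKE] failed to establish CHILD_SA, keeping IKE_SA",
    "charon: 10[ESP] no matching outbound IPsec policy for 100.100.100.100 == 10.10.0.4",
]


@dataclass
class Finding:
    severity: str
    tag: str
    message: str
    explanation: str


def parse_line(line):
    """Return (tag, message) for a charon line, or None for any other line."""
    m = CHARON_RE.search(line)
    return None if m is None else (m.group(2), m.group(3).strip())


def triage(lines):
    """Match each charon line against RULES (first rule wins); unmatched lines are skipped."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        tag, msg = parsed
        for pattern, severity, explanation in RULES:
            m = re.search(pattern, msg)
            if m:
                findings.append(Finding(severity, tag, msg, explanation.format(*m.groups())))
                break
    return findings


def verdict(findings):
    """Reduce the fatal findings to one statement about the kernel backend."""
    fatal = {f.message for f in findings if f.severity == "fatal"}
    if any("netlink socket" in m for m in fatal) and any("kernel-ipsec" in m for m in fatal):
        return ("kernel lacks XFRM netlink support: kernel-netlink cannot work on "
                "this kernel, keep kernel-libipsec loaded")
    if any("error installing route" in m for m in fatal):
        return ("kernel-libipsec route installation failed: put a local IP "
                "address inside the local traffic selector")
    if fatal:
        return "charon failed to start; see fatal findings"
    return "no fatal kernel-backend problems found"


if __name__ == "__main__":
    for name, sample in (("startup", SAMPLE_STARTUP), ("child_sa", SAMPLE_CHILD)):
        found = triage(sample)
        for f in found:
            print(f"[{f.severity:5}] {f.tag}: {f.message}\n        -> {f.explanation}")
        print(f"{name}: {verdict(found)}\n")
```

Running it on the startup sample yields the first verdict: once the NETLINK_XFRM socket cannot be opened, no plugin can provide the kernel-ipsec feature, so removing kernel-libipsec on this kernel leaves charon with nothing to start with. The CHILD_SA sample yields the second verdict, which is the route-installation constraint Tobias describes. To use it on a live box, feed it the `grep charon` output from `/var/log/messages` in place of the constructed lists.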
