On 6/24/2020 10:40 AM, TomK wrote:
> On 6/24/2020 9:19 AM, Tobias Brunner wrote:
>> Hi Tom,
>>
>>> May I ask which exact line above told you I'm missing xfrm_user? The
>>> ones that start with CUSTOM?
>>
>> Yes, the first one is logged after the kernel-netlink plugin failed to
>> open a Netlink/XFRM socket, plus it is obviously missing in the module
>> lists you posted after that.
>
> Kool
>
>>> This is DD-WRT so it's a minimized router kernel. I was surprised as the
>>> next guy learning that module isn't available.
>>
>> Yeah, it doesn't make much sense to enable the other IPsec-related modules
>> without a means to actually use them. But why did you use the 2.6.23
>> kernel sources to build the missing module if your router uses a 4.4.190
>> kernel?
>
> I was questioning my sanity around that as well but initially only found the
> wiki page for 2.6.33. The SVN appeared a bit messy to me, probably
> because I'm not familiar with it yet, so wasn't sure if they just reused
> the folder name or if it was truly for Linux 2.6.33. And couldn't find
> the Linux 4.4's at the time until I rummaged through the SVN the next day.
>
> Look further down on the post. I've tried the Linux 4.4 branch but
> couldn't get that to work. There's some missing Makefiles.
>
>>> I tinkered around with this at some point. I had it originating from
>>> 192.168.0.6 > 10.10.0.4 but same results. Based on what you wrote,
>>> unless I get xfrm_user module installed, this won't work regardless of
>>> what source IP it's coming from?
>>
>> No, that's unrelated. You need that module to use the IPsec stack in
>> the kernel (i.e. to run without kernel-libipsec or ipsec0 interface).
>> The whole point of the userland IPsec stack is that it bypasses the
>> kernel and can run with reduced privileges (e.g. on Android where apps
>> can create TUN devices via VpnService API but can't access the kernel's
>> IPsec stack via Netlink/XFRM).
>>
>>> instead of originating from the WAN IP. No reply of course. My routes
>>
>> Are ESP packets sent? If yes, are any returned? If not, then this
>> seems to be an issue on the other end. So try to follow the traffic
>> there.
>
> That is what I'm not sure about. Between StrongSwan (SSW) and Azure VPN
> Gateway, I'm not able to find which one is it. I've set up a packet
> trace from the Azure VPN Gateway but the only option it gave me as a
> target was against one of the Azure VMs. Not between Azure VPN Gateway
> and the on-prem gateway.
>
> So in the least I was hoping to confirm if everything was sent correctly
> from SSW then I'll be more sure that the issue is really with Azure VPN
> Gateway blocking traffic.
>
> What I do know is that I can ping from the Azure VMs back down to my
> on-prem VLAN (192.168.0.X/24) but NOT FROM my router that's running
> SSW. In other words, traffic flows only one way. Down.
>
> So to me this looked like an issue where:
>
> 1) Like you said, ESP packets are not getting sent properly from SSW to
> Azure VPN Gateway. (How do I confirm this with 100% certainty? What
> should I look for to determine if there's any dropped packets on my
> on-prem F/W that's on this router?)
>
> 2) The Azure VPN Gateway is blocking on-prem to itself. I've made sure
> the F/W on the Azure side is not an issue.
>
>>> root@DD-WRT:~# ip route
>>
>> Again, strongSwan installs its routes in table 220, that is, use `ip
>> route show table 220` (or `all`).
>
> root@DD-WRT:~# ip route show table all
> default via 100.100.100.50 dev vlan2
> 10.0.0.0/24 via 192.168.0.1 dev br0 metric 20
> 10.1.0.0/24 via 192.168.0.1 dev br0 metric 20
> 10.1.1.0/24 dev tun2 scope link src 10.1.1.1
> 10.2.0.0/24 via 192.168.0.1 dev br0 metric 20
> 10.3.0.0/24 via 192.168.0.1 dev br0 metric 20
> 100.100.100.75/27 dev vlan2 scope link src 100.100.100.100
> 127.0.0.0/8 dev lo scope link
> 192.168.0.0/24 dev br0 scope link src 192.168.0.6
> 192.168.45.0/24 dev wl0.1 scope link src 192.168.45.1
> 192.168.75.0/24 dev wl1.1 scope link src 192.168.75.1
> broadcast 10.1.1.0 dev tun2 table local scope link src 10.1.1.1
> local 10.1.1.1 dev tun2 table local scope host src 10.1.1.1
> broadcast 10.1.1.255 dev tun2 table local scope link src 10.1.1.1
> broadcast 100.100.100.75 dev vlan2 table local scope link src 100.100.100.100
> local 100.100.100.100 dev vlan2 table local scope host src 100.100.100.100
> broadcast 100.100.100.25 dev vlan2 table local scope link src 100.100.100.100
> broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
> local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
> local 127.0.0.1 dev lo table local scope host src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
> broadcast 192.168.0.0 dev br0 table local scope link src 192.168.0.6
> local 192.168.0.6 dev br0 table local scope host src 192.168.0.6
> broadcast 192.168.0.255 dev br0 table local scope link src 192.168.0.6
> broadcast 192.168.45.0 dev wl0.1 table local scope link src 192.168.45.1
> local 192.168.45.1 dev wl0.1 table local scope host src 192.168.45.1
> broadcast 192.168.45.255 dev wl0.1 table local scope link src 192.168.45.1
> broadcast 192.168.75.0 dev wl1.1 table local scope link src 192.168.75.1
> local 192.168.75.1 dev wl1.1 table local scope host src 192.168.75.1
> broadcast 192.168.75.255 dev wl1.1 table local scope link src 192.168.75.1
> root@DD-WRT:~#
>
> root@DD-WRT:~# ip route show table 220
> root@DD-WRT:~#
>
> (Redacted the IP, hence why you see 100.100.100.X for the ISP GW)
>
>> Regards,
>>
>> Tobias
What are the dependencies of all these modules listed here? I'm close
and was able to load quite a few:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1209261#1209261
https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
but xfrm_user.ko doesn't insert and I suspect it's due to missing dependencies:
root@DD-WRT:/opt/xfrm4# lsmod
Module Size Used by
tunnel6 1691 0
xfrm4_mode_tunnel 1354 0
xfrm4_mode_transport 778 0
xfrm4_mode_beet 1418 0
ah4 4540 0
esp4 5175 0
xfrm_ipcomp 2853 0
xfrm4_tunnel 1368 0
xfrm_algo 3645 3 ah4,esp4,xfrm_ipcomp
ip_tunnel 10496 0
tunnel4 1692 1 xfrm4_tunnel
ext4 319105 1
jbd2 50250 1 ext4
mbcache 7009 1 ext4
crc16 1060 1 ext4
vhci_hcd 12705 0
usbip_host 12201 0
usbip_core 4593 2 vhci_hcd,usbip_host
usblp 8913 0
usb_storage 37587 1
sr_mod 11005 0
cdrom 24153 1 sr_mod
sd_mod 24627 1
scsi_mod 83966 3 usb_storage,sr_mod,sd_mod
xhci_plat_hcd 2116 0
xhci_pci 2632 0
xhci_hcd 84444 2 xhci_plat_hcd,xhci_pci
ohci_pci 2157 0
ohci_hcd 23292 1 ohci_pci
ehci_pci 2829 0
ehci_hcd 33905 1 ehci_pci
usbcore 127988 12 vhci_hcd,usbip_host,usblp,usb_storage,xhci_plat_hcd,xhci_pci,xhci_hcd,ohci_pci,ohci_hcd,ehci_pci,ehci_hcd
usb_common 1589 2 vhci_hcd,usbcore
ip6_tables 9261 0
xt_ndpi 344541 0
tun 15569 4
fast_classifier 138897 0
jffs2 92216 1
lzo_decompress 1764 0
lzo_compress 1828 0
lzma_decompress 8228 1 jffs2
lzma_compress 23664 1 jffs2
wl 4384906 0
switch_robo 13611 0
switch_core 5449 1 switch_robo
et 42648 0
root@DD-WRT:/opt/xfrm4#
All others insert just fine as long as they are added in a specific
sequence:
root@DD-WRT:/opt/xfrm4# for mods in $(echo tunnel4.ko ip_tunnel.ko xfrm_algo.ko xfrm4_tunnel.ko xfrm_ipcomp.ko esp4.ko ah4.ko xfrm4_mode_beet.ko xfrm4_mode_beet.ko xfrm4_mode_transport.ko xfrm4_mode_tunnel.ko xfrm_user.ko); do insmod $mods; done
insmod: cannot insert 'tunnel4.ko': File exists
insmod: cannot insert 'ip_tunnel.ko': File exists
insmod: cannot insert 'xfrm_algo.ko': File exists
insmod: cannot insert 'xfrm4_tunnel.ko': File exists
insmod: cannot insert 'xfrm_ipcomp.ko': File exists
insmod: cannot insert 'esp4.ko': File exists
insmod: cannot insert 'ah4.ko': File exists
insmod: cannot insert 'xfrm4_mode_beet.ko': File exists
insmod: cannot insert 'xfrm4_mode_beet.ko': File exists
insmod: cannot insert 'xfrm4_mode_transport.ko': File exists
insmod: cannot insert 'xfrm4_mode_tunnel.ko': File exists
insmod: cannot insert 'xfrm_user.ko': unknown symbol in module
root@DD-WRT:/opt/xfrm4#
root@DD-WRT:/opt/xfrm4# strings xfrm_user.ko|grep -Ei depends
depends=xfrm_algo
root@DD-WRT:/opt/xfrm4# insmod xfrm_algo.ko
insmod: cannot insert 'xfrm_algo.ko': File exists
root@DD-WRT:/opt/xfrm4# lsmod|grep xfrm_algo
xfrm_algo 3645 3 ah4,esp4,xfrm_ipcomp
root@DD-WRT:/opt/xfrm4#
--
Thx,
TK.
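Tobias's question in the quoted part of the thread (are ESP packets sent, and do any come back?) and Tom's "how do I confirm this with 100% certainty?" can both be answered on the router itself. The script below is an added example, not something posted in this thread: it captures on the WAN interface with tcpdump and counts ESP and IKE packets in each direction relative to the router's own public address. The interface name (vlan2, taken from the route table above), the local address and the presence of tcpdump on the router (e.g. from Entware) are assumptions, and the sample tcpdump lines inside it are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread): answer "are ESP packets sent, and
# does anything come back?" by capturing on the router's WAN interface and
# counting ESP / IKE packets per direction relative to the router's own
# public address. Interface (vlan2, from the route table) and address are
# parameters; tcpdump on the router is assumed (e.g. from Entware).

# Summarize "tcpdump -n" output read from stdin for the address LOCAL_IP.
# Handles plain ESP ("a.b.c.d > w.x.y.z: ESP(spi=...") and UDP-encapsulated
# ESP / IKE lines, where the addresses carry a ".port" suffix.
summarize_esp() {
    awk -v me="$1" '
        # "a.b.c.d.4500:" -> "a.b.c.d"; "a.b.c.d:" -> "a.b.c.d"
        function host(s,  n, a) {
            sub(/:$/, "", s)
            n = split(s, a, ".")
            if (n == 5) return a[1] "." a[2] "." a[3] "." a[4]
            return s
        }
        $2 == "IP" {
            src = host($3); dst = host($5)
            if ($0 ~ /ESP\(spi=/)   kind = "esp"   # raw ESP or "UDP-encap: ESP(...)"
            else if ($0 ~ /isakmp/) kind = "ike"   # IKE on udp/500 or udp/4500
            else                    next
            if (src == me)      c[kind "_sent"]++
            else if (dst == me) c[kind "_recv"]++
        }
        END {
            printf "esp_sent=%d esp_recv=%d ike_sent=%d ike_recv=%d\n",
                   c["esp_sent"], c["esp_recv"], c["ike_sent"], c["ike_recv"]
        }'
}

# Capture for SECS seconds on IFACE, then summarize. Generate traffic from
# the LAN (e.g. ping an Azure VM from a 192.168.0.x host) while it runs.
capture_esp() {
    iface="$1"; local_ip="$2"; secs="${3:-20}"
    tmp=$(mktemp)
    tcpdump -n -l -i "$iface" 'esp or udp port 4500 or udp port 500' >"$tmp" 2>/dev/null &
    pid=$!
    sleep "$secs"
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
    summarize_esp "$local_ip" <"$tmp"
    rm -f "$tmp"
}

# Constructed sample lines (not a real capture) in tcpdump -n format, so the
# summarizer can be exercised without a router: two ESP packets out, one in,
# one IKE exchange.
sample_tcpdump() {
    cat <<'EOF'
12:00:01.000001 IP 100.100.100.100.4500 > 20.30.40.50.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 120
12:00:01.100001 IP 100.100.100.100 > 20.30.40.50: ESP(spi=0x0a1b2c3d,seq=0x2), length 132
12:00:01.200001 IP 20.30.40.50 > 100.100.100.100: ESP(spi=0xdeadbeef,seq=0x1), length 132
12:00:02.000001 IP 100.100.100.100.500 > 20.30.40.50.500: isakmp: parent_sa ikev2_init[I]
12:00:02.100001 IP 20.30.40.50.500 > 100.100.100.100.500: isakmp: parent_sa ikev2_init[R]
EOF
}

# Usage: sh espcheck.sh vlan2 100.100.100.100 [seconds]; with no arguments
# it runs the summarizer over the constructed sample instead.
if [ $# -ge 2 ]; then
    capture_esp "$1" "$2" "${3:-20}"
else
    sample_tcpdump | summarize_esp 100.100.100.100
fi
```

Read the result like this: esp_sent > 0 with esp_recv = 0 means the router did emit ESP and nothing came back, so the problem lies on the path to, or inside, the Azure side; esp_sent = 0 while IKE packets flow means the IKE SA is up but the router is not emitting ESP for that traffic, which points at the local policy or the router's own firewall. On this router strongSwan runs with kernel-libipsec, which sends ESP UDP-encapsulated through its IKE UDP socket rather than as raw protocol 50, so the packets to look for show up as "UDP-encap: ESP" on port 4500; the capture filter above covers both forms.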
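The message ends at insmod's terse "unknown symbol in module". insmod prints that text for the kernel's ENOENT result whatever the underlying cause; the detail is only in the kernel log. The script below is an added example, not from the thread and not a strongSwan or DD-WRT tool: it reports the .ko's vermagic against the running kernel, pulls the "Unknown symbol" and "disagrees about version of symbol" lines dmesg holds for the module, and checks whether each unresolved symbol exists at all in /proc/kallsyms (exported by the kernel itself or by an already loaded module). The module path, and the sample dmesg and kallsyms lines used for the demo, are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, not a strongSwan or DD-WRT tool):
# insmod prints "unknown symbol in module" for the kernel's ENOENT result
# whatever the cause; the detail is only in the kernel log. This script
# pulls it out: the .ko's vermagic versus the running kernel, the
# "Unknown symbol" / "disagrees about version of symbol" lines dmesg holds
# for the module, and whether each unresolved symbol exists at all in
# /proc/kallsyms (from the kernel itself or an already loaded module).

# 1) Kernel the .ko was built against. Uses strings, as the thread did,
#    because modinfo is often absent on a busybox system.
vermagic_of() {
    strings "$1" | sed -n 's/^vermagic=//p'
}

# 2) Symbols the kernel could not resolve for module $1, from dmesg text on
#    stdin. Kernel format: "<module>: Unknown symbol <name> (err <n>)",
#    optionally prefixed by a "[ seconds] " timestamp.
unknown_symbols() {
    awk -v m="$1:" '
        { sub(/^\[[^]]*\] */, "") }
        $1 == m && $2 == "Unknown" && $3 == "symbol" { print $4 }'
}

# 3) CRC or vermagic complaints for module $1 (CONFIG_MODVERSIONS, or a .ko
#    built from other sources than the running kernel):
#    "<module>: disagrees about version of symbol <name>"
#    "<module>: version magic '<a>' should be '<b>'"
version_problems() {
    awk -v m="$1:" '
        { sub(/^\[[^]]*\] */, "") }
        $1 == m && ($0 ~ /disagrees about version/ || $0 ~ /version magic/)'
}

# 4) For each symbol name on stdin, report whether a kallsyms-style listing
#    ($1; "<addr> <type> <name> [<module>]") contains it.
#    Output: "<name> present kernel", "<name> present [<module>]" or
#    "<name> missing".
resolve_symbols() {
    kallsyms="$1"
    while IFS= read -r sym; do
        [ -n "$sym" ] || continue
        hit=$(awk -v s="$sym" '$3 == s { print ($4 == "" ? "kernel" : $4); exit }' "$kallsyms")
        if [ -n "$hit" ]; then echo "$sym present $hit"; else echo "$sym missing"; fi
    done
}

# Live run: diagnose /path/to/xfrm_user.ko right after a failed insmod.
# A trimmed router kernel may lack CONFIG_KALLSYMS; then step 4 is skipped.
diagnose() {
    ko="$1"; mod=$(basename "$ko" .ko)
    echo "running kernel:  $(uname -r)"
    echo "module vermagic: $(vermagic_of "$ko")"
    dmesg | version_problems "$mod"
    if [ -r /proc/kallsyms ]; then
        dmesg | unknown_symbols "$mod" | sort -u | resolve_symbols /proc/kallsyms
    else
        dmesg | unknown_symbols "$mod" | sort -u
    fi
}

# Constructed sample input (not real output from the router in the thread),
# so the parsers can be run anywhere.
sample_dmesg() {
    cat <<'EOF'
[   12.345678] xfrm_user: Unknown symbol xfrm_sa_len (err 0)
[   12.345680] xfrm_user: Unknown symbol km_policy_notify (err 0)
[   12.345681] xfrm_user: disagrees about version of symbol xfrm_aalg_get_byname
[   12.345690] esp4: Unknown symbol some_other_symbol (err 0)
EOF
}
sample_kallsyms() {   # writes a kallsyms-style listing to file $1
    cat >"$1" <<'EOF'
ffffffff81000000 T xfrm_sa_len
ffffffff8107b000 T xfrm_aalg_get_byname [xfrm_algo]
EOF
}

# Usage: sh modcheck.sh /opt/xfrm4/xfrm_user.ko; with no argument it runs
# the parsers over the constructed sample.
if [ $# -ge 1 ]; then
    diagnose "$1"
else
    tmp=$(mktemp); sample_kallsyms "$tmp"
    sample_dmesg | version_problems xfrm_user
    sample_dmesg | unknown_symbols xfrm_user | resolve_symbols "$tmp"
    rm -f "$tmp"
fi
```

A symbol reported missing is either exported by a module that is not loaded yet (compare the depends= strings of the other .ko files, as the thread already does) or not built into this kernel at all, in which case no load order will help and the kernel itself has to be rebuilt with that option enabled. A symbol reported present next to a "disagrees about version" line is a CRC mismatch: the module was compiled against different sources or a different .config than the running kernel, which is what building a module from another kernel tree produces even when the version string matches.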