On 6/30/2020 4:41 AM, Tobias Brunner wrote:
Hi Tom,
What I meant to say, is that would confirm all proper kernel modules
were already in place to allow the communication would it not? Anything
else I could try to, in the least, confirm if the packet was
successfully forwarded to the Azure VPN Gateway end?
I know the packet arrives at the IPSec ipsec0 interface however,
checking just now, I don't see any traffic change on the WAN interface
of the on-prem StrongSwan VPN GW.
As explained in previous emails, with kernel-libipsec you are not using
any of the IPsec-related kernel modules. IPsec processing happens in
userland via ipsec0 TUN device (see [1] for more on this plugin).
rp_filter could be an issue when using it.
To check traffic, use packet counters (strongSwan's status output,
firewall etc.) or traffic captures on the respective hosts to see if
e.g. ESP packets are exchanged.
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec
Hey All,
So I've given up on DD-WRT for the time being and decided instead to use
an old Raspberry PI 2 and OpenWRT.
The topology I'll reference is available on the below OpenWRT forum.
For the sake of not replicating all the content (and partially due to a
touch of laziness), here is the link:
Aug 9th post:
https://forum.openwrt.org/t/openwrt-support-for-quagga-ospf-strongswan-ipsecv2-1-openvpn-firewalld-ssh-ddns-dnsmasquerade/69528/18
I'm effectively running into this error:
Aug 9 17:04:06 OWRT01 : 14[IKE] initiating IKE_SA AZURE[1] to
123.123.123.123
Aug 9 17:04:06 OWRT01 : 14[ENC] generating IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 9 17:04:06 OWRT01 : 14[NET] sending packet: from
100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
Aug 9 17:04:06 OWRT01 : 04[NET] error writing to socket: Network
unreachable
Aug 9 17:04:10 OWRT01 : 14[IKE] retransmit 1 of request with message ID 0
This time, XFRM modules are loaded:
root@OWRT01:~# lsmod|grep xfrm
tunnel4 12288 2 sit,xfrm4_tunnel
tunnel6 12288 1 xfrm6_tunnel
xfrm_algo 12288 7
esp6,ah6,esp4,ah4,xfrm_user,xfrm_ipcomp,af_key
xfrm_ipcomp 12288 2 ipcomp6,ipcomp
xfrm_user 28672 0
xfrm4_mode_beet 12288 0
xfrm4_mode_transport 12288 0
xfrm4_mode_tunnel 12288 0
xfrm4_tunnel 12288 0
xfrm6_mode_beet 12288 0
xfrm6_mode_transport 12288 0
xfrm6_mode_tunnel 12288 0
xfrm6_tunnel 12288 1 ipcomp6
root@OWRT01:~#
However, from the OpenWRT post, you can see that packets arent' even
making it out of the ipsec0 interface, nor from the br-lan iterface.
--
Thx,
TK.
