On 8/9/2020 8:10 PM, TomK wrote:
On 6/30/2020 4:41 AM, Tobias Brunner wrote:
Hi Tom,

What I meant to say, is that would confirm all proper kernel modules
were already in place to allow the communication would it not?  Anything
else I could try to, in the least, confirm if the packet was
successfully forwarded to the Azure VPN Gateway end?

I know the packet arrives at the IPSec ipsec0 interface however,
checking just now, I don't see any traffic change on the WAN interface
of the on-prem StrongSwan VPN GW.

As explained in previous emails, with kernel-libipsec you are not using
any of the IPsec-related kernel modules.  IPsec processing happens in
userland via ipsec0 TUN device (see [1] for more on this plugin).
rp_filter could be an issue when using it.

To check traffic, use packet counters (strongSwan's status output,
firewall etc.) or traffic captures on the respective hosts to see if
e.g. ESP packets are exchanged.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec



Hey All,

So I've given up on DD-WRT for the time being and decided instead to use an old Raspberry PI 2 and OpenWRT.

The topology I'll reference is available on the below OpenWRT forum. For the sake of not replicating all the content (and partially due to a touch of laziness), here is the link:

Aug 9th post:

https://forum.openwrt.org/t/openwrt-support-for-quagga-ospf-strongswan-ipsecv2-1-openvpn-firewalld-ssh-ddns-dnsmasquerade/69528/18

I'm effectively running into this error:

Aug  9 17:04:06 OWRT01 : 14[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
Aug  9 17:04:06 OWRT01 : 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug  9 17:04:06 OWRT01 : 14[NET] sending packet: from 100.100.100.100[500] to 123.123.123.123[500] (1188 bytes)
Aug  9 17:04:06 OWRT01 : 04[NET] error writing to socket: Network unreachable
Aug  9 17:04:10 OWRT01 : 14[IKE] retransmit 1 of request with message ID 0


This time, XFRM modules are loaded:


root@OWRT01:~# lsmod|grep xfrm
tunnel4                12288  2 sit,xfrm4_tunnel
tunnel6                12288  1 xfrm6_tunnel
xfrm_algo              12288  7 esp6,ah6,esp4,ah4,xfrm_user,xfrm_ipcomp,af_key
xfrm_ipcomp            12288  2 ipcomp6,ipcomp
xfrm_user              28672  0
xfrm4_mode_beet        12288  0
xfrm4_mode_transport   12288  0
xfrm4_mode_tunnel      12288  0
xfrm4_tunnel           12288  0
xfrm6_mode_beet        12288  0
xfrm6_mode_transport   12288  0
xfrm6_mode_tunnel      12288  0
xfrm6_tunnel           12288  1 ipcomp6
root@OWRT01:~#


However, from the OpenWRT post, you can see that packets aren't even making it out of the ipsec0 interface, nor from the br-lan interface.




Made it past the above issue.  Had to set:


left=192.168.0.12
type=passthrough


since this is a device behind the main router.  My bad!


Now I'm receiving a reply back:


root@DD-WRT-INTERNET-ASUS:~# tcpdump -n | grep -Ei "123.123.123.123"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:42:10.410556 IP 192.168.0.12.500 > 123.123.123.123.500: isakmp: parent_sa ikev2_init[I]
21:42:10.414404 IP 123.123.123.123.500 > 192.168.0.12.500: isakmp: parent_sa ikev2_init[R]


However the result is this error:

received NO_PROPOSAL_CHOSEN notify error

I've gone and searched the above error but nothing worked so far. Tried different settings for ike= and esp= but no luck either.


Perhaps I'm missing something here a trained eye won't? Any help is appreciated.


---------------------------------------------------------
Full session:


Aug 11 00:41:57 OWRT01 : 00[DMN] signal of type SIGINT received. Shutting down
Aug 11 00:42:00 OWRT01 : 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 4.14.180, armv7l)
Aug 11 00:42:00 OWRT01 : 00[CFG] PKCS11 module '<name>' lacks library path
Aug 11 00:42:01 OWRT01 : 00[LIB] curl SSL backend 'mbedTLS/2.16.6' not supported, https:// disabled
Aug 11 00:42:01 OWRT01 : 00[CFG] disabling load-tester plugin, not configured
Aug 11 00:42:01 OWRT01 : 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Aug 11 00:42:01 OWRT01 : 00[LIB] created TUN device: ipsec0
Aug 11 00:42:01 OWRT01 : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
Aug 11 00:42:01 OWRT01 : 00[CFG] attr-sql plugin: database URI not set
Aug 11 00:42:01 OWRT01 : 00[NET] using forecast interface br-lan
Aug 11 00:42:01 OWRT01 : 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Aug 11 00:42:01 OWRT01 : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug 11 00:42:01 OWRT01 : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 11 00:42:01 OWRT01 : 00[CFG] loaded IKE secret for 192.168.0.12 123.123.123.123
Aug 11 00:42:01 OWRT01 : 00[CFG] sql plugin: database URI not set
Aug 11 00:42:01 OWRT01 : 00[CFG] loaded 0 RADIUS server configurations
Aug 11 00:42:01 OWRT01 : 00[CFG] HA config misses local/remote address
Aug 11 00:42:01 OWRT01 : 00[CFG] coupling file path unspecified
Aug 11 00:42:01 OWRT01 : 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default socket-dynamic connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Aug 11 00:42:01 OWRT01 : 00[JOB] spawning 16 worker threads
Aug 11 00:42:01 OWRT01 : 13[CFG] received stroke: add connection 'AZURE'
Aug 11 00:42:01 OWRT01 : 13[CFG] added configuration 'AZURE'
Aug 11 00:42:01 OWRT01 : 15[CFG] received stroke: initiate 'AZURE'
Aug 11 00:42:01 OWRT01 : 15[IKE] initiating IKE_SA AZURE[1] to 123.123.123.123
Aug 11 00:42:01 OWRT01 : 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 11 00:42:01 OWRT01 : 15[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (336 bytes)
Aug 11 00:42:01 OWRT01 : 10[NET] received packet: from 192.168.0.6[500] to 192.168.0.12[500] (336 bytes)
Aug 11 00:42:01 OWRT01 : 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 11 00:42:01 OWRT01 : 10[IKE] no IKE config found for 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
Aug 11 00:42:01 OWRT01 : 10[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 11 00:42:01 OWRT01 : 10[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[500] (36 bytes)
Aug 11 00:42:01 OWRT01 : 11[NET] received packet: from 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
Aug 11 00:42:01 OWRT01 : 11[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Aug 11 00:42:01 OWRT01 : 11[IKE] received NO_PROPOSAL_CHOSEN notify error






root@OWRT01:~# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.8.2 IPsec [starter]...
root@OWRT01:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn AZURE
        authby=secret
        auto=start
        type=passthrough
        keyexchange=ikev2
        keylife=3600s
        ikelifetime=28800s

        left=192.168.0.12
        leftsubnet=0.0.0.0/0
        right=123.123.123.123
        rightsubnet=0.0.0.0/0

        ike=aes256-sha2_256-modp1024
        esp=aes256-sha2_256

root@OWRT01:~#





root@OWRT01:~# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
# Verbosity levels
# -1: Absolutely silent
# 0: Very basic auditing logs, (e.g. SA up/SA down)
# 1: Generic control flow with errors, a good default to see whats going on
# 2: More detailed debugging control flow
# 3: Including RAW data dumps in Hex
# 4: Also include sensitive material in dumps, e.g. keys
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        filelog {
                charon {
                        path = /var/log/charon.log
                        time_format = %b %e %T
                        append = no
                        default = 0 # in case troubleshoot is required switch this to 2
                }
                stderr {
                        ike = 0 # in case troubleshoot is required switch this to 2
                        knl = 0 # in case troubleshoot is required switch this to 3
                        ike_name = yes
                }
        }
        syslog {
                # enable logging to LOG_DAEMON, use defaults
                daemon {
                }
                # minimalistic IKE auditing logging to LOG_AUTHPRIV
                auth {
                        default = 0 # in case troubleshoot is required switch this to 2
                        ike = 0 # in case troubleshoot is required switch this to 2
                }
        }
}
include strongswan.d/*.conf
root@OWRT01:~#







--
Thx,
TK.
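The charon log above is easiest to read by pairing each "sending packet" line with the "received packet" line that answers it. The following checker is an added example, not code from the thread or from strongSwan; it parses constructed log lines modelled on the ones quoted above (same placeholder addresses) and flags two things a defender looks for in an IKE_SA_INIT exchange: a packet arriving from a host the daemon never contacted (and, as a heuristic, whether it is the same size as the request just sent, which suggests the request was reflected back by an upstream router), and the daemon itself answering as responder with NO_PROPOSAL_CHOSEN because no conn matches.

```python
import re

# Constructed sample, modelled on the charon log quoted in the thread.
SAMPLE_LOG = """\
Aug 11 00:42:01 OWRT01 : 15[NET] sending packet: from 192.168.0.12[500] to 123.123.123.123[500] (336 bytes)
Aug 11 00:42:01 OWRT01 : 10[NET] received packet: from 192.168.0.6[500] to 192.168.0.12[500] (336 bytes)
Aug 11 00:42:01 OWRT01 : 10[IKE] no IKE config found for 192.168.0.12...192.168.0.6, sending NO_PROPOSAL_CHOSEN
Aug 11 00:42:01 OWRT01 : 10[NET] sending packet: from 192.168.0.12[500] to 192.168.0.6[500] (36 bytes)
Aug 11 00:42:01 OWRT01 : 11[NET] received packet: from 123.123.123.123[500] to 192.168.0.12[500] (36 bytes)
Aug 11 00:42:01 OWRT01 : 11[IKE] received NO_PROPOSAL_CHOSEN notify error
"""

# "[NET] sending|received packet: from A[port] to B[port] (N bytes)"
PKT = re.compile(r"\[NET\] (sending|received) packet: from ([\d.]+)\[\d+\] to ([\d.]+)\[\d+\] \((\d+) bytes\)")
# "[IKE] no IKE config found for LOCAL...REMOTE, sending NO_PROPOSAL_CHOSEN"
NOCFG = re.compile(r"no IKE config found for ([\d.]+)\.\.\.([\d.]+)")


def analyse(log):
    """Return a list of human-readable findings about the IKE exchange in a charon log."""
    sent = {}        # peer address -> size of the last packet this daemon sent to it
    findings = []
    for line in log.splitlines():
        m = PKT.search(line)
        if m:
            direction, src, dst, size = m.group(1), m.group(2), m.group(3), int(m.group(4))
            if direction == "sending":
                sent[dst] = size
            elif src not in sent:
                # A packet from a host we never sent anything to: we are acting as responder.
                # Heuristic: equal size to an outstanding request suggests it is our own
                # request coming back via a port forward / NAT hairpin on the upstream router.
                echo = [peer for peer, s in sent.items() if s == size]
                if echo:
                    findings.append(f"unsolicited packet from {src} has the same size as the request "
                                    f"sent to {echo[0]}: likely our own request reflected back")
                else:
                    findings.append(f"unsolicited packet from {src}")
            continue
        m = NOCFG.search(line)
        if m:
            findings.append(f"local daemon rejected {m.group(2)} as responder (no matching conn)")
        elif "received NO_PROPOSAL_CHOSEN" in line:
            findings.append("peer rejected our proposal")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the sample this reports that 192.168.0.6 sent an unsolicited 336-byte packet matching the request to 123.123.123.123, that the local daemon rejected it, and that the final NO_PROPOSAL_CHOSEN came back from the peer address.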
