Hello Leroy, Routes in table 220 are only added when needed now (might be later, but the existence of any is not a suitable indicator of any success or failure, what the IKE daemon reports is what you should look at).
What is the actual issue?
Kind regards
Noel
Am 08.10.20 um 19:40 schrieb Leroy Tennison:
> We're on Strongswan 5.3.5 on Ubuntu 16.04 (kernel 4.0-171-generic). I've
> searched the web and found very little references to table 220 issues but,
> after "ipsec start", "ipsec statusall" shows the connection (as does ip xfrm
> policy and ip xfrm state) and table 220 is empty. This is the first time
> this has happened to me (admittedly, only two other IPSec setups using
> Strongswan). Below are the configuration files (except ipsec.secrets which
> has one uncommented line in the form: 67.nnn.nnn.nnn : PSK <pre-shared key
> obfuscated>) with IP addresses and conn names (but nothing else) obfuscated.
> What am I doing wrong? Any further debugging steps I can take? Anything else
> you need to know? Thanks for your help.
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
> # strictcrlpolicy=yes
> # uniqueids = no
>
> # Add connections here.
>
> # Sample VPN connections
>
> conn %default
> authby=psk
> auto=start
> dpdaction=restart
> dpddelay=30s
> esp=aes256-sha256-ecp384
> ike=aes256-sha256-ecp384
> keyexchange=ikev2
> left=67.nnn.nnn.nnn
> leftauth=psk
> leftfirewall=yes
> lifetime=3h
> # mark=77 tested with vti - didn't help
> right=64.mmm.mmm.mmm
> rightauth=psk
> # See strongswan.conf for retransmission settings
>
> conn Rock-Roll-aaa-qqq
> leftsubnet=10.xxx.aaa.0/24
> rightsubnet=10.64.qqq.0/24
>
> conn Rock-Roll-bbb-qqq
> leftsubnet=10.xxx.bbb.0/24
> rightsubnet=10.64.qqq.0/24
>
> conn Rock-Roll-ccc-qqq
> leftsubnet=10.xxx.ccc.0/24
> rightsubnet=10.64.qqq.0/24
>
> conn Rock-Roll-aaa-rrr
> leftsubnet=10.xxx.aaa.0/24
> rightsubnet=10.64.rrr.0/24
>
> conn Rock-Roll-bbb-rrr
> leftsubnet=10.xxx.bbb.0/24
> rightsubnet=10.64.rrr.0/24
>
> conn Rock-Roll-ccc-rrr
> leftsubnet=10.xxx.ccc.0/24
> rightsubnet=10.64.rrr.0/24
>
> # strongswan.conf - strongSwan configuration file
> #
> # Refer to the strongswan.conf(5) manpage for details
> #
> # Configuration changes should be made in the included files
>
> charon {
> load_modular = yes
> plugins {
> include strongswan.d/charon/*.conf
> }
> # charon.install_routes=0
> charon.retransmit_base = 2
> charon.retransmit_timeout = 5
> charon.retransmit_tries = 7
> }
>
> include strongswan.d/*.conf
>
> ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-171-generic, i686):
> uptime: 13 seconds, since Oct 08 12:07:47 2020
> malloc: sbrk 1310720, mmap 0, used 305896, free 1004824
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 3
> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce
> x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
> pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve
> socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc
> eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc
> eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc
> xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
> tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
> Listening IP addresses:
> 192.168.eee.fff
> 67.nnn.nnn.nnn
> 10.xxx.ddd.www
> 10.xxx.ddd.ttt
> 10.xxx.bbb.www
> 10.xxx.bbb.ttt
> 10.xxx.eee.www
> 10.xxx.eee.ttt
> 192.168.ppp.ttt
> 10.xxx.aaa.uuu
> 66.lll.mmm.vvv
> Connections:
> Rock-Roll-aaa-qqq: 67.nnn.nnn.nnn...64.mmm.mmm.mmm IKEv2, dpddelay=30s
> Rock-Roll-aaa-qqq: local: [67.nnn.nnn.nnn] uses pre-shared key
> authentication
> Rock-Roll-aaa-qqq: remote: [64.mmm.mmm.mmm] uses pre-shared key
> authentication
> Rock-Roll-aaa-qqq: child: 10.xxx.aaa.0/24 === 10.64.qqq.0/24 TUNNEL,
> dpdaction=restart
> Rock-Roll-bbb-qqq: child: 10.xxx.bbb.0/24 === 10.64.qqq.0/24 TUNNEL,
> dpdaction=restart
> Rock-Roll-ccc-qqq: child: 10.xxx.ccc.0/24 === 10.64.qqq.0/24 TUNNEL,
> dpdaction=restart
> Rock-Roll-aaa-rrr: child: 10.xxx.aaa.0/24 === 10.64.rrr.0/24 TUNNEL,
> dpdaction=restart
> Rock-Roll-bbb-rrr: child: 10.xxx.bbb.0/24 === 10.64.rrr.0/24 TUNNEL,
> dpdaction=restart
> Rock-Roll-ccc-rrr: child: 10.xxx.ccc.0/24 === 10.64.rrr.0/24 TUNNEL,
> dpdaction=restart
> Security Associations (1 up, 0 connecting):
> Rock-Roll-aaa-qqq[1]: ESTABLISHED 13 seconds ago,
> 67.nnn.nnn.nnn[67.nnn.nnn.nnn]...64.mmm.mmm.mmm[64.mmm.mmm.mmm]
> Rock-Roll-aaa-qqq[1]: IKEv2 SPIs: 8b6302f038b8cd7a_i* 093becf3e02081ef_r,
> pre-shared key reauthentication in 2 hours
> Rock-Roll-aaa-qqq[1]: IKE proposal:
> AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
> Rock-Roll-bbb-rrr{6}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs:
> c5a95ea2_i 8d9b26cd_o
> Rock-Roll-bbb-rrr{6}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o,
> rekeying in 2 hours
> Rock-Roll-bbb-rrr{6}: 10.xxx.ccc.0/24 === 10.64.rrr.0/24
>
> ip xfrm state
> src 67.nnn.nnn.nnn dst 64.mmm.mmm.mmm
> proto esp spi 0x8d9b26cd reqid 6 mode tunnel
> replay-window 32 flag af-unspec
> mark 0x4d/0xffffffff
> auth-trunc hmac(sha256)
> 0x9985013cc2678d13ff4d070f02c72fd1ea49f2c7158bc056d0150de4a5b4a7dc 128
> enc cbc(aes)
> 0xfcbc30f7ffadddb494d651668b012db11c437164fb430ed809a190b537e016c1
> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> src 64.mmm.mmm.mmm dst 67.nnn.nnn.nnn
> proto esp spi 0xc5a95ea2 reqid 6 mode tunnel
> replay-window 32 flag af-unspec
> mark 0x4d/0xffffffff
> auth-trunc hmac(sha256)
> 0xa71506e5ad73a6ad0b1b25bd7d94af7d19906fe9d82bf86e1c21e5a8d9feb22c 128
> enc cbc(aes)
> 0x6c819631ced958d174d1490ee83f95c1d47ae5ead6df21b08095575e199c9805
> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
>
> ip xfrm policy
> src 10.64.rrr.0/24 dst 10.xxx.ccc.0/24
> dir fwd priority 2883
> mark 0x4d/0xffffffff
> tmpl src 64.mmm.mmm.mmm dst 67.nnn.nnn.nnn
> proto esp reqid 6 mode tunnel
> src 10.64.rrr.0/24 dst 10.xxx.ccc.0/24
> dir in priority 2883
> mark 0x4d/0xffffffff
> tmpl src 64.mmm.mmm.mmm dst 67.nnn.nnn.nnn
> proto esp reqid 6 mode tunnel
> src 10.xxx.ccc.0/24 dst 10.64.rrr.0/24
> dir out priority 2883
> mark 0x4d/0xffffffff
> tmpl src 67.nnn.nnn.nnn dst 64.mmm.mmm.mmm
> proto esp reqid 6 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket out priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
> socket out priority 0
> src ::/0 dst ::/0
> socket in priority 0
> src ::/0 dst ::/0
> socket out priority 0
> src ::/0 dst ::/0
> socket in priority 0
> src ::/0 dst ::/0
> socket out priority 0
>
>
> Harriscomputer
>
> *Leroy Tennison
> *Network Information/Cyber Security Specialist
> E: le...@datavoiceint.com
> P:
>
>
>
>
>
>
> 2220 Bush Dr
> McKinney, Texas
> 75070
> www.datavoiceint.com <http://www..com>
>
> This message has been sent on behalf of a company that is part of the Harris
> Operating Group of Constellation Software Inc.
>
> If you prefer not to be contacted by Harris Operating Group please notify us
> <http://subscribe.harriscomputer.com/>.
>
>
>
> This message is intended exclusively for the individual or entity to which it
> is addressed. This communication may contain information that is proprietary,
> privileged or confidential or otherwise legally exempt from disclosure. If
> you are not the named addressee, you are not authorized to read, print,
> retain, copy or disseminate this message or any part of it. If you have
> received this message in error, please notify the sender immediately by
> e-mail and delete all copies of the message.
>
>
>
signature.asc
Description: OpenPGP digital signature
