Hello Leroy,

Routes in table 220 are now only added when needed (that might be later, but the existence of any is not a suitable indicator of success or failure; what the IKE daemon reports is what you should look at).
What is the actual issue?

Kind regards
Noel

On 08.10.20 at 19:40, Leroy Tennison wrote:
> We're on Strongswan 5.3.5 on Ubuntu 16.04 (kernel 4.0-171-generic). I've
> searched the web and found very few references to table 220 issues but,
> after "ipsec start", "ipsec statusall" shows the connection (as do ip xfrm
> policy and ip xfrm state) and table 220 is empty. This is the first time
> this has happened to me (admittedly, only two other IPSec setups using
> Strongswan). Below are the configuration files (except ipsec.secrets, which
> has one uncommented line in the form: 67.nnn.nnn.nnn : PSK <pre-shared key
> obfuscated>) with IP addresses and conn names (but nothing else) obfuscated.
> What am I doing wrong? Any further debugging steps I can take? Anything else
> you need to know? Thanks for your help.
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>
> # Add connections here.
>
> # Sample VPN connections
>
> conn %default
>         authby=psk
>         auto=start
>         dpdaction=restart
>         dpddelay=30s
>         esp=aes256-sha256-ecp384
>         ike=aes256-sha256-ecp384
>         keyexchange=ikev2
>         left=67.nnn.nnn.nnn
>         leftauth=psk
>         leftfirewall=yes
>         lifetime=3h
>         # mark=77 tested with vti - didn't help
>         right=64.mmm.mmm.mmm
>         rightauth=psk
>         # See strongswan.conf for retransmission settings
>
> conn Rock-Roll-aaa-qqq
>         leftsubnet=10.xxx.aaa.0/24
>         rightsubnet=10.64.qqq.0/24
>
> conn Rock-Roll-bbb-qqq
>         leftsubnet=10.xxx.bbb.0/24
>         rightsubnet=10.64.qqq.0/24
>
> conn Rock-Roll-ccc-qqq
>         leftsubnet=10.xxx.ccc.0/24
>         rightsubnet=10.64.qqq.0/24
>
> conn Rock-Roll-aaa-rrr
>         leftsubnet=10.xxx.aaa.0/24
>         rightsubnet=10.64.rrr.0/24
>
> conn Rock-Roll-bbb-rrr
>         leftsubnet=10.xxx.bbb.0/24
>         rightsubnet=10.64.rrr.0/24
>
> conn Rock-Roll-ccc-rrr
>         leftsubnet=10.xxx.ccc.0/24
>         rightsubnet=10.64.rrr.0/24
>
> # strongswan.conf - strongSwan configuration file
> #
> # Refer to the strongswan.conf(5) manpage for details
> #
> # Configuration changes should be made in the included files
>
> charon {
>         load_modular = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>         }
>         # charon.install_routes=0
>         charon.retransmit_base = 2
>         charon.retransmit_timeout = 5
>         charon.retransmit_tries = 7
> }
>
> include strongswan.d/*.conf
>
> ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-171-generic, i686):
>   uptime: 13 seconds, since Oct 08 12:07:47 2020
>   malloc: sbrk 1310720, mmap 0, used 305896, free 1004824
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
> Listening IP addresses:
>   192.168.eee.fff
>   67.nnn.nnn.nnn
>   10.xxx.ddd.www
>   10.xxx.ddd.ttt
>   10.xxx.bbb.www
>   10.xxx.bbb.ttt
>   10.xxx.eee.www
>   10.xxx.eee.ttt
>   192.168.ppp.ttt
>   10.xxx.aaa.uuu
>   66.lll.mmm.vvv
> Connections:
> Rock-Roll-aaa-qqq:  67.nnn.nnn.nnn...64.mmm.mmm.mmm  IKEv2, dpddelay=30s
> Rock-Roll-aaa-qqq:   local:  [67.nnn.nnn.nnn] uses pre-shared key authentication
> Rock-Roll-aaa-qqq:   remote: [64.mmm.mmm.mmm] uses pre-shared key authentication
> Rock-Roll-aaa-qqq:   child:  10.xxx.aaa.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart
> Rock-Roll-bbb-qqq:   child:  10.xxx.bbb.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart
> Rock-Roll-ccc-qqq:   child:  10.xxx.ccc.0/24 === 10.64.qqq.0/24 TUNNEL, dpdaction=restart
> Rock-Roll-aaa-rrr:   child:  10.xxx.aaa.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart
> Rock-Roll-bbb-rrr:   child:  10.xxx.bbb.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart
> Rock-Roll-ccc-rrr:   child:  10.xxx.ccc.0/24 === 10.64.rrr.0/24 TUNNEL, dpdaction=restart
> Security Associations (1 up, 0 connecting):
> Rock-Roll-aaa-qqq[1]: ESTABLISHED 13 seconds ago, 67.nnn.nnn.nnn[67.nnn.nnn.nnn]...64.mmm.mmm.mmm[64.mmm.mmm.mmm]
> Rock-Roll-aaa-qqq[1]: IKEv2 SPIs: 8b6302f038b8cd7a_i* 093becf3e02081ef_r, pre-shared key reauthentication in 2 hours
> Rock-Roll-aaa-qqq[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
> Rock-Roll-bbb-rrr{6}:  INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c5a95ea2_i 8d9b26cd_o
> Rock-Roll-bbb-rrr{6}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 2 hours
> Rock-Roll-bbb-rrr{6}:   10.xxx.ccc.0/24 === 10.64.rrr.0/24
>
> ip xfrm state
> src 67.nnn.nnn.nnn dst 64.mmm.mmm.mmm
>         proto esp spi 0x8d9b26cd reqid 6 mode tunnel
>         replay-window 32 flag af-unspec
>         mark 0x4d/0xffffffff
>         auth-trunc hmac(sha256) 0x9985013cc2678d13ff4d070f02c72fd1ea49f2c7158bc056d0150de4a5b4a7dc 128
>         enc cbc(aes) 0xfcbc30f7ffadddb494d651668b012db11c437164fb430ed809a190b537e016c1
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> src 64.mmm.mmm.mmm dst 67.nnn.nnn.nnn
>         proto esp spi 0xc5a95ea2 reqid 6 mode tunnel
>         replay-window 32 flag af-unspec
>         mark 0x4d/0xffffffff
>         auth-trunc hmac(sha256) 0xa71506e5ad73a6ad0b1b25bd7d94af7d19906fe9d82bf86e1c21e5a8d9feb22c 128
>         enc cbc(aes) 0x6c819631ced958d174d1490ee83f95c1d47ae5ead6df21b08095575e199c9805
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
>
> ip xfrm policy
> src 10.64.rrr.0/24 dst 10.xxx.ccc.0/24
>         dir fwd priority 2883
>         mark 0x4d/0xffffffff
>         tmpl src 64.mmm.mmm.mmm dst 67.nnn.nnn.nnn
>                 proto esp reqid 6 mode tunnel
> src 10.64.rrr.0/24 dst 10.xxx.ccc.0/24
>         dir in priority 2883
>         mark 0x4d/0xffffffff
>         tmpl src 64.mmm.mmm.mmm dst 67.nnn.nnn.nnn
>                 proto esp reqid 6 mode tunnel
> src 10.xxx.ccc.0/24 dst 10.64.rrr.0/24
>         dir out priority 2883
>         mark 0x4d/0xffffffff
>         tmpl src 67.nnn.nnn.nnn dst 64.mmm.mmm.mmm
>                 proto esp reqid 6 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0
> src ::/0 dst ::/0
>         socket in priority 0
> src ::/0 dst ::/0
>         socket out priority 0
> src ::/0 dst ::/0
>         socket in priority 0
> src ::/0 dst ::/0
>         socket out priority 0
>
> Leroy Tennison
> Network Information/Cyber Security Specialist
> E: le...@datavoiceint.com
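Noel's advice above is to judge the tunnels by what the IKE daemon reports rather than by the contents of routing table 220. The script below is an added example for this thread (it is not strongSwan's own tooling and not code either poster wrote): it cross-checks the Connections block of `ipsec statusall` against its Security Associations block, and then checks the installed CHILD_SAs against `ip xfrm policy`, which is what the kernel actually enforces. The embedded sample output is constructed for the demo and only modelled on the output quoted above; the conn names (hub-net1 to hub-net3), the RFC 5737 gateway addresses, the subnets and the SPIs are hypothetical, as are the function names.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan: check tunnel
# health from what charon and the kernel report, never from routing table 220.
#   missing_children       configured children with no INSTALLED CHILD_SA
#   unprotected_selectors  INSTALLED CHILD_SAs with no outbound xfrm policy
# Conn names, addresses, subnets and SPIs below are constructed for the demo.

# Constructed `ipsec statusall` output: three configured children, one installed.
SAMPLE_STATUSALL=$(cat <<'EOF'
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-171-generic, i686):
Connections:
    hub-net1:  192.0.2.10...198.51.100.20  IKEv2, dpddelay=30s
    hub-net1:   local:  [192.0.2.10] uses pre-shared key authentication
    hub-net1:   remote: [198.51.100.20] uses pre-shared key authentication
    hub-net1:   child:  10.1.1.0/24 === 10.2.1.0/24 TUNNEL, dpdaction=restart
    hub-net2:   child:  10.1.2.0/24 === 10.2.1.0/24 TUNNEL, dpdaction=restart
    hub-net3:   child:  10.1.3.0/24 === 10.2.1.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
    hub-net1[1]: ESTABLISHED 13 seconds ago, 192.0.2.10[192.0.2.10]...198.51.100.20[198.51.100.20]
    hub-net1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
    hub-net2{6}:  INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: 0a1b2c3d_i 4e5f6071_o
    hub-net2{6}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 2 hours
    hub-net2{6}:   10.1.2.0/24 === 10.2.1.0/24
EOF
)

# Constructed `ip xfrm policy` output for the one installed CHILD_SA.
SAMPLE_POLICY=$(cat <<'EOF'
src 10.2.1.0/24 dst 10.1.2.0/24
        dir fwd priority 2883
        tmpl src 198.51.100.20 dst 192.0.2.10
                proto esp reqid 6 mode tunnel
src 10.2.1.0/24 dst 10.1.2.0/24
        dir in priority 2883
        tmpl src 198.51.100.20 dst 192.0.2.10
                proto esp reqid 6 mode tunnel
src 10.1.2.0/24 dst 10.2.1.0/24
        dir out priority 2883
        tmpl src 192.0.2.10 dst 198.51.100.20
                proto esp reqid 6 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
EOF
)

# missing_children STATUSALL_TEXT
# Prints "conn left === right" for every child in the Connections block whose
# selector pair has no CHILD_SA in state INSTALLED further down in the output.
missing_children() {
  printf '%s\n' "$1" | awk '
    # "name:   child:  L === R TUNNEL, ..." (one subnet per side, as in the ipsec.conf above)
    $2 == "child:" && $4 == "===" {
      sub(/:$/, "", $1); key = $3 " === " $5; conf[key] = $1; order[++n] = key; next
    }
    # "name{n}:  INSTALLED, TUNNEL, reqid ..." gives the state of that CHILD_SA
    $1 ~ /[{][0-9]+[}]:$/ && $2 ~ /^[A-Z]+,$/ { state[$1] = $2; next }
    # "name{n}:   L === R" is the traffic-selector line of the same CHILD_SA
    $1 ~ /[{][0-9]+[}]:$/ && $3 == "===" && state[$1] == "INSTALLED," { up[$2 " === " $4] = 1 }
    END { for (i = 1; i <= n; i++) if (!(order[i] in up)) print conf[order[i]], order[i] }
  '
}

# unprotected_selectors STATUSALL_TEXT XFRM_POLICY_TEXT
# Prints "conn{n} left === right" for every INSTALLED CHILD_SA whose selectors have
# no "dir out" xfrm policy: charon shows the SA as up, but the kernel would not
# apply it to outbound traffic for that pair.
unprotected_selectors() {
  { printf '%s\n' "$1"; echo '--- ip xfrm policy ---'; printf '%s\n' "$2"; } | awk '
    /^--- ip xfrm policy ---$/ { in_policy = 1; next }
    !in_policy && $1 ~ /[{][0-9]+[}]:$/ && $2 ~ /^[A-Z]+,$/ { state[$1] = $2; next }
    !in_policy && $1 ~ /[{][0-9]+[}]:$/ && $3 == "===" && state[$1] == "INSTALLED," {
      sub(/:$/, "", $1); sa[$2 " === " $4] = $1; next
    }
    # a policy block starts with "src A dst B"; a following "dir out" line makes A->B outbound
    in_policy && $1 == "src" && $3 == "dst" { pair = $2 " === " $4; next }
    in_policy && $1 == "dir" && $2 == "out" { out[pair] = 1 }
    END { for (p in sa) if (!(p in out)) print sa[p], p }
  '
}

echo "Configured children without an INSTALLED CHILD_SA:"
missing_children "$SAMPLE_STATUSALL"
echo "INSTALLED CHILD_SAs without an outbound xfrm policy:"
unprotected_selectors "$SAMPLE_STATUSALL" "$SAMPLE_POLICY"
# On a live host:  missing_children "$(ipsec statusall)"
#                  unprotected_selectors "$(ipsec statusall)" "$(ip xfrm policy)"
```

On the sample, the first check reports hub-net1 and hub-net3 and the second reports nothing, which is the situation a practitioner wants to distinguish from "table 220 is empty": the kernel has policies and an SA for exactly the one child charon says is installed, and the other children simply never negotiated. The script matches on traffic selectors only and assumes one subnet per side per child, as in the configuration quoted above. It ignores the `mark` lines that appear in the xfrm output above; a policy carrying a mark only matches packets that have that fwmark set, so when your policies show one, check separately that the traffic you expect to be protected actually carries it.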