A quick update.

I installed the farp plugin and now the ARP is getting resolved. But still, packets are not being pushed into the tunnel when I specify the icmp filter.

Please find the logs below:
sh-4.3# ipsec statusall m1
Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.1.35-rt41, ppc64):
  uptime: 11 minutes, since Jan 29 06:17:58 2021
  malloc: sbrk 2297856, mmap 0, used 307440, free 1990416
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default farp stroke vici updown xauth-generic counters
Listening IP addresses:
  192.168.61.2
  192.168.62.2
  172.16.31.2
  172.16.32.2
  10.10.9.1
Connections:
          m1:  172.16.31.2...172.16.31.1  IKEv2, dpddelay=60s
          m1:   local:  [172.16.31.2] uses pre-shared key authentication
          m1:   remote: [172.16.31.1] uses pre-shared key authentication
          m1:   child:  10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24 TUNNEL, dpdaction=clear
Routed Connections:
          m1{1}:  ROUTED, TUNNEL, reqid 1
          m1{1}:   10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24
Security Associations (1 up, 0 connecting):
          m1[1]: ESTABLISHED 11 minutes ago, 172.16.31.2[172.16.31.2]...172.16.31.1[172.16.31.1]
          m1[1]: IKEv2 SPIs: 766231c8253bf352_i* 6be8de67ab04169d_r, pre-shared key reauthentication in 46 minutes
          m1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
          m1{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb85fce1_i c83b5361_o
          m1{3}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 107 minutes
          m1{3}:   10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24

06:30:48.324650 IP 10.10.9.32 > 192.168.9.31: ICMP echo request, id 4637, seq 318, length 64
06:30:49.364648 IP 10.10.9.32 > 192.168.9.31: ICMP echo request, id 4637, seq 319, length 64
06:30:50.404673 IP 10.10.9.32 > 192.168.9.31: ICMP echo request, id 4637, seq 320, length 64
06:30:51.444627 IP 10.10.9.32 > 192.168.9.31: ICMP echo request, id 4637, seq 321, length 64

No ESP for src 10.10.9.32 to 192.168.9.31 ICMP.

ip xfrm seems to be OK:

src 10.10.9.0/24 dst 192.168.9.0/24 proto icmp
        dir out priority 375167 ptype main
        tmpl src 172.16.31.2 dst 172.16.31.1
                proto esp spi 0xc83b5361 reqid 1 mode tunnel


Scenario 2: Permit SSH traffic on port 22.
ipsec.conf:
        rightsubnet=192.168.9.0/24[/22],192.168.51.0/24
        leftsubnet=10.10.9.0/24,192.168.61.0/24

Also, I see the same problem. ARP is resolved but packets are not pushed into the tunnel.

06:39:21.636521 ARP, Request who-has 192.168.9.31 (Broadcast) tell 192.168.61.1, length 46
06:39:21.637023 ARP, Reply 192.168.9.31 is-at e8:e8:75:90:3f:80 (oui Unknown), length 28
06:39:21.639116 IP 10.10.9.32.50550 > 192.168.9.31.ssh: Flags [S], seq 3400545033, win 64240, options [mss 1460,sackOK,TS val 2883004940 ecr 0,nop,wscale 7], length 0
06:39:34.712713 LLDP, length 121: iS5com
06:39:34.908298 IP 172.16.31.1.isakmp > 172.16.31.2.isakmp: isakmp: parent_sa inf2

I was wondering if the filtering functionality is broken.

I'm running 5.8.2. Will upgrading to 5.9.1 fix this?

Any opinions would be appreciated.

Thanks.
Makarand.
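To tell a traffic-selector mismatch apart from a kernel or routing problem, it helps to check mechanically whether the packets seen in tcpdump fall inside the negotiated selector pair at all. The Python script below is an added example, not code from strongSwan or from the original post: it parses the `subnet[proto/port]` qualifier syntax used in leftsubnet/rightsubnet and matches the ICMP echo and the SSH SYN from the captures above against both scenarios. It assumes (not taken from the thread) that a missing protocol or port means "any", that local and remote entries combine as a cross product, and it uses small constructed protocol and service tables; ICMP type/code qualifiers and the kernel's real policy lookup are not modelled.

```python
"""Check tcpdump-observed packets against strongSwan-style traffic selectors.

Added example; not code from strongSwan or from the original post. Assumptions:
a missing protocol or port in `subnet[proto/port]` means "any", local and remote
lists combine as a cross product, ICMP type/code qualifiers are not modelled.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed lookup tables (tiny subsets of /etc/protocols and /etc/services).
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}

SELECTOR_RE = re.compile(r"^(?P<net>[^\[]+)(?:\[(?P<proto>[a-z0-9]*)(?:/(?P<port>\d+))?\])?$")
PACKET_RE = re.compile(r"\bIP (?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$")


@dataclass(frozen=True)
class Selector:
    network: ipaddress.IPv4Network
    proto: int  # 0 = any protocol
    port: int   # 0 = any port

    def matches(self, addr: str, proto: int, port: int) -> bool:
        """True if (addr, proto, port) is covered by this selector."""
        if ipaddress.ip_address(addr) not in self.network:
            return False
        if self.proto and proto != self.proto:
            return False
        return not self.port or port == self.port


def parse_selector(text: str) -> Selector:
    """Parse one entry such as '10.10.9.0/24[icmp]' or '192.168.9.0/24[/22]'."""
    m = SELECTOR_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad selector: {text!r}")
    name = m.group("proto") or ""
    proto = 0 if not name else int(name) if name.isdigit() else PROTO_NUMBERS[name]
    return Selector(ipaddress.ip_network(m.group("net"), strict=False),
                    proto, int(m.group("port") or 0))


def parse_subnet_list(text: str) -> list:
    """Parse a comma-separated leftsubnet/rightsubnet value."""
    return [parse_selector(p) for p in text.split(",") if p.strip()]


def _split_endpoint(token: str) -> tuple:
    """'10.10.9.32.50550' -> ('10.10.9.32', 50550); a bare address gets port 0."""
    parts = token.split(".")
    if len(parts) == 5:
        port = parts[4]
        return ".".join(parts[:4]), int(port) if port.isdigit() else SERVICE_PORTS[port]
    return token, 0


def parse_tcpdump_line(line: str) -> Optional[dict]:
    """Extract addresses, ports and protocol from a tcpdump 'IP ...' line."""
    m = PACKET_RE.search(line)
    if not m:
        return None  # ARP, LLDP and similar lines are not IP packets
    src, sport = _split_endpoint(m.group("src"))
    dst, dport = _split_endpoint(m.group("dst"))
    rest = m.group("rest")
    proto = 1 if rest.startswith("ICMP") else 6 if rest.startswith("Flags [") else 17 if rest.startswith("UDP") else 0
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


def selected_pair(left: list, right: list, pkt: dict):
    """Return the (local, remote) pair covering an outbound packet, or None."""
    for loc in left:
        if not loc.matches(pkt["src"], pkt["proto"], pkt["sport"]):
            continue
        for rem in right:
            if rem.matches(pkt["dst"], pkt["proto"], pkt["dport"]):
                return loc, rem
    return None


def classify(left_cfg: str, right_cfg: str, log: str) -> list:
    """For each IP packet in a tcpdump log, record whether some selector pair covers it."""
    left, right = parse_subnet_list(left_cfg), parse_subnet_list(right_cfg)
    result = []
    for line in log.splitlines():
        pkt = parse_tcpdump_line(line)
        if pkt is not None:
            pkt["selected"] = selected_pair(left, right, pkt) is not None
            result.append(pkt)
    return result


# Three capture lines from the thread plus one constructed HTTP line.
SAMPLE_LOG = """\
06:30:48.324650 IP 10.10.9.32 > 192.168.9.31: ICMP echo request, id 4637, seq 318, length 64
06:39:21.636521 ARP, Request who-has 192.168.9.31 (Broadcast) tell 192.168.61.1, length 46
06:39:21.639116 IP 10.10.9.32.50550 > 192.168.9.31.ssh: Flags [S], seq 3400545033, win 64240, length 0
06:40:00.000000 IP 10.10.9.32.40001 > 192.168.9.31.http: Flags [S], seq 1, win 64240, length 0
"""
ICMP_LEFT, ICMP_RIGHT = "10.10.9.0/24[icmp],192.168.61.0/24", "192.168.9.0/24[icmp],192.168.51.0/24"
SSH_LEFT, SSH_RIGHT = "10.10.9.0/24,192.168.61.0/24", "192.168.9.0/24[/22],192.168.51.0/24"

if __name__ == "__main__":
    for name, lcfg, rcfg in (("icmp", ICMP_LEFT, ICMP_RIGHT), ("port 22", SSH_LEFT, SSH_RIGHT)):
        print(f"scenario {name}:")
        for p in classify(lcfg, rcfg, SAMPLE_LOG):
            print(f"  {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} proto {p['proto']}: "
                  f"{'selected' if p['selected'] else 'NOT selected'}")
```

Under these assumptions the echo request is covered by the `[icmp]` pair and the SSH SYN by the `[/22]` pair, while the echo request is not covered by `[/22]` because its port fields are zero. A packet that this check reports as selected but that still shows no ESP in tcpdump is therefore not being excluded by the selector syntax itself; the `ip xfrm policy` entry it actually hits, and the path by which it reaches the policy lookup, are the remaining variables.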

-----Original Message-----
From: Users <users-boun...@lists.strongswan.org> On Behalf Of Makarand Pradhan
Sent: January 28, 2021 12:33 PM
To: users@lists.strongswan.org
Subject: [strongSwan] Subnet selector question

GM Everyone,

I am trying to selectively push ICMP traffic into the tunnel. I am missing something and would appreciate any pointers.

Scenario:
(PC1 10.10.9.31/24) <---> 10.10.9.1 Router 172.16.31.1 <-Tunnel-> 172.16.31.2 Router 192.168.9.1 <---> (192.168.9.31 PC 2)

ipsec.conf: I'm permitting only icmp in []
        rightsubnet=192.168.9.0/24[icmp],192.168.51.0/24
        leftsubnet=10.10.9.0/24[icmp],192.168.61.0/24

Issue: Ping fails.

Tunnel status:
sh-4.3# ipsec status
Routed Connections:
          m1{1}:  ROUTED, TUNNEL, reqid 1
          m1{1}:   10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24
Security Associations (1 up, 0 connecting):
          m1[1]: ESTABLISHED 3 seconds ago, 172.16.31.2[172.16.31.2]...172.16.31.1[172.16.31.1]
          m1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7b29cc2_i ca9ed38c_o
          m1{2}:   10.10.9.0/24[icmp] 192.168.61.0/24 === 192.168.9.0/24[icmp] 192.168.51.0/24

I notice that the ARP request is not answered.

When I do not specify icmp, everything works. I think strongSwan responds to the ARP. I don't see it with the icmp filter.

Thanks for looking.

Kind regards,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax: +1-289-401-5206
Email: makarandprad...@is5com.com
Website: www.iS5Com.com

 