Hi, I have strongSwan running on a Raspberry Pi that has IPsec connections to an OpenBSD iked gateway, and it is working well. However, clients on the network behind the Pi seem to have issues sending traffic over tunnels unless I remove my masquerading iptables configuration; specifically, this one:

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  anywhere             anywhere

Without this entry I'm seeing packets sent upstream outside of the tunnel. In ASCII art, I'm trying to achieve this fairly standard configuration:

                    +@@@@@@@@@@+
                    @ Internet @
                    +@@@@@@@@@@+
                         |
                         | 0/0 route
                         |
      wlan1:192.168.31.26 (DHCP assigned)
    +----+                                  +-------+
    |swan|~~~~~~~~~~~~~~ipsec tunnel~~~~~~~~|openbsd|
    +----+                                  +-------+
    eth0:10.254.223.1/25                    em0:100.64.1.92
    wlan0:10.254.223.129/25                 lan:10.254.255.1/24

When I start strongSwan without any NAT rules, I'm able to ping from clients behind the Pi device (swan: 10.254.223.128/25, etc.) to 10.254.255.1, but default-route traffic gets dropped by the upstream Internet device (as it is RFC1918 space and filtered).

Are there specific NAT statements that need to be in place as an exception for the traffic that will be encapsulated by strongSwan and sent to the remote peer? Any help is appreciated; thank you very much in advance.

    # ip xfrm policy
    src 10.254.223.0/24 dst 192.168.72.0/22
        dir out priority 376447
        tmpl src 192.168.31.26 dst 100.64.1.92
            proto esp spi 0xe112339a reqid 1 mode tunnel
    src 10.254.223.0/24 dst 10.254.255.0/24
        dir out priority 375423
        tmpl src 192.168.31.26 dst 100.64.1.92
            proto esp spi 0xe112339a reqid 1 mode tunnel
    src 10.254.223.0/24 dst 10.253.255.0/24
        dir out priority 375423
        tmpl src 192.168.31.26 dst 100.64.1.92
            proto esp spi 0xe112339a reqid 1 mode tunnel
    src 192.168.72.0/22 dst 10.254.223.0/24
        dir fwd priority 376447
        tmpl src 100.64.1.92 dst 192.168.31.26
            proto esp reqid 1 mode tunnel
    src 192.168.72.0/22 dst 10.254.223.0/24
        dir in priority 376447
        tmpl src 100.64.1.92 dst 192.168.31.26
            proto esp reqid 1 mode tunnel
    src 10.254.255.0/24 dst 10.254.223.0/24
        dir fwd priority 375423
        tmpl src 100.64.1.92 dst 192.168.31.26
            proto esp reqid 1 mode tunnel
    src 10.254.255.0/24 dst 10.254.223.0/24
        dir in priority 375423
        tmpl src 100.64.1.92 dst 192.168.31.26
            proto esp reqid 1 mode tunnel
    src 10.253.255.0/24 dst 10.254.223.0/24
        dir fwd priority 375423
        tmpl src 100.64.1.92 dst 192.168.31.26
            proto esp reqid 1 mode tunnel
    src 10.253.255.0/24 dst 10.254.223.0/24
        dir in priority 375423
        tmpl src 100.64.1.92 dst 192.168.31.26
            proto esp reqid 1 mode tunnel
    src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
    src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
    src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
    src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
    src ::/0 dst ::/0
        socket in priority 0
    src ::/0 dst ::/0
        socket out priority 0
    src ::/0 dst ::/0
        socket in priority 0
    src ::/0 dst ::/0
        socket out priority 0

    # iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DNAT       udp  --  anywhere             10.254.223.129       udp dpt:domain to:127.0.0.1:53
    DNAT       tcp  --  anywhere             10.254.223.129       tcp dpt:domain to:127.0.0.1:53
    DNAT       udp  --  anywhere             10.254.223.1         udp dpt:domain to:127.0.0.1:53
    DNAT       tcp  --  anywhere             10.254.223.1         tcp dpt:domain to:127.0.0.1:53

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  anywhere             anywhere

    # cat /etc/ipsec.conf
    config setup
        charondebug="all"
        uniqueids=yes

    conn openbsd
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=%any4
        leftsubnet=10.254.223.0/24
        leftauth=secret
        leftid=swan.example.com
        leftfirewall=yes
        right=100.64.1.92
        rightsubnet=10.253.255.0/24,10.254.255.0/24,192.168.72.0/22
        rightid=openbsd.example.com
        rightauth=secret
        ike=aes256-sha512-prfsha512-ecp521
        esp=aes256-sha512-prfsha512-ecp521
        ikelifetime=4h
        keyingtries=%forever
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

    # cat /var/log/charon_debug.log
    Sat, 2022-04-02, 16:32:40 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.103-v7+, armv7l)
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'aes': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'rc2': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'sha2': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'sha1': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'md5': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'mgf1': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'random': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'nonce': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'x509': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'revocation': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'constraints': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'pubkey': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'pkcs1': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'pkcs7': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'pkcs8': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'pkcs12': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'pgp': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'dnskey': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'sshkey': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'pem': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'openssl': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'fips-prf': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'gmp': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'agent': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'xcbc': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'hmac': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'gcm': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'drbg': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'attr': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'kernel-netlink': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'resolve': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'socket-default': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'connmark': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'stroke': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'updown': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'eap-mschapv2': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'xauth-generic': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[LIB] plugin 'counters': loaded successfully
    Sat, 2022-04-02, 16:32:40 00[KNL] known interfaces and IP addresses:
    Sat, 2022-04-02, 16:32:40 00[KNL]   lo
    Sat, 2022-04-02, 16:32:40 00[KNL]     127.0.0.1
    Sat, 2022-04-02, 16:32:40 00[KNL]     ::1
    Sat, 2022-04-02, 16:32:40 00[KNL]   eth0
    Sat, 2022-04-02, 16:32:40 00[KNL]     10.254.223.1
    Sat, 2022-04-02, 16:32:40 00[KNL]   wlan0
    Sat, 2022-04-02, 16:32:40 00[KNL]     10.254.223.129
    Sat, 2022-04-02, 16:32:40 00[KNL]   wlan1
    Sat, 2022-04-02, 16:32:40 00[KNL]     192.168.31.26
    Sat, 2022-04-02, 16:32:40 00[LIB] feature PUBKEY:BLISS in plugin 'pem' has unmet dependency: PUBKEY:BLISS
    Sat, 2022-04-02, 16:32:40 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
    Sat, 2022-04-02, 16:32:40 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
    Sat, 2022-04-02, 16:32:40 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
    Sat, 2022-04-02, 16:32:40 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
    Sat, 2022-04-02, 16:32:40 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    Sat, 2022-04-02, 16:32:40 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    Sat, 2022-04-02, 16:32:40 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
    Sat, 2022-04-02, 16:32:40 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
    Sat, 2022-04-02, 16:32:40 00[CFG] loading crls from '/etc/ipsec.d/crls'
    Sat, 2022-04-02, 16:32:40 00[CFG] loading secrets from '/etc/ipsec.secrets'
    Sat, 2022-04-02, 16:32:40 00[CFG]   loaded IKE secret for "swan.example.com" "openbsd.example.com"
    Sat, 2022-04-02, 16:32:40 00[CFG]   loaded IKE secret for "swan.example.com" "openbsd.example.com"
    Sat, 2022-04-02, 16:32:40 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
    Sat, 2022-04-02, 16:32:40 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
    Sat, 2022-04-02, 16:32:40 00[LIB] dropped capabilities, running as uid 0, gid 0
    Sat, 2022-04-02, 16:32:40 00[JOB] spawning 16 worker threads
    Sat, 2022-04-02, 16:32:40 01[LIB] created thread 01 [1714]
    Sat, 2022-04-02, 16:32:40 02[LIB] created thread 02 [1715]
    Sat, 2022-04-02, 16:32:40 03[LIB] created thread 03 [1716]
    Sat, 2022-04-02, 16:32:40 04[LIB] created thread 04 [1717]
    Sat, 2022-04-02, 16:32:40 05[LIB] created thread 05 [1718]
    Sat, 2022-04-02, 16:32:40 06[LIB] created thread 06 [1719]
    Sat, 2022-04-02, 16:32:40 07[LIB] created thread 07 [1720]
    Sat, 2022-04-02, 16:32:40 08[LIB] created thread 08 [1721]
    Sat, 2022-04-02, 16:32:40 09[LIB] created thread 09 [1722]
    Sat, 2022-04-02, 16:32:40 10[LIB] created thread 10 [1723]
    Sat, 2022-04-02, 16:32:40 11[LIB] created thread 11 [1724]
    Sat, 2022-04-02, 16:32:40 12[LIB] created thread 12 [1725]
    Sat, 2022-04-02, 16:32:40 13[LIB] created thread 13 [1726]
    Sat, 2022-04-02, 16:32:40 14[LIB] created thread 14 [1727]
    Sat, 2022-04-02, 16:32:40 15[LIB] created thread 15 [1728]
    Sat, 2022-04-02, 16:32:40 16[LIB] created thread 16 [1729]
    Sat, 2022-04-02, 16:32:40 06[CFG] received stroke: add connection 'openbsd'
    Sat, 2022-04-02, 16:32:40 06[CFG] conn openbsd
    Sat, 2022-04-02, 16:32:40 06[CFG]   left=%any4
    Sat, 2022-04-02, 16:32:40 06[CFG]   leftsubnet=10.254.223.0/24
    Sat, 2022-04-02, 16:32:40 06[CFG]   leftauth=secret
    Sat, 2022-04-02, 16:32:40 06[CFG]   leftid=swan.example.com
    Sat, 2022-04-02, 16:32:40 06[CFG]   leftupdown=ipsec _updown iptables
    Sat, 2022-04-02, 16:32:40 06[CFG]   right=100.64.1.92
    Sat, 2022-04-02, 16:32:40 06[CFG]   rightsubnet=10.253.255.0/24,10.254.255.0/24,192.168.72.0/22
    Sat, 2022-04-02, 16:32:40 06[CFG]   rightauth=secret
    Sat, 2022-04-02, 16:32:40 06[CFG]   rightid=openbsd.example.com
    Sat, 2022-04-02, 16:32:40 06[CFG]   ike=aes256-sha512-prfsha512-ecp521
    Sat, 2022-04-02, 16:32:40 06[CFG]   esp=aes256-sha512-prfsha512-ecp521
    Sat, 2022-04-02, 16:32:40 06[CFG]   dpddelay=30
    Sat, 2022-04-02, 16:32:40 06[CFG]   dpdtimeout=120
    Sat, 2022-04-02, 16:32:40 06[CFG]   dpdaction=3
    Sat, 2022-04-02, 16:32:40 06[CFG]   sha256_96=no
    Sat, 2022-04-02, 16:32:40 06[CFG]   mediation=no
    Sat, 2022-04-02, 16:32:40 06[CFG]   keyexchange=ikev2
    Sat, 2022-04-02, 16:32:40 06[KNL] 100.64.1.92 is not a local address or the interface is down
    Sat, 2022-04-02, 16:32:40 06[CFG] added configuration 'openbsd'
    Sat, 2022-04-02, 16:32:40 07[CFG] received stroke: initiate 'openbsd'
    Sat, 2022-04-02, 16:32:40 07[KNL] <openbsd|1> using 192.168.31.26 as address to reach 100.64.1.92/32
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_VENDOR task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_INIT task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_NATD task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_CERT_PRE task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_AUTH task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_CERT_POST task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_CONFIG task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_AUTH_LIFETIME task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_MOBIKE task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing IKE_ME task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> queueing CHILD_CREATE task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> activating new tasks
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_VENDOR task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_INIT task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_NATD task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_CERT_PRE task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_ME task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_AUTH task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_CERT_POST task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_CONFIG task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating CHILD_CREATE task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_AUTH_LIFETIME task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1>   activating IKE_MOBIKE task
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> initiating IKE_SA openbsd[1] to 100.64.1.92
    Sat, 2022-04-02, 16:32:40 07[IKE] <openbsd|1> IKE_SA openbsd[1] state change: CREATED => CONNECTING
    Sat, 2022-04-02, 16:32:40 07[CFG] <openbsd|1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
    Sat, 2022-04-02, 16:32:40 07[CFG] <openbsd|1> sending supported signature hash algorithms: sha256 sha384 sha512 identity
    Sat, 2022-04-02, 16:32:40 07[ENC] <openbsd|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Sat, 2022-04-02, 16:32:40 07[NET] <openbsd|1> sending packet: from 192.168.31.26[500] to 100.64.1.92[500] (880 bytes)
    Sat, 2022-04-02, 16:32:40 09[NET] <openbsd|1> received packet: from 100.64.1.92[500] to 192.168.31.26[500] (322 bytes)
    Sat, 2022-04-02, 16:32:40 09[ENC] <openbsd|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
    Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1> received SIGNATURE_HASH_ALGORITHMS notify
    Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> selecting proposal:
    Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1>   proposal matches
    Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> received proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
    Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
    Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
    Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> received supported signature hash algorithms: sha256 sha384 sha512
    Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1> local host is behind NAT, sending keep alives
    Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1> reinitiating already active tasks
    Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1>   IKE_CERT_PRE task
    Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1>   IKE_AUTH task
    Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1> authentication of 'swan.example.com' (myself) with pre-shared key
    Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1> successfully created shared key MAC
    Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> proposing traffic selectors for us:
    Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1>   10.254.223.0/24
    Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> proposing traffic selectors for other:
    Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1>   10.253.255.0/24
    Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1>   10.254.255.0/24
    Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1>   192.168.72.0/22
    Sat, 2022-04-02, 16:32:40 09[CFG] <openbsd|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ, ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256
    Sat, 2022-04-02, 16:32:40 09[IKE] <openbsd|1> establishing CHILD_SA openbsd{1}
    Sat, 2022-04-02, 16:32:40 09[KNL] <openbsd|1> got SPI cda16a87
    Sat, 2022-04-02, 16:32:40 09[ENC] <openbsd|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    Sat, 2022-04-02, 16:32:40 09[NET] <openbsd|1> sending packet: from 192.168.31.26[4500] to 100.64.1.92[4500] (544 bytes)
    Sat, 2022-04-02, 16:32:40 10[NET] <openbsd|1> received packet: from 100.64.1.92[4500] to 192.168.31.26[4500] (336 bytes)
    Sat, 2022-04-02, 16:32:40 10[ENC] <openbsd|1> parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) SA TSi TSr ]
    Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> authentication of 'openbsd.example.com' with pre-shared key successful
    Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> IKE_SA openbsd[1] established between 192.168.31.26[swan.example.com]...100.64.1.92[openbsd.example.com]
    Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> IKE_SA openbsd[1] state change: CONNECTING => ESTABLISHED
    Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> scheduling reauthentication in 13362s
    Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> maximum IKE_SA lifetime 13902s
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1> selecting proposal:
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>   proposal matches
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1> received proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/ECP_521/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ, ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1> selecting traffic selectors for us:
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>   config: 10.254.223.0/24, received: 10.254.223.0/24 => match: 10.254.223.0/24
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1> selecting traffic selectors for other:
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>   config: 10.253.255.0/24, received: 192.168.72.0/22 => no match
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>   config: 10.253.255.0/24, received: 10.253.255.0/24 => match: 10.253.255.0/24
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>   config: 10.253.255.0/24, received: 10.254.255.0/24 => no match
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>   config: 10.253.255.0/24, received: 10.255.255.0/24 => no match
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>   config: 10.254.255.0/24, received: 192.168.72.0/22 => no match
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>   config: 10.254.255.0/24, received: 10.253.255.0/24 => no match
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>   config: 10.254.255.0/24, received: 10.254.255.0/24 => match: 10.254.255.0/24
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>   config: 10.254.255.0/24, received: 10.255.255.0/24 => no match
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>   config: 192.168.72.0/22, received: 192.168.72.0/22 => match: 192.168.72.0/22
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>   config: 192.168.72.0/22, received: 10.253.255.0/24 => no match
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>   config: 192.168.72.0/22, received: 10.254.255.0/24 => no match
    Sat, 2022-04-02, 16:32:40 10[CFG] <openbsd|1>   config: 192.168.72.0/22, received: 10.255.255.0/24 => no match
    Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1> CHILD_SA openbsd{1} state change: CREATED => INSTALLING
    Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1>   using AES_CBC for encryption
    Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1>   using HMAC_SHA2_512_256 for integrity
    Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1> adding inbound ESP SA
    Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1>   SPI 0xcda16a87, src 100.64.1.92 dst 192.168.31.26
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding SAD entry with SPI cda16a87 and reqid {1}
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   using encryption algorithm AES_CBC with key size 256
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   using integrity algorithm HMAC_SHA2_512_256 with key size 512
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   using replay window of 32 packets
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   HW offload: no
    Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1> adding outbound ESP SA
    Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1>   SPI 0x7e5fb1a3, src 192.168.31.26 dst 100.64.1.92
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding SAD entry with SPI 7e5fb1a3 and reqid {1}
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   using encryption algorithm AES_CBC with key size 256
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   using integrity algorithm HMAC_SHA2_512_256 with key size 512
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   using replay window of 0 packets
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1>   HW offload: no
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 10.253.255.0/24 === 10.254.223.0/24 in  [priority 375423, refcount 1]
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 10.253.255.0/24 === 10.254.223.0/24 fwd [priority 375423, refcount 1]
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 10.254.223.0/24 === 10.253.255.0/24 out [priority 375423, refcount 1]
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting a local address in traffic selector 10.254.223.0/24
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using host 10.254.223.1
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface name for index 4
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using 192.168.28.1 as nexthop and wlan1 as dev to reach 100.64.1.92/32
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> installing route: 10.253.255.0/24 via 192.168.28.1 src 10.254.223.1 dev wlan1
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface index for wlan1
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 10.254.255.0/24 === 10.254.223.0/24 in  [priority 375423, refcount 1]
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 10.254.255.0/24 === 10.254.223.0/24 fwd [priority 375423, refcount 1]
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 10.254.223.0/24 === 10.254.255.0/24 out [priority 375423, refcount 1]
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting a local address in traffic selector 10.254.223.0/24
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using host 10.254.223.1
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface name for index 4
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using 192.168.28.1 as nexthop and wlan1 as dev to reach 100.64.1.92/32
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> installing route: 10.254.255.0/24 via 192.168.28.1 src 10.254.223.1 dev wlan1
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface index for wlan1
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 192.168.72.0/22 === 10.254.223.0/24 in  [priority 376447, refcount 1]
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 192.168.72.0/22 === 10.254.223.0/24 fwd [priority 376447, refcount 1]
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> adding policy 10.254.223.0/24 === 192.168.72.0/22 out [priority 376447, refcount 1]
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting a local address in traffic selector 10.254.223.0/24
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using host 10.254.223.1
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface name for index 4
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using 192.168.28.1 as nexthop and wlan1 as dev to reach 100.64.1.92/32
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> installing route: 192.168.72.0/22 via 192.168.28.1 src 10.254.223.1 dev wlan1
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface index for wlan1
    Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> CHILD_SA openbsd{1} established with SPIs cda16a87_i 7e5fb1a3_o and TS 10.254.223.0/24 === 10.253.255.0/24 10.254.255.0/24 192.168.72.0/22
    Sat, 2022-04-02, 16:32:40 10[CHD] <openbsd|1> CHILD_SA openbsd{1} state change: INSTALLING => INSTALLED
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface name for index 4
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using 192.168.28.1 as nexthop and wlan1 as dev to reach 100.64.1.92/32
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface name for index 4
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using 192.168.28.1 as nexthop and wlan1 as dev to reach 100.64.1.92/32
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> getting iface name for index 4
    Sat, 2022-04-02, 16:32:40 10[KNL] <openbsd|1> using 192.168.28.1 as nexthop and wlan1 as dev to reach 100.64.1.92/32
    Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> peer supports MOBIKE
    Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> activating new tasks
    Sat, 2022-04-02, 16:32:40 10[IKE] <openbsd|1> nothing to initiate
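The NAT exception the post asks about, as an added example that is not part of the original question or of strongSwan's own scripts. On Linux the nat/POSTROUTING chain is evaluated before the packet is handed to the IPsec output path, so a blanket MASQUERADE rewrites a 10.254.223.x source to the wlan1 address first; the rewritten packet no longer matches the 10.254.223.0/24 selector in the kernel's xfrm policy and is routed upstream in the clear, which is the symptom described above. The fix is to let tunnel-bound traffic leave the nat table before MASQUERADE, using the xt_policy match that strongSwan's documentation recommends for exactly this case. The subnets and the interface name below are taken from the post's ipsec.conf and diagram; for any other setup they are assumptions to replace. The `iptables -t nat -S` listings in the block are constructed for the self-check, not captured from the poster's system:

```sh
#!/bin/sh
# Added example (not from the original post). Addresses and interface name are
# taken from the post's ipsec.conf and ASCII diagram; treat them as assumptions.
LEFTSUBNET="10.254.223.0/24"
RIGHTSUBNETS="10.253.255.0/24 10.254.255.0/24 192.168.72.0/22"
WAN_IF="wlan1"

# Emit the nat/POSTROUTING rules in the order they must be appended.
# Rule 1 (xt_policy match): a packet that the kernel's xfrm policy is going to
# encapsulate (--dir out --pol ipsec) is accepted out of the nat table, so
# MASQUERADE never rewrites its source and the tunnel selector still matches.
# The per-subnet ACCEPTs are redundant with rule 1 but make the intent visible
# in `iptables -t nat -L`. MASQUERADE comes last and is limited to the upstream
# interface instead of matching "anywhere".
nat_rules() {
    echo "iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT"
    for rs in $RIGHTSUBNETS; do
        echo "iptables -t nat -A POSTROUTING -s $LEFTSUBNET -d $rs -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Apply the rules above to the live system (needs root; not called by default).
apply_nat_rules() {
    nat_rules | sh -e
}

# Audit an `iptables -t nat -S POSTROUTING` listing fed on stdin.
# Returns 0 if the chain has no MASQUERADE, or if an ipsec policy exception
# (ACCEPT or RETURN) precedes the first MASQUERADE; returns 1 when tunnel
# traffic would reach MASQUERADE first, i.e. the misordering in the post.
check_postrouting() {
    awk '
        /--pol ipsec/ && /-j (ACCEPT|RETURN)/ && !masq { exempt = 1 }
        /-j MASQUERADE/ { masq = 1 }
        END { exit (masq && !exempt) ? 1 : 0 }
    '
}

# Constructed listings for a self-check: the chain shown in the post (broken)
# and the chain nat_rules produces (fixed), in `iptables -t nat -S` syntax.
BROKEN_POSTROUTING='-P POSTROUTING ACCEPT
-A POSTROUTING -j MASQUERADE'
FIXED_POSTROUTING='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.254.223.0/24 -d 10.254.255.0/24 -j ACCEPT
-A POSTROUTING -o wlan1 -j MASQUERADE'

# `sh nat-exception.sh selftest` runs the audit against both listings and
# prints the rules to apply; with no argument the file can be sourced.
if [ "${1:-}" = "selftest" ]; then
    if printf '%s\n' "$BROKEN_POSTROUTING" | check_postrouting; then
        echo "broken listing was not detected" >&2; exit 1
    fi
    printf '%s\n' "$FIXED_POSTROUTING" | check_postrouting || {
        echo "fixed listing was rejected" >&2; exit 1
    }
    echo "self-check OK; rules to apply:"
    nat_rules
fi
```

On the Pi itself, `. ./nat-exception.sh; iptables -t nat -S POSTROUTING | check_postrouting && echo ok` audits the running chain without changing it. Note that `leftfirewall=yes` only drives the `_updown` script's filter-table rules (FORWARD, and INPUT/OUTPUT where the host is in the subnet); it does not touch the nat table, so the exception has to be added separately and must stay ahead of MASQUERADE after any firewall reload.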