Volodymyr Litovka
2018-09-25 15:54:33 UTC
Hello colleagues,
I'm facing a problem of routing between hosts over established SA.
[Ubuntu 18.04/Strongswan 5.6.2] <--> [PAT/Cisco] <--> [OSX 10.12.6]
OSX is client, Ubuntu is server and they're able to establish connection:
Sep 25 15:43:27 vpn strongswan: 04[IKE] <ikev2-eap-mschapv2|4> CHILD_SA pinocchio{5} established with SPIs c61c704d_i 00121be9_o and TS 25.1.1.0/24 === 192.168.1.1/32
# swanctl --list-sas
ikev2-eap-mschapv2: #2, ESTABLISHED, IKEv2, bd64dfef8156901f_i 22426a0bf50a3047_r*
  local  'server' @ X.X.X.252[4500]
  remote 'doka' @ Y.Y.Y.194[4500] [192.168.1.1]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 217s ago, rekeying in 10083s
  pinocchio: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 217s ago, rekeying in 3165s, expires in 3743s
    in  c94f7412 (0x00000003),      0 bytes,     0 packets
    out 0f4f18d1 (0x00000004),      0 bytes,     0 packets
    local  25.1.1.0/24
    remote 192.168.1.1/32
Routing table on client side (OSX) looks correct:
25.1.1/24 192.168.1.1 UGSc 0 1 ipsec0
192.168.1.1 192.168.1.1 UH 1 0 ipsec0
Routing configuration on server side (Ubuntu):
***@vpn:~# ip rule show
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
***@vpn:~# ip route show table 220
192.168.1.1 via X.X.X.254 dev wan0 proto static src 25.1.1.1
***@vpn:~# ip route show table 0
192.168.1.1 via X.X.X.254 dev wan0 table 220 proto static src 25.1.1.1
default via X.X.X.254 dev wan0 proto static
***@vpn:/etc# ip route
default via X.X.X.254 dev wan0 proto static
25.1.1.0/24 dev wan0 proto kernel scope link src 25.1.1.1
and local address is up and accessible:
***@vpn:/etc# ping 25.1.1.1
PING 25.1.1.1 (25.1.1.1) 56(84) bytes of data.
64 bytes from 25.1.1.1: icmp_seq=1 ttl=64 time=0.024 ms
Debug shows the following:
Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> adding policy 192.168.1.1/32 === 25.1.1.0/24 in (mark 5/0xffffffff) [priority 371327, refcount 1]
Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> adding policy 192.168.1.1/32 === 25.1.1.0/24 fwd (mark 5/0xffffffff) [priority 371327, refcount 1]
Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> adding policy 25.1.1.0/24 === 192.168.1.1/32 out (mark 6/0xffffffff) [priority 371327, refcount 1]
Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> getting a local address in traffic selector 25.1.1.0/24
Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> using host 25.1.1.1
Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> getting iface name for index 2
Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> using X.X.X.254 as nexthop and wan0 as dev to reach Y.Y.Y.194/32
Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> installing route: 192.168.1.1/32 via X.X.X.254 src 25.1.1.1 dev wan0
Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> getting iface index for wan0
Sep 25 15:43:27 vpn strongswan: 04[IKE] <ikev2-eap-mschapv2|4> CHILD_SA pinocchio{5} established with SPIs c61c704d_i 00121be9_o and TS 25.1.1.0/24 === 192.168.1.1/32
Sep 25 15:43:27 vpn strongswan: 04[CHD] <ikev2-eap-mschapv2|4> CHILD_SA pinocchio{5} state change: INSTALLING => INSTALLED
On the server side there are neither NAT nor other iptables rules; it's accessible from the Internet from everywhere. Also, IPv4 forwarding is on (net.ipv4.ip_forward=1 @ sysctl.conf),
but there is no traffic (ping -I 25.1.1.1 192.168.1.1) between these addresses.
swanctl configuration:
connections {
    ikev2-eap-mschapv2 {
        version = 2
        local_addrs = X.X.X.252
        remote_addrs = %any
        proposals = aes256gcm16-prfsha256-modp2048,aes128gcm16-prfaescmac-modp2048,aes256-sha256-prfsha256-modp2048
        encap = yes
        fragmentation = yes
        mobike = yes   # NOTE: tried no as well
        dpd_delay = 300s
        send_cert = always
        unique = keep
        rekey_time = 3h
        pools = mypool
        local-1 {
            certs = fullchain.pem
            id = @myfqdn
        }
        remote-1 {
            id = %any
            auth = eap-mschapv2
        }
        children {
            pinocchio {
                ah_proposals =
                esp_proposals = aes256gcm16-modp2048,aes128gcm16-modp2048,aes256-sha256
                local_ts = 25.1.1.0/24
                remote_ts = dynamic
                mode = tunnel
                dpd_action = clear
                ipcomp = no
                mark_in = %unique-dir
                mark_out = %unique-dir
                tfc_padding = mtu
                hw_offload = yes   # NOTE: tried no as well
            }
        }
    }
}
secrets {
    include conf.d/secret-*.conf
}
pools {
    mypool {
        addrs = 192.168.1.0/24
    }
}
Actually, I don't understand where to look for the problem. Can anybody
suggest the way I need to follow in order to narrow down and fix the problem?
Thanks!
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
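An added triage helper for the situation described in the post above (CHILD_SA INSTALLED, both SA counters at 0 bytes / 0 packets). It is not part of the original message and not strongSwan code. It parses the two artefacts the post already contains, charon's "[KNL] adding policy ..." log lines and the per-SA counters from `swanctl --list-sas`, and reports every XFRM policy that was installed with a netfilter mark, because the Linux kernel only selects a marked policy for packets whose fwmark matches it (which is what `mark_in`/`mark_out` produce), plus every direction that has not matched a single packet. The sample inputs are constructed from the post's own lines, unwrapped as syslog stores them; the regexes are written against charon 5.x's log format as shown on this page and make no assumptions beyond that.

```python
"""Triage a strongSwan CHILD_SA that is INSTALLED but shows 0 bytes / 0 packets.

Added example for this thread; neither strongSwan code nor the poster's own.
It parses charon's "[KNL] adding policy ..." log lines and the per-SA counters
of `swanctl --list-sas` and reports (a) every XFRM policy that carries a
netfilter mark, since the kernel matches such a policy only against packets
whose fwmark equals that mark, and (b) every direction whose SA has not seen
a single packet since it was installed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the poster's [KNL] lines, one log record per line
# (the mailing-list archive wrapped them).
SAMPLE_LOG = """\
Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> adding policy 192.168.1.1/32 === 25.1.1.0/24 in (mark 5/0xffffffff) [priority 371327, refcount 1]
Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> adding policy 192.168.1.1/32 === 25.1.1.0/24 fwd (mark 5/0xffffffff) [priority 371327, refcount 1]
Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> adding policy 25.1.1.0/24 === 192.168.1.1/32 out (mark 6/0xffffffff) [priority 371327, refcount 1]
Sep 25 15:43:27 vpn strongswan: 04[KNL] <ikev2-eap-mschapv2|4> installing route: 192.168.1.1/32 via X.X.X.254 src 25.1.1.1 dev wan0
"""

# Constructed sample: the CHILD_SA section of the poster's `swanctl --list-sas`.
SAMPLE_SAS = """\
  pinocchio: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 217s ago, rekeying in 3165s, expires in 3743s
    in  c94f7412 (0x00000003),      0 bytes,     0 packets
    out 0f4f18d1 (0x00000004),      0 bytes,     0 packets
    local  25.1.1.0/24
    remote 192.168.1.1/32
"""

# "adding policy <src> === <dst> <dir> (mark N/0xMASK) [priority ...]"; the
# mark part is optional because charon omits it for unmarked policies.
POLICY_RE = re.compile(
    r"adding policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>in|out|fwd)"
    r"(?:\s+\(mark (?P<mark>\d+)/(?P<mask>0x[0-9a-fA-F]+)\))?"
)
# "in  <spi> (<cpi>),  N bytes,  M packets" lines of swanctl --list-sas
COUNTER_RE = re.compile(
    r"^\s*(?P<dir>in|out)\s+(?P<spi>[0-9a-fA-F]{8}) \((?P<cpi>0x[0-9a-fA-F]+)\),"
    r"\s+(?P<bytes>\d+) bytes,\s+(?P<packets>\d+) packets"
)


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    direction: str  # "in", "out" or "fwd"
    mark: int       # 0 when charon installed the policy without a mark
    mask: int       # 0 when charon installed the policy without a mark


def parse_policies(log_text: str) -> list[Policy]:
    """Extract the XFRM policies charon reported installing."""
    policies = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            policies.append(Policy(m["src"], m["dst"], m["dir"],
                                   int(m["mark"] or 0),
                                   int(m["mask"] or "0", 16)))
    return policies


def parse_counters(sas_text: str) -> dict[str, tuple[int, int]]:
    """Map 'in'/'out' to (bytes, packets) from a swanctl --list-sas block."""
    counters = {}
    for line in sas_text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m["dir"]] = (int(m["bytes"]), int(m["packets"]))
    return counters


def diagnose(policies: list[Policy],
             counters: dict[str, tuple[int, int]]) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for p in policies:
        if p.mask:  # mask 0 means the policy matches regardless of fwmark
            where = ("the inbound ESP / UDP-4500 packets" if p.direction in ("in", "fwd")
                     else "the cleartext packets before routing")
            findings.append(
                f"{p.direction} policy {p.src} === {p.dst} requires fwmark "
                f"{p.mark} (mask {p.mask:#x}); unless a netfilter rule sets that "
                f"mark on {where}, the kernel never selects this policy")
    for direction, (nbytes, npkts) in sorted(counters.items()):
        if npkts == 0:
            findings.append(
                f"{direction} SA: {nbytes} bytes / {npkts} packets, so nothing has "
                f"matched it since installation")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_policies(SAMPLE_LOG), parse_counters(SAMPLE_SAS)):
        print("-", finding)
```

Feed it the real `journalctl -u strongswan` output and a fresh `swanctl --list-sas` instead of the constructed samples; the marks it reports can be cross-checked outside charon's view with `ip xfrm policy` and `ip xfrm state`, and the counters tell you whether the `ping -I 25.1.1.1 192.168.1.1` from the post ever reached the out policy at all.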