Discussion:
[strongSwan] Passthrough Connection
Christian Hanster
2015-09-02 20:34:25 UTC
Permalink
Hi all :)

I'm having trouble to set up a simple ipsec connection with overlapping networks and a passthrough connection. Therefore my question is, if there is some open bug at the moment so that it cannot work.

My configuration:
ipsec.conf (Client):

config setup
charonstart=yes

conn Router3
keyexchange=ikev2
right=185.48.118.115
rightid=@serverside
rightsubnet=10.1.0.0/16
left=%any
leftsubnet=10.1.13.0/24
leftid=@router
auto=start
authby=secret
ikelifetime=323s
keylife=771s
rekeymargin=151s
keyingtries= 1
leftfirewall=yes
mobike=no

conn passthrough
rightsubnet=10.1.13.0/24
leftsubnet=10.1.13.0/24
type=pass
auto=route
authby=never (There is no different if I write this line or not)

ipsec.conf (Server side)

config setup
# strictcrlpolicy=yes
# uniqueids = no
charonstart=yes
plutostart=no

conn %default
keyexchange=ikev2
left=185.48.118.115
leftid=@serverside
leftsubnet=10.1.0.0/16
right=%any
auto=add
authby=secret
ikelifetime=41s
keylife=89s
rekeymargin=21s
mobike=no
esp=aes128-sha1-modp2048

conn Router3
rightsubnet=10.1.13.0/24
rightid=@router
ikelifetime=323s
keylife=771s
rekeymargin=151s
leftfirewall=yes

The connection will be set up but the clients behind the router in the subnet of 10.1.13.0/24 cannot connect to the router and therefore also not connecting to the other network. I also played around with leftsourceip for the client and lefthostaccess but both did not changed the situation.

Here is the output of ipsec statusall:
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-39-generic, x86_64):
uptime: 22 minutes, since Sep 02 22:08:00 2015
malloc: sbrk 2433024, mmap 0, used 418432, free 2014592
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 242
loaded plugins: charon addrblock aes attr ccm cmac constraints ctr eap-identity gcm md4 openssl pkcs12 pkcs7 pkcs8 rc2 resolve test-vectors xcbc sha1 sha2 md5 pem pkcs1 random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
Listening IP addresses:
192.168.1.162
10.1.13.1
192.168.3.1
Connections:
Router3: %any...185.48.118.115 IKEv2
Router3: local: [router] uses pre-shared key authentication
Router3: remote: [serverside] uses pre-shared key authentication
Router3: child: 10.1.13.0/24 === 10.1.0.0/16 TUNNEL
passthrough: %any...%any IKEv2
passthrough: local: uses public key authentication
passthrough: remote: uses public key authentication
passthrough: child: 10.1.13.0/24 === 10.1.13.0/24 PASS
Shunted Connections:
passthrough: 10.1.13.0/24 === 10.1.13.0/24 PASS
Security Associations (1 up, 0 connecting):
Router3[733]: ESTABLISHED 9 seconds ago, 192.168.1.162[router]
185.48.118.115[serverside]
Router3[733]: IKEv2 SPIs: 05ffa0afc04432df_i* 5d4055a12121b030_r, pre-shared key reauthentication in 7 seconds
Router3[733]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Router3{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c9b05f98_i c1028cf3_o
Router3{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 8 minutes
Router3{1}: 10.1.13.0/24 === 10.1.0.0/16


If I compare that to the output from the test examples (https://www.strongswan.org/uml/testresults4/ikev2/shunt-policies/index.html <https://www.strongswan.org/uml/testresults4/ikev2/shunt-policies/index.html> and https://www.strongswan.org/uml/testresults5/ikev2/shunt-policies-nat-rw/index.html <https://www.strongswan.org/uml/testresults5/ikev2/shunt-policies-nat-rw/index.html>) they look nearly the same. But I actually cannot figure out why I cannot connect to 10.1.13.1

So is there a bug around or do I overlook something in my configuration.

Thanks in advance!

Kind regards
Christian
Noel Kuntze
2015-09-03 19:17:58 UTC
Permalink
Hello Christian,

Make sure that any NAT rules don't break the tunnel,
that your routes on any hosts don't route traffic anywhere else
and stop using overlapping subnets, if you can.
- --

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Christian Hanster
2015-09-04 15:38:47 UTC
Permalink
Hi Noel,

unfortunately I cannot stop using overlapping subnets because the idea is to route the whole internet traffic. I only took other subnets to reduce the complexity a little bit. Actually I have now taken the log a little bit under investigation and it seems that the passthrough-connection is not installed right:
received stroke: add connection 'passthrough'
Sep 4 17:15:26 pceapu-2 charon: 09[CFG] left nor right host is our side, assuming left=local
Sep 4 17:15:26 pceapu-2 charon: 09[CFG] added configuration 'passthrough'
Sep 4 17:15:26 pceapu-2 charon: 10[CFG] received stroke: route 'passthrough'
Sep 4 17:15:26 pceapu-2 charon: 10[KNL] unable to install source route for 10.1.13.1

What I do not understand is, why it is not possible to determine our side because there is only one interface with 10.1.13.0/24. What I now take to consideration is that perhaps strongswan cannot handle this new naming of interfaces. On this router the interfaces are named like p4p1 and p5p1. That I actually do not know. Do you know more?

OS: Ubuntu 14.04 and strongswan 5.1.2.

Kind regards or viele GrÌße :)
Christian Hanster
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello Christian,
Make sure that any NAT rules don't break the tunnel,
that your routes on any hosts don't route traffic anywhere else
and stop using overlapping subnets, if you can.
- --
Mit freundlichen GrÌßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJV6JzlAAoJEDg5KY9j7GZYyKEQAJy0lN588igPKNjFGoKBHmd9
sMrbjG5YRfP57azZk3xVJfR0el6fr/WgOVo7zdIjK137eVPfpfyHggpgj+WMlyy1
+P69PoxjK1biZ8c4sJ3tAX7DXcDsr3a/Kge8FW71ETBixQM29XBG7d9s23sIwEss
rdMCwVDvwH2KiYojOgBTNhYQT07Vfe3y0ZTGJswfuMcW+v3FeqKJoLlVFJRqnV55
AB7vFtPZ0CW9xx1ATG/tQfQroy4Efx+ykBdvawnF5Iw6eU8yTQGgSv5Oi1LxlBOJ
2P7jTRaFrWCSm1WiaYriB2Tz57H47NwekCOVJ+t8IxALvPJn1v4hRzMbRF8aCCak
gG7RBW5+iueD5RAg2IhF3vHOaaDqrxhs289olIjHiDRfaEzVJYWFMJQBCEV1e+9R
J4lQCT7rp29kOdPFxTuOU9RpC1yqRKDW/qz8TFXgP6SgEuO3w/Ft264iyYmQrP1Z
utKlPiDhx0H+JXD5I6zhOxjhkPuFqeTX5xUsN40VQ88pLK0ZujP/9W7hbdb5mWkA
Uks3O0J2WHU7Wz059R/wXkv2PJS762uG8KwSXcY41rcmvToNH3enjlsApqgWfhBo
yA1iX4q8X4bylTRTAq8Ozt2HeA5ddV0QpumJ9ssQvS43udJHjOzuZWDrJDyZ2C2o
rKoU8F0kofHBGlaviS+C
=onju
-----END PGP SIGNATURE-----
Noel Kuntze
2015-09-04 16:14:00 UTC
Permalink
Hello Christian,

Your problem is probably _not_ the passthrough connection.
Your problem is that either firewall rules or kernel settings prevent traffic from flowing.
Read the tutorial for forwarding and split tunneling[1].

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

- --

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Christian Hanster
2015-09-04 16:28:23 UTC
Permalink
Hi Noel,

thank you for your fast response. I actually read this article and also understood the content but that is not the actual problem I am facing. However perhaps I did not described the problem good enough. So give me another try:
I have a VPN-Gateway with a local subnet of 10.1.13.0/24 and IP 10.1.13.1. Than this Gateway should connect with another subnet (10.1.0.0/16) via strongswan. The problem now is that clients in the local lan (10.1.13.0/24) should can ping the gateway at 10.1.13.1 but that is not working at the moment. For me it seems to be the passthrough connection…

Kind regards
Christian Hanster
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello Christian,
Your problem is probably _not_ the passthrough connection.
Your problem is that either firewall rules or kernel settings prevent traffic from flowing.
Read the tutorial for forwarding and split tunneling[1].
[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
- --
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJV6cNGAAoJEDg5KY9j7GZY6awP/0yQALdAyoAQM9EqZqGVamr9
kbb4UaoTOuia+LrjLn19+w5oLZbo0FCViil1+75HiVuIkb8aolfzqaFbfTH4+gkm
o6toI3sUStgIlnXvsNWnCvY6shX2bz4vRAMLRAiSmIX3rd1wu+NLK+NNOEr3gE73
iMbwtBmp6hr3pM7OWskWzkhjHAfT04V2Vy2KINXSYWfPB/s3xFljsYTgIz86HbOG
4ZP0s3tgFHx3rhtcV950H+GWI4Kdy9VgKptuSWb4e0J2rTr3ZS/85TQacmipPbbj
L9LBBsD0SudUmrXiJBAWFc0SX7eDtE2lzeJH6yrtlOWk4DbKUtWJQPenzMQofgk5
AlW1vleprJJQDPphYxtr65BxcTMnKEbZdf7DcC8yW2PE2FxCBfAqi68mBoKyX38W
QIBgRDrcLqF+mhUeKTCa2PbgboweExqry/kBNIA87r6wnSXHAB8MUUmRmZJWG3UD
6BbQyurN0YEU66VDnhLEA44biYjUnLvM5yBgt62zoyDkluU0NJRlwU1bcUDrWg/x
FPu+aiQHxEzWFJLnA1AAEdt8vTeqLhyVFm1BzSohxObvQu3VNL1MTN5IEWUtTySd
uCdYU3gFmgff1DsajNy05MokTwoj+nFEH9TOIdfxgbirJuxLOWT+BMpjgwjkJVJr
fnAoeh1lO2jMwQkdlubp
=JEle
-----END PGP SIGNATURE-----
Noel Kuntze
2015-09-04 17:34:33 UTC
Permalink
Hello Christian,

I doubt that. A passthrough policy tells the XFRM part of the kernel to *not* do any IPsec processing
for the matching packets. That means that it does *not* touch the packets. The *only* thing a passthrough policy
in strongSwan does is install passthrough policies into the SPD.
Post by Christian Hanster
I have a VPN-Gateway with a local subnet of 10.1.13.0/24 and IP 10.1.13.1. Than this Gateway should
connect with another subnet (10.1.0.0/16) via strongswan. The problem now is that clients in the local
lan (10.1.13.0/24) should can ping the gateway at 10.1.13.1 but > that is not working at the moment.
For me it seems to be the passthrough connection…
Can you reach the other hosts using DPD?
Make sure that your firewall rules don't drop or reject the packets.

- --

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Noel Kuntze
2015-09-04 17:35:04 UTC
Permalink
Sorry, meant ARP, not DPD.
arping -I eth0 -D <IP>

- --

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Christian Hanster
2015-09-04 17:51:30 UTC
Permalink
Hello Noel,

the arping is working:
arping -I p5p1 -D 10.1.13.100
ARPING 10.1.13.100 from 0.0.0.0 p5p1
Unicast reply from 10.1.13.100 [00:25:4B:CD:F4:64] 0.984ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)

In the meantime I have completely reinstalled the Gateway with a fresh Ubuntu 14.04. That did not solve the problem. Than I changed the log level of charon and there is something really strange:

received stroke: add connection 'passthrough'
Sep 4 19:38:55 pceapu-2 charon: 08[CFG] left nor right host is our side, assuming left=local
Sep 4 19:38:55 pceapu-2 charon: 08[CFG] added configuration 'passthrough'
Sep 4 19:38:55 pceapu-2 charon: 10[CFG] received stroke: route 'passthrough'
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 === 10.1.13.0/24 out (mark 0/0x00000000)
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 === 10.1.13.0/24 in (mark 0/0x00000000)
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 === 10.1.13.0/24 fwd (mark 0/0x00000000)
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] getting a local address in traffic selector 10.1.13.0/24
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] using host 10.1.13.1
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] using 192.168.1.1 as nexthop to reach %any
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] 10.1.13.1 is on interface p5p1
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] installing route: 10.1.13.0/24 via 192.168.1.1 src 10.1.13.1 dev p5p1
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] getting iface index for p5p1
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] received netlink error: Network is unreachable (101)
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] unable to install source route for 10.1.13.1

For me it seems like a bug that Strongswan wants to add a route with a next hop in a passthrough connection. At the moment I’m not completely but it seems to produce the error because this route does not makes in my eyes any sense as 192.168.1.1 is reachable via p4p1 interface.

Kind regards
Christian Hanster
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Sorry, meant ARP, not DPD.
arping -I eth0 -D <IP>
- --
Mit freundlichen GrÌßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJV6dZHAAoJEDg5KY9j7GZY2/4P+wQsKYoPaYesMCkTGzvlmy4O
R4Hq7TLsVekuBakLxxptrt3IE8T2XvTaV2wp16qtIul45SGwHH+34W3RD0IeQJEf
8jc3kmuxdeszi9xVxo4HUDf72aBtZOos1v6Wt8UT30Syf2IBLPD1tdSUdlVIrX5X
5EVG0/AukWHf0aAZXHi41V6H7wBd6UTd1P9i828OFzYx/4Nz06OK7RR2qV1jPP/g
6Bgap0BnfxIc47Hs8CEZWtEMVQaCWfzCSEFAjsyymVNUZVnh2Tt4xRDJPPqoGGmQ
yoailqdIspZ3AeYmYzcC85/nRCKrjmdTcFXaJ5crEYQ9frjzcIQJ/f+qHLy5d9+J
7JLVoEnFPBr2KwUqSJWlt0PhOwfnd4N5D3X5buwNl6+rBpfjgAjKZTvHWMeBc3IB
OJ2V+0TWb1J+5C2wJaH70MhK6QE5hXFNfg7hGmpGOIGybFksJ2hmnZtN2iuudKaH
sHapGdwMMQg3noVJPiZ7jDRVQM4sSuW/7TlrxGLOi+ghLFH9HL8zdQYSU1NmQSC8
v15QmJ+1LMBB/x6gct7yZRci8NtA6fjxK3tMMi9ocqeMES4ix1TA25eFrN+V9mtP
4K8SM3CJVf3cXTZK+99T9tnq2/raCsw5X57WXxjSZTGh/+F8k4O3pK8w16FJXfvM
b2+VSGM+vzncYRH7QZFw
=PFQz
-----END PGP SIGNATURE-----
Noel Kuntze
2015-09-04 17:53:31 UTC
Permalink
Hello Christian,

What does your main routing table look like? Do you use policy based routing?
$ ip route
AFAIK strongSwan parses the main table and maintains
its own table 220 to install rules and handle routing to remote subnets.


- --

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Christian Hanster
2015-09-04 18:01:58 UTC
Permalink
So the routing tables look like this:

sudo ip rule list
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default

sudo ip route list table 220
10.1.0.0/16 via 192.168.1.1 dev p4p1 proto static src 10.1.13.1

ip route //that is the same as "ip route list table main” So this won’t be consulted when 10.1.13.0/24 packets are managed
default via 192.168.1.1 dev p4p1
10.1.13.0/24 dev p5p1 proto kernel scope link src 10.1.13.1
192.168.1.0/24 dev p4p1 proto kernel scope link src 192.168.1.162

So why shouldn’t I use policy based routing? I did not change anything like this


Kind regards
Christian Hanster
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello Christian,
What does your main routing table look like? Do you use policy based routing?
$ ip route
AFAIK strongSwan parses the main table and maintains
its own table 220 to install rules and handle routing to remote subnets.
- --
Mit freundlichen GrÌßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJV6dqZAAoJEDg5KY9j7GZYPlQP/2lVUv1dGheOgPFk4IX6OCBg
U1eNYiBdZSBBBJyQ6/xNnSbkODeXRKOm6FzhXpv4EjuIJyWwM4PCAiIhdxTdYxZp
7lzksraJI5OfF7kJbVMsdN7ESmnk3SN25DJCh/OZNy28XL9YR0ckFyAyVL5X+sNJ
wKAep4XAYkKsvZTsqwm+XvWmkTTLuUwufKKY6PLcqhS8Burt3WoiEkUYluz5b/is
96G58Gpd7H2MbALyg5gpKKRC3fgTF7dlOL49Ozlm5p59wXQcTl0CaXAfz4axnLHt
Ezo/1pzhEVbyOzBZpsVfcwR1Iki3jW1Tl7miVoKeTfr6XGfUvS2s81xQ9JdRfK1z
AVcb+y0CG304BI+/WlV2gJJKqp0QrKMtboHGQXaHc5wtXqiQB+9uwOQIath9939i
zQmnlysYAaveLOFI6/LohijCsE3lOcqWcWQ5KXaMk3nbGIiqg88Gl3uri90beQgW
RDx6Tepnir1GkMlK703GWG9N8DIzp92sUJjU9p9e0Ud0jL9LzNCNU8rfWIYkiDH4
hhi8WSkHD5vN9XF3B3e0koH+c5ola64oWMQaVQD2V0fCTGS3ZNRKaZ0NF4d4kQzE
ESvgKr8Dj/5HWmuHb8ULpxkMlReqcj+GhsxX7/5CBTUl2HgJsglLJPtPtqzjh2Ob
oN6W/r5gHMU0UUDpFHhY
=QNVc
-----END PGP SIGNATURE-----
Randy Wyatt
2015-09-04 18:06:18 UTC
Permalink
I may be completely wrong here, but isn't a passthrough route for one side
of the connection only. For example, It would allow you to contact
10.1.13.0/24 from only side B of the connection. A passthrough route is
not meant to travel through both sides of the tunnel.

You have overlapping networks, I would reduse the size of 10.1.0.0/16 to
what you actually need it to be or change 10.1.13.0 to be a different
network.
Post by Christian Hanster
sudo ip rule list
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
sudo ip route list table 220
10.1.0.0/16 via 192.168.1.1 dev p4p1 proto static src 10.1.13.1
ip route //that is the same as "ip route list table main” So this won’t be
consulted when 10.1.13.0/24 packets are managed
default via 192.168.1.1 dev p4p1
10.1.13.0/24 dev p5p1 proto kernel scope link src 10.1.13.1
192.168.1.0/24 dev p4p1 proto kernel scope link src 192.168.1.162
So why shouldn’t I use policy based routing? I did not change anything like this

Kind regards
Christian Hanster
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello Christian,
What does your main routing table look like? Do you use policy based routing?
$ ip route
AFAIK strongSwan parses the main table and maintains
its own table 220 to install rules and handle routing to remote subnets.
- --
Mit freundlichen GrÌßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJV6dqZAAoJEDg5KY9j7GZYPlQP/2lVUv1dGheOgPFk4IX6OCBg
U1eNYiBdZSBBBJyQ6/xNnSbkODeXRKOm6FzhXpv4EjuIJyWwM4PCAiIhdxTdYxZp
7lzksraJI5OfF7kJbVMsdN7ESmnk3SN25DJCh/OZNy28XL9YR0ckFyAyVL5X+sNJ
wKAep4XAYkKsvZTsqwm+XvWmkTTLuUwufKKY6PLcqhS8Burt3WoiEkUYluz5b/is
96G58Gpd7H2MbALyg5gpKKRC3fgTF7dlOL49Ozlm5p59wXQcTl0CaXAfz4axnLHt
Ezo/1pzhEVbyOzBZpsVfcwR1Iki3jW1Tl7miVoKeTfr6XGfUvS2s81xQ9JdRfK1z
AVcb+y0CG304BI+/WlV2gJJKqp0QrKMtboHGQXaHc5wtXqiQB+9uwOQIath9939i
zQmnlysYAaveLOFI6/LohijCsE3lOcqWcWQ5KXaMk3nbGIiqg88Gl3uri90beQgW
RDx6Tepnir1GkMlK703GWG9N8DIzp92sUJjU9p9e0Ud0jL9LzNCNU8rfWIYkiDH4
hhi8WSkHD5vN9XF3B3e0koH+c5ola64oWMQaVQD2V0fCTGS3ZNRKaZ0NF4d4kQzE
ESvgKr8Dj/5HWmuHb8ULpxkMlReqcj+GhsxX7/5CBTUl2HgJsglLJPtPtqzjh2Ob
oN6W/r5gHMU0UUDpFHhY
=QNVc
-----END PGP SIGNATURE-----
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
Christian Hanster
2015-09-04 18:12:42 UTC
Permalink
I think I solved the problem. It was really a problem in the routing table.

When I add a rule like this:
sudo ip route add 10.1.13.0/24 proto static dev p5p1 src 10.1.13.1 table 220

It’s working like a charm. Because this is also the route strong swan wants to add and is failing (according to the log, this might be a bug?!). So should I fill a bug report?

Kind regards
Christian
Post by Christian Hanster
sudo ip rule list
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
sudo ip route list table 220
10.1.0.0/16 via 192.168.1.1 dev p4p1 proto static src 10.1.13.1
ip route //that is the same as "ip route list table main” So this won’t be consulted when 10.1.13.0/24 packets are managed
default via 192.168.1.1 dev p4p1
10.1.13.0/24 dev p5p1 proto kernel scope link src 10.1.13.1
192.168.1.0/24 dev p4p1 proto kernel scope link src 192.168.1.162
So why shouldn’t I use policy based routing? I did not change anything like this

Kind regards
Christian Hanster
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello Christian,
What does your main routing table look like? Do you use policy based routing?
$ ip route
AFAIK strongSwan parses the main table and maintains
its own table 220 to install rules and handle routing to remote subnets.
- --
Mit freundlichen GrÌßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJV6dqZAAoJEDg5KY9j7GZYPlQP/2lVUv1dGheOgPFk4IX6OCBg
U1eNYiBdZSBBBJyQ6/xNnSbkODeXRKOm6FzhXpv4EjuIJyWwM4PCAiIhdxTdYxZp
7lzksraJI5OfF7kJbVMsdN7ESmnk3SN25DJCh/OZNy28XL9YR0ckFyAyVL5X+sNJ
wKAep4XAYkKsvZTsqwm+XvWmkTTLuUwufKKY6PLcqhS8Burt3WoiEkUYluz5b/is
96G58Gpd7H2MbALyg5gpKKRC3fgTF7dlOL49Ozlm5p59wXQcTl0CaXAfz4axnLHt
Ezo/1pzhEVbyOzBZpsVfcwR1Iki3jW1Tl7miVoKeTfr6XGfUvS2s81xQ9JdRfK1z
AVcb+y0CG304BI+/WlV2gJJKqp0QrKMtboHGQXaHc5wtXqiQB+9uwOQIath9939i
zQmnlysYAaveLOFI6/LohijCsE3lOcqWcWQ5KXaMk3nbGIiqg88Gl3uri90beQgW
RDx6Tepnir1GkMlK703GWG9N8DIzp92sUJjU9p9e0Ud0jL9LzNCNU8rfWIYkiDH4
hhi8WSkHD5vN9XF3B3e0koH+c5ola64oWMQaVQD2V0fCTGS3ZNRKaZ0NF4d4kQzE
ESvgKr8Dj/5HWmuHb8ULpxkMlReqcj+GhsxX7/5CBTUl2HgJsglLJPtPtqzjh2Ob
oN6W/r5gHMU0UUDpFHhY
=QNVc
-----END PGP SIGNATURE-----
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
Randy Wyatt
2015-09-04 18:17:02 UTC
Permalink
I don't think so being you are using an invalid network configuration. You
have the same network on both sides of the tunnel. By definition, a
passthrough shouldn't go through the tunnel at all.
Post by Christian Hanster
I think I solved the problem. It was really a problem in the routing table.
sudo ip route add 10.1.13.0/24 proto static dev p5p1 src 10.1.13.1 table 220
It’s working like a charm. Because this is also the route strong swan
wants to add and is failing (according to the log, this might be a bug?!).
So should I fill a bug report?
Kind regards
Christian
sudo ip rule list
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
sudo ip route list table 220
10.1.0.0/16 via 192.168.1.1 dev p4p1 proto static src 10.1.13.1
ip route //that is the same as "ip route list table main” So this won’t be
consulted when 10.1.13.0/24 packets are managed
default via 192.168.1.1 dev p4p1
10.1.13.0/24 dev p5p1 proto kernel scope link src 10.1.13.1
192.168.1.0/24 dev p4p1 proto kernel scope link src 192.168.1.162
So why shouldn’t I use policy based routing? I did not change anything like this

Kind regards
Christian Hanster
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello Christian,
What does your main routing table look like? Do you use policy based routing?
$ ip route
AFAIK strongSwan parses the main table and maintains
its own table 220 to install rules and handle routing to remote subnets.
- --
Mit freundlichen GrÌßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJV6dqZAAoJEDg5KY9j7GZYPlQP/2lVUv1dGheOgPFk4IX6OCBg
U1eNYiBdZSBBBJyQ6/xNnSbkODeXRKOm6FzhXpv4EjuIJyWwM4PCAiIhdxTdYxZp
7lzksraJI5OfF7kJbVMsdN7ESmnk3SN25DJCh/OZNy28XL9YR0ckFyAyVL5X+sNJ
wKAep4XAYkKsvZTsqwm+XvWmkTTLuUwufKKY6PLcqhS8Burt3WoiEkUYluz5b/is
96G58Gpd7H2MbALyg5gpKKRC3fgTF7dlOL49Ozlm5p59wXQcTl0CaXAfz4axnLHt
Ezo/1pzhEVbyOzBZpsVfcwR1Iki3jW1Tl7miVoKeTfr6XGfUvS2s81xQ9JdRfK1z
AVcb+y0CG304BI+/WlV2gJJKqp0QrKMtboHGQXaHc5wtXqiQB+9uwOQIath9939i
zQmnlysYAaveLOFI6/LohijCsE3lOcqWcWQ5KXaMk3nbGIiqg88Gl3uri90beQgW
RDx6Tepnir1GkMlK703GWG9N8DIzp92sUJjU9p9e0Ud0jL9LzNCNU8rfWIYkiDH4
hhi8WSkHD5vN9XF3B3e0koH+c5ola64oWMQaVQD2V0fCTGS3ZNRKaZ0NF4d4kQzE
ESvgKr8Dj/5HWmuHb8ULpxkMlReqcj+GhsxX7/5CBTUl2HgJsglLJPtPtqzjh2Ob
oN6W/r5gHMU0UUDpFHhY
=QNVc
-----END PGP SIGNATURE-----
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
Noel Kuntze
2015-09-04 18:25:27 UTC
Permalink
A passthrough policy always only applies to the local host.
It's completely okay to use overlapping subnets, because the tunnel doesn't work like a normal route.
It's source AND Destination based routing. If you apply a passthrough policy for local traffic in your LAN, then it will work.
The purpose of a passthrough policy is to *explicitely* tell the IPsec stack to *not* do any IPsec processing on certain packets.
The use case of Christian is *exactly* what it's for.

- --

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Randy Wyatt
2015-09-04 18:28:44 UTC
Permalink
Then why would a passthrough be passed the tunnel. Passthrough policies
are for the local lan only. I will wait for more of an expert to comment.
I am willing to accept if I am wrong.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
A passthrough policy always only applies to the local host.
It's completely okay to use overlapping subnets, because the tunnel
doesn't work like a normal route.
It's source AND Destination based routing. If you apply a passthrough
policy for local traffic in your LAN, then it will work.
The purpose of a passthrough policy is to *explicitely* tell the IPsec
stack to *not* do any IPsec processing on certain packets.
The use case of Christian is *exactly* what it's for.
- --
Mit freundlichen GrÌßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJV6eIXAAoJEDg5KY9j7GZYu/IP/AtkpY7UsCf3fx6nSpCxiBWK
ZJJ1Ip2vaHFnUSDdqvYlkj09m1Cumzo5MRoBZ8NrbdBaftsCrBkBCtyhcwYbPnfC
ykdqXSH5eQID/BL9qXfYOQhS+llYo1tpW1WgNX4/9mfU/VHpnQ059iWSyO47JxoR
IgPPuNtkk2q88LWoG4h3QCdws+XG0ui+AG1WIX9pdQ1hror3+Q19rKBRVsJ3paqJ
msx7A3ZaHa62CQ9iq4ruGaVUR+17ZgGg9G80vjapb1mgnvk0yDQycL3cz+ANm4cH
HPIZqbc/JvJgcpF1iTVS5ToIrznvXUtaBFIgYLqTqDawyssDe3ly1Jt27+pN0t9V
CkPCKljoSHMOnZChhxJRyAo8gRxSmBhbETedt7blBQ8CrNaFGVpZw4K2RE5/nCub
MA1wCbqmXl5hcuAyLLYL2izdsXvZtmUeyARBWkVf12J4Z1m4DHl1iMfTgxma/G0n
NlTXWXJg7MbaKiPLmmxRn95/rXZoRhTk4ihfiVIKOvBuGIAVBb/u+9NJUax3veHS
rNdTs4wLgW28Ey6elyAukWIGSO6m75W9fONsBSYFldQw1Ktz04bqoZbAA57QisF2
ZuE8RV/vD2+yp02/F4b5XS0oELFGh6QDJjVTjaVHRGYno18Eluspz7/4rF357KIk
9FBnWOIWPB1oerb44xWS
=n/f1
-----END PGP SIGNATURE-----
Noel Kuntze
2015-09-04 18:32:55 UTC
Permalink
It doesn't get passed through a tunnel.
Christian's networks use distinct subnets, but they are all in the 10.1.0.0/16 range.
He uses 10.1.13.0/24 in the "local" part of the tunnel, but *all* the other subnets of 10.1.0.0/16 are on the remote side.
Of course, he could define CHILD_SAs for every subnet in use on the other side, but I figure he's too lazy for that.

- --

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Christian Hanster
2015-09-04 18:37:25 UTC
Permalink
Perhaps I’m too lazy but as I mentioned earlier, the main idea is to route all traffic (0.0.0.0/0) through the tunnel and then passthrough is the only option possible ;-)

Kind regards
Christian
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
It doesn't get passed through a tunnel.
Christian's networks use distinct subnets, but they are all in the 10.1.0.0/16 range.
He uses 10.1.13.0/24 in the "local" part of the tunnel, but *all* the other subnets of 10.1.0.0/16 are on the remote side.
Of course, he could define CHILD_SAs for every subnet in use on the other side, but I figure he's too lazy for that.
- --
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJV6ePXAAoJEDg5KY9j7GZYz1kP/jvRJqZlTTmJ4mlHyWXyeqtZ
UNBeKaZAft/ZdBP9tKZAYuv4P/YjUD2Dgq5l35aZbqZloV4ZMuj5AIm7b4Sslose
VmRhONB2H7um7bjLapZtG4/w8ELRMZIex3T7Jep0+rXQAudRQuaxLDQAk0mSYBrD
3KtW12n9g17DrGcHAO7XlmM4FG/TgUeIN/Y6ZPpbPN/fYGFCNDo8pMHhG6DaMW/N
LtpgeygKzpyXkIQu6E46jdjIT7iyc34+tFOnnJtn7+oPi/vKU9+z8JNYb8A/BdhI
sJn7n4riZiJpaQGrfgdMFrYcZ1nW9aSaV6YW/qa4HcUqfRmBvsDDduIHBTKmlgcT
n7mLTJ++HzLStZ4sHljdoY6cFjO+zUpaIkgaWJrOa0mKcyEUyOVRcB0/cgv/i2rl
5irI56M6w664ZSYVsl1jpOWmqbfUO3RF4fU5xE1TLEwImlR4kSPFUU0gsQpdKsws
eY7ZGBCN5qLmOHDOgs9zkIzaLVATova+PpjuPAzkkj4EO0ldN9s51aka5mnsq+xY
norqd8myD0nNguC8L+tYLafXuR0ldRrhLiti8BSA2I0g01bjRWdwSgntaCVLtwvL
DjCgaKOfWBgQWE0TcQUR//myuaeR3R6tKOALd48t/RFP6kaQ3lCcE/3qc2nl4+zq
dnqP+YXetzNl3+HCwWB2
=D7Ni
-----END PGP SIGNATURE-----
Christian Hanster
2015-09-04 18:33:57 UTC
Permalink
Noel is right in this case. I set up something similar with openswan some time ago. I do not want to route my local network traffic through the tunnel. Therefore I need a passthrough connection. Perhaps you misunderstood that


@Noel: I will later search the bug database and if needed fill a bug report.

Kind regards
Christian Hanster
Then why would a passthrough be passed the tunnel. Passthrough policies are for the local lan only. I will wait for more of an expert to comment.
I am willing to accept if I am wrong.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
A passthrough policy always only applies to the local host.
It's completely okay to use overlapping subnets, because the tunnel doesn't work like a normal route.
It's source AND Destination based routing. If you apply a passthrough policy for local traffic in your LAN, then it will work.
The purpose of a passthrough policy is to *explicitely* tell the IPsec stack to *not* do any IPsec processing on certain packets.
The use case of Christian is *exactly* what it's for.
- --
Mit freundlichen GrÌßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJV6eIXAAoJEDg5KY9j7GZYu/IP/AtkpY7UsCf3fx6nSpCxiBWK
ZJJ1Ip2vaHFnUSDdqvYlkj09m1Cumzo5MRoBZ8NrbdBaftsCrBkBCtyhcwYbPnfC
ykdqXSH5eQID/BL9qXfYOQhS+llYo1tpW1WgNX4/9mfU/VHpnQ059iWSyO47JxoR
IgPPuNtkk2q88LWoG4h3QCdws+XG0ui+AG1WIX9pdQ1hror3+Q19rKBRVsJ3paqJ
msx7A3ZaHa62CQ9iq4ruGaVUR+17ZgGg9G80vjapb1mgnvk0yDQycL3cz+ANm4cH
HPIZqbc/JvJgcpF1iTVS5ToIrznvXUtaBFIgYLqTqDawyssDe3ly1Jt27+pN0t9V
CkPCKljoSHMOnZChhxJRyAo8gRxSmBhbETedt7blBQ8CrNaFGVpZw4K2RE5/nCub
MA1wCbqmXl5hcuAyLLYL2izdsXvZtmUeyARBWkVf12J4Z1m4DHl1iMfTgxma/G0n
NlTXWXJg7MbaKiPLmmxRn95/rXZoRhTk4ihfiVIKOvBuGIAVBb/u+9NJUax3veHS
rNdTs4wLgW28Ey6elyAukWIGSO6m75W9fONsBSYFldQw1Ktz04bqoZbAA57QisF2
ZuE8RV/vD2+yp02/F4b5XS0oELFGh6QDJjVTjaVHRGYno18Eluspz7/4rF357KIk
9FBnWOIWPB1oerb44xWS
=n/f1
-----END PGP SIGNATURE-----
Noel Kuntze
2015-09-04 18:18:26 UTC
Permalink
Hello Christian,

Yes, please. Search through the tracker first, though.
- --

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Randy Wyatt
2015-09-04 17:54:10 UTC
Permalink
Isn't there a problem that you are adding overlapping routes? 10.1.0.0/16
covers 10.1.13.0/24. I think you need a MAST stack for this.
Post by Christian Hanster
Hello Noel,
arping -I p5p1 -D 10.1.13.100
ARPING 10.1.13.100 from 0.0.0.0 p5p1
Unicast reply from 10.1.13.100 [00:25:4B:CD:F4:64] 0.984ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
In the meantime I have completely reinstalled the Gateway with a fresh
Ubuntu 14.04. That did not solve the problem. Than I changed the log level
received stroke: add connection 'passthrough'
Sep 4 19:38:55 pceapu-2 charon: 08[CFG] left nor right host is our side,
assuming left=local
Sep 4 19:38:55 pceapu-2 charon: 08[CFG] added configuration 'passthrough'
Sep 4 19:38:55 pceapu-2 charon: 10[CFG] received stroke: route 'passthrough'
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 ===
10.1.13.0/24 out (mark 0/0x00000000)
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 ===
10.1.13.0/24 in (mark 0/0x00000000)
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 ===
10.1.13.0/24 fwd (mark 0/0x00000000)
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] getting a local address in
traffic selector 10.1.13.0/24
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] using host 10.1.13.1
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] using 192.168.1.1 as nexthop to reach %any
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] 10.1.13.1 is on interface p5p1
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] installing route: 10.1.13.0/24
via 192.168.1.1 src 10.1.13.1 dev p5p1
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] getting iface index for p5p1
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] received netlink error: Network
is unreachable (101)
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] unable to install source route for 10.1.13.1
For me it seems like a bug that Strongswan wants to add a route with a
next hop in a passthrough connection. At the moment I’m not completely but
it seems to produce the error because this route does not makes in my eyes
any sense as 192.168.1.1 is reachable via p4p1 interface.
Kind regards
Christian Hanster
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Sorry, meant ARP, not DPD.
arping -I eth0 -D <IP>
- --
Mit freundlichen GrÌßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJV6dZHAAoJEDg5KY9j7GZY2/4P+wQsKYoPaYesMCkTGzvlmy4O
R4Hq7TLsVekuBakLxxptrt3IE8T2XvTaV2wp16qtIul45SGwHH+34W3RD0IeQJEf
8jc3kmuxdeszi9xVxo4HUDf72aBtZOos1v6Wt8UT30Syf2IBLPD1tdSUdlVIrX5X
5EVG0/AukWHf0aAZXHi41V6H7wBd6UTd1P9i828OFzYx/4Nz06OK7RR2qV1jPP/g
6Bgap0BnfxIc47Hs8CEZWtEMVQaCWfzCSEFAjsyymVNUZVnh2Tt4xRDJPPqoGGmQ
yoailqdIspZ3AeYmYzcC85/nRCKrjmdTcFXaJ5crEYQ9frjzcIQJ/f+qHLy5d9+J
7JLVoEnFPBr2KwUqSJWlt0PhOwfnd4N5D3X5buwNl6+rBpfjgAjKZTvHWMeBc3IB
OJ2V+0TWb1J+5C2wJaH70MhK6QE5hXFNfg7hGmpGOIGybFksJ2hmnZtN2iuudKaH
sHapGdwMMQg3noVJPiZ7jDRVQM4sSuW/7TlrxGLOi+ghLFH9HL8zdQYSU1NmQSC8
v15QmJ+1LMBB/x6gct7yZRci8NtA6fjxK3tMMi9ocqeMES4ix1TA25eFrN+V9mtP
4K8SM3CJVf3cXTZK+99T9tnq2/raCsw5X57WXxjSZTGh/+F8k4O3pK8w16FJXfvM
b2+VSGM+vzncYRH7QZFw
=PFQz
-----END PGP SIGNATURE-----
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
Christian Hanster
2015-09-04 18:03:26 UTC
Permalink
So what’s that a MAST stack? Can you explain it to me?

Thanks :)
Isn't there a problem that you are adding overlapping routes? 10.1.0.0/16 <http://10.1.0.0/16> covers 10.1.13.0/24 <http://10.1.13.0/24>. I think you need a MAST stack for this.
Hello Noel,
arping -I p5p1 -D 10.1.13.100
ARPING 10.1.13.100 from 0.0.0.0 p5p1
Unicast reply from 10.1.13.100 [00:25:4B:CD:F4:64] 0.984ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
received stroke: add connection 'passthrough'
Sep 4 19:38:55 pceapu-2 charon: 08[CFG] left nor right host is our side, assuming left=local
Sep 4 19:38:55 pceapu-2 charon: 08[CFG] added configuration 'passthrough'
Sep 4 19:38:55 pceapu-2 charon: 10[CFG] received stroke: route 'passthrough'
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 <http://10.1.13.0/24> === 10.1.13.0/24 <http://10.1.13.0/24> out (mark 0/0x00000000)
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 <http://10.1.13.0/24> === 10.1.13.0/24 <http://10.1.13.0/24> in (mark 0/0x00000000)
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 <http://10.1.13.0/24> === 10.1.13.0/24 <http://10.1.13.0/24> fwd (mark 0/0x00000000)
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] getting a local address in traffic selector 10.1.13.0/24 <http://10.1.13.0/24>
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] using host 10.1.13.1
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] using 192.168.1.1 as nexthop to reach %any
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] 10.1.13.1 is on interface p5p1
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] installing route: 10.1.13.0/24 <http://10.1.13.0/24> via 192.168.1.1 src 10.1.13.1 dev p5p1
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] getting iface index for p5p1
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] received netlink error: Network is unreachable (101)
Sep 4 19:38:55 pceapu-2 charon: 10[KNL] unable to install source route for 10.1.13.1
For me it seems like a bug that Strongswan wants to add a route with a next hop in a passthrough connection. At the moment I’m not completely but it seems to produce the error because this route does not makes in my eyes any sense as 192.168.1.1 is reachable via p4p1 interface.
Kind regards
Christian Hanster
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Sorry, meant ARP, not DPD.
arping -I eth0 -D <IP>
- --
Mit freundlichen GrÌßen/Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJV6dZHAAoJEDg5KY9j7GZY2/4P+wQsKYoPaYesMCkTGzvlmy4O
R4Hq7TLsVekuBakLxxptrt3IE8T2XvTaV2wp16qtIul45SGwHH+34W3RD0IeQJEf
8jc3kmuxdeszi9xVxo4HUDf72aBtZOos1v6Wt8UT30Syf2IBLPD1tdSUdlVIrX5X
5EVG0/AukWHf0aAZXHi41V6H7wBd6UTd1P9i828OFzYx/4Nz06OK7RR2qV1jPP/g
6Bgap0BnfxIc47Hs8CEZWtEMVQaCWfzCSEFAjsyymVNUZVnh2Tt4xRDJPPqoGGmQ
yoailqdIspZ3AeYmYzcC85/nRCKrjmdTcFXaJ5crEYQ9frjzcIQJ/f+qHLy5d9+J
7JLVoEnFPBr2KwUqSJWlt0PhOwfnd4N5D3X5buwNl6+rBpfjgAjKZTvHWMeBc3IB
OJ2V+0TWb1J+5C2wJaH70MhK6QE5hXFNfg7hGmpGOIGybFksJ2hmnZtN2iuudKaH
sHapGdwMMQg3noVJPiZ7jDRVQM4sSuW/7TlrxGLOi+ghLFH9HL8zdQYSU1NmQSC8
v15QmJ+1LMBB/x6gct7yZRci8NtA6fjxK3tMMi9ocqeMES4ix1TA25eFrN+V9mtP
4K8SM3CJVf3cXTZK+99T9tnq2/raCsw5X57WXxjSZTGh/+F8k4O3pK8w16FJXfvM
b2+VSGM+vzncYRH7QZFw
=PFQz
-----END PGP SIGNATURE-----
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users <https://lists.strongswan.org/mailman/listinfo/users>
Loading...