Discussion:
[strongSwan] Simple road warrior setup no longer routing after upgrade
James Lay
2018-07-24 11:38:17 UTC
Permalink
Hey all,
So I moved to Strongswan 5.6.2 during a distribution upgrade. My
simple setup no longer routes back to the client (I can see the
incoming pings on the server, but nothing goes back). I establish a
tunnel fine...my setup looks like this:

external_IP_nic2 <-> 192.168.1.1_nic2 192.168.1.0/24 subnet
all I need is to have a connected device able to access
192.168.1.1...and it's only a single user. So that being said here's
the ipsec.conf:
conn rw
    leftsubnet=192.168.1.0/24
    leftcert=StrongSwanHostCert.pem
    right=%any
    rightsourceip=192.168.1.10
    auto=add
I suspect I have been doing this wrong but it worked anyway. Thanks
for any assistance.
James
Tobias Brunner
2018-07-24 12:51:50 UTC
Permalink
Hi James,
Post by James Lay
So I moved to Strongswan 5.6.2 during a distribution upgrade.
What distribution? What was the previous version? Do you still have
the same plugins installed and enabled?
Post by James Lay
My simple
setup no longer routes back to the client (I can see the incoming pings
on the server, but nothing goes back). I establish a tunnel fine...my
external_IP_nic2 <-> 192.168.1.1_nic2 192.168.1.0/24 subnet
all I need is to have a connected device able to access
192.168.1.1...and it's only a single user.
Please read [1]. From the involved IPs I guess you used the farp plugin
before, so make sure you still have that installed and loaded.

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
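The distinction behind Tobias' pointer is whether the address handed out by rightsourceip lies inside leftsubnet (LAN hosts then ARP for the client's address, and the gateway has to answer on its behalf with the farp plugin) or in a separate range (the gateway has to forward, and either NAT the client or give the LAN hosts a route back). As an added example, not from this thread or from the strongSwan project, here is a small POSIX sh check that makes that decision for a pool/subnet pair and confirms from charon's "loaded plugins:" startup line whether farp is present. The sample log lines are constructed (abridged from the kind of line charon prints at startup) and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread or of strongSwan: classify a
# rightsourceip pool against leftsubnet and check a charon startup log
# for the farp plugin. Function names are this example's own.

# ip4_to_int 192.168.1.10 -> 3232235786
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_subnet ADDR NET/PREFIX -> exit 0 if ADDR lies inside NET/PREFIX
in_subnet() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    hostbits=$(( 32 - ${2#*/} ))
    [ $(( addr >> hostbits )) -eq $(( net >> hostbits )) ]
}

# pool_mode POOL LAN -> "farp" when the pool (a single address or a CIDR
# block, both accepted by rightsourceip) starts inside LAN, "nat" otherwise.
# Pools are normally wholly inside or wholly outside, so the first address
# is what is tested.
pool_mode() {
    if in_subnet "${1%/*}" "$2"; then echo farp; else echo nat; fi
}

# farp_loaded (charon log on stdin) -> exit 0 if the most recent
# "loaded plugins:" line lists farp
farp_loaded() {
    grep 'loaded plugins:' | tail -n 1 |
        grep -qE '(^|[[:space:]])farp([[:space:]]|$)'
}

# verdict POOL LAN (charon log on stdin) -> prints what the
# ForwardingAndSplitTunneling layout needs; exits 1 when the layout
# needs farp and the log shows it was not loaded
verdict() {
    case $(pool_mode "$1" "$2") in
    farp)
        if farp_loaded; then
            echo "$1 is inside $2: farp loaded; also check net.ipv4.ip_forward=1"
        else
            echo "$1 is inside $2 but farp is not loaded: LAN hosts cannot ARP the client"
            return 1
        fi ;;
    nat)
        echo "$1 is outside $2: needs net.ipv4.ip_forward=1 plus SNAT/MASQUERADE on the gateway or a route to $1 on the LAN hosts" ;;
    esac
}

# Constructed sample startup lines (abridged): the newer daemon lists farp,
# the older one does not.
NEW_LOG='Jul 29 07:29:44 gateway charon: 00[LIB] loaded plugins: charon aes sha2 x509 pem openssl kernel-netlink socket-default connmark farp stroke updown'
OLD_LOG='Apr 18 04:23:34 gateway charon: 00[LIB] loaded plugins: charon aes sha2 x509 pem openssl kernel-netlink socket-default stroke updown'

printf '%s\n' "$NEW_LOG" | verdict 192.168.1.10 192.168.1.0/24
printf '%s\n' "$OLD_LOG" | verdict 192.168.1.10 192.168.1.0/24 ||
    echo '  -> load farp, or move the pool to its own subnet and NAT/route it'
printf '%s\n' "$NEW_LOG" | verdict 172.16.0.1 192.168.1.0/24
```

Against a real gateway, feed the actual log: verdict 192.168.1.10 192.168.1.0/24 < /var/log/syslog. In both layouts net.ipv4.ip_forward must be 1, and in the NAT layout the POSTROUTING ACCEPT rule matching -m policy --dir out --pol ipsec has to sit before the MASQUERADE rule, so that packets heading into the tunnel are not rewritten.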
James Lay
2018-07-25 12:53:25 UTC
Permalink
Thanks Tobias...I have access to the old server so I'll see what's
there...I don't recall installing any other plugins, but we shall see.
I'll report my findings soon..thanks again.

James
James Lay
2018-07-26 00:33:15 UTC
Permalink
So now I'm super confused. I changed to the below:

conn rw
    leftsubnet=192.168.1.0/24
    leftcert=StrongSwanHostCert.pem
    right=%any
    rightsourceip=172.16.0.1
    auto=add

and added the below top 2 postrouting nat rules:

 pkts bytes target     prot opt in  out        source          destination
    0     0 ACCEPT     all  --  *   *          0.0.0.0/0       0.0.0.0/0       policy match dir out pol ipsec
    0     0 MASQUERADE all  --  *   enp0s31f6  172.16.0.1      0.0.0.0/0
24519 1646K MASQUERADE all  --  *   ppp0       192.168.1.0/24  0.0.0.0/0

However when I attempt to ping, I see the ping on the ppp0 interface,
and the source isn't 172.16.0.1:

2018-07-25 18:26:37.085194521 8.0.0.1 → 192.168.1.1 ICMP 100 Echo (ping) request id=0x0004, seq=1/256, ttl=64


Not exactly sure where to go next. I did install the extra plugins
that include farp as well. Thank you.

James
James Lay
2018-07-29 13:53:12 UTC
Permalink
Anything on this? In testing I made this change:

rightsourceip=10.10.10.0/24

Pinging from the client connected device gets me this:

1 2018-07-29 07:50:27.606525877 8.0.10.1 → 192.168.1.1 ICMP 100 Echo (ping) request id=0x000f, seq=1/256, ttl=64


Something seems very broken. Thank you.

James
James Lay
2018-07-29 14:00:07 UTC
Permalink
And some startup and connect logs:

Jul 29 07:29:44 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64)
Jul 29 07:29:44 gateway charon: 00[CFG] PKCS11 module '<name>' lacks library path
Jul 29 07:29:44 gateway charon: 00[CFG] disabling load-tester plugin, not configured
Jul 29 07:29:44 gateway charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Jul 29 07:29:44 gateway charon: 00[CFG] dnscert plugin is disabled
Jul 29 07:29:44 gateway charon: 00[CFG] ipseckey plugin is disabled
Jul 29 07:29:44 gateway charon: 00[CFG] attr-sql plugin: database URI not set
Jul 29 07:29:44 gateway charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 29 07:29:44 gateway charon: 00[CFG] loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/StrongSwanCACert.pem'
Jul 29 07:29:44 gateway charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 29 07:29:44 gateway charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 29 07:29:44 gateway charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 29 07:29:44 gateway charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 29 07:29:44 gateway charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 29 07:29:44 gateway charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/StrongSwanHostKey.pem'
Jul 29 07:29:44 gateway charon: 00[CFG] sql plugin: database URI not set
Jul 29 07:29:44 gateway charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Jul 29 07:29:44 gateway charon: 00[CFG] eap-simaka-sql database URI missing
Jul 29 07:29:44 gateway charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 29 07:29:44 gateway charon: 00[CFG] HA config misses local/remote address
Jul 29 07:29:44 gateway charon: 00[CFG] no threshold configured for systime-fix, disabled
Jul 29 07:29:44 gateway charon: 00[CFG] coupling file path unspecified
Jul 29 07:29:44 gateway charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Jul 29 07:29:44 gateway charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jul 29 07:29:44 gateway charon: 00[JOB] spawning 16 worker threads
Jul 29 07:29:44 gateway ipsec[12353]: charon (12392) started after 100 ms
Jul 29 07:29:44 gateway ipsec_starter[12353]: charon (12392) started after 100 ms
Jul 29 07:29:44 gateway charon: 06[CFG] received stroke: add connection 'rw'
Jul 29 07:29:44 gateway charon: 06[CFG] adding virtual IP address pool 172.16.0.1
Jul 29 07:29:44 gateway charon: 06[CFG] loaded certificate "C=CH, O=strongSwan, CN=ns1.domain" from 'StrongSwanHostCert.pem'
Jul 29 07:29:44 gateway charon: 06[CFG] id 'external_ip' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=ns1.domain'
Jul 29 07:29:44 gateway charon: 06[CFG] added configuration 'rw'
Jul 29 07:30:13 gateway charon: 10[NET] received packet: from x.x.15.77[7388] to external_ip[500] (716 bytes)
Jul 29 07:30:13 gateway charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 29 07:30:13 gateway charon: 10[IKE] x.x.15.77 is initiating an IKE_SA
Jul 29 07:30:13 gateway charon: 10[IKE] x.x.15.77 is initiating an IKE_SA
Jul 29 07:30:13 gateway charon: 10[IKE] remote host is behind NAT
Jul 29 07:30:13 gateway charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Jul 29 07:30:13 gateway charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jul 29 07:30:13 gateway charon: 10[NET] sending packet: from external_ip[500] to x.x.15.77[7388] (297 bytes)
Jul 29 07:30:15 gateway charon: 11[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
Jul 29 07:30:15 gateway charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Jul 29 07:30:15 gateway charon: 11[ENC] received fragment #1 of 4, waiting for complete IKE message
Jul 29 07:30:15 gateway charon: 12[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
Jul 29 07:30:15 gateway charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Jul 29 07:30:15 gateway charon: 12[ENC] received fragment #2 of 4, waiting for complete IKE message
Jul 29 07:30:15 gateway charon: 13[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
Jul 29 07:30:15 gateway charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Jul 29 07:30:15 gateway charon: 13[ENC] received fragment #3 of 4, waiting for complete IKE message
Jul 29 07:30:15 gateway charon: 14[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1156 bytes)
Jul 29 07:30:15 gateway charon: 14[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
James Lay
2018-07-29 14:43:39 UTC
Permalink
And startup and session logs from previous, working version:
Apr 18 04:23:33 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-119-generic, x86_64)
Apr 18 04:23:34 gateway charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 18 04:23:34 gateway charon: 00[CFG] loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/StrongSwanCACert.pem'
Apr 18 04:23:34 gateway charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 18 04:23:34 gateway charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 18 04:23:34 gateway charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 18 04:23:34 gateway charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 18 04:23:34 gateway charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 18 04:23:34 gateway charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/StrongSwanHostKey.pem'
Apr 18 04:23:34 gateway charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Apr 18 04:23:34 gateway charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
Apr 18 04:23:34 gateway charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 18 04:23:34 gateway charon: 00[JOB] spawning 16 worker threads
Apr 18 04:23:34 gateway ipsec_starter[26813]: charon (26814) started after 180 ms
Apr 18 04:23:34 gateway charon: 05[CFG] received stroke: add connection 'rw'
Apr 18 04:23:34 gateway charon: 05[CFG] left nor right host is our side, assuming left=local
Apr 18 04:23:34 gateway charon: 05[CFG] adding virtual IP address pool 192.168.1.11
Apr 18 04:23:34 gateway charon: 05[CFG] loaded certificate "C=CH, O=strongSwan, CN=ns1.domain" from 'StrongSwanHostCert.pem'
Apr 18 04:23:34 gateway charon: 05[CFG] id '%any' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=ns1.domain'
Apr 18 04:23:34 gateway charon: 05[CFG] added configuration 'rw'

Apr 22 12:22:52 gateway charon: 11[NET] received packet: from x.x.9.223[8351] to external_ip[500] (704 bytes)
Apr 22 12:22:52 gateway charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
Apr 22 12:22:52 gateway charon: 11[IKE] x.x.9.223 is initiating an IKE_SA
Apr 22 12:22:52 gateway charon: 11[IKE] x.x.9.223 is initiating an IKE_SA
Apr 22 12:22:52 gateway charon: 11[IKE] remote host is behind NAT
Apr 22 12:22:52 gateway charon: 11[IKE] DH group ECP_256 inacceptable, requesting MODP_2048
Apr 22 12:22:52 gateway charon: 11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 22 12:22:52 gateway charon: 11[NET] sending packet: from external_ip[500] to x.x.9.223[8351] (38 bytes)
Apr 22 12:22:52 gateway charon: 12[NET] received packet: from x.x.9.223[8351] to external_ip[500] (896 bytes)
Apr 22 12:22:52 gateway charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
Apr 22 12:22:52 gateway charon: 12[IKE] x.x.9.223 is initiating an IKE_SA
Apr 22 12:22:52 gateway charon: 12[IKE] x.x.9.223 is initiating an IKE_SA
Apr 22 12:22:52 gateway charon: 12[IKE] remote host is behind NAT
Apr 22 12:22:52 gateway charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Apr 22 12:22:52 gateway charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 22 12:22:52 gateway charon: 12[NET] sending packet: from external_ip[500] to x.x.9.223[8351] (465 bytes)
Apr 22 12:22:53 gateway charon: 14[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (5100 bytes)
Apr 22 12:22:53 gateway charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr 22 12:22:53 gateway charon: 14[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Apr 22 12:22:53 gateway charon: 14[IKE] received 156 cert requests for an unknown ca
Apr 22 12:22:53 gateway charon: 14[IKE] received end entity cert "C=CH, O=strongSwan, CN=***@domain"
Apr 22 12:22:53 gateway charon: 14[CFG] looking for peer configs matching external_ip[%any]...x.x.9.223[C=CH, O=strongSwan, CN=***@domain]
Apr 22 12:22:53 gateway charon: 14[CFG] selected peer config 'rw'
Apr 22 12:22:53 gateway charon: 14[CFG] using certificate "C=CH, O=strongSwan, CN=***@domain"
Apr 22 12:22:53 gateway charon: 14[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA"
Apr 22 12:22:53 gateway charon: 14[CFG] checking certificate status of "C=CH, O=strongSwan, CN=***@domain"
Apr 22 12:22:53 gateway charon: 14[CFG] certificate status is not available
Apr 22 12:22:53 gateway charon: 14[CFG] reached self-signed root ca with a path length of 0
Apr 22 12:22:53 gateway charon: 14[IKE] authentication of 'C=CH, O=strongSwan, CN=***@domain' with RSA signature successful
Apr 22 12:22:53 gateway charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 22 12:22:53 gateway charon: 14[IKE] peer supports MOBIKE
Apr 22 12:22:53 gateway charon: 14[IKE] authentication of 'C=CH, O=strongSwan, CN=ns1.domain' (myself) with RSA signature successful
Apr 22 12:22:53 gateway charon: 14[IKE] IKE_SA rw[6] established between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=***@domain]
Apr 22 12:22:53 gateway charon: 14[IKE] IKE_SA rw[6] established between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=***@domain]
Apr 22 12:22:53 gateway charon: 14[IKE] scheduling reauthentication in 9726s
Apr 22 12:22:53 gateway charon: 14[IKE] maximum IKE_SA lifetime 10266s
Apr 22 12:22:53 gateway charon: 14[IKE] sending end entity cert "C=CH, O=strongSwan, CN=ns1.domain"
Apr 22 12:22:53 gateway charon: 14[IKE] peer requested virtual IP %any
Apr 22 12:22:53 gateway charon: 14[CFG] reassigning offline lease to 'C=CH, O=strongSwan, CN=***@domain'
Apr 22 12:22:53 gateway charon: 14[IKE] assigning virtual IP 192.168.1.11 to peer 'C=CH, O=strongSwan, CN=***@domain'
Apr 22 12:22:53 gateway charon: 14[IKE] peer requested virtual IP %any6
Apr 22 12:22:53 gateway charon: 14[IKE] no virtual IP found for %any6 requested by 'C=CH, O=strongSwan, CN=***@domain'
Apr 22 12:22:53 gateway charon: 14[IKE] CHILD_SA rw{4} established with SPIs cab12a0f_i 17e464af_o and TS 192.168.1.0/24 === 192.168.1.11/32
Apr 22 12:22:53 gateway charon: 14[IKE] CHILD_SA rw{4} established with SPIs cab12a0f_i 17e464af_o and TS 192.168.1.0/24 === 192.168.1.11/32
Apr 22 12:22:53 gateway charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Apr 22 12:22:53 gateway charon: 14[NET] sending packet: from external_ip[4500] to x.x.9.223[8331] (2204 bytes)
Apr 22 12:22:53 gateway charon: 15[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (76 bytes)
Apr 22 12:22:53 gateway charon: 15[ENC] parsed INFORMATIONAL request 2 [ N(NO_ADD_ADDR) ]
Apr 22 12:22:53 gateway charon: 15[ENC] generating INFORMATIONAL response 2 [ ]
Apr 22 12:22:53 gateway charon: 15[NET] sending packet: from external_ip[4500] to x.x.9.223[8331] (76 bytes)
Apr 22 12:23:24 gateway charon: 06[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (76 bytes)
Apr 22 12:23:24 gateway charon: 06[ENC] parsed INFORMATIONAL request 3 [ D ]
Apr 22 12:23:24 gateway charon: 06[IKE] received DELETE for IKE_SA rw[6]
Apr 22 12:23:24 gateway charon: 06[IKE] deleting IKE_SA rw[6] between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=***@domain]
Apr 22 12:23:24 gateway charon: 06[IKE] deleting IKE_SA rw[6] between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan, CN=***@domain]
Apr 22 12:23:24 gateway charon: 06[IKE] IKE_SA deleted
Apr 22 12:23:24 gateway charon: 06[IKE] IKE_SA deleted
Apr 22 12:23:24 gateway charon: 06[ENC] generating INFORMATIONAL response 3 [ ]
Apr 22 12:23:24 gateway charon: 06[NET] sending packet: from external_ip[4500] to x.x.9.223[8331] (76 bytes)
Apr 22 12:23:24 gateway charon: 06[CFG] lease 192.168.1.11 by 'C=CH, O=strongSwan, CN=***@domain' went offline
James Lay
2018-10-16 12:30:05 UTC
Permalink
Bumping this one last time before I give up and move on to something
else ☺ Thanks for any insight.

James
On 2018-07-24 06:51, Tobias Brunner wrote:Hi James,So I moved to
Strongswan 5.6.2 during a distribution upgrade.What
distribution? What was the previous version? Do youstill havethe
same plugins installed and enabled?My simplesetup no longer routes
back to the client (I can seethe incoming pingson the server, but
nothing goes back). Iestablish a tunnel fine...mysetup looks like
external_IP_nic2 <-> 192.168.1.1_nic2 192.168.1.0/24 subnetall I need
is to have a connected device able toaccess192.168.1.1...and it's
only a single user.Please read [1]. From the involved IPs I guess
you used thefarp pluginbefore, so make sure you still have that
installedand loaded.Regards,Tobias[1]
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunnelingThanks
Tobias...I have access to the old server so I'll seewhat's there...I
don't recall installing any other plugins, butwe shall see. I'll
report my findings soon..thanks again.James
conn rw leftsubnet=192.168.1.0/24leftcert=StrongSwanHostCert.pe
mright=%anyrightsourceip=172.16.0.1auto=add
and added the below top 2 postrouting nat rules: pkts bytes
target prot
optin out source destination 0
0 ACCEPT all
-- * * 0.0.0.0/0 0.0.0.0/0 policy
match dir out pol ipsec 0 0 MASQUERADE all
-- * enp0s31f6 172.16.0.1 0.0.0.0/0 24519
1646K MASQUERADE all
-- * ppp0 192.168.1.0/24 0.0.0.0/0
However when I attempt to ping, I see the ping on the ppp0interface,
and the source isn't 172.16.0.1:2018-07-25
18:26:37.085194521 8.0.0.1 → 192.168.1.1 ICMP 100Echo (ping)
request id=0x0004, seq=1/256, ttl=64
Not exactly sure where to go next. I did install the extraplugins
that include farp as well. Thank you.
James
rightsourceip=10.10.10.0/24
1 2018-07-29 07:50:27.606525877 8.0.10.1 → 192.168.1.1 ICMP
100Echo (ping) request id=0x000f, seq=1/256, ttl=64
Something seems very broken. Thank you.
James
Jul 29 07:29:44 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64)
Jul 29 07:29:44 gateway charon: 00[CFG] PKCS11 module '<name>' lacks library path
Jul 29 07:29:44 gateway charon: 00[CFG] disabling load-tester plugin, not configured
Jul 29 07:29:44 gateway charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Jul 29 07:29:44 gateway charon: 00[CFG] dnscert plugin is disabled
Jul 29 07:29:44 gateway charon: 00[CFG] ipseckey plugin is disabled
database URI not set
Jul 29 07:29:44 gateway charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 29 07:29:44 gateway charon: 00[CFG] loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/StrongSwanCACert.pem'
Jul 29 07:29:44 gateway charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 29 07:29:44 gateway charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 29 07:29:44 gateway charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 29 07:29:44 gateway charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 29 07:29:44 gateway charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 29 07:29:44 gateway charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/StrongSwanHostKey.pem'
Jul 29 07:29:44 gateway charon: 00[CFG] sql plugin: database URI not set
Jul 29 07:29:44 gateway charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Jul 29 07:29:44 gateway charon: 00[CFG] eap-simaka-sql database URI missing
Jul 29 07:29:44 gateway charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 29 07:29:44 gateway charon: 00[CFG] HA config misses local/remote address
Jul 29 07:29:44 gateway charon: 00[CFG] no threshold configured for systime-fix, disabled
Jul 29 07:29:44 gateway charon: 00[CFG] coupling file path unspecified
Jul 29 07:29:44 gateway charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire
Jul 29 07:29:44 gateway charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jul 29 07:29:44 gateway charon: 00[JOB] spawning 16 worker threads
Jul 29 07:29:44 gateway ipsec[12353]: charon (12392) started after 100 ms
Jul 29 07:29:44 gateway ipsec_starter[12353]: charon (12392) started after 100 ms
Jul 29 07:29:44 gateway charon: 06[CFG] received stroke: add connection 'rw'
Jul 29 07:29:44 gateway charon: 06[CFG] adding
Jul 29 07:29:44 gateway charon: 06[CFG] loaded certificate "C=CH, O=strongSwan, CN=ns1.domain" from 'StrongSwanHostCert.pem'
Jul 29 07:29:44 gateway charon: 06[CFG] id 'external_ip' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=ns1.domain'
Jul 29 07:29:44 gateway charon: 06[CFG] added configuration 'rw'
Jul 29 07:30:13 gateway charon: 10[NET] received packet: from x.x.15.77[7388] to external_ip[500] (716 bytes)
Jul 29 07:30:13 gateway charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 29 07:30:13 gateway charon: 10[IKE] x.x.15.77 is initiating an IKE_SA
Jul 29 07:30:13 gateway charon: 10[IKE] remote host is behind NAT
Jul 29 07:30:13 gateway charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Jul 29 07:30:13 gateway charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jul 29 07:30:13 gateway charon: 10[NET] sending packet: from external_ip[500] to x.x.15.77[7388] (297 bytes)
Jul 29 07:30:15 gateway charon: 11[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
Jul 29 07:30:15 gateway charon: 11[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
Jul 29 07:30:15 gateway charon: 11[ENC] received fragment #1 of 4, waiting for complete IKE message
Jul 29 07:30:15 gateway charon: 12[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
Jul 29 07:30:15 gateway charon: 12[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
Jul 29 07:30:15 gateway charon: 12[ENC] received fragment #2 of 4, waiting for complete IKE message
Jul 29 07:30:15 gateway charon: 13[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1364 bytes)
Jul 29 07:30:15 gateway charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
Jul 29 07:30:15 gateway charon: 13[ENC] received fragment #3 of 4, waiting for complete IKE message
Jul 29 07:30:15 gateway charon: 14[NET] received packet: from x.x.15.77[7380] to external_ip[4500] (1156 bytes)
Jul 29 07:30:15 gateway charon: 14[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
And startup and session logs from previous, working version:

Apr 18 04:23:33 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-119-generic, x86_64)
Apr 18 04:23:34 gateway charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 18 04:23:34 gateway charon: 00[CFG] loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/StrongSwanCACert.pem'
Apr 18 04:23:34 gateway charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 18 04:23:34 gateway charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 18 04:23:34 gateway charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 18 04:23:34 gateway charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 18 04:23:34 gateway charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 18 04:23:34 gateway charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/StrongSwanHostKey.pem'
Apr 18 04:23:34 gateway charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Apr 18 04:23:34 gateway charon: 00[LIB] unable to load 5 plugin features
Apr 18 04:23:34 gateway charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 18 04:23:34 gateway charon: 00[JOB] spawning 16 worker threads
Apr 18 04:23:34 gateway ipsec_starter[26813]: charon (26814) started after 180 ms
Apr 18 04:23:34 gateway charon: 05[CFG] received stroke: add connection 'rw'
Apr 18 04:23:34 gateway charon: 05[CFG] left nor right host is our side, assuming left=local
Apr 18 04:23:34 gateway charon: 05[CFG] adding virtual IP address pool 192.168.1.11
Apr 18 04:23:34 gateway charon: 05[CFG] loaded certificate "C=CH, O=strongSwan, CN=ns1.domain" from 'StrongSwanHostCert.pem'
Apr 18 04:23:34 gateway charon: 05[CFG] id '%any' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=ns1.domain'
Apr 18 04:23:34 gateway charon: 05[CFG] added configuration 'rw'
Apr 22 12:22:52 gateway charon: 11[NET] received packet: from x.x.9.223[8351] to external_ip[500] (704 bytes)
Apr 22 12:22:52 gateway charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
Apr 22 12:22:52 gateway charon: 11[IKE] x.x.9.223 is initiating an IKE_SA
Apr 22 12:22:52 gateway charon: 11[IKE] x.x.9.223 is initiating an IKE_SA
Apr 22 12:22:52 gateway charon: 11[IKE] remote host is behind NAT
Apr 22 12:22:52 gateway charon: 11[IKE] DH group ECP_256
Apr 22 12:22:52 gateway charon: 11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 22 12:22:52 gateway charon: 11[NET] sending packet: from external_ip[500] to x.x.9.223[8351] (38 bytes)
Apr 22 12:22:52 gateway charon: 12[NET] received packet: from x.x.9.223[8351] to external_ip[500] (896 bytes)
Apr 22 12:22:52 gateway charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) N((16431)) N(REDIR_SUP) ]
Apr 22 12:22:52 gateway charon: 12[IKE] x.x.9.223 is initiating an IKE_SA
Apr 22 12:22:52 gateway charon: 12[IKE] x.x.9.223 is initiating an IKE_SA
Apr 22 12:22:52 gateway charon: 12[IKE] remote host is behind NAT
Apr 22 12:22:52 gateway charon: 12[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Apr 22 12:22:52 gateway charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 22 12:22:52 gateway charon: 12[NET] sending packet: from external_ip[500] to x.x.9.223[8351] (465 bytes)
Apr 22 12:22:53 gateway charon: 14[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (5100 bytes)
Apr 22 12:22:53 gateway charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr 22 12:22:53 gateway charon: 14[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Apr 22 12:22:53 gateway charon: 14[IKE] received 156 cert requests for an unknown ca
Apr 22 12:22:53 gateway charon: 14[IKE] received end entity cert
Apr 22 12:22:53 gateway charon: 14[CFG] looking for peer configs matching external_ip[%any]...x.x.9.223[C=CH, O=strongSwan,
Apr 22 12:22:53 gateway charon: 14[CFG] selected peer config 'rw'
Apr 22 12:22:53 gateway charon: 14[CFG] using certificate
Apr 22 12:22:53 gateway charon: 14[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan Root CA"
Apr 22 12:22:53 gateway charon: 14[CFG] checking certificate status of "C=CH, O=strongSwan,
Apr 22 12:22:53 gateway charon: 14[CFG] reached self-signed root ca with a path length of 0
Apr 22 12:22:53 gateway charon: 14[IKE] authentication of 'C=CH,
Apr 22 12:22:53 gateway charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 22 12:22:53 gateway charon: 14[IKE] peer supports MOBIKE
Apr 22 12:22:53 gateway charon: 14[IKE] authentication of 'C=CH, O=strongSwan, CN=ns1.domain' (myself) with RSA signature successful
Apr 22 12:22:53 gateway charon: 14[IKE] IKE_SA rw[6] established between external_ip[C=CH, O=strongSwan,
Apr 22 12:22:53 gateway charon: 14[IKE] IKE_SA rw[6] established between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH,
Apr 22 12:22:53 gateway charon: 14[IKE] sending end entity cert "C=CH, O=strongSwan, CN=ns1.domain"
Apr 22 12:22:53 gateway charon: 14[IKE] peer requested virtual IP %any
Apr 22 12:22:53 gateway charon: 14[CFG] reassigning offline lease to
Apr 22 12:22:53 gateway charon: 14[IKE] assigning virtual IP 192.168.1.11 to peer 'C=CH, O=strongSwan,
Apr 22 12:22:53 gateway charon: 14[IKE] peer requested virtual IP %any6
Apr 22 12:22:53 gateway charon: 14[IKE] no virtual IP
Apr 22 12:22:53 gateway charon: 14[IKE] CHILD_SA rw{4} established with SPIs cab12a0f_i 17e464af_o and TS 192.168.1.0/24 === 192.168.1.11/32
Apr 22 12:22:53 gateway charon: 14[IKE] CHILD_SA rw{4} established with SPIs cab12a0f_i 17e464af_o and TS 192.168.1.0/24 === 192.168.1.11/32
Apr 22 12:22:53 gateway charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Apr 22 12:22:53 gateway charon: 14[NET] sending packet: from external_ip[4500] to x.x.9.223[8331] (2204 bytes)
Apr 22 12:22:53 gateway charon: 15[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (76 bytes)
Apr 22 12:22:53 gateway charon: 15[ENC] parsed INFORMATIONAL request 2 [ N(NO_ADD_ADDR) ]
Apr 22 12:22:53 gateway charon: 15[ENC] generating INFORMATIONAL response 2 [ ]
Apr 22 12:22:53 gateway charon: 15[NET] sending packet: from external_ip[4500] to x.x.9.223[8331] (76 bytes)
Apr 22 12:23:24 gateway charon: 06[NET] received packet: from x.x.9.223[8331] to external_ip[4500] (76 bytes)
Apr 22 12:23:24 gateway charon: 06[ENC] parsed INFORMATIONAL request 3 [ D ]
Apr 22 12:23:24 gateway charon: 06[IKE] received DELETE for IKE_SA rw[6]
Apr 22 12:23:24 gateway charon: 06[IKE] deleting IKE_SA rw[6] between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH,
Apr 22 12:23:24 gateway charon: 06[IKE] deleting IKE_SA rw[6] between external_ip[C=CH, O=strongSwan, CN=ns1.domain]...x.x.9.223[C=CH, O=strongSwan,
Apr 22 12:23:24 gateway charon: 06[IKE] IKE_SA deleted
Apr 22 12:23:24 gateway charon: 06[IKE] IKE_SA deleted
Apr 22 12:23:24 gateway charon: 06[ENC] generating INFORMATIONAL response 3 [ ]
Apr 22 12:23:24 gateway charon: 06[NET] sending packet: from external_ip[4500] to x.x.9.223[8331] (76 bytes)
Apr 22 12:23:24 gateway charon: 06[CFG] lease 192.168.1.11 by 'C=CH, O=strongSwan,
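Tobias's first question was whether the same plugins are still installed and loaded, and the two startup logs above are exactly what answers it. The following is an added example, not code from the thread or from strongSwan: it pulls the daemon and kernel versions from the `[DMN] Starting IKE charon daemon` line and the plugin set from the `[LIB] loaded plugins:` line of each log and reports what changed. The sample logs are abbreviated copies of the lines posted above (the plugin lists are taken as printed there, so the newer one ends where the post cuts it off); the function names are this example's own.

```python
import re
from typing import Dict, NamedTuple, Optional, Set

# charon's startup banner, e.g.
#   ... 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64)
BANNER_RE = re.compile(
    r"\[DMN\] Starting IKE charon daemon \((?P<sw>strongSwan [^,]+), "
    r"(?P<kernel>Linux [^,]+), (?P<arch>[^)]+)\)"
)
# The plugin inventory line; everything after the colon is a space-separated list.
PLUGINS_RE = re.compile(r"\[LIB\] loaded plugins: (?P<plugins>.+)$")


class StartupInfo(NamedTuple):
    strongswan: Optional[str]
    kernel: Optional[str]
    arch: Optional[str]
    plugins: Set[str]


def parse_startup(log: str) -> StartupInfo:
    """Extract versions and the loaded plugin set from one charon startup log."""
    sw = kernel = arch = None
    plugins: Set[str] = set()
    for line in log.splitlines():
        m = BANNER_RE.search(line)
        if m:
            sw, kernel, arch = m["sw"], m["kernel"], m["arch"]
            continue
        m = PLUGINS_RE.search(line)
        if m:
            plugins = set(m["plugins"].split())
    return StartupInfo(sw, kernel, arch, plugins)


def compare_startups(old_log: str, new_log: str) -> Dict[str, object]:
    """Diff two startup logs: version changes plus plugins gained and lost."""
    old, new = parse_startup(old_log), parse_startup(new_log)
    return {
        "strongswan": (old.strongswan, new.strongswan),
        "kernel": (old.kernel, new.kernel),
        "plugins_added": sorted(new.plugins - old.plugins),
        "plugins_removed": sorted(old.plugins - new.plugins),
    }


def plugin_loaded(log: str, name: str) -> bool:
    """Single-plugin check, e.g. for the farp plugin Tobias asked about."""
    return name in parse_startup(log).plugins


# Constructed sample logs: the relevant lines copied from the two posts above.
OLD_LOG = """\
Apr 18 04:23:33 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-119-generic, x86_64)
Apr 18 04:23:34 gateway charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Apr 18 04:23:34 gateway charon: 00[JOB] spawning 16 worker threads
"""

NEW_LOG = """\
Jul 29 07:29:44 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64)
Jul 29 07:29:44 gateway charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire
Jul 29 07:29:44 gateway charon: 00[JOB] spawning 16 worker threads
"""

if __name__ == "__main__":
    diff = compare_startups(OLD_LOG, NEW_LOG)
    print("strongSwan: %s -> %s" % diff["strongswan"])
    print("kernel:     %s -> %s" % diff["kernel"])
    print("farp loaded in new log:", plugin_loaded(NEW_LOG, "farp"))
    print("plugins removed:", diff["plugins_removed"])
    print("plugins added:", " ".join(diff["plugins_added"]))
```

On these two logs the diff confirms farp is loaded after the upgrade and that every plugin the 5.1.2 daemon had is still present, with one caveat: addrblock shows up as "removed" only because the posted 5.6.2 plugin line is truncated after certexpire, so the comparison is only as complete as the log you paste in. The kernel field is the other thing worth reading off here, since the thread later pins the problem on the 4.15 kernel rather than on strongSwan.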
Tobias Brunner
2018-10-16 12:58:40 UTC
Permalink
Hi James,
Post by James Lay
However when I attempt to ping, I see the ping on the ppp0 interface,
and the source isn't 172.16.0.1:
2018-07-25 18:26:37.085194521 8.0.0.1 → 192.168.1.1 ICMP 100 Echo (ping) request id=0x0004, seq=1/256, ttl=64
That indicates you ran into a bug in the 4.15 kernel. See my response
at [1] and if you use Ubuntu 18.04, there might soon be a fix [2].

Regards,
Tobias

[1] https://serverfault.com/a/933614/95913
[2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1795653
James Lay
2018-10-16 23:40:33 UTC
Permalink
Thank you much Tobias...I will be patient and wait for a fix.

James
Post by Tobias Brunner
Hi James,
However when I attempt to ping, I see the ping on the ppp0
interface, and the source isn't 172.16.0.1:
2018-07-25 18:26:37.085194521 8.0.0.1 → 192.168.1.1 ICMP 100 Echo (ping) request id=0x0004, seq=1/256, ttl=64
That indicates you ran into a bug in the 4.15 kernel. See my
response at [1] and if you use Ubuntu 18.04, there might soon be a fix
[2].
Regards,
Tobias
[1] https://serverfault.com/a/933614/95913
[2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1795653
James Lay
2018-11-15 01:39:13 UTC
Permalink
Post by Tobias Brunner
Hi James,
However when I attempt to ping, I see the ping on the ppp0
interface, and the source isn't 172.16.0.1:
2018-07-25 18:26:37.085194521 8.0.0.1 → 192.168.1.1 ICMP 100 Echo (ping) request id=0x0004, seq=1/256, ttl=64
That indicates you ran into a bug in the 4.15 kernel. See my
response at [1] and if you use Ubuntu 18.04, there might soon be a fix
[2].
Regards,
Tobias
[1] https://serverfault.com/a/933614/95913
[2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1795653
As of 4.15.0-39-generic for Bionic this now appears to be fixed. Glory
be and pass the salt...thank you!

James