Victor Medina
2018-11-14 13:48:06 UTC
I am trying to get two networks to pass multicast traffic. I built a custom
strongSwan from the latest version, 5.7.1. The tunnel is up and working, but
still no multicast traffic.
My ipsec statusall:
Status of IKE charon daemon (strongSwan 5.7.1, Linux 4.15.0-1027-aws,
x86_64):
uptime: 36 minutes, since Nov 14 12:55:58 2018
malloc: sbrk 4796416, mmap 532480, used 3212832, free 1583584
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 3
loaded plugins: charon unbound pkcs11 aesni aes des blowfish rc2 sha2
sha3 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints
acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey
pem openssl af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr
ccm gcm ntru newhope bliss files attr kernel-pfkey kernel-netlink resolve
socket-default socket-dynamic bypass-lan connmark forecast farp stroke vici
updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp eap-aka-3gpp2
eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2
eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap
xauth-pam xauth-noauth dhcp p-cscf whitelist lookip error-notify certexpire
led duplicheck radattr addrblock unity counters
Listening IP addresses:
10.77.0.104
Connections:
multicast-conn: 10.77.0.104...xxxxxxx IKEv2, dpddelay=30s
multicast-conn: local: [yyyyyyyy] uses pre-shared key authentication
multicast-conn: remote: [xxxxxxxx] uses pre-shared key authentication
multicast-conn: child: 10.77.0.96/28 224.10.0.0/16 239.1.0.0/23 ===
10.50.10.0/25 224.10.0.0/16 239.1.0.0/23 TUNNEL, dpdaction=hold
Shunted Connections:
Bypass LAN 10.77.0.96/28: 10.77.0.96/28 === 10.77.0.96/28 PASS
Bypass LAN 10.77.0.97/32: 10.77.0.97/32 === 10.77.0.97/32 PASS
Bypass LAN fe80::/64: fe80::/64 === fe80::/64 PASS
Routed Connections:
multicast-conn{1}: ROUTED, TUNNEL, reqid 1
multicast-conn{1}: 10.77.0.96/28 224.10.0.0/16 239.1.0.0/23 ===
10.50.10.0/25 224.10.0.0/16 239.1.0.0/23
Security Associations (1 up, 0 connecting):
multicast-conn[1]: ESTABLISHED 36 minutes ago,
10.77.0.104[100.24.163.130]...xxxxxxx[xxxxxxxx]
multicast-conn[1]: IKEv2 SPIs: e52d72342f2f6068_i 0e26010c583bd313_r*,
pre-shared key reauthentication in 23 hours
multicast-conn[1]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
multicast-conn{2}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c43bcd7c_i
b7177b76_o
multicast-conn{2}: AES_CBC_256/HMAC_SHA1_96, 2782 bytes_i, 110544 bytes_o
(1316 pkts, 0s ago), rekeying in 7 hours
multicast-conn{2}: 10.77.0.96/28 224.10.0.0/16 239.1.0.0/23 ===
10.50.10.0/25 224.10.0.0/16 239.1.0.0/23
My ipsec.conf:
config setup
    # charondebug="ike 4, knl 4, cfg 4, net 4, esp 4, dmn 4, mgr 4"
    charondebug="cfg 2, esp 2"

conn seedcx-etale-aws
    keyexchange=ikev2
    authby=secret
    # My network
    left=10.77.0.104
    # 239.1.1.0/23 is not on a /23 boundary; charon normalizes it to
    # 239.1.0.0/23 (that is what statusall shows above)
    leftsubnet=10.77.0.96/28,224.10.0.0/16,239.1.1.0/23
    leftid=yyyyyyyyyyyy
    leftfirewall=yes
    # Peer Network
    right=xxxxxxxxxxx
    rightid=xxxxxxxxx
    rightsubnet=10.50.10.0/25,224.10.0.0/16,239.1.1.0/23
    # CIPHERS
    ike=aes256-sha-modp1024
    esp=aes256-sha
    # REKEYING
    ikelifetime=86400
    lifetime=28800
    rekeymargin=3m
    keyingtries=3
    # CONTROL
    lefthostaccess=yes
    #righthostaccess=yes
    dpdaction=hold
    # unique netfilter mark per CHILD_SA (forecast uses it to tell SAs apart)
    mark=%unique
    auto=route
My forecast conf (charon.plugins section of strongswan.conf):
forecast {
    # Multicast groups to join locally, allowing forwarding of them.
    groups = 224.10.0.0/16,239.1.1.0/23
    # Local interface to listen for broadcasts to forward.
    interface = eth0
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
    # CHILD_SA configurations names to perform multi/broadcast reinjection.
    # reinject =
}
My iptables -L:
Chain INPUT (policy ACCEPT)
target  prot opt source                         destination
ACCEPT  all  --  239.1.0.0/23                   239.1.0.0/23                   policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  224.10.0.0/16                  239.1.0.0/23                   policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  ip-10-50-10-0.ppp.internal/25  239.1.0.0/23                   policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  239.1.0.0/23                   224.10.0.0/16                  policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  224.10.0.0/16                  224.10.0.0/16                  policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  ip-10-50-10-0.ppp.internal/25  224.10.0.0/16                  policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  239.1.0.0/23                   ip-10-77-0-96.ec2.internal/28  policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  224.10.0.0/16                  ip-10-77-0-96.ec2.internal/28  policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  ip-10-50-10-0.ppp.internal/25  ip-10-77-0-96.ec2.internal/28  policy match dir in pol ipsec reqid 2 proto esp

Chain FORWARD (policy ACCEPT)
target  prot opt source                         destination
ACCEPT  all  --  239.1.0.0/23                   239.1.0.0/23                   policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  239.1.0.0/23                   239.1.0.0/23                   policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  224.10.0.0/16                  239.1.0.0/23                   policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  239.1.0.0/23                   224.10.0.0/16                  policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  ip-10-50-10-0.ppp.internal/25  239.1.0.0/23                   policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  239.1.0.0/23                   ip-10-50-10-0.ppp.internal/25  policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  239.1.0.0/23                   224.10.0.0/16                  policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  224.10.0.0/16                  239.1.0.0/23                   policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  224.10.0.0/16                  224.10.0.0/16                  policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  224.10.0.0/16                  224.10.0.0/16                  policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  ip-10-50-10-0.ppp.internal/25  224.10.0.0/16                  policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  224.10.0.0/16                  ip-10-50-10-0.ppp.internal/25  policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  239.1.0.0/23                   ip-10-77-0-96.ppp.internal/28  policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  ip-10-77-0-96.ppp.internal/28  239.1.0.0/23                   policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  224.10.0.0/16                  ip-10-77-0-96.ppp.internal/28  policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  ip-10-77-0-96.ppp.internal/28  224.10.0.0/16                  policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  ip-10-50-10-0.ppp.internal/25  ip-10-77-0-96.ppp.internal/28  policy match dir in pol ipsec reqid 2 proto esp
ACCEPT  all  --  ip-10-77-0-96.ppp.internal/28  ip-10-50-10-0.ppp.internal/25  policy match dir out pol ipsec reqid 2 proto esp

Chain OUTPUT (policy ACCEPT)
target  prot opt source                         destination
ACCEPT  all  --  239.1.0.0/23                   239.1.0.0/23                   policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  239.1.0.0/23                   224.10.0.0/16                  policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  239.1.0.0/23                   ip-10-50-10-0.ppp.internal/25  policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  224.10.0.0/16                  239.1.0.0/23                   policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  224.10.0.0/16                  224.10.0.0/16                  policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  224.10.0.0/16                  ip-10-50-10-0.ppp.internal/25  policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  ip-10-77-0-96.ppp.internal/28  239.1.0.0/23                   policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  ip-10-77-0-96.ppp.internal/28  224.10.0.0/16                  policy match dir out pol ipsec reqid 2 proto esp
ACCEPT  all  --  ip-10-77-0-96.ppp.internal/28  ip-10-50-10-0.ppp.internal/25  policy match dir out pol ipsec reqid 2 proto esp
The network admin on the other side mentioned this:
I have enabled PIM Sparse mode on my end of the VPN tunnel. Here is the
Certification info:
RP 10.50.10.1 groups 239.1.1.0/23 ... so on a normal networking device
(cisco, arista) you would add the statements:
ip pim rp-address 10.50.10.1 224.10.0.0/16
ip pim rp-address 10.50.10.1 239.1.1.0/23
Is there any way to configure this on strongSwan? Should I kindly ask him to
change something on their side in order to make it work?
Victor Medina
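The following is an added example, not the poster's configuration and not a reply from the list: it shows the forecast section of strongswan.conf and the matching conn with multicast reinjection actually enabled. In the posted strongswan.conf the `reinject` option is commented out, and the forecast plugin only copies multicast/broadcast traffic into the CHILD_SAs named there; `groups` and `interface` alone just make the host join the groups on the LAN. The example assumes the conn is called `multicast-conn` (the name shown in the statusall output; the posted ipsec.conf calls it seedcx-etale-aws), that eth0 faces the 10.77.0.96/28 LAN, and it writes the 239.1.x group as the network address 239.1.0.0/23, which is what charon normalizes 239.1.1.0/23 to. It is also worth knowing what the plugin is not: strongSwan has no PIM implementation, so there is no counterpart to the peer's `ip pim rp-address` lines; the forecast plugin forwards at the packet level between the LAN and the tunnel, and whatever multicast the Cisco/Arista side is willing to push into the IPsec SA is what can arrive.

```ini
# /etc/strongswan.conf  (added example; option names are the documented
# charon.plugins.forecast options that also appear in the posted file)
charon {
    plugins {
        forecast {
            load = yes
            # Groups joined locally on the LAN interface so that the host
            # receives them and can forward them. Use network addresses:
            # 239.1.1.0/23 is not on a /23 boundary and charon turns it
            # into 239.1.0.0/23.
            groups = 224.10.0.0/16,239.1.0.0/23
            # LAN interface to listen on for multicast/broadcast to forward.
            interface = eth0
            # Without this line nothing is reinjected into any tunnel: list
            # the CHILD_SA config name(s) whose traffic selectors cover the
            # groups. Assumption: the conn is named multicast-conn.
            reinject = multicast-conn
        }
    }
}

# /etc/ipsec.conf  (same settings as the posted conn, with the multicast
# selectors written so that they match the forecast groups exactly)
conn multicast-conn
    keyexchange=ikev2
    authby=secret
    left=10.77.0.104
    leftid=yyyyyyyyyyyy
    leftsubnet=10.77.0.96/28,224.10.0.0/16,239.1.0.0/23
    leftfirewall=yes
    right=xxxxxxxxxxx
    rightid=xxxxxxxxx
    rightsubnet=10.50.10.0/25,224.10.0.0/16,239.1.0.0/23
    ike=aes256-sha-modp1024
    esp=aes256-sha
    ikelifetime=86400
    lifetime=28800
    rekeymargin=3m
    keyingtries=3
    lefthostaccess=yes
    dpdaction=hold
    # Kept from the posted config: the forecast plugin identifies the
    # CHILD_SA it reinjects into by the SA's netfilter mark.
    mark=%unique
    auto=route
```

After `ipsec restart` and bringing the CHILD_SA up, `ip maddr show dev eth0` should list 224.10.x and 239.1.x memberships, `ip xfrm policy` should show the multicast selectors with the SA's reqid, and `tcpdump -ni eth0 net 224.10.0.0/16 or net 239.1.0.0/23` on each side shows whether multicast frames are actually being emitted into, and decrypted out of, the tunnel. If the peer insists on a PIM adjacency, that has to come from a routing daemon on the Linux host rather than from strongSwan.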