
#1 2016-08-16 20:39:39

Body
Member
Registered: 2016-08-16
Posts: 1

[solved] strongSwan IPsec routing issue

Hello,

First of all, I apologize if I'm in the wrong forum, and mostly for my bad English.

In my home I have a Ubiquiti EdgeMax router (EdgeOS 1.8.5), and on my dedicated server I have strongSwan (5.5) installed on my Arch Linux firewall/router VM.

I've successfully configured IPsec on my EdgeMax, and I configured strongSwan from the config generated by the EdgeMax. I used x509 authentication (I have my personal PKI).

The tunnel is established correctly, and from my home LAN I can ping all my VMs. But from my VMs I can't ping the PCs on my LAN. The packets are not transferred into the tunnel.

Is there a special configuration to do on Arch Linux? I already configured strongSwan before on Debian and I never had this problem, but maybe I made a mistake.


Below, my configuration and logs:


From Arch Linux (the problem is here)

# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup


conn %default
        keyexchange=ikev2
        ike=aes256-sha512-modp2048s256!
        reauth=yes
        ikelifetime=43200s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
        esp=aes256-sha512-modp2048s256!
        keylife=3600s
        rekeymargin=540s
        compress=no


conn Home
        left=%defaultroute
        leftcert=arch-fw.cert.pem
        leftsubnet=172.16.1.0/24
        leftfirewall=yes
        leftid="arch-fw.mydomain.com"
        right=%any
        rightsubnet=192.168.1.100/24
        rightid="ubnt.mydomain.com"
        auto=add

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.0, Linux 4.6.4-1-ARCH, x86_64):
  uptime: 3 days, since Aug 13 00:22:05 2016
  malloc: sbrk 1773568, mmap 0, used 660032, free 1113536
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aesni aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp chapoly xcbc cmac hmac curl sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity
Listening IP addresses:
  111.111.111.111
  172.16.1.1
Connections:
        Home:  %any...%any  IKEv2, dpddelay=30s
        Home:   local:  [arch-fw.mydomain.com] uses public key authentication
        Home:    cert:  "C=FR, ST=IDF, L=PARIS, O=MYDOMAIN, OU=Certificate Authority Intermediate, CN=arch-fw.mydomain.com, E=admin@mydomain.com"
        Home:   remote: [ubnt.mydomain.com] uses public key authentication
        Home:   child:  172.16.1.0/24 === 192.168.1.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
        Home[61]: ESTABLISHED 11 hours ago, 111.111.111.111[arch-fw.mydomain.com]...111.111.111.222[ubnt.mydomain.com]
        Home[61]: IKEv2 SPIs: 0af07c399aba0583_i c68171d1d5abaca4_r*, public key reauthentication in 44 minutes
        Home[61]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048_256
        Home{167}:  INSTALLED, TUNNEL, reqid 60, ESP in UDP SPIs: ced0dc9a_i cd01b4e1_o
        Home{167}:  AES_CBC_256/HMAC_SHA2_512_256/MODP_2048_256, 5480 bytes_i (79 pkts, 0s ago), 5152 bytes_o (46 pkts, 6s ago), rekeying in 31 minutes
        Home{167}:   172.16.1.0/24 === 192.168.1.0/24

# ip xfrm policy
src 172.16.1.0/24 dst 192.168.1.0/24
        dir fwd priority 287712
src 192.168.1.0/24 dst 172.16.1.0/24
        dir fwd priority 187712
        tmpl src 111.111.111.222 dst 111.111.111.111
                proto esp reqid 60 mode tunnel
src 192.168.1.0/24 dst 172.16.1.0/24
        dir in priority 187712
        tmpl src 111.111.111.222 dst 111.111.111.111
                proto esp reqid 60 mode tunnel
src 172.16.1.0/24 dst 192.168.1.0/24
        dir out priority 187712
        tmpl src 111.111.111.111 dst 111.111.111.222
                proto esp reqid 60 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         111.111.111.001    0.0.0.0         UG    0      0        0 ens32
111.111.111.001    0.0.0.0         255.255.255.255 UH    0      0        0 ens32
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 ens34
172.16.2.0      172.16.1.4      255.255.255.0   UG    0      0        0 ens34
192.168.1.0     111.111.111.001    255.255.255.0   UG    0      0        0 ens32

Ubiquiti EdgeMax

vbash-4.1# cat /etc/ipsec.conf
# generated by /opt/vyatta/sbin/vpn-config.pl

config setup

conn %default
        keyexchange=ikev1


conn peer-111.111.111.111-tunnel-1
        left=%defaultroute
        leftid="ubnt.mydomain.com"
        right=111.111.111.111
        rightid="arch-fw.mydomain.com"
        leftsubnet=192.168.1.0/24
        rightsubnet=172.16.1.0/24
        ike=aes256-sha512-modp2048s256!
        keyexchange=ikev2
        reauth=yes
        ikelifetime=43200s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
        esp=aes256-sha512-modp2048s256!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        rightca=%same
        leftcert=/etc/ipsec.d/certs/ubnt.cert.pem
        auto=route
        keyingtries=1

vbash-4.1# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64):
  uptime: 3 days, since Aug 13 00:29:16 2016
  malloc: sbrk 410768, mmap 0, used 315344, free 95424
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent xcbc cmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap addrblock
Listening IP addresses:
  192.168.1.100
Connections:
peer-111.111.111.111-tunnel-1:  %any...111.111.111.111  IKEv2, dpddelay=30s
peer-111.111.111.111-tunnel-1:   local:  [ubnt.mydomain.com] uses public key authentication
peer-111.111.111.111-tunnel-1:    cert:  "C=FR, ST=IDF, L=PARIS, O=MYODMAIN, OU=Certificate Authority Intermediate, CN=ubnt.mydomain.com, E=admin@mydomain.com"
peer-111.111.111.111-tunnel-1:   remote: [arch-fw.mydomain.com] uses public key authentication
peer-111.111.111.111-tunnel-1:   child:  192.168.1.0/24 === 172.16.1.0/24 TUNNEL, dpdaction=restart
Routed Connections:
peer-111.111.111.111-tunnel-1{1}:  ROUTED, TUNNEL
peer-111.111.111.111-tunnel-1{1}:   192.168.1.0/24 === 172.16.1.0/24
Security Associations (1 up, 0 connecting):
peer-111.111.111.111-tunnel-1[58]: ESTABLISHED 11 hours ago, 192.168.1.100[ubnt.mydomain.com]...111.111.111.111[arch-fw.mydomain.com]
peer-111.111.111.111-tunnel-1[58]: IKEv2 SPIs: 0af07c399aba0583_i* c68171d1d5abaca4_r, public key reauthentication in 31 minutes
peer-111.111.111.111-tunnel-1[58]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048_256
peer-111.111.111.111-tunnel-1{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cd01b4e1_i ced0dc9a_o
peer-111.111.111.111-tunnel-1{1}:  AES_CBC_256/HMAC_SHA2_512_256, 12512 bytes_i (78 pkts, 56s ago), 6744 bytes_o (105 pkts, 56s ago), rekeying in 31 minutes
peer-111.111.111.111-tunnel-1{1}:   192.168.1.0/24 === 172.16.1.0/24

vbash-4.1#  ip xfrm policy
src 172.16.1.0/24 dst 192.168.1.0/24
        dir fwd priority 2883
        tmpl src 111.111.111.111 dst 192.168.1.100
                proto esp reqid 1 mode tunnel
src 172.16.1.0/24 dst 192.168.1.0/24
        dir in priority 2883
        tmpl src 111.111.111.111 dst 192.168.1.100
                proto esp reqid 1 mode tunnel
src 192.168.1.0/24 dst 172.16.1.0/24
        dir out priority 2883
        tmpl src 192.168.1.100 dst 111.111.111.111
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0

vbash-4.1# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

I have no firewall rules on my Ubiquiti because it is behind my ISP box, and on my Arch I just opened UDP ports 500 and 4500. NAT traversal works fine.

If you need more info, don't hesitate.

Thanks!

Last edited by Body (2016-08-17 23:19:40)
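As an added example (not part of the post above), a small Python check that parses the text `ip xfrm policy` prints, as shown in the post, and reports for a given local/remote subnet pair whether the out, in and fwd policies exist and carry an ESP tunnel-mode template. The sample text is constructed from the Arch side's output in the post, and the subnet arguments passed to `tunnel_check` are assumptions.

```python
import ipaddress
import re

# Constructed sample in the format of the Arch side's `ip xfrm policy` output above (trimmed).
SAMPLE = """\
src 192.168.1.0/24 dst 172.16.1.0/24
        dir fwd priority 187712
        tmpl src 111.111.111.222 dst 111.111.111.111
                proto esp reqid 60 mode tunnel
src 192.168.1.0/24 dst 172.16.1.0/24
        dir in priority 187712
        tmpl src 111.111.111.222 dst 111.111.111.111
                proto esp reqid 60 mode tunnel
src 172.16.1.0/24 dst 192.168.1.0/24
        dir out priority 187712
        tmpl src 111.111.111.111 dst 111.111.111.222
                proto esp reqid 60 mode tunnel
"""

def parse_policies(text):
    """Parse `ip xfrm policy` text into dicts (src, dst, dir, priority, tmpl); socket policies keep dir=None."""
    policies = []
    for line in text.splitlines():
        if m := re.match(r"^src (\S+) dst (\S+)$", line):
            policies.append({"src": ipaddress.ip_network(m[1]), "dst": ipaddress.ip_network(m[2]),
                             "dir": None, "priority": None, "tmpl": None})
        elif not policies:
            continue  # attribute line before any 'src' line: nothing to attach it to
        elif m := re.match(r"^\s+dir (\S+) priority (\d+)", line):
            policies[-1].update(dir=m[1], priority=int(m[2]))
        elif m := re.match(r"^\s+tmpl src (\S+) dst (\S+)", line):
            policies[-1]["tmpl"] = {"src": m[1], "dst": m[2]}
        elif (m := re.match(r"^\s+proto (\S+) reqid (\d+) mode (\S+)", line)) and policies[-1]["tmpl"]:
            policies[-1]["tmpl"].update(proto=m[1], reqid=int(m[2]), mode=m[3])
    return policies

def tunnel_check(text, local, remote):
    """Map each of out/in/fwd to 'ok', 'missing' or 'no esp tunnel template' for the subnet pair."""
    # strict=False masks a host address such as 192.168.1.100/24 to its network, as strongSwan does.
    local, remote = ipaddress.ip_network(local, strict=False), ipaddress.ip_network(remote, strict=False)
    want = {"out": (local, remote), "in": (remote, local), "fwd": (remote, local)}
    policies, status = parse_policies(text), {}
    for d, (s, t) in want.items():
        hits = [p for p in policies if p["dir"] == d and p["src"] == s and p["dst"] == t]
        if not hits:
            status[d] = "missing"
        else:
            ok = any(p["tmpl"] and p["tmpl"].get("proto") == "esp" and p["tmpl"].get("mode") == "tunnel" for p in hits)
            status[d] = "ok" if ok else "no esp tunnel template"
    return status
```

Run it against the live output with `tunnel_check(subprocess.check_output(["ip", "xfrm", "policy"], text=True), "172.16.1.0/24", "192.168.1.0/24")`; a subnet that is routed through the box but reported as `missing` in all three directions is simply not covered by the tunnel's traffic selectors.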

