Comments (10)
> (I'm also a bit surprised that a route is needed: I thought the policies visible through `setkey -D -P` were supposed to be enough).

The route is needed exactly in order for packets to match the policy as it forces the virtual IP (the local traffic selector in the policy) as source IP when sending packets to the destination (remote traffic selector). On Linux, we use routes with preferred source IP, on FreeBSD/macOS, we use routes via TUN devices instead (which are only used to force the source IP, not to actually send any traffic through).

> Mon, 2023-07-24, 08:35:42 09[KNL2] <myvpn|1> getting a local address in traffic selector 172.24.1.1/32
> Mon, 2023-07-24, 08:35:42 09[KNL2] <myvpn|1> using host 172.24.1.1
> Mon, 2023-07-24, 08:35:42 09[KNL2] <myvpn|1> using 192.168.1.5 as nexthop to reach myremoteserverip
> Mon, 2023-07-24, 08:35:42 09[KNL2] <myvpn|1> installing route: 172.24.0.0/16 via 192.168.1.5 src 172.24.1.1 dev wlan0

This looks like the virtual IP is not treated as such. If it was, you'd see a message saying `virtual IP 172.24.1.1 is on interface tun0` and the route would go via `tun0`.

> Mon, 2023-07-24, 08:35:42 09[IKE1] <myvpn|1> installing new virtual IP 172.24.1.1
> Mon, 2023-07-24, 08:35:42 09[LIB1] <myvpn|1> created TUN device: tun0
> Mon, 2023-07-24, 08:35:42 08[KNL1] interface tun0 appeared
> Mon, 2023-07-24, 08:35:42 09[KNL2] <myvpn|1> 172.24.1.1 is not a local address or the interface is down
> Mon, 2023-07-24, 08:35:42 09[KNL2] <myvpn|1> 172.24.1.1 is not a local address or the interface is down
> Mon, 2023-07-24, 08:35:42 08[KNL1] interface tun0 activated

At a first glance this looks fine. That is, the interface is known, as is the IP address on it (otherwise, we'd see an error saying `virtual IP 172.24.1.1 did not appear on tun0`).

However, after waiting for the virtual IP address to appear on an interface, we mark the address as virtual in the internal address list so it can later be treated differently (as described above). The problem is that the event that handles changes of interface flags (in this case that the interface is activated) clears and repopulates the internal address list for that interface. If this happens after the address has already been marked, that virtual IP status is currently lost.

I've pushed a possible fix for this to the 1807-pfroute-vip branch.
from strongswan.
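As an added example (not from the thread and not strongSwan code), the check below reads charon log lines in the formats quoted above and reports whether the route for the remote traffic selector carries the virtual IP as source and, when a TUN device was created (FreeBSD/macOS), whether that route and the "is on interface" message both point at the TUN device; it also accepts the Linux case with a preferred-source route and no TUN device. `BROKEN_LOG` is the output quoted in the thread; `HEALTHY_LOG` and `LINUX_LOG` are constructed samples, and the gateway values in them are arbitrary.

```python
"""Added example (not from the thread or from strongSwan): check charon log
output for the virtual-IP routing symptom discussed above.

Message formats are the ones quoted in the thread; everything else (the
HEALTHY_LOG and LINUX_LOG samples, the dict layout) is constructed here.
"""
import re

VIP_RE = re.compile(r"installing new virtual IP (\S+)")
TUN_RE = re.compile(r"created TUN device: (\S+)")
ON_IF_RE = re.compile(r"virtual IP (\S+) is on interface (\S+)")
ROUTE_RE = re.compile(r"installing route: (\S+) via (\S+) src (\S+) dev (\S+)")

# Taken from the log quoted in the thread: the VIP lands on tun0, but charon
# never recognises it as virtual and routes the remote LAN via wlan0.
BROKEN_LOG = """\
Mon, 2023-07-24, 08:35:42 09[IKE1] <myvpn|1> installing new virtual IP 172.24.1.1
Mon, 2023-07-24, 08:35:42 09[LIB1] <myvpn|1> created TUN device: tun0
Mon, 2023-07-24, 08:35:42 08[KNL1] interface tun0 appeared
Mon, 2023-07-24, 08:35:42 09[KNL2] <myvpn|1> 172.24.1.1 is not a local address or the interface is down
Mon, 2023-07-24, 08:35:42 08[KNL1] interface tun0 activated
Mon, 2023-07-24, 08:35:42 09[KNL2] <myvpn|1> getting a local address in traffic selector 172.24.1.1/32
Mon, 2023-07-24, 08:35:42 09[KNL2] <myvpn|1> using host 172.24.1.1
Mon, 2023-07-24, 08:35:42 09[KNL2] <myvpn|1> installing route: 172.24.0.0/16 via 192.168.1.5 src 172.24.1.1 dev wlan0
"""

# Constructed: what a correctly handled VIP on FreeBSD/macOS should look like
# according to the maintainer (recognised on tun0, route leaves via tun0).
# Only the "dev" field is compared, so the gateway value here is arbitrary.
HEALTHY_LOG = """\
Mon, 2023-07-24, 08:35:42 09[IKE1] <myvpn|1> installing new virtual IP 172.24.1.1
Mon, 2023-07-24, 08:35:42 09[LIB1] <myvpn|1> created TUN device: tun0
Mon, 2023-07-24, 08:35:42 08[KNL1] interface tun0 activated
Mon, 2023-07-24, 08:35:42 09[KNL2] <myvpn|1> virtual IP 172.24.1.1 is on interface tun0
Mon, 2023-07-24, 08:35:42 09[KNL2] <myvpn|1> installing route: 172.24.0.0/16 via 172.24.1.1 src 172.24.1.1 dev tun0
"""

# Constructed: Linux style, no TUN device, just a preferred-source route.
LINUX_LOG = """\
Mon, 2023-07-24, 08:35:42 09[IKE1] <myvpn|1> installing new virtual IP 10.3.0.7
Mon, 2023-07-24, 08:35:42 09[KNL2] <myvpn|1> installing route: 10.3.0.0/16 via 192.168.1.1 src 10.3.0.7 dev eth0
"""


def check_vip_route(log: str) -> dict:
    """Return {"vip", "tun", "on_iface", "routes", "ok", "reason"} for one
    CHILD_SA installation. ok is None when no virtual IP was installed."""
    vip = tun = on_iface = None
    routes = []
    for line in log.splitlines():
        if m := VIP_RE.search(line):
            vip = m.group(1)
        elif m := TUN_RE.search(line):
            tun = m.group(1)
        elif m := ON_IF_RE.search(line):
            if m.group(1) == vip:          # ignore messages about other VIPs
                on_iface = m.group(2)
        elif m := ROUTE_RE.search(line):
            dst, via, src, dev = m.groups()
            routes.append({"dst": dst, "via": via, "src": src, "dev": dev})

    result = {"vip": vip, "tun": tun, "on_iface": on_iface, "routes": routes}
    if vip is None:
        result.update(ok=None, reason="no virtual IP installed in this log")
        return result
    vip_routes = [r for r in routes if r["src"] == vip]
    if not vip_routes:
        # Without this route, outbound packets would not carry the VIP as
        # source and would never match the IPsec policy.
        result.update(ok=False, reason="no route uses the virtual IP as source")
        return result
    if tun is None:
        result.update(ok=True, reason="preferred-source route only, no TUN device")
        return result
    if on_iface != tun:
        result.update(ok=False, reason=f"{vip} was never recognised as virtual IP on {tun}")
        return result
    wrong = [r for r in vip_routes if r["dev"] != tun]
    if wrong:
        result.update(ok=False, reason=f"route to {wrong[0]['dst']} leaves via "
                                       f"{wrong[0]['dev']} instead of {tun}")
        return result
    result.update(ok=True, reason=f"route(s) via {tun} with src {vip}")
    return result


if __name__ == "__main__":
    for name, log in (("broken", BROKEN_LOG), ("healthy", HEALTHY_LOG), ("linux", LINUX_LOG)):
        verdict = check_vip_route(log)
        print(f"{name:8s} ok={verdict['ok']}  {verdict['reason']}")
```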

> > (I'm also a bit surprised that a route is needed: I thought the policies visible through `setkey -D -P` were supposed to be enough).
>
> The route is needed exactly in order for packets to match the policy as it forces the virtual IP (the local traffic selector in the policy) as source IP when sending packets to the destination (remote traffic selector). On Linux, we use routes with preferred source IP, on FreeBSD/macOS, we use routes via TUN devices instead (which are only used to force the source IP, not to actually send any traffic through).

I see. I don't think I could infer this from the docs, so thank you for the explanation.

As a side note, is there a way to select the source IP address used by the responder for the inner packets?
When I ping the roadwarrior from the responder, the inner packets from the responder come with an IP address that does not belong to the private LAN (rather, they come with the public IP address of the responder).

[snip logs]
[snip other replies]

> At a first glance this looks fine. That is, the interface is known, as is the IP address on it (otherwise, we'd see an error saying `virtual IP 172.24.1.1 did not appear on tun0`).
>
> However, after waiting for the virtual IP address to appear on an interface, we mark the address as virtual in the internal address list so it can later be treated differently (as described above). The problem is that the event that handles changes of interface flags (in this case that the interface is activated) clears and repopulates the internal address list for that interface. If this happens after the address has already been marked, that virtual IP status is currently lost.

Thank you for the thorough explanation. Glad to hear it wasn't a misconfiguration on my side.

> I've pushed a possible fix for this to the 1807-pfroute-vip branch.

Thanks, I'll give it a try later today.

> As a side note, is there a way to select the source IP address used by the responder for the inner packets?

Depends on the platform, the existing routes and interfaces etc. If the server is running FreeBSD as well, you might have to enable `charon.plugins.kernel-pfkey.route_via_internal` in strongswan.conf.

Also, since the virtual IPs are from your remote LAN, are you using the farp plugin?

> > As a side note, is there a way to select the source IP address used by the responder for the inner packets?
>
> Depends on the platform, the existing routes and interfaces etc. If the server is running FreeBSD as well, you might have to enable `charon.plugins.kernel-pfkey.route_via_internal` in strongswan.conf.

Yes, it is running FreeBSD. I'll give it a shot.

> Also, since the virtual IPs are from your remote LAN, are you using the farp plugin?

Not yet, but it is on my list of things to set up.

> > I've pushed a possible fix for this to the 1807-pfroute-vip branch.
>
> Thanks, I'll give it a try later today.

I compiled it, and ran charon and swanctl from the build directory. I don't see any difference: the route is still installed "through" `wlan0`. Log from charon follows:
Tue, 2023-07-25, 15:54:55 13[CFG2] vici client 2 connected
Tue, 2023-07-25, 15:54:55 15[CFG2] vici client 2 registered for: control-log
Tue, 2023-07-25, 15:54:55 15[CFG2] vici client 2 requests: initiate
Tue, 2023-07-25, 15:54:55 15[CFG1] vici initiate CHILD_SA 'myvpn-lan'
Tue, 2023-07-25, 15:54:55 12[MGR2] checkout IKE_SA by config
Tue, 2023-07-25, 15:54:55 12[MGR2] created IKE_SA (unnamed)[1]
Tue, 2023-07-25, 15:54:55 17[LIB2] created thread 17 [fd0d3054000]
Tue, 2023-07-25, 15:54:57 12[KNL2] <myvpn|1> using 192.168.1.10 as address to reach myremoteserverip
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> queueing IKE_VENDOR task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> queueing IKE_INIT task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> queueing IKE_NATD task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> queueing IKE_CERT_PRE task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> queueing IKE_AUTH task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> queueing IKE_CERT_POST task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> queueing IKE_CONFIG task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> queueing IKE_AUTH_LIFETIME task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> queueing IKE_MOBIKE task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> queueing IKE_ESTABLISH task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> queueing CHILD_CREATE task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> activating new tasks
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> activating IKE_VENDOR task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> activating IKE_INIT task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> activating IKE_NATD task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> activating IKE_CERT_PRE task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> activating IKE_AUTH task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> activating IKE_CERT_POST task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> activating IKE_CONFIG task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> activating IKE_AUTH_LIFETIME task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> activating IKE_MOBIKE task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> activating IKE_ESTABLISH task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> activating CHILD_CREATE task
Tue, 2023-07-25, 15:54:57 12[IKE0] <myvpn|1> initiating IKE_SA myvpn[1] to myremoteserverip
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> IKE_SA myvpn[1] state change: CREATED => CONNECTING
Tue, 2023-07-25, 15:54:57 12[CFG2] <myvpn|1> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/CURVE_25519/MODP_4096, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_521/MODP_4096
Tue, 2023-07-25, 15:54:57 12[CFG2] <myvpn|1> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Tue, 2023-07-25, 15:54:57 12[ENC1] <myvpn|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Tue, 2023-07-25, 15:54:57 12[NET1] <myvpn|1> sending packet: from 192.168.1.10[500] to myremoteserverip[500] (284 bytes)
Tue, 2023-07-25, 15:54:57 12[MGR2] <myvpn|1> checkin IKEv2 SA myvpn[1] with SPIs fcfc635528403727_i 0000000000000000_r
Tue, 2023-07-25, 15:54:57 12[MGR2] <myvpn|1> checkin of IKE_SA successful
Tue, 2023-07-25, 15:54:57 04[NET2] sending packet: from 192.168.1.10[500] to myremoteserverip[500]
Tue, 2023-07-25, 15:54:57 03[NET2] received packet: from myremoteserverip[500] to 192.168.1.10[500]
Tue, 2023-07-25, 15:54:57 03[NET2] waiting for data on sockets
Tue, 2023-07-25, 15:54:57 12[MGR2] checkout IKEv2 SA by message with SPIs fcfc635528403727_i a9569b3c4bf0a9ee_r
Tue, 2023-07-25, 15:54:57 12[MGR2] IKE_SA myvpn[1] successfully checked out
Tue, 2023-07-25, 15:54:57 12[NET1] <myvpn|1> received packet: from myremoteserverip[500] to 192.168.1.10[500] (265 bytes)
Tue, 2023-07-25, 15:54:57 12[ENC1] <myvpn|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> received FRAGMENTATION_SUPPORTED notify
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> received SIGNATURE_HASH_ALGORITHMS notify
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> received CHILDLESS_IKEV2_SUPPORTED notify
Tue, 2023-07-25, 15:54:57 12[CFG2] <myvpn|1> selecting proposal:
Tue, 2023-07-25, 15:54:57 12[CFG2] <myvpn|1> proposal matches
Tue, 2023-07-25, 15:54:57 12[CFG2] <myvpn|1> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/CURVE_25519
Tue, 2023-07-25, 15:54:57 12[CFG2] <myvpn|1> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/CURVE_25519/MODP_4096, IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_521/MODP_4096
Tue, 2023-07-25, 15:54:57 12[CFG1] <myvpn|1> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/CURVE_25519
Tue, 2023-07-25, 15:54:57 12[CFG2] <myvpn|1> received supported signature hash algorithms: sha256 sha384 sha512 identity
Tue, 2023-07-25, 15:54:57 12[IKE1] <myvpn|1> local host is behind NAT, sending keep alives
Tue, 2023-07-25, 15:54:57 12[IKE1] <myvpn|1> received cert request for "C=US, ST=mystate, L=mytown, O=myorg, CN=myca"
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> reinitiating already active tasks
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> IKE_CERT_PRE task
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> IKE_AUTH task
Tue, 2023-07-25, 15:54:57 12[IKE1] <myvpn|1> sending cert request for "C=US, ST=mystate, L=mytown, O=myorg, CN=myca"
Tue, 2023-07-25, 15:54:57 12[IKE1] <myvpn|1> authentication of 'myclient' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Tue, 2023-07-25, 15:54:57 12[IKE1] <myvpn|1> sending end entity cert "C=US, ST=mystate, L=mytown, O=myorg, CN=myclient"
Tue, 2023-07-25, 15:54:57 12[IKE2] <myvpn|1> building INTERNAL_IP4_DNS attribute
Tue, 2023-07-25, 15:54:57 12[CFG2] <myvpn|1> proposing traffic selectors for us:
Tue, 2023-07-25, 15:54:57 12[CFG2] <myvpn|1> 0.0.0.0/0
Tue, 2023-07-25, 15:54:57 12[CFG2] <myvpn|1> proposing traffic selectors for other:
Tue, 2023-07-25, 15:54:57 12[CFG2] <myvpn|1> 172.24.0.0/16
Tue, 2023-07-25, 15:54:57 12[CFG2] <myvpn|1> configured proposals: ESP:AES_GCM_16_256/EXT_SEQ
Tue, 2023-07-25, 15:54:57 12[IKE0] <myvpn|1> establishing CHILD_SA myvpn-lan{1}
Tue, 2023-07-25, 15:54:57 12[KNL2] <myvpn|1> got SPI cf67761d
Tue, 2023-07-25, 15:54:57 12[KNL2] <myvpn|1> getting CPI
Tue, 2023-07-25, 15:54:57 12[KNL2] <myvpn|1> got CPI 6a72
Tue, 2023-07-25, 15:54:57 12[ENC1] <myvpn|1> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) N(IPCOMP_SUP) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Tue, 2023-07-25, 15:54:57 12[ENC1] <myvpn|1> splitting IKE message (2256 bytes) into 2 fragments
Tue, 2023-07-25, 15:54:57 12[ENC1] <myvpn|1> generating IKE_AUTH request 1 [ EF(1/2) ]
Tue, 2023-07-25, 15:54:57 12[ENC1] <myvpn|1> generating IKE_AUTH request 1 [ EF(2/2) ]
Tue, 2023-07-25, 15:54:57 12[NET1] <myvpn|1> sending packet: from 192.168.1.10[4500] to myremoteserverip[4500] (1248 bytes)
Tue, 2023-07-25, 15:54:57 12[NET1] <myvpn|1> sending packet: from 192.168.1.10[4500] to myremoteserverip[4500] (1073 bytes)
Tue, 2023-07-25, 15:54:57 04[NET2] sending packet: from 192.168.1.10[4500] to myremoteserverip[4500]
Tue, 2023-07-25, 15:54:57 12[MGR2] <myvpn|1> checkin IKEv2 SA myvpn[1] with SPIs fcfc635528403727_i a9569b3c4bf0a9ee_r
Tue, 2023-07-25, 15:54:57 12[MGR2] <myvpn|1> checkin of IKE_SA successful
Tue, 2023-07-25, 15:54:57 04[NET2] sending packet: from 192.168.1.10[4500] to myremoteserverip[4500]
Tue, 2023-07-25, 15:54:57 03[NET2] received packet: from myremoteserverip[4500] to 192.168.1.10[4500]
Tue, 2023-07-25, 15:54:57 03[NET2] waiting for data on sockets
Tue, 2023-07-25, 15:54:57 12[MGR2] checkout IKEv2 SA by message with SPIs fcfc635528403727_i a9569b3c4bf0a9ee_r
Tue, 2023-07-25, 15:54:57 03[NET2] received packet: from myremoteserverip[4500] to 192.168.1.10[4500]
Tue, 2023-07-25, 15:54:57 12[MGR2] IKE_SA myvpn[1] successfully checked out
Tue, 2023-07-25, 15:54:57 03[NET2] waiting for data on sockets
Tue, 2023-07-25, 15:54:57 12[NET1] <myvpn|1> received packet: from myremoteserverip[4500] to 192.168.1.10[4500] (1248 bytes)
Tue, 2023-07-25, 15:54:57 11[MGR2] checkout IKEv2 SA by message with SPIs fcfc635528403727_i a9569b3c4bf0a9ee_r
Tue, 2023-07-25, 15:54:57 12[ENC1] <myvpn|1> parsed IKE_AUTH response 1 [ EF(1/2) ]
Tue, 2023-07-25, 15:54:57 12[ENC1] <myvpn|1> received fragment #1 of 2, waiting for complete IKE message
Tue, 2023-07-25, 15:54:57 12[MGR2] <myvpn|1> checkin IKEv2 SA myvpn[1] with SPIs fcfc635528403727_i a9569b3c4bf0a9ee_r
Tue, 2023-07-25, 15:54:57 12[MGR2] <myvpn|1> checkin of IKE_SA successful
Tue, 2023-07-25, 15:54:57 11[MGR2] IKE_SA myvpn[1] successfully checked out
Tue, 2023-07-25, 15:54:57 11[NET1] <myvpn|1> received packet: from myremoteserverip[4500] to 192.168.1.10[4500] (1113 bytes)
Tue, 2023-07-25, 15:54:57 11[ENC1] <myvpn|1> parsed IKE_AUTH response 1 [ EF(2/2) ]
Tue, 2023-07-25, 15:54:57 11[ENC1] <myvpn|1> received fragment #2 of 2, reassembled fragmented IKE message (2296 bytes)
Tue, 2023-07-25, 15:54:57 11[ENC1] <myvpn|1> parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) N(IPCOMP_SUP) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Tue, 2023-07-25, 15:54:57 11[LIB2] <myvpn|1> builder L0 CRED_CERTIFICATE - X509 of plugin 'x509'
Tue, 2023-07-25, 15:54:57 11[LIB2] <myvpn|1> builder L0 CRED_CERTIFICATE - X509 of plugin 'x509'
Tue, 2023-07-25, 15:54:57 11[LIB2] <myvpn|1> builder L1 CRED_PUBLIC_KEY - ANY of plugin 'pkcs1'
Tue, 2023-07-25, 15:54:57 11[LIB2] <myvpn|1> builder L2 CRED_PUBLIC_KEY - RSA of plugin 'pkcs1'
Tue, 2023-07-25, 15:54:57 11[LIB2] <myvpn|1> builder L3 CRED_PUBLIC_KEY - RSA of plugin 'pkcs1'
Tue, 2023-07-25, 15:54:57 11[LIB2] <myvpn|1> builder L3 CRED_PUBLIC_KEY - RSA of plugin 'pgp'
Tue, 2023-07-25, 15:54:57 11[LIB2] <myvpn|1> builder L3 CRED_PUBLIC_KEY - RSA of plugin 'dnskey'
Tue, 2023-07-25, 15:54:57 11[LIB2] <myvpn|1> builder L3 CRED_PUBLIC_KEY - RSA of plugin 'openssl'
Tue, 2023-07-25, 15:54:57 11[IKE1] <myvpn|1> received end entity cert "C=US, ST=mystate, L=mytown, O=myorg, CN=myremoteserver"
Tue, 2023-07-25, 15:54:57 11[IKE2] <myvpn|1> received IPCOMP_SUPPORTED notify
Tue, 2023-07-25, 15:54:57 11[IKE2] <myvpn|1> received ESP_TFC_PADDING_NOT_SUPPORTED notify
Tue, 2023-07-25, 15:54:57 11[CFG1] <myvpn|1> using certificate "C=US, ST=mystate, L=mytown, O=myorg, CN=myremoteserver"
Tue, 2023-07-25, 15:54:57 11[CFG2] <myvpn|1> certificate "C=US, ST=mystate, L=mytown, O=myorg, CN=myremoteserver" key: 4096 bit RSA
Tue, 2023-07-25, 15:54:57 11[CFG1] <myvpn|1> using trusted ca certificate "C=US, ST=mystate, L=mytown, O=myorg, CN=myca"
Tue, 2023-07-25, 15:54:57 11[CFG2] <myvpn|1> certificate "C=US, ST=mystate, L=mytown, O=myorg, CN=myca" key: 4096 bit RSA
Tue, 2023-07-25, 15:54:57 11[CFG1] <myvpn|1> reached self-signed root ca with a path length of 0
Tue, 2023-07-25, 15:54:57 11[CFG1] <myvpn|1> checking certificate status of "C=US, ST=mystate, L=mytown, O=myorg, CN=myremoteserver"
Tue, 2023-07-25, 15:54:57 11[CFG2] <myvpn|1> ocsp check skipped, no ocsp found
Tue, 2023-07-25, 15:54:57 11[CFG1] <myvpn|1> certificate status is not available
Tue, 2023-07-25, 15:54:57 11[IKE1] <myvpn|1> authentication of 'myremoteserver' with RSA_EMSA_PKCS1_SHA2_384 successful
Tue, 2023-07-25, 15:54:57 11[IKE2] <myvpn|1> processing INTERNAL_IP4_ADDRESS attribute
Tue, 2023-07-25, 15:54:57 11[IKE2] <myvpn|1> processing INTERNAL_IP4_DNS attribute
Tue, 2023-07-25, 15:54:57 11[IKE1] <myvpn|1> installing DNS server 172.24.2.1 via resolvconf
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> 192.168.1.10 is on interface wlan0
Tue, 2023-07-25, 15:54:57 11[IKE1] <myvpn|1> installing new virtual IP 172.24.1.1
Tue, 2023-07-25, 15:54:57 11[LIB1] <myvpn|1> created TUN device: tun0
Tue, 2023-07-25, 15:54:57 12[KNL1] interface tun0 appeared
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> 172.24.1.1 is not a local address or the interface is down
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> 172.24.1.1 is not a local address or the interface is down
Tue, 2023-07-25, 15:54:57 12[KNL1] interface tun0 activated
Tue, 2023-07-25, 15:54:57 11[IKE1] <myvpn|1> peer supports MOBIKE
Tue, 2023-07-25, 15:54:57 11[IKE2] <myvpn|1> got additional MOBIKE peer address: 10.108.4.14
Tue, 2023-07-25, 15:54:57 11[IKE0] <myvpn|1> IKE_SA myvpn[1] established between 192.168.1.10[myclient]...myremoteserverip[myremoteserver]
Tue, 2023-07-25, 15:54:57 11[IKE2] <myvpn|1> IKE_SA myvpn[1] state change: CONNECTING => ESTABLISHED
Tue, 2023-07-25, 15:54:57 11[IKE1] <myvpn|1> scheduling rekeying in 6574s
Tue, 2023-07-25, 15:54:57 11[IKE1] <myvpn|1> maximum IKE_SA lifetime 7294s
Tue, 2023-07-25, 15:54:57 11[IKE1] <myvpn|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Tue, 2023-07-25, 15:54:57 11[CFG2] <myvpn|1> selecting proposal:
Tue, 2023-07-25, 15:54:57 11[CFG2] <myvpn|1> proposal matches
Tue, 2023-07-25, 15:54:57 11[CFG2] <myvpn|1> received proposals: ESP:AES_GCM_16_256/EXT_SEQ
Tue, 2023-07-25, 15:54:57 11[CFG2] <myvpn|1> configured proposals: ESP:AES_GCM_16_256/CURVE_25519/ECP_521/MODP_4096/EXT_SEQ
Tue, 2023-07-25, 15:54:57 11[CFG1] <myvpn|1> selected proposal: ESP:AES_GCM_16_256/EXT_SEQ
Tue, 2023-07-25, 15:54:57 11[CFG2] <myvpn|1> selecting traffic selectors for us:
Tue, 2023-07-25, 15:54:57 11[CFG2] <myvpn|1> config: 172.24.1.1/32, received: 172.24.1.1/32 => match: 172.24.1.1/32
Tue, 2023-07-25, 15:54:57 11[CFG2] <myvpn|1> selecting traffic selectors for other:
Tue, 2023-07-25, 15:54:57 11[CFG2] <myvpn|1> config: 172.24.0.0/16, received: 172.24.0.0/16 => match: 172.24.0.0/16
Tue, 2023-07-25, 15:54:57 11[CHD2] <myvpn|1> CHILD_SA myvpn-lan{1} state change: CREATED => INSTALLING
Tue, 2023-07-25, 15:54:57 11[CHD2] <myvpn|1> using AES_GCM_16 for encryption
Tue, 2023-07-25, 15:54:57 11[CHD2] <myvpn|1> adding inbound ESP SA
Tue, 2023-07-25, 15:54:57 11[CHD2] <myvpn|1> SPI 0xcf67761d, src myremoteserverip dst 192.168.1.10
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> deleting SAD entry with SPI 00006a72
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> deleted SAD entry with SPI 00006a72
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> adding SAD entry with SPI 00006a72 and reqid {1}
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> deleting SAD entry with SPI cf67761d
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> deleted SAD entry with SPI cf67761d
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> adding SAD entry with SPI cf67761d and reqid {1}
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> using extended sequence numbers (ESN)
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> using encryption algorithm AES_GCM_16 with key size 288
Tue, 2023-07-25, 15:54:57 11[CHD2] <myvpn|1> adding outbound ESP SA
Tue, 2023-07-25, 15:54:57 11[CHD2] <myvpn|1> SPI 0xce09146b, src 192.168.1.10 dst myremoteserverip
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> adding SAD entry with SPI 00003769 and reqid {1}
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> adding SAD entry with SPI ce09146b and reqid {1}
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> using extended sequence numbers (ESN)
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> using encryption algorithm AES_GCM_16 with key size 288
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> adding policy 172.24.0.0/16 === 172.24.1.1/32 in
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> adding policy 172.24.1.1/32 === 172.24.0.0/16 out
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> getting a local address in traffic selector 172.24.1.1/32
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> using host 172.24.1.1
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> using 192.168.1.5 as nexthop to reach myremoteserverip
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> installing route: 172.24.0.0/16 via 192.168.1.5 src 172.24.1.1 dev wlan0
Tue, 2023-07-25, 15:54:57 11[IKE0] <myvpn|1> CHILD_SA myvpn-lan{1} established with SPIs cf67761d_i ce09146b_o and TS 172.24.1.1/32 === 172.24.0.0/16
Tue, 2023-07-25, 15:54:57 11[CHD2] <myvpn|1> CHILD_SA myvpn-lan{1} state change: INSTALLING => INSTALLED
Tue, 2023-07-25, 15:54:57 11[IKE2] <myvpn|1> activating new tasks
Tue, 2023-07-25, 15:54:57 11[IKE2] <myvpn|1> nothing to initiate
Tue, 2023-07-25, 15:54:57 11[MGR2] <myvpn|1> checkin IKEv2 SA myvpn[1] with SPIs fcfc635528403727_i a9569b3c4bf0a9ee_r
Tue, 2023-07-25, 15:54:57 11[MGR2] <myvpn|1> checkin of IKE_SA successful
Tue, 2023-07-25, 15:54:57 08[CFG2] vici client 2 disconnected
Tue, 2023-07-25, 15:54:57 11[KNL2] creating roam job due to address/link change
Tue, 2023-07-25, 15:54:57 11[MGR2] checkout IKEv2 SA with SPIs fcfc635528403727_i a9569b3c4bf0a9ee_r
Tue, 2023-07-25, 15:54:57 11[MGR2] IKE_SA myvpn[1] successfully checked out
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> using 192.168.1.10 as address to reach myremoteserverip
Tue, 2023-07-25, 15:54:57 11[IKE2] <myvpn|1> keeping connection path 192.168.1.10 - myremoteserverip
Tue, 2023-07-25, 15:54:57 11[IKE1] <myvpn|1> sending address list update using MOBIKE
Tue, 2023-07-25, 15:54:57 11[IKE2] <myvpn|1> queueing IKE_MOBIKE task
Tue, 2023-07-25, 15:54:57 11[IKE2] <myvpn|1> activating new tasks
Tue, 2023-07-25, 15:54:57 11[IKE2] <myvpn|1> activating IKE_MOBIKE task
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> using 192.168.1.10 as address to reach myremoteserverip
Tue, 2023-07-25, 15:54:57 11[ENC1] <myvpn|1> generating INFORMATIONAL request 2 [ N(ADD_4_ADDR) ]
Tue, 2023-07-25, 15:54:57 11[KNL2] <myvpn|1> using 192.168.1.10 as address to reach myremoteserverip
Tue, 2023-07-25, 15:54:57 11[NET1] <myvpn|1> sending packet: from 192.168.1.10[4500] to myremoteserverip[4500] (69 bytes)
Tue, 2023-07-25, 15:54:57 11[MGR2] <myvpn|1> checkin IKEv2 SA myvpn[1] with SPIs fcfc635528403727_i a9569b3c4bf0a9ee_r
Tue, 2023-07-25, 15:54:57 11[MGR2] <myvpn|1> checkin of IKE_SA successful
Tue, 2023-07-25, 15:54:57 04[NET2] sending packet: from 192.168.1.10[4500] to myremoteserverip[4500]
Tue, 2023-07-25, 15:54:57 03[NET2] received packet: from myremoteserverip[4500] to 192.168.1.10[4500]
Tue, 2023-07-25, 15:54:57 03[NET2] waiting for data on sockets
Tue, 2023-07-25, 15:54:57 11[MGR2] checkout IKEv2 SA by message with SPIs fcfc635528403727_i a9569b3c4bf0a9ee_r
Tue, 2023-07-25, 15:54:57 11[MGR2] IKE_SA myvpn[1] successfully checked out
Tue, 2023-07-25, 15:54:57 11[NET1] <myvpn|1> received packet: from myremoteserverip[4500] to 192.168.1.10[4500] (57 bytes)
Tue, 2023-07-25, 15:54:57 11[ENC1] <myvpn|1> parsed INFORMATIONAL response 2 [ ]
Tue, 2023-07-25, 15:54:57 11[IKE2] <myvpn|1> activating new tasks
Tue, 2023-07-25, 15:54:57 11[IKE2] <myvpn|1> nothing to initiate
Tue, 2023-07-25, 15:54:57 11[MGR2] <myvpn|1> checkin IKEv2 SA myvpn[1] with SPIs fcfc635528403727_i a9569b3c4bf0a9ee_r
Tue, 2023-07-25, 15:54:57 11[MGR2] <myvpn|1> checkin of IKE_SA successful
Tue, 2023-07-25, 15:55:01 11[MGR2] checkout IKEv2 SA with SPIs fcfc635528403727_i 0000000000000000_r
Tue, 2023-07-25, 15:55:01 11[MGR2] IKE_SA myvpn[1] successfully checked out
Tue, 2023-07-25, 15:55:01 11[MGR2] <myvpn|1> checkin IKEv2 SA myvpn[1] with SPIs fcfc635528403727_i a9569b3c4bf0a9ee_r
Tue, 2023-07-25, 15:55:01 11[MGR2] <myvpn|1> checkin of IKE_SA successful
Tue, 2023-07-25, 15:55:01 11[MGR2] checkout IKEv2 SA with SPIs fcfc635528403727_i a9569b3c4bf0a9ee_r
Tue, 2023-07-25, 15:55:01 11[MGR2] IKE_SA myvpn[1] successfully checked out
Tue, 2023-07-25, 15:55:01 11[MGR2] <myvpn|1> checkin IKEv2 SA myvpn[1] with SPIs fcfc635528403727_i a9569b3c4bf0a9ee_r
Tue, 2023-07-25, 15:55:01 11[MGR2] <myvpn|1> checkin of IKE_SA successful
Tue, 2023-07-25, 15:55:01 11[MGR2] checkout IKEv2 SA with SPIs fcfc635528403727_i a9569b3c4bf0a9ee_r
Tue, 2023-07-25, 15:55:01 11[MGR2] IKE_SA myvpn[1] successfully checked out
Tue, 2023-07-25, 15:55:01 11[MGR2] <myvpn|1> checkin IKEv2 SA myvpn[1] with SPIs fcfc635528403727_i a9569b3c4bf0a9ee_r
Tue, 2023-07-25, 15:55:01 11[MGR2] <myvpn|1> checkin of IKE_SA successful

I should also note that I get the following message when trying to terminate the connection:

myclient ~/strongswan/src [1807-pfroute-vip△] % sudo swanctl/swanctl -t -c myvpn-lan
[IKE] closing CHILD_SA trismegistusvpn-lan{1} with SPIs cb55248b_i (0 bytes) c6571e2b_o (0 bytes) and TS 172.24.1.1/32 === 172.24.0.0/16
terminate failed: terminating SA failed

and the `tun0` interface is not destroyed. This happens even when I don't change the route for the workaround.

> I compiled it, and ran charon and swanctl from the build directory.

That won't work as the kernel-pfroute plugin will just be dynamically loaded from the default location (i.e. you won't get the new code). Only for the unit tests (`make check`) are the plugins from the build directory getting used. So either install the new build, or try building the libraries monolithically (`--enable-monolithic`, so plugins are compiled into the libraries, I think those should then be loaded from the build directory thanks to rpath).

> I should also note that I get the following message when trying to terminate the connection:

Note that with `-c` you are only terminating the CHILD_SA. Use `-i` to terminate the IKE_SA.

That CHILD_SA is apparently in a state that doesn't allow a proper delete.

> and the `tun0` interface is not destroyed.

The virtual IP and with it the TUN device are properties of the IKE_SA.

> > I compiled it, and ran charon and swanctl from the build directory.
>
> That won't work as the kernel-pfroute plugin will just be dynamically loaded from the default location (i.e. you won't get the new code). Only for the unit tests (`make check`) are the plugins from the build directory getting used. So either install the new build, or try building the libraries monolithically (`--enable-monolithic`, so plugins are compiled into the libraries, I think those should then be loaded from the build directory thanks to rpath).

Hah, that's exactly why I mentioned running from the build directory, so you could tell me if what I did was wrong. I'll try again this afternoon.

> > I should also note that I get the following message when trying to terminate the connection:
>
> Note that with `-c` you are only terminating the CHILD_SA. Use `-i` to terminate the IKE_SA.

Okay, thanks!

> That CHILD_SA is apparently in a state that doesn't allow a proper delete.
>
> > and the `tun0` interface is not destroyed.
>
> The virtual IP and with it the TUN device are properties of the IKE_SA.

Got it!

I installed the version from the 1807-pfroute-vip branch, and the route is correctly added to be "through" `tun0`.
Everything seems to be working correctly.

Great, thanks for testing. I've pushed the fix to master.