Comments (11)
I can't find this route before anywhere, not sure if that is related.
It should be in table 220 (ip route list table 220). And that table should only be used for traffic that is not marked with the value 220 (ip rule), which IKE as well as ESP packets should be. That is, these packets should not go via XFRM interface but via regular routing table/interfaces (thus avoiding the loop).
What additional information can I provide to help solve this issue?
Logs by NetworkManager/charon-nm would be helpful (e.g. via journalctl -u NetworkManager).
from strongswan.
So directly after reboot ip rule looks like this:
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
Funnily enough table 220 does not even exist then
$ ip route list table 220
Error: ipv4: FIB table does not exist.
Dump terminated
After connect there is an additional rule:
$ ip rule
0: from all lookup local
220: from all lookup 220
220: not from all fwmark 0xdc lookup 220
32766: from all lookup main
32767: from all lookup default
The table after connect of 220 is then
$ ip route list table 220
default dev nm-xfrm-3648987 proto static src 172.29.52.13
throw 10.179.0.0/16 proto static
throw 10.179.1.3 proto static
throw 172.17.0.0/16 proto static
The logs contain a lot of names that I don't want to share here, what would you be looking for?
Funnily enough table 220 does not even exist then
Obviously, as it's created by charon-nm ;)
That all looks fine so far. Traffic should be routed via XFRM interface, except for IKE and ESP packets (due to the mark they have applied) and packets destined to the subnets that got a throw routes installed (you probably have the bypass-lan plugin enabled, which will install such routes for locally connected subnets).
You can check if the SAs look right via ip -s xfrm state (the mark should be mentioned, it also shows the traffic counters). But as I said, this all looks as it should. Do you still get Local routing loop detected errors? If so, for any particular traffic? (The other log message could be caused if the XFRM interface is deleted before the policy and route got uninstalled, this happens concurrently, as the latter will be gone then already.)
Also, regarding DNS, did you configure ~. as "additional search domain"? That's required to force DNS resolution via VPN.
Obviously, as it's created by charon-nm ;)
I was more saying that it is funny that the rule is already there, where does that come from then?
As far as I can see the ip -s xfrm state mentions the mark as output-mark. Not sure what else I read out of that.
Do you still get Local routing loop detected errors? If so, for any particular traffic?
I see these messages all the time (155 messages for the last try, and that is without the message repeated N times), up to a point where I think it decides to kill the VPN after a while (from the logs it looks like it reconnects because it can't reach something)?
charon-nm: 07[IKE] giving up after 5 retransmits
charon-nm: 07[IKE] peer not responding, trying again (2/0)
I guess the traffic is actually from the DNS also, because resolved complains that it is switching between TCP and UDP.
Also, regarding DNS, did you configure ~. as "additional search domain"? That's required to force DNS resolution via VPN
That is only the initial symptom, but I can't even ping or dig directly at the nameservers. I can't reach anything inside the VPN network.
I was more saying that it is funny that the rule is already there, where does that come from then?
Oh, sorry, I missed that. Do you have any other IKE daemons running (charon-systemd, charon)? If so, disable them as that will definitely mess with the rule required by charon-nm (you could theoretically use other IKE daemons concurrently, but they have to be configured the same way for it to work).
That was apparently it....
Even though I am not 100% sure what fixed it now, I uninstalled a strongswan-starter and a charon-systemd. Now the existing rule after reboot is gone and everything works nicely again. Thanks for your help.
I am just wondering if this used to be a combination that worked (because the ip rule was the same) and now stopped working if I am the only one who will hit that after upgrade.
Yeah, I suppose this combination worked before 5.9.12 out of the box, as charon-nm did not actually use the XFRM interface (i.e. did not install special routes/marks etc.) or didn't use such interfaces at all. We should probably change the default routing table used by charon-nm to avoid that conflict. Just for reference, it's possible to change the table already via charon-nm.routing_table in strongswan.conf. I pushed a patch to the 2230-nm-routing-table branch.
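A check for the conflict diagnosed in the two replies above and for the routing_table workaround (an added example, not from the thread or from strongSwan itself): it reads the output of ip rule and flags an unconditional rule for charon-nm's table, which charon-nm alone never installs. The table number 220 and the mark 0xdc are the values from the listings above; the rule listings embedded in the comments are constructed from them.

```shell
#!/bin/sh
# Added example, not from the thread or the strongSwan project.
# charon-nm sends traffic through its XFRM interface via table 220 but exempts
# packets carrying fwmark 0xdc (220), i.e. its own IKE and ESP traffic, with a
# rule of the form "not from all fwmark 0xdc lookup 220". A second IKE daemon
# (charon-systemd, strongswan-starter) using the same table installs an
# unconditional "from all lookup 220" rule, which sends the marked packets into
# the XFRM interface as well: "Local routing loop detected".

# check_rules TABLE  <  output of `ip rule`
# Exit status: 0 = only fwmark-exempt rules (charon-nm alone),
#              1 = an unconditional rule for TABLE exists (conflict),
#              2 = no rule references TABLE at all (nothing connected).
check_rules() {
    table="${1:-220}"
    exempt=0
    plain=0
    while IFS= read -r line; do
        # keep only rules that select this table ("lookup" is the last token)
        case "$line" in
            *" lookup $table") ;;
            *) continue ;;
        esac
        case "$line" in
            *" not from all fwmark "*) exempt=$((exempt + 1)) ;;
            *) plain=$((plain + 1)) ;;
        esac
    done
    if [ "$plain" -gt 0 ]; then
        echo "conflict: $plain unconditional rule(s) for table $table; another IKE daemon is probably running"
        return 1
    fi
    if [ "$exempt" -gt 0 ]; then
        echo "ok: table $table is only used for traffic without the charon-nm fwmark"
        return 0
    fi
    echo "no rule for table $table (charon-nm not connected, or it uses another routing_table)"
    return 2
}

# Live use: CHECK_LIVE=1 sh check_rules.sh
# Set CHECK_TABLE if charon-nm.routing_table was changed in strongswan.conf.
if [ -n "${CHECK_LIVE:-}" ]; then
    ip rule | check_rules "${CHECK_TABLE:-220}"
fi
```

The after-reboot listing above (a plain "220: from all lookup 220" rule before charon-nm has connected) is exactly the conflict case, and it stays a conflict after connecting, when both rules coexist.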
I have very similar issue and same error after fresh Ubuntu 24.04 install. Removing strongswan-starter and charon-systemd did not fix the issue.
I patched this by disabling the xfrm interface module and now it works, but it's not a proper solution -
Edit /etc/strongswan.d/charon/kernel-netlink.conf and change kernel-netlink.load = yes to no.
Removing strongswan-starter and charon-systemd did not fix the issue.
Why not? What IKE daemon was still running (besides charon-nm)?
I patched this by disabling the xfrm interface module and now it works, but it's not a proper solution -
Well, that basically prevents IKE daemons from starting (on Linux they require that plugin). Since charon-nm does not include these config snippets, it won't be affected, only the other ones. But yeah, that's not really a solution. Remove the IKE daemons if you don't need them, or change the routing table that charon-nm uses (see my last reply above).
In my case, I have two VPNs that I use. One is IKEv2 and other is standard IKEv1/L2TP.
After a fresh upgrade to Ubuntu 24.04 only the L2TP version worked. IKEv2 connected, but did not put rules in place to exempt traffic to the VPN gateway, thus no connectivity. #2282 pointed me into looking at the strongswan-starter package. As it turns out, stopping that systemd unit (strongswan-starter.service) allows connecting and setting up the IKEv2 connection successfully, but L2TP doesn't work anymore. Starting the service fixes the L2TP connection, but allowing strongswan-starter to do something makes IKEv2 unable to work until the next reboot.
49cb7b0 seems like a good fix, but the underlying question is why Network Manager uses two separate ways of invoking charon for essentially differently configured IPsec VPNs?