[Swan] ip address assignment

Thomas Stein himbeere at meine-oma.de
Wed May 9 15:26:28 UTC 2018


On Tuesday, 8 May 2018 22:29:15 CEST you wrote:
> On Tue, 8 May 2018, Thomas Stein wrote:
> 
> >> yes it will get an IP from the remote server and assign it to the
> >> loopback interface.
> >
> > Thanks for your answer. That's exactly my setup, yes
> >
> >> Why do you think this is a problem? :)
> >
> > Well, I have no connectivity and I have to admit I'm a little bit lost now. Is there documentation
> > somewhere on how to configure the rest? I guess there is some iptables foo to do now?
> 
> You should see two "half routes" that cover the entire address space, eg:
> 
> 0.0.0.0/1 via YourGW dev iface src IPyouGot
> 128.0.0.0/1 via YourGW dev iface src IPyouGot

Thanks again for taking the time to answer.

I do not have any of these routes. Maybe the output of ipsec status sheds some light?

rather ~ # ipsec status my-vpn
000 using kernel interface: netkey
000 interface lo/lo ::1 at 500
000 interface lo/lo 127.0.0.1 at 4500
000 interface lo/lo 127.0.0.1 at 500
000 interface wlan0/wlan0 192.168.178.21 at 4500
000 interface wlan0/wlan0 192.168.178.21 at 500
000  
000  
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=disabled
000  
000 config setup options:
000  
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.23, pluto_vendorid=OE-Libreswan-3.23
000 nhelpers=-1, uniqueids=yes, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 secctx-attr-type=<unsupported>
000 debug none
000  
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000  
000 ESP algorithms supported:
000  
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=23, name=ESP_NULL_AUTH_AES_GMAC, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=250, name=AUTH_ALGORITHM_AES_CMAC_96, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000  
000 IKE algorithms supported:
000  
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH23, bits=2048
000 algorithm IKE DH Key Exchange: name=DH24, bits=2048
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,6,64} trans={0,6,3744} attrs={0,6,2496} 
000  
000 Connection list:
000  
000 "my-vpn": xxx.xxx.xxx.193/32===192.168.178.21<192.168.178.21>[+MC+XC+S=C]...176.xxx.xxx.xxx<176.xxx.xxx.xxx>[MS+XS+S=C]===0.0.0.0/0; erouted; eroute owner: #6
000 "my-vpn":     oriented; my_ip=xxx.xxx.xxx.193; their_ip=unset; my_updown=ipsec _updown;
000 "my-vpn":   xauth us:client, xauth them:server,  my_username=myself; their_username=[any]
000 "my-vpn":   our auth:secret, their auth:secret
000 "my-vpn":   modecfg info: us:client, them:server, modecfg policy:pull, dns:unset, domains:unset, banner:unset, cat:unset;
000 "my-vpn":   labeled_ipsec:no;
000 "my-vpn":   policy_label:unset;
000 "my-vpn":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "my-vpn":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "my-vpn":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "my-vpn":   policy: PSK+ENCRYPT+TUNNEL+PFS+DONT_REKEY+UP+XAUTH+MODECFG_PULL+AGGRESSIVE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "my-vpn":   conn_prio: 24,0; interface: wlan0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "my-vpn":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "my-vpn":   our idtype: ID_IPV4_ADDR; our id=192.168.178.21; their idtype: ID_IPV4_ADDR; their id=176.xxx.xxx.xxx
000 "my-vpn":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "my-vpn":   newest ISAKMP SA: #1; newest IPsec SA: #6;
000 "my-vpn":   IKE algorithm newest: 3DES_CBC_192-HMAC_SHA1-MODP1536
000 "my-vpn":   ESP algorithms: AES_CBC_256-HMAC_SHA1_96-MODP1536
000 "my-vpn":   ESP algorithm newest: AES_CBC_256-HMAC_SHA1_96; pfsgroup=MODP1536
000  
000 Total IPsec connections: loaded 1, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(5), authenticated(5), anonymous(0)
000  
000 #1: "my-vpn":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 3583s; newest ISAKMP; lastdpd=1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #3: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #4: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #5: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #6: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 28031s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #6: "my-vpn" esp.4535606b at 176.xxx.xxx.xxx esp.b238feb2 at 192.168.178.21 tun.0 at 176.xxx.xxx.xxx tun.0 at 192.168.178.21 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B username=myself
000  
000 Bare Shunt list:
000  
000 192.168.178.21/32:51413 -17-> 84.29.208.237/32:16881 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 178.83.23.15/32:61970 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 178.155.4.210/32:47286 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:48740 -17-> 192.168.178.1/32:53 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:46188 -6-> 54.36.237.133/32:993 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 118.102.75.161/32:6550 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:45418 -17-> 37.123.105.117/32:53 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 31.27.210.188/32:41511 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 67.252.36.27/32:35336 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 84.236.109.132/32:35179 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 81.182.198.155/32:8999 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:41433 -17-> 37.123.105.116/32:53 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 122.161.67.167/32:37853 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 109.161.131.68/32:11543 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 115.143.205.160/32:53235 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 83.156.49.2/32:28801 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 191.177.189.227/32:61040 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 27.145.131.135/32:32356 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 2.27.122.73/32:51413 => %hold 0    no routed template covers this pair
rather ~ # ip r
default via 192.168.178.1 dev wlan0 proto dhcp src 192.168.178.21 metric 2007 
192.168.178.0/24 dev wlan0 proto dhcp scope link src 192.168.178.21 metric 2007 
rather ~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet xxx.xxx.xxx.193/32 scope 50 lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 54:ee:75:07:92:a9 brd ff:ff:ff:ff:ff:ff
3: ip6_vti0 at NONE: <NOARP> mtu 1364 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd ::
4: sit0 at NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
5: ip6tnl0 at NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd ::
6: usb0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ff:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 7c:7a:91:a5:1f:18 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.21/24 brd 192.168.178.255 scope global noprefixroute wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::7e7a:91ff:fea5:1f18/64 scope link 
       valid_lft forever preferred_lft forever
8: ip_vti0 at NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
rather ~ # /etc/init.d/ipsec stop

rather ~ # iptables -nvL
Chain INPUT (policy ACCEPT 688K packets, 981M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 341K packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination         
rather ~ #

thanks again
t.
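The reply quoted above says a working road-warrior client should show two "half routes" (0.0.0.0/1 and 128.0.0.0/1) pointing at the gateway with the assigned address as src, and the ipsec status output here shows every outbound flow sitting in the Bare Shunt list as %hold with "no routed template covers this pair". The following script is an added diagnostic example, written for this thread and not taken from the mail or from Libreswan itself: it parses `ip route` and `ipsec status` output in exactly the format shown above and reports whether the half routes are present and which flows pluto is holding. The "healthy" routing sample is constructed, and 203.0.113.193 is a placeholder standing in for the assigned address the mail masks as xxx.xxx.xxx.193.

```python
"""Added diagnostic helper (not from the thread or from Libreswan): check
`ip route` for the two IPsec "half routes" and list the %hold entries in
the Bare Shunt list of `ipsec status`."""

import ipaddress
import re

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<gw>\S+))?\s+dev\s+(?P<dev>\S+)")
SRC_RE = re.compile(r"\bsrc\s+(?P<src>\S+)")
SHUNT_RE = re.compile(
    r"^000\s+(?P<src>[\d.]+)/\d+:(?P<sport>\d+)\s+-(?P<proto>\d+)->\s+"
    r"(?P<dst>[\d.]+)/\d+:(?P<dport>\d+)\s+=>\s+(?P<kind>%\w+)\s+\d+\s+(?P<why>.*)$"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
HALVES = (ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1"))


def parse_routes(ip_route_output):
    """Turn `ip route` lines into dicts with dst (ip_network), gw, dev, src."""
    routes = []
    for line in ip_route_output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        src = SRC_RE.search(line)
        routes.append({
            "dst": ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False),
            "gw": m.group("gw"),
            "dev": m.group("dev"),
            "src": src.group("src") if src else None,
        })
    return routes


def half_routes(routes):
    """Return (gateway, device, src) if both half routes exist and agree, else None.

    Together the two /1 routes cover 0.0.0.0/0, but each is more specific
    than the DHCP default route, so they win and carry the tunnel src address."""
    found = {}
    for r in routes:
        if r["dst"] in HALVES:
            found[r["dst"]] = (r["gw"], r["dev"], r["src"])
    if len(found) != 2:
        return None
    low, high = found[HALVES[0]], found[HALVES[1]]
    return low if low == high else None


def held_flows(status_output):
    """Extract the %hold entries of the Bare Shunt list from `ipsec status`."""
    flows = []
    for line in status_output.splitlines():
        m = SHUNT_RE.match(line.strip())
        if m and m.group("kind") == "%hold":
            proto = int(m.group("proto"))
            flows.append({
                "src": m.group("src"), "sport": int(m.group("sport")),
                "proto": PROTO_NAMES.get(proto, str(proto)),
                "dst": m.group("dst"), "dport": int(m.group("dport")),
                "why": m.group("why").strip(),
            })
    return flows


def diagnose(ip_route_output, status_output):
    """Combine both checks into a short verdict."""
    halves = half_routes(parse_routes(ip_route_output))
    flows = held_flows(status_output)
    if halves is None:
        verdict = "half routes missing: no 0.0.0.0/1 and 128.0.0.0/1 routes in the kernel table"
    elif flows:
        verdict = "half routes present but flows still held: look at firewall and policy"
    else:
        verdict = "half routes present, nothing held"
    return {"half_routes": halves, "held": len(flows), "verdict": verdict}


# Sample 1: `ip r` as posted in this mail (no half routes).
IP_ROUTE_POSTED = """\
default via 192.168.178.1 dev wlan0 proto dhcp src 192.168.178.21 metric 2007
192.168.178.0/24 dev wlan0 proto dhcp scope link src 192.168.178.21 metric 2007
"""
# Sample 2: constructed healthy table; 203.0.113.193 is a placeholder for
# the assigned address masked as xxx.xxx.xxx.193 in the mail.
IP_ROUTE_HEALTHY = IP_ROUTE_POSTED + """\
0.0.0.0/1 via 192.168.178.1 dev wlan0 src 203.0.113.193
128.0.0.0/1 via 192.168.178.1 dev wlan0 src 203.0.113.193
"""
# Three Bare Shunt lines copied from the posted `ipsec status` output.
STATUS_POSTED = """\
000 Bare Shunt list:
000
000 192.168.178.21/32:51413 -17-> 84.29.208.237/32:16881 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:48740 -17-> 192.168.178.1/32:53 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:46188 -6-> 54.36.237.133/32:993 => %hold 0    no routed template covers this pair
"""

if __name__ == "__main__":
    print(diagnose(IP_ROUTE_POSTED, STATUS_POSTED))
    print(diagnose(IP_ROUTE_HEALTHY, ""))
```

Run against the posted output it reports the half routes as missing with three held flows, which matches the symptom in the mail; feed it your own `ip r` and `ipsec status` output to see whether the routes appear after the tunnel comes up.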
