[Swan] ip address assignment

Thomas Stein himbeere at meine-oma.de
Wed May 9 17:43:33 UTC 2018


On Wednesday, 9 May 2018 17:45:11 CEST Paul Wouters wrote:
> On Wed, 9 May 2018, Thomas Stein wrote:
> 
> > I do not have any of these routes. Maybe the output of ipsec status sheds some light?
> 
> > 000 #1: "my-vpn":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 3583s; newest ISAKMP; lastdpd=1s(seq in:0 out:0); idle; import:admin initiate
> > 000 #2: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> > 000 #3: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> > 000 #4: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> > 000 #5: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> > 000 #6: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 28031s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
> > 000 #6: "my-vpn" esp.4535606b at 176.xxx.xxx.xxx esp.b238feb2 at 192.168.178.21 tun.0 at 176.xxx.xxx.xxx tun.0 at 192.168.178.21 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B username=myself
> 
> This looks buggy. You should not have those partial quick modes and a
> fully established IPsec SA.
> 
> > 000 Bare Shunt list:
> > 000
> > 000 192.168.178.21/32:51413 -17-> 84.29.208.237/32:16881 => %hold 0    no routed template covers this pair
> > 000 192.168.178.21/32:51413 -17-> 178.83.23.15/32:61970 => %hold 0    no routed template covers this pair
> > 000 192.168.178.21/32:51413 -17-> 178.155.4.210/32:47286 => %hold 0    no routed template covers this pair
> 
> And this suggests that the one IPsec SA that is up no longer has the
> eroute, and all your packets are hitting the %trap and are awaiting a
> functional tunnel.
> 
> Can you see if the issue goes away with our pre-release code? We did
> make a number of changes in the reconnect/replace logic of connections.
> 
> https://download.libreswan.org/development/libreswan-3.24rc4.tar.gz
 
Now I have the routes in question. But still no internet connectivity.

000  
000 Total IPsec connections: loaded 1, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000  
000 #2: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27905s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "my-vpn" esp.4535607f at xxx.xxx.xxx.5 esp.5fe2f13b at 192.168.178.21 tun.0 at xxx.xxx.xxx.5 tun.0 at 192.168.178.21 ref=0 refhim=0 Traffic: ESPin=0B ESPout=2KB! ESPmax=4194303B username=myself
000  
000 Bare Shunt list:
000  

rather /etc/ipsec.d # ip r
0.0.0.0/1 dev wlan0 scope link src xxx.xxx.xxx.193 
default via 192.168.178.1 dev wlan0 proto dhcp src 192.168.178.21 metric 2007 
128.0.0.0/1 dev wlan0 scope link src xxx.xxx.xxx.193 
192.168.178.0/24 dev wlan0 proto dhcp scope link src 192.168.178.21 metric 200

Am I supposed to have some iptables rules? I have none so far:

rather /etc/ipsec.d # iptables -nvL
Chain INPUT (policy ACCEPT 3114K packets, 4431M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1543K packets, 110M bytes)
 pkts bytes target     prot opt in     out     source               destination         

rather /etc/ipsec.d # iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
rather /etc/ipsec.d # 

thanks and cheers
t.
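A small checker for the two symptoms Paul points at above (partial quick mode states sitting next to an established IPsec SA, and %hold entries in the bare shunt list), plus the 0.0.0.0/1 + 128.0.0.0/1 route pair from the second `ip r` listing. This is an added example, not code from the thread or from libreswan; the sample output is constructed with documentation addresses, and the regexes assume the IKEv1 `ipsec status` line format shown in the thread.

```python
import re

# Constructed sample modelled on the `ipsec status` output quoted in the thread
# (peer addresses replaced with documentation ranges).
SAMPLE_STATUS = """\
000 #1: "my-vpn":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 3583s; newest ISAKMP; idle
000 #2: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; idle
000 #3: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; idle
000 #6: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); newest IPSEC; eroute owner; isakmp#1; idle
000 Bare Shunt list:
000
000 192.168.178.21/32:51413 -17-> 198.51.100.7/32:16881 => %hold 0    no routed template covers this pair
000 192.168.178.21/32:51413 -17-> 203.0.113.9/32:61970 => %hold 0    no routed template covers this pair
"""

# "000 #<n>: "<conn>":<port> STATE_<x> (<description>)" as printed for IKEv1 states
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+) \((.*?)\)')
# "000 <src> -<proto>-> <dst> => %<shunt> ..." from the bare shunt list
SHUNT_RE = re.compile(r'^000 (\S+) -(\d+)-> (\S+) => (%\w+)')

def analyze_status(text):
    """Summarise quick mode SA states and %hold shunts from `ipsec status` output."""
    established, partial, shunts = [], [], []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            num, conn, state, _desc = m.groups()
            if state == "STATE_QUICK_I2" and "eroute owner" in line:
                established.append((int(num), conn))   # IPsec SA up and owning the eroute
            elif state == "STATE_QUICK_I1":
                partial.append((int(num), conn))       # QI1 sent, still waiting for QR1
            continue
        m = SHUNT_RE.match(line)
        if m and m.group(4) == "%hold":
            shunts.append((m.group(1), m.group(3)))    # packets trapped, no tunnel covers them
    findings = []
    if partial and established:
        findings.append("partial quick mode exchanges alongside an established IPsec SA")
    if shunts:
        findings.append("%hold shunts present: traffic is waiting for a functional tunnel")
    return {"established": established, "partial": partial,
            "hold_shunts": shunts, "findings": findings}

def has_split_default(ip_route_text):
    """True when both halves of the pair that overrides the default route
    (0.0.0.0/1 and 128.0.0.0/1) are present in `ip route` output."""
    prefixes = {line.split()[0] for line in ip_route_text.splitlines() if line.strip()}
    return {"0.0.0.0/1", "128.0.0.0/1"} <= prefixes
```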