[Swan] ip address assignment
Thomas Stein
himbeere at meine-oma.de
Wed May 9 17:43:33 UTC 2018
On Wednesday, 9 May 2018 17:45:11 CEST Paul Wouters wrote:
> On Wed, 9 May 2018, Thomas Stein wrote:
>
> > I do not have any of these routes. Maybe the output of ipsec status sheds some light?
>
> > 000 #1: "my-vpn":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 3583s; newest ISAKMP; lastdpd=1s(seq in:0 out:0); idle; import:admin initiate
> > 000 #2: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> > 000 #3: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> > 000 #4: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> > 000 #5: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> > 000 #6: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 28031s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
> > 000 #6: "my-vpn" esp.4535606b at 176.xxx.xxx.xxx esp.b238feb2 at 192.168.178.21 tun.0 at 176.xxx.xxx.xxx tun.0 at 192.168.178.21 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B username=myself
>
> This looks buggy. You should not have those partial quick modes and a
> fully established IPsec SA.
>
> > 000 Bare Shunt list:
> > 000
> > 000 192.168.178.21/32:51413 -17-> 84.29.208.237/32:16881 => %hold 0 no routed template covers this pair
> > 000 192.168.178.21/32:51413 -17-> 178.83.23.15/32:61970 => %hold 0 no routed template covers this pair
> > 000 192.168.178.21/32:51413 -17-> 178.155.4.210/32:47286 => %hold 0 no routed template covers this pair
>
> And this suggests that the one IPsec SA that is up no longer has the
> eroute, and all your packets are hitting the %trap and are awaiting a
> functional tunnel.
>
> Can you see if the issue goes away with our pre-release code? We did
> make a number of changes in the reconnect/replace logic of connections.
>
> https://download.libreswan.org/development/libreswan-3.24rc4.tar.gz
Now I have the routes in question. But still no internet connectivity.
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #2: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27905s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "my-vpn" esp.4535607f at xxx.xxx.xxx.5 esp.5fe2f13b at 192.168.178.21 tun.0 at xxx.xxx.xxx.5 tun.0 at 192.168.178.21 ref=0 refhim=0 Traffic: ESPin=0B ESPout=2KB! ESPmax=4194303B username=myself
000
000 Bare Shunt list:
000
rather /etc/ipsec.d # ip r
0.0.0.0/1 dev wlan0 scope link src xxx.xxx.xxx.193
default via 192.168.178.1 dev wlan0 proto dhcp src 192.168.178.21 metric 2007
128.0.0.0/1 dev wlan0 scope link src xxx.xxx.xxx.193
192.168.178.0/24 dev wlan0 proto dhcp scope link src 192.168.178.21 metric 200
Am I supposed to have some iptables rules? I have none so far:
rather /etc/ipsec.d # iptables -nvL
Chain INPUT (policy ACCEPT 3114K packets, 4431M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1543K packets, 110M bytes)
pkts bytes target prot opt in out source destination
rather /etc/ipsec.d # iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
rather /etc/ipsec.d #
thanks and cheers
t.
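As an added example (not code from the thread or from libreswan itself): a small Python check that parses `ipsec status` lines of the form quoted above and flags the two symptoms Paul describes, partial quick-mode states coexisting with an established IPsec SA (or an established SA that is no longer the eroute owner), and bare %hold shunts. The sample status text is constructed from the quoted output with the peer addresses replaced by documentation-range placeholders.

```python
import re

# Constructed sample modelled on the `ipsec status` lines quoted in the thread (addresses replaced).
SAMPLE_STATUS = """\
000 #1: "my-vpn":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 3583s; newest ISAKMP; lastdpd=1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "my-vpn":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #6: "my-vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 28031s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 Bare Shunt list:
000
000 192.168.178.21/32:51413 -17-> 203.0.113.7/32:16881 => %hold 0 no routed template covers this pair
"""

# State lines: 000 #<num>: "<conn>":<port> STATE_xxx (<description>); ...
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+) \(([^)]*)\)')
# Bare shunt lines: 000 <src> -<proto>-> <dst> => %<policy> ...
SHUNT_RE = re.compile(r'^000 (\S+) -(\d+)-> (\S+) => (%\w+)')

def parse_status(text):
    """Split status output into state records and bare shunt records."""
    states, shunts = [], []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            states.append({"num": int(m.group(1)), "conn": m.group(2),
                           "state": m.group(3), "desc": m.group(4),
                           "eroute": "eroute owner" in line})
            continue
        m = SHUNT_RE.match(line)
        if m:
            shunts.append({"src": m.group(1), "proto": int(m.group(2)),
                           "dst": m.group(3), "policy": m.group(4)})
    return states, shunts

def diagnose(text):
    """Return findings for the symptoms discussed in the thread."""
    states, shunts = parse_status(text)
    findings = []
    for conn in sorted({s["conn"] for s in states}):
        quick = [s for s in states if s["conn"] == conn and s["state"].startswith("STATE_QUICK_")]
        done = [s for s in quick if "IPsec SA established" in s["desc"]]
        partial = [s for s in quick if s not in done]
        if done and partial:
            findings.append(f"{conn}: {len(partial)} partial quick mode(s) alongside "
                            f"established IPsec SA #{done[0]['num']}")
        for s in done:
            if not s["eroute"]:
                findings.append(f"{conn}: IPsec SA #{s['num']} established but not eroute owner")
    held = [sh for sh in shunts if sh["policy"] == "%hold"]
    if held:
        findings.append(f"{len(held)} bare %hold shunt(s): traffic is trapped awaiting a tunnel")
    return findings
```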