[Swan] LibreSwan not generating ESP packets (Not Encapsulating)

Madden, Joe Joe.Madden at mottmac.com
Mon Jul 9 08:24:17 UTC 2018


Morning All,


We have a VPN connection to a third party that appears to be established with a successful connection; however, we can't seem to get any traffic flow to pass over the network.

ipsec verify passed OK:

Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.23 (netkey) on 3.10.0-693.21.1.el7.x86_64
Checking for IPsec support in kernel                    [OK]
NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
Pluto listening for IKE on udp 500                     [OK]
Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]


And the VPN seems to be established:

000 "ipsec-1": 192.168.142.132/32===51.148.60.157<51.148.60.157>---51.148.60.158...87.242.152.6<87.242.152.6>===10.0.22.3/32; erouted; eroute owner: #2
000 "ipsec-1":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "ipsec-1":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "ipsec-1":   our auth:secret, their auth:secret
000 "ipsec-1":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "ipsec-1":   labeled_ipsec:no;
000 "ipsec-1":   policy_label:unset;
000 "ipsec-1":   ike_life: 86400s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0;
000 "ipsec-1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "ipsec-1":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "ipsec-1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "ipsec-1":   conn_prio: 32,32; interface: eno1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "ipsec-1":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "ipsec-1":   our idtype: ID_IPV4_ADDR; our id=51.148.60.157; their idtype: ID_IPV4_ADDR; their id=87.242.152.6
000 "ipsec-1":   dpd: action:restart; delay:30; timeout:120; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "ipsec-1":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "ipsec-1":   IKE algorithms: AES_CBC_256-HMAC_SHA2_256-DH19
000 "ipsec-1":   IKEv2 algorithm newest: AES_CBC_256-HMAC_SHA2_256-DH19
000 "ipsec-1":   ESP algorithms: AES_CBC_256-HMAC_SHA2_256_128
000 "ipsec-1":   ESP algorithm newest: AES_CBC_256-HMAC_SHA2_256_128; pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #1: "ipsec-1":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 85992s; newest ISAKMP; idle; import:admin initiate
000 #2: "ipsec-1":500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REPLACE in 28322s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "ipsec-1" esp.7cba7376 at 87.242.152.6 esp.f60e0a3a at 51.148.60.157 tun.0 at 87.242.152.6 tun.0 at 51.148.60.157 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B

Our config as follows:

conn ipsec-1
        authby=                 secret
        auto=                   start
        type=                   tunnel
        forceencaps=            no
        rekeymargin=            3m
        keyingtries=            %forever
        salifetime=             8h
        ikelifetime=            24h
        ikev2=                  insist

        #RTT
        left=           51.148.60.157
        leftsubnet=     192.168.142.132/32
        leftid=         51.148.60.157
        leftnexthop=    51.148.60.158

        #SAA
        right=          87.242.152.6
        rightid=        87.242.152.6
        rightsubnet=    10.0.22.3/32

        #Key Settings
        ike=            aes256-sha2_256;dh19
        phase2=         esp
        phase2alg=      aes256-sha2_256
        pfs=            yes
        sha2_truncbug=  no

        #Dead Peer Detection
        dpdaction=      restart
        dpddelay=       30
        dpdtimeout=     120

Secrets file:
51.148.60.157 87.242.152.6: PSK "######"

Ipsec.conf

config setup
        # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
        # For MacOSX use "bsd"
        protostack=netkey
        #
        # Normally, pluto logs via syslog. If you want to log to a file,
        # specify below or to disable logging, eg for embedded systems, use
        # the file name /dev/null
        # Note: SElinux policies might prevent pluto writing to a log file at
        #       an unusual location.
        #logfile=/var/log/pluto.log
        #
        # Do not enable debug options to debug configuration issues!
        #
        # plutodebug "all", "none" or a combination from below:
        # "raw crypt parsing emitting control controlmore kernel pfkey
        #  natt x509 dpd dns oppo oppoinfo private".
        # Note: "private" is not included with "all", as it can show confidential
        #       information. It must be specifically specified
        # examples:
        # plutodebug="control parsing"
        # plutodebug="all crypt"
        # Again: only enable plutodebug when asked by a developer
        # plutodebug=all
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: SElinux policies might prevent pluto writing the core at
        #       unusual locations
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their wireless networks.
        # This range has never been announced via BGP (at least up to 2015)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10
        #virtual_private=

# For example connections, see your distribution's documentation directory,
# or https://libreswan.org/wiki/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf


For some reason the VPN establishes OK as far as I can see. We try to connect from 192.168.142.132 to a web service on 10.0.22.3/32, but it times out. A tcpdump - tcpdump -i eno1 -nnvvv \(port 500 or port 4500 or proto 50\) - on the interface holding 51.148.60.157 shows no ESP or UDP 4500 being sent as we attempt a request.

Does anyone have any ideas what can cause this? It's like the interesting traffic is not being detected correctly.

Cheers

Joe
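As an added diagnostic example (not part of the original post or of Libreswan), the script below parses the two "ipsec status" lines that matter for this symptom, the eroute line carrying the traffic selectors and the SA line carrying the ESP byte counters, and classifies a given source/destination flow against them. The status text is a constructed copy of the lines quoted above; the classification names are assumptions of this example.

```python
import re
import ipaddress

# Constructed sample: a copy of the two "ipsec status" lines from the post
# that carry the traffic selectors and the ESP byte counters.
STATUS = """\
000 "ipsec-1": 192.168.142.132/32===51.148.60.157<51.148.60.157>---51.148.60.158...87.242.152.6<87.242.152.6>===10.0.22.3/32; erouted; eroute owner: #2
000 #2: "ipsec-1" esp.7cba7376 at 87.242.152.6 esp.f60e0a3a at 51.148.60.157 tun.0 at 87.242.152.6 tun.0 at 51.148.60.157 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
"""

# Eroute format: leftsubnet===left<id>---nexthop...right<id>===rightsubnet;
# the two "===" delimit the selectors the kernel policy will match on.
EROUTE_RE = re.compile(r'^000 "(?P<conn>[^"]+)": (?P<left>\S+?)===.*?===(?P<right>[\d./]+);')
TRAFFIC_RE = re.compile(r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)" .*Traffic: ESPin=(?P<in>\d+)B ESPout=(?P<out>\d+)B')

def parse_status(text):
    """Collect per-connection traffic selectors and ESP byte counters."""
    conns = {}
    for line in text.splitlines():
        m = EROUTE_RE.match(line)
        if m:
            c = conns.setdefault(m['conn'], {})
            c['left'] = ipaddress.ip_network(m['left'], strict=False)
            c['right'] = ipaddress.ip_network(m['right'], strict=False)
            continue
        m = TRAFFIC_RE.match(line)
        if m:
            c = conns.setdefault(m['conn'], {})
            c['esp_in'], c['esp_out'] = int(m['in']), int(m['out'])
    return conns

def diagnose(conns, src, dst):
    """Classify a src->dst flow per connection (names are this example's own):
    outside_selectors           - policy can never match, no ESP expected;
    selectors_match_but_no_esp  - should be encrypted, yet ESPout is still 0B,
                                  so packets never reach the XFRM policy;
    carrying_traffic            - ESP bytes have been sent."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    result = {}
    for name, c in conns.items():
        if src not in c['left'] or dst not in c['right']:
            result[name] = 'outside_selectors'
        elif c.get('esp_out', 0) == 0:
            result[name] = 'selectors_match_but_no_esp'
        else:
            result[name] = 'carrying_traffic'
    return result
```

Running diagnose(parse_status(STATUS), '192.168.142.132', '10.0.22.3') reports selectors_match_but_no_esp, which separates "the request is not using an address inside the selectors" from "the SA itself is not encapsulating" when reading the counters.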
