[Swan] one way ping
John Crisp
jcrisp at safeandsoundit.co.uk
Mon Jul 23 23:34:57 UTC 2018
On 20/07/18 01:43, John Crisp wrote:
> I'm sure I have had this before, and I found a solution, but beating my
> head against a wall.
>
> I have an Endian <-> Libre 3.23 v2 ipsec tunnel
>
> It uses certificates and the tunnel comes up fine.
>
Well, I swapped the dummy adaptor for a proper interface with the
virt_io driver just to be sure. However, ping was working even with the
dummy adaptor, so logically the networking was actually functioning.
You can ping happily from Libre -> Endian as soon as the tunnel is up.
You cannot ping from Endian -> Libre unless you have pinged the other
way first.
It wouldn't be so bad if it was in reverse as I rarely need to get from
Libre back to Endian!!
I have tried swapping the 'Start' ends but that doesn't fix it. Updated
to 3.25 and that didn't do it either.
I can only presume it is a routing or firewall issue somewhere but I
just can't fathom how to figure out which. As previously mentioned I
have 3 other boxes with identical setups (now that I have swapped to the
virt_io driver) that all work perfectly.
Here is some config stuff. I'm not that clever on the debugging of this
:-( Damn annoying as the certs always used to be the tricky bit but I
seem to have got that sorted easily now!
Any thoughts on how I can try and trace where the issue is appreciated.
Been banging my head against the wall for days.....
1.1.1.1 Endian home IP
1.1.1.250 Endian Gateway IP
6.6.6.6 Cloud server IP
Libreswan
config setup
protostack=netkey
plutodebug=none
#klipsdebug=none
plutostderrlog=/var/log/pluto/pluto.log
dumpdir=/var/run/pluto/
virtual_private=%v4:192.168.10.0/24
include /etc/ipsec.d/ipsec.conf
conn server2ToHomeMain
type=tunnel
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
leftcert="webRegi"
rightcert="1.1.1.1"
auto=add
ikev2=insist
ike=aes256-sha2;dh14
phase2alg=aes256-sha2;dh14
encapsulation=no
keyingtries=0
ikelifetime=3600s
salifetime=28800s
dpdaction=restart
dpddelay=30
dpdtimeout=10
pfs=yes
left=%defaultroute
leftid=%fromcert
leftsourceip=192.168.81.1
leftsubnet=192.168.81.0/24
right=1.1.1.1
rightid=%fromcert
rightsubnet=192.168.10.0/24
Endian
conn server2ToHomeMain
dpdaction=restart
left=1.1.1.1
leftnexthop=1.1.1.250
leftsubnet=192.168.10.0/24
right=6.6.6.6
rightsubnet=192.168.81.0/24
leftcert=1.1.1.1cert.pem
rightcert=webRegicert.pem
authby=pubkey
leftsigkey=%cert
rightsigkey=%cert
leftid="@Endian"
rightid="@www-server2-Home"
ikelifetime=1h
keylife=8h
ike=aes256-sha2_256-modp2048
esp=aes256-sha2_256-modp2048
auto=start
keyexchange=ikev2
Libre log
Jul 24 00:26:06.988354: loading secrets from "/etc/ipsec.secrets"
Jul 24 00:26:06.988436: loading secrets from "/etc/ipsec.d/ipsec.secrets"
Jul 24 00:26:33.657476: packet from 1.1.1.1:500: local IKE proposals for
server2ToHomeMain (IKE SA responder matching remote proposals):
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048
Jul 24 00:26:33.657620: packet from 1.1.1.1:500: proposal
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048
chosen from remote proposals
1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]
2:IKE:ENCR=AES_CBC_128;ENCR=AES_CBC_192;ENCR=AES_CBC_256;ENCR=3DES;INTEG=AES_XCBC_96;INTEG=AES_CMAC_96;INTEG=HMAC_SHA1_96;INTEG=HMAC_MD5_96;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_512_256;PRF=AES128_XCBC;PRF=AES128_CMAC;PRF=HMAC_SHA1;PRF=HMAC_MD5;PRF=HMAC_SHA2_256;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_512;DH=MODP2048;DH=DH23;DH=DH24;DH=MODP1536;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=MODP1024;DH=DH22
Jul 24 00:26:33.665521: "server2ToHomeMain" #1: STATE_PARENT_R1:
received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha256_128
prf=sha2_256 group=MODP2048}
Jul 24 00:26:33.835436: "server2ToHomeMain" #1: certificate verified OK:
CN=1.1.1.1,O=efw,C=IT
Jul 24 00:26:33.835713: "server2ToHomeMain" #1: IKEv2 mode peer ID is
ID_DER_ASN1_DN: 'C=IT, O=efw, CN=1.1.1.1'
Jul 24 00:26:33.835846: "server2ToHomeMain" #1: Authenticated using RSA
Jul 24 00:26:33.853754: "server2ToHomeMain" #1: local ESP/AH proposals
for server2ToHomeMain (IKE SA responder matching remote ESP/AH
proposals):
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
Jul 24 00:26:33.853871: "server2ToHomeMain" #1: proposal
1:ESP:SPI=cefcc396;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED
chosen from remote proposals
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match]
2:ESP:ENCR=AES_CBC_128;ENCR=AES_CBC_192;ENCR=AES_CBC_256;ENCR=3DES;ENCR=BLOWFISH(UNUSED)_256;INTEG=HMAC_SHA1_96;INTEG=AES_XCBC_96;INTEG=HMAC_MD5_96;ESN=DISABLED
Jul 24 00:26:33.853979: "server2ToHomeMain" #1: received unsupported
NOTIFY v2N_ADDITIONAL_IP4_ADDRESS
Jul 24 00:26:33.854007: "server2ToHomeMain" #1: received unsupported
NOTIFY v2N_ADDITIONAL_IP4_ADDRESS
Jul 24 00:26:33.854027: "server2ToHomeMain" #1: received unsupported
NOTIFY v2N_EAP_ONLY_AUTHENTICATION
Jul 24 00:26:33.910292: "server2ToHomeMain" #2: negotiated connection
[192.168.81.0-192.168.81.255:0-65535 0] ->
[192.168.10.0-192.168.10.255:0-65535 0]
Jul 24 00:26:33.910338: "server2ToHomeMain" #2: STATE_V2_IPSEC_R: IPsec
SA established tunnel mode {ESP=>0xcefcc396 <0x9a001071
xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=active}
Endian status
Status of IKE charon daemon (weakSwan 5.3.5, Linux 4.1.35.e16.1, x86_64):
uptime: 22 minutes, since Jul 24 00:44:56 2018
malloc: sbrk 2723840, mmap 0, used 731408, free 1992432
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 36
loaded plugins: charon ldap aes des blowfish rc2 sha1 sha2 md4 md5
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12
pgp dnskey sshkey pem fips-prf gmp agent xcbc cmac hmac curl attr
kernel-netlink resolve socket-default farp stroke updown eap-identity
eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth
eap-md5 eap-gtc eap-mschapv2 eap-radius xauth-generic xauth-pam dhcp
lookip addrblock
Listening IP addresses:
1.1.1.1
192.168.10.250
Connections:
server2ToHomeMain: 1.1.1.1...6.6.6.6 IKEv2, dpddelay=30s
server2ToHomeMain: local: [C=IT, O=efw, CN=1.1.1.1] uses public key
authentication
server2ToHomeMain: cert: "C=IT, O=efw, CN=1.1.1.1"
server2ToHomeMain: remote: [C=GB, O=CompanyName, OU=CompanyName,
CN=webRegi] uses public key authentication
server2ToHomeMain: cert: "C=GB, O=CompanyName, OU=CompanyName,
CN=webRegi"
server2ToHomeMain: child: 192.168.10.0/24 === 192.168.81.0/24 TUNNEL,
dpdaction=restart
Security Associations (5 up, 0 connecting):
server2ToHomeMain[14]: ESTABLISHED 8 minutes ago, 1.1.1.1[C=IT, O=efw,
CN=1.1.1.1]...6.6.6.6[C=GB, O=CompanyName, OU=CompanyName, CN=webRegi]
server2ToHomeMain[14]: IKEv2 SPIs: 6718884b7995b90a_i*
4f7dd789a95f2040_r, public key reauthentication in 39 minutes
server2ToHomeMain[14]: IKE proposal:
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
server2ToHomeMain{26}: INSTALLED, TUNNEL, reqid 14, ESP SPIs:
c9504645_i 12cd3293_o
server2ToHomeMain{26}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 504
bytes_o (6 pkts, 480s ago), rekeying in 7 hours
server2ToHomeMain{26}: 192.168.10.0/24 === 192.168.81.0/24
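One place to start tracing a one-way tunnel is the per-CHILD_SA byte counters that charon prints in `ipsec statusall`: an SA with bytes_o > 0 and bytes_i == 0 has encrypted and sent traffic but never decrypted any, which narrows the fault to the inbound path on that end (or the outbound path on the peer). The parser below is an added example, not from John's post or from strongSwan; the status text it parses is constructed, modelled on the Endian output above.

```python
"""Parse strongSwan 'ipsec statusall' CHILD_SA lines and flag one-way SAs."""
import re

# Constructed sample, modelled on the Endian status in the thread (unwrapped).
SAMPLE_STATUS = """\
Security Associations (5 up, 0 connecting):
server2ToHomeMain[14]: ESTABLISHED 8 minutes ago, 1.1.1.1[C=IT, O=efw, CN=1.1.1.1]...6.6.6.6[C=GB, O=CompanyName, OU=CompanyName, CN=webRegi]
server2ToHomeMain{26}:  INSTALLED, TUNNEL, reqid 14, ESP SPIs: c9504645_i 12cd3293_o
server2ToHomeMain{26}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 504 bytes_o (6 pkts, 480s ago), rekeying in 7 hours
server2ToHomeMain{26}:   192.168.10.0/24 === 192.168.81.0/24
"""

# charon prints three lines per installed CHILD_SA ("{id}"): SPIs, counters, selectors.
# The "(N pkts, Ts ago)" group only appears when that direction has carried traffic.
SPI_RE = re.compile(r"^(?P<conn>\S+)\{(?P<id>\d+)\}:\s+INSTALLED, (?P<mode>\w+), reqid (?P<reqid>\d+), "
                    r"ESP SPIs: (?P<spi_i>[0-9a-f]+)_i (?P<spi_o>[0-9a-f]+)_o")
CTR_RE = re.compile(r"^(?P<conn>\S+)\{(?P<id>\d+)\}:\s+(?P<alg>\S+), "
                    r"(?P<bytes_i>\d+) bytes_i(?: \((?P<pkts_i>\d+) pkts, \d+s ago\))?, "
                    r"(?P<bytes_o>\d+) bytes_o(?: \((?P<pkts_o>\d+) pkts, \d+s ago\))?")
TS_RE = re.compile(r"^(?P<conn>\S+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>\S+)$")


def parse_child_sas(status_text):
    """Return {child_id: fields} merging the SPI, counter and selector lines."""
    sas = {}
    for line in status_text.splitlines():
        for rx in (SPI_RE, CTR_RE, TS_RE):
            m = rx.match(line)
            if m:
                fields = {k: v for k, v in m.groupdict().items() if v is not None}
                sas.setdefault(int(m["id"]), {}).update(fields)
    return sas


def classify_direction(sa):
    """Label a CHILD_SA by which directions have actually carried ESP traffic."""
    bytes_i, bytes_o = int(sa.get("bytes_i", 0)), int(sa.get("bytes_o", 0))
    if bytes_i and bytes_o:
        return "bidirectional"
    if bytes_o and not bytes_i:
        return "outbound-only"  # we encrypt and send, but nothing is decrypted inbound
    if bytes_i and not bytes_o:
        return "inbound-only"
    return "idle"


def find_one_way_sas(status_text):
    """Map child_id -> direction label for every SA that has traffic in one direction only."""
    sas = parse_child_sas(status_text)
    return {cid: classify_direction(sa) for cid, sa in sas.items()
            if classify_direction(sa) in ("outbound-only", "inbound-only")}


if __name__ == "__main__":
    for cid, label in find_one_way_sas(SAMPLE_STATUS).items():
        sa = parse_child_sas(SAMPLE_STATUS)[cid]
        print(f"{sa['conn']}{{{cid}}} {sa['local']} === {sa['remote']}: {label}, "
              f"inbound SPI {sa['spi_i']} has decrypted {sa['bytes_i']} bytes")
```

Compare the flagged SA's SPIs against `ip xfrm state` on both ends: the SPI that shows 0 bytes here should be the one whose counterpart on the peer reports outgoing bytes, which tells you which hop (peer firewall, peer xfrm policy, or this end's inbound filtering) to inspect next.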