[Swan] roadwarrior connects but no data

Johannes C. Schulz enzephalon76 at googlemail.com
Thu Oct 4 08:44:28 UTC 2018


Hello LibreSwan community!
It was a long way to get my libreswan connecting to a VPN server (which is
actually a DSL router from bintec). The server accepts IPsec IKEv1
connections with PSK. I can connect, but there is no traffic through the
tunnel.
The problem must be on the roadwarrior's side, because I can connect and
transfer data through the tunnel if I connect to the VPN server with a
Windows machine (using ShrewSoft).

I wrote this config:

config setup
    protostack  =   netkey

conn Office1
    authby      =   secret
    right       =   some.domain.tld
    rightid     =   @Office_admin
    rightnexthop    =   %defaultroute
    left        =   192.168.42.91
    leftsubnet  =   192.168.92.0/24
    leftvti     =   192.168.92.234/24
    leftid      =   @Office
    keyexchange =   ike
    ike     =   aes256-sha2;modp2048
    esp     =   aes256-sha2;modp2048
    ikelifetime =   4h
    keylife     =   8h
    auto        =   add
    aggrmode    =   yes
    vti-interface = vti0
    vti-routing =   yes
    mark        =   5/0xffffffff

The roadwarrior connects:

003 "Office1": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary
attacks and is cracked on large scale by TLA's
002 "Office1" #1: initiating Aggressive Mode
112 "Office1" #1: STATE_AGGR_I1: initiate
010 "Office1" #1: STATE_AGGR_I1: retransmission; will wait 0.5 seconds for
response
010 "Office1" #1: STATE_AGGR_I1: retransmission; will wait 1 seconds for
response
003 "Office1" #1: ignoring unknown Vendor ID payload
[0048e2270bea8395ed778d343cc2a076]
003 "Office1" #1: ignoring unknown Vendor ID payload
[5cbeb399eb835a7d7a2eb495905db061]
003 "Office1" #1: ignoring unknown Vendor ID payload
[810fa565f8ab14369105d706fbd57279]
002 "Office1" #1: Peer ID is ID_FQDN: '@Office'
002 "Office1" #1: WARNING: connection Office1 PSK length of 13 bytes is too
short for sha2_256 PRF in FIPS mode (16 bytes required)
002 "Office1" #1: Peer ID is ID_FQDN: '@Office'
004 "Office1" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established
{auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}
002 "Office1" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
{using isakmp#1 msgid:f067a0d5
proposal=AES_CBC_256-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}
117 "Office1" #2: STATE_QUICK_I1: initiate
010 "Office1" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for
response
002 "Office1" #2: prepare-client output: net.ipv4.conf.vti0.disable_policy
= 1
002 "Office1" #2: prepare-client output: net.ipv4.conf.vti0.rp_filter = 0
002 "Office1" #2: prepare-client output: net.ipv4.conf.vti0.forwarding = 1
002 "Office1" #2: route-client output: done ip route
004 "Office1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP/NAT=>0x7ab81f99 <0xa80c1c82 xfrm=AES_CBC_256-HMAC_SHA2_256_128
NATOA=none NATD=xx.yyy.zzz.vv:4500 DPD=passive}

sudo ipsec auto --up Office1
netstat -r -n
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags   MSS Fenster irtt
Iface
0.0.0.0         192.168.42.129  0.0.0.0         UG        0 0          0
enp0s12u2
xx.yyy.zzz.vv   0.0.0.0         255.255.255.255 UH        0 0          0
vti0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0
enp0s12u2
192.168.42.0    0.0.0.0         255.255.255.0   U         0 0          0
enp0s12u2
192.168.92.0    0.0.0.0         255.255.255.0   U         0 0          0
vti0
ping 192.168.92.10
PING 192.168.92.10 (192.168.92.10) 56(84) bytes of data.
From 192.168.92.234 icmp_seq=1 Destination Host Unreachable

On the roadwarrior side there are no iptables rules configured:
sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I would be very happy if someone can help me.

-- 
Thanx a lot
Johannes C. Schulz

„Programmer - n. [proh-gram-er] an organism that turns caffeine and pizza
into software“
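Added example, not part of the original post or of libreswan: a small Python checker that parses a conn block like the one posted (constructed below from that config, with indentation restored) and reports the two warnings pluto printed in the log plus a traffic-selector check for the ping target. It assumes that 192.168.92.0/24 and the ping target 192.168.92.10 sit behind the router on the remote side, which the post implies but does not state; psk_len is passed in because the PSK itself is not on the page (the log reports 13 bytes).

```python
import ipaddress
import re

# Constructed from the conn in the post, with indentation restored.
CONF = """
conn Office1
    authby      =   secret
    right       =   some.domain.tld
    left        =   192.168.42.91
    leftsubnet  =   192.168.92.0/24
    leftvti     =   192.168.92.234/24
    aggrmode    =   yes
    vti-interface = vti0
"""


def parse_conn(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
            continue
        m = re.match(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$", line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return conns


def check_conn(params, ping_target, psk_len):
    """Return findings for a roadwarrior conn; an empty list means nothing flagged."""
    findings = []
    # The two warnings below are the ones pluto printed in the posted log.
    if params.get("aggrmode") == "yes" and params.get("authby") == "secret":
        findings.append("aggrmode=yes with authby=secret: IKEv1 aggressive mode PSK is dictionary-attackable")
    if psk_len < 16:  # sha2_256 PRF in FIPS mode needs a 16-byte PSK
        findings.append(f"PSK is {psk_len} bytes, shorter than the 16 bytes required")
    # Traffic selectors: with rightsubnet unset, only the peer address itself is remote,
    # so a destination inside leftsubnet is never covered by the IPsec policy.
    left_net = ipaddress.ip_network(params.get("leftsubnet", "0.0.0.0/32"), strict=False)
    right_net = params.get("rightsubnet")
    target = ipaddress.ip_address(ping_target)
    if right_net is None and target in left_net:
        findings.append(f"{ping_target} is inside leftsubnet {left_net}, the local side of the policy; no rightsubnet covers it")
    elif right_net is not None and target not in ipaddress.ip_network(right_net, strict=False):
        findings.append(f"{ping_target} is outside rightsubnet {right_net}")
    return findings
```

Running check_conn on the posted conn with the ping target and a 13-byte PSK yields all three findings; a conn with the office network in rightsubnet and a /32 in leftsubnet yields none.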