[Swan] Again: VPN connects but not data traffic through tunnel

Johannes C. Schulz enzephalon76 at googlemail.com
Mon Oct 22 09:09:19 UTC 2018


Good morning Libreswan-folks!

I cannot understand why my libreswan VPN does not work correctly. It
connects, but I get no data through: no ping, no ssh.

Before I start my VPN, the routing is like this:
$ ip ro
default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
169.254.0.0/16 dev enp0s12u2 scope link metric 1000
192.168.42.0/24 dev enp0s12u2 proto kernel scope link src 192.168.42.91 metric 100
192.168.42.129 dev enp0s12u2 scope link

For explanation: the client is a roadwarrior; in this case my
DHCP server/router is 192.168.42.129 and my local address is 192.168.42.91.

Now I start my VPN with the following configuration:

config setup
    protostack=netkey

conn Office1
    type=tunnel
    authby=secret
    left=192.168.42.91
    leftid=@office_vpn_admin
    leftsubnet=192.168.92.0/24
    leftvti=192.168.92.234/24
    right=some-domain.tld
    rightid=@Office
    keyexchange=ike
    ike=aes256-sha2;dh14
    phase2=esp
    phase2alg=aes256-sha2;dh14
    sha2_truncbug=yes
    ikelifetime=4h
    keylife=8h
    auto=route
    aggrmode=yes
    vti-interface=vti0
    vti-routing=yes
    mark=5/0xffffffff

The connection shows up:

003 "Office1": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
002 "Office1" #17: initiating Aggressive Mode
112 "Office1" #17: STATE_AGGR_I1: initiate
010 "Office1" #17: STATE_AGGR_I1: retransmission; will wait 0.5 seconds for response
010 "Office1" #17: STATE_AGGR_I1: retransmission; will wait 1 seconds for response
003 "Office1" #17: ignoring unknown Vendor ID payload [0048e2270bea8395ed778d343cc2a076]
003 "Office1" #17: ignoring unknown Vendor ID payload [5cbeb399eb835a7d7a2eb495905db061]
003 "Office1" #17: ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
002 "Office1" #17: Peer ID is ID_FQDN: '@Office'
002 "Office1" #17: WARNING: connection Office1 PSK length of 13 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)
002 "Office1" #17: Peer ID is ID_FQDN: '@Office'
004 "Office1" #17: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}
002 "Office1" #18: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#17 msgid:d10ecd44 proposal=AES_CBC_256-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}
117 "Office1" #18: STATE_QUICK_I1: initiate
010 "Office1" #18: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
002 "Office1" #18: prepare-client output: net.ipv4.conf.vti0.disable_policy = 1
002 "Office1" #18: prepare-client output: net.ipv4.conf.vti0.rp_filter = 0
002 "Office1" #18: prepare-client output: net.ipv4.conf.vti0.forwarding = 1
002 "Office1" #18: route-client output: done ip route
004 "Office1" #18: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x63b84f91 <0x9be80fa8 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=xx.yyy.zzz.vv:4500 DPD=passive}

Routing then shows:

$ ip ro
default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100
xx.yyy.zzz.vv dev vti0 scope link
169.254.0.0/16 dev enp0s12u2 scope link metric 1000
192.168.42.0/24 dev enp0s12u2 proto kernel scope link src 192.168.42.91 metric 100
192.168.42.129 dev enp0s12u2 scope link
192.168.92.0/24 dev vti0 proto kernel scope link src 192.168.92.234

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 enp0s12u2
pXXXXaXXX.dip0. 0.0.0.0         255.255.255.255 UH    0      0        0 vti0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s12u2
192.168.42.0    0.0.0.0         255.255.255.0   U     100    0        0 enp0s12u2
_gateway        0.0.0.0         255.255.255.255 UH    0      0        0 enp0s12u2
192.168.92.0    0.0.0.0         255.255.255.0   U     0      0        0 vti0

$ ping 192.168.92.10
PING 192.168.92.10 (192.168.92.10) 56(84) bytes of data.
From 192.168.92.234 icmp_seq=1 Destination Host Unreachable

Again I ask you for help. I cannot understand why this will not work. Maybe
this is specific to the Ubuntu/Debian distro?

-- 
Best regards
Johannes C. Schulz

„Programmer - n. [proh-gram-er] an organism that turns caffeine and pizza into software“
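Added example (not part of the original post, and not libreswan's own scripts): a small POSIX shell check for a VTI setup like the one above. With vti-interface= libreswan creates the VTI device with ikey/okey equal to the conn's mark value and installs xfrm policies that carry the same mark, and a packet routed into vti0 is only encrypted if an xfrm policy selector matches its source and destination; when either of those does not line up, the IPsec SA shows as established while nothing flows. The parsers take the output of `ip -d link show` and `ip xfrm policy` as text, so they can be exercised on the constructed samples at the bottom; the sample output, the peer address 203.0.113.7 and the exact iproute2 output formats (ikey printed either as "5" or as "0.0.0.5", mark as "0x5/0xffffffff") are assumptions, not data from the poster's system. Run it as root with --live to check a real box.

```shell
#!/bin/sh
# Added example, not from the original post or from libreswan.
# Sanity checks for a libreswan VTI tunnel ("vti-interface=" plus "mark=").
# The iproute2 output formats parsed here are assumed; they may differ
# slightly between versions, which is why vti_key accepts both key forms.

# Dotted quad -> integer; a plain integer is passed through unchanged.
ip2int() {
    case "$1" in
        *.*) printf '%s\n' "$1" | awk -F'[.]' '{ print ((($1*256)+$2)*256+$3)*256+$4 }' ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Key of the VTI device from `ip -d link show <dev>` output.
# iproute2 prints it as "ikey 5" or as "ikey 0.0.0.5"; both normalise to 5.
vti_key() {
    k=$(printf '%s\n' "$1" | sed -n 's/.*ikey \([0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$k" ] && ip2int "$k"
}

# Mark of the first policy in `ip xfrm policy` output, "mark 0x5/0xffffffff" -> 5.
policy_mark() {
    m=$(printf '%s\n' "$1" | sed -n 's/.*mark \(0x[0-9a-f]*\)\/.*/\1/p' | head -n 1)
    [ -n "$m" ] && printf '%s\n' "$(( $m ))"
}

# Exit 0 when the VTI key and the policy mark agree.
keys_match() {
    k=$(vti_key "$1"); m=$(policy_mark "$2")
    [ -n "$k" ] && [ -n "$m" ] && [ "$k" -eq "$m" ]
}

# Does some "dir out" policy selector cover traffic from SRC to DST?
# Prints the matching selector line; exit status 1 if none does.
policy_covers() {
    printf '%s\n' "$1" | awk -v s="$2" -v d="$3" '
        function ip2int(a,  o) { split(a, o, "[.]"); return (((o[1]*256)+o[2])*256+o[3])*256+o[4] }
        function in_net(ip, net,  p) {            # net is "a.b.c.d/n"
            split(net, p, "/")
            return int(ip2int(ip) / 2^(32-p[2])) == int(ip2int(p[1]) / 2^(32-p[2]))
        }
        $1 == "src" { sel = $0; sel_src = $2; sel_dst = $4 }
        $1 == "dir" && $2 == "out" && in_net(s, sel_src) && in_net(d, sel_dst) { print sel; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# Live run (root): vti device, and the src/dst you are trying to send,
# e.g. the leftvti address and a host in the remote network.
run_checks() {
    dev=$1; src=$2; dst=$3
    link=$(ip -d link show "$dev") || return 1
    pol=$(ip xfrm policy)
    if keys_match "$link" "$pol"; then
        echo "ok: $dev key matches xfrm policy mark"
    else
        echo "MISMATCH: $dev key=$(vti_key "$link") policy mark=$(policy_mark "$pol")"
    fi
    if policy_covers "$pol" "$src" "$dst"; then
        echo "ok: an outbound policy covers $src -> $dst"
    else
        echo "NO outbound policy covers $src -> $dst: the kernel will not encrypt it"
    fi
}

# Constructed samples (assumed formats, not captured from the poster's system).
SAMPLE_LINK='7: vti0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN
    link/ipip 192.168.42.91 peer 203.0.113.7
    vti remote 203.0.113.7 local 192.168.42.91 ikey 0.0.0.5 okey 0.0.0.5'
SAMPLE_POLICY='src 192.168.92.0/24 dst 203.0.113.7/32
	dir out priority 2080 ptype main
	mark 0x5/0xffffffff
	tmpl src 192.168.42.91 dst 203.0.113.7
		proto esp reqid 16389 mode tunnel
src 203.0.113.7/32 dst 192.168.92.0/24
	dir in priority 2080 ptype main
	mark 0x5/0xffffffff'

if [ "${1:-}" = "--live" ]; then
    run_checks "${2:-vti0}" "${3:-192.168.92.234}" "${4:-192.168.92.10}"
fi
```

Against the constructed sample the key and mark agree, and an outbound policy covers 192.168.92.234 -> 203.0.113.7 but none covers 192.168.92.234 -> 192.168.92.10, which is the kind of gap that leaves a ping into vti0 unanswered even though the SA is up.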