[Swan] Remote access connection not replacing source IP
Scott A. Wozny
sawozny at hotmail.com
Tue Sep 29 02:14:12 UTC 2020
In doing testing, I’ve got a successful site-to-site tunnel up and running and now I’m testing a remote access connection. I used the config examples from the wiki, but I’ve needed to make some modifications for my environment and it’s not working quite right. I’ve made a successful connection from the client to the remote access tunnel terminator, but the problem is my rightaddresspool addresses are not being applied to the remote access connection. I can see this by watching the external interface on the VPN server.
When I do a successful ping across the S2S tunnel, I can see the inbound encrypted packet and then after the ip transform I can see the inbound decrypted packet. I can’t see the cleartext return packet because I’m not watching the internal interface, but I can see the return encrypted packet.
[sawozny at vpnnj ~]$ sudo tcpdump -n -i ens8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens8, link-type EN10MB (Ethernet), capture size 262144 bytes
01:52:23.529182 IP 172.16.1.10.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0x3ab6796e,seq=0x1), length 120
01:52:23.529182 IP 10.1.7.2 > 10.1.4.2: ICMP echo request, id 14891, seq 1, length 64
01:52:23.532210 IP 10.1.2.2.ipsecnatt > 172.16.1.10.ipsecnatt: UDP-encap: ESP(spi=0x1417f33a,seq=0x1), length 120
01:52:24.528970 IP 172.16.1.10.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0x3ab6796e,seq=0x2), length 120
01:52:24.528970 IP 10.1.7.2 > 10.1.4.2: ICMP echo request, id 14891, seq 2, length 64
01:52:24.531468 IP 10.1.2.2.ipsecnatt > 172.16.1.10.ipsecnatt: UDP-encap: ESP(spi=0x1417f33a,seq=0x2), length 120
01:52:25.530583 IP 172.16.1.10.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0x3ab6796e,seq=0x3), length 120
01:52:25.530583 IP 10.1.7.2 > 10.1.4.2: ICMP echo request, id 14891, seq 3, length 64
01:52:25.533075 IP 10.1.2.2.ipsecnatt > 172.16.1.10.ipsecnatt: UDP-encap: ESP(spi=0x1417f33a,seq=0x3), length 120
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel
However, when I try a ping from the remote access machine, I can see the encrypted packet come in but after the IP transform when it gets sent back through the stack, the SIP has not been changed to a pool address and that’s a problem because I need this remote access structure to use specific source IPs once the packets get into this environment (firewall purposes, etc...).
[sawozny at vpnnj ~]$ sudo tcpdump -n -i ens8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens8, link-type EN10MB (Ethernet), capture size 262144 bytes
01:51:09.725555 IP 172.16.1.17.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0xfa8118fe,seq=0x7), length 120
01:51:09.725555 IP 172.16.1.17 > 10.1.4.2: ICMP echo request, id 3393, seq 1, length 64
01:51:10.723563 IP 172.16.1.17.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0xfa8118fe,seq=0x8), length 120
01:51:10.723563 IP 172.16.1.17 > 10.1.4.2: ICMP echo request, id 3393, seq 2, length 64
01:51:11.723351 IP 172.16.1.17.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0xfa8118fe,seq=0x9), length 120
01:51:11.723351 IP 172.16.1.17 > 10.1.4.2: ICMP echo request, id 3393, seq 3, length 64
01:51:12.723375 IP 172.16.1.17.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0xfa8118fe,seq=0xa), length 120
01:51:12.723375 IP 172.16.1.17 > 10.1.4.2: ICMP echo request, id 3393, seq 4, length 64
01:51:14.722554 ARP, Request who-has 10.1.2.2 tell 10.1.2.1, length 46
01:51:14.722615 ARP, Reply 10.1.2.2 is-at 52:54:00:08:e7:33, length 28
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
So can anyone suggest what I might have done wrong or how I can turn up logging to debug this?
Here is the ipsec status, connection config file and ip addressing output of the VPN server. I’ve not included the cert stuff because the tunnel is coming up OK (wanted to set the remote auto to start, but found out that’s a bug with the version I’m using and am bringing it up myself) so I don’t think this is a keying problem.
[sawozny at vpnnj ~]$ sudo ipsec status
[sudo] password for sawozny:
000 using kernel interface: netkey
000 interface ens8/ens8 10.1.2.2 at 4500
000 interface ens8/ens8 10.1.2.2 at 500
000
000
000 fips mode=disabled;
000 SElinux=enabled
000 seccomp=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.25, pluto_vendorid=OE-Libreswan-3.25
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=10.1.2.2, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 secctx-attr-type=32001
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=23, name=ESP_NULL_AUTH_AES_GMAC, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=250, name=AUTH_ALGORITHM_AES_CMAC_96, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH22, bits=1024
000 algorithm IKE DH Key Exchange: name=DH23, bits=2048
000 algorithm IKE DH Key Exchange: name=DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "intersitetunnel": 10.1.4.0/24===10.1.2.2<10.1.2.2>[@vpnnj]...172.16.1.10<172.16.1.10>[@vpnca]===10.1.7.0/24; erouted; eroute owner: #2
000 "intersitetunnel": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "intersitetunnel": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "intersitetunnel": our auth:rsasig, their auth:rsasig
000 "intersitetunnel": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "intersitetunnel": labeled_ipsec:no;
000 "intersitetunnel": policy_label:unset;
000 "intersitetunnel": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "intersitetunnel": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "intersitetunnel": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "intersitetunnel": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "intersitetunnel": conn_prio: 24,24; interface: ens8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "intersitetunnel": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "intersitetunnel": our idtype: ID_FQDN; our id=@vpnnj; their idtype: ID_FQDN; their id=@vpnca
000 "intersitetunnel": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "intersitetunnel": newest ISAKMP SA: #9; newest IPsec SA: #2;
000 "intersitetunnel": IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-MODP2048
000 "intersitetunnel": ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<Phase1>
000 "remoteaccess": 10.1.4.0/24===10.1.2.2<10.1.2.2>[@vpnnj,MS+XS+S=C]...%any[+MC+XC+S=C]; unrouted; eroute owner: #0
000 "remoteaccess": oriented; my_ip=unset; their_ip=unset; mycert=vpnnj; my_updown=ipsec _updown;
000 "remoteaccess": xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "remoteaccess": our auth:rsasig, their auth:rsasig
000 "remoteaccess": modecfg info: us:server, them:client, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "remoteaccess": labeled_ipsec:no;
000 "remoteaccess": policy_label:unset;
000 "remoteaccess": CAs: 'CN=vpnnj CA, O=CompanyName'...'%any'
000 "remoteaccess": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "remoteaccess": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "remoteaccess": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "remoteaccess": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONT_REKEY+XAUTH+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "remoteaccess": conn_prio: 24,32; interface: ens8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "remoteaccess": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "remoteaccess": our idtype: ID_FQDN; our id=@vpnnj; their idtype: %none; their id=(none)
000 "remoteaccess": dpd: action:clear; delay:540; timeout:1200; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "remoteaccess": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "remoteaccess"[2]: 10.1.4.0/24===10.1.2.2<10.1.2.2>[@vpnnj,MS+XS+S=C]...172.16.1.17[CN=sawozny-nj.vpnnj, O=CompanyName,+MC+XC+S=C]; erouted; eroute owner: #4
000 "remoteaccess"[2]: oriented; my_ip=unset; their_ip=unset; mycert=vpnnj; my_updown=ipsec _updown;
000 "remoteaccess"[2]: xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "remoteaccess"[2]: our auth:rsasig, their auth:rsasig
000 "remoteaccess"[2]: modecfg info: us:server, them:client, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "remoteaccess"[2]: labeled_ipsec:no;
000 "remoteaccess"[2]: policy_label:unset;
000 "remoteaccess"[2]: CAs: 'CN=vpnnj CA, O=CompanyName'...'%any'
000 "remoteaccess"[2]: ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "remoteaccess"[2]: retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "remoteaccess"[2]: initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "remoteaccess"[2]: policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONT_REKEY+XAUTH+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "remoteaccess"[2]: conn_prio: 24,32; interface: ens8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "remoteaccess"[2]: nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "remoteaccess"[2]: our idtype: ID_FQDN; our id=@vpnnj; their idtype: ID_DER_ASN1_DN; their id=CN=sawozny-nj.vpnnj, O=CompanyName
000 "remoteaccess"[2]: dpd: action:clear; delay:540; timeout:1200; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "remoteaccess"[2]: newest ISAKMP SA: #10; newest IPsec SA: #4;
000 "remoteaccess"[2]: IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-MODP2048
000 "remoteaccess"[2]: ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 3, active 2
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(2), half-open(0), open(0), authenticated(2), anonymous(0)
000 IPsec SAs: total(2), authenticated(2), anonymous(0)
000
000 #2: "intersitetunnel":4500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REPLACE in 17843s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate
000 #2: "intersitetunnel" esp.1417f33a at 172.16.1.10 esp.3ab6796e at 10.1.2.2 tun.0 at 172.16.1.10 tun.0 at 10.1.2.2 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #9: "intersitetunnel":4500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1211s; newest ISAKMP; idle; import:admin initiate
000 #4: "remoteaccess"[2] 172.16.1.17:4500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_EXPIRE in 18544s; newest IPSEC; eroute owner; isakmp#10; idle; import:respond to stranger
000 #4: "remoteaccess"[2] 172.16.1.17 esp.40ae207 at 172.16.1.17 esp.fa8118fe at 10.1.2.2 tun.0 at 172.16.1.17 tun.0 at 10.1.2.2 ref=0 refhim=0 Traffic: ESPin=336B ESPout=0B! ESPmax=0B
000 #10: "remoteaccess"[2] 172.16.1.17:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_EXPIRE in 1639s; newest ISAKMP; idle; import:respond to stranger
000
000 Bare Shunt list:
000
[sawozny at vpnnj ~]$ sudo cat /etc/ipsec.d/remoteaccess.conf
# /etc/ipsec.d/remoteaccess.conf
conn remoteaccess
left=10.1.2.2
leftid=@vpnnj
leftsubnet=10.1.4.0/24
leftcert=vpnnj
leftrsasigkey=%cert
leftsendcert=always
leftxauthserver=yes
right=%any
rightaddresspool=10.1.3.64-10.1.3.127
rightrsasigkey=%cert
rightxauthclient=yes
authby=rsasig
ikev2=insist
rekey=no
dpddelay=9m
dpdtimeout=20m
dpdaction=clear
auto=add
[sawozny at vpnnj ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:3a:21:54 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.214/24 brd 192.168.1.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
3: ens8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:08:e7:33 brd ff:ff:ff:ff:ff:ff
inet 10.1.2.2/24 brd 10.1.2.255 scope global noprefixroute ens8
valid_lft forever preferred_lft forever
4: ens9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:25:80:a5 brd ff:ff:ff:ff:ff:ff
inet 10.1.3.2/24 brd 10.1.3.255 scope global noprefixroute ens9
valid_lft forever preferred_lft forever
5: ip_vti0 at NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
[sawozny at vpnnj ~]$
And the same for the client:
[sawozny at ntp2 ~]$ sudo ipsec status
[sudo] password for sawozny:
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1 at 4500
000 interface lo/lo 127.0.0.1 at 500
000 interface eth0/eth0 172.16.1.17 at 4500
000 interface eth0/eth0 172.16.1.17 at 500
000
000
000 fips mode=disabled;
000 SElinux=enabled
000 seccomp=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.25, pluto_vendorid=OE-Libreswan-3.25
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 secctx-attr-type=32001
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=23, name=ESP_NULL_AUTH_AES_GMAC, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=250, name=AUTH_ALGORITHM_AES_CMAC_96, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH22, bits=1024
000 algorithm IKE DH Key Exchange: name=DH23, bits=2048
000 algorithm IKE DH Key Exchange: name=DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "vpnnj": 172.16.1.17[CN=sawozny-nj.vpnnj, O=CompanyName,+XC+S=C]---172.16.1.254...172.16.1.2<vpnnj>[@vpnnj,+XS+S=C]===10.1.4.0/24; erouted; eroute owner: #2
000 "vpnnj": oriented; my_ip=unset; their_ip=unset; mycert=sawozny-nj.vpnnj; my_updown=ipsec _updown;
000 "vpnnj": xauth us:client, xauth them:server, my_username=[any]; their_username=[any]
000 "vpnnj": our auth:rsasig, their auth:rsasig
000 "vpnnj": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "vpnnj": labeled_ipsec:no;
000 "vpnnj": policy_label:unset;
000 "vpnnj": CAs: 'CN=vpnnj CA, O=CompanyName'...'%any'
000 "vpnnj": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "vpnnj": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "vpnnj": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "vpnnj": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+XAUTH+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO;
000 "vpnnj": conn_prio: 32,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "vpnnj": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "vpnnj": our idtype: ID_DER_ASN1_DN; our id=CN=sawozny-nj.vpnnj, O=CompanyName; their idtype: ID_FQDN; their id=@vpnnj
000 "vpnnj": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "vpnnj": newest ISAKMP SA: #5; newest IPsec SA: #2;
000 "vpnnj": IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-MODP2048
000 "vpnnj": ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #2: "vpnnj":4500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REPLACE in 17869s; newest IPSEC; eroute owner; isakmp#5; idle; import:admin initiate
000 #2: "vpnnj" esp.fa8118fe at 172.16.1.2 esp.40ae207 at 172.16.1.17 tun.0 at 172.16.1.2 tun.0 at 172.16.1.17 ref=0 refhim=0 Traffic: ESPin=0B ESPout=336B! ESPmax=0B
000 #5: "vpnnj":4500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1237s; newest ISAKMP; idle; import:admin initiate
000
000 Bare Shunt list:
000
[sawozny at ntp2 ~]$ sudo cat /etc/ipsec.d/vpnnj.conf
# /etc/ipsec.d/vpnnj.conf
conn vpnnj
left=%defaultroute
leftid=%fromcert
leftcert=sawozny-nj.vpnnj
leftrsasigkey=%cert
leftxauthclient=yes
right=vpnnj
rightid=@vpnnj
rightsubnet=10.1.4.0/24
rightrsasigkey=%cert
rightxauthserver=yes
ikev2=insist
rekey=yes
mobike=yes
auto=add
[sawozny at ntp2 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:d1:6e:ec brd ff:ff:ff:ff:ff:ff
inet 172.16.1.17/24 brd 172.16.1.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
3: ip_vti0 at NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
[sawozny at ntp2 ~]$
Any suggestions on how to troubleshoot this (or if you can see I’ve done something obviously wrong) would be appreciated.
Thanks,
Scott
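One way to turn the symptom described in the message into a repeatable check, as an added example written by the editor and not code from the poster or from the Libreswan project: parse tcpdump output in the format shown above, keep only the decrypted inner packets (the lines that are not `UDP-encap: ESP(...)` records), and classify each inner source address as coming from the configured `rightaddresspool`, from a known site-to-site subnet, or from neither. The sample lines are copied from the two captures above; the pool spec `10.1.3.64-10.1.3.127` and the site subnet `10.1.7.0/24` are taken from the configs on the page. The remote-access packet is flagged because its inner source is still the client's own `172.16.1.17`, which is exactly what the capture shows.

```python
import ipaddress
import re

# Constructed sample: lines copied from the two tcpdump captures in the message
# (one site-to-site ping, one remote-access ping, plus an ARP line to be ignored).
SAMPLE_CAPTURE = """\
01:52:23.529182 IP 172.16.1.10.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0x3ab6796e,seq=0x1), length 120
01:52:23.529182 IP 10.1.7.2 > 10.1.4.2: ICMP echo request, id 14891, seq 1, length 64
01:51:09.725555 IP 172.16.1.17.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0xfa8118fe,seq=0x7), length 120
01:51:09.725555 IP 172.16.1.17 > 10.1.4.2: ICMP echo request, id 3393, seq 1, length 64
01:51:14.722554 ARP, Request who-has 10.1.2.2 tell 10.1.2.1, length 46
"""

# Matches "<timestamp> IP <src> > <dst>: <rest>"; ARP and summary lines do not match.
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")


def parse_pool(spec):
    """Turn a rightaddresspool value into a list of networks.

    Accepts the "lo-hi" range form used in the config above; a CIDR string
    is also accepted by this parser.
    """
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec, strict=False)]


def host_only(token):
    """Strip a tcpdump port/service suffix such as ".ipsecnatt" or ".22"."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return ipaddress.ip_address(token.rsplit(".", 1)[0])


def inner_packets(capture_text):
    """Yield (src, dst) for decrypted inner packets, skipping outer ESP records."""
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, "packets captured", etc.
        src, dst, rest = m.groups()
        if "ESP(" in rest:
            continue  # outer UDP-encapsulated ESP packet, not the payload
        yield host_only(src), host_only(dst)


def in_any(addr, nets):
    return any(addr in n for n in nets)


def audit_capture(capture_text, pool_spec, site_subnets):
    """Classify every inner source address seen on the external interface.

    Returns a list of (src, dst, verdict) tuples. A verdict of "UNEXPECTED"
    means the decrypted packet carries neither a pool address nor a
    site-to-site subnet address, which is the condition reported above.
    """
    pool = parse_pool(pool_spec)
    sites = [ipaddress.ip_network(s) for s in site_subnets]
    findings = []
    for src, dst in inner_packets(capture_text):
        if in_any(src, pool):
            verdict = "pool"
        elif in_any(src, sites):
            verdict = "site-to-site"
        else:
            verdict = "UNEXPECTED: not a pool or site address"
        findings.append((str(src), str(dst), verdict))
    return findings


if __name__ == "__main__":
    for src, dst, verdict in audit_capture(
        SAMPLE_CAPTURE, "10.1.3.64-10.1.3.127", ["10.1.7.0/24"]
    ):
        print(f"{src:>15} -> {dst:<15} {verdict}")
```

Run it against a saved `tcpdump -n -i ens8` capture by replacing `SAMPLE_CAPTURE` with the file contents; any inner packet that lands in the `UNEXPECTED` bucket is one the firewall rules keyed on pool addresses will not match.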