[Swan] VPN IKEv2 client reporting syntax errors in libexec/ipsec/_updown.xfrm

Mirsad Todorovac mirsad.todorovac at alu.unizg.hr
Thu Nov 2 22:26:13 EET 2023


On 11/1/23 21:44, Tuomo Soini wrote:
> On Wed, 1 Nov 2023 19:11:03 +0100
> Mirsad Todorovac <mirsad.todorovac at alu.unizg.hr> wrote:
> 
>> Hi,
>>
>> This diff seems to fix the syntax error issue:
>> git blame gives commit 32c87516189f6 and 32c87516189f6 as the cause
>> of the problem.
> 
> Thank you, that bashism has now been fixed.

:-)

>> About the
>>
>> up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 432: cannot
>> create /etc/resolv.conf: Permission denied
>>
>> I don't have a clue.
>>
>> Now I get a different output:
>>
>> $ sudo ipsec up grf
>> 181 "grf"[1] 161.53.83.3 #1: initiating IKEv2 connection
>> 181 "grf"[1] 161.53.83.3 #1: sent IKE_SA_INIT request to
>> 161.53.83.3:500 182 "grf"[1] 161.53.83.3 #1: sent IKE_AUTH request
>> {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
>> 003 "grf"[1] 161.53.83.3 #1: initiator established IKE SA;
>> authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital
>> signature using peer certificate '@magrf-ipv4.grf.hr' issued by CA
>> 'CN=GRF-UNIZG CA, O=GRF-UNIZG' 002 "grf"[1] 161.53.83.3 #2: received
>> INTERNAL_IP4_ADDRESS 192.168.100.10 002 "grf"[1] 161.53.83.3 #2:
>> received INTERNAL_IP4_DNS 10.0.0.101 002 "grf"[1] 161.53.83.3 #2:
>> received INTERNAL_IP4_DNS 1.0.0.1 002 "grf"[1] 161.53.83.3 #2:
>> up-client output: updating resolvconf 002 "grf"[1] 161.53.83.3 #2:
>> up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 432: cannot
>> create /etc/resolv.conf: Permission denied 004 "grf"[1] 161.53.83.3
>> #2: initiator established Child SA using #1; IPsec tunnel
>> [192.168.100.10-192.168.100.10:0-65535 0] ->
>> [0.0.0.0-255.255.255.255:0-65535 0] {ESPinUDP/ESN=>0x4ef1e1f7
>> <0x36c8942c xfrm=AES_GCM_16_256-NONE NATD=161.53.83.3:4500
>> DPD=passive} $
> 
> Pluto only works if it can manipulate /etc/resolv.conf, That is: we
> don't have any support for systemd-resolved. No systemd-resolved user
> has provided patches to add support.

I thought of:

# resolvectl dns ppp 1.0.0.1
Failed to resolve interface "ppp": No such device
#

This should be an equivalent of "nameserver 1.0.0.1" in /etc/resolv.conf and
I think I could program that if I knew the device for

# resolvectl dns [LINK [SERVER ...]]

command.

AFAIR, the device of VPN used to be "ppp", or at least in IKEv2 over L2TP.

What would be that now? My powers are failing me ...

         resolvectl dns ${PLUTO_INTERFACE} ${PLUTO_PEER_DNS_INFO}

did set DNS for me, and I see the VPN at https://whatismyipaddress.com/, but it is still not
routing me to the sites I see when I connect to the same VPN from Windows 10 ...

Here's the client log:

https://domac.alu.hr/~mtodorov/tmp/ikev2-client-grf-20231102-01.log

root at defiant:/home/marvin# ipsec down grf
002 "grf"[2] 161.53.83.3: terminating SAs using this connection
002 "grf"[2] 161.53.83.3 #3: intiating delete
005 "grf"[2] 161.53.83.3 #4: ESP traffic information: in=0B out=96KiB
002 "grf"[2] 161.53.83.3 #3: deleting IKE SA (IKE_SA_DELETE) aged 103.87969s and NOT sending notification
root at defiant:/home/marvin# ipsec up grf
181 "grf"[3] 161.53.83.3 #5: initiating IKEv2 connection
181 "grf"[3] 161.53.83.3 #5: sent IKE_SA_INIT request to 161.53.83.3:500
182 "grf"[3] 161.53.83.3 #5: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "grf"[3] 161.53.83.3 #5: initiator established IKE SA; authenticated peer '4096-bit RSASSA-PSS with SHA2_512' digital signature using peer certificate '@magrf-ipv4.grf.hr' issued by CA 'CN=GRF-UNIZG CA, O=GRF-UNIZG'
002 "grf"[3] 161.53.83.3 #6: received INTERNAL_IP4_ADDRESS 192.168.100.10
002 "grf"[3] 161.53.83.3 #6: received INTERNAL_IP4_DNS 10.0.0.101
002 "grf"[3] 161.53.83.3 #6: received INTERNAL_IP4_DNS 1.0.0.1
002 "grf"[3] 161.53.83.3 #6: up-client output: enp16s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
002 "grf"[3] 161.53.83.3 #6: up-client output:         inet 192.168.1.6  netmask 255.255.255.0  broadcast 192.168.1.255
002 "grf"[3] 161.53.83.3 #6: up-client output:         inet6 fd4a:3230:3435:0:4dfb:3583:629f:e5ec  prefixlen 64  scopeid 0x0<global>
002 "grf"[3] 161.53.83.3 #6: up-client output:         inet6 fe80::4ec:f424:cf7:f679  prefixlen 64  scopeid 0x20<link>
002 "grf"[3] 161.53.83.3 #6: up-client output:         inet6 fd4a:3230:3435:0:e34d:d2b6:d7ca:1807  prefixlen 64  scopeid 0x0<global>
002 "grf"[3] 161.53.83.3 #6: up-client output:         inet6 fd4a:3230:3435:0:1f10:9b44:a617:5d28  prefixlen 64  scopeid 0x0<global>
002 "grf"[3] 161.53.83.3 #6: up-client output:         inet6 fd4a:3230:3435:0:7a75:9c6d:a760:b249  prefixlen 64  scopeid 0x0<global>
002 "grf"[3] 161.53.83.3 #6: up-client output:         ether 9c:6b:00:01:fb:80  txqueuelen 1000  (Ethernet)
002 "grf"[3] 161.53.83.3 #6: up-client output:         RX packets 95970631  bytes 131255335735 (131.2 GB)
002 "grf"[3] 161.53.83.3 #6: up-client output:         RX errors 0  dropped 11955  overruns 0  frame 0
002 "grf"[3] 161.53.83.3 #6: up-client output:         TX packets 12866385  bytes 2279710194 (2.2 GB)
002 "grf"[3] 161.53.83.3 #6: up-client output:         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
002 "grf"[3] 161.53.83.3 #6: up-client output:
002 "grf"[3] 161.53.83.3 #6: up-client output: ip_vti0: flags=128<NOARP>  mtu 1480
002 "grf"[3] 161.53.83.3 #6: up-client output:         tunnel   txqueuelen 1000  (IPIP Tunnel)
002 "grf"[3] 161.53.83.3 #6: up-client output:         RX packets 0  bytes 0 (0.0 B)
002 "grf"[3] 161.53.83.3 #6: up-client output:         RX errors 0  dropped 0  overruns 0  frame 0
002 "grf"[3] 161.53.83.3 #6: up-client output:         TX packets 0  bytes 0 (0.0 B)
002 "grf"[3] 161.53.83.3 #6: up-client output:         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
002 "grf"[3] 161.53.83.3 #6: up-client output:
002 "grf"[3] 161.53.83.3 #6: up-client output: lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
002 "grf"[3] 161.53.83.3 #6: up-client output:         inet 127.0.0.1  netmask 255.0.0.0
002 "grf"[3] 161.53.83.3 #6: up-client output:         inet6 ::1  prefixlen 128  scopeid 0x10<host>
002 "grf"[3] 161.53.83.3 #6: up-client output:         loop  txqueuelen 1000  (Local Loopback)
002 "grf"[3] 161.53.83.3 #6: up-client output:         RX packets 214803  bytes 22066481 (22.0 MB)
002 "grf"[3] 161.53.83.3 #6: up-client output:         RX errors 0  dropped 0  overruns 0  frame 0
002 "grf"[3] 161.53.83.3 #6: up-client output:         TX packets 214803  bytes 22066481 (22.0 MB)
002 "grf"[3] 161.53.83.3 #6: up-client output:         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
002 "grf"[3] 161.53.83.3 #6: up-client output:
002 "grf"[3] 161.53.83.3 #6: up-client output: updating resolvconf
002 "grf"[3] 161.53.83.3 #6: up-client output: /usr/local/libexec/ipsec/_updown.xfrm: 432: cannot create /etc/resolv.conf: Permission denied
004 "grf"[3] 161.53.83.3 #6: initiator established Child SA using #5; IPsec tunnel [192.168.100.10-192.168.100.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0] {ESPinUDP/ESN=>0x3145c18a <0x215541e9 xfrm=AES_GCM_16_256-NONE NATD=161.53.83.3:4500 DPD=passive}
root at defiant:/home/marvin# ip xfrm state show
src 192.168.1.6 dst 161.53.83.3
	proto esp spi 0x3145c18a reqid 16401 mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0x782134c9a5fa3a046c401a38ca5ecab4f03cbd9f97ee7536ccf22ade0785ed8f35ced835 128
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	lastused 2023-11-02 20:44:08
	anti-replay esn context:
	 seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0xe
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 00000000
src 161.53.83.3 dst 192.168.1.6
	proto esp spi 0x215541e9 reqid 16401 mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xe84b8b1a8ccbd4c702f56a70fbae3a6b91dfd65aa3fb7e379c88973318eec4dca0afbc4b 128
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay esn context:
	 seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 00000000
root at defiant:/home/marvin#

Thanks,
Mirsad
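As an added example (not libreswan's own _updown.xfrm and not code from the thread), the sketch below shows what a systemd-resolved-aware updown hook could do instead of writing /etc/resolv.conf: detect that /etc/resolv.conf is resolved's symlink (the "cannot create /etc/resolv.conf" failure above), validate the peer-supplied INTERNAL_IP4_DNS values before they reach a shell command line, and emit the `resolvectl dns` / `resolvectl domain` / `resolvectl revert` invocations for the link. It only prints the commands (dry run), so it runs offline. Assumptions: PLUTO_INTERFACE and PLUTO_PEER_DNS_INFO are used exactly as in the `resolvectl dns ${PLUTO_INTERFACE} ${PLUTO_PEER_DNS_INFO}` line above, where PLUTO_INTERFACE is taken to name the underlying link in XFRM mode; PLUTO_PEER_DOMAIN_INFO is an assumed variable name for the search domains; the sample values are constructed from the log above. The `~.` routing-only domain is the practitioner caveat: setting DNS servers on a link alone does not make resolved prefer them, so queries can still go to the DHCP-learned servers unless the VPN link is made the route for all domains.

```shell
#!/bin/sh
# Added example: dry-run helper for handing peer-supplied DNS to systemd-resolved
# from an IPsec updown hook. Not libreswan code; variable names PLUTO_INTERFACE
# and PLUTO_PEER_DNS_INFO are from the thread, PLUTO_PEER_DOMAIN_INFO is assumed.

# Return 0 when $1 (default /etc/resolv.conf) is the symlink systemd-resolved
# installs, i.e. the case where rewriting the file is the wrong approach.
resolv_managed_by_resolved() {
    path=${1:-/etc/resolv.conf}
    [ -L "$path" ] || return 1
    case "$(readlink "$path")" in
        *systemd/resolve/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the resolvectl commands for the up-client case.
#   $1 = link name (PLUTO_INTERFACE)
#   $2 = space-separated DNS servers (PLUTO_PEER_DNS_INFO)
#   $3 = optional space-separated search domains (assumed PLUTO_PEER_DOMAIN_INFO)
# Returns 1 on missing input, 2 when a value contains anything but address or
# name characters: these strings come from the peer's CP payload and are
# interpolated into a command line, so they are checked before use.
resolved_up_commands() {
    link=$1; servers=$2; domains=${3:-}
    [ -n "$link" ] && [ -n "$servers" ] || return 1
    case "$link" in *[!A-Za-z0-9_.-]*) return 2 ;; esac
    clean=""
    for s in $servers; do
        case "$s" in *[!0-9a-fA-F.:]*) return 2 ;; esac   # IPv4/IPv6 literals only
        clean="$clean $s"
    done
    for d in $domains; do
        case "$d" in *[!A-Za-z0-9.-]*) return 2 ;; esac
    done
    printf 'resolvectl dns %s%s\n' "$link" "$clean"
    # '~.' makes this link the route for every name, so queries do not leak to
    # the DNS servers learned via DHCP on this or another link.
    if [ -n "$domains" ]; then
        printf 'resolvectl domain %s %s ~.\n' "$link" "$domains"
    else
        printf 'resolvectl domain %s ~.\n' "$link"
    fi
}

# Print the command for the down-client case: drop the per-link settings again.
resolved_down_commands() {
    link=$1
    [ -n "$link" ] || return 1
    case "$link" in *[!A-Za-z0-9_.-]*) return 2 ;; esac
    printf 'resolvectl revert %s\n' "$link"
}

# Dry-run driver: uses the environment pluto would set, with constructed
# fallbacks taken from the log in the thread.
demo() {
    iface=${PLUTO_INTERFACE:-enp16s0}
    dns=${PLUTO_PEER_DNS_INFO:-"10.0.0.101 1.0.0.1"}
    if resolv_managed_by_resolved /etc/resolv.conf; then
        echo "# /etc/resolv.conf is managed by systemd-resolved; would run:"
    else
        echo "# /etc/resolv.conf is a plain file; resolvectl commands would be:"
    fi
    resolved_up_commands "$iface" "$dns" "${PLUTO_PEER_DOMAIN_INFO:-}"
    resolved_down_commands "$iface"
}

[ "${1:-}" = "--demo" ] && demo
```

Run it with `--demo` to see the commands for the values in the log; in a real hook the printed lines would be executed in the up-client and down-client branches respectively.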
