[Swan] Data sent in clear despite established tunnel
Phil Nightowl
phil.nightowl at gmail.com
Wed Apr 17 11:13:54 EEST 2024
Hello everyone!
I have problems setting up a roadwarrior config. Both ends sit behind a NAT;
the roadwarrior/initiator as usual with unpredictable IPs, the
server/responder with a fixed set of public/private IPs
(198.51.100.33/192.168.1.1). I shall write the initiator addresses as
rw.pp.uu.bb and rw.ii.nn.tt, respectively. The 198.51.100.33 is, as commonly
with NAT, in fact the public address of the whole LAN behind it, but
incoming connections to udp/500 and udp/4500 are being forwarded to the
responder.
Currently, my issue is that the tunnel seems to get established correctly,
but when trying to ping the responder from the initiator, the ICMP packets
travel back and forth in clear.
This is the status output from the initiator:
000 Connection list:
000
000 "main": 0.0.0.0/0===rw.ii.nn.tt[C=ZZ, O=Privdomain, CN=roadw.privdomain]---192.168.43.65...198.51.100.33[%fromcert]===192.168.1.1/32; unrouted; eroute owner: #0
000 "main": oriented; my_ip=unset; their_ip=unset; mycert=roadw; my_updown=ipsec _updown;
000 "main": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "main": our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+RSASIG_v1_5, our autheap:none, their autheap:none;
000 "main": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "main": sec_label:unset;
000 "main": CAs: 'CN=Privdomain CA'...'CN=Privdomain CA'
000 "main": ike_life: 28800s; ipsec_life: 3600s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "main": retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "main": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "main": policy: IKEv2+RSASIG+RSASIG_v1_5+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+failureDROP;
000 "main": v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "main": conn_prio: 0,32; interface: wlp4s2; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "main": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "main": our idtype: ID_DER_ASN1_DN; our id=C=ZZ, O=Privdomain, CN=roadw.privdomain; their idtype: %fromcert; their id=%fromcert
000 "main": liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "main": nat-traversal: encaps:auto; keepalive:20s
000 "main": newest IKE SA: #0; newest IPsec SA: #0; conn serial: $1;
000 "main"[1]: rw.pp.uu.bb/32===rw.ii.nn.tt[C=ZZ, O=Privdomain, CN=roadw.privdomain]---192.168.43.65...198.51.100.33:4500[C=ZZ, O=Privdomain, CN=server.privdomain]===192.168.1.1/32; erouted; eroute owner: #8
000 "main"[1]: oriented; my_ip=unset; their_ip=unset; mycert=roadw; my_updown=ipsec _updown;
000 "main"[1]: xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "main"[1]: our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+RSASIG_v1_5, our autheap:none, their autheap:none;
000 "main"[1]: modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "main"[1]: sec_label:unset;
000 "main"[1]: CAs: 'CN=Privdomain CA'...'CN=Privdomain CA'
000 "main"[1]: ike_life: 28800s; ipsec_life: 3600s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2;
000 "main"[1]: retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "main"[1]: initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "main"[1]: policy: IKEv2+RSASIG+RSASIG_v1_5+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+failureDROP;
000 "main"[1]: v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "main"[1]: conn_prio: 32,32; interface: wlp4s2; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "main"[1]: nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "main"[1]: our idtype: ID_DER_ASN1_DN; our id=C=ZZ, O=Privdomain, CN=roadw.privdomain; their idtype: ID_DER_ASN1_DN; their id=C=ZZ, O=Privdomain, CN=server.privdomain
000 "main"[1]: liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "main"[1]: nat-traversal: encaps:auto; keepalive:20s
000 "main"[1]: newest IKE SA: #7; newest IPsec SA: #8; conn serial: $2, instantiated from: $1;
000 "main"[1]: IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-MODP2048
000 "main"[1]: ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 2, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #7: "main"[1] 198.51.100.33:4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27182s; REPLACE in 27743s; newest; idle;
000 #8: "main"[1] 198.51.100.33:4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 1858s; REPLACE in 2543s; newest; eroute owner; IKE SA #7; idle;
000 #8: "main"[1] 198.51.100.33 esp.9a83587d at 198.51.100.33 esp.828f657b at rw.ii.nn.tt tun.0 at 198.51.100.33 tun.0 at rw.ii.nn.tt Traffic: ESPin=0B ESPout=0B ESPmax=2^63B
000
000 Bare Shunt list:
000
Here, 192.168.43.65 seems to be the gateway/next hop of rw.ii.nn.tt.
/proc/net/xfrm_stat shows only zeroes. The xfrm policies seem OK to me:
src rw.pp.uu.bb/32 dst 192.168.1.1/32
	dir out priority 1753280 ptype main
	tmpl src rw.ii.nn.tt dst 198.51.100.33
		proto esp reqid 16393 mode tunnel
src 192.168.1.1/32 dst rw.pp.uu.bb/32
	dir fwd priority 1753280 ptype main
	tmpl src 198.51.100.33 dst rw.ii.nn.tt
		proto esp reqid 16393 mode tunnel
src 192.168.1.1/32 dst rw.pp.uu.bb/32
	dir in priority 1753280 ptype main
	tmpl src 198.51.100.33 dst rw.ii.nn.tt
		proto esp reqid 16393 mode tunnel
What am I missing?
Many thanks,
Phil
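An added diagnostic, not part of the original post or of Libreswan: it parses `ip xfrm policy` output in the shape shown above and the `Traffic:` counters from the status line, then asks which "out" policy (if any) selects a packet from the host's own address to the peer's inner address. In the post, the outbound selector is `rw.pp.uu.bb/32` (the NAT public address) while the host actually sends from `rw.ii.nn.tt`, and the SA counters read `ESPin=0B ESPout=0B`; the check below makes that kind of mismatch explicit. The addresses `203.0.113.7` (standing in for rw.pp.uu.bb) and `192.168.43.100` (standing in for rw.ii.nn.tt) are constructed placeholders; the function names are my own.

```python
"""Check whether a local src/dst pair is covered by an xfrm 'out' policy.

Added example, not from the post or from Libreswan. Parses `ip xfrm policy`
text of the form shown in the post and the ESP traffic counters from an
`ipsec status` line. All addresses marked 'constructed' are stand-ins.
"""
import ipaddress
import re

# Constructed stand-ins for the post's anonymised addresses.
NAT_PUBLIC_ADDR = "203.0.113.7"      # stands in for rw.pp.uu.bb (constructed)
INITIATOR_ADDR = "192.168.43.100"    # stands in for rw.ii.nn.tt (constructed)
RESPONDER_PUBLIC = "198.51.100.33"   # as in the post
RESPONDER_PRIVATE = "192.168.1.1"    # as in the post

# `ip xfrm policy` output in the post's shape, with the stand-ins substituted.
XFRM_POLICY_OUTPUT = f"""\
src {NAT_PUBLIC_ADDR}/32 dst {RESPONDER_PRIVATE}/32
	dir out priority 1753280 ptype main
	tmpl src {INITIATOR_ADDR} dst {RESPONDER_PUBLIC}
		proto esp reqid 16393 mode tunnel
src {RESPONDER_PRIVATE}/32 dst {NAT_PUBLIC_ADDR}/32
	dir fwd priority 1753280 ptype main
	tmpl src {RESPONDER_PUBLIC} dst {INITIATOR_ADDR}
		proto esp reqid 16393 mode tunnel
src {RESPONDER_PRIVATE}/32 dst {NAT_PUBLIC_ADDR}/32
	dir in priority 1753280 ptype main
	tmpl src {RESPONDER_PUBLIC} dst {INITIATOR_ADDR}
		proto esp reqid 16393 mode tunnel
"""

# Status line from the post (SPI values copied from it, not meaningful here).
STATUS_LINE = ('000 #8: "main"[1] 198.51.100.33 esp.9a83587d at 198.51.100.33 '
               'esp.828f657b at rw.ii.nn.tt Traffic: ESPin=0B ESPout=0B ESPmax=2^63B')

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)$")
DIR_RE = re.compile(r"^\s*dir (\w+) priority (\d+)")
TMPL_RE = re.compile(r"^\s*tmpl src (\S+) dst (\S+)")
COUNTER_RE = re.compile(r"\b(ESPin|ESPout)=(\d+)B\b")


def parse_xfrm_policies(text):
    """Return a list of dicts: selector networks, direction, priority, tunnel endpoints."""
    policies, cur = [], None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "dir": None, "priority": None, "tmpl": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = TMPL_RE.match(line)
        if m:
            cur["tmpl"] = (m.group(1), m.group(2))
    return policies


def select_policy(policies, src, dst, direction="out"):
    """Mimic the kernel's selector lookup: matching policy with the lowest priority value wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [p for p in policies
               if p["dir"] == direction and src_ip in p["src"] and dst_ip in p["dst"]]
    return min(matches, key=lambda p: p["priority"]) if matches else None


def esp_counters(status_line):
    """Extract ESPin/ESPout byte counters from an `ipsec status` SA line."""
    return {name: int(val) for name, val in COUNTER_RE.findall(status_line)}


def diagnose(policies, local_addr, peer_inner):
    """One-line verdict: is traffic from local_addr to peer_inner selected for ESP?"""
    p = select_policy(policies, local_addr, peer_inner)
    if p is None:
        return f"no 'out' policy selects {local_addr} -> {peer_inner}: such packets leave in clear"
    return f"policy src {p['src']} dst {p['dst']} selects it; ESP tunnel to {p['tmpl'][1]}"


if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY_OUTPUT)
    print(diagnose(pols, INITIATOR_ADDR, RESPONDER_PRIVATE))   # the host's real address
    print(diagnose(pols, NAT_PUBLIC_ADDR, RESPONDER_PRIVATE))  # the address in the selector
    print("SA counters:", esp_counters(STATUS_LINE))
```

Run it against the real output of `ip xfrm policy` and `ipsec status` by swapping in the host's actual interface address: a verdict of "leave in clear" together with zero ESP counters is consistent with what the post reports, and points at the traffic selector rather than at the IKE exchange.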