<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Good morning Libreswan-folks!<div><br></div><div>I cannot understand, why my libreswan-VPN does not work correctly. It connects but, I get no data through - no ping, no ssh.</div><div><br></div><div>Before I start my vpn the routing is like this:</div><div><div>$ ip ro </div><div>default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100 </div><div><a href="http://169.254.0.0/16">169.254.0.0/16</a> dev enp0s12u2 scope link metric 1000 </div><div><a href="http://192.168.42.0/24">192.168.42.0/24</a> dev enp0s12u2 proto kernel scope link src 192.168.42.91 metric 100 </div><div>192.168.42.129 dev enp0s12u2 scope link</div></div><div><br></div><div>for explanation: The client is a roadwarrior, in this case my DHCP-server/router is 192.168.42.129 and my local address is 192.168.42.91</div><div><br></div><div>Now I start my vpn with following configuration</div><div><br></div><div><div>config setup</div><div><span style="white-space:pre"> </span>protostack<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span>netkey</div><div><span style="white-space:pre"> </span></div><div>conn Office1</div><div> type = tunnel</div><div> authby = secret</div><div><span style="white-space:pre"> </span>left<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span>192.168.42.91</div><div><span style="white-space:pre"> </span>leftid<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span>@office_vpn_admin</div><div><span style="white-space:pre"> </span>leftsubnet<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span><a href="http://192.168.92.0/24">192.168.92.0/24</a></div><div><span style="white-space:pre"> </span>leftvti<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span><a href="http://192.168.92.234/24">192.168.92.234/24</a></div><div><span style="white-space:pre"> </span>right<span style="white-space:pre"> </span>= some-domain.tld</div><div> rightid<span style="white-space:pre"> </span>= @Office</div><div><span style="white-space:pre"> </span>keyexchange<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span>ike</div><div><span style="white-space:pre"> </span>ike<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span>aes256-sha2;dh14</div><div><span style="white-space:pre"> </span>phase2<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span>esp</div><div><span style="white-space:pre"> </span>phase2alg<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span>aes256-sha2;dh14</div><div><span style="white-space:pre"> </span>sha2_truncbug<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span>yes</div><div><span style="white-space:pre"> </span>ikelifetime<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span>4h</div><div><span style="white-space:pre"> </span>keylife<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span>8h</div><div><span style="white-space:pre"> </span>auto<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span>route</div><div><span style="white-space:pre"> </span>aggrmode<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span>yes</div><div><span style="white-space:pre"> </span>vti-interface<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span>vti0</div><div><span style="white-space:pre"> </span>vti-routing<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span>yes</div><div><span style="white-space:pre"> </span>mark<span style="white-space:pre"> </span>=<span style="white-space:pre"> </span>5/0xffffffff</div></div><div><br></div><div>The connection show up:</div><div><br></div><div><div>003 "Office1": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's</div><div>002 "Office1" #17: initiating Aggressive Mode</div><div>112 "Office1" #17: STATE_AGGR_I1: initiate</div><div>010 "Office1" #17: STATE_AGGR_I1: retransmission; will wait 0.5 seconds for response</div><div>010 "Office1" #17: STATE_AGGR_I1: retransmission; will wait 1 seconds for response</div><div>003 "Office1" #17: ignoring unknown Vendor ID payload [0048e2270bea8395ed778d343cc2a076]</div><div>003 "Office1" #17: ignoring unknown Vendor ID payload [5cbeb399eb835a7d7a2eb495905db061]</div><div>003 "Office1" #17: ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]</div><div>002 "Office1" #17: Peer ID is ID_FQDN: '@Office'</div><div>002 "Office1" #17: WARNING: connection Office1 PSK length of 13 bytes is too short for sha2_256 PRF in FIPS mode (16 bytes required)</div><div>002 "Office1" #17: Peer ID is ID_FQDN: '@Office'</div><div>004 "Office1" #17: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}</div><div>002 "Office1" #18: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#17 msgid:d10ecd44 proposal=AES_CBC_256-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}</div><div>117 "Office1" #18: STATE_QUICK_I1: initiate</div><div>010 "Office1" #18: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response</div><div>002 "Office1" #18: prepare-client output: net.ipv4.conf.vti0.disable_policy = 1</div><div>002 "Office1" #18: prepare-client output: net.ipv4.conf.vti0.rp_filter = 0</div><div>002 "Office1" #18: prepare-client output: net.ipv4.conf.vti0.forwarding = 1</div><div>002 "Office1" #18: route-client output: done ip route</div><div>004 "Office1" #18: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x63b84f91 <0x9be80fa8 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=xx.yyy.zzz.vv:4500 DPD=passive}</div></div><div><br></div><div>routing then shows</div><div><br></div><div><div>$ ip ro </div><div>default via 192.168.42.129 dev enp0s12u2 proto dhcp metric 100 </div><div>xx.yyy.zzz.vv dev vti0 scope link </div><div><a href="http://169.254.0.0/16">169.254.0.0/16</a> dev enp0s12u2 scope link metric 1000 </div><div><a href="http://192.168.42.0/24">192.168.42.0/24</a> dev enp0s12u2 proto kernel scope link src 192.168.42.91 metric 100 </div><div>192.168.42.129 dev enp0s12u2 scope link </div><div><a href="http://192.168.92.0/24">192.168.92.0/24</a> dev vti0 proto kernel scope link src 192.168.92.234 </div></div><div><br></div><div><div>$ route</div><div>Kernel-IP-Routentabelle</div><div>Ziel Router Genmask Flags Metric Ref Use Iface</div><div>default _gateway 0.0.0.0 UG 100 0 0 enp0s12u2</div><div>pXXXXaXXX.dip0. 0.0.0.0 255.255.255.255 UH 0 0 0 vti0</div><div>link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp0s12u2</div><div>192.168.42.0 0.0.0.0 255.255.255.0 U 100 0 0 enp0s12u2</div><div>_gateway 0.0.0.0 255.255.255.255 UH 0 0 0 enp0s12u2</div><div>192.168.92.0 0.0.0.0 255.255.255.0 U 0 0 0 vti0</div><div><div><br></div><div>$ ping 192.168.92.10</div><div>PING 192.168.92.10 (192.168.92.10) 56(84) bytes of data.</div><div>From 192.168.92.234 icmp_seq=1 Destination Host Unreachable</div></div><div><br></div><div>Again I ask you for help. I cannot understand why this will not work. Maybe this is special to ubuntu/debian-distro?</div><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>Best regards<br></div>Johannes C. Schulz<br><br>
<p><span style="color:rgb(204,204,204)"><font size="1">„<b><i>Programmer
- n. [proh-gram-er] an organism that turns caffeine and pizza into software“</i></b></font></span><br></p></div></div></div></div></div></div></div></div></div></div></div></div>