I'm having some trouble getting a working site-to-site tunnel when using 'installpolicy=no' in my strongSwan configuration, and I can't really figure this out even after an entire day of googling. IPsec SAs never form.
OS: OpenWRT trunk
strongSwan: 4.5.3
Side 1:
WAN = 10.0.0.1
LAN = 192.168.1.0/24
ipsec.conf
config setup
    plutodebug=control
    plutostart=no
    charondebug=control
    charonstart=yes
    nat_traversal=yes

conn %default
    auth=esp
    authby=psk
    closeaction=restart
    compress=no
    dpdaction=restart
    installpolicy=no
    keyingtries=%forever
    leftfirewall=yes
    lefthostaccess=yes
    margintime=9m
    mobike=no
    reauth=yes
    rekey=yes
    rightfirewall=yes
    righthostaccess=yes
    type=tunnel

conn 1
    auto=start
    dpddelay=60s
    esp=aes128-sha1-modp1024!
    forceencaps=no
    ike=aes128-sha1-modp1024!
    ikelifetime=3h
    keyexchange=ikev2
    left=10.0.0.1
    leftsubnet=192.168.1.0/24
    lifetime=8h
    pfs=yes
    pfsgroup=modp1024
    reqid=305
    right=10.0.0.2
    rightsubnet=192.168.2.0/24
Side 2:
WAN = 10.0.0.2
LAN = 192.168.2.0/24
ipsec.conf
config setup
    plutodebug=control
    plutostart=no
    charondebug=control
    charonstart=yes
    nat_traversal=yes

conn %default
    auth=esp
    authby=psk
    closeaction=restart
    compress=no
    dpdaction=restart
    installpolicy=no
    keyingtries=%forever
    leftauth=psk
    leftfirewall=yes
    lefthostaccess=yes
    margintime=9m
    mobike=no
    reauth=yes
    rekey=yes
    rightauth=psk
    rightfirewall=yes
    righthostaccess=yes
    type=tunnel

conn 1
    auto=start
    dpddelay=60s
    esp=aes128-sha1-modp1024!
    forceencaps=no
    ike=aes128-sha1-modp1024!
    ikelifetime=3h
    keyexchange=ikev2
    left=10.0.0.2
    leftsubnet=192.168.2.0/24
    lifetime=8h
    pfs=yes
    pfsgroup=modp1024
    reqid=305
    right=10.0.0.1
    rightsubnet=192.168.1.0/24
I've messed with ip xfrm with the lines below:
Side 1:
ip xfrm policy add dir in src 192.168.2.0/24 dst 192.168.1.0/24 proto any action allow priority 100 tmpl mode tunnel reqid 305 src 10.0.0.2 dst 10.0.0.1 proto esp level required
ip xfrm policy add dir out src 192.168.1.0/24 dst 192.168.2.0/24 proto any action allow priority 100 tmpl mode tunnel reqid 305 src 10.0.0.1 dst 10.0.0.2 proto esp level required
ip xfrm policy add dir fwd src 192.168.2.0/24 dst 192.168.1.0/24 proto any action allow priority 100 tmpl mode tunnel reqid 305 src 10.0.0.2 dst 10.0.0.1 proto esp level required
Side 2:
ip xfrm policy add dir in src 192.168.1.0/24 dst 192.168.2.0/24 proto any action allow priority 100 tmpl mode tunnel reqid 305 src 10.0.0.1 dst 10.0.0.2 proto esp level required
ip xfrm policy add dir out src 192.168.2.0/24 dst 192.168.1.0/24 proto any action allow priority 100 tmpl mode tunnel reqid 305 src 10.0.0.2 dst 10.0.0.1 proto esp level required
ip xfrm policy add dir fwd src 192.168.1.0/24 dst 192.168.2.0/24 proto any action allow priority 100 tmpl mode tunnel reqid 305 src 10.0.0.1 dst 10.0.0.2 proto esp level required
Side 1 syslog:
Jun 6 20:55:50 OpenWrt authpriv.warn ipsec_starter[2720]: Starting strongSwan 4.5.3 IPsec [starter]...
Jun 6 20:55:50 OpenWrt authpriv.warn ipsec_starter[2720]: no default route - cannot cope with %defaultroute!!!
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[KNL] listening on interfaces:
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[KNL] eth0
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[KNL] eth1
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[KNL] 10.0.0.1
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[KNL] br-lan
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[KNL] 192.168.1.1
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[KNL] eth0.1
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[KNL] received netlink error: Address family not supported by protocol (124)
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[KNL] unable to create IPv6 routing table rule
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[NET] unable to create raw socket: Address family not supported by protocol
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[NET] could not open IPv6 receive socket, IPv6 disabled
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[CFG] loaded IKE secret for 10.0.0.1 10.0.0.2
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Jun 6 20:55:50 OpenWrt daemon.info syslog: 00[JOB] spawning 16 worker threads
Jun 6 20:55:50 OpenWrt authpriv.warn ipsec_starter[2744]: charon (2745) started after 40 ms
Jun 6 20:55:50 OpenWrt daemon.info syslog: 07[CFG] received stroke: add connection '1'
Jun 6 20:55:50 OpenWrt daemon.info syslog: 07[CFG] added configuration '1'
Jun 6 20:55:50 OpenWrt daemon.info syslog: 09[CFG] received stroke: route '1'
Jun 6 20:55:50 OpenWrt authpriv.warn ipsec_starter[2744]: '1' routed
Jun 6 20:55:52 OpenWrt daemon.info syslog: 11[NET] received packet: from 10.0.0.2[500] to 10.0.0.1[500]
Jun 6 20:55:52 OpenWrt daemon.info syslog: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 6 20:55:52 OpenWrt daemon.info syslog: 11[IKE] 10.0.0.2 is initiating an IKE_SA
Jun 6 20:55:52 OpenWrt authpriv.info syslog: 11[IKE] 10.0.0.2 is initiating an IKE_SA
Jun 6 20:55:53 OpenWrt daemon.info syslog: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 6 20:55:53 OpenWrt daemon.info syslog: 11[NET] sending packet: from 10.0.0.1[500] to 10.0.0.2[500]
Jun 6 20:56:22 OpenWrt daemon.info syslog: 14[JOB] deleting half open IKE_SA after timeout
Side 2 syslog:
Jun 6 20:43:44 OpenWrt authpriv.warn ipsec_starter[2606]: Starting strongSwan 4.5.3 IPsec [starter]...
Jun 6 20:43:44 OpenWrt authpriv.warn ipsec_starter[2606]: no default route - cannot cope with %defaultroute!!!
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[KNL] listening on interfaces:
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[KNL] eth0
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[KNL] eth1
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[KNL] 10.0.0.2
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[KNL] br-lan
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[KNL] 192.168.2.1
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[KNL] eth0.1
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[KNL] received netlink error: Address family not supported by protocol (124)
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[KNL] unable to create IPv6 routing table rule
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[NET] unable to create raw socket: Address family not supported by protocol
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[NET] could not open IPv6 receive socket, IPv6 disabled
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[CFG] loaded IKE secret for 10.0.0.2 10.0.0.1
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Jun 6 20:43:44 OpenWrt daemon.info syslog: 00[JOB] spawning 16 worker threads
Jun 6 20:43:44 OpenWrt authpriv.warn ipsec_starter[2631]: charon (2632) started after 40 ms
Jun 6 20:43:44 OpenWrt daemon.info syslog: 07[CFG] received stroke: add connection '1'
Jun 6 20:43:44 OpenWrt daemon.info syslog: 07[CFG] added configuration '1'
Jun 6 20:43:44 OpenWrt daemon.info syslog: 09[CFG] received stroke: route '1'
Jun 6 20:43:44 OpenWrt authpriv.warn ipsec_starter[2631]: '1' routed
Jun 6 20:43:45 OpenWrt daemon.info syslog: 02[KNL] creating acquire job for policy 192.168.2.125/32[icmp/8] === 192.168.1.236/32[icmp] with reqid {305}
Jun 6 20:43:45 OpenWrt daemon.info syslog: 11[IKE] initiating IKE_SA 1[1] to 10.0.0.1
Jun 6 20:43:45 OpenWrt authpriv.info syslog: 11[IKE] initiating IKE_SA 1[1] to 10.0.0.1
Jun 6 20:43:45 OpenWrt daemon.info syslog: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 6 20:43:45 OpenWrt daemon.info syslog: 11[NET] sending packet: from 10.0.0.2[500] to 10.0.0.1[500]
Jun 6 20:43:49 OpenWrt daemon.info syslog: 12[IKE] retransmit 1 of request with message ID 0
Jun 6 20:43:49 OpenWrt daemon.info syslog: 12[NET] sending packet: from 10.0.0.2[500] to 10.0.0.1[500]
Jun 6 20:43:50 OpenWrt daemon.info syslog: 13[NET] received packet: from 10.0.0.1[500] to 10.0.0.2[500]
Jun 6 20:43:50 OpenWrt daemon.info syslog: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
I'm not sure what I'm doing wrong or what else I need to do for traffic to start flowing, but if anyone could help out it would be much appreciated.
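Added example, not part of the original post: a small POSIX shell helper that derives one side's three xfrm policies from the four addresses and the reqid in ipsec.conf, so the in/out/fwd entries on the two routers stay exact mirror images, plus a check that a saved `ip xfrm policy` dump actually carries all three directions with that reqid. The function names and the embedded dump are constructed for this example; the dump is shaped like what side 1 would print after the commands above, not captured from a real router.

```shell
# Added helper (not from the post): build one side's xfrm policies from the
# ipsec.conf addresses, then verify a saved 'ip xfrm policy' dump.
policy_line() {  # DIR SEL_SRC SEL_DST TMPL_SRC TMPL_DST REQID -> one ip command
    printf 'ip xfrm policy add dir %s src %s dst %s proto any action allow priority 100' "$1" "$2" "$3"
    printf ' tmpl mode tunnel reqid %s src %s dst %s proto esp level required\n' "$6" "$4" "$5"
}
# xfrm_policy_cmds LOCAL_WAN REMOTE_WAN LOCAL_LAN REMOTE_LAN REQID
# in/fwd select remote LAN -> local LAN inside ESP remote WAN -> local WAN; out
# is the reverse. One set of inputs keeps both routers exact mirror images.
xfrm_policy_cmds() {
    lwan=$1 rwan=$2 llan=$3 rlan=$4 reqid=$5
    policy_line in  "$rlan" "$llan" "$rwan" "$lwan" "$reqid"
    policy_line out "$llan" "$rlan" "$lwan" "$rwan" "$reqid"
    policy_line fwd "$rlan" "$llan" "$rwan" "$lwan" "$reqid"
}

# xfrm_policy_check DUMP REQID: prints "ok" when in, out and fwd policies all
# carry REQID (the value charon's acquire must match), else "missing: <dirs>".
xfrm_policy_check() {
    verdict=$(printf '%s\n' "$1" | awk -v want="$2" '
        /^src /  { dir = "" }                          # a new policy record
        /dir /   { for (i = 1; i <= NF; i++) if ($i == "dir") dir = $(i + 1) }
        /reqid / { for (i = 1; i <= NF; i++) if ($i == "reqid" && $(i + 1) == want) seen[dir] = 1 }
        END {
            split("in out fwd", need, " ")
            for (i = 1; i <= 3; i++) if (!(need[i] in seen)) miss = miss " " need[i]
            if (miss == "") print "ok"; else print "missing:" miss
        }')
    printf '%s\n' "$verdict"
    [ "$verdict" = ok ]
}

# Constructed dump in the shape 'ip xfrm policy' prints on side 1 after the
# post's three commands are applied (not captured from a real router).
SAMPLE_DUMP='src 192.168.2.0/24 dst 192.168.1.0/24
    dir in priority 100
    tmpl src 10.0.0.2 dst 10.0.0.1
        proto esp reqid 305 mode tunnel
src 192.168.1.0/24 dst 192.168.2.0/24
    dir out priority 100
    tmpl src 10.0.0.1 dst 10.0.0.2
        proto esp reqid 305 mode tunnel
src 192.168.2.0/24 dst 192.168.1.0/24
    dir fwd priority 100
    tmpl src 10.0.0.2 dst 10.0.0.1
        proto esp reqid 305 mode tunnel'
# Dry run for side 1 of the post (swap argument pairs for side 2); on the router
# pipe this into sh, then feed the real 'ip xfrm policy' output to the check.
xfrm_policy_cmds 10.0.0.1 10.0.0.2 192.168.1.0/24 192.168.2.0/24 305
xfrm_policy_check "$SAMPLE_DUMP" 305
```

Confirming the three policies are present with the configured reqid before touching the IKE side separates a kernel-policy mistake from an IKE negotiation problem.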