LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
#1  06-05-2012, 05:37 PM  arfett (LQ Newbie, registered Jun 2012)
StrongSwan policy question


I'm having some trouble getting a working site-to-site tunnel when using 'installpolicy=no' in my strongswan configuration and I can't really figure this out even after an entire day of googling. IPsec SAs never form.

OS: OpenWRT trunk
StrongSwan: 4.5.3

Side 1:
WAN = 10.0.0.1
LAN = 192.168.1.0/24

ipsec.conf
config setup
        plutodebug=control
        plutostart=no
        charondebug=control
        charonstart=yes
        nat_traversal=yes

conn %default
        auth=esp
        authby=psk
        closeaction=restart
        compress=no
        dpdaction=restart
        # charon negotiates the SAs but installs no xfrm policies; they are added by hand (see below)
        installpolicy=no
        keyingtries=%forever
        leftfirewall=yes
        lefthostaccess=yes
        margintime=9m
        mobike=no
        reauth=yes
        rekey=yes
        rightfirewall=yes
        righthostaccess=yes
        type=tunnel

conn 1
        auto=start
        dpddelay=60s
        esp=aes128-sha1-modp1024!
        forceencaps=no
        ike=aes128-sha1-modp1024!
        ikelifetime=3h
        keyexchange=ikev2
        left=10.0.0.1
        leftsubnet=192.168.1.0/24
        lifetime=8h
        pfs=yes
        pfsgroup=modp1024
        # must match the reqid carried by the hand-installed xfrm policies
        reqid=305
        right=10.0.0.2
        rightsubnet=192.168.2.0/24


Side 2:
WAN = 10.0.0.2
LAN = 192.168.2.0/24

ipsec.conf
config setup
        plutodebug=control
        plutostart=no
        charondebug=control
        charonstart=yes
        nat_traversal=yes

conn %default
        auth=esp
        authby=psk
        closeaction=restart
        compress=no
        dpdaction=restart
        installpolicy=no
        keyingtries=%forever
        leftauth=psk
        leftfirewall=yes
        lefthostaccess=yes
        margintime=9m
        mobike=no
        reauth=yes
        rekey=yes
        rightauth=psk
        rightfirewall=yes
        righthostaccess=yes
        type=tunnel

conn 1
        auto=start
        dpddelay=60s
        esp=aes128-sha1-modp1024!
        forceencaps=no
        ike=aes128-sha1-modp1024!
        ikelifetime=3h
        keyexchange=ikev2
        left=10.0.0.2
        leftsubnet=192.168.2.0/24
        lifetime=8h
        pfs=yes
        pfsgroup=modp1024
        reqid=305
        right=10.0.0.1
        rightsubnet=192.168.1.0/24

I've messed with ip xfrm with the lines below:

Side 1:
ip xfrm policy add dir in src 192.168.2.0/24 dst 192.168.1.0/24 proto any action allow priority 100 tmpl mode tunnel reqid 305 src 10.0.0.2 dst 10.0.0.1 proto esp level required
ip xfrm policy add dir out src 192.168.1.0/24 dst 192.168.2.0/24 proto any action allow priority 100 tmpl mode tunnel reqid 305 src 10.0.0.1 dst 10.0.0.2 proto esp level required
ip xfrm policy add dir fwd src 192.168.2.0/24 dst 192.168.1.0/24 proto any action allow priority 100 tmpl mode tunnel reqid 305 src 10.0.0.2 dst 10.0.0.1 proto esp level required

Side 2:
ip xfrm policy add dir in src 192.168.1.0/24 dst 192.168.2.0/24 proto any action allow priority 100 tmpl mode tunnel reqid 305 src 10.0.0.1 dst 10.0.0.2 proto esp level required
ip xfrm policy add dir out src 192.168.2.0/24 dst 192.168.1.0/24 proto any action allow priority 100 tmpl mode tunnel reqid 305 src 10.0.0.2 dst 10.0.0.1 proto esp level required
ip xfrm policy add dir fwd src 192.168.1.0/24 dst 192.168.2.0/24 proto any action allow priority 100 tmpl mode tunnel reqid 305 src 10.0.0.1 dst 10.0.0.2 proto esp level required

Side 1 syslog:
Code:
Jun  6 20:55:50 OpenWrt authpriv.warn ipsec_starter[2720]: Starting strongSwan 4.5.3 IPsec [starter]...
Jun  6 20:55:50 OpenWrt authpriv.warn ipsec_starter[2720]: no default route - cannot cope with %defaultroute!!!
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[KNL] listening on interfaces:
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[KNL]   eth0
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[KNL]   eth1
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[KNL]     10.0.0.1
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[KNL]   br-lan
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[KNL]     192.168.1.1
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[KNL]   eth0.1
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[KNL] received netlink error: Address family not supported by protocol (124)
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[KNL] unable to create IPv6 routing table rule
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[NET] unable to create raw socket: Address family not supported by protocol
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[NET] could not open IPv6 receive socket, IPv6 disabled
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[CFG]   loaded IKE secret for 10.0.0.1 10.0.0.2
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown 
Jun  6 20:55:50 OpenWrt daemon.info syslog: 00[JOB] spawning 16 worker threads
Jun  6 20:55:50 OpenWrt authpriv.warn ipsec_starter[2744]: charon (2745) started after 40 ms
Jun  6 20:55:50 OpenWrt daemon.info syslog: 07[CFG] received stroke: add connection '1'
Jun  6 20:55:50 OpenWrt daemon.info syslog: 07[CFG] added configuration '1'
Jun  6 20:55:50 OpenWrt daemon.info syslog: 09[CFG] received stroke: route '1'
Jun  6 20:55:50 OpenWrt authpriv.warn ipsec_starter[2744]: '1' routed
Jun  6 20:55:52 OpenWrt daemon.info syslog: 11[NET] received packet: from 10.0.0.2[500] to 10.0.0.1[500]
Jun  6 20:55:52 OpenWrt daemon.info syslog: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun  6 20:55:52 OpenWrt daemon.info syslog: 11[IKE] 10.0.0.2 is initiating an IKE_SA
Jun  6 20:55:52 OpenWrt authpriv.info syslog: 11[IKE] 10.0.0.2 is initiating an IKE_SA
Jun  6 20:55:53 OpenWrt daemon.info syslog: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun  6 20:55:53 OpenWrt daemon.info syslog: 11[NET] sending packet: from 10.0.0.1[500] to 10.0.0.2[500]
Jun  6 20:56:22 OpenWrt daemon.info syslog: 14[JOB] deleting half open IKE_SA after timeout
Side 2 syslog:
Code:
Jun  6 20:43:44 OpenWrt authpriv.warn ipsec_starter[2606]: Starting strongSwan 4.5.3 IPsec [starter]...
Jun  6 20:43:44 OpenWrt authpriv.warn ipsec_starter[2606]: no default route - cannot cope with %defaultroute!!!
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[KNL] listening on interfaces:
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[KNL]   eth0
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[KNL]   eth1
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[KNL]     10.0.0.2
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[KNL]   br-lan
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[KNL]     192.168.2.1
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[KNL]   eth0.1
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[KNL] received netlink error: Address family not supported by protocol (124)
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[KNL] unable to create IPv6 routing table rule
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[NET] unable to create raw socket: Address family not supported by protocol
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[NET] could not open IPv6 receive socket, IPv6 disabled
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[CFG]   loaded IKE secret for 10.0.0.2 10.0.0.1
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown 
Jun  6 20:43:44 OpenWrt daemon.info syslog: 00[JOB] spawning 16 worker threads
Jun  6 20:43:44 OpenWrt authpriv.warn ipsec_starter[2631]: charon (2632) started after 40 ms
Jun  6 20:43:44 OpenWrt daemon.info syslog: 07[CFG] received stroke: add connection '1'
Jun  6 20:43:44 OpenWrt daemon.info syslog: 07[CFG] added configuration '1'
Jun  6 20:43:44 OpenWrt daemon.info syslog: 09[CFG] received stroke: route '1'
Jun  6 20:43:44 OpenWrt authpriv.warn ipsec_starter[2631]: '1' routed
Jun  6 20:43:45 OpenWrt daemon.info syslog: 02[KNL] creating acquire job for policy 192.168.2.125/32[icmp/8] === 192.168.1.236/32[icmp] with reqid {305}
Jun  6 20:43:45 OpenWrt daemon.info syslog: 11[IKE] initiating IKE_SA 1[1] to 10.0.0.1
Jun  6 20:43:45 OpenWrt authpriv.info syslog: 11[IKE] initiating IKE_SA 1[1] to 10.0.0.1
Jun  6 20:43:45 OpenWrt daemon.info syslog: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun  6 20:43:45 OpenWrt daemon.info syslog: 11[NET] sending packet: from 10.0.0.2[500] to 10.0.0.1[500]
Jun  6 20:43:49 OpenWrt daemon.info syslog: 12[IKE] retransmit 1 of request with message ID 0
Jun  6 20:43:49 OpenWrt daemon.info syslog: 12[NET] sending packet: from 10.0.0.2[500] to 10.0.0.1[500]
Jun  6 20:43:50 OpenWrt daemon.info syslog: 13[NET] received packet: from 10.0.0.1[500] to 10.0.0.2[500]
Jun  6 20:43:50 OpenWrt daemon.info syslog: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]

I'm not sure what I'm doing wrong or what else I need to do for traffic to start flowing but if anyone could help out it would be much appreciated.

Last edited by arfett; 06-06-2012 at 04:22 PM.
 
#2  06-06-2012, 03:03 AM  nikmit (Member; Nottingham, UK; Debian)
Quote:
plutodebug=control
plutostart=no
charonstart=yes
You are using charon, but debugging pluto - change that and see if you get any helpful logs.

This is from http://wiki.strongswan.org/projects/...igSetupSection:
Quote:
IKEv2 charon daemon only

charondebug = <debug list>

how much Charon debugging output should be logged. A comma-separated list containing
type/level pairs may be specified, e.g: dmn 3, ike 1, net -1. Acceptable values for
types are dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, tls, tnc, imc, imv, pts and the level is one of
[-1, 0, 1, 2, 3, 4] (for silent, audit, control, controlmore, raw, private). By default, the level is
set to 1 for all types.
 
#3  06-06-2012, 04:13 AM  ecdsa (LQ Newbie)
Without any logs it's hard to tell what the problem is. You don't even write if the IKE_SA is established successfully or how you test if traffic is flowing or not.

What exactly is the reason you use installpolicy=no in the first place? Does it work if you use installpolicy=yes?
 
#4  06-06-2012, 04:23 PM  arfett (Original Poster)
Pluto debugging is on because IKEv1 will be used on some tunnels. I've updated the original post with more information.

I do not want strongswan entering the kernel traps because the tunnels will be set to pass all traffic down the VPN and I need rules before them for specific traffic to keep it out of the tunnel.
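
Added example (not from the thread and not strongSwan's own code): what the hand-maintained SPD for the conn above looks like as a small POSIX sh script for the OpenWrt shell. It installs the out/in/fwd policies that charon would otherwise have created, bound to the conn's reqid, and shows what "rules before them to keep specific traffic out of the tunnel" looks like in xfrm terms: a bypass policy (action allow, no template) with a lower priority value, which the kernel consults first. The WAN/LAN addresses and reqid 305 are the side 1 values from the thread; the 192.168.1.10/32 host and the priorities 100 and 50 are assumed values for illustration.

```shell
#!/bin/sh
# Added example for the strongSwan installpolicy=no thread; not from the post or from strongSwan.
# Usage: sh xfrm-site.sh        -> print the ip commands (dry run, default)
#        sh xfrm-site.sh apply  -> run them (needs root and a kernel with xfrm/ESP support)
IP=${IP:-ip}

# xfrm_site_policies LOCAL_WAN REMOTE_WAN LOCAL_LAN REMOTE_LAN REQID [PRIORITY]
# Recreates the three SPD entries charon installs for a tunnel-mode site-to-site conn.
xfrm_site_policies() {
    lw=$1 rw=$2 ll=$3 rl=$4 reqid=$5 prio=${6:-100}
    # Outbound: selector is local LAN -> remote LAN, template is our WAN -> their WAN.
    # The reqid ties the resulting acquire to the conn that carries reqid=REQID.
    $IP xfrm policy add dir out src "$ll" dst "$rl" priority "$prio" \
        tmpl src "$lw" dst "$rw" proto esp reqid "$reqid" mode tunnel level required
    # Inbound: "in" covers packets addressed to the gateway itself, "fwd" packets it
    # forwards on to LAN hosts. Selector and template are the mirror image.
    # "level required" drops clear-text packets matching the selector instead of
    # accepting them, so nobody can spoof the remote LAN past the tunnel.
    for d in "in" "fwd"; do
        $IP xfrm policy add dir "$d" src "$rl" dst "$ll" priority "$prio" \
            tmpl src "$rw" dst "$lw" proto esp reqid "$reqid" mode tunnel level required
    done
}

# xfrm_bypass LOCAL_PREFIX REMOTE_PREFIX [PRIORITY]
# A policy with action allow and no template is a bypass: matching traffic is sent and
# accepted in the clear. A lower priority value wins, so 50 is consulted before the
# tunnel policies at 100. Swap "allow" for "block" to drop the traffic instead.
xfrm_bypass() {
    lp=$1 rp=$2 prio=${3:-50}
    $IP xfrm policy add dir out src "$lp" dst "$rp" priority "$prio" action allow
    for d in "in" "fwd"; do
        $IP xfrm policy add dir "$d" src "$rp" dst "$lp" priority "$prio" action allow
    done
}

case "${1:-show}" in
    apply) ;;
    show)  IP=echo ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 1 ;;
esac

# Side 1 of the thread, plus an assumed management host that must never be tunnelled.
xfrm_site_policies 10.0.0.1 10.0.0.2 192.168.1.0/24 192.168.2.0/24 305
xfrm_bypass 192.168.1.10/32 192.168.2.0/24
```

`ip xfrm policy show` lists what was installed and, once IKE_AUTH has completed, `ip xfrm state` should show two ESP SAs carrying reqid 305. Two checks matter when the SPD is maintained this way. First, the side 2 line `creating acquire job for policy ... with reqid {305}` is the kernel handing an acquire for a hand-installed policy to charon by reqid, so the reqid in the policies and in the conn must agree, as they do in the thread. Second, in strongSwan 4.x the route toward the remote subnet goes in together with the policy, so with installpolicy=no charon adds neither; the normal routing table must already send 192.168.2.0/24 out of the WAN interface or the out policy is never consulted and no acquire is ever generated.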
 
#5  06-07-2012, 01:52 AM  nikmit
Quote:
Jun 6 20:55:53 OpenWrt daemon.info syslog: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 6 20:55:53 OpenWrt daemon.info syslog: 11[NET] sending packet: from 10.0.0.1[500] to 10.0.0.2[500]
Jun 6 20:56:22 OpenWrt daemon.info syslog: 14[JOB] deleting half open IKE_SA after timeout
Side one doesn't get a response on port 500, are all firewalls in the way configured to allow it?
On side two it looks like you have trimmed the logs short of the interesting stuff that might be there.

Quote:
Jun 6 20:43:45 OpenWrt daemon.info syslog: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 6 20:43:45 OpenWrt daemon.info syslog: 11[NET] sending packet: from 10.0.0.2[500] to 10.0.0.1[500]
Jun 6 20:43:49 OpenWrt daemon.info syslog: 12[IKE] retransmit 1 of request with message ID 0
Jun 6 20:43:49 OpenWrt daemon.info syslog: 12[NET] sending packet: from 10.0.0.2[500] to 10.0.0.1[500]
Jun 6 20:43:50 OpenWrt daemon.info syslog: 13[NET] received packet: from 10.0.0.1[500] to 10.0.0.2[500]
Jun 6 20:43:50 OpenWrt daemon.info syslog: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
It received a packet from side 1, but we can't see if it responded or not.
 
#6  06-07-2012, 12:59 PM  arfett (Original Poster)
Quote:
Originally Posted by nikmit View Post
Side one doesn't get a response on port 500, are all firewalls in the way configured to allow it?
On side two it looks like you have trimmed the logs short of the interesting stuff that might be there.



It received a packet from side 1, but we can't see if it responded or not.
Both sides are identical in all configurations. They are the same router model with the same firmware image loaded. Both sides are receiving the packets according to tcpdump. I haven't cut the logs. It just repeats those same final messages over and over.

side 1 tcpdump:
Code:
17:47:52.353965 IP 10.0.0.1.500 > 10.0.0.2.500: UDP, length 304
17:47:52.475216 IP 10.0.0.2.500 > 10.0.0.1.500: UDP, length 312
17:47:55.695780 IP 10.0.0.2.500 > 10.0.0.1.500: UDP, length 304
17:47:55.814532 IP 10.0.0.1.500 > 10.0.0.2.500: UDP, length 312
side 2 tcpdump:
Code:
17:35:50.445765 IP 10.0.0.1.500 > 10.0.0.2.500: UDP, length 304
17:35:50.566941 IP 10.0.0.2.500 > 10.0.0.1.500: UDP, length 312
17:35:53.787504 IP 10.0.0.2.500 > 10.0.0.1.500: UDP, length 304
17:35:53.906356 IP 10.0.0.1.500 > 10.0.0.2.500: UDP, length 312

Last edited by arfett; 06-07-2012 at 01:06 PM.
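
Added example (not from the thread and not strongSwan's own code): nikmit's reading of the two logs in #5 comes down to counting which IKEv2 messages each side generated or parsed and where the sequence stops. This POSIX sh function does that count over charon's syslog output, matching the strongSwan 4.x wording quoted in #1, and prints a verdict on where the handshake stalled. The sample lines are the side 2 initiator messages copied from #1 so the function runs without a router at hand; the verdict texts are my own wording, not charon's.

```shell
#!/bin/sh
# Added example for the strongSwan installpolicy=no thread; not from the posts or from strongSwan.
# Usage on OpenWrt:  logread | ike_handshake_summary
#              or:   ike_handshake_summary < /var/log/messages

# Count IKE_SA_INIT / IKE_AUTH requests and responses (both "generating" and "parsed",
# so the same function works on the initiator and the responder log) and report the
# first step of the IKEv2 handshake that is missing.
ike_handshake_summary() {
    awk '
    BEGIN { ireq = iresp = areq = aresp = est = half = rexmit = 0 }
    /\[ENC\] (generating|parsed) IKE_SA_INIT request/  { ireq++ }
    /\[ENC\] (generating|parsed) IKE_SA_INIT response/ { iresp++ }
    /\[ENC\] (generating|parsed) IKE_AUTH request/     { areq++ }
    /\[ENC\] (generating|parsed) IKE_AUTH response/    { aresp++ }
    /\[IKE\] IKE_SA .* established between/            { est++ }
    /\[JOB\] deleting half open IKE_SA after timeout/  { half++ }
    /\[IKE\] retransmit [0-9]+ of request/             { rexmit++ }
    END {
        printf "IKE_SA_INIT req=%d resp=%d  IKE_AUTH req=%d resp=%d  established=%d  half-open deleted=%d  retransmits=%d\n",
               ireq, iresp, areq, aresp, est, half, rexmit
        if (est > 0)                      print "VERDICT: IKE_SA established"
        else if (ireq > 0 && iresp == 0)  print "VERDICT: no IKE_SA_INIT response seen; check the UDP/500 (and 4500) path"
        else if (iresp > 0 && areq == 0)  print "VERDICT: stalled after IKE_SA_INIT; IKE_AUTH was never generated or parsed"
        else if (areq > 0 && aresp == 0)  print "VERDICT: IKE_AUTH request seen but no response; check secrets and identities"
        else                              print "VERDICT: IKE_AUTH exchanged but no IKE_SA established; look for AUTHENTICATION_FAILED or other notifies"
    }'
}

# Constructed sample input: the side 2 initiator lines from the thread, trimmed to the
# messages the counter looks at.
sample_log() {
    cat <<'EOF'
Jun  6 20:43:45 OpenWrt daemon.info syslog: 11[IKE] initiating IKE_SA 1[1] to 10.0.0.1
Jun  6 20:43:45 OpenWrt daemon.info syslog: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun  6 20:43:45 OpenWrt daemon.info syslog: 11[NET] sending packet: from 10.0.0.2[500] to 10.0.0.1[500]
Jun  6 20:43:49 OpenWrt daemon.info syslog: 12[IKE] retransmit 1 of request with message ID 0
Jun  6 20:43:50 OpenWrt daemon.info syslog: 13[NET] received packet: from 10.0.0.1[500] to 10.0.0.2[500]
Jun  6 20:43:50 OpenWrt daemon.info syslog: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
EOF
}

sample_log | ike_handshake_summary
```

For both logs in this thread the function reports one IKE_SA_INIT request and one response and no IKE_AUTH at all: side 2 parses the response from side 1 and then logs nothing further, and side 1 deletes the half-open IKE_SA after the timeout, which is the same picture nikmit describes. At `charondebug=control` that is all charon says; to see what it does between parsing the IKE_SA_INIT response and (not) generating IKE_AUTH, raise the relevant groups in config setup, e.g. `charondebug="ike 2, knl 2, net 2"` as the wiki text quoted in #2 describes, restart, and run the count again.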
 
  

