LinuxQuestions.org
Fedora This forum is for the discussion of the Fedora Project.
Old 01-16-2018, 04:08 AM   #1
detached
LQ Newbie
 
Registered: Jan 2018
Posts: 1

Trouble routing traffic through Strongswan IPSec tunnel


Hi LinuxQuestions Forum,

I have to set up a tunnel to an IPSec ikev1 VPN with Strongswan on Fedora 27.
Creating the connection with Strongswan is easy; I get an IP from the server and Strongswan reports that the tunnel is established.
Unfortunately no traffic is routed through the tunnel.

The same config with strongswan libipsec backend works: Strongswan creates a tun device and I can access servers behind the gateway.

I post this thread in the Fedora forum because the exact same configuration works on Ubuntu and Debian, so I think it might be related to a Fedora specific thing.

Can one of you help me with this?

Here is what I did:

Quote:
dnf install strongswan
Add ipsec.conf:

Quote:
conn %default
    aggressive=no
    authby=xauthpsk
    fragmentation=no
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    keyexchange=ikev1
    xauth=client

conn myCompany
    leftsourceip=%config
    leftauth=psk
    leftauth2=xauth
    right=$ipOfTheGateway
    rightsubnet=0.0.0.0/0
    rightauth=psk
    xauth_identity=$myUsername
    auto=start
Starting strongswan creates the following logs:

Quote:
Jan 16 10:39:36 strongswan[6536]: Starting strongSwan 5.6.0 IPsec [starter]...
Jan 16 10:39:36 ipsec_starter[6536]: Starting strongSwan 5.6.0 IPsec [starter]...
Jan 16 10:39:36 charon[6552]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Linux 4.14.11-300.fc27.x86_64, x86_64)
Jan 16 10:39:36 charon[6552]: 00[CFG] PKCS11 module '<name>' lacks library path
Jan 16 10:39:36 charon[6552]: 00[LIB] openssl FIPS mode(2) - enabled
Jan 16 10:39:36 charon[6552]: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Jan 16 10:39:36 charon[6552]: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Jan 16 10:39:36 charon[6552]: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Jan 16 10:39:36 charon[6552]: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Jan 16 10:39:36 charon[6552]: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Jan 16 10:39:36 charon[6552]: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Jan 16 10:39:36 charon[6552]: 00[CFG] loaded IKE secret for %any
Jan 16 10:39:36 charon[6552]: 00[CFG] loaded EAP secret for @myUsername
Jan 16 10:39:36 charon[6552]: 00[CFG] opening triplet file /etc/strongswan/ipsec.d/triplets.dat failed: No such file or directory
Jan 16 10:39:36 charon[6552]: 00[CFG] HA config misses local/remote address
Jan 16 10:39:36 charon[6552]: 00[CFG] no script for ext-auth script defined, disabled
Jan 16 10:39:36 strongswan[6536]: charon (6552) started after 40 ms
Jan 16 10:39:36 charon[6552]: 00[LIB] loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gc
Jan 16 10:39:36 charon[6552]: 00[JOB] spawning 16 worker threads
Jan 16 10:39:36 ipsec_starter[6536]: charon (6552) started after 40 ms
Jan 16 10:39:36 charon[6552]: 06[CFG] received stroke: add connection 'myCompany'
Jan 16 10:39:36 charon[6552]: 06[CFG] added configuration 'myCompany'
Jan 16 10:39:36 charon[6552]: 08[CFG] received stroke: initiate 'myCompany'
Jan 16 10:39:36 charon[6552]: 08[IKE] initiating Main Mode IKE_SA myCompany[1] to $gatewayIP
Jan 16 10:39:36 charon[6552]: 08[IKE] initiating Main Mode IKE_SA myCompany[1] to $gatewayIP
Jan 16 10:39:36 charon[6552]: 08[ENC] generating ID_PROT request 0 [ SA V V V V ]
Jan 16 10:39:36 charon[6552]: 08[NET] sending packet: from 192.168.168.161[500] to $gatewayIP[500] (216 bytes)
Jan 16 10:39:36 charon[6552]: 09[NET] received packet: from $gatewayIP[500] to 192.168.168.161[500] (156 bytes)
Jan 16 10:39:36 charon[6552]: 09[ENC] parsed ID_PROT response 0 [ SA V V V V ]
Jan 16 10:39:36 charon[6552]: 09[IKE] received NAT-T (RFC 3947) vendor ID
Jan 16 10:39:36 charon[6552]: 09[IKE] received DPD vendor ID
Jan 16 10:39:36 charon[6552]: 09[IKE] received XAuth vendor ID
Jan 16 10:39:36 charon[6552]: 09[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
Jan 16 10:39:36 charon[6552]: 09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 16 10:39:36 charon[6552]: 09[NET] sending packet: from 192.168.168.161[500] to $gatewayIP[500] (244 bytes)
Jan 16 10:39:36 charon[6552]: 10[NET] received packet: from $gatewayIP[500] to 192.168.168.161[500] (228 bytes)
Jan 16 10:39:36 charon[6552]: 10[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jan 16 10:39:36 charon[6552]: 10[IKE] local host is behind NAT, sending keep alives
Jan 16 10:39:36 charon[6552]: 10[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jan 16 10:39:36 strongswan[6536]: 10[NET] sending packet: from 192.168.168.161[4500] to $gatewayIP[4500] (108 bytes)
Jan 16 10:39:36 strongswan[6536]: 11[NET] received packet: from $gatewayIP[4500] to 192.168.168.161[4500] (76 bytes)
Jan 16 10:39:36 strongswan[6536]: 11[ENC] parsed ID_PROT response 0 [ ID HASH ]
Jan 16 10:39:36 strongswan[6536]: 12[NET] received packet: from $gatewayIP[4500] to 192.168.168.161[4500] (76 bytes)
Jan 16 10:39:36 strongswan[6536]: 12[ENC] parsed TRANSACTION request 2231888642 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
Jan 16 10:39:36 strongswan[6536]: 12[ENC] generating TRANSACTION response 2231888642 [ HASH CPRP(X_USER X_PWD) ]
Jan 16 10:39:36 strongswan[6536]: 12[NET] sending packet: from 192.168.168.161[4500] to $gatewayIP[4500] (92 bytes)
Jan 16 10:39:36 strongswan[6536]: 13[NET] received packet: from $gatewayIP[4500] to 192.168.168.161[4500] (76 bytes)
Jan 16 10:39:36 strongswan[6536]: 13[ENC] parsed TRANSACTION request 1405914515 [ HASH CPS(X_STATUS) ]
Jan 16 10:39:36 strongswan[6536]: 13[IKE] XAuth authentication of '$myUsername' (myself) successful
Jan 16 10:39:36 strongswan[6536]: 13[IKE] IKE_SA myCompany[1] established between 192.168.168.161[192.168.168.161]...$gatewayIP[$gatewayIP]
Jan 16 10:39:36 strongswan[6536]: 13[IKE] scheduling reauthentication in 9906s
Jan 16 10:39:36 strongswan[6536]: 13[IKE] maximum IKE_SA lifetime 10446s
Jan 16 10:39:36 strongswan[6536]: 13[ENC] generating TRANSACTION response 1405914515 [ HASH CPA(X_STATUS) ]
Jan 16 10:39:36 strongswan[6536]: 13[NET] sending packet: from 192.168.168.161[4500] to $gatewayIP[4500] (76 bytes)
Jan 16 10:39:36 strongswan[6536]: 13[ENC] generating TRANSACTION request 2447955566 [ HASH CPRQ(ADDR DNS) ]
Jan 16 10:39:36 strongswan[6536]: 13[NET] sending packet: from 192.168.168.161[4500] to $gatewayIP[4500] (76 bytes)
Jan 16 10:39:36 strongswan[6536]: 15[NET] received packet: from $gatewayIP[4500] to 192.168.168.161[4500] (92 bytes)
Jan 16 10:39:36 strongswan[6536]: 15[ENC] parsed TRANSACTION response 2447955566 [ HASH CPRP(ADDR DNS) ]
Jan 16 10:39:36 strongswan[6536]: 15[IKE] installing DNS server 172.29.0.8 to /etc/resolv.conf.strongswan
Jan 16 10:39:36 strongswan[6536]: 15[IKE] installing new virtual IP 172.29.12.12
Jan 16 10:39:36 audit: MAC_IPSEC_EVENT op=SAD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 src=$gatewayIP dst=192.168.168.161 spi=3291329967(0xc42db5af) res=1
Jan 16 10:39:36 audit: MAC_IPSEC_EVENT op=SAD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 src=192.168.168.161 dst=$gatewayIP spi=113095575(0x6bdb397) res=1
Jan 16 10:39:36 audit: MAC_IPSEC_EVENT op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=172.29.12.12 dst=0.0.0.0 dst_prefixlen=0
Jan 16 10:39:36 audit: MAC_IPSEC_EVENT op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0.0.0.0 src_prefixlen=0 dst=172.29.12.12
Jan 16 10:39:36 audit: MAC_IPSEC_EVENT op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=0.0.0.0 src_prefixlen=0 dst=172.29.12.12
Jan 16 10:39:36 audit: MAC_IPSEC_EVENT op=SPD-add auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 src=172.29.12.12 dst=0.0.0.0 dst_prefixlen=0
Jan 16 10:39:36 charon[6552]: 15[ENC] generating QUICK_MODE request 1202224229 [ HASH SA No ID ID ]
Jan 16 10:39:36 charon[6552]: 15[NET] sending packet: from 192.168.168.161[4500] to $gatewayIP[4500] (204 bytes)
Jan 16 10:39:36 charon[6552]: 05[NET] received packet: from $gatewayIP[4500] to 192.168.168.161[4500] (156 bytes)
Jan 16 10:39:36 charon[6552]: 05[ENC] parsed QUICK_MODE response 1202224229 [ HASH SA No ID ID ]
Jan 16 10:39:36 charon[6552]: 05[IKE] CHILD_SA myCompany{1} established with SPIs c42db5af_i 06bdb397_o and TS 172.29.12.12/32 === 0.0.0.0/0
Jan 16 10:39:36 charon[6552]: 05[IKE] CHILD_SA myCompany{1} established with SPIs c42db5af_i 06bdb397_o and TS 172.29.12.12/32 === 0.0.0.0/0
Jan 16 10:39:36 charon[6552]: 05[ENC] generating QUICK_MODE request 1202224229 [ HASH ]
Jan 16 10:39:36 charon[6552]: 05[NET] sending packet: from 192.168.168.161[4500] to $gatewayIP[4500] (60 bytes)
Jan 16 10:39:46 charon[6552]: 11[NET] received packet: from $gatewayIP[4500] to 192.168.168.161[4500] (92 bytes)
Jan 16 10:39:46 charon[6552]: 11[ENC] parsed INFORMATIONAL_V1 request 1493281689 [ HASH N(DPD) ]
...
swanctl -l
Quote:
myCompany: #1, ESTABLISHED, IKEv1, 64094aa8463b93be_i* 925b9fa16090772b_r
local '192.168.168.161' @ 192.168.168.161[4500] [172.29.12.12]
remote '$gatewayIp' @ $gatewayIp[4500]
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
established 654s ago, reauth in 9252s
myCompany: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
installed 654s ago, rekeying in 2319s, expires in 2946s
in c42db5af, 0 bytes, 0 packets
out 06bdb397, 0 bytes, 0 packets, 6s ago
local 172.29.12.12/32
remote 0.0.0.0/0
ip a:
Quote:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether d4:81:d7:82:6f:ab brd ff:ff:ff:ff:ff:ff
inet 192.168.168.161/24 brd 192.168.168.255 scope global dynamic enp0s31f6
valid_lft 82660sec preferred_lft 82660sec
inet 172.29.12.12/32 scope global enp0s31f6
valid_lft forever preferred_lft forever
inet6 fe80::d75b:9b6:3bc:b0b4/64 scope link
valid_lft forever preferred_lft forever
ip route:
Quote:
default via 192.168.168.6 dev enp0s31f6 proto static metric 100
192.168.168.0/24 dev enp0s31f6 proto kernel scope link src 192.168.168.161 metric 100
ip xfrm state:
Quote:
src 192.168.168.161 dst $gatewayIp
proto esp spi 0x06bdb397 reqid 1 mode tunnel
replay-window 0 flag af-unspec
auth-trunc hmac(sha1) 0x$sha1key 96
enc cbc(aes) 0x$aesKey
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src $gatewayIp dst 192.168.168.161
proto esp spi 0xc42db5af reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x$sha1key 96
enc cbc(aes) 0x$aesKey
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
ip xfrm policy:
Quote:
src 172.29.12.12/32 dst 0.0.0.0/0
dir out priority 383615 ptype main
tmpl src 192.168.168.161 dst $gatewayIp
proto esp spi 0x06bdb397 reqid 1 mode tunnel
src 0.0.0.0/0 dst 172.29.12.12/32
dir fwd priority 383615 ptype main
tmpl src $gatewayIp dst 192.168.168.161
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 172.29.12.12/32
dir in priority 383615 ptype main
tmpl src $gatewayIp dst 192.168.168.161
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
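The outputs above contain the information needed to see why nothing enters the tunnel: the only XFRM "out" policy selects packets with source 172.29.12.12, but the main routing table carries no source route for that virtual IP, so the kernel sources outbound packets from 192.168.168.161 and the policy never matches (the "0 bytes, 0 packets" counters on the outbound SA in swanctl -l and ip xfrm state are the observable sign). The checker below is an added example, not code from the post or from strongSwan; it re-parses the posted ip route, ip a and ip xfrm policy output (constructed here as strings, gateway kept as the post's $gatewayIp placeholder) and, for a given destination, works out which source address the kernel would pick and whether that (src, dst) pair hits an out policy with a template. The second, hypothetical route table that pins src 172.29.12.12 is an assumption standing in for the source route strongSwan's kernel-netlink plugin normally installs into a separate table (charon.routing_table, default 220); the example does not claim why that route is absent on this Fedora host.

```python
"""Check whether outbound traffic would actually hit a policy-based IPsec
tunnel: route lookup -> source selection -> XFRM 'out' policy match.
Added example; inputs are constructed from the outputs posted above."""
import ipaddress

# Constructed: 'ip route' output from the post (main table only).
MAIN_TABLE_AS_POSTED = """\
default via 192.168.168.6 dev enp0s31f6 proto static metric 100
192.168.168.0/24 dev enp0s31f6 proto kernel scope link src 192.168.168.161 metric 100
"""

# Hypothetical (assumed, not from the post): a table consulted before 'main'
# holding a source route that forces the virtual IP as source address.
VIP_SOURCE_TABLE = """\
default via 192.168.168.6 dev enp0s31f6 src 172.29.12.12
"""

# Constructed from 'ip a' in the post: global IPv4 addresses per device, in
# the order the kernel lists them.
IFACE_ADDRS = {"enp0s31f6": ["192.168.168.161", "172.29.12.12"]}

# Constructed from 'ip xfrm policy' in the post ($gatewayIp is the post's
# placeholder; templates are only checked for presence, not parsed).
XFRM_POLICY_AS_POSTED = """\
src 172.29.12.12/32 dst 0.0.0.0/0
    dir out priority 383615 ptype main
    tmpl src 192.168.168.161 dst $gatewayIp
        proto esp spi 0x06bdb397 reqid 1 mode tunnel
src 0.0.0.0/0 dst 172.29.12.12/32
    dir fwd priority 383615 ptype main
    tmpl src $gatewayIp dst 192.168.168.161
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 172.29.12.12/32
    dir in priority 383615 ptype main
    tmpl src $gatewayIp dst 192.168.168.161
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
"""


def parse_routes(text):
    """Parse 'ip route' lines into {net, dev, src} dicts."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        prefix = "0.0.0.0/0" if f[0] == "default" else f[0]
        if "/" not in prefix:
            prefix += "/32"
        r = {"net": ipaddress.ip_network(prefix), "dev": None, "src": None}
        for i, tok in enumerate(f):
            if tok == "dev":
                r["dev"] = f[i + 1]
            elif tok == "src":
                r["src"] = f[i + 1]
        routes.append(r)
    return routes


def parse_out_policies(text):
    """Parse 'ip xfrm policy' output and keep only 'dir out' policies.
    Per-socket bypass policies ('socket out') are not global and are skipped."""
    policies, cur = [], None
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "src" and len(f) > 3 and f[2] == "dst":
            cur = {"src": ipaddress.ip_network(f[1]), "dst": ipaddress.ip_network(f[3]),
                   "dir": None, "priority": None, "tmpl": False}
            policies.append(cur)
        elif f[0] == "dir" and cur is not None:
            cur["dir"] = f[1]
            cur["priority"] = int(f[f.index("priority") + 1])
        elif f[0] == "tmpl" and cur is not None:
            cur["tmpl"] = True  # a policy with a template actually protects
    return [p for p in policies if p["dir"] == "out"]


def route_lookup(dest, tables):
    """Policy-routing style lookup: tables are consulted in order, the first
    table with a matching route wins, longest prefix wins inside a table."""
    d = ipaddress.ip_address(dest)
    for table in tables:
        hits = [r for r in table if d in r["net"]]
        if hits:
            return max(hits, key=lambda r: r["net"].prefixlen)
    return None


def select_source(route, iface_addrs):
    """Explicit 'src' on the route wins; otherwise approximate the kernel's
    choice with the first global address on the egress device."""
    return route["src"] or iface_addrs[route["dev"]][0]


def outbound_verdict(dest, tables, iface_addrs, policies):
    route = route_lookup(dest, tables)
    if route is None:
        return {"src": None, "protected": False, "reason": "no route"}
    src = ipaddress.ip_address(select_source(route, iface_addrs))
    d = ipaddress.ip_address(dest)
    hits = [p for p in policies if src in p["src"] and d in p["dst"] and p["tmpl"]]
    if not hits:
        return {"src": str(src), "protected": False,
                "reason": "no XFRM out policy matches %s -> %s; packet leaves in clear" % (src, dest)}
    best = min(hits, key=lambda p: p["priority"])
    return {"src": str(src), "protected": True,
            "reason": "matched out policy %s -> %s" % (best["src"], best["dst"])}


def check_as_posted(dest="10.0.0.5"):
    """Routing state exactly as posted: main table only."""
    return outbound_verdict(dest, [parse_routes(MAIN_TABLE_AS_POSTED)],
                            IFACE_ADDRS, parse_out_policies(XFRM_POLICY_AS_POSTED))


def check_with_vip_source(dest="10.0.0.5"):
    """Same policies, but with the hypothetical VIP source route consulted first."""
    return outbound_verdict(dest, [parse_routes(VIP_SOURCE_TABLE), parse_routes(MAIN_TABLE_AS_POSTED)],
                            IFACE_ADDRS, parse_out_policies(XFRM_POLICY_AS_POSTED))


if __name__ == "__main__":
    for name, fn in (("as posted", check_as_posted), ("with VIP source route", check_with_vip_source)):
        v = fn()
        print("%-22s src=%s protected=%s (%s)" % (name, v["src"], v["protected"], v["reason"]))
```

The useful property of this kind of check is the failure mode it surfaces: a policy-based tunnel does not fail closed. When the selector is missed, the packet is not dropped but forwarded in the clear along the ordinary default route, so "tunnel established" in the IKE log says nothing about whether payload traffic is protected; the SA byte counters and a route lookup against the out policy do.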