Re: [strongSwan] net-to-net with one gateway behind NAT

2010-11-16 Thread Alexis Salinas
Hi Martin,
I tried it again with Strongswan 4.3.2 (same version as when I reported the 
issue originally) and I can't see the error anymore. The only difference is 
that now I build and install from source and before I was using a package from 
the Debian repository. Maybe, this is why you could not reproduce it.

Thanks for your help,
Alexis 

Nov 16 14:24:37 ECM charon: 11[KNL] getting a local address in traffic selector 
0.0.0.0/0
Nov 16 14:24:37 ECM charon: 11[KNL] using host %any
Nov 16 14:24:37 ECM charon: 11[KNL] getting address to reach 174.90.228.134
Nov 16 14:24:37 ECM charon: 11[KNL] getting interface name for 192.168.21.100
Nov 16 14:24:37 ECM charon: 11[KNL] 192.168.21.100 is on interface eth0
Nov 16 14:24:37 ECM charon: 11[KNL] installing route: 172.22.0.0/28 via 
192.168.21.20 src %any dev eth0
Nov 16 14:24:37 ECM charon: 11[KNL] getting iface index for eth0
Nov 16 14:24:37 ECM charon: 11[KNL] getting interface name for 192.168.21.100
Nov 16 14:24:37 ECM charon: 11[KNL] 192.168.21.100 is on interface eth0

~# ip route show table 220
172.22.0.0/28 via 192.168.21.20 dev eth0  proto static
# ip rule
0:  from all lookup local
220:from all lookup 220
32766:  from all lookup main
32767:  from all lookup default


-Original Message-
From: Martin Willi [mailto:mar...@strongswan.org] 
Sent: November-11-10 1:04 AM
To: Alexis Salinas
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] net-to-net with one gateway behind NAT

Hi Alexis,

> getting a local address in traffic selector 0.0.0.0/0
> using host %any
> getting address to reach 174.90.242.85
> getting interface name for 192.168.21.100
> 192.168.21.100 is on interface eth0
> getting iface index for eth0
> received netlink error: No such process (3)
> unable to install source route for %any

Yes, I have seen this error once. But I was unable to reproduce or fix it. The 
daemon tries to install a source route for this policy, like:

  ip route add 172.22.0.0/28 via GATEWAY src 192.168.21.100 dev eth0

But the kernel does not like that route. Maybe the gateway lookup does not work 
correctly on your setup, hard to say.

Please apply the attached patch. It shows the complete route the daemon tries 
to install. Does that route make sense for your setup?

Regards
Martin
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] net-to-net with one gateway behind NAT

2010-11-16 Thread Alexis Salinas
Hello Martin,
Sorry it took me so long to set this up. Here is the output with the patch. I 
think it makes sense, but it is no longer giving me the error. It may have had 
something to do with the fact that I loaded the patch in the newest version of 
strongswan (4.5.0); maybe I should try again with the older version and see 
what is different:

 
01[KNL] getting a local address in traffic selector 0.0.0.0/0
01[KNL] using host %any
01[KNL] getting address to reach 174.90.237.73
01[KNL] getting interface name for 192.168.21.100
01[KNL] 192.168.21.100 is on interface eth0
01[KNL] installing route: 172.22.0.0/28 via 192.168.21.20 src %any dev eth0
01[KNL] getting iface index for eth0
01[KNL] getting interface name for 192.168.21.100
01[KNL] 192.168.21.100 is on interface eth0
01[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) 
N(ADD_4_ADDR) ]
01[NET] sending packet: from 192.168.21.100[4500] to 174.90.237.73[4500]
04[KNL] received a XFRM_MSG_MAPPING


Also, I can see table 220 created:
# ip route show table 220
172.22.0.0/28 via 192.168.21.20 dev eth0  proto static

# ip rule
0:  from all lookup local
220:from all lookup 220
220:from all lookup 220
32766:  from all lookup main
32767:  from all lookup default

Cheers,
Alexis



Re: [strongSwan] net-to-net with one gateway behind NAT

2010-11-11 Thread Martin Willi
Hi Alexis,

> getting a local address in traffic selector 0.0.0.0/0
> using host %any
> getting address to reach 174.90.242.85
> getting interface name for 192.168.21.100
> 192.168.21.100 is on interface eth0
> getting iface index for eth0
> received netlink error: No such process (3)
> unable to install source route for %any

Yes, I have seen this error once. But I was unable to reproduce or fix
it. The daemon tries to install a source route for this policy, like:

  ip route add 172.22.0.0/28 via GATEWAY src 192.168.21.100 dev eth0

But the kernel does not like that route. Maybe the gateway lookup does
not work correctly on your setup, hard to say.

Please apply the attached patch. It shows the complete route the daemon
tries to install. Does that route make sense for your setup?

Regards
Martin
From 213884f9471c6f94138279a4e9de373cb671f1a4 Mon Sep 17 00:00:00 2001
From: Martin Willi 
Date: Thu, 11 Nov 2010 09:59:02 +0100
Subject: [PATCH] Print full source route on DBG2 that gets installed

---
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 8cc9a62..4e687c0 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1813,6 +1813,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
 			if (route->if_name)
 			{
+DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
+	 src_ts, route->gateway, route->src_ip, route->if_name);
 switch (hydra->kernel_interface->add_route(
 	hydra->kernel_interface, route->dst_net,
 	route->prefixlen, route->gateway,
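Review bot: the new DBG2 line prints `src_ts` as the route destination, while the `add_route()` call directly below it is handed `route->dst_net` and `route->prefixlen`; if those ever differ from the traffic selector, the log will not show the route that is actually passed to the kernel, which is the whole point of the diagnostic. Print the same destination fields that `add_route()` receives (alongside `route->gateway`, `route->src_ip` and `route->if_name`) so the message matches the netlink request one-to-one.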
-- 
1.7.1

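Added example, not code from the thread or from strongSwan: a POSIX shell helper that rebuilds the `ip route` command described by the DBG2 "installing route:" line the patch adds, dropping `src` when charon logged `%any` (an assumption that matches the table 220 listing posted above), plus a counter that flags the duplicated `lookup 220` policy rule seen in the second `ip rule` listing. Both work on captured text only, so they run without root or the `ip` tool.

```shell
#!/bin/sh
# Constructed helpers, not from the thread or strongSwan. They parse captured
# text only, so no root and no `ip` binary are needed to run them.

# Rebuild the `ip route` command that a charon DBG2 line of the form
#   "... [KNL] installing route: DST via GW src SRC dev IFACE"
# describes, targeting routing table 220 (the table used in the listings above).
# Returns 1 for any other line. Assumption: when charon could not pick a local
# address it logs "src %any", and the route is then installed without `src`.
charon_route_cmd() {
  line=${1#*"installing route: "}
  [ "$line" != "$1" ] || return 1        # not an "installing route" line
  set -- $line                            # DST via GW src SRC dev IFACE
  [ $# -eq 7 ] && [ "$2" = via ] && [ "$4" = src ] && [ "$6" = dev ] || return 1
  if [ "$5" = "%any" ]; then
    echo "ip route add $1 via $3 dev $7 table 220"
  else
    echo "ip route add $1 via $3 src $5 dev $7 table 220"
  fi
}

# Count "lookup 220" rules in captured `ip rule` output. A value above 1 means
# the policy rule was added more than once, as in the second listing above.
count_lookup_220() {
  printf '%s\n' "$1" | grep -c 'lookup 220' || true
}

# Usage on constructed samples modelled on the listings in this thread.
charon_route_cmd "Nov 16 14:24:37 ECM charon: 11[KNL] installing route: 172.22.0.0/28 via 192.168.21.20 src %any dev eth0"
count_lookup_220 "0:	from all lookup local
220:	from all lookup 220
220:	from all lookup 220
32766:	from all lookup main"
```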

[strongSwan] net-to-net with one gateway behind NAT

2010-11-10 Thread Alexis Salinas
Hi all,
I tested this configuration successfully many times without the NAT. This time 
I connected one of the GWs behind a NAT/FIREWALL device and although the tunnel 
comes up I get an error message regarding routes (you can see it almost at the 
bottom of the log). Have you seen this before? Thanks in advance for your help.
Cheers,
Alexis

My setup:
172.22.0.0/28--GW1--Internet--(24.207.4.81)NAT_DEVICE--(192.168.21.100)GW2--10.0.0.0/24--OTHER_ROUTERS

My configuration (full tunnel)
GW1(Linux strongSwan U4.3.5/K2.6.30-310):
config setup
cachecrls=no
charonstart=yes
crlcheckinterval=0
plutostart=yes
strictcrlpolicy=no
nat_traversal=yes
plutodebug=none
charondebug="dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, 
enc 0, lib 0"

conn net-to-net
left=%defaultroute
left...@gw1
leftsubnet=172.22.0.0/28
leftfirewall=yes
right=24.207.4.81
right...@gw2
rightsubnet=0.0.0.0/0
keyexchange=ikev2
mobike=yes
ikelifetime=60m
keylife=20m
compress=no
authby=secret
dpdaction=restart
dpddelay=10
dpdtimeout=30
auto=add
keyingtries=1
rekeymargin=3m
forceencaps=no 


GW2 (Linux strongSwan U4.3.2/K2.6.31-1)
config setup
charonstart=yes
nat_traversal=yes
charondebug="dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 2, net 0, 
enc 0, lib 0"

conn net2net
left=192.168.21.100
left...@gw2
right=%any
right...@gw1
rekey=no
leftsubnet=0.0.0.0/0
rightsubnet=172.22.0.0/28
ike=aes128-md5-modp1536!
ikelifetime=3600s
keyexchange=ikev2
mobike=yes
dpddelay=30s
dpdtimeout=120s
dpdaction=clear
esp=aes128-md5!
keylife=1200s
rekeymargin=540s
type=tunnel
pfs=yes
compress=no
authby=secret
auto=add

GW2 logs (I removed some parts for brevity, let me know if you need the whole 
thing)
Nov  9 10:56:46 GW2 charon: 09[IKE] 174.90.242.85 is initiating an IKE_SA
Nov  9 10:56:46 GW2 charon: 09[IKE] 174.90.242.85 is initiating an IKE_SA
Nov  9 10:56:46 GW2 charon: 09[IKE] IKE_SA (unnamed)[1] state change: CREATED 
=> CONNECTING
Nov  9 10:56:46 GW2 charon: 09[IKE] local host is behind NAT, sending keep 
alives
Nov  9 10:56:46 GW2 charon: 08[IKE] authentication of 'GW1' with pre-shared key 
successful
Nov  9 10:56:46 GW2 charon: 08[IKE] peer supports MOBIKE
Nov  9 10:56:46 GW2 charon: 08[IKE] got additional MOBIKE peer address: 
172.22.0.1
Nov  9 10:56:46 GW2 charon: 08[IKE] got additional MOBIKE peer address: 
172.22.1.1
Nov  9 10:56:46 GW2 charon: 08[IKE] got additional MOBIKE peer address: 
172.22.2.1
Nov  9 10:56:46 GW2 charon: 08[IKE] authentication of 'GW2' (myself) with 
pre-shared key
Nov  9 10:56:46 GW2 charon: 08[IKE] successfully created shared key MAC
Nov  9 10:56:46 GW2 charon: 08[IKE] IKE_SA net2net[1] state change: CONNECTING 
=> ESTABLISHED
Nov  9 10:56:46 GW2 charon: 08[IKE] IKE_SA net2net[1] established between 
192.168.21.100[GW2]...174.90.242.85[GW1]
Nov  9 10:56:46 GW2 charon: 08[IKE] IKE_SA net2net[1] established between 
192.168.21.100[GW2]...174.90.242.85[GW1]
Nov  9 10:56:46 GW2 charon: 08[KNL] getting SPI for reqid {1}
Nov  9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_ALLOCSPI: => 244 bytes @ 
0xb38adc68
Nov  9 10:56:46 GW2 charon: 08[KNL]0: F4 00 00 00 16 00 01 00 C9 00 00 00 
14 42 00 00  .B..

Nov  9 10:56:46 GW2 charon: 08[KNL]  240: FF FF FF CF   
   
Nov  9 10:56:46 GW2 charon: 08[KNL] got SPI ccbe182c for reqid {1}
Nov  9 10:56:46 GW2 charon: 08[KNL] adding SAD entry with SPI ccbe182c and 
reqid {1}
Nov  9 10:56:46 GW2 charon: 08[KNL]   using encryption algorithm AES_CBC with 
key size 128
Nov  9 10:56:46 GW2 charon: 08[KNL]   using integrity algorithm HMAC_MD5_96 
with key size 128
Nov  9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_UPDSA: => 440 bytes @ 
0xb38adbc4
Nov  9 10:56:46 GW2 charon: 08[KNL]0: B8 01 00 00 1A 00 05 00 CA 00 00 00 
14 42 00 00  .B..

Nov  9 10:56:46 GW2 charon: 08[KNL]  432: 00 00 00 00 00 00 00 00   
   
Nov  9 10:56:46 GW2 charon: 08[KNL] adding SAD entry with SPI c94ea202 and 
reqid {1}
Nov  9 10:56:46 GW2 charon: 08[KNL]   using encryption algorithm AES_CBC with 
key size 128
Nov  9 10:56:46 GW2 charon: 08[KNL]   using integrity algorithm HMAC_MD5_96 
with key size 128
Nov  9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_NEWSA: => 440 bytes @ 
0xb38adbc4
Nov  9 10:56:46 GW2 charon: 08[KNL]0: B8 01 00 00 10 00 05 00 CB 00 00 00 
14 42 00 00  .B..

Nov  9 10:56:46 GW2 charon: 08[KNL]  432: 00 00 00 00 00 00 00 00   
   
Nov  9 10:56:46 GW2 charon: 08[KNL] adding policy 0.0.0.0/0 === 172.22.0.0/28 
out
Nov  9 10:56:46 GW2 charon: 08[KNL] se