Re: [strongSwan] net-to-net with one gateway behind NAT

Hi Martin,

I tried it again with strongSwan 4.3.2 (same version as when I reported the issue originally) and I can't see the error anymore. The only difference is that now I build and install from source and before I was using a package from the Debian repository. Maybe this is why you could not reproduce it.

Thanks for your help,
Alexis

Nov 16 14:24:37 ECM charon: 11[KNL] getting a local address in traffic selector 0.0.0.0/0
Nov 16 14:24:37 ECM charon: 11[KNL] using host %any
Nov 16 14:24:37 ECM charon: 11[KNL] getting address to reach 174.90.228.134
Nov 16 14:24:37 ECM charon: 11[KNL] getting interface name for 192.168.21.100
Nov 16 14:24:37 ECM charon: 11[KNL] 192.168.21.100 is on interface eth0
Nov 16 14:24:37 ECM charon: 11[KNL] installing route: 172.22.0.0/28 via 192.168.21.20 src %any dev eth0
Nov 16 14:24:37 ECM charon: 11[KNL] getting iface index for eth0
Nov 16 14:24:37 ECM charon: 11[KNL] getting interface name for 192.168.21.100
Nov 16 14:24:37 ECM charon: 11[KNL] 192.168.21.100 is on interface eth0

~# ip route show table 220
172.22.0.0/28 via 192.168.21.20 dev eth0 proto static
# ip rule
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default

-----Original Message-----
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: November-11-10 1:04 AM
To: Alexis Salinas
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] net-to-net with one gateway behind NAT

Hi Alexis,

> getting a local address in traffic selector 0.0.0.0/0
> using host %any
> getting address to reach 174.90.242.85
> getting interface name for 192.168.21.100
> 192.168.21.100 is on interface eth0
> getting iface index for eth0
> received netlink error: No such process (3)
> unable to install source route for %any

Yes, I have seen this error once. But I was unable to reproduce or fix it.

The daemon tries to install a source route for this policy, like:

ip route add 172.22.0.0/28 via GATEWAY src 192.168.21.100 dev eth0

But the kernel does not like that route. Maybe the gateway lookup does not work correctly on your setup, hard to say.

Please apply the attached patch. It shows the complete route the daemon tries to install. Does that route make sense for your setup?

Regards
Martin

Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
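The route-install and failure lines in this thread are what one ends up checking by hand. The script below is an added example, not strongSwan code and not written by anyone in this thread: it parses the `[KNL] installing route:` line that Martin's DBG2 patch prints, plus the `received netlink error` / `unable to install source route` lines from the original 4.3.2 report, checks each attempted route against a snapshot of the host's interface addresses (a constructed stand-in for `ip -4 addr show`), and builds the equivalent `ip route add ... table 220` command so a rejected route can be reproduced by hand. The sample log lines, the 10.9.9.1 gateway and the `HOST_ADDRS` snapshot are constructed for the example; the route format and the table number 220 are the ones visible in the thread.

```python
"""Explain why the kernel might reject a source route that charon logs.

Added example, not part of strongSwan. Input: charon KNL log lines as
shown in the thread. Output: per-attempt problem tags and the manual
`ip route add` equivalent.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# The line added by the DBG2 patch in the thread:
#   installing route: NET via GATEWAY src SRC dev IFNAME
ROUTE_RE = re.compile(
    r"\[KNL\] installing route: (?P<net>\S+) via (?P<gw>\S+) "
    r"src (?P<src>\S+) dev (?P<dev>\S+)"
)
# The two failure lines from the original 4.3.2 report.
ERR_RE = re.compile(
    r"\[KNL\] (received netlink error: .+|unable to install source route for \S+)"
)

# Constructed sample log: one attempt with a wildcard source (as in the
# thread) and one, invented here, with a gateway that is not on-link.
SAMPLE_LOG = """\
Nov 16 14:24:37 ECM charon: 11[KNL] getting a local address in traffic selector 0.0.0.0/0
Nov 16 14:24:37 ECM charon: 11[KNL] using host %any
Nov 16 14:24:37 ECM charon: 11[KNL] installing route: 172.22.0.0/28 via 192.168.21.20 src %any dev eth0
Nov 16 14:24:37 ECM charon: 11[KNL] getting iface index for eth0
Nov 16 14:25:02 ECM charon: 12[KNL] installing route: 172.22.0.0/28 via 10.9.9.1 src 192.168.21.100 dev eth0
Nov 16 14:25:02 ECM charon: 12[KNL] received netlink error: No such process (3)
Nov 16 14:25:02 ECM charon: 12[KNL] unable to install source route for 192.168.21.100
""".splitlines()

# Constructed snapshot of the host's addresses (what `ip -4 addr show` would
# list), keyed by interface name. Not read from the live system.
HOST_ADDRS = {"eth0": ["192.168.21.100/24"]}


@dataclass
class RouteAttempt:
    net: str
    gateway: str
    src: str
    dev: str
    errors: list = field(default_factory=list)


def parse_route_log(lines):
    """Collect route install attempts; netlink errors that follow an attempt
    are attached to that attempt."""
    attempts = []
    for line in lines:
        m = ROUTE_RE.search(line)
        if m:
            attempts.append(RouteAttempt(m["net"], m["gw"], m["src"], m["dev"]))
            continue
        m = ERR_RE.search(line)
        if m and attempts:
            attempts[-1].errors.append(m.group(1))
    return attempts


def explain_route(attempt, addrs):
    """Return a tag for each reason the kernel could refuse this route."""
    problems = []
    connected = [ipaddress.ip_interface(a) for a in addrs.get(attempt.dev, [])]
    if not connected:
        return ["unknown-dev"]
    if attempt.src == "%any":
        # get_address_by_ts() found no local address inside the selector
        # (0.0.0.0/0 in the thread), so there is no preferred source to set.
        problems.append("wildcard-src")
    elif not any(ipaddress.ip_address(attempt.src) == a.ip for a in connected):
        # A preferred source must be an address the host owns on that link.
        problems.append("src-not-on-dev")
    gw = ipaddress.ip_address(attempt.gateway)
    if not any(gw in a.network for a in connected):
        # The nexthop must be resolvable on the link, otherwise the kernel
        # rejects the route (the "No such process" / ESRCH in the report).
        problems.append("gateway-not-on-link")
    if attempt.errors and not problems:
        problems.append("unexplained-failure")
    return problems


def route_command(attempt, table=220):
    """Manual equivalent of what charon sends over netlink, in its table."""
    cmd = f"ip route add {attempt.net} via {attempt.gateway} dev {attempt.dev}"
    if attempt.src != "%any":
        cmd += f" src {attempt.src}"
    return cmd + f" table {table}"


if __name__ == "__main__":
    for attempt in parse_route_log(SAMPLE_LOG):
        print(route_command(attempt))
        print("  problems:", explain_route(attempt, HOST_ADDRS) or ["none"])
        for err in attempt.errors:
            print("  charon:", err)
```

Run it against a real `charondebug` capture with `knl 2` and the patch applied, and replace `HOST_ADDRS` with the addresses from `ip -4 addr show` on the gateway; a `wildcard-src` tag on a `0.0.0.0/0` selector is the pattern this thread shows.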
Re: [strongSwan] net-to-net with one gateway behind NAT

Hello Martin,

Sorry it took me so long to set this up. Here is the output with the patch. I think it makes sense, but it is no longer giving me the error. It may have had something to do with the fact that I loaded the patch in the newest version of strongSwan (4.5.0); maybe I should try again with the older version and see what is different:

01[KNL] getting a local address in traffic selector 0.0.0.0/0
01[KNL] using host %any
01[KNL] getting address to reach 174.90.237.73
01[KNL] getting interface name for 192.168.21.100
01[KNL] 192.168.21.100 is on interface eth0
01[KNL] installing route: 172.22.0.0/28 via 192.168.21.20 src %any dev eth0
01[KNL] getting iface index for eth0
01[KNL] getting interface name for 192.168.21.100
01[KNL] 192.168.21.100 is on interface eth0
01[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
01[NET] sending packet: from 192.168.21.100[4500] to 174.90.237.73[4500]
04[KNL] received a XFRM_MSG_MAPPING

Also, I can see table 220 created:

# ip route show table 220
172.22.0.0/28 via 192.168.21.20 dev eth0 proto static
# ip rule
0: from all lookup local
220: from all lookup 220
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default

Cheers,
Alexis

-----Original Message-----
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: November-11-10 1:04 AM
To: Alexis Salinas
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] net-to-net with one gateway behind NAT

Hi Alexis,

> getting a local address in traffic selector 0.0.0.0/0
> using host %any
> getting address to reach 174.90.242.85
> getting interface name for 192.168.21.100
> 192.168.21.100 is on interface eth0
> getting iface index for eth0
> received netlink error: No such process (3)
> unable to install source route for %any

Yes, I have seen this error once. But I was unable to reproduce or fix it.

The daemon tries to install a source route for this policy, like:

ip route add 172.22.0.0/28 via GATEWAY src 192.168.21.100 dev eth0

But the kernel does not like that route. Maybe the gateway lookup does not work correctly on your setup, hard to say.

Please apply the attached patch. It shows the complete route the daemon tries to install. Does that route make sense for your setup?

Regards
Martin
Re: [strongSwan] net-to-net with one gateway behind NAT

Hi Alexis,

> getting a local address in traffic selector 0.0.0.0/0
> using host %any
> getting address to reach 174.90.242.85
> getting interface name for 192.168.21.100
> 192.168.21.100 is on interface eth0
> getting iface index for eth0
> received netlink error: No such process (3)
> unable to install source route for %any

Yes, I have seen this error once. But I was unable to reproduce or fix it.

The daemon tries to install a source route for this policy, like:

ip route add 172.22.0.0/28 via GATEWAY src 192.168.21.100 dev eth0

But the kernel does not like that route. Maybe the gateway lookup does not work correctly on your setup, hard to say.

Please apply the attached patch. It shows the complete route the daemon tries to install. Does that route make sense for your setup?

Regards
Martin

>From 213884f9471c6f94138279a4e9de373cb671f1a4 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Thu, 11 Nov 2010 09:59:02 +0100 Subject: [PATCH] Print full source route on DBG2 that gets installed --- .../plugins/kernel_netlink/kernel_netlink_ipsec.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index 8cc9a62..4e687c0 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -1813,6 +1813,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t, if (route->if_name) { +DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s", + src_ts, route->gateway, route->src_ip, route->if_name); switch (hydra->kernel_interface->add_route( hydra->kernel_interface, route->dst_net, route->prefixlen, route->gateway, -- 1.7.1
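Review bot: the added DBG2 runs only on the way into add_route(), so a failed install is still reported by the existing "unable to install source route for %H" line, which names just the source address; either log the full route on that error branch as well or move this message there, so the failure case is self-describing without DBG2 enabled. Two smaller points in the same hunk: the message prints `src_ts` while add_route() is handed `route->dst_net` / `route->prefixlen`, so the log and the netlink request are only guaranteed to agree as long as those stay derived from the same selector; and since this is the one place where `route->src_ip` is known before the call, a check that it is not `%any` (the reported output shows `using host %any` followed by `src %any`) with a warning naming the traffic selector would turn the opaque "No such process (3)" into a clear diagnostic.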
[strongSwan] net-to-net with one gateway behind NAT

Hi all,

I tested this configuration successfully many times without the NAT. This time I connected one of the GWs behind a NAT/FIREWALL device and although the tunnel comes up I get an error message regarding routes (you can see it almost at the bottom of the log). Have you seen this before?

Thanks in advance for your help.

Cheers,
Alexis

My setup:

172.22.0.0/28--GW1--Internet--(24.207.4.81)NAT_DEVICE--(192.168.21.100)GW2--10.0.0.0/24--OTHER_ROUTERS

My configuration (full tunnel)

GW1 (Linux strongSwan U4.3.5/K2.6.30-310):

config setup
    cachecrls=no
    charonstart=yes
    crlcheckinterval=0
    plutostart=yes
    strictcrlpolicy=no
    nat_traversal=yes
    plutodebug=none
    charondebug="dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, enc 0, lib 0"

conn net-to-net
    left=%defaultroute
    left...@gw1
    leftsubnet=172.22.0.0/28
    leftfirewall=yes
    right=24.207.4.81
    right...@gw2
    rightsubnet=0.0.0.0/0
    keyexchange=ikev2
    mobike=yes
    ikelifetime=60m
    keylife=20m
    compress=no
    authby=secret
    dpdaction=restart
    dpddelay=10
    dpdtimeout=30
    auto=add
    keyingtries=1
    rekeymargin=3m
    forceencaps=no

GW2 (Linux strongSwan U4.3.2/K2.6.31-1):

config setup
    charonstart=yes
    nat_traversal=yes
    charondebug="dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 2, net 0, enc 0, lib 0"

conn net2net
    left=192.168.21.100
    left...@gw2
    right=%any
    right...@gw1
    rekey=no
    leftsubnet=0.0.0.0/0
    rightsubnet=172.22.0.0/28
    ike=aes128-md5-modp1536!
    ikelifetime=3600s
    keyexchange=ikev2
    mobike=yes
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=clear
    esp=aes128-md5!
    keylife=1200s
    rekeymargin=540s
    type=tunnel
    pfs=yes
    compress=no
    authby=secret
    auto=add

GW2 logs (I removed some parts for brevity, let me know if you need the whole thing):

Nov 9 10:56:46 GW2 charon: 09[IKE] 174.90.242.85 is initiating an IKE_SA
Nov 9 10:56:46 GW2 charon: 09[IKE] 174.90.242.85 is initiating an IKE_SA
Nov 9 10:56:46 GW2 charon: 09[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Nov 9 10:56:46 GW2 charon: 09[IKE] local host is behind NAT, sending keep alives
Nov 9 10:56:46 GW2 charon: 08[IKE] authentication of 'GW1' with pre-shared key successful
Nov 9 10:56:46 GW2 charon: 08[IKE] peer supports MOBIKE
Nov 9 10:56:46 GW2 charon: 08[IKE] got additional MOBIKE peer address: 172.22.0.1
Nov 9 10:56:46 GW2 charon: 08[IKE] got additional MOBIKE peer address: 172.22.1.1
Nov 9 10:56:46 GW2 charon: 08[IKE] got additional MOBIKE peer address: 172.22.2.1
Nov 9 10:56:46 GW2 charon: 08[IKE] authentication of 'GW2' (myself) with pre-shared key
Nov 9 10:56:46 GW2 charon: 08[IKE] successfully created shared key MAC
Nov 9 10:56:46 GW2 charon: 08[IKE] IKE_SA net2net[1] state change: CONNECTING => ESTABLISHED
Nov 9 10:56:46 GW2 charon: 08[IKE] IKE_SA net2net[1] established between 192.168.21.100[GW2]...174.90.242.85[GW1]
Nov 9 10:56:46 GW2 charon: 08[IKE] IKE_SA net2net[1] established between 192.168.21.100[GW2]...174.90.242.85[GW1]
Nov 9 10:56:46 GW2 charon: 08[KNL] getting SPI for reqid {1}
Nov 9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_ALLOCSPI: => 244 bytes @ 0xb38adc68
Nov 9 10:56:46 GW2 charon: 08[KNL]   0: F4 00 00 00 16 00 01 00 C9 00 00 00 14 42 00 00  .B..
Nov 9 10:56:46 GW2 charon: 08[KNL] 240: FF FF FF CF
Nov 9 10:56:46 GW2 charon: 08[KNL] got SPI ccbe182c for reqid {1}
Nov 9 10:56:46 GW2 charon: 08[KNL] adding SAD entry with SPI ccbe182c and reqid {1}
Nov 9 10:56:46 GW2 charon: 08[KNL] using encryption algorithm AES_CBC with key size 128
Nov 9 10:56:46 GW2 charon: 08[KNL] using integrity algorithm HMAC_MD5_96 with key size 128
Nov 9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_UPDSA: => 440 bytes @ 0xb38adbc4
Nov 9 10:56:46 GW2 charon: 08[KNL]   0: B8 01 00 00 1A 00 05 00 CA 00 00 00 14 42 00 00  .B..
Nov 9 10:56:46 GW2 charon: 08[KNL] 432: 00 00 00 00 00 00 00 00
Nov 9 10:56:46 GW2 charon: 08[KNL] adding SAD entry with SPI c94ea202 and reqid {1}
Nov 9 10:56:46 GW2 charon: 08[KNL] using encryption algorithm AES_CBC with key size 128
Nov 9 10:56:46 GW2 charon: 08[KNL] using integrity algorithm HMAC_MD5_96 with key size 128
Nov 9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_NEWSA: => 440 bytes @ 0xb38adbc4
Nov 9 10:56:46 GW2 charon: 08[KNL]   0: B8 01 00 00 10 00 05 00 CB 00 00 00 14 42 00 00  .B..
Nov 9 10:56:46 GW2 charon: 08[KNL] 432: 00 00 00 00 00 00 00 00
Nov 9 10:56:46 GW2 charon: 08[KNL] adding policy 0.0.0.0/0 === 172.22.0.0/28 out
Nov 9 10:56:46 GW2 charon: 08[KNL] se