Issue #2069
IPSEC tunnel is up (both phase 1 and phase 2), yet packets are not passing via the tunnel (they pass but unsecured)
Description
Hi Guys.
I have been struggling for a few days to understand why the ICMP packets from the CPEs are passing unsecured and not via the IPsec tunnel.
My tunnel is:
GW right is Virtual machine with UBUNTU 14.04
GW left is our DUT.
Both GWs are running strongSwan build 5.3.5.
A virtual machine is connected to both GWs' LAN sides as CPEs.
The IPsec tunnel between the two GWs is up.
Ping between the two peers' CPEs works fine (static routing).
Ping is wrongly passing non-encrypted.
GW right ipsec.conf file:
    config setup

    conn %default
        ikelifetime=600m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev1
        mobike=no
        type=tunnel

    conn net-net
        left=20.161.23.22
        leftsubnet=30.161.23.0
        leftid=%any
        right=20.161.23.11
        rightsubnet=40.161.23.0
        rightid=%any
        auto=start
        ike=aes128-sha256-modp1024!
        esp=aes128-sha256-modp1024!
GW left ipsec.conf file:
    config setup

    conn %default
        ikelifetime=600m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev1
        mobike=no
        type=tunnel

    conn net-net
        left=20.161.23.22
        leftsubnet=30.161.23.0
        leftid=%any
        right=20.161.23.11
        rightsubnet=40.161.23.0
        rightid=%any
        auto=start
        ike=aes128-sha256-modp1024!
        esp=aes128-sha256-modp1024!
When I type ipsec status, it seems that there is a problem with my strongswan.conf file (even though I tried to fix it, the error does not seem correct):
    ipsec statusall
    /etc/strongswan.d/scepclient.conf:2: syntax error, unexpected NAME, expecting '{] [
    invalid config file '/etc/strongswan.conf'
    Status of IKE charon daemon (strongSwan 5.3.5, Linux 3.12.17-intelce-standard, i686):
      uptime: 8 minutes, since Jul 06 22:13:24 2016
      malloc: sbrk 172032, mmap 0, used 131696, free 40336
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
      loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
    Listening IP addresses:
      30.161.23.33
      fc00::1
      20.161.23.22
    Connections:
         net-net:  20.161.23.22...20.161.23.11  IKEv1
         net-net:   local:  [20.161.23.22] uses pre-shared key authentication
         net-net:   remote: uses pre-shared key authentication
         net-net:   child:  30.161.23.0/32 === 40.161.23.0/32 TUNNEL
    Security Associations (1 up, 0 connecting):
         net-net[1]: ESTABLISHED 8 minutes ago, 20.161.23.22[20.161.23.22]...20.161.23.11[20.161.23.11]
         net-net[1]: IKEv1 SPIs: 117151a1bab5d359_i* a30570e25457dd7b_r, pre-shared key reauthentication in 9 hours
         net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
         net-net{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7d208dd_i ca977da2_o
         net-net{1}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 6 minutes
         net-net{1}:   30.161.23.0/32 === 40.161.23.0/32
The strongswan.conf file is:
    charon {
        load_modular = yes
        plugins {
            include strongswan.d/charon/*.conf
        }
    }
    include strongswan.d/*.conf
tcpdump on the IPsec tunnel (no NAT, because I see that the source IP is not changing) while pinging from the 30.161.23.13 CPE to the 40.161.23.113 CPE:
    30.161.23.13 > 40.161.23.113: ICMP echo request, id 5914, seq 5, length 64
    22:25:38.481132 IP (tos 0x0, ttl 63, id 1053, offset 0, flags [none], proto ICMP (1), length 84) 40.161.23.113 > 30.161.23.13: ICMP echo reply, id 5914, seq 5, length 64
    22:25:38.696980 IP (tos 0x0, ttl 63, id 1074, offset 0, flags [DF], proto ICMP (1), length 84)
As you can see in the tcpdump, all packets are not encrypted (I should have seen them as ESP and not ICMP), so they are not passing via the IPsec tunnel. Can someone assist me with that, please?
History
#1 Updated by Koby Gueta about 9 years ago
P.S:
This behavior started happening after I upgraded the virtual machine GW's strongSwan version from 5.1.2 to 5.3.5.
#2 Updated by Tobias Brunner about 9 years ago
- Description updated (diff)
- Category set to configuration
- Status changed from New to Feedback
- Priority changed from Immediate to Normal
    /etc/strongswan.d/scepclient.conf:2: syntax error, unexpected NAME, expecting '{] [
Check the contents of that file to fix that error.
But that's not related to the actual problem, which is caused by incorrect traffic selectors:
    conn net-net
        ...
        leftsubnet=30.161.23.0
        ...
        rightsubnet=40.161.23.0
That will result in traffic between 30.161.23.0/32 and 40.161.23.0/32 getting tunneled, as can be seen in the status output:
    ...
         net-net:   child:  30.161.23.0/32 === 40.161.23.0/32 TUNNEL
    ...
         net-net{1}:   30.161.23.0/32 === 40.161.23.0/32
The IPs of the ICMP message are, however, 30.161.23.13 (not 30.161.23.0) and 40.161.23.113 (not 40.161.23.0). What you probably want is something like:
    conn net-net
        ...
        leftsubnet=30.161.23.0/24
        ...
        rightsubnet=40.161.23.0/24
    This behavior started happening after I upgraded the virtual machine GW's strongSwan version from 5.1.2 to 5.3.5.
Unless you also changed the config, that should not make a difference, as both versions should parse these traffic selectors the same way.
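As an added illustration (not part of this report and not strongSwan's own code), the following Python script applies the rule from the comment above, that a leftsubnet/rightsubnet value without a prefix length becomes a single-host /32 selector, exactly as the status output shows, to the reported configuration and to a tcpdump excerpt modelled on the one in the description. It then checks, for every plaintext packet, whether the configured CHILD_SA policy would have matched it at all. The tcpdump lines, the extra ESP line between the gateways, and all function names are constructed for this example; only the subnet and CPE addresses come from the report.

```python
import ipaddress
import re

# Constructed sample: the two subnet values exactly as they appear in the reported
# ipsec.conf, and the same values with the /24 prefix length suggested in comment #2.
REPORTED_SELECTORS = {"leftsubnet": "30.161.23.0", "rightsubnet": "40.161.23.0"}
FIXED_SELECTORS = {"leftsubnet": "30.161.23.0/24", "rightsubnet": "40.161.23.0/24"}

# Constructed tcpdump excerpt modelled on the report: the two plaintext ICMP packets
# between the CPEs, plus one assumed ESP packet between the gateways for contrast.
SAMPLE_TCPDUMP = """\
22:25:38.481132 IP (tos 0x0, ttl 63, id 1053, offset 0, flags [none], proto ICMP (1), length 84) 30.161.23.13 > 40.161.23.113: ICMP echo request, id 5914, seq 5, length 64
22:25:38.696980 IP (tos 0x0, ttl 63, id 1074, offset 0, flags [DF], proto ICMP (1), length 84) 40.161.23.113 > 30.161.23.13: ICMP echo reply, id 5914, seq 5, length 64
22:25:39.104211 IP (tos 0x0, ttl 64, id 1102, offset 0, flags [none], proto ESP (50), length 152) 20.161.23.22 > 20.161.23.11: ESP(spi=0xca977da2,seq=0x5), length 132
"""

# Matches the "proto NAME (NUM), length N) SRC > DST:" part of a tcpdump -v IP line.
PACKET_RE = re.compile(r"proto (\w+) \(\d+\), length \d+\) (\S+) > (\S+):")


def traffic_selector(value: str) -> ipaddress.IPv4Network:
    """Turn a leftsubnet/rightsubnet value into the traffic selector strongSwan
    installs. The status output in the report shows the rule: a value with no
    prefix length is a single host, so 30.161.23.0 becomes 30.161.23.0/32."""
    if "/" not in value:
        value += "/32"
    return ipaddress.ip_network(value, strict=False)


def selectors_cover(selectors: dict, src: str, dst: str) -> bool:
    """True if a packet src -> dst falls inside the CHILD_SA policy in either
    direction (left -> right or right -> left)."""
    left = traffic_selector(selectors["leftsubnet"])
    right = traffic_selector(selectors["rightsubnet"])
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)


def parse_tcpdump(text: str) -> list:
    """Extract (proto, src, dst) from each tcpdump line; lines without an IP
    header summary are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            packets.append((m.group(1), m.group(2), m.group(3)))
    return packets


def find_plaintext(selectors: dict, tcpdump_text: str) -> list:
    """Report every non-ESP packet together with whether the configured selectors
    would have matched it. covered=False is exactly the symptom in the report:
    the policy does not apply to those addresses, so the kernel forwards them in
    the clear instead of through the tunnel."""
    report = []
    for proto, src, dst in parse_tcpdump(tcpdump_text):
        if proto == "ESP":
            continue
        report.append({"proto": proto, "src": src, "dst": dst,
                       "covered": selectors_cover(selectors, src, dst)})
    return report


if __name__ == "__main__":
    for label, sel in (("reported", REPORTED_SELECTORS), ("fixed", FIXED_SELECTORS)):
        print(f"{label}: {traffic_selector(sel['leftsubnet'])} === "
              f"{traffic_selector(sel['rightsubnet'])}")
        for entry in find_plaintext(sel, SAMPLE_TCPDUMP):
            print("  ", entry)
```

With the reported values both ICMP packets come back with covered=False, which matches the 0 bytes_i / 0 bytes_o counters on the installed SA: nothing ever qualified for the policy. With the /24 selectors they come back covered=True; seeing plaintext traffic in that state would point at a real problem (policy not installed, routing bypass) rather than at a selector mistake.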
#3 Updated by Koby Gueta about 9 years ago
Hi Tobias,
Thank you very much for the support. It works fine now.
I don't know how I missed it, sorry :-).
#4 Updated by Tobias Brunner about 9 years ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required
OK, great.