Issue #3361

No routes are being added when connected.

Added by Mark Hayward 5 months ago. Updated 5 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: configuration
Affected version: 5.8.2
Resolution:
Description

Hello

I am setting up a VPN between strongSwan and a Juniper (I don't have access to this). They both have public IP addresses. I am trying to send plain-text traffic over the IPsec tunnel, but it seems that traffic is not being sent over the encrypted tunnel. I don't have any routes being added.

I have one server running strongSwan which is also running a service on port 443. The other end is a Juniper router (209.97.111.12) with a server sitting behind it (209.97.112.25/32). I need to be able to communicate between the servers over this VPN tunnel.

178.62.150.163 (runs app on 443) ----------VPN---------- 209.97.111.12 (Juniper) --- 209.97.112.25 ( Accesses my server on 443 over VPN)

There is no NAT at all. Everything is using public IPs.

config setup
    strictcrlpolicy=no
    uniqueids=no

conn any
    leftid=178.62.150.163
    leftsubnet=178.62.150.163/32
    leftsourceip=178.62.150.163
    right=209.97.111.12
    rightsubnet=209.97.112.25/32
    rightid=%config
    keyingtries=%forever
    ike=aes256-sha2_512-modp1536
    esp=aes256-sha2_512-modp1536
    ikelifetime=3h
    keylife=1h
    compress=yes
    dpdaction=restart
    dpddelay=30
    dpdtimeout=120
    authby=secret
    fragmentation=yes
    auto=add
    keyexchange=ike
    type=tunnel

The VPN seems to be initiated.

root@ubuntu-s-1vcpu-1gb-lon1-01:~# ipsec statusall any
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-66-generic, x86_64):
  uptime: 10 minutes, since Mar 04 10:51:54 2020
  malloc: sbrk 1630208, mmap 0, used 662496, free 967712
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  178.62.150.163
  10.16.0.7
Connections:
         any:  %any...209.97.111.12  IKEv1/2, dpddelay=30s
         any:   local:  [178.62.150.163] uses pre-shared key authentication
         any:   remote: [209.97.111.12] uses pre-shared key authentication
         any:   child:  178.62.150.163/32 === 209.97.111.12/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
         any[1]: ESTABLISHED 10 minutes ago, 178.62.150.163[178.62.150.163]...209.97.111.12[209.97.111.12]
         any[1]: IKEv2 SPIs: a5c8f64f5221786c_i* e7b90ff29d2566e9_r, pre-shared key reauthentication in 2 hours
         any[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536

However, when I traceroute between the two IPs, it seems to go out to the internet:

root@ubuntu-s-1vcpu-1gb-lon1-01:~# traceroute 209.97.111.12
traceroute to 209.97.111.12 (209.97.111.12), 30 hops max, 60 byte packets
 1  46.101.0.253 (46.101.0.253)  0.676 ms 46.101.0.254 (46.101.0.254)  4.185 ms 46.101.0.253 (46.101.0.253)  0.644 ms
 2  138.197.249.106 (138.197.249.106)  0.939 ms 138.197.249.122 (138.197.249.122)  1.041 ms 138.197.249.120 (138.197.249.120)  1.460 ms
 3  138.197.249.119 (138.197.249.119)  0.580 ms 138.197.249.125 (138.197.249.125)  0.588 ms 138.197.249.109 (138.197.249.109)  0.603 ms
 4  209.97.111.12 (209.97.111.12)  1.661 ms  1.682 ms  1.660 ms

From what I have read, there should be a route in this command: ip -s xfrm state

This command returns nothing though. I also do not have any interfaces created, I only see lo and eth0 even though the VPN is initiated.

Can anybody help?

History

#1 Updated by Tobias Brunner 5 months ago

  • Description updated (diff)
  • Category set to configuration
  • Status changed from New to Feedback

> The VPN seems to be initiated.

Unfortunately, it is not. You only have an IKE_SA, no IPsec/CHILD_SA. Check the log for details on why establishing that failed (see LoggerConfiguration and HelpRequests).

> From what I have read, there should be a route in this command: ip -s xfrm state

That command shows the IPsec SAs installed in the kernel, not routes. See IntroductionTostrongSwan.
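The distinction made in this reply (an IKE_SA alone versus an installed CHILD_SA, and `ip xfrm state` showing kernel SAs rather than routes) is the check the reporter was missing. The following POSIX shell helper is an added example, written for this page and not part of the strongSwan project or the reporter's post. It classifies `ipsec statusall` output into "no IKE_SA", "IKE_SA only" or "tunnel up" by looking for an `INSTALLED` CHILD_SA line, counts the SAs in `ip xfrm state` output, and, when run with the argument `live`, queries the running system. The sample outputs embedded below are constructed: the first is the reporter's own `statusall` excerpt, the "working tunnel" and xfrm samples use made-up SPIs.

```shell
#!/bin/sh
# Added diagnostic helper (not strongSwan project code): decides whether an IPsec
# tunnel actually carries traffic. An IKE_SA in ESTABLISHED state encrypts
# nothing by itself; only an INSTALLED CHILD_SA, mirrored as xfrm states and
# policies in the kernel, does.

# Constructed sample 1: the reporter's `ipsec statusall any` SA section
# (IKE_SA established, no CHILD_SA).
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
         any[1]: ESTABLISHED 10 minutes ago, 178.62.150.163[178.62.150.163]...209.97.111.12[209.97.111.12]
         any[1]: IKEv2 SPIs: a5c8f64f5221786c_i* e7b90ff29d2566e9_r, pre-shared key reauthentication in 2 hours
         any[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536'

# Constructed sample 2: what a working tunnel looks like (ESP SPIs are made up).
SAMPLE_STATUS_OK="$SAMPLE_STATUS
         any{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1234567_i c7654321_o
         any{1}:   178.62.150.163/32 === 209.97.112.25/32"

# Constructed sample 3: `ip xfrm state` for that working tunnel, one inbound
# and one outbound SA (keys omitted, SPIs made up).
SAMPLE_XFRM='src 178.62.150.163 dst 209.97.111.12
    proto esp spi 0xc7654321 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
src 209.97.111.12 dst 178.62.150.163
    proto esp spi 0xc1234567 reqid 1 mode tunnel
    replay-window 32 flag af-unspec'

# classify_status STATUS_TEXT -> prints one of:
#   no_ike_sa  no IKE_SA at all
#   ike_only   IKE_SA established but no CHILD_SA installed (the reporter's case)
#   tunnel_up  at least one INSTALLED CHILD_SA
# CHILD_SA lines carry the connection name with braces ("any{1}: INSTALLED"),
# IKE_SA lines use brackets ("any[1]: ESTABLISHED").
classify_status() {
    if ! printf '%s\n' "$1" | grep -q 'ESTABLISHED'; then
        echo no_ike_sa
    elif printf '%s\n' "$1" | grep -q '{[0-9]*}: *INSTALLED'; then
        echo tunnel_up
    else
        echo ike_only
    fi
}

# count_xfrm_states XFRM_TEXT -> number of SA entries ("src ... dst ..." lines).
# Zero entries next to an ESTABLISHED IKE_SA confirms no IPsec SA reached the
# kernel, so packets to the remote subnet follow the normal routing table.
count_xfrm_states() {
    printf '%s\n' "$1" | grep -c '^src ' || true
}

# Stand-alone run: "live [conn]" queries the system (root and strongSwan needed);
# otherwise the constructed samples are classified. strongSwan's kernel-netlink
# plugin puts its routes in routing table 220, which plain `ip route` does not
# list, so that table is shown explicitly in live mode.
if [ "${1:-}" = "live" ]; then
    echo "CHILD_SA state: $(classify_status "$(ipsec statusall ${2:+"$2"})")"
    echo "kernel xfrm states: $(count_xfrm_states "$(ip xfrm state)")"
    echo "strongSwan routes (table 220):"
    ip route show table 220
else
    echo "reporter's output: $(classify_status "$SAMPLE_STATUS")"
    echo "working tunnel:    $(classify_status "$SAMPLE_STATUS_OK")"
    echo "xfrm states in working sample: $(count_xfrm_states "$SAMPLE_XFRM")"
fi
```

When the helper reports `ike_only`, the CHILD_SA proposal or traffic selector negotiation failed after IKE authentication succeeded, and the charon log (see LoggerConfiguration) is the place to read why; the xfrm count and table 220 then merely confirm that nothing reached the kernel.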
