Issue #3368

"error writing to socket: Invalid argument" in the case of SA multicast with configuration Client VPN on Android and Server on Linux

Added by Jean-Luc Jordan 5 months ago. Updated 5 months ago.

Status:
Feedback
Priority:
Low
Assignee:
-
Category:
-
Affected version:
5.8.1
Resolution:

Description

Hi,

The aim is to test SA multicast between a strongSwan VPN client on Android and a strongSwan server on Linux.
"SA multicast" means that on the client side, the tunnel source IP address is a unicast address and the tunnel destination IP address is a multicast address.
For that, a configuration is set up; first, SA unicast (tunnel source IP and destination IP are unicast addresses) is tested successfully.
Second, SA multicast is executed, but on the server side the message "error writing to socket: Invalid argument" is displayed.
Could you help me, please?

Thanks in advance for your answer,
Kind regards,
Jean-Luc J

The configuration is the following:
on the left side, a strongSwan server on Linux with a subnet on the local unicast network (11.11.11.1/24) and on the multicast network (240.0.1.150/32);
on the right side, the VPN client on Android.
They communicate over WiFi via a Netgear wireless access point.
Please refer to the configuration files below.

SA UNICAST (all is ok) ==========
on the client side, source tunnel IP addr = 192.168.0.64 and destination tunnel IP addr = 192.168.0.24

CLIENT SIDE

client VPN strongswan 5.8.2dr1, Android 9 - PQ3B.190705.003/2019-07-05, Pixel 3a - google/sargo/Google, Linux 4.9.124-gb3668ca20417-ab5599295, aarch64
loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
server
192.168.0.24
VPN type
IKEv2 EAP (Username/Password)
Username
toto
Password
123456

CA certificate
VPN root CA

Status: Connected
Profile: 192.168.0.24

SERVER SIDE

/etc/strongswan/ipsec.conf

config setup
   charondebug="all" 
   uniqueids=no

conn ikev2-vpn
   auto=add
   compress=no
   type=tunnel
   keyexchange=ikev2
   fragmentation=yes
   forceencaps=yes
   ike=aes256-sha1-modp2048,3des-sha1-modp2048!
   esp=aes256-sha1,3des-sha1!
   dpdaction=clear
   dpddelay=300s
   rekey=no
   left=192.168.0.24
   leftcert=/etc/strongswan/ipsec.d/certs/server-cert.pem
   leftsendcert=always
   leftsubnet=11.11.11.0/24
   right=192.168.0.64
   rightid=toto
   rightsubnet=0.0.0.0/0
   rightauth=eap-mschapv2
   rightsourceip=11.11.10.0/24
   rightsendcert=never
   eap_identity=%identity
   mark=%unique

ipsec.secrets

: RSA "/etc/strongswan/ipsec.d/private/server-key.pem" 
toto : EAP "123456" 

strongswan.conf

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    multiple_authentication = no
    plugins {
        include strongswan.d/charon/*.conf
        forecast {
            groups = 224.0.1.150
            interface = enp1s0
        }
    }
}

include strongswan.d/*.conf

sudo tail -f -n 100 /var/log/daemon.log
Mar 11 11:47:11 dev-jlj charon: 00[DMN] signal of type SIGINT received. Shutting down
Mar 11 11:47:14 dev-jlj charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.1+0.1.0, Linux 4.19.0-5-amd64, x86_64)
Mar 11 11:47:14 dev-jlj systemd-udevd[18488]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Mar 11 11:47:14 dev-jlj charon: 00[LIB] created TUN device: ipsec0
Mar 11 11:47:14 dev-jlj charon: 00[NET] using forecast interface enp1s0
Mar 11 11:47:14 dev-jlj charon: 00[CFG] joining forecast multicast groups: 224.0.1.150
Mar 11 11:47:14 dev-jlj charon: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Mar 11 11:47:14 dev-jlj charon: 00[CFG]   loaded ca certificate "CN=VPN root CA" from '/etc/strongswan/ipsec.d/cacerts/ca-cert.pem'
Mar 11 11:47:14 dev-jlj charon: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Mar 11 11:47:14 dev-jlj charon: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Mar 11 11:47:14 dev-jlj charon: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Mar 11 11:47:14 dev-jlj charon: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Mar 11 11:47:14 dev-jlj charon: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Mar 11 11:47:14 dev-jlj charon: 00[CFG]   loaded RSA private key from '/etc/strongswan/ipsec.d/private/server-key.pem'
Mar 11 11:47:14 dev-jlj charon: 00[CFG]   loaded EAP secret for toto
Mar 11 11:47:14 dev-jlj charon: 00[CFG] coupling file path unspecified
Mar 11 11:47:14 dev-jlj charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default forecast stroke vici updown eap-identity eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth error-notify counters
Mar 11 11:47:14 dev-jlj charon: 00[JOB] spawning 16 worker threads
Mar 11 11:47:14 dev-jlj charon: 09[CFG] received stroke: add connection 'ikev2-vpn'
Mar 11 11:47:14 dev-jlj charon: 09[CFG] adding virtual IP address pool 11.11.10.0/24
Mar 11 11:47:14 dev-jlj charon: 09[CFG]   loaded certificate "CN=192.168.0.24" from '/etc/strongswan/ipsec.d/certs/server-cert.pem'
Mar 11 11:47:14 dev-jlj charon: 09[CFG] added configuration 'ikev2-vpn'

Mar 11 11:49:00 dev-jlj charon: 12[NET] received packet: from 192.168.0.64[37830] to 192.168.0.24[500] (716 bytes)
Mar 11 11:49:00 dev-jlj charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 11:49:00 dev-jlj charon: 12[IKE] 192.168.0.64 is initiating an IKE_SA
Mar 11 11:49:00 dev-jlj charon: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Mar 11 11:49:00 dev-jlj charon: 12[IKE] remote host is behind NAT
Mar 11 11:49:00 dev-jlj charon: 12[IKE] DH group ECP_256 unacceptable, requesting MODP_2048
Mar 11 11:49:00 dev-jlj charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Mar 11 11:49:00 dev-jlj charon: 12[NET] sending packet: from 192.168.0.24[500] to 192.168.0.64[37830] (38 bytes)
Mar 11 11:49:00 dev-jlj charon: 13[NET] received packet: from 192.168.0.64[37830] to 192.168.0.24[500] (908 bytes)
Mar 11 11:49:00 dev-jlj charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 11:49:00 dev-jlj charon: 13[IKE] 192.168.0.64 is initiating an IKE_SA
Mar 11 11:49:00 dev-jlj charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Mar 11 11:49:00 dev-jlj charon: 13[IKE] remote host is behind NAT
Mar 11 11:49:00 dev-jlj charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) ]
Mar 11 11:49:00 dev-jlj charon: 13[NET] sending packet: from 192.168.0.24[500] to 192.168.0.64[37830] (464 bytes)
Mar 11 11:49:00 dev-jlj charon: 14[NET] received packet: from 192.168.0.64[38941] to 192.168.0.24[4500] (444 bytes)
Mar 11 11:49:00 dev-jlj charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 11 11:49:00 dev-jlj charon: 14[IKE] received cert request for "CN=VPN root CA" 
Mar 11 11:49:00 dev-jlj charon: 14[CFG] looking for peer configs matching 192.168.0.24[%any]...192.168.0.64[toto]
Mar 11 11:49:00 dev-jlj charon: 14[CFG] selected peer config 'ikev2-vpn'
Mar 11 11:49:00 dev-jlj charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar 11 11:49:00 dev-jlj charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Mar 11 11:49:00 dev-jlj charon: 14[IKE] peer supports MOBIKE
Mar 11 11:49:00 dev-jlj charon: 14[IKE] authentication of '192.168.0.24' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Mar 11 11:49:00 dev-jlj charon: 14[IKE] sending end entity cert "CN=192.168.0.24" 
Mar 11 11:49:00 dev-jlj charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 11 11:49:00 dev-jlj charon: 14[ENC] splitting IKE message (1916 bytes) into 2 fragments
Mar 11 11:49:00 dev-jlj charon: 14[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Mar 11 11:49:00 dev-jlj charon: 14[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Mar 11 11:49:00 dev-jlj charon: 14[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (1248 bytes)
Mar 11 11:49:00 dev-jlj charon: 14[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (736 bytes)
Mar 11 11:49:00 dev-jlj charon: 15[NET] received packet: from 192.168.0.64[38941] to 192.168.0.24[4500] (76 bytes)
Mar 11 11:49:00 dev-jlj charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Mar 11 11:49:00 dev-jlj charon: 15[IKE] received EAP identity 'toto'
Mar 11 11:49:00 dev-jlj charon: 15[IKE] initiating EAP_MSCHAPV2 method (id 0x7E)
Mar 11 11:49:00 dev-jlj charon: 15[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Mar 11 11:49:00 dev-jlj charon: 15[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (108 bytes)
Mar 11 11:49:00 dev-jlj charon: 08[NET] received packet: from 192.168.0.64[38941] to 192.168.0.24[4500] (140 bytes)
Mar 11 11:49:00 dev-jlj charon: 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Mar 11 11:49:00 dev-jlj charon: 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Mar 11 11:49:00 dev-jlj charon: 08[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (140 bytes)
Mar 11 11:49:00 dev-jlj charon: 09[NET] received packet: from 192.168.0.64[38941] to 192.168.0.24[4500] (76 bytes)
Mar 11 11:49:00 dev-jlj charon: 09[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Mar 11 11:49:00 dev-jlj charon: 09[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 11 11:49:00 dev-jlj charon: 09[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Mar 11 11:49:00 dev-jlj charon: 09[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (76 bytes)
Mar 11 11:49:00 dev-jlj charon: 11[NET] received packet: from 192.168.0.64[38941] to 192.168.0.24[4500] (92 bytes)
Mar 11 11:49:00 dev-jlj charon: 11[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Mar 11 11:49:00 dev-jlj charon: 11[IKE] authentication of 'toto' with EAP successful
Mar 11 11:49:00 dev-jlj charon: 11[IKE] authentication of '192.168.0.24' (myself) with EAP
Mar 11 11:49:00 dev-jlj charon: 11[IKE] IKE_SA ikev2-vpn[2] established between 192.168.0.24[192.168.0.24]...192.168.0.64[toto]
Mar 11 11:49:00 dev-jlj charon: 11[IKE] peer requested virtual IP %any
Mar 11 11:49:00 dev-jlj charon: 11[CFG] assigning new lease to 'toto'
Mar 11 11:49:00 dev-jlj charon: 11[IKE] assigning virtual IP 11.11.10.1 to peer 'toto'
Mar 11 11:49:00 dev-jlj charon: 11[IKE] peer requested virtual IP %any6
Mar 11 11:49:00 dev-jlj charon: 11[IKE] no virtual IP found for %any6 requested by 'toto'
Mar 11 11:49:00 dev-jlj charon: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 11 11:49:00 dev-jlj charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs 630ae407_i a635e82a_o and TS 11.11.11.0/24 224.0.1.150/32 === 0.0.0.0/0
Mar 11 11:49:00 dev-jlj charon: 11[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Mar 11 11:49:00 dev-jlj charon: 11[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (252 bytes)
Mar 11 11:49:00 dev-jlj charon: 13[NET] received packet: from 192.168.0.64[38941] to 192.168.0.24[4500] (76 bytes)
Mar 11 11:49:00 dev-jlj charon: 13[ENC] parsed INFORMATIONAL request 6 [ N(NO_ADD_ADDR) ]
Mar 11 11:49:00 dev-jlj charon: 13[ENC] generating INFORMATIONAL response 6 [ ]
Mar 11 11:49:00 dev-jlj charon: 13[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (76 bytes)

sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.1+0.1.0, Linux 4.19.0-5-amd64, x86_64):
  uptime: 3 minutes, since Mar 11 11:47:14 2020
  malloc: sbrk 2854912, mmap 0, used 808480, free 2046432
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default forecast stroke vici updown eap-identity eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth error-notify counters
Virtual IP pools (size/online/offline):
  11.11.10.0/24: 254/1/0
Listening IP addresses:
  192.168.0.24
  11.11.11.1
  192.168.1.5
Connections:
   ikev2-vpn:  192.168.0.24...192.168.0.64  IKEv2, dpddelay=300s
   ikev2-vpn:   local:  [192.168.0.24] uses public key authentication
   ikev2-vpn:    cert:  "CN=192.168.0.24" 
   ikev2-vpn:   remote: [toto] uses EAP_MSCHAPV2 authentication with EAP identity '%any'
   ikev2-vpn:   child:  11.11.11.0/24 224.0.1.150/32 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
   ikev2-vpn[2]: ESTABLISHED 78 seconds ago, 192.168.0.24[192.168.0.24]...192.168.0.64[toto]
   ikev2-vpn[2]: IKEv2 SPIs: 1249916ca3001fe9_i b2d37a5ac8d9ade3_r*, rekeying disabled
   ikev2-vpn[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
   ikev2-vpn{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 630ae407_i a635e82a_o
   ikev2-vpn{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 3097 bytes_o (41 pkts, 2s ago), rekeying disabled
   ikev2-vpn{1}:   11.11.11.0/24 224.0.1.150/32 === 0.0.0.0/0

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:4e:01:a2:e2:85 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.24/24 brd 192.168.0.255 scope global enp1s0
       valid_lft forever preferred_lft forever
    inet 11.11.11.1/24 brd 11.11.11.255 scope global enp1s0:1
       valid_lft forever preferred_lft forever
    inet 192.168.1.5/24 scope global enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::24e:1ff:fea2:e285/64 scope link 
       valid_lft forever preferred_lft forever
32: pimreg@NONE: <NOARP,UP,LOWER_UP> mtu 1472 qdisc noqueue state UNKNOWN group default qlen 1000
    link/pimreg 
56: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet6 fe80::d9de:d1f:c8c8:7ba5/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

ip route
11.11.11.0/24 dev enp1s0 proto kernel scope link src 11.11.11.1 
33.33.33.0/24 via 192.168.0.24 dev enp1s0 
192.168.0.0/24 dev enp1s0 proto kernel scope link src 192.168.0.24 
192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.1.5 

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
# Warning: iptables-legacy tables present, use iptables-legacy to see them

SA MULTICAST (with the error) ============
on the client side, source tunnel IP addr = 192.168.0.64, dest tunnel IP addr = 224.0.1.250

CLIENT SIDE
client VPN strongswan 5.8.2dr1, Android 9 - PQ3B.190705.003/2019-07-05, Pixel 3a - google/sargo/Google, Linux 4.9.124-gb3668ca20417-ab5599295, aarch64
loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
server
224.0.1.250
VPN type
IKEv2 EAP (Username/Password)
Username
toto
Password
123456

CA certificate
VPN root CA

SERVER SIDE

/etc/strongswan/ipsec.conf
ipsec.secrets
strongswan.conf
same configuration files as SA UNICAST

sudo tail -f -n 100 /var/log/daemon.log
Mar 11 12:34:56 dev-jlj charon: 00[DMN] signal of type SIGINT received. Shutting down
Mar 11 12:34:58 dev-jlj charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.1+0.1.0, Linux 4.19.0-5-amd64, x86_64)
Mar 11 12:34:58 dev-jlj charon: 00[LIB] created TUN device: ipsec0
Mar 11 12:34:58 dev-jlj systemd-udevd[18723]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Mar 11 12:34:58 dev-jlj charon: 00[NET] using forecast interface enp1s0
Mar 11 12:34:58 dev-jlj charon: 00[CFG] joining forecast multicast groups: 224.0.1.150
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Mar 11 12:34:58 dev-jlj charon: 00[CFG]   loaded ca certificate "CN=VPN root CA" from '/etc/strongswan/ipsec.d/cacerts/ca-cert.pem'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Mar 11 12:34:58 dev-jlj systemd[1]: Started Run anacron jobs.
Mar 11 12:34:58 dev-jlj systemd[1]: anacron.service: Succeeded.
Mar 11 12:34:58 dev-jlj charon: 00[CFG]   loaded RSA private key from '/etc/strongswan/ipsec.d/private/server-key.pem'
Mar 11 12:34:58 dev-jlj charon: 00[CFG]   loaded EAP secret for toto
Mar 11 12:34:58 dev-jlj charon: 00[CFG] coupling file path unspecified
Mar 11 12:34:58 dev-jlj charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default forecast stroke vici updown eap-identity eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth error-notify counters
Mar 11 12:34:58 dev-jlj charon: 00[JOB] spawning 16 worker threads
Mar 11 12:34:58 dev-jlj charon: 08[CFG] received stroke: add connection 'ikev2-vpn'
Mar 11 12:34:58 dev-jlj charon: 08[CFG] adding virtual IP address pool 11.11.10.0/24
Mar 11 12:34:58 dev-jlj charon: 08[CFG]   loaded certificate "CN=192.168.0.24" from '/etc/strongswan/ipsec.d/certs/server-cert.pem'
Mar 11 12:34:58 dev-jlj charon: 08[CFG] added configuration 'ikev2-vpn'

Mar 11 12:35:09 dev-jlj charon: 09[NET] received packet: from 192.168.0.64[47719] to 224.0.1.150[500] (716 bytes)
Mar 11 12:35:09 dev-jlj charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 12:35:09 dev-jlj charon: 09[IKE] no IKE config found for 224.0.1.150...192.168.0.64, sending NO_PROPOSAL_CHOSEN
Mar 11 12:35:09 dev-jlj charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Mar 11 12:35:09 dev-jlj charon: 09[NET] sending packet: from 224.0.1.150[500] to 192.168.0.64[47719] (36 bytes)
Mar 11 12:35:09 dev-jlj charon: 03[NET] error writing to socket: Invalid argument
Mar 11 12:35:11 dev-jlj charon: 12[NET] received packet: from 192.168.0.64[47719] to 224.0.1.150[500] (716 bytes)
Mar 11 12:35:11 dev-jlj charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 12:35:11 dev-jlj charon: 12[IKE] no IKE config found for 224.0.1.150...192.168.0.64, sending NO_PROPOSAL_CHOSEN
Mar 11 12:35:11 dev-jlj charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Mar 11 12:35:11 dev-jlj charon: 12[NET] sending packet: from 224.0.1.150[500] to 192.168.0.64[47719] (36 bytes)
Mar 11 12:35:11 dev-jlj charon: 03[NET] error writing to socket: Invalid argument

sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.1+0.1.0, Linux 4.19.0-5-amd64, x86_64):
  uptime: 65 seconds, since Mar 11 12:34:59 2020
  malloc: sbrk 2449408, mmap 0, used 662656, free 1786752
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default forecast stroke vici updown eap-identity eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth error-notify counters
Virtual IP pools (size/online/offline):
  11.11.10.0/24: 254/0/0
Listening IP addresses:
  192.168.0.24
  11.11.11.1
  192.168.1.5
Connections:
   ikev2-vpn:  192.168.0.24...192.168.0.64  IKEv2, dpddelay=300s
   ikev2-vpn:   local:  [192.168.0.24] uses public key authentication
   ikev2-vpn:    cert:  "CN=192.168.0.24" 
   ikev2-vpn:   remote: [toto] uses EAP_MSCHAPV2 authentication with EAP identity '%any'
   ikev2-vpn:   child:  11.11.11.0/24 224.0.1.150/32 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:4e:01:a2:e2:85 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.24/24 brd 192.168.0.255 scope global enp1s0
       valid_lft forever preferred_lft forever
    inet 11.11.11.1/24 brd 11.11.11.255 scope global enp1s0:1
       valid_lft forever preferred_lft forever
    inet 192.168.1.5/24 scope global enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::24e:1ff:fea2:e285/64 scope link 
       valid_lft forever preferred_lft forever
32: pimreg@NONE: <NOARP,UP,LOWER_UP> mtu 1472 qdisc noqueue state UNKNOWN group default qlen 1000
    link/pimreg 
57: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet6 fe80::7e03:9a63:f267:1e00/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

ip route
11.11.11.0/24 dev enp1s0 proto kernel scope link src 11.11.11.1 
33.33.33.0/24 via 192.168.0.24 dev enp1s0 
192.168.0.0/24 dev enp1s0 proto kernel scope link src 192.168.0.24 
192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.1.5 

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
# Warning: iptables-legacy tables present, use iptables-legacy to see them

History

#1 Updated by Tobias Brunner 5 months ago

  • Description updated (diff)
  • Status changed from New to Feedback

rightsubnet=0.0.0.0/0

You don't want that if you assign virtual IP addresses (see VirtualIP for details).

server
224.0.1.250

Why would you expect that to work? (I mean, it might if only a single server is listening on that address, but what would you expect to happen if that's not the case?)

Mar 11 12:35:09 dev-jlj charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 12:35:09 dev-jlj charon: 09[IKE] no IKE config found for 224.0.1.150...192.168.0.64, sending NO_PROPOSAL_CHOSEN

You configured left=192.168.0.24, which obviously doesn't match that multicast address.

Was your intention actually to use multicast as tunnel endpoint address? Not for traffic inside the tunnel?
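
A log triage check for the failure mode described above, added here as an example; it is not part of this issue or of strongSwan itself. It parses charon's NET lines and the conn's left= address, and flags an IKE request addressed to a multicast group, the absence of a conn with a matching left=, and a reply sourced from that group followed by the socket error. The sample log and ipsec.conf are constructed from the lines shown in this issue; the EINVAL explanation is my reading of the log (Linux will not route a packet whose source address is a multicast group).

```python
"""Triage charon log lines for this issue's failure: an IKE_SA_INIT addressed to a
multicast group, no conn whose left= matches it, and a reply sourced from that group."""
import ipaddress
import re

PACKET_RE = re.compile(
    r"\[NET\] (received|sending) packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")
SOCKET_ERR_RE = re.compile(r"\[NET\] error writing to socket: (.+)$")
CONN_RE = re.compile(r"^\s*conn\s+(\S+)")
SETTING_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)")

# Constructed sample input, modelled on the log and ipsec.conf in this issue.
SAMPLE_LOG = """\
Mar 11 12:35:09 dev-jlj charon: 09[NET] received packet: from 192.168.0.64[47719] to 224.0.1.150[500] (716 bytes)
Mar 11 12:35:09 dev-jlj charon: 09[IKE] no IKE config found for 224.0.1.150...192.168.0.64, sending NO_PROPOSAL_CHOSEN
Mar 11 12:35:09 dev-jlj charon: 09[NET] sending packet: from 224.0.1.150[500] to 192.168.0.64[47719] (36 bytes)
Mar 11 12:35:09 dev-jlj charon: 03[NET] error writing to socket: Invalid argument
Mar 11 11:49:00 dev-jlj charon: 12[NET] received packet: from 192.168.0.64[37830] to 192.168.0.24[500] (716 bytes)
"""
SAMPLE_CONF = """\
conn ikev2-vpn
   left=192.168.0.24
   leftsubnet=11.11.11.0/24
   right=192.168.0.64
"""


def left_addresses(ipsec_conf):
    """Map each conn name to its left= value ('%any' or an IP literal)."""
    lefts, conn = {}, None
    for line in ipsec_conf.splitlines():
        m = CONN_RE.match(line)
        if m:
            conn = m.group(1)
            continue
        m = SETTING_RE.match(line)
        if conn and m and m.group(1) == "left":
            lefts[conn] = m.group(2)
    return lefts


def is_multicast(addr):
    try:
        return ipaddress.ip_address(addr).is_multicast
    except ValueError:  # hostnames, '%any' and the like are never multicast here
        return False


def triage(log_text, ipsec_conf):
    """Return de-duplicated findings, in order of first appearance."""
    lefts = left_addresses(ipsec_conf)
    any_left = "%any" in lefts.values()  # a wildcard left= matches any local address
    findings, last_send = [], None

    def add(msg):
        if msg not in findings:  # retries repeat the same lines; report each problem once
            findings.append(msg)

    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            direction, src, _sp, dst, _dp = m.groups()
            if direction == "received":
                if is_multicast(dst):
                    add(f"IKE request from {src} addressed to multicast {dst}: "
                        "an IKE responder needs a unicast endpoint address")
                if not any_left and dst not in lefts.values():
                    conf = ", ".join(f"{c}: left={a}" for c, a in sorted(lefts.items()))
                    add(f"no conn has left={dst} (configured: {conf})")
            else:
                last_send = (src, dst)  # remembered so a later socket error can be tied to it
                if is_multicast(src):
                    add(f"reply to {dst} is sourced from multicast {src}")
            continue
        m = SOCKET_ERR_RE.search(line)
        if m and last_send and is_multicast(last_send[0]):
            add(f"'{m.group(1)}' after sending from {last_send[0]}: Linux will "
                "not route a packet whose source address is a multicast group")
    return findings
```

Calling `triage(SAMPLE_LOG, SAMPLE_CONF)` returns the four findings for the multicast attempt and nothing for the unicast line.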

#2 Updated by Jean-Luc Jordan 5 months ago

Tobias Brunner wrote:

rightsubnet=0.0.0.0/0

You don't want that if you assign virtual IP addresses (see VirtualIP for details).

server
224.0.1.250

Why would you expect that to work? (I mean, it might if only a single server is listening on that address, but what would you expect to happen if that's not the case?)

Mar 11 12:35:09 dev-jlj charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 12:35:09 dev-jlj charon: 09[IKE] no IKE config found for 224.0.1.150...192.168.0.64, sending NO_PROPOSAL_CHOSEN

You configured left=192.168.0.24, which obviously doesn't match that multicast address.

Was your intention actually to use multicast as tunnel endpoint address? Not for traffic inside the tunnel?

Hi Tobias,

Thanks for your answer.
And sorry for my late reply.
It is OK for rightsubnet.
My intention was to use a multicast address as the tunnel endpoint address.
But now, by reading that multicast example (https://www.strongswan.org/testing/testresults/ikev2/net2net-multicast/index.html),
I understood it was not possible.
The tunnel endpoint address must be a unicast address.
And the traffic can be filtered with the multicast address provided in the subnet in the strongSwan ipsec configuration file.

Kind regards,
Jean-Luc J
