Issue #3368
Updated by Tobias Brunner over 5 years ago
Hi,
The aim is to test the SA multicast between a strongswan client VPN on Android and a strongswan server on Linux.
"SA multicast" means that on the client side, the tunnel source IP address is a unicast address and the tunnel destination IP address is a multicast address.
For that, a configuration is set; firstly, SA unicast (tunnel source IP @ and destination IP @ are unicast @) is tested successfully.
Secondly, SA multicast is executed, but on the server side the message "error writing to socket: Invalid argument" is displayed.
Could you help me, please?
Thanks in advance for your answer,
Kind Regards,
Jean-Luc J
The configuration is the following:
on the left side, a strongswan server on Linux with a subnet on the local unicast network (11.11.11.1/24) and on the multicast network (240.0.1.150/32);
on the right side, a client VPN on Android.
They communicate over WiFi thanks to a Netgear Wireless Access Point.
Please refer to the configuration files below.
SA UNICAST (all is ok)
==========
on the client side, source tunnel IP addr = 192.168.0.64 and destination tunnel IP addr = 192.168.0.24
CLIENT SIDE
client VPN strongswan 5.8.2dr1, Android 9 - PQ3B.190705.003/2019-07-05, Pixel 3a - google/sargo/Google, Linux 4.9.124-gb3668ca20417-ab5599295, aarch64
loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
server
192.168.0.24
VPN type
IKEv2 EAP (Username/Password)
Username
toto
Password
123456
CA certificate
VPN root CA
Status: Connected
Profile: 192.168.0.24
SERVER SIDE
/etc/strongswan/ipsec.conf
<pre>
config setup
    charondebug="all"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp2048,3des-sha1-modp2048!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=192.168.0.24
    leftcert=/etc/strongswan/ipsec.d/certs/server-cert.pem
    leftsendcert=always
    leftsubnet=11.11.11.0/24
    right=192.168.0.64
    rightid=toto
    rightsubnet=0.0.0.0/0
    rightauth=eap-mschapv2
    rightsourceip=11.11.10.0/24
    rightsendcert=never
    eap_identity=%identity
    mark=%unique
</pre>
ipsec.secrets
<pre>
: RSA "/etc/strongswan/ipsec.d/private/server-key.pem"
toto : EAP "123456"
</pre>
strongswan.conf
<pre>
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
    load_modular = yes
    multiple_authentication = no
    plugins {
        include strongswan.d/charon/*.conf
        forecast {
            groups = 224.0.1.150
            interface = enp1s0
        }
    }
}
include strongswan.d/*.conf
</pre>
<pre>
sudo tail -f -n 100 /var/log/daemon.log
Mar 11 11:47:11 dev-jlj charon: 00[DMN] signal of type SIGINT received. Shutting down
Mar 11 11:47:14 dev-jlj charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.1+0.1.0, Linux 4.19.0-5-amd64, x86_64)
Mar 11 11:47:14 dev-jlj systemd-udevd[18488]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Mar 11 11:47:14 dev-jlj charon: 00[LIB] created TUN device: ipsec0
Mar 11 11:47:14 dev-jlj charon: 00[NET] using forecast interface enp1s0
Mar 11 11:47:14 dev-jlj charon: 00[CFG] joining forecast multicast groups: 224.0.1.150
Mar 11 11:47:14 dev-jlj charon: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Mar 11 11:47:14 dev-jlj charon: 00[CFG] loaded ca certificate "CN=VPN root CA" from '/etc/strongswan/ipsec.d/cacerts/ca-cert.pem'
Mar 11 11:47:14 dev-jlj charon: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Mar 11 11:47:14 dev-jlj charon: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Mar 11 11:47:14 dev-jlj charon: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Mar 11 11:47:14 dev-jlj charon: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Mar 11 11:47:14 dev-jlj charon: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Mar 11 11:47:14 dev-jlj charon: 00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/server-key.pem'
Mar 11 11:47:14 dev-jlj charon: 00[CFG] loaded EAP secret for toto
Mar 11 11:47:14 dev-jlj charon: 00[CFG] coupling file path unspecified
Mar 11 11:47:14 dev-jlj charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default forecast stroke vici updown eap-identity eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth error-notify counters
Mar 11 11:47:14 dev-jlj charon: 00[JOB] spawning 16 worker threads
Mar 11 11:47:14 dev-jlj charon: 09[CFG] received stroke: add connection 'ikev2-vpn'
Mar 11 11:47:14 dev-jlj charon: 09[CFG] adding virtual IP address pool 11.11.10.0/24
Mar 11 11:47:14 dev-jlj charon: 09[CFG] loaded certificate "CN=192.168.0.24" from '/etc/strongswan/ipsec.d/certs/server-cert.pem'
Mar 11 11:47:14 dev-jlj charon: 09[CFG] added configuration 'ikev2-vpn'
Mar 11 11:49:00 dev-jlj charon: 12[NET] received packet: from 192.168.0.64[37830] to 192.168.0.24[500] (716 bytes)
Mar 11 11:49:00 dev-jlj charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 11:49:00 dev-jlj charon: 12[IKE] 192.168.0.64 is initiating an IKE_SA
Mar 11 11:49:00 dev-jlj charon: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Mar 11 11:49:00 dev-jlj charon: 12[IKE] remote host is behind NAT
Mar 11 11:49:00 dev-jlj charon: 12[IKE] DH group ECP_256 unacceptable, requesting MODP_2048
Mar 11 11:49:00 dev-jlj charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Mar 11 11:49:00 dev-jlj charon: 12[NET] sending packet: from 192.168.0.24[500] to 192.168.0.64[37830] (38 bytes)
Mar 11 11:49:00 dev-jlj charon: 13[NET] received packet: from 192.168.0.64[37830] to 192.168.0.24[500] (908 bytes)
Mar 11 11:49:00 dev-jlj charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 11:49:00 dev-jlj charon: 13[IKE] 192.168.0.64 is initiating an IKE_SA
Mar 11 11:49:00 dev-jlj charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Mar 11 11:49:00 dev-jlj charon: 13[IKE] remote host is behind NAT
Mar 11 11:49:00 dev-jlj charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) ]
Mar 11 11:49:00 dev-jlj charon: 13[NET] sending packet: from 192.168.0.24[500] to 192.168.0.64[37830] (464 bytes)
Mar 11 11:49:00 dev-jlj charon: 14[NET] received packet: from 192.168.0.64[38941] to 192.168.0.24[4500] (444 bytes)
Mar 11 11:49:00 dev-jlj charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 11 11:49:00 dev-jlj charon: 14[IKE] received cert request for "CN=VPN root CA"
Mar 11 11:49:00 dev-jlj charon: 14[CFG] looking for peer configs matching 192.168.0.24[%any]...192.168.0.64[toto]
Mar 11 11:49:00 dev-jlj charon: 14[CFG] selected peer config 'ikev2-vpn'
Mar 11 11:49:00 dev-jlj charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar 11 11:49:00 dev-jlj charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Mar 11 11:49:00 dev-jlj charon: 14[IKE] peer supports MOBIKE
Mar 11 11:49:00 dev-jlj charon: 14[IKE] authentication of '192.168.0.24' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Mar 11 11:49:00 dev-jlj charon: 14[IKE] sending end entity cert "CN=192.168.0.24"
Mar 11 11:49:00 dev-jlj charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 11 11:49:00 dev-jlj charon: 14[ENC] splitting IKE message (1916 bytes) into 2 fragments
Mar 11 11:49:00 dev-jlj charon: 14[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Mar 11 11:49:00 dev-jlj charon: 14[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Mar 11 11:49:00 dev-jlj charon: 14[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (1248 bytes)
Mar 11 11:49:00 dev-jlj charon: 14[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (736 bytes)
Mar 11 11:49:00 dev-jlj charon: 15[NET] received packet: from 192.168.0.64[38941] to 192.168.0.24[4500] (76 bytes)
Mar 11 11:49:00 dev-jlj charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Mar 11 11:49:00 dev-jlj charon: 15[IKE] received EAP identity 'toto'
Mar 11 11:49:00 dev-jlj charon: 15[IKE] initiating EAP_MSCHAPV2 method (id 0x7E)
Mar 11 11:49:00 dev-jlj charon: 15[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Mar 11 11:49:00 dev-jlj charon: 15[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (108 bytes)
Mar 11 11:49:00 dev-jlj charon: 08[NET] received packet: from 192.168.0.64[38941] to 192.168.0.24[4500] (140 bytes)
Mar 11 11:49:00 dev-jlj charon: 08[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Mar 11 11:49:00 dev-jlj charon: 08[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Mar 11 11:49:00 dev-jlj charon: 08[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (140 bytes)
Mar 11 11:49:00 dev-jlj charon: 09[NET] received packet: from 192.168.0.64[38941] to 192.168.0.24[4500] (76 bytes)
Mar 11 11:49:00 dev-jlj charon: 09[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Mar 11 11:49:00 dev-jlj charon: 09[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 11 11:49:00 dev-jlj charon: 09[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Mar 11 11:49:00 dev-jlj charon: 09[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (76 bytes)
Mar 11 11:49:00 dev-jlj charon: 11[NET] received packet: from 192.168.0.64[38941] to 192.168.0.24[4500] (92 bytes)
Mar 11 11:49:00 dev-jlj charon: 11[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Mar 11 11:49:00 dev-jlj charon: 11[IKE] authentication of 'toto' with EAP successful
Mar 11 11:49:00 dev-jlj charon: 11[IKE] authentication of '192.168.0.24' (myself) with EAP
Mar 11 11:49:00 dev-jlj charon: 11[IKE] IKE_SA ikev2-vpn[2] established between 192.168.0.24[192.168.0.24]...192.168.0.64[toto]
Mar 11 11:49:00 dev-jlj charon: 11[IKE] peer requested virtual IP %any
Mar 11 11:49:00 dev-jlj charon: 11[CFG] assigning new lease to 'toto'
Mar 11 11:49:00 dev-jlj charon: 11[IKE] assigning virtual IP 11.11.10.1 to peer 'toto'
Mar 11 11:49:00 dev-jlj charon: 11[IKE] peer requested virtual IP %any6
Mar 11 11:49:00 dev-jlj charon: 11[IKE] no virtual IP found for %any6 requested by 'toto'
Mar 11 11:49:00 dev-jlj charon: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 11 11:49:00 dev-jlj charon: 11[IKE] CHILD_SA ikev2-vpn{1} established with SPIs 630ae407_i a635e82a_o and TS 11.11.11.0/24 224.0.1.150/32 === 0.0.0.0/0
Mar 11 11:49:00 dev-jlj charon: 11[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Mar 11 11:49:00 dev-jlj charon: 11[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (252 bytes)
Mar 11 11:49:00 dev-jlj charon: 13[NET] received packet: from 192.168.0.64[38941] to 192.168.0.24[4500] (76 bytes)
Mar 11 11:49:00 dev-jlj charon: 13[ENC] parsed INFORMATIONAL request 6 [ N(NO_ADD_ADDR) ]
Mar 11 11:49:00 dev-jlj charon: 13[ENC] generating INFORMATIONAL response 6 [ ]
Mar 11 11:49:00 dev-jlj charon: 13[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (76 bytes)
</pre>
<pre>
sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.1+0.1.0, Linux 4.19.0-5-amd64, x86_64):
uptime: 3 minutes, since Mar 11 11:47:14 2020
malloc: sbrk 2854912, mmap 0, used 808480, free 2046432
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default forecast stroke vici updown eap-identity eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth error-notify counters
Virtual IP pools (size/online/offline):
11.11.10.0/24: 254/1/0
Listening IP addresses:
192.168.0.24
11.11.11.1
192.168.1.5
Connections:
ikev2-vpn: 192.168.0.24...192.168.0.64 IKEv2, dpddelay=300s
ikev2-vpn: local: [192.168.0.24] uses public key authentication
ikev2-vpn: cert: "CN=192.168.0.24"
ikev2-vpn: remote: [toto] uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-vpn: child: 11.11.11.0/24 224.0.1.150/32 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
ikev2-vpn[2]: ESTABLISHED 78 seconds ago, 192.168.0.24[192.168.0.24]...192.168.0.64[toto]
ikev2-vpn[2]: IKEv2 SPIs: 1249916ca3001fe9_i b2d37a5ac8d9ade3_r*, rekeying disabled
ikev2-vpn[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
ikev2-vpn{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 630ae407_i a635e82a_o
ikev2-vpn{1}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 3097 bytes_o (41 pkts, 2s ago), rekeying disabled
ikev2-vpn{1}: 11.11.11.0/24 224.0.1.150/32 === 0.0.0.0/0
</pre>
<pre>
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:4e:01:a2:e2:85 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.24/24 brd 192.168.0.255 scope global enp1s0
valid_lft forever preferred_lft forever
inet 11.11.11.1/24 brd 11.11.11.255 scope global enp1s0:1
valid_lft forever preferred_lft forever
inet 192.168.1.5/24 scope global enp1s0
valid_lft forever preferred_lft forever
inet6 fe80::24e:1ff:fea2:e285/64 scope link
valid_lft forever preferred_lft forever
32: pimreg@NONE: <NOARP,UP,LOWER_UP> mtu 1472 qdisc noqueue state UNKNOWN group default qlen 1000
link/pimreg
56: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet6 fe80::d9de:d1f:c8c8:7ba5/64 scope link stable-privacy
valid_lft forever preferred_lft forever
</pre>
<pre>
ip route
11.11.11.0/24 dev enp1s0 proto kernel scope link src 11.11.11.1
33.33.33.0/24 via 192.168.0.24 dev enp1s0
192.168.0.0/24 dev enp1s0 proto kernel scope link src 192.168.0.24
192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.1.5
</pre>
<pre>
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them
</pre>
SA MULTICAST (with the error)
============
on the client side, source tunnel IP addr = 192.168.0.64, dest tunnel IP addr = 224.0.1.250
CLIENT SIDE
client VPN strongswan 5.8.2dr1, Android 9 - PQ3B.190705.003/2019-07-05, Pixel 3a - google/sargo/Google, Linux 4.9.124-gb3668ca20417-ab5599295, aarch64
loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
server
224.0.1.250
VPN type
IKEv2 EAP (Username/Password)
Username
toto
Password
123456
CA certificate
VPN root CA
SERVER SIDE
/etc/strongswan/ipsec.conf, ipsec.secrets, strongswan.conf: same configuration files as SA UNICAST
<pre>
sudo tail -f -n 100 /var/log/daemon.log
Mar 11 12:34:56 dev-jlj charon: 00[DMN] signal of type SIGINT received. Shutting down
Mar 11 12:34:58 dev-jlj charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.1+0.1.0, Linux 4.19.0-5-amd64, x86_64)
Mar 11 12:34:58 dev-jlj charon: 00[LIB] created TUN device: ipsec0
Mar 11 12:34:58 dev-jlj systemd-udevd[18723]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Mar 11 12:34:58 dev-jlj charon: 00[NET] using forecast interface enp1s0
Mar 11 12:34:58 dev-jlj charon: 00[CFG] joining forecast multicast groups: 224.0.1.150
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loaded ca certificate "CN=VPN root CA" from '/etc/strongswan/ipsec.d/cacerts/ca-cert.pem'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Mar 11 12:34:58 dev-jlj systemd[1]: Started Run anacron jobs.
Mar 11 12:34:58 dev-jlj systemd[1]: anacron.service: Succeeded.
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/server-key.pem'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loaded EAP secret for toto
Mar 11 12:34:58 dev-jlj charon: 00[CFG] coupling file path unspecified
Mar 11 12:34:58 dev-jlj charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default forecast stroke vici updown eap-identity eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth error-notify counters
Mar 11 12:34:58 dev-jlj charon: 00[JOB] spawning 16 worker threads
Mar 11 12:34:58 dev-jlj charon: 08[CFG] received stroke: add connection 'ikev2-vpn'
Mar 11 12:34:58 dev-jlj charon: 08[CFG] adding virtual IP address pool 11.11.10.0/24
Mar 11 12:34:58 dev-jlj charon: 08[CFG] loaded certificate "CN=192.168.0.24" from '/etc/strongswan/ipsec.d/certs/server-cert.pem'
Mar 11 12:34:58 dev-jlj charon: 08[CFG] added configuration 'ikev2-vpn'
Mar 11 12:35:09 dev-jlj charon: 09[NET] received packet: from 192.168.0.64[47719] to 224.0.1.150[500] (716 bytes)
Mar 11 12:35:09 dev-jlj charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 12:35:09 dev-jlj charon: 09[IKE] no IKE config found for 224.0.1.150...192.168.0.64, sending NO_PROPOSAL_CHOSEN
Mar 11 12:35:09 dev-jlj charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Mar 11 12:35:09 dev-jlj charon: 09[NET] sending packet: from 224.0.1.150[500] to 192.168.0.64[47719] (36 bytes)
Mar 11 12:35:09 dev-jlj charon: 03[NET] error writing to socket: Invalid argument
Mar 11 12:35:11 dev-jlj charon: 12[NET] received packet: from 192.168.0.64[47719] to 224.0.1.150[500] (716 bytes)
Mar 11 12:35:11 dev-jlj charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 12:35:11 dev-jlj charon: 12[IKE] no IKE config found for 224.0.1.150...192.168.0.64, sending NO_PROPOSAL_CHOSEN
Mar 11 12:35:11 dev-jlj charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Mar 11 12:35:11 dev-jlj charon: 12[NET] sending packet: from 224.0.1.150[500] to 192.168.0.64[47719] (36 bytes)
Mar 11 12:35:11 dev-jlj charon: 03[NET] error writing to socket: Invalid argument
</pre>
<pre>
sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.1+0.1.0, Linux 4.19.0-5-amd64, x86_64):
uptime: 65 seconds, since Mar 11 12:34:59 2020
malloc: sbrk 2449408, mmap 0, used 662656, free 1786752
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default forecast stroke vici updown eap-identity eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth error-notify counters
Virtual IP pools (size/online/offline):
11.11.10.0/24: 254/0/0
Listening IP addresses:
192.168.0.24
11.11.11.1
192.168.1.5
Connections:
ikev2-vpn: 192.168.0.24...192.168.0.64 IKEv2, dpddelay=300s
ikev2-vpn: local: [192.168.0.24] uses public key authentication
ikev2-vpn: cert: "CN=192.168.0.24"
ikev2-vpn: remote: [toto] uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-vpn: child: 11.11.11.0/24 224.0.1.150/32 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
none
</pre>
<pre>
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:4e:01:a2:e2:85 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.24/24 brd 192.168.0.255 scope global enp1s0
valid_lft forever preferred_lft forever
inet 11.11.11.1/24 brd 11.11.11.255 scope global enp1s0:1
valid_lft forever preferred_lft forever
inet 192.168.1.5/24 scope global enp1s0
valid_lft forever preferred_lft forever
inet6 fe80::24e:1ff:fea2:e285/64 scope link
valid_lft forever preferred_lft forever
32: pimreg@NONE: <NOARP,UP,LOWER_UP> mtu 1472 qdisc noqueue state UNKNOWN group default qlen 1000
link/pimreg
57: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet6 fe80::7e03:9a63:f267:1e00/64 scope link stable-privacy
valid_lft forever preferred_lft forever
</pre>
<pre>
ip route
11.11.11.0/24 dev enp1s0 proto kernel scope link src 11.11.11.1
33.33.33.0/24 via 192.168.0.24 dev enp1s0
192.168.0.0/24 dev enp1s0 proto kernel scope link src 192.168.0.24
192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.1.5
</pre>
<pre>
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them
</pre>
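Added example, not part of the post or of strongSwan: a small Python checker run over the charon NET/IKE lines quoted above. It flags IKE traffic that arrived at a multicast group address and pairs each reply the responder tried to source from that group address with the "error writing to socket" line that follows it, which is exactly the pattern the multicast run shows; the function names (`analyse`, `diagnose`) and the finding kinds are my own.

```python
"""Checker for the charon log pattern seen in this issue: an IKE_SA_INIT
request arrives at a multicast group (224.0.1.150), the responder tries to
answer *from* that group address, and the write fails with EINVAL because a
datagram can never be sourced from a multicast address (RFC 1112)."""
import ipaddress
import re
from collections import Counter

# Log lines copied from the excerpts in the post (unicast run first, then the multicast run).
SAMPLE_LOG = """\
Mar 11 11:49:00 dev-jlj charon: 12[NET] received packet: from 192.168.0.64[37830] to 192.168.0.24[500] (716 bytes)
Mar 11 11:49:00 dev-jlj charon: 12[NET] sending packet: from 192.168.0.24[500] to 192.168.0.64[37830] (38 bytes)
Mar 11 12:35:09 dev-jlj charon: 09[NET] received packet: from 192.168.0.64[47719] to 224.0.1.150[500] (716 bytes)
Mar 11 12:35:09 dev-jlj charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 12:35:09 dev-jlj charon: 09[IKE] no IKE config found for 224.0.1.150...192.168.0.64, sending NO_PROPOSAL_CHOSEN
Mar 11 12:35:09 dev-jlj charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Mar 11 12:35:09 dev-jlj charon: 09[NET] sending packet: from 224.0.1.150[500] to 192.168.0.64[47719] (36 bytes)
Mar 11 12:35:09 dev-jlj charon: 03[NET] error writing to socket: Invalid argument
Mar 11 12:35:11 dev-jlj charon: 12[NET] received packet: from 192.168.0.64[47719] to 224.0.1.150[500] (716 bytes)
Mar 11 12:35:11 dev-jlj charon: 12[IKE] no IKE config found for 224.0.1.150...192.168.0.64, sending NO_PROPOSAL_CHOSEN
Mar 11 12:35:11 dev-jlj charon: 12[NET] sending packet: from 224.0.1.150[500] to 192.168.0.64[47719] (36 bytes)
Mar 11 12:35:11 dev-jlj charon: 03[NET] error writing to socket: Invalid argument
"""

# The first two lines only (the unicast run), used as a healthy control.
UNICAST_OK = "\n".join(SAMPLE_LOG.splitlines()[:2])

NET_RE = re.compile(
    r"charon: (?P<thread>\d+)\[NET\] (?P<dir>received|sending) packet: "
    r"from (?P<src>[^\s\[]+)\[(?P<sport>\d+)\] to (?P<dst>[^\s\[]+)\[(?P<dport>\d+)\]"
)
NOCFG_RE = re.compile(r"no IKE config found for (?P<local>[\d.]+)\.\.\.(?P<remote>[\d.]+)")
ERR_RE = re.compile(r"\[NET\] error writing to socket: (?P<errno>.+?)\s*$")


def is_multicast(addr: str) -> bool:
    """True for 224.0.0.0/4 (and ff00::/8): a host may receive at such an address, never send from it."""
    return ipaddress.ip_address(addr).is_multicast


def analyse(lines):
    """Return (kind, detail) findings in log order.

    kinds: multicast_dst_request  IKE traffic received at a group address
           no_config              responder found no config for local...remote
           send_failed            a reply sourced from a group address hit a socket error
    """
    findings = []
    pending = None  # last reply attempted from a multicast source, awaiting its error line
    for line in lines:
        m = NET_RE.search(line)
        if m:
            if m["dir"] == "received" and is_multicast(m["dst"]):
                findings.append(("multicast_dst_request", f"{m['src']} -> {m['dst']}:{m['dport']}"))
            elif m["dir"] == "sending" and is_multicast(m["src"]):
                pending = f"{m['src']}:{m['sport']} -> {m['dst']}:{m['dport']}"
            continue
        m = NOCFG_RE.search(line)
        if m:
            note = " (local endpoint is a multicast group)" if is_multicast(m["local"]) else ""
            findings.append(("no_config", f"{m['local']}...{m['remote']}{note}"))
            continue
        m = ERR_RE.search(line)
        if m and pending is not None:
            # charon's sender thread logs the errno right after the "sending packet" line
            findings.append(("send_failed", f"{pending}: {m['errno']}"))
            pending = None
    return findings


def diagnose(lines):
    """Summarise the findings into per-kind counts and a one-line verdict."""
    findings = analyse(lines)
    counts = Counter(kind for kind, _ in findings)
    if counts["send_failed"]:
        verdict = ("responder tried to source IKE replies from a multicast group address; "
                   "the kernel rejects that (EINVAL), so no IKE_SA can be set up this way")
    elif counts["multicast_dst_request"]:
        verdict = "IKE requests arrive at a multicast group address but no reply failure was logged"
    else:
        verdict = "ok"
    return counts, verdict


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LOG.splitlines()):
        print(f"{kind:22s} {detail}")
    print(diagnose(SAMPLE_LOG.splitlines())[1])
```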
Mar 11 11:49:00 dev-jlj charon: 11[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Mar 11 11:49:00 dev-jlj charon: 11[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (252 bytes)
Mar 11 11:49:00 dev-jlj charon: 13[NET] received packet: from 192.168.0.64[38941] to 192.168.0.24[4500] (76 bytes)
Mar 11 11:49:00 dev-jlj charon: 13[ENC] parsed INFORMATIONAL request 6 [ N(NO_ADD_ADDR) ]
Mar 11 11:49:00 dev-jlj charon: 13[ENC] generating INFORMATIONAL response 6 [ ]
Mar 11 11:49:00 dev-jlj charon: 13[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (76 bytes)
</pre>
<pre>
sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.1+0.1.0, Linux 4.19.0-5-amd64, x86_64):
uptime: 3 minutes, since Mar 11 11:47:14 2020
malloc: sbrk 2854912, mmap 0, used 808480, free 2046432
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default forecast stroke vici updown eap-identity eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth error-notify counters
Virtual IP pools (size/online/offline):
11.11.10.0/24: 254/1/0
Listening IP addresses:
192.168.0.24
11.11.11.1
192.168.1.5
Connections:
ikev2-vpn: 192.168.0.24...192.168.0.64 IKEv2, dpddelay=300s
ikev2-vpn: local: [192.168.0.24] uses public key authentication
ikev2-vpn: cert: "CN=192.168.0.24"
ikev2-vpn: remote: [toto] uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-vpn: child: 11.11.11.0/24 224.0.1.150/32 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
ikev2-vpn[2]: ESTABLISHED 78 seconds ago, 192.168.0.24[192.168.0.24]...192.168.0.64[toto]
ikev2-vpn[2]: IKEv2 SPIs: 1249916ca3001fe9_i b2d37a5ac8d9ade3_r*, rekeying disabled
ikev2-vpn[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
ikev2-vpn{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 630ae407_i a635e82a_o
ikev2-vpn{1}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 3097 bytes_o (41 pkts, 2s ago), rekeying disabled
ikev2-vpn{1}: 11.11.11.0/24 224.0.1.150/32 === 0.0.0.0/0
</pre>
<pre>
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:4e:01:a2:e2:85 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.24/24 brd 192.168.0.255 scope global enp1s0
valid_lft forever preferred_lft forever
inet 11.11.11.1/24 brd 11.11.11.255 scope global enp1s0:1
valid_lft forever preferred_lft forever
inet 192.168.1.5/24 scope global enp1s0
valid_lft forever preferred_lft forever
inet6 fe80::24e:1ff:fea2:e285/64 scope link
valid_lft forever preferred_lft forever
32: pimreg@NONE: <NOARP,UP,LOWER_UP> mtu 1472 qdisc noqueue state UNKNOWN group default qlen 1000
link/pimreg
56: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet6 fe80::d9de:d1f:c8c8:7ba5/64 scope link stable-privacy
valid_lft forever preferred_lft forever
</pre>
<pre>
ip route
11.11.11.0/24 dev enp1s0 proto kernel scope link src 11.11.11.1
33.33.33.0/24 via 192.168.0.24 dev enp1s0
192.168.0.0/24 dev enp1s0 proto kernel scope link src 192.168.0.24
192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.1.5
</pre>
<pre>
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them
</pre>
SA MULTICAST (with the error)
============
on client side, source tunnel ip addr = 192.168.0.64, dest tunnel ip addr = 224.0.1.250
CLIENT SIDE
client VPN strongswan 5.8.2dr1, Android 9 - PQ3B.190705.003/2019-07-05, Pixel 3a - google/sargo/Google, Linux 4.9.124-gb3668ca20417-ab5599295, aarch64
loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
server
224.0.1.250
VPN type
IKEv2 EAP (Username/Password)
Username
toto
Password
123456
CA certificate
VPN root CA
SERVER SIDE
/etc/strongswan/ipsec.conf
ipsec.secrets
strongswan.conf
same configuration files as SA UNICAST
<pre>
sudo tail -f -n 100 /var/log/daemon.log
Mar 11 12:34:56 dev-jlj charon: 00[DMN] signal of type SIGINT received. Shutting down
Mar 11 12:34:58 dev-jlj charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.1+0.1.0, Linux 4.19.0-5-amd64, x86_64)
Mar 11 12:34:58 dev-jlj charon: 00[LIB] created TUN device: ipsec0
Mar 11 12:34:58 dev-jlj systemd-udevd[18723]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Mar 11 12:34:58 dev-jlj charon: 00[NET] using forecast interface enp1s0
Mar 11 12:34:58 dev-jlj charon: 00[CFG] joining forecast multicast groups: 224.0.1.150
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loaded ca certificate "CN=VPN root CA" from '/etc/strongswan/ipsec.d/cacerts/ca-cert.pem'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Mar 11 12:34:58 dev-jlj systemd[1]: Started Run anacron jobs.
Mar 11 12:34:58 dev-jlj systemd[1]: anacron.service: Succeeded.
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/server-key.pem'
Mar 11 12:34:58 dev-jlj charon: 00[CFG] loaded EAP secret for toto
Mar 11 12:34:58 dev-jlj charon: 00[CFG] coupling file path unspecified
Mar 11 12:34:58 dev-jlj charon: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default forecast stroke vici updown eap-identity eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth error-notify counters
Mar 11 12:34:58 dev-jlj charon: 00[JOB] spawning 16 worker threads
Mar 11 12:34:58 dev-jlj charon: 08[CFG] received stroke: add connection 'ikev2-vpn'
Mar 11 12:34:58 dev-jlj charon: 08[CFG] adding virtual IP address pool 11.11.10.0/24
Mar 11 12:34:58 dev-jlj charon: 08[CFG] loaded certificate "CN=192.168.0.24" from '/etc/strongswan/ipsec.d/certs/server-cert.pem'
Mar 11 12:34:58 dev-jlj charon: 08[CFG] added configuration 'ikev2-vpn'
Mar 11 12:35:09 dev-jlj charon: 09[NET] received packet: from 192.168.0.64[47719] to 224.0.1.150[500] (716 bytes)
Mar 11 12:35:09 dev-jlj charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 12:35:09 dev-jlj charon: 09[IKE] no IKE config found for 224.0.1.150...192.168.0.64, sending NO_PROPOSAL_CHOSEN
Mar 11 12:35:09 dev-jlj charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Mar 11 12:35:09 dev-jlj charon: 09[NET] sending packet: from 224.0.1.150[500] to 192.168.0.64[47719] (36 bytes)
Mar 11 12:35:09 dev-jlj charon: 03[NET] error writing to socket: Invalid argument
Mar 11 12:35:11 dev-jlj charon: 12[NET] received packet: from 192.168.0.64[47719] to 224.0.1.150[500] (716 bytes)
Mar 11 12:35:11 dev-jlj charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 11 12:35:11 dev-jlj charon: 12[IKE] no IKE config found for 224.0.1.150...192.168.0.64, sending NO_PROPOSAL_CHOSEN
Mar 11 12:35:11 dev-jlj charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Mar 11 12:35:11 dev-jlj charon: 12[NET] sending packet: from 224.0.1.150[500] to 192.168.0.64[47719] (36 bytes)
Mar 11 12:35:11 dev-jlj charon: 03[NET] error writing to socket: Invalid argument
</pre>
<pre>
sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.1+0.1.0, Linux 4.19.0-5-amd64, x86_64):
uptime: 65 seconds, since Mar 11 12:34:59 2020
malloc: sbrk 2449408, mmap 0, used 662656, free 1786752
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default forecast stroke vici updown eap-identity eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth error-notify counters
Virtual IP pools (size/online/offline):
11.11.10.0/24: 254/0/0
Listening IP addresses:
192.168.0.24
11.11.11.1
192.168.1.5
Connections:
ikev2-vpn: 192.168.0.24...192.168.0.64 IKEv2, dpddelay=300s
ikev2-vpn: local: [192.168.0.24] uses public key authentication
ikev2-vpn: cert: "CN=192.168.0.24"
ikev2-vpn: remote: [toto] uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-vpn: child: 11.11.11.0/24 224.0.1.150/32 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
none
</pre>
<pre>
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:4e:01:a2:e2:85 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.24/24 brd 192.168.0.255 scope global enp1s0
valid_lft forever preferred_lft forever
inet 11.11.11.1/24 brd 11.11.11.255 scope global enp1s0:1
valid_lft forever preferred_lft forever
inet 192.168.1.5/24 scope global enp1s0
valid_lft forever preferred_lft forever
inet6 fe80::24e:1ff:fea2:e285/64 scope link
valid_lft forever preferred_lft forever
32: pimreg@NONE: <NOARP,UP,LOWER_UP> mtu 1472 qdisc noqueue state UNKNOWN group default qlen 1000
link/pimreg
57: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN group default qlen 500
link/none
inet6 fe80::7e03:9a63:f267:1e00/64 scope link stable-privacy
valid_lft forever preferred_lft forever
</pre>
<pre>
ip route
11.11.11.0/24 dev enp1s0 proto kernel scope link src 11.11.11.1
33.33.33.0/24 via 192.168.0.24 dev enp1s0
192.168.0.0/24 dev enp1s0 proto kernel scope link src 192.168.0.24
192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.1.5
</pre>
<pre>
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# Warning: iptables-legacy tables present, use iptables-legacy to see them
</pre>
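Added example (not part of the report above and not strongSwan code): a small Python triage script that scans charon `[NET]` log lines and flags every reply the daemon tried to send from a multicast group address that was then followed by a socket write error, which is exactly the pattern in the multicast log excerpt above. The sample lines are copied from the report; the regular expressions assume the default charon log format shown there.

```python
import ipaddress
import re

# Sample charon log lines, copied from the report (server side); the first four
# are from the failing multicast test, the last two from the working unicast test.
SAMPLE_LOG = """\
Mar 11 12:35:09 dev-jlj charon: 09[NET] received packet: from 192.168.0.64[47719] to 224.0.1.150[500] (716 bytes)
Mar 11 12:35:09 dev-jlj charon: 09[IKE] no IKE config found for 224.0.1.150...192.168.0.64, sending NO_PROPOSAL_CHOSEN
Mar 11 12:35:09 dev-jlj charon: 09[NET] sending packet: from 224.0.1.150[500] to 192.168.0.64[47719] (36 bytes)
Mar 11 12:35:09 dev-jlj charon: 03[NET] error writing to socket: Invalid argument
Mar 11 11:49:00 dev-jlj charon: 15[NET] received packet: from 192.168.0.64[38941] to 192.168.0.24[4500] (76 bytes)
Mar 11 11:49:00 dev-jlj charon: 15[NET] sending packet: from 192.168.0.24[4500] to 192.168.0.64[38941] (108 bytes)
"""

# Matches "[NET] received/sending packet: from A[port] to B[port]" as charon logs it.
PKT_RE = re.compile(
    r"\[NET\] (?P<dir>received|sending) packet: from (?P<src>[\d.]+)\[(?P<sport>\d+)\] "
    r"to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]"
)
# The write error is logged by the sender thread, so its thread id differs from
# the "sending packet" line; we correlate by order, not by thread id.
ERR_RE = re.compile(r"\[NET\] error writing to socket: (?P<err>.+)$")


def triage(log_text):
    """Return one finding per reply sent from a multicast source address that is
    immediately followed by a socket write error."""
    findings = []
    pending = None  # last "sending packet" line whose source address was multicast
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            pending = None
            if m["dir"] == "sending" and ipaddress.ip_address(m["src"]).is_multicast:
                pending = m
            continue
        e = ERR_RE.search(line)
        if e and pending is not None:
            findings.append({
                "local": f"{pending['src']}[{pending['sport']}]",
                "peer": f"{pending['dst']}[{pending['dport']}]",
                "error": e["err"].strip(),
            })
            pending = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"reply from {f['local']} to {f['peer']} failed: {f['error']}")
```

Run against the full daemon log instead of `SAMPLE_LOG` to see how many IKE_SA_INIT replies hit the error, and confirm that the unicast exchanges (local address 192.168.0.24) produce no findings.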