Issue #2069
Updated by Tobias Brunner about 9 years ago
Hi Guys.
I have been struggling for a few days to understand why the ICMP packets from the CPEs are passing unsecured and not via the IPsec tunnel.
My tunnel is:
GW right is a virtual machine with Ubuntu 14.04.
GW left is our DUT.
Both GWs are running strongSwan build 5.3.5.
A virtual machine is connected to both GWs' LAN sides as the CPEs.
The IPsec tunnel between the 2 GWs is up.
Ping between the two peers' CPEs works fine (static routing).
The ping is wrongly passing unencrypted.
GW right ipsec.conf file:
<pre>
config setup

conn %default
    ikelifetime=600m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev1
    mobike=no
    type=tunnel

conn net-net
    left=20.161.23.22
    leftsubnet=30.161.23.0
    leftid=%any
    right=20.161.23.11
    rightsubnet=40.161.23.0
    rightid=%any
    auto=start
    ike=aes128-sha256-modp1024!
    esp=aes128-sha256-modp1024!
</pre>
GW left ipsec.conf file:
<pre>
config setup

conn %default
    ikelifetime=600m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev1
    mobike=no
    type=tunnel

conn net-net
    left=20.161.23.22
    leftsubnet=30.161.23.0
    leftid=%any
    right=20.161.23.11
    rightsubnet=40.161.23.0
    rightid=%any
    auto=start
    ike=aes128-sha256-modp1024!
    esp=aes128-sha256-modp1024!
</pre>
When I type ipsec status, it seems that there is a problem with my strongswan.conf file (even though I tried to fix it, the error does not seem correct):
<pre>
ipsec statusall
/etc/strongswan.d/scepclient.conf:2: syntax error, unexpected NAME, expecting '{] [
invalid config file '/etc/strongswan.conf'
Status of IKE charon daemon (strongSwan 5.3.5, Linux 3.12.17-intelce-standard, i686):
uptime: 8 minutes, since Jul 06 22:13:24 2016
malloc: sbrk 172032, mmap 0, used 131696, free 40336
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
Listening IP addresses:
30.161.23.33
fc00::1
20.161.23.22
Connections:
net-net: 20.161.23.22...20.161.23.11 IKEv1
net-net: local: [20.161.23.22] uses pre-shared key authentication
net-net: remote: uses pre-shared key authentication
net-net: child: 30.161.23.0/32 === 40.161.23.0/32 TUNNEL
Security Associations (1 up, 0 connecting):
net-net[1]: ESTABLISHED 8 minutes ago, 20.161.23.22[20.161.23.22]...20.161.23.11[20.161.23.11]
net-net[1]: IKEv1 SPIs: 117151a1bab5d359_i* a30570e25457dd7b_r, pre-shared key reauthentication in 9 hours
net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
net-net{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7d208dd_i ca977da2_o
net-net{1}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 6 minutes
net-net{1}: 30.161.23.0/32 === 40.161.23.0/32
</pre>
strongswan.conf file is:
<pre>
charon
{
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
</pre>
tcpdump on the IPsec tunnel (no NAT, because I see that the source IP is not changing) while pinging from the 30.161.23.13 CPE to the 40.161.23.113 CPE:
<pre>
30.161.23.13 > 40.161.23.113: ICMP echo request, id 5914, seq 5, length 64
22:25:38.481132 IP (tos 0x0, ttl 63, id 1053, offset 0, flags [none], proto ICMP (1), length 84)
40.161.23.113 > 30.161.23.13: ICMP echo reply, id 5914, seq 5, length 64
22:25:38.696980 IP (tos 0x0, ttl 63, id 1074, offset 0, flags [DF], proto ICMP (1), length 84)
</pre>
As you can see in the tcpdump, none of the packets are encrypted (I should have seen them as ESP and not ICMP), so they are not passing via the IPsec tunnel. Can someone assist me with that please?
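As an added diagnostic (not part of the report and not strongSwan's own code), the script below parses the reporter's net-net conn, expands leftsubnet/rightsubnet the way the statusall output shows them installed (a bare address without a prefix length becomes a single-host /32) and checks whether the pinged CPE addresses fall inside those traffic selectors; the /24 used as a corrected value in the usage is an assumption, not something the report states.

```python
import ipaddress

# Constructed excerpt of the reporter's ipsec.conf (both gateways carry the same conn).
IPSEC_CONF = """\
conn net-net
    left=20.161.23.22
    leftsubnet=30.161.23.0
    right=20.161.23.11
    rightsubnet=40.161.23.0
    auto=start
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in an ipsec.conf snippet."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def selectors(value):
    """Expand a (comma-separated) leftsubnet/rightsubnet value into networks the way the
    daemon installs them: a bare address with no prefix length is a single-host /32."""
    return [ipaddress.ip_network(s.strip(), strict=False) for s in value.split(",")]

def covering_conn(conns, src, dst):
    """Name of the first conn whose traffic selectors match src->dst (checked in both
    directions, since the policy is installed both ways), or None if the flow bypasses IPsec."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, opts in conns.items():
        try:
            lefts = selectors(opts.get("leftsubnet") or opts["left"])
            rights = selectors(opts.get("rightsubnet") or opts["right"])
        except (KeyError, ValueError):  # no left/right, or a symbolic value such as %any
            continue
        out = any(src in n for n in lefts) and any(dst in n for n in rights)
        back = any(src in n for n in rights) and any(dst in n for n in lefts)
        if out or back:
            return name
    return None

if __name__ == "__main__":
    conns = parse_conns(IPSEC_CONF)
    for side in ("leftsubnet", "rightsubnet"):
        print(side, "installs as", selectors(conns["net-net"][side]))  # .../32
    print("covered by:", covering_conn(conns, "30.161.23.13", "40.161.23.113"))  # None
```

With the assumed corrected values leftsubnet=30.161.23.0/24 and rightsubnet=40.161.23.0/24 the same flow is reported as covered by net-net.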