Bug #2183

Updated by Tobias Brunner over 3 years ago


Two problems will be described:

- The bug appears to resemble issue #1189, but the kernel used here is much newer, and in 30% of cases it works properly.
- The 'ipsec up' command ends in success regardless of whether the default gateway has been set in table 220 or not. This can be confusing to users, since they think the VPN connection is up and routing their packets.

Tested with strongswan-5.5.1, kernels 4.6.4 and 4.8.10 (on both endpoints).
Configure arguments:
<pre>
./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --disable-dependency-tracking --disable-silent-rules --libdir=/usr/lib64 --disable-static --enable-ikev1 --enable-ikev2 --enable-swanctl --enable-socket-dynamic --with-capabilities=libcap --disable-curl --enable-constraints --disable-ldap --disable-leak-detective --disable-dhcp --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-sql --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-identity --enable-eap-md5 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-md4 --enable-eap-mschapv2 --enable-eap-radius --enable-eap-tls --enable-xauth-eap --enable-farp --enable-gmp --enable-gcrypt --disable-mysql --disable-nm --enable-openssl --disable-xauth-pam --disable-pkcs11 --disable-sqlite --with-systemdsystemunitdir=/usr/lib/systemd/system --disable-eap-gtc --enable-vici --enable-rdrand
</pre>



Initiator ipsec.conf:
<pre>
config setup
    uniqueids = no

conn %default

conn generic
    leftfirewall=yes
    leftauth=eap
    eap_identity=CENSORED
    rightauth=pubkey
    right=2001:4d80:0:42:1501::1
    rightid=@bucharest-s15-i01.cg-dialup.net
    dpdaction=clear
    dpddelay=5s
    dpdtimeout=20s

conn v4
    also=generic
    left=%any
    leftsourceip=%config
    rightsubnet=0.0.0.0/0
    auto=add

conn both
    also=generic
    left=%any
    leftsourceip=%config,%config6
    rightsubnet=::/0,0.0.0.0/0
    auto=add

conn v6
    also=generic
    left=%any6
    leftsourceip=%config6
    rightsubnet=::/0
    auto=add

conn pass
    leftsubnet=192.168.1.121/32
    rightsubnet=192.168.1.0/24
    type=passthrough
    authby=never
    auto=route
</pre>


'ipsec up v6' can end up in two ways:

- In 70% of cases it ends up with:
<pre>
authentication of 'bucharest-s15-i01.cg-dialup.net' with EAP successful
IKE_SA v6[1] established between 2001:4d80:0:40:b889:86ff:fefb:fe51[2001:4d80:0:40:b889:86ff:fefb:fe51]...2001:4d80:0:42:1501::1[bucharest-s15-i01.cg-dialup.net]
scheduling reauthentication in 9884s
maximum IKE_SA lifetime 10424s
installing DNS server CENSORED to /etc/resolv.conf
installing new virtual IP 2001:4d80:0:42:1501:240:0:2
received netlink error: Invalid argument (22)
unable to install source route for 2001:4d80:0:42:1501:240:0:2
CHILD_SA v6{1} established with SPIs cb1a9bab_i c439f9ad_o and TS 2001:4d80:0:42:1501:240:0:2/128 === ::/0
connection 'v6' established successfully
~ # echo $?
0

~ # ip -6 a s eth0
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2001:4d80:0:42:1501:240:0:2/128 scope global tentative deprecated dadfailed
valid_lft forever preferred_lft 0sec
inet6 2001:4d80:0:40:b889:86ff:fefb:fe51/64 scope global mngtmpaddr dynamic
valid_lft 2337495sec preferred_lft 350295sec
inet6 2001:4d80:0:40:a001::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::b889:86ff:fefb:fe51/64 scope link
valid_lft forever preferred_lft forever
~ # ip -6 r show table 220
[empty]
</pre>

- In 30% of cases it ends up with:
<pre>
authentication of 'bucharest-s15-i01.cg-dialup.net' with EAP successful
IKE_SA v6[6] established between 2001:4d80:0:40:b889:86ff:fefb:fe51[2001:4d80:0:40:b889:86ff:fefb:fe51]...2001:4d80:0:42:1501::1[bucharest-s15-i01.cg-dialup.net]
scheduling reauthentication in 9849s
maximum IKE_SA lifetime 10389s
installing DNS server CENSORED to /etc/resolv.conf
installing new virtual IP 2001:4d80:0:42:1501:240:0:2
CHILD_SA v6{6} established with SPIs ce41a7bc_i cf33d714_o and TS 2001:4d80:0:42:1501:240:0:2/128 === ::/0
received AUTH_LIFETIME of 10130s, scheduling reauthentication in 9590s
peer supports MOBIKE
connection 'v6' established successfully

~ # ip -6 a s eth0
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2001:4d80:0:42:1501:240:0:2/128 scope global deprecated
valid_lft forever preferred_lft 0sec
inet6 2001:4d80:0:40:b889:86ff:fefb:fe51/64 scope global mngtmpaddr dynamic
valid_lft 2337358sec preferred_lft 350158sec
inet6 2001:4d80:0:40:a001::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::b889:86ff:fefb:fe51/64 scope link
valid_lft forever preferred_lft forever
~ # ip -6 r show table 220
default via 2001:4d80:0:42:1501::1 dev eth0 proto static src 2001:4d80:0:42:1501:240:0:2 metric 1024 pref medium
</pre>
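A post-'ipsec up' check for the second problem described in the report, added here as an example that is not part of the report or of strongSwan: it verifies what the reporter had to inspect by hand, namely a default route in table 220 with the virtual IP as source and a virtual IP that is not tentative or dadfailed. The function names are my own, and the sample outputs are constructed from the two outcomes shown above.

```shell
#!/bin/sh
# Added example, not from the report or strongSwan. Checks the two things
# the reporter inspected by hand after 'ipsec up': a default route in
# table 220 with the virtual IP as source, and a virtual IP that passed DAD.
# Function names are my own. Samples below are constructed from the report.
VIP=2001:4d80:0:42:1501:240:0:2
EMPTY_TABLE=""   # the 70% outcome: 'ip -6 r show table 220' printed nothing
GOOD_TABLE="default via 2001:4d80:0:42:1501::1 dev eth0 proto static src $VIP metric 1024 pref medium"
BAD_ADDR="inet6 $VIP/128 scope global tentative deprecated dadfailed"
GOOD_ADDR="inet6 $VIP/128 scope global deprecated"

# vpn_route_ok ROUTE_OUTPUT VIP: 0 if a default route carrying 'src VIP' is present
vpn_route_ok() {
    printf '%s\n' "$1" | awk -v vip="$2" '
        $1 == "default" { for (i = 1; i <= NF; i++) if ($i == "src" && $(i + 1) == vip) found = 1 }
        END { exit found ? 0 : 1 }'
}

# vip_addr_ok ADDR_OUTPUT VIP: 0 if VIP is configured and neither tentative nor dadfailed
vip_addr_ok() {
    printf '%s\n' "$1" | awk -v vip="$2" '
        $1 == "inet6" && index($2, vip "/") == 1 {
            seen = 1
            for (i = 3; i <= NF; i++) if ($i == "tentative" || $i == "dadfailed") bad = 1
        }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# vpn_state_ok ROUTE_OUTPUT ADDR_OUTPUT VIP: both conditions, with the reason on stderr
vpn_state_ok() {
    vpn_route_ok "$1" "$3" || { echo "no default route via VPN for $3 in table 220" >&2; return 1; }
    vip_addr_ok "$2" "$3" || { echo "virtual IP $3 missing or failed DAD" >&2; return 1; }
}

# Live check (needs iproute2): run right after 'ipsec up', e.g. check_vpn_up "$VIP"
check_vpn_up() {
    vpn_state_ok "$(ip -6 route show table 220)" "$(ip -6 addr show)" "$1"
}
```

Calling check_vpn_up from whatever wraps 'ipsec up' gives the non-zero exit status the report says 'ipsec up' itself does not provide when the route is missing.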

