
Bug #294

Updated by Tobias Brunner over 6 years ago

I can reproduce this on Ubuntu 12.04 (but with the package backported from 12.10, since the 12.04 strongswan is broken), 12.10 and Gentoo clients, with versions 4.5.2 and 5.0.2. First things first: the server configuration:

Debian wheezy with strongswan 4.5.2-1.5

ipsec.conf

<pre>
conn %default
leftid=@<hidden>
leftsubnet=<some private and public subnet>
leftauth=pubkey
leftcert=gwCert.der
rightsourceip=10.100.44.128/26
right=%any

conn linux-win7
keyexchange=ikev2
esp=aes256-sha1!
dpdaction=clear
dpddelay=300s
left=%any
# Windows 7 does not like a VPN gateway to take the initiative.
rekey=no
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
auto=add
</pre>


Clients are using the NetworkManager strongSwan plugin to connect. I checked "Request an inner IP address", otherwise the connection fails.

ip addr show *before* connecting to the VPN

<pre>
root@ubuntults-virt:~# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:3b:7b:24 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.187/24 brd 192.168.122.255 scope global eth0
inet6 fe80::5054:ff:fe3b:7b24/64 scope link
valid_lft forever preferred_lft forever
</pre>


I connect to the VPN and this is a snippet from the syslog, the part which looks suspect to me.

<pre>
Feb 22 11:30:36 ubuntults-virt NetworkManager[703]: <info> VPN Gateway: 0.0.0.0
Feb 22 11:30:36 ubuntults-virt NetworkManager[703]: <info> Tunnel Device: lo
Feb 22 11:30:36 ubuntults-virt NetworkManager[703]: <info> Internal IP4 Address: 192.168.122.187
Feb 22 11:30:36 ubuntults-virt NetworkManager[703]: <info> Internal IP4 Prefix: 32
Feb 22 11:30:36 ubuntults-virt NetworkManager[703]: <info> Internal IP4 Point-to-Point Address: 0.0.0.0
Feb 22 11:30:36 ubuntults-virt NetworkManager[703]: <info> Maximum Segment Size (MSS): 0
Feb 22 11:30:36 ubuntults-virt NetworkManager[703]: <info> Forbid Default Route: no
Feb 22 11:30:36 ubuntults-virt NetworkManager[703]: <info> Internal IP4 DNS: 10.100.2.254
Feb 22 11:30:36 ubuntults-virt NetworkManager[703]: <info> DNS Domain: '(none)'
Feb 22 11:30:36 ubuntults-virt charon: 14[IKE] peer supports MOBIKE
Feb 22 11:30:37 ubuntults-virt NetworkManager[703]: <info> DNS: starting dnsmasq...
Feb 22 11:30:37 ubuntults-virt dnsmasq[1077]: exiting on receipt of SIGTERM
Feb 22 11:30:37 ubuntults-virt NetworkManager[703]: <info> VPN connection 'cerbero enrico' (IP Config Get) complete.
</pre>


Those 0.0.0.0 look no less than odd.

ip addr show after the connection

<pre>
root@ubuntults-virt:~# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 192.168.122.187/32 brd 192.168.122.187 scope global lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:3b:7b:24 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.187/24 brd 192.168.122.255 scope global eth0
inet 10.100.44.129/32 scope global eth0
inet6 fe80::5054:ff:fe3b:7b24/64 scope link
valid_lft forever preferred_lft forever
</pre>


The loopback interface IP is changed and all the services depending on the loopback interface are gone. This is a very major problem, and on Ubuntu DNS is served from 127.0.0.1 since the dnsmasq dynamic DNS NetworkManager plugin is enabled by default.

When the VPN is disconnected the loopback IP is not restored:

<pre>
root@ubuntults-virt:~# ip addr show
1: lo: <LOOPBACK> mtu 16436 qdisc noqueue state DOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:3b:7b:24 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.187/24 brd 192.168.122.255 scope global eth0
inet6 fe80::5054:ff:fe3b:7b24/64 scope link
valid_lft forever preferred_lft forever
</pre>


If you need more logs, just ask.
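An added check, not part of this report or of strongSwan/NetworkManager, that parses the syslog lines and the `ip addr show` output quoted above and flags the symptoms described: a tunnel device of `lo`, a 0.0.0.0 gateway, an "inner" address that is really an existing local address, and the loss of 127.0.0.1/8 on loopback. The sample inputs are constructed from the report.

```python
import re
# Constructed samples copied from the report: NetworkManager's VPN IP-config
# lines and "ip addr show" output before and after connecting.
NM_LOG = """\
Feb 22 11:30:36 ubuntults-virt NetworkManager[703]: <info> VPN Gateway: 0.0.0.0
Feb 22 11:30:36 ubuntults-virt NetworkManager[703]: <info> Tunnel Device: lo
Feb 22 11:30:36 ubuntults-virt NetworkManager[703]: <info> Internal IP4 Address: 192.168.122.187
Feb 22 11:30:36 ubuntults-virt charon: 14[IKE] peer supports MOBIKE
"""
IP_BEFORE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.168.122.187/24 brd 192.168.122.255 scope global eth0
"""
IP_AFTER = IP_BEFORE.replace("inet 127.0.0.1/8 scope host lo",
                             "inet 192.168.122.187/32 brd 192.168.122.187 scope global lo")

NM_RE = re.compile(r"NetworkManager\[\d+\]: <info> ([^:]+): (.*)$")

def parse_nm_vpn_config(log):
    """Collect the 'Key: value' lines NetworkManager logs for a VPN IP config."""
    return {m.group(1): m.group(2).strip()
            for m in (NM_RE.search(l) for l in log.splitlines()) if m}

def inet_addrs(ip_output):
    """Map interface name -> IPv4 'addr/prefix' entries from 'ip addr show' text."""
    addrs, iface = {}, None
    for line in ip_output.splitlines():
        head = re.match(r"^\d+: (\S+):", line)
        inet = re.match(r"^\s*inet (\S+)", line)   # 'inet ' only, not 'inet6'
        if head:
            iface = head.group(1)
            addrs.setdefault(iface, [])
        elif inet and iface:
            addrs[iface].append(inet.group(1))
    return addrs

def loopback_intact(ip_output):
    """True if lo still carries 127.0.0.1/8, the address the report shows being lost."""
    return "127.0.0.1/8" in inet_addrs(ip_output).get("lo", [])

def audit_vpn_config(cfg, ip_output):
    """Flag an IP config that would make NetworkManager reconfigure loopback."""
    findings = []
    if cfg.get("Tunnel Device") == "lo":
        findings.append("Tunnel Device is lo: the VPN address will be put on loopback")
    if cfg.get("VPN Gateway") == "0.0.0.0":
        findings.append("VPN Gateway is 0.0.0.0: no peer address in the config")
    addr = cfg.get("Internal IP4 Address")
    local = {a.split("/")[0] for i, l in inet_addrs(ip_output).items() if i != "lo" for a in l}
    if addr in local:
        findings.append(f"Internal IP4 Address {addr} is an existing local address, not a virtual IP")
    return findings
```

Running `audit_vpn_config(parse_nm_vpn_config(NM_LOG), IP_BEFORE)` on the report's data yields all three findings, and `loopback_intact(IP_AFTER)` is false.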
