search

xelerance / Openswan

Openswan
Other
853 stars 214 forks source link

[Connection established successfully but no traffic] Openswan U2.6.42/K3.4-3 < Site to Site > strongSwan U5.3.3/K3.18.23 #226

Open Bubelbub opened 7 years ago

Bubelbub commented 7 years ago

Hey guys,

I extended my tests from small internal test system with same environments to a real environment with real machines. On the one site I have a OpenWRT router with UMTS Dongle (strongSwan U5.3.3/K3.18.23) and on the other site a IPCop router (Openswan U2.6.42/K3.4-3).

The local test works after @letoams helped me. Thanks again. https://github.com/xelerance/Openswan/issues/225

And now the basic connection work but the difference between Openswan and strongSwan seems a bit big.

Server log

00:35:58    pluto[22991]    | found connection: Clubnetwork
00:35:58    pluto[22991]    "Clubnetwork" #1: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
00:35:58    pluto[22991]    "Clubnetwork" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=oakley_sha group=modp1536}
00:35:58    pluto[22991]    "Clubnetwork" #1: new NAT mapping for #1, was 89.138.138.138:500, now 89.138.138.138:36810
00:35:58    pluto[22991]    "Clubnetwork" #1: IKEv2 mode peer ID is ID_FQDN: '@club.dyndns.org'
00:35:58    pluto[22991]    | CHILD SA proposals received
00:35:58    pluto[22991]    "Clubnetwork" #1: PAUL: this is where we have to check the TSi/TSr
00:35:58    pluto[22991]    | printing contents struct traffic_selector
00:35:58    pluto[22991]    | ts_type: IKEv2_TS_IPV4_ADDR_RANGE
00:35:58    pluto[22991]    | ipprotoid: 0
00:35:58    pluto[22991]    | startport: 0
00:35:58    pluto[22991]    | endport: 65535
00:35:58    pluto[22991]    | ip low: 172.16.1.0
00:35:58    pluto[22991]    | ip high: 172.16.1.255
00:35:58    pluto[22991]    | printing contents struct traffic_selector
00:35:58    pluto[22991]    | ts_type: IKEv2_TS_IPV4_ADDR_RANGE
00:35:58    pluto[22991]    | ipprotoid: 0
00:35:58    pluto[22991]    | startport: 0
00:35:58    pluto[22991]    | endport: 65535
00:35:58    pluto[22991]    | ip low: 192.168.1.0
00:35:58    pluto[22991]    | ip high: 192.168.1.255
00:35:58    ipsec   up-client
00:35:58    ipsec   prepare-client
00:35:58    ipsec   route-client
00:35:58    pluto[22991]    "Clubnetwork" #2: transition from state STATE_PARENT_R1 to state STATE_PARENT_R2
00:35:58    pluto[22991]    "Clubnetwork" #2: negotiated tunnel [172.16.1.0,172.16.1.255:0-65535 0] -> [192.168.1.0,192.168.1.255:0-65535 0]
00:35:58    pluto[22991]    "Clubnetwork" #2: STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {ESP=>0xc143ae5d <0x9f2e747b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=89.138.138.138:36810 DPD=none}
00:35:58    pluto[22991]    | releasing whack for #2 (sock=-1)
00:35:58    pluto[22991]    | releasing whack for #1 (sock=-1)
00:36:28    pluto[22991]    "Clubnetwork" #1: transition from state STATE_PARENT_R2 to state STATE_PARENT_R2
00:36:28    pluto[22991]    "Clubnetwork" #1: STATE_PARENT_R2: received v2I2, PARENT SA established
00:36:58    pluto[22991]    "Clubnetwork" #1: transition from state STATE_PARENT_R2 to state STATE_PARENT_R2
00:36:58    pluto[22991]    "Clubnetwork" #1: STATE_PARENT_R2: received v2I2, PARENT SA established
00:37:28    pluto[22991]    "Clubnetwork" #1: transition from state STATE_PARENT_R2 to state STATE_PARENT_R2
00:37:28    pluto[22991]    "Clubnetwork" #1: STATE_PARENT_R2: received v2I2, PARENT SA established
00:37:58    pluto[22991]    "Clubnetwork" #1: transition from state STATE_PARENT_R2 to state STATE_PARENT_R2
00:37:58    pluto[22991]    "Clubnetwork" #1: STATE_PARENT_R2: received v2I2, PARENT SA established
00:38:28    pluto[22991]    "Clubnetwork" #1: transition from state STATE_PARENT_R2 to state STATE_PARENT_R2
00:38:28    pluto[22991]    "Clubnetwork" #1: STATE_PARENT_R2: received v2I2, PARENT SA established
00:38:58    pluto[22991]    "Clubnetwork" #1: transition from state STATE_PARENT_R2 to state STATE_PARENT_R2
00:38:58    pluto[22991]    "Clubnetwork" #1: STATE_PARENT_R2: received v2I2, PARENT SA established
00:39:28    pluto[22991]    "Clubnetwork" #1: transition from state STATE_PARENT_R2 to state STATE_PARENT_R2
00:39:28    pluto[22991]    "Clubnetwork" #1: STATE_PARENT_R2: received v2I2, PARENT SA established
00:39:58    pluto[22991]    "Clubnetwork" #1: transition from state STATE_PARENT_R2 to state STATE_PARENT_R2
00:39:58    pluto[22991]    "Clubnetwork" #1: STATE_PARENT_R2: received v2I2, PARENT SA established

Client log

root@OpenWrt:~# ipsec start
no files found matching '/etc/strongswan.d/*.conf'
Starting strongSwan 5.3.3 IPsec [starter]...
root@OpenWrt:~# ipsec up Clubnetwork
no files found matching '/etc/strongswan.d/*.conf'
initiating IKE_SA Clubnetwork[1] to 144.76.76.76
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.1.1[500] to 144.76.76.76[500] (896 bytes)
received packet: from 144.76.76.76[500] to 192.168.1.1[500] (312 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V ]
received unknown vendor ID: 4f:53:57:51:62:4a:4a:4a:4a:4a:4a:4a
authentication of 'club.dyndns.org' (myself) with pre-shared key
establishing CHILD_SA Clubnetwork
generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.1.1[500] to 144.76.76.76[500] (508 bytes)
received packet: from 144.76.76.76[500] to 192.168.1.1[500] (220 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
authentication of 'server.dyndns.org' with pre-shared key successful
IKE_SA Clubnetwork[1] established between 192.168.1.1[club.dyndns.org]...144.76.76.76[server.dyndns.org]
scheduling reauthentication in 3011s
maximum IKE_SA lifetime 3551s
received netlink error: Network is unreachable (128)
unable to install source route for 192.168.1.1
received netlink error: Network is unreachable (128)
unable to install source route for 192.168.1.1
connection 'Clubnetwork' established successfully

As you can see: received netlink error: Network is unreachable (128)

Server status

root@router:~ # ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface wan-1/wan-1 144.76.76.76
000 interface wan-1/wan-1 144.76.76.76
000 interface lan-1/lan-1 172.16.1.254
000 interface lan-1/lan-1 172.16.1.254
000 interface tun0/tun0 10.45.158.1
000 interface tun0/tun0 10.45.158.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
000 - disallowed 2 subnets: 172.16.1.0/24, 192.168.1.0/24
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,36} trans={0,1,1176} attrs={0,1,1568}
000
000 "Clubnetwork": 172.16.1.0/24===144.76.76.76<server.dyndns.org>[@server.dyndns.org]...89.138.138.138<89.138.138.138>[@club.dyndns.org]===192.168.1.0/24; erouted; eroute owner: #2
000 "Clubnetwork":     myip=unset; hisip=unset; myup=/usr/local/bin/ipsecupdown.sh;
000 "Clubnetwork":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "Clubnetwork":   policy: PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: wan-1;
000 "Clubnetwork":   dpd: action:hold; delay:30; timeout:120;
000 "Clubnetwork":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "Clubnetwork":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2), AES_CBC(7)_128-MD5(1)_000-MODP1536(5), AES_CBC(7)_128-MD5(1)_000-MODP1024(2), 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2), 3DES_CBC(5)_000-MD5(1)_000-MODP1536(5), 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=-strict
000 "Clubnetwork":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5)AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)AES_CBC(7)_128-MD5(1)_128-MODP1536(5)AES_CBC(7)_128-MD5(1)_128-MODP1024(2)3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5)3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)3DES_CBC(5)_192-MD5(1)_128-MODP1536(5)3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "Clubnetwork":   IKE algorithm newest: _128-SHA1-MODP1536
000 "Clubnetwork":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000, AES(12)_128-MD5(1)_000, 3DES(3)_000-SHA1(2)_000, 3DES(3)_000-MD5(1)_000; flags=-strict
000 "Clubnetwork":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160, AES(12)_128-MD5(1)_128, 3DES(3)_192-SHA1(2)_160, 3DES(3)_192-MD5(1)_128
000 "Clubnetwork":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<N/A>
000
000 #2: "Clubnetwork":36810 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 27594s; newest IPSEC; eroute owner; nodpd; idle; import:respond to stranger
000 #1: "Clubnetwork":36810 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_REPLACE in 2664s; newest ISAKMP; nodpd; idle; import:respond to stranger
000

Client status

root@OpenWrt:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.23, mips):
  uptime: 14 minutes, since Jan 31 23:39:04 2017
  malloc: sbrk 139264, mmap 0, used 119856, free 19408
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Virtual IP pools (size/online/offline):
  172.16.1.254: 1/0/0
Listening IP addresses:
  192.168.1.1
  fd2a:932d:396b::1
  192.168.0.100
Connections:
Clubnetwork:  192.168.1.1...server.dyndns.org  IKEv1/2, dpddelay=30s
Clubnetwork:   local:  [club.dyndns.org] uses pre-shared key authentication
Clubnetwork:   remote: [server.dyndns.org] uses pre-shared key authentication
Clubnetwork:   child:  192.168.1.0/24 === 172.16.1.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
Clubnetwork[1]: ESTABLISHED 13 minutes ago, 192.168.1.1[club.dyndns.org]...144.76.76.76[server.dyndns.org]
Clubnetwork[1]: IKEv2 SPIs: 592e2b75823f467e_i* ae4d1c0090f82f0b_r, pre-shared key reauthentication in 36 minutes
Clubnetwork[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Clubnetwork{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c143ae5d_i 9f2e747b_o
Clubnetwork{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
Clubnetwork{1}:   192.168.1.0/24 === 172.16.1.0/24

Server ipsec.conf

# Do not modify 'ipsec.conf' directly since any changes you make will be
# overwritten whenever you change IPsec settings using the web interface!
#

version 2.0

config setup
    protostack=netkey
    klipsdebug="none"
    plutodebug="none"
    uniqueids=yes
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.16.1.0/255.255.255.0,%v4:!192.168.1.0/24

conn %default
    keyingtries=0
    disablearrivalcheck=no
    leftupdown=/usr/local/bin/ipsecupdown.sh

#
# net-2-net to RED
conn Clubnetwork
    left=server.dyndns.org
    leftsubnet=172.16.1.0/24
    right=89.204.138.213
    rightsubnet=192.168.1.0/24
    leftid="@server.dyndns.org"
    rightid="@club.dyndns.org"
    ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
    esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
    ikelifetime=1h
    keylife=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=hold
    pfs=no
    authby=secret
    auto=add

Client ipsec.conf

version 2.0

config setup
    uniqueids=yes

conn %default
    keyingtries=0

conn Clubnetwork
    right=server.dyndns.org
    rightsubnet=172.16.1.0/24
    rightid="@server.dyndns.org"
    rightsourceip=172.16.1.254
    left=192.168.1.1
    leftsubnet=192.168.1.0/24
    leftsourceip=192.168.1.1
    leftid="@club.dyndns.org"
    ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
    esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
    ikelifetime=1h
    keylife=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=start

I copied the configuration from server to client and changed right and left. Then on start I got a few "deprecated" warnings which I removed from the client configuration.

Is this maybe a problem because I can't forward ports on the UMTS dongle site? The server have opened IPSec ports - but the LTE Stick / UMTS Dongle is not able to have opened ports. But why the client says he is connected and the server said the client isn't connected?

Bubelbub commented 7 years ago

Tried with Fritz!Box 7430, too and same result. 👎