Hello,
I have just set up a VPN tunnel using this http://wiki.strongswan.org/projects/strongswan/wiki/FreeBSD and this http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/ site, compiled some options into the FreeBSD kernel, and used strongSwan 5, which I compiled and installed from source. The tunnel itself comes up, but no traffic is routed between the two networks. I want to find out why, but don't know where to start...
Here is my configuration, A = FreeBSD 9, B = Ubuntu Server (Kernel 3.2.0-34)
Server 'A'
I have just set up a VPN tunnel using this http://wiki.strongswan.org/projects/strongswan/wiki/FreeBSD and this http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/ site, compiled some options into the FreeBSD kernel, and used strongSwan 5, which I compiled and installed from source. The tunnel itself comes up, but no traffic is routed between the two networks. I want to find out why, but don't know where to start...
Here is my configuration, A = FreeBSD 9, B = Ubuntu Server (Kernel 3.2.0-34)
Server 'A'
Code:
[root@server /]# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=38db<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,POLLING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
ether 00:23:cd:b0:f3:74
inet 213.126.*.114 netmask 0xfffffff8 broadcast 213.126.*.119
inet6 fe80::223:cdff:feb0:f374%re0 prefixlen 64 scopeid 0x2
inet 213.126.*.115 netmask 0xffffffff broadcast 213.126.*.115
inet 213.126.*.116 netmask 0xffffffff broadcast 213.126.*.116
inet 213.126.*.117 netmask 0xffffffff broadcast 213.126.*.117
inet 213.126.*.118 netmask 0xffffffff broadcast 213.126.*.118
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect <flowcontrol> (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
status: active
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=38db<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,POLLING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
ether 00:23:cd:b0:ba:d8
inet 192.168.0.1 netmask 0xffffffe0 broadcast 192.168.0.31
inet6 fe80::223:cdff:feb0:bad8%re1 prefixlen 64 scopeid 0x3
inet6 2001:838:*::1 prefixlen 64
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect <flowcontrol> (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
status: active
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33152
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
enc0: flags=0<> metric 0 mtu 1536
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 213.126.*.114 --> 213.197.*.252
inet6 fe80::223:cdff:feb0:f374%gif0 prefixlen 64 scopeid 0x8
inet6 2001:838:300:2fc::2 --> 2001:838:300:2fc::1 prefixlen 128
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
options=1<ACCEPT_REV_ETHIP_VER>
[root@server /]#
Code:
[root@server /usr/local/etc]# cat ipsec.conf
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev2
mobike=no
conn net-net
left=*redacted*
leftsubnet=192.168.0.0/27
leftid=@*redacted*
right=*redacted*
rightid=@*redacted*
rightsubnet=10.0.0.0/27
auto=start
[root@server /usr/local/etc]#
Code:
[root@server /usr/local/etc]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.2dr3, FreeBSD 9.0-RELEASE-p4, amd64):
uptime: 42 minutes, since Dec 03 16:04:31 2012
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown xauth-generic
Listening IP addresses:
213.126.*.114
213.126.*.115
213.126.*.116
213.126.*.117
213.126.*.118
Connections:
net-net: *redacted*.. *redacted* IKEv2
net-net: local: [ uses pre-shared key authentication
net-net: remote: [backup.] uses pre-shared key authentication
net-net: child: 192.168.0.0/27 === 10.0.0.0/27 TUNNEL
Security Associations (1 up, 0 connecting):
net-net[1]: ESTABLISHED 42 minutes ago, 213.126.17.118[server....94.211.*.88[backup.]
net-net[1]: IKEv2 SPIs: 51662cb6e2d4aaf1_i* 76924e7538f4ead2_r, pre-shared key reauthentication in 10 minutes
net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: c7465dd5_i c05e7ee0_o
net-net{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 2368 bytes_o (165s ago), rekeying in 63 seconds
net-net{1}: 192.168.0.0/27 === 10.0.0.0/27
[root@server /usr/local/etc]#
Code:
[root@server /usr/local/etc]# cat strongswan.conf
charon {
interfaces_use = re0
#load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke socket-default kernel-pfroute updown
multiple_authentication = no
}
[root@server /usr/local/etc]#
Code:
[root@server /usr/local/etc]# netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default router UGS 0 5077159 re0
localhost link#6 UH 0 325991 lo0
192.168.0.0/27 link#3 U 0 23826129 re1
mainserver link#3 UHS 0 2815 lo0
213.126.*.112/29 link#2 U 0 0 re0
server link#2 UHS 0 811 lo0
mail link#2 UHS 0 3962 lo0 =>
213.126.*.115/32 link#2 U 0 0 re0
ftp link#2 UHS 0 0 lo0 =>
213.126.*.116/32 link#2 U 0 0 re0
www link#2 UHS 0 1952 lo0 =>
213.126.*.117/32 link#2 U 0 0 re0
proxy link#2 UHS 0 3 lo0 =>
213.126.*.118/32 link#2 U 0 0 re0
Internet6:
Destination Gateway Flags Netif Expire
:: localhost.localdom UGRS lo0 =>
default gw-765.ams-01.nl.s UGS gif0
localhost.localdom localhost.localdom UH lo0
::ffff:0.0.0.0 localhost.localdom UGRS lo0
gw-765.ams-01.nl.s cl-765.ams-01.nl.s UH gif0
cl-765.ams-01.nl.s link#8 UHS lo0
2001:838:*:: link#3 U re1
ipv6int.redacted link#3 UHS lo0
fe80:: localhost.localdom UGRS lo0
fe80::%re0 link#2 U re0
fe80::223:cdff:feb link#2 UHS lo0
fe80::%re1 link#3 U re1
fe80::223:*:feb link#3 UHS lo0
fe80::%lo0 link#6 U lo0
fe80::1%lo0 link#6 UHS lo0
fe80::%gif0 link#8 U gif0
fe80::223:*:feb link#8 UHS lo0
ff01::%re0 fe80::223:*:feb U re0
ff01::%re1 fe80::223:*:feb U re1
ff01::%lo0 localhost.localdom U lo0
ff01::%gif0 fe80::223:*:feb U gif0
ff02:: localhost.localdom UGRS lo0
ff02::%re0 fe80::223:cdff:feb U re0
ff02::%re1 fe80::223:cdff:feb U re1
ff02::%lo0 localhost.localdom U lo0
ff02::%gif0 fe80::223:cdff:feb U gif0
[root@server /usr/local/etc]#
Code:
[root@server /]# ping -c 3 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
--- 10.0.0.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
[root@server /]#