LibreSWAN remote access connection not replacing source IP

sawozny
Posts: 47
Joined: 2019/07/13 22:19:14

Post by sawozny » 2020/10/01 17:03:10

I posted this to the LibreSWAN list, but haven't heard anything back so I thought I'd see if anyone here has any suggestions.

--------------------------

In doing testing, I’ve got a successful site-to-site tunnel up and running and now I’m testing a remote access connection. I used the config examples from the wiki, but I’ve needed to make some modifications for my environment and it’s not working quite right. I’ve made a successful connection from the client to the remote access tunnel terminator, but the problem is my rightaddresspool addresses are not being applied to the remote access connection. I can see this by watching the external interface on the VPN server.

When I do a successful ping across the S2S tunnel, I can see the inbound encrypted packet and then after the ip transform I can see the inbound decrypted packet. I can’t see the cleartext return packet because I’m not watching the internal interface, but I can see the return encrypted packet.

Code:

[sawozny@vpnnj ~]$ sudo tcpdump -n -i ens8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens8, link-type EN10MB (Ethernet), capture size 262144 bytes
01:52:23.529182 IP 172.16.1.10.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0x3ab6796e,seq=0x1), length 120
01:52:23.529182 IP 10.1.7.2 > 10.1.4.2: ICMP echo request, id 14891, seq 1, length 64
01:52:23.532210 IP 10.1.2.2.ipsecnatt > 172.16.1.10.ipsecnatt: UDP-encap: ESP(spi=0x1417f33a,seq=0x1), length 120
01:52:24.528970 IP 172.16.1.10.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0x3ab6796e,seq=0x2), length 120
01:52:24.528970 IP 10.1.7.2 > 10.1.4.2: ICMP echo request, id 14891, seq 2, length 64
01:52:24.531468 IP 10.1.2.2.ipsecnatt > 172.16.1.10.ipsecnatt: UDP-encap: ESP(spi=0x1417f33a,seq=0x2), length 120
01:52:25.530583 IP 172.16.1.10.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0x3ab6796e,seq=0x3), length 120
01:52:25.530583 IP 10.1.7.2 > 10.1.4.2: ICMP echo request, id 14891, seq 3, length 64
01:52:25.533075 IP 10.1.2.2.ipsecnatt > 172.16.1.10.ipsecnatt: UDP-encap: ESP(spi=0x1417f33a,seq=0x3), length 120
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel

However, when I try a ping from the remote access machine, I can see the encrypted packet come in but after the IP transform when it gets sent back through the stack, the SIP has not been changed to a pool address and that’s a problem because I need this remote access structure to use specific source IPs once the packets get into this environment (firewall purposes, etc.).

Code:

[sawozny@vpnnj ~]$ sudo tcpdump -n -i ens8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens8, link-type EN10MB (Ethernet), capture size 262144 bytes
01:51:09.725555 IP 172.16.1.17.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0xfa8118fe,seq=0x7), length 120
01:51:09.725555 IP 172.16.1.17 > 10.1.4.2: ICMP echo request, id 3393, seq 1, length 64
01:51:10.723563 IP 172.16.1.17.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0xfa8118fe,seq=0x8), length 120
01:51:10.723563 IP 172.16.1.17 > 10.1.4.2: ICMP echo request, id 3393, seq 2, length 64
01:51:11.723351 IP 172.16.1.17.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0xfa8118fe,seq=0x9), length 120
01:51:11.723351 IP 172.16.1.17 > 10.1.4.2: ICMP echo request, id 3393, seq 3, length 64
01:51:12.723375 IP 172.16.1.17.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0xfa8118fe,seq=0xa), length 120
01:51:12.723375 IP 172.16.1.17 > 10.1.4.2: ICMP echo request, id 3393, seq 4, length 64
01:51:14.722554 ARP, Request who-has 10.1.2.2 tell 10.1.2.1, length 46
01:51:14.722615 ARP, Reply 10.1.2.2 is-at 52:54:00:08:e7:33, length 28
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel

So can anyone suggest what I might have done wrong or how I can turn up logging to debug this?

Here is the ipsec status, connection config file and ip addressing output of the VPN server. I’ve not included the cert stuff because the tunnel is coming up OK (wanted to set the remote auto to start, but found out that’s a bug with the version I’m using and am bringing it up myself) so I don’t think this is a keying problem.

Code:

[sawozny@vpnnj ~]$ sudo ipsec status
000 using kernel interface: netkey
000 interface ens8/ens8 10.1.2.2@4500
000 interface ens8/ens8 10.1.2.2@500
000
000
000 fips mode=disabled;
000 SElinux=enabled
000 seccomp=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.25, pluto_vendorid=OE-Libreswan-3.25
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=10.1.2.2, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 secctx-attr-type=32001
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=23, name=ESP_NULL_AUTH_AES_GMAC, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=250, name=AUTH_ALGORITHM_AES_CMAC_96, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH22, bits=1024
000 algorithm IKE DH Key Exchange: name=DH23, bits=2048
000 algorithm IKE DH Key Exchange: name=DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "intersitetunnel": 10.1.4.0/24===10.1.2.2<10.1.2.2>[@vpnnj]...172.16.1.10<172.16.1.10>[@vpnca]===10.1.7.0/24; erouted; eroute owner: #2
000 "intersitetunnel": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "intersitetunnel": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "intersitetunnel": our auth:rsasig, their auth:rsasig
000 "intersitetunnel": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "intersitetunnel": labeled_ipsec:no;
000 "intersitetunnel": policy_label:unset;
000 "intersitetunnel": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "intersitetunnel": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "intersitetunnel": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "intersitetunnel": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "intersitetunnel": conn_prio: 24,24; interface: ens8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "intersitetunnel": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "intersitetunnel": our idtype: ID_FQDN; our id=@vpnnj; their idtype: ID_FQDN; their id=@vpnca
000 "intersitetunnel": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "intersitetunnel": newest ISAKMP SA: #9; newest IPsec SA: #2;
000 "intersitetunnel": IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-MODP2048
000 "intersitetunnel": ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<Phase1>
000 "remoteaccess": 10.1.4.0/24===10.1.2.2<10.1.2.2>[@vpnnj,MS+XS+S=C]...%any[+MC+XC+S=C]; unrouted; eroute owner: #0
000 "remoteaccess": oriented; my_ip=unset; their_ip=unset; mycert=vpnnj; my_updown=ipsec _updown;
000 "remoteaccess": xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "remoteaccess": our auth:rsasig, their auth:rsasig
000 "remoteaccess": modecfg info: us:server, them:client, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "remoteaccess": labeled_ipsec:no;
000 "remoteaccess": policy_label:unset;
000 "remoteaccess": CAs: 'CN=vpnnj CA, O=CompanyName'...'%any'
000 "remoteaccess": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "remoteaccess": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "remoteaccess": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "remoteaccess": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONT_REKEY+XAUTH+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "remoteaccess": conn_prio: 24,32; interface: ens8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "remoteaccess": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "remoteaccess": our idtype: ID_FQDN; our id=@vpnnj; their idtype: %none; their id=(none)
000 "remoteaccess": dpd: action:clear; delay:540; timeout:1200; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "remoteaccess": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "remoteaccess"[2]: 10.1.4.0/24===10.1.2.2<10.1.2.2>[@vpnnj,MS+XS+S=C]...172.16.1.17[CN=sawozny-nj.vpnnj, O=CompanyName,+MC+XC+S=C]; erouted; eroute owner: #4
000 "remoteaccess"[2]: oriented; my_ip=unset; their_ip=unset; mycert=vpnnj; my_updown=ipsec _updown;
000 "remoteaccess"[2]: xauth us:server, xauth them:client, xauthby:file; my_username=[any]; their_username=[any]
000 "remoteaccess"[2]: our auth:rsasig, their auth:rsasig
000 "remoteaccess"[2]: modecfg info: us:server, them:client, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "remoteaccess"[2]: labeled_ipsec:no;
000 "remoteaccess"[2]: policy_label:unset;
000 "remoteaccess"[2]: CAs: 'CN=vpnnj CA, O=CompanyName'...'%any'
000 "remoteaccess"[2]: ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "remoteaccess"[2]: retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "remoteaccess"[2]: initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "remoteaccess"[2]: policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONT_REKEY+XAUTH+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "remoteaccess"[2]: conn_prio: 24,32; interface: ens8; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "remoteaccess"[2]: nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "remoteaccess"[2]: our idtype: ID_FQDN; our id=@vpnnj; their idtype: ID_DER_ASN1_DN; their id=CN=sawozny-nj.vpnnj, O=CompanyName
000 "remoteaccess"[2]: dpd: action:clear; delay:540; timeout:1200; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "remoteaccess"[2]: newest ISAKMP SA: #10; newest IPsec SA: #4;
000 "remoteaccess"[2]: IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-MODP2048
000 "remoteaccess"[2]: ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 3, active 2
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(2), half-open(0), open(0), authenticated(2), anonymous(0)
000 IPsec SAs: total(2), authenticated(2), anonymous(0)
000
000 #2: "intersitetunnel":4500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REPLACE in 17843s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate
000 #2: "intersitetunnel" esp.1417f33a@172.16.1.10 esp.3ab6796e@10.1.2.2 tun.0@172.16.1.10 tun.0@10.1.2.2 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=0B
000 #9: "intersitetunnel":4500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1211s; newest ISAKMP; idle; import:admin initiate
000 #4: "remoteaccess"[2] 172.16.1.17:4500 STATE_V2_IPSEC_R (IPsec SA established); EVENT_SA_EXPIRE in 18544s; newest IPSEC; eroute owner; isakmp#10; idle; import:respond to stranger
000 #4: "remoteaccess"[2] 172.16.1.17 esp.40ae207@172.16.1.17 esp.fa8118fe@10.1.2.2 tun.0@172.16.1.17 tun.0@10.1.2.2 ref=0 refhim=0 Traffic: ESPin=336B ESPout=0B! ESPmax=0B
000 #10: "remoteaccess"[2] 172.16.1.17:4500 STATE_PARENT_R2 (received v2I2, PARENT SA established); EVENT_SA_EXPIRE in 1639s; newest ISAKMP; idle; import:respond to stranger
000
000 Bare Shunt list:
000
[sawozny@vpnnj ~]$ sudo cat /etc/ipsec.d/remoteaccess.conf
# /etc/ipsec.d/remoteaccess.conf

conn remoteaccess
        left=10.1.2.2
        leftid=@vpnnj
        leftsubnet=10.1.4.0/24
        leftcert=vpnnj
        leftrsasigkey=%cert
        leftsendcert=always
        leftxauthserver=yes
        right=%any
        rightaddresspool=10.1.3.64-10.1.3.127
        rightrsasigkey=%cert
        rightxauthclient=yes
        authby=rsasig
        ikev2=insist
        rekey=no
        dpddelay=9m
        dpdtimeout=20m
        dpdaction=clear
        auto=add
[sawozny@vpnnj ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:3a:21:54 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.214/24 brd 192.168.1.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
3: ens8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:08:e7:33 brd ff:ff:ff:ff:ff:ff
inet 10.1.2.2/24 brd 10.1.2.255 scope global noprefixroute ens8
valid_lft forever preferred_lft forever
4: ens9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:25:80:a5 brd ff:ff:ff:ff:ff:ff
inet 10.1.3.2/24 brd 10.1.3.255 scope global noprefixroute ens9
valid_lft forever preferred_lft forever
5: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
[sawozny@vpnnj ~]$

And the same for the client:

Code:

[sawozny@ntp2 ~]$ sudo ipsec status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1@4500
000 interface lo/lo 127.0.0.1@500
000 interface eth0/eth0 172.16.1.17@4500
000 interface eth0/eth0 172.16.1.17@500
000
000
000 fips mode=disabled;
000 SElinux=enabled
000 seccomp=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.25, pluto_vendorid=OE-Libreswan-3.25
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 secctx-attr-type=32001
000 debug:
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=23, name=ESP_NULL_AUTH_AES_GMAC, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=250, name=AUTH_ALGORITHM_AES_CMAC_96, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH22, bits=1024
000 algorithm IKE DH Key Exchange: name=DH23, bits=2048
000 algorithm IKE DH Key Exchange: name=DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "vpnnj": 172.16.1.17[CN=sawozny-nj.vpnnj, O=CompanyName,+XC+S=C]---172.16.1.254...172.16.1.2<vpnnj>[@vpnnj,+XS+S=C]===10.1.4.0/24; erouted; eroute owner: #2
000 "vpnnj": oriented; my_ip=unset; their_ip=unset; mycert=sawozny-nj.vpnnj; my_updown=ipsec _updown;
000 "vpnnj": xauth us:client, xauth them:server, my_username=[any]; their_username=[any]
000 "vpnnj": our auth:rsasig, their auth:rsasig
000 "vpnnj": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "vpnnj": labeled_ipsec:no;
000 "vpnnj": policy_label:unset;
000 "vpnnj": CAs: 'CN=vpnnj CA, O=CompanyName'...'%any'
000 "vpnnj": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "vpnnj": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "vpnnj": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "vpnnj": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+XAUTH+IKEV2_ALLOW+IKEV2_PROPOSE+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO;
000 "vpnnj": conn_prio: 32,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "vpnnj": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "vpnnj": our idtype: ID_DER_ASN1_DN; our id=CN=sawozny-nj.vpnnj, O=CompanyName; their idtype: ID_FQDN; their id=@vpnnj
000 "vpnnj": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "vpnnj": newest ISAKMP SA: #5; newest IPsec SA: #2;
000 "vpnnj": IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-MODP2048
000 "vpnnj": ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=<Phase1>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #2: "vpnnj":4500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REPLACE in 17869s; newest IPSEC; eroute owner; isakmp#5; idle; import:admin initiate
000 #2: "vpnnj" esp.fa8118fe@172.16.1.2 esp.40ae207@172.16.1.17 tun.0@172.16.1.2 tun.0@172.16.1.17 ref=0 refhim=0 Traffic: ESPin=0B ESPout=336B! ESPmax=0B
000 #5: "vpnnj":4500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 1237s; newest ISAKMP; idle; import:admin initiate
000
000 Bare Shunt list:
000
[sawozny@ntp2 ~]$ sudo cat /etc/ipsec.d/vpnnj.conf
# /etc/ipsec.d/vpnnj.conf

conn vpnnj
        left=%defaultroute
        leftid=%fromcert
        leftcert=sawozny-nj.vpnnj
        leftrsasigkey=%cert
        leftxauthclient=yes
        right=vpnnj
        rightid=@vpnnj
        rightsubnet=10.1.4.0/24
        rightrsasigkey=%cert
        rightxauthserver=yes
        ikev2=insist
        rekey=yes
        mobike=yes
        auto=add
[sawozny@ntp2 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:d1:6e:ec brd ff:ff:ff:ff:ff:ff
inet 172.16.1.17/24 brd 172.16.1.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
[sawozny@ntp2 ~]$

Any suggestions on how to troubleshoot this (or if you can see I’ve done something obviously wrong) would be appreciated.

Thanks,

Scott
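As an added example (not from the post, and not Libreswan's own code), a small Python checker for exactly the condition the capture above exposes: it reads `tcpdump -n` text from the terminator's external interface, pairs each inbound ESP packet with the decrypted packet that follows it (same timestamp, as netkey prints them), and checks the inner source against what that SA is allowed to carry. The SPI-to-connection table, the site-to-site peer subnet 10.1.7.0/24 and the rightaddresspool are taken from the `ipsec status` and config output above; the packet lines are copied from the post as constructed sample input.

```python
"""Added example: audit decrypted IPsec traffic against the inner source each SA
should carry.  Reads `tcpdump -n` text from the VPN terminator's external
interface; with the netkey/XFRM stack each inbound ESP packet is printed and
then its decrypted inner packet, both with the same timestamp."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches the ESP line (UDP-encapsulated as in the post, or plain ESP).
ESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\w+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\w+)?: (?:UDP-encap: )?"
    r"ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x[0-9a-f]+\)")
# Matches a plain IP packet line (the decrypted inner packet).
INNER_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): ")


@dataclass
class Finding:
    conn: Optional[str]   # connection owning the inbound SPI, None if unknown
    spi: int
    inner_src: str
    inner_dst: str
    ok: bool              # True if inner_src is inside the SA's allowed set


def pool_networks(spec: str) -> List[ipaddress.IPv4Network]:
    """Expand a libreswan addresspool range ('lo-hi') into CIDR networks."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
    return list(ipaddress.summarize_address_range(lo, hi))


def audit_inner_sources(lines, expected: Dict[int, Tuple[str, list]],
                        local_addr: str) -> List[Finding]:
    """Pair each inbound ESP packet with the decrypted packet that follows it
    and check the inner source against the allowed networks for that SPI."""
    findings: List[Finding] = []
    pending: Optional[Tuple[str, int]] = None   # (timestamp, spi) awaiting its inner packet
    for line in lines:
        m = ESP_RE.match(line)
        if m:
            # Only SAs terminating on this host are decrypted here; outbound ESP
            # is the already-encrypted reply and has no inner packet after it.
            pending = (m["ts"], int(m["spi"], 16)) if m["dst"] == local_addr else None
            continue
        m = INNER_RE.match(line)
        if m and pending is not None and m["ts"] == pending[0]:
            _, spi = pending
            pending = None
            conn, allowed = expected.get(spi, (None, []))
            src = ipaddress.ip_address(m["src"])
            findings.append(Finding(conn, spi, str(src), m["dst"],
                                    any(src in net for net in allowed)))
    return findings


# Inbound SPI -> (connection, networks the inner source may come from), taken
# from the `ipsec status` and config output in the post (esp.<spi>@10.1.2.2).
EXPECTED_INNER_SRC = {
    0x3ab6796e: ("intersitetunnel", [ipaddress.ip_network("10.1.7.0/24")]),
    0xfa8118fe: ("remoteaccess", pool_networks("10.1.3.64-10.1.3.127")),
}

# Constructed sample input: packet lines copied from the two captures in the post.
SAMPLE_CAPTURE = """\
listening on ens8, link-type EN10MB (Ethernet), capture size 262144 bytes
01:52:23.529182 IP 172.16.1.10.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0x3ab6796e,seq=0x1), length 120
01:52:23.529182 IP 10.1.7.2 > 10.1.4.2: ICMP echo request, id 14891, seq 1, length 64
01:52:23.532210 IP 10.1.2.2.ipsecnatt > 172.16.1.10.ipsecnatt: UDP-encap: ESP(spi=0x1417f33a,seq=0x1), length 120
01:52:24.528970 IP 172.16.1.10.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0x3ab6796e,seq=0x2), length 120
01:52:24.528970 IP 10.1.7.2 > 10.1.4.2: ICMP echo request, id 14891, seq 2, length 64
01:51:09.725555 IP 172.16.1.17.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0xfa8118fe,seq=0x7), length 120
01:51:09.725555 IP 172.16.1.17 > 10.1.4.2: ICMP echo request, id 3393, seq 1, length 64
01:51:10.723563 IP 172.16.1.17.ipsecnatt > 10.1.2.2.ipsecnatt: UDP-encap: ESP(spi=0xfa8118fe,seq=0x8), length 120
01:51:10.723563 IP 172.16.1.17 > 10.1.4.2: ICMP echo request, id 3393, seq 2, length 64
01:51:14.722554 ARP, Request who-has 10.1.2.2 tell 10.1.2.1, length 46
""".splitlines()

if __name__ == "__main__":
    for f in audit_inner_sources(SAMPLE_CAPTURE, EXPECTED_INNER_SRC, "10.1.2.2"):
        print(f"{'OK ' if f.ok else 'BAD'} {f.conn} spi=0x{f.spi:x} inner_src={f.inner_src}")
```

Run against the post's captures it reports the site-to-site packets as OK and flags every remote-access packet, whose inner source is still the client's own 172.16.1.17 rather than an address from 10.1.3.64/26; the same check fed from a live capture gives a firewall-side test that the pool is actually being applied.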


Return to “CentOS 7 - Networking Support”