  1. #1 | Just Joined! | Join Date: Sep 2008 | Posts: 6

    VPN IPSEC issue....


    Hi there,

    I have a problem with 2 boxes under Debian Lenny:

    g-star# dpkg -l | grep linux-image
    ii linux-image-2.6-686 2.6.26+16 Linux 2.6 image on PPro/Celeron/PII/PIII/P4
    ii linux-image-2.6.26-1-686 2.6.26-4 Linux 2.6.26 image on PPro/Celeron/PII/PIII/
    g-star#

    One of these boxes (I'll call it M2) is a virtual machine under VMware, bridged with my network card.
    The other one, M1, is a real PC.

    - I installed an IPsec VPN (strongSwan) between both.

    - As I don't want to use their IP addresses, I assigned them virtual IPv6 addresses:

    for M1 : ip -6 route add 2a01:e0b:1:1::/32 dev eth0
    for M2 : ip -6 route add 2a01:e0b:2:2::/64 dev eth0

    Here is a part of ipsec.conf for M1:
    ...
    leftsourceip=2a01:e0b:1:1:1:1:1:1
    leftsubnet=2a01:e0b:1:1::/32
    rightfirewall=yes
    right=%any
    rightsubnetwithin=2a01:e0b:2:2::/64
    rightsourceip=2a01:e0b:2:2:2:2:2:2
    ...

    and for M2:
    ...
    leftsubnet=2a01:e0b:2:2::/64
    leftsourceip=2a01:e0b:2:2:2:2:2:2
    right=10.194.3.173
    rightfirewall=yes
    rightsubnet=2a01:e0b:1:1::/32
    ...

    Then I launch the VPN: ipsec start --debug --nofork

    The connection comes up fine.

    But when I bring up the VPN and do a ping6 2a01:e0b:2:2:2:2:2:2 on M1,
    ping does not work,
    and if I do a tcpdump -ni eth0 at the same time, nothing happens.
    Same if I do tcpdump -ni lo and restart the VPN: I see no ESP packets...

    Here is the log of the VPN connection during initialization; it seems to be fine, but at the bottom I have a curious error message:

    ...
    Using Linux 2.6 IPsec interface code
    | pluto (22752) started
    | Attempting to start charon...
    01[DMN] starting charon (strongSwan Version 4.2.4)
    01[KNL] listening on interfaces:
    01[KNL] eth0
    01[KNL] 10.194.3.173
    01[KNL] 2a01:e0b:1:1:1:1:1:1
    01[KNL] fe80::21a:64ff:fe99:6928
    01[KNL] eth1
    01[KNL] fe80::21a:64ff:fe99:692a
    01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/cacert.pem'
    01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
    01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
    01[CFG] loading crls from '/etc/ipsec.d/crls'
    01[CFG] loading secrets from '/etc/ipsec.secrets'
    01[CFG] loaded private key file '/etc/ipsec.d/private/ims2.warly.org.key'
    01[JOB] spawning 16 worker threads
    | charon (22755) started
    03[CFG] received stroke: add connection 'rw4'
    03[LIB] loaded certificate file '/etc/ipsec.d/certs/ims2.warly.org.pem'
    03[CFG] peerid C=FR, ST=France, O=Warly, OU=ims2, CN=ims2.warly.org, E=warly@warly.org not confirmed by certificate, defaulting to subject DN
    03[CFG] added configuration 'rw4': 10.194.3.173[C=FR, ST=France, O=Warly, OU=ims2, CN=warly.org, E=warly@warly.org]...0.0.0.0[C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org]
    03[CFG] adding virtual IP address pool 'rw4': 2a01:e0b:2:2:2:2:2:2/128
    Changing to directory '/etc/ipsec.d/cacerts'
    loaded CA cert file 'cacert.pem' (3374 bytes)
    Changing to directory '/etc/ipsec.d/aacerts'
    Changing to directory '/etc/ipsec.d/ocspcerts'
    Changing to directory '/etc/ipsec.d/crls'
    Changing to directory '/etc/ipsec.d/acerts'
    listening for IKE messages
    adding interface eth0/eth0 10.194.3.173:500
    adding interface lo/lo 127.0.0.1:500
    adding interface lo/lo ::1:500
    adding interface eth0/eth0 2a01:e0b:1:1:1:1:1:1:500
    loading secrets from "/etc/ipsec.secrets"
    loaded private key file '/etc/ipsec.d/private/ims2.warly.org.key' (891 bytes)
    loaded host cert file '/etc/ipsec.d/certs/ims2.warly.org.pem' (3195 bytes)
    added connection description "rw4"
    08[NET] received packet: from 10.194.3.225[500] to 10.194.3.173[500]
    08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    08[AUD] 10.194.3.225 is initiating an IKE_SA
    08[IKE] IKE_SA '(unnamed)' state change: CREATED => CONNECTING
    08[IKE] sending cert request for "C=FR, ST=France, O=Warly, OU=admin, CN=Warly, E=warly@warly.org"
    08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
    08[NET] sending packet: from 10.194.3.173[500] to 10.194.3.225[500]
    09[NET] received packet: from 10.194.3.225[500] to 10.194.3.173[500]
    09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr ]
    09[IKE] received cert request for "C=FR, ST=France, O=Warly, OU=admin, CN=Warly, E=warly@warly.org"
    09[IKE] received end entity cert "C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org"
    09[CFG] using certificate "C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org"
    09[CFG] using trusted ca certificate "C=FR, ST=France, O=Warly, OU=admin, CN=Warly, E=warly@warly.org"
    09[CFG] checking certificate status of "C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org"
    09[CFG] certificate status is not available
    09[IKE] authentication of 'C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org' with RSA signature successful
    09[CFG] found matching config "rw4": C=FR, ST=France, O=Warly, OU=ims2, CN=warly.org, E=warly@warly.org...C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org, prio 40
    09[IKE] authentication of 'C=FR, ST=France, O=Warly, OU=ims2, CN=warly.org, E=warly@warly.org' (myself) with RSA signature successful
    09[IKE] IKE_SA 'rw4' state change: CONNECTING => ESTABLISHED
    09[IKE] scheduling reauthentication in 9875s
    09[IKE] maximum IKE_SA lifetime 10475s
    09[AUD] IKE_SA 'rw4' established between 10.194.3.173[C=FR, ST=France, O=Warly, OU=ims2, CN=warly.org, E=warly@warly.org]...[C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org]10.194.3.225
    09[IKE] sending end entity cert "C=FR, ST=France, O=Warly, OU=ims2, CN=warly.org, E=warly@warly.org"
    09[IKE] peer requested virtual IP 2a01:e0b:2:2:2:2:2:2
    09[IKE] assigning virtual IP 2a01:e0b:2:2:2:2:2:2 to peer
    09[KNL] received netlink error: Numerical result out of range (34)
    09[KNL] unable to install source route for 2a01:e0b:1:1:1:1:1:1
    09[AUD] CHILD_SA 'rw4' established successfully
    09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr N(AUTH_LFT) ]
    09[NET] sending packet: from 10.194.3.173[500] to 10.194.3.225[500]
    11[NET] received packet: from 10.194.3.225[500] to 10.194.3.173[500]
    ....

    Here:

    09[IKE] assigning virtual IP 2a01:e0b:2:2:2:2:2:2 to peer
    09[KNL] received netlink error: Numerical result out of range (34)
    09[KNL] unable to install source route for 2a01:e0b:1:1:1:1:1:1

    I do not understand where the issue is. I have the same message on both sides.

    Don't know if it can help, but here is a route -6:

    g-star# route -6
    Table de routage IPv6 du noyau
    Destination Next Hop Flag Met Ref Use If
    2a01:e0b:2:2::/64 :: U 1024 0 0 eth0
    fe80::/64 :: U 256 0 0 eth1
    ::/0 :: !n -1 1 54825 lo
    ::1/128 :: Un 0 1 95 lo
    2a01:e0b:1:1:1:1:1:1/128 :: Un 0 1 54232 lo
    fe80::21a:64ff:fe99:6928/128 :: Un 0 1 2385 lo
    fe80::21a:64ff:fe99:692a/128 :: Un 0 1 0 lo
    ff00::/8 :: U 256 0 0 eth1
    ff00::/8 :: U 256 0 0 eth0
    ::/0 :: !n -1 1 54825 lo
    g-star#

    And I checked: modules esp4 and xfrm4_tunnel are loaded:

    g-star# lsmod | grep esp4
    esp4 5600 0
    aead 6400 2 authenc,esp4
    g-orangepc# lsmod | grep xfrm4_tunnel
    xfrm4_tunnel 2304 0
    tunnel4 3016 1 xfrm4_tunnel
    g-star#

    If someone has any idea, that would be wonderful.

    Thanks for your time.

  2. #2 | Just Joined! | Join Date: Sep 2008 | Posts: 6

    So, I went deeper into the subject...
    It seems there are bugs with esp4 && xfrm4 and some kernel versions, so I did:
    modprobe esp6
    modprobe xfrm6_tunnel
    modprobe xfrm6_mode_tunnel

    Then I put my VPN up. Ping still does not work.

    When I do a ping from client to server and check the ESP packets on the server:

    g-star# ip xfrm s
    src 10.194.3.213 dst 10.194.3.136
    proto esp spi 0xcbd74e69 reqid 1 mode tunnel
    replay-window 32
    auth hmac(sha1) 0x6e288f21e52a3d8f44bb3180663e55dc34ebfa55
    enc cbc(aes) 0xd91d1dc5ac59361c3ebb906729562041
    encap type espinudp sport 10246 dport 4500 addr 0.0.0.0
    sel src 0.0.0.0/0 dst 0.0.0.0/0
    src 10.194.3.136 dst 10.194.3.213
    proto esp spi 0xc97b32b7 reqid 1 mode tunnel
    replay-window 32
    auth hmac(sha1) 0x2bbe64ed3752b9464188eff49c82f37aeee1d10b
    enc cbc(aes) 0x9a89264c14fbac012417bda5b458f0a7
    encap type espinudp sport 4500 dport 10246 addr 0.0.0.0
    sel src 0.0.0.0/0 dst 0.0.0.0/0
    g-star#

    And in monitor mode:

    g-star# ip xfrm m
    Async event (0x10) replay update
    src 10.194.3.213 dst 10.194.3.136 reqid 0x1 protocol esp SPI 0xc147e7a4
    Async event (0x20) timer expired
    src 10.194.3.213 dst 10.194.3.136 reqid 0x1 protocol esp SPI 0xc147e7a4
    Async event (0x20) timer expired
    src 10.194.3.213 dst 10.194.3.136 reqid 0x1 protocol esp SPI 0xc147e7a4
    Async event (0x20) timer expired
    src 10.194.3.213 dst 10.194.3.136 reqid 0x1 protocol esp SPI 0xc147e7a4
    Async event (0x20) timer expired
    src 10.194.3.213 dst 10.194.3.136 reqid 0x1 protocol esp SPI 0xc147e7a4
    Async event (0x20) timer expired
    src 10.194.3.213 dst 10.194.3.136 reqid 0x1 protocol esp SPI 0xc147e7a4
    ^C
    g-star#

    So it seems the server correctly receives encrypted packets, but seems to be unable to decrypt them...

    I have no idea why...

    If someone can help...

    thx
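
    As an added triage helper (not code from the thread), the Python script below parses charon's "NN[SUBSYS] message" lines for IKE/CHILD_SA state and the netlink route-install failure quoted above, and cross-checks the SPIs that "ip xfrm monitor" reports against the SAs installed in "ip xfrm state", since an ESP packet arriving for an SPI with no installed SA cannot be decrypted. The sample inputs are constructed from the output quoted in this thread.

```python
import re

# Constructed samples, modelled on the charon log and ip xfrm output quoted in this thread.
CHARON_LOG = """\
09[IKE] IKE_SA 'rw4' state change: CONNECTING => ESTABLISHED
09[IKE] assigning virtual IP 2a01:e0b:2:2:2:2:2:2 to peer
09[KNL] received netlink error: Numerical result out of range (34)
09[KNL] unable to install source route for 2a01:e0b:1:1:1:1:1:1
09[AUD] CHILD_SA 'rw4' established successfully
"""
XFRM_STATE = """\
src 10.194.3.213 dst 10.194.3.136
    proto esp spi 0xcbd74e69 reqid 1 mode tunnel
src 10.194.3.136 dst 10.194.3.213
    proto esp spi 0xc97b32b7 reqid 1 mode tunnel
"""
XFRM_MONITOR = """\
Async event  (0x10)  replay update
    src 10.194.3.213 dst 10.194.3.136  reqid 0x1 protocol esp  SPI 0xc147e7a4
Async event  (0x20)  timer expired
    src 10.194.3.213 dst 10.194.3.136  reqid 0x1 protocol esp  SPI 0xc147e7a4
"""

LINE_RE = re.compile(r"^\d+\[(\w+)\] (.*)$")          # "09[KNL] message"
NETLINK_RE = re.compile(r"received netlink error: (.+) \((\d+)\)")
NOROUTE_RE = re.compile(r"unable to install source route for (\S+)")

def triage_charon(log):
    """Summarise IKE/CHILD_SA state and kernel route-install failures from charon lines."""
    report = {"ike_established": False, "child_sa_established": False, "route_failures": []}
    pending = None  # (errno, text) of the last netlink error, attached to the next route line
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        subsys, msg = m.groups()
        if subsys == "IKE" and msg.endswith("=> ESTABLISHED"):
            report["ike_established"] = True
        elif subsys == "AUD" and "CHILD_SA" in msg and "established" in msg:
            report["child_sa_established"] = True
        elif subsys == "KNL":
            if (e := NETLINK_RE.search(msg)):
                pending = (int(e.group(2)), e.group(1))
            elif (r := NOROUTE_RE.search(msg)) and pending:
                report["route_failures"].append((*pending, r.group(1)))
                pending = None
    return report

def orphan_spis(state_out, monitor_out):
    """SPIs appearing in 'ip xfrm monitor' events that have no SA in 'ip xfrm state'."""
    installed = set(re.findall(r"\bspi (0x[0-9a-f]+)", state_out))
    seen = set(re.findall(r"\bSPI (0x[0-9a-f]+)", monitor_out))
    return seen - installed

if __name__ == "__main__":
    print(triage_charon(CHARON_LOG))
    print(orphan_spis(XFRM_STATE, XFRM_MONITOR))
```

    A CHILD_SA reported as established together with a route_failures entry means the tunnel negotiated but the source route for the virtual IP was not installed, which is the situation the log above shows.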

  3. #3 | Just Joined! | Join Date: Sep 2008 | Posts: 6

    OK, I fixed the issue.

  5. #4 | Just Joined! | Join Date: Oct 2008 | Posts: 2

    received netlink error

    Hi Nocte,

    I got the same error using strongSwan 4.2.6 on Debian, as you described in your thread:

    07[KNL] received netlink error: Network is unreachable (12
    07[KNL] unable to install source route for 10.0.8.10

    You mentioned that you fixed this issue. Could you please tell me how?
    Your help would really be appreciated.

    Cheers,
    Stefan

  6. #5 | Just Joined! | Join Date: Sep 2008 | Posts: 6

    Hi,

    Don't worry about this error message:

    7[KNL] received netlink error: Network is unreachable (12
    07[KNL] unable to install source route for 10.0.8.10


    It does not matter.

    I fixed the issue by using strongSwan 4.2.7-1.
    I was unable to make it work with earlier versions;
    maybe a bug...

  7. #6 | Just Joined! | Join Date: Oct 2008 | Posts: 2

    Hi,

    Thank you for your response. Just today I found a way to get rid of this error message:

    Just tell strongSwan in strongswan.conf not to automatically install routes in table 220, using the command "install_routes=no".

    Cheers,
    Stefan
