09-30-2008 #1 | Just Joined! | Join Date: Sep 2008 | Posts: 6
VPN IPSEC issue....
Hi there,
I have a problem with 2 boxes under Debian Lenny:
g-star# dpkg -l | grep linux-image
ii linux-image-2.6-686 2.6.26+16 Linux 2.6 image on PPro/Celeron/PII/PIII/P4
ii linux-image-2.6.26-1-686 2.6.26-4 Linux 2.6.26 image on PPro/Celeron/PII/PIII/
g-star#
One of these boxes (I'll call it M2) is a virtual machine under VMware, bridged with my network card.
The other one, M1, is a real PC.
- I installed a strongSwan IPsec VPN between both.
- As I don't want to use their IP addresses, I assign them virtual IPv6 addresses:
for M1 : ip -6 route add 2a01:e0b:1:1::/32 dev eth0
for M2 : ip -6 route add 2a01:e0b:2:2::/64 dev eth0
Here is part of ipsec.conf for M1:
...
leftsourceip=2a01:e0b:1:1:1:1:1:1
leftsubnet=2a01:e0b:1:1::/32
rightfirewall=yes
right=%any
rightsubnetwithin=2a01:e0b:2:2::/64
rightsourceip=2a01:e0b:2:2:2:2:2:2
...
and for M2:
...
leftsubnet=2a01:e0b:2:2::/64
leftsourceip=2a01:e0b:2:2:2:2:2:2
right=10.194.3.173
rightfirewall=yes
rightsubnet=2a01:e0b:1:1::/32
...
Then I launch the VPN: ipsec start --debug --nofork
The connection comes up fine.
But when the VPN is up and I do a ping6 2a01:e0b:2:2:2:2:2:2 on M1,
ping does not work.
And if I run tcpdump -ni eth0 at the same time, nothing happens.
Same if I run tcpdump -ni lo and restart the VPN: I see no ESP packets....
Here is the log of the VPN connection during initialization; it seems fine, but at the bottom there is a curious error message:
...
Using Linux 2.6 IPsec interface code
| pluto (22752) started
| Attempting to start charon...
01[DMN] starting charon (strongSwan Version 4.2.4)
01[KNL] listening on interfaces:
01[KNL] eth0
01[KNL] 10.194.3.173
01[KNL] 2a01:e0b:1:1:1:1:1:1
01[KNL] fe80::21a:64ff:fe99:6928
01[KNL] eth1
01[KNL] fe80::21a:64ff:fe99:692a
01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
01[LIB] loaded certificate file '/etc/ipsec.d/cacerts/cacert.pem'
01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
01[CFG] loading crls from '/etc/ipsec.d/crls'
01[CFG] loading secrets from '/etc/ipsec.secrets'
01[CFG] loaded private key file '/etc/ipsec.d/private/ims2.warly.org.key'
01[JOB] spawning 16 worker threads
| charon (22755) started
03[CFG] received stroke: add connection 'rw4'
03[LIB] loaded certificate file '/etc/ipsec.d/certs/ims2.warly.org.pem'
03[CFG] peerid C=FR, ST=France, O=Warly, OU=ims2, CN=ims2.warly.org, E=warly@warly.org not confirmed by certificate, defaulting to subject DN
03[CFG] added configuration 'rw4': 10.194.3.173[C=FR, ST=France, O=Warly, OU=ims2, CN=warly.org, E=warly@warly.org]...0.0.0.0[C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org]
03[CFG] adding virtual IP address pool 'rw4': 2a01:e0b:2:2:2:2:2:2/128
Changing to directory '/etc/ipsec.d/cacerts'
loaded CA cert file 'cacert.pem' (3374 bytes)
Changing to directory '/etc/ipsec.d/aacerts'
Changing to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
Changing to directory '/etc/ipsec.d/acerts'
listening for IKE messages
adding interface eth0/eth0 10.194.3.173:500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo ::1:500
adding interface eth0/eth0 2a01:e0b:1:1:1:1:1:1:500
loading secrets from "/etc/ipsec.secrets"
loaded private key file '/etc/ipsec.d/private/ims2.warly.org.key' (891 bytes)
loaded host cert file '/etc/ipsec.d/certs/ims2.warly.org.pem' (3195 bytes)
added connection description "rw4"
08[NET] received packet: from 10.194.3.225[500] to 10.194.3.173[500]
08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
08[AUD] 10.194.3.225 is initiating an IKE_SA
08[IKE] IKE_SA '(unnamed)' state change: CREATED => CONNECTING
08[IKE] sending cert request for "C=FR, ST=France, O=Warly, OU=admin, CN=Warly, E=warly@warly.org"
08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
08[NET] sending packet: from 10.194.3.173[500] to 10.194.3.225[500]
09[NET] received packet: from 10.194.3.225[500] to 10.194.3.173[500]
09[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr ]
09[IKE] received cert request for "C=FR, ST=France, O=Warly, OU=admin, CN=Warly, E=warly@warly.org"
09[IKE] received end entity cert "C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org"
09[CFG] using certificate "C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org"
09[CFG] using trusted ca certificate "C=FR, ST=France, O=Warly, OU=admin, CN=Warly, E=warly@warly.org"
09[CFG] checking certificate status of "C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org"
09[CFG] certificate status is not available
09[IKE] authentication of 'C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org' with RSA signature successful
09[CFG] found matching config "rw4": C=FR, ST=France, O=Warly, OU=ims2, CN=warly.org, E=warly@warly.org...C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org, prio 40
09[IKE] authentication of 'C=FR, ST=France, O=Warly, OU=ims2, CN=warly.org, E=warly@warly.org' (myself) with RSA signature successful
09[IKE] IKE_SA 'rw4' state change: CONNECTING => ESTABLISHED
09[IKE] scheduling reauthentication in 9875s
09[IKE] maximum IKE_SA lifetime 10475s
09[AUD] IKE_SA 'rw4' established between 10.194.3.173[C=FR, ST=France, O=Warly, OU=ims2, CN=warly.org, E=warly@warly.org]...[C=FR, ST=France, O=Warly, OU=ims5, CN=ims5.warly.org, E=warly@warly.org]10.194.3.225
09[IKE] sending end entity cert "C=FR, ST=France, O=Warly, OU=ims2, CN=warly.org, E=warly@warly.org"
09[IKE] peer requested virtual IP 2a01:e0b:2:2:2:2:2:2
09[IKE] assigning virtual IP 2a01:e0b:2:2:2:2:2:2 to peer
09[KNL] received netlink error: Numerical result out of range (34)
09[KNL] unable to install source route for 2a01:e0b:1:1:1:1:1:1
09[AUD] CHILD_SA 'rw4' established successfully
09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr N(AUTH_LFT) ]
09[NET] sending packet: from 10.194.3.173[500] to 10.194.3.225[500]
11[NET] received packet: from 10.194.3.225[500] to 10.194.3.173[500]
....
Here:
09[IKE] assigning virtual IP 2a01:e0b:2:2:2:2:2:2 to peer
09[KNL] received netlink error: Numerical result out of range (34)
09[KNL] unable to install source route for 2a01:e0b:1:1:1:1:1:1
I do not understand where the issue is. I have the same message on both sides.
I don't know if it helps, but here is a route -6:
g-star# route -6
Table de routage IPv6 du noyau
Destination Next Hop Flag Met Ref Use If
2a01:e0b:2:2::/64 :: U 1024 0 0 eth0
fe80::/64 :: U 256 0 0 eth1
::/0 :: !n -1 1 54825 lo
::1/128 :: Un 0 1 95 lo
2a01:e0b:1:1:1:1:1:1/128 :: Un 0 1 54232 lo
fe80::21a:64ff:fe99:6928/128 :: Un 0 1 2385 lo
fe80::21a:64ff:fe99:692a/128 :: Un 0 1 0 lo
ff00::/8 :: U 256 0 0 eth1
ff00::/8 :: U 256 0 0 eth0
::/0 :: !n -1 1 54825 lo
g-star#
And I checked: the modules esp4 and xfrm4_tunnel are loaded:
g-star# lsmod | grep esp4
esp4 5600 0
aead 6400 2 authenc,esp4
g-orangepc# lsmod | grep xfrm4_tunnel
xfrm4_tunnel 2304 0
tunnel4 3016 1 xfrm4_tunnel
g-star#
If someone has any idea, that would be wonderful.
Thanks for your time.
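Before bringing a conn like this up, it is worth checking the prefixes mechanically rather than by eye. The following is an added example (not strongSwan code and not the poster's): it parses the key=value lines of the M1 fragment quoted above with Python's ipaddress module, normalizes each prefix the way the kernel will see it, and reports overlap between leftsubnet and rightsubnet as well as source IPs that fall outside their subnet. On the values quoted above it reports that 2a01:e0b:1:1::/32 is really 2a01:e0b::/32, which contains 2a01:e0b:2:2::/64; whether or not that is what triggers the netlink error in this thread, it is a condition to clear before looking further. The non-overlapping variant inside the block is constructed for comparison, not taken from the thread.

```python
"""Sanity-check subnet and sourceip values in a strongSwan ipsec.conf conn.

Added example: not strongSwan code and not the poster's.  M1_CONN is the
fragment quoted in the thread; CLEAN_CONN is a constructed, non-overlapping
variant used only for comparison.
"""
import ipaddress

# Constructed from the M1 fragment quoted in the thread (keys and values as posted).
M1_CONN = """
leftsourceip=2a01:e0b:1:1:1:1:1:1
leftsubnet=2a01:e0b:1:1::/32
rightfirewall=yes
right=%any
rightsubnetwithin=2a01:e0b:2:2::/64
rightsourceip=2a01:e0b:2:2:2:2:2:2
"""

# Constructed comparison values (not from the thread): two distinct /48s.
CLEAN_CONN = """
leftsourceip=2a01:e0b:1::1
leftsubnet=2a01:e0b:1::/48
rightsubnet=2a01:e0b:2::/48
rightsourceip=2a01:e0b:2::1
"""


def parse_conn(text):
    """Return the key=value pairs of a conn body as a dict (comments skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def normalized(prefix):
    """The network the kernel actually sees for a prefix written with host bits set.
    strict=False is what turns 2a01:e0b:1:1::/32 into 2a01:e0b::/32."""
    return ipaddress.ip_network(prefix, strict=False)


def check_conn(conf):
    """Return a list of findings; an empty list means the prefixes look sane."""
    findings = []
    left = normalized(conf["leftsubnet"])
    # A roadwarrior conn may use rightsubnetwithin instead of rightsubnet.
    right_key = "rightsubnet" if "rightsubnet" in conf else "rightsubnetwithin"
    right = normalized(conf[right_key])

    if str(left) != conf["leftsubnet"]:
        findings.append(
            f"leftsubnet {conf['leftsubnet']} has host bits set; the kernel sees {left}")
    if str(right) != conf[right_key]:
        findings.append(
            f"{right_key} {conf[right_key]} has host bits set; the kernel sees {right}")
    # Overlapping local and remote selectors are ambiguous: the same
    # destination then matches both sides of the tunnel.
    if left.overlaps(right):
        findings.append(f"leftsubnet {left} overlaps {right_key} {right}")
    # Each virtual/source IP should sit inside the subnet it is meant to use.
    for key, net in (("leftsourceip", left), ("rightsourceip", right)):
        if key in conf and ipaddress.ip_address(conf[key]) not in net:
            findings.append(f"{key} {conf[key]} is outside {net}")
    return findings


if __name__ == "__main__":
    for name, text in (("M1 (from the thread)", M1_CONN),
                       ("constructed clean variant", CLEAN_CONN)):
        print(f"== {name}")
        for finding in check_conn(parse_conn(text)) or ["no findings"]:
            print("  ", finding)
```

Running it prints two findings for the M1 values (host bits set in leftsubnet, and leftsubnet overlapping rightsubnetwithin) and none for the constructed variant. The same check applies to the hand-installed `ip -6 route add 2a01:e0b:1:1::/32 dev eth0` on M1, since the kernel installs that as 2a01:e0b::/32 too.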
10-01-2008 #2 | Just Joined! | Join Date: Sep 2008 | Posts: 6
So, I went deeper into the subject...
It seems there are bugs with esp4 && xfrm4 and some kernel versions, so I did:
modprobe esp6
modprobe xfrm6_tunnel
modprobe xfrm6_mode_tunnel
Then I put my VPN up. ping still does not work.
When I do a ping from client to server and check the ESP packets on the server:
g-star# ip xfrm s
src 10.194.3.213 dst 10.194.3.136
proto esp spi 0xcbd74e69 reqid 1 mode tunnel
replay-window 32
auth hmac(sha1) 0x6e288f21e52a3d8f44bb3180663e55dc34ebfa55
enc cbc(aes) 0xd91d1dc5ac59361c3ebb906729562041
encap type espinudp sport 10246 dport 4500 addr 0.0.0.0
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 10.194.3.136 dst 10.194.3.213
proto esp spi 0xc97b32b7 reqid 1 mode tunnel
replay-window 32
auth hmac(sha1) 0x2bbe64ed3752b9464188eff49c82f37aeee1d10b
enc cbc(aes) 0x9a89264c14fbac012417bda5b458f0a7
encap type espinudp sport 4500 dport 10246 addr 0.0.0.0
sel src 0.0.0.0/0 dst 0.0.0.0/0
g-star#
And in monitor mode:
g-star# ip xfrm m
Async event (0x10) replay update
src 10.194.3.213 dst 10.194.3.136 reqid 0x1 protocol esp SPI 0xc147e7a4
Async event (0x20) timer expired
src 10.194.3.213 dst 10.194.3.136 reqid 0x1 protocol esp SPI 0xc147e7a4
Async event (0x20) timer expired
src 10.194.3.213 dst 10.194.3.136 reqid 0x1 protocol esp SPI 0xc147e7a4
Async event (0x20) timer expired
src 10.194.3.213 dst 10.194.3.136 reqid 0x1 protocol esp SPI 0xc147e7a4
Async event (0x20) timer expired
src 10.194.3.213 dst 10.194.3.136 reqid 0x1 protocol esp SPI 0xc147e7a4
Async event (0x20) timer expired
src 10.194.3.213 dst 10.194.3.136 reqid 0x1 protocol esp SPI 0xc147e7a4
^C
g-star#
So it seems the server correctly receives encrypted packets, but seems unable to decrypt them...
I have no idea why....
If someone can help....
Thx
10-03-2008 #3 | Just Joined! | Join Date: Sep 2008 | Posts: 6
OK, I fixed the issue.
10-10-2008 #4 | Just Joined! | Join Date: Oct 2008 | Posts: 2
received netlink error
Hi Nocte,
I got the same error using strongSwan 4.2.6 on Debian as you described in your thread:
07[KNL] received netlink error: Network is unreachable (12
07[KNL] unable to install source route for 10.0.8.10
You mentioned that you fixed this issue. Could you please tell me how?
Your help would really be appreciated.
Cheers,
Stefan
10-13-2008 #5 | Just Joined! | Join Date: Sep 2008 | Posts: 6
Hi,
Don't worry about this error message:
7[KNL] received netlink error: Network is unreachable (12
07[KNL] unable to install source route for 10.0.8.10
It does not matter.
I fixed the issue by using strongSwan 4.2.7-1.
I was unable to make it work with earlier versions.
Maybe a bug...
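The log in post #1 shows the pattern this reply says to ignore: a KNL netlink error, the route install that failed because of it, and then the CHILD_SA established anyway. As an added example (not strongSwan's code and not any poster's), here is a small Python triage script that reads charon lines of the form NN[SUBSYSTEM] message, turns the numeric errno in the netlink line into its symbolic name, pairs it with the route-install failure that follows on the same thread, and records which CHILD_SAs came up. The LOG string is constructed from the lines quoted in post #1; the second, clean log is constructed for comparison.

```python
"""Triage charon log lines: separate kernel-interface (KNL) route-install
failures from the IKE/CHILD_SA outcome.

Added example, not strongSwan's or the posters' code.  LOG is constructed
from lines quoted in the first post of the thread; CLEAN_LOG is constructed
for comparison.
"""
import errno
import re

LOG = """\
09[IKE] peer requested virtual IP 2a01:e0b:2:2:2:2:2:2
09[IKE] assigning virtual IP 2a01:e0b:2:2:2:2:2:2 to peer
09[KNL] received netlink error: Numerical result out of range (34)
09[KNL] unable to install source route for 2a01:e0b:1:1:1:1:1:1
09[AUD] CHILD_SA 'rw4' established successfully
09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr N(AUTH_LFT) ]
"""

# Constructed: the same negotiation without any kernel error.
CLEAN_LOG = """\
09[IKE] assigning virtual IP 2a01:e0b:2:2:2:2:2:2 to peer
09[AUD] CHILD_SA 'rw4' established successfully
"""

LINE_RE = re.compile(r"^(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")
NETLINK_RE = re.compile(r"received netlink error: (?P<text>.+) \((?P<num>\d+)\)$")
ROUTE_RE = re.compile(r"unable to install (?P<what>[\w ]+?) for (?P<addr>\S+)$")
CHILD_RE = re.compile(r"CHILD_SA '(?P<conn>[^']+)' established successfully$")


def parse_line(line):
    """Split 'NN[SUB] message' into its parts, or None for non-charon lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(text):
    """Return netlink errors (with errno names), failed route installs paired
    with the error that caused them, and the CHILD_SAs that came up."""
    report = {"netlink_errors": [], "route_failures": [], "child_sas": []}
    pending = {}  # last unexplained netlink error, keyed by worker thread
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        msg, thread = ev["msg"], ev["thread"]
        if ev["sub"] == "KNL":
            m = NETLINK_RE.search(msg)
            if m:
                num = int(m.group("num"))
                err = {"errno": num, "name": errno.errorcode.get(num, "?"),
                       "text": m.group("text")}
                report["netlink_errors"].append(err)
                pending[thread] = err
                continue
            m = ROUTE_RE.search(msg)
            if m:
                report["route_failures"].append(
                    {"what": m.group("what"), "addr": m.group("addr"),
                     "cause": pending.pop(thread, None)})
        elif ev["sub"] == "AUD":
            m = CHILD_RE.search(msg)
            if m:
                report["child_sas"].append(m.group("conn"))
    return report


def sa_up_despite_route_error(report):
    """True when a CHILD_SA was established and a route install failed: the
    tunnel negotiated, only charon's routing step did not."""
    return bool(report["child_sas"]) and bool(report["route_failures"])


if __name__ == "__main__":
    for name, text in (("thread log", LOG), ("constructed clean log", CLEAN_LOG)):
        r = triage(text)
        print(f"== {name}: child_sas={r['child_sas']}")
        for f in r["route_failures"]:
            print(f"   {f['what']} for {f['addr']} failed: {f['cause']}")
        print("   SA up, route install failed:", sa_up_despite_route_error(r))
```

When sa_up_despite_route_error() is true, IKE authentication and the ESP SA negotiation succeeded and only charon's route installation failed, so the next thing to look at is the kernel routing and policy state (ip -6 route, ip xfrm policy) rather than the SA itself.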
10-14-2008 #6 | Just Joined! | Join Date: Oct 2008 | Posts: 2
Hi,
Thank you for your response. Just today I found a way to get rid of this error message:
Just tell strongSwan in strongswan.conf not to automatically install routes in table 220, using "install_routes=no".
Cheers,
Stefan