[ale] vpn set up fun (NOT!)

James Taylor James.Taylor at eastcobbgroup.com
Sun Mar 1 13:29:04 EST 2015


Not specific to libre/openswan, but...
I haven't used a site-to-site vpn lately, but I always got bit by dynamic routing creating a routing loop. Always had to make sure it was disabled...or figure it out all over again.
The symptom was that one packet would get through from one side, then nothing. 
Reset routes, and then one more packet.
May be nothing to do with your problem, but I thought I'd mention it.
-jt
 

James Taylor
678-697-9420
james.taylor at eastcobbgroup.com



>>> Jim Kinney <jim.kinney at gmail.com> 2/28/2015 3:19 PM >>> 
Setting up a libreswan (fork of OpenSwan - default in RHEL/CentOS7) between
two gateways for a net-to-net vpn.

The tunnel gives all indications of building properly but absolutely no
packets move between the gateways afterwards, no ping, nothing.

The connection conf file:

conn test
    type=tunnel
    rightid=@mostlyme
    right=70.88.18.24
    rightsourceip=192.168.0.1
    rightsubnet=192.168.0.0/24
    leftid=@otherme
    left=173.160.9.6
    leftsourceip=192.168.1.2
    leftsubnet=192.168.1.0/24
    esp=3des-md5-96
    keyexchange=ike
    pfs=no
    auth=esp
    authby=secret
    auto=start

secret is found and used.

Using netkey so the iptables stuff is very weird. Basically allow all
sources for protocol esp, ah (UDP) and udp port 4500 for NAT-T. Default
rules are to allow ANYTHING from either end, gateway or private network in
incoming, forward, outgoing.

ip xfrm state (same on both ends)
src 173.160.9.6 dst 70.88.18.24
    proto esp spi 0x0465e409 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0x934678d91da8c457f779aab661eefc7f 96
    enc cbc(des3_ede) 0x9bd95c9caac61d1c63586b4aa6b4c2966e35fea5ecc316b5
src 70.88.18.24 dst 173.160.9.6
    proto esp spi 0x4b4a9dc7 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0xaf5c69d32b81b49df203315fe8f0ea66 96
    enc cbc(des3_ede) 0xf6636ecda9d307f9d4e4b114746d6deb55f8d7f418b884e3


ipsec auto --status  (other gateway is similar)
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface enp3s0/enp3s0 2601:0:8781:700:6a05:caff:fe2e:5859
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface enp2s0/enp2s0 192.168.1.2
000 interface enp2s0/enp2s0 192.168.1.2
000 interface enp3s0/enp3s0 173.160.9.6
000 interface enp3s0/enp3s0 173.160.9.6
000
000 fips mode=disabled;
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets,
ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/, statsbin=unset
000 sbindir=/usr/sbin, libdir=/usr/libexec/ipsec,
libexecdir=/usr/libexec/ipsec
000 pluto_version=3.8, pluto_vendorid=OE-Libreswan-3.8
000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
000 secctx_attr_value=32001
000 myid = (none)
000 debug none
000
000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500,
disable_port_floating=no
000 virtual_private (%priv):
000 - allowed 7 subnets: 10.0.0.0/8, 192.168.0.0/24, 172.16.0.0/12,
25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000 - disallowed 1 subnet: 192.168.1.0/24
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME,
keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=20, v2name=AES_GCM_C,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=19, v2name=AES_GCM_B,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=18, v2name=AES_GCM_A,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3,
v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12,
v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC,
v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC,
v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH,
v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64}
trans={0,2,3072} attrs={0,2,2048}
000
000 Connection list:
000
000 "test": 192.168.1.0/24===173.160.9.6
<173.160.9.6>[@otherme]...70.88.18.24<70.88.18.24>[@mostlyme]===
192.168.0.0/24; erouted; eroute owner: #4
000 "test":     oriented; my_ip=192.168.1.2; their_ip=192.168.0.1;
000 "test":   xauth info: us:none, them:none,  my_xauthuser=[any];
their_xauthuser=[any]; ;
000 "test":   modecfg info: us:none, them:none, modecfg policy:push,
dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "test":   labeled_ipsec:no, loopback:no;
000 "test":    policy_label:unset;
000 "test":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0;
000 "test":   sha2_truncbug:no; initial_contact:no; cisco_unity:no;
send_vendorid:no;
000 "test":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
000 "test":   conn_prio: 24,24; interface: enp3s0; metric: 0; mtu: unset;
sa_prio:auto;
000 "test":   newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "test":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 "test":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_096
000 "test":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_096
000 "test":   ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State list:
000
000 #4: "test":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE
in 26351s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #4: "test" esp.465e409 at 70.88.18.24 esp.4b4a9dc7 at 173.160.9.6
tun.0 at 70.88.18.24 tun.0 at 173.160.9.6 ref=0 refhim=4294901761 Traffic:
ESPin=0B ESPout=0B! ESPmax=4194303B
000 #3: "test":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 1151s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
idle; import:not set
000
000 Shunt list:
000



-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain


http://heretothereideas.blogspot.com/
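The thread shows a tunnel whose SAs are established on both ends yet report ESPin=0B ESPout=0B. As an added diagnostic (not code from the thread or from libreswan), the script below parses the `ip xfrm state` and pluto state-list output posted above (embedded as constructed sample input, other fields trimmed), checks that the kernel SPIs agree with pluto's, and flags an SA that carries no traffic; the helper names are my own.

```python
import re
# Constructed sample: SPIs, addresses and counters as posted in the thread,
# with the mail-wrapped pluto state line rejoined into one line.
XFRM_STATE = """\
src 173.160.9.6 dst 70.88.18.24
    proto esp spi 0x0465e409 reqid 16385 mode tunnel
src 70.88.18.24 dst 173.160.9.6
    proto esp spi 0x4b4a9dc7 reqid 16385 mode tunnel
"""
PLUTO_STATUS = ('000 #4: "test" esp.465e409 at 70.88.18.24 esp.4b4a9dc7 at '
                '173.160.9.6 tun.0 at 70.88.18.24 tun.0 at 173.160.9.6 '
                'ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! '
                'ESPmax=4194303B\n')

def kernel_spis(xfrm_text):
    """Map (src, dst) -> SPI for each ESP SA the kernel holds."""
    sas, pair = {}, None
    for line in xfrm_text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:
            pair = (m.group(1), m.group(2))
            continue
        m = re.search(r"proto esp spi 0x([0-9a-f]+)", line)
        if m and pair:
            sas[pair] = int(m.group(1), 16)
    return sas

def pluto_spis(status_text):
    """Map SPI -> destination gateway from pluto's 'esp.<spi> at <peer>' fields."""
    return {int(spi, 16): peer
            for spi, peer in re.findall(r"esp\.([0-9a-f]+) at (\S+)", status_text)}

def traffic_counters(status_text):
    """(ESPin, ESPout) byte counters, or None if the Traffic field is absent."""
    m = re.search(r"ESPin=(\d+)B ESPout=(\d+)B", status_text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def diagnose(xfrm_text, status_text):
    """Return findings; an empty list means the SAs agree and carry traffic."""
    findings, kern, pl = [], kernel_spis(xfrm_text), pluto_spis(status_text)
    for (src, dst), spi in kern.items():
        if spi not in pl:
            findings.append(f"kernel SA {src}->{dst} spi {spi:#x} unknown to pluto")
        elif pl[spi] != dst:
            findings.append(f"spi {spi:#x}: kernel dst {dst}, pluto peer {pl[spi]}")
    for spi in pl:
        if spi not in kern.values():
            findings.append(f"pluto SA spi {spi:#x} has no kernel xfrm state")
    if traffic_counters(status_text) == (0, 0):
        findings.append("SA up but ESPin=0 and ESPout=0: nothing is routed into the tunnel; check routes and xfrm policy before the crypto")
    return findings
```

Run `diagnose(XFRM_STATE, PLUTO_STATUS)` against the posted output and the only finding is the zero-counter one, which matches the routing suspicion raised in the reply.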