And again: IPsec up but no traffic from local network

Dear readers,

I know it's been asked a zillion times because I read ALL threads touching that subject. But I've been trying now for several days and I'm running out of ideas.

The setup sounds more or less "standard" (OpenWRT behind a DSL router contacting the office network).

home LAN: 10.12.12.0/24 => WAN 192.168.2.118 => Internet => fixed IP 195.14.XXX.XXX => office LAN 192.168.0.0/24

Tunnel is up and running, I can ping from OpenWRT to the office LAN. But no traffic gets routed through from the home LAN. :frowning:

Configuration:
/etc/ipsec.conf:

conn Conn1
      keyexchange=ikev2
      right=195.14.XXX.XXX
      rightsubnet=192.168.0.0/24
      rightid=@office.domain.com
      rightauth=pubkey
      leftsourceip=%config
      leftid=@private.domain.com
      leftsubnet=10.12.12.0/24
      leftfirewall=yes
      ike=aes256-sha-modp1024
      esp=aes256-sha1-modp1024
      ikelifetime=4h
      keylife=1h
      auto=start
      type=tunnel
      forceencaps=yes
      leftauth=eap-mschapv2
      eap_identity=private.domain.com
      dpdaction=restart

/etc/config/network (only relevant parts)

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.12.12.1'

config interface 'ipsec'
        option proto 'none'
        option delegate '0'
        option ifname 'ipsec0'

config route
        option interface 'ipsec'
        option target '192.168.0.0'
        option netmask '255.255.255.0'

/etc/config/firewall

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'   ## I know.... it's just for testing
        option output 'ACCEPT'
        option forward 'ACCEPT'  ## I know... it's just for testing
        option extra_src   '-m policy --dir in --pol none'
        option extra_dest  '-m policy --dir out --pol none'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option extra_src   '-m policy --dir in --pol none'
        option extra_dest  '-m policy --dir out --pol none'

config zone
  option name        vpn
  list network 'ipsec'
  option input       ACCEPT
  option output      ACCEPT
  option forward     ACCEPT
  option subnet      192.168.0.0/24
  option extra_src   '-m policy --dir in --pol ipsec --proto esp'
  option extra_dest  '-m policy --dir out --pol ipsec --proto esp'
  option mtu_fix     1

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src              'vpn'
        option dest             'lan'

config forwarding
        option src              'lan'
        option dest             'vpn'


Routing:

root@OpenWrt:~# ip route show 
default via 192.168.2.1 dev eth0.2 proto static src 192.168.2.118 
10.12.12.0/24 dev br-lan proto kernel scope link src 10.12.12.1 
192.168.0.0/24 dev ipsec0 proto static scope link 
192.168.2.0/24 dev eth0.2 proto kernel scope link src 192.168.2.118 

root@OpenWrt:~# ip route show table 220
192.168.0.0/24 dev ipsec0 proto static src 10.12.12.1 

ipsec statusall

Status of IKE charon daemon (strongSwan 5.9.1, Linux 5.4.89, mips):
  uptime: 69 minutes, since Jan 18 22:28:20 2021
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon des sha1 md4 random nonce x509 pem openssl kernel-libipsec kernel-netlink socket-default stroke eap-mschapv2
Listening IP addresses:
  10.12.12.1
  fdef:7de7:3bb::1
  192.168.2.118
  2003:dc:6f17:7700:e80:63ff:fe2e:dd93
Connections:
     Conn1:  %any...195.14.XXX.XXX  IKEv2, dpddelay=30s
     Conn1:   local:  [private.domain.com] uses EAP_MSCHAPV2 authentication with EAP identity 'private.domain.com'
     Conn1:   remote: [office.domain.com] uses public key authentication
     Conn1:   child:  10.12.12.0/24 === 192.168.0.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
     Conn1[1]: ESTABLISHED 69 minutes ago, 192.168.2.118[private.domain.com]...195.14.XXX.XXX[office.domain.com]
     Conn1[1]: IKEv2 SPIs: 0d005605c31ea051_i* d7c0992d94cbed9c_r, EAP reauthentication in 2 hours
     Conn1[1]: IKE proposal: CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519
     Conn1{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: d09eb5f1_i c3bca305_o
     Conn1{2}:  AES_CBC_256/HMAC_SHA2_256_128, 168 bytes_i (2 pkts, 1129s ago), 168 bytes_o (2 pkts, 1129s ago), rekeying in 17 minutes
     Conn1{2}:   10.12.12.0/24 === 192.168.0.0/24

As said, I can ping from OpenWRT to office network.
But pings from the home network don't make it to the office router (checked with tcpdump -n -s0 -p -i eth1 esp or udp port 4500; eth1 is the outbound interface).

But I can still see them when I insert a LOG rule into OpenWRT's zone_lan_forward rule:

Mon Jan 18 23:29:07 2021 kern.warn kernel: [ 4161.802876] IN=br-lan OUT=ipsec0 MAC=0c:80:63:2e:dd:92:b8:8d:12:53:65:2d:08:00 SRC=10.12.12.218 DST=192.168.0.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31590 PROTO=ICMP TYPE=8 CODE=0 ID=30722 SEQ=0
Mon Jan 18 23:29:08 2021 kern.warn kernel: [ 4162.807779] IN=br-lan OUT=ipsec0 MAC=0c:80:63:2e:dd:92:b8:8d:12:53:65:2d:08:00 SRC=10.12.12.218 DST=192.168.0.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1326 PROTO=ICMP TYPE=8 CODE=0 ID=30722 SEQ=1
Mon Jan 18 23:29:09 2021 kern.warn kernel: [ 4163.808699] IN=br-lan OUT=ipsec0 MAC=0c:80:63:2e:dd:92:b8:8d:12:53:65:2d:08:00 SRC=10.12.12.218 DST=192.168.0.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=38685 PROTO=ICMP TYPE=8 CODE=0 ID=30722 SEQ=2
Mon Jan 18 23:29:10 2021 kern.warn kernel: [ 4164.823740] IN=br-lan OUT=ipsec0 MAC=0c:80:63:2e:dd:92:b8:8d:12:53:65:2d:08:00 SRC=10.12.12.218 DST=192.168.0.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=60992 PROTO=ICMP TYPE=8 CODE=0 ID=30722 SEQ=3
Mon Jan 18 23:29:11 2021 kern.warn kernel: [ 4165.815792] IN=br-lan OUT=ipsec0 MAC=0c:80:63:2e:dd:92:b8:8d:12:53:65:2d:08:00 SRC=10.12.12.218 DST=192.168.0.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=33133 PROTO=ICMP TYPE=8 CODE=0 ID=30722 SEQ=4
Mon Jan 18 23:29:12 2021 kern.warn kernel: [ 4166.820890] IN=br-lan OUT=ipsec0 MAC=0c:80:63:2e:dd:92:b8:8d:12:53:65:2d:08:00 SRC=10.12.12.218 DST=192.168.0.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=29882 PROTO=ICMP TYPE=8 CODE=0 ID=30722 SEQ=5

10.12.12.218 = Computer on home LAN
192.168.0.254 = Local IP of office endpoint of VPN

Any help is greatly appreciated!

Tino

Try to enable masquerading on the VPN firewall zone.
Also, since you use a custom routing table, there should be some rules:

ip rule show

Packets were sent across the tunnel in both directions, but this could be the result of running the ping from the OpenWrt gateway.

Do the counters increase when you send the ping

  • from the LAN?
  • from the OpenWrt gateway?

I wonder why there is an ipsec0 interface at all.
Are you using strongSwan with the kernel-libipsec plugin? If so, I suggest using the default kernel-netlink plugin instead.

I suspect this could make the situation worse because the masqueraded traffic would not match the policy anymore:

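The counter check suggested in the reply above, as an added example that is not part of the thread: a POSIX shell script that diffs the ESP byte counters of every CHILD_SA between two ipsec statusall snapshots taken around a test ping. The BEFORE snapshot is the first poster's statusall output; the two AFTER snapshots and their byte values are constructed (one where a gateway ping moved the counters, one where a LAN ping left them untouched).

```shell
#!/bin/sh
# Added example (not from the thread): diff the ESP byte counters of every
# CHILD_SA between two "ipsec statusall" snapshots taken around a test ping.
# If the counters do not move when the ping comes from a LAN host, those packets
# never entered the tunnel, whatever the routing table or a LOG rule suggests.

# sa_counters SNAPSHOT -> one line per CHILD_SA: "<conn> <bytes_in> <bytes_out>"
# Matches lines such as
#   "Conn1{2}:  AES_CBC_256/HMAC_SHA2_256_128, 168 bytes_i (2 pkts, 1129s ago), 168 bytes_o ..."
sa_counters() {
  printf '%s\n' "$1" | sed -n \
    's/^ *\([A-Za-z0-9_-]*\){[0-9]*}: *[^,]*, *\([0-9]*\) bytes_i.*, *\([0-9]*\) bytes_o.*/\1 \2 \3/p'
}

# sa_delta BEFORE AFTER -> "<conn> in=+N out=+M" for each CHILD_SA present in AFTER
sa_delta() {
  before_snap=$1
  sa_counters "$2" | while read -r conn in_after out_after; do
    # counters of the same connection in the BEFORE snapshot (0 0 if it was not up yet)
    set -- $(sa_counters "$before_snap" | grep "^$conn " | head -n 1)
    [ $# -eq 3 ] || set -- "$conn" 0 0
    echo "$conn in=+$(( in_after - $2 )) out=+$(( out_after - $3 ))"
  done
}

# verdict DELTALINE -> plain-language reading of one sa_delta line
verdict() {
  case "$1" in
    *"in=+0 out=+0") echo "no traffic matched this SA: the test packets never entered the tunnel" ;;
    *"in=+0 out="*)  echo "outbound only: packets left through the tunnel, nothing came back" ;;
    *"out=+0")       echo "inbound only: replies arrived but nothing was sent through the tunnel" ;;
    *)               echo "traffic in both directions" ;;
  esac
}

# --- Sample data -------------------------------------------------------------
# BEFORE: the counters from the first post. The two AFTER snapshots are
# constructed: one where a gateway ping added 84 bytes each way, one where a
# LAN ping left the counters untouched.
BEFORE='Security Associations (1 up, 0 connecting):
     Conn1[1]: ESTABLISHED 69 minutes ago, 192.168.2.118[private.domain.com]...195.14.XXX.XXX[office.domain.com]
     Conn1{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: d09eb5f1_i c3bca305_o
     Conn1{2}:  AES_CBC_256/HMAC_SHA2_256_128, 168 bytes_i (2 pkts, 1129s ago), 168 bytes_o (2 pkts, 1129s ago), rekeying in 17 minutes
     Conn1{2}:   10.12.12.0/24 === 192.168.0.0/24'
AFTER_GATEWAY=$(printf '%s\n' "$BEFORE" | sed \
  's/168 bytes_i (2 pkts, 1129s ago), 168 bytes_o (2 pkts, 1129s ago)/252 bytes_i (3 pkts, 2s ago), 252 bytes_o (3 pkts, 2s ago)/')
AFTER_LAN=$BEFORE

echo "== ping from the gateway =="
sa_delta "$BEFORE" "$AFTER_GATEWAY" | while read -r line; do echo "$line -> $(verdict "$line")"; done
echo "== ping from a LAN host =="
sa_delta "$BEFORE" "$AFTER_LAN" | while read -r line; do echo "$line -> $(verdict "$line")"; done
```

On a router the two snapshots would simply be `ipsec statusall` captured into variables before and after the ping; the parsing is the same.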

@vgaetera @mpa Guys, thank you so much for your hints!

I tried with and without masquerading in vpn zone.
(though option masq '1' always vanishes from /etc/config/firewall upon saving...) :face_with_raised_eyebrow:
Had to use iptables-command.

ip rule show

0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default

Looks ok/normal to me.

root@OpenWrt:~# opkg list-installed | grep ipsec
iptables-mod-ipsec - 1.8.6-1
kmod-ipsec - 5.4.89-1
kmod-ipsec4 - 5.4.89-1
kmod-ipsec6 - 5.4.89-1
kmod-ipt-ipsec - 5.4.89-1
strongswan-ipsec - 5.9.1-1
strongswan-mod-kernel-libipsec - 5.9.1-1

I removed strongswan-mod-kernel-libipsec, but now the tunnel complains about missing SAD.
I think I need to adjust the ike and esp algos, and for this I need the other colleagues. Time to go to bed. :wink:

strongswan-mod-kernel-netlink is the one I want to use, right?

Yes, along with the following configuration changes:

Remove these sections.

Remove the reference to network ipsec. Traffic is assigned to this zone based on the subnet and the policy match.

Remove this.

modp1024 is insecure, use a larger modp DH group or elliptic curve DH, if supported by the peer.

Okay, some more hours of trying...
As soon as I remove strongswan-mod-kernel-libipsec the tunnel can't be established anymore.

Fri Jan 22 00:05:03 2021 authpriv.info : 16[IKE] IKE_SA IPKoeln[1] established between 192.168.2.119[private.domain.com]...XX.XX.XX.XX[office.domain.com]
Fri Jan 22 00:05:03 2021 daemon.info : 16[IKE] scheduling reauthentication in 13338s
Fri Jan 22 00:05:03 2021 daemon.info : 16[IKE] maximum IKE_SA lifetime 13878s
Fri Jan 22 00:05:03 2021 daemon.info : 16[CFG] handling INTERNAL_IP4_DNS attribute failed
Fri Jan 22 00:05:03 2021 daemon.info : 16[CFG] handling INTERNAL_IP4_DNS attribute failed
Fri Jan 22 00:05:03 2021 daemon.info : 16[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Fri Jan 22 00:05:03 2021 daemon.info : 16[KNL] received netlink error: Function not implemented (89)
Fri Jan 22 00:05:03 2021 daemon.info : 16[KNL] unable to add SAD entry with SPI c0ff17a7 (FAILED)
Fri Jan 22 00:05:03 2021 daemon.info : 16[KNL] received netlink error: Function not implemented (89)
Fri Jan 22 00:05:03 2021 daemon.info : 16[KNL] unable to add SAD entry with SPI ca87cae8 (FAILED)
Fri Jan 22 00:05:03 2021 daemon.info : 16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Fri Jan 22 00:05:03 2021 daemon.info : 16[IKE] failed to establish CHILD_SA, keeping IKE_SA

Any idea which (kernel) module I'm missing?

root@OpenWrt:~# opkg list-installed|grep netlink
kmod-nfnetlink - 5.4.91-1
strongswan-mod-kernel-netlink - 5.9.1-1

Thanks again...

Perhaps kmod-crypto-sha256?

Otherwise, post a list of installed kernel module packages:

opkg list-installed "kmod-*"

Hallelujah!
Mirko, thank you so much for helping me with this!

I'm "afraid" that kmod-cryptodev was also the missing link.
Now it works with these ipsec.conf algos:

ike=aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072
esp=aes256-sha256-modp2048!

and

config zone
  option name        vpn
  option input       ACCEPT
  option output      ACCEPT
  option forward     ACCEPT
  option subnet      192.168.0.0/24
  option extra_src   '-m policy --dir in --pol ipsec --proto esp'
  option extra_dest  '-m policy --dir out --pol ipsec --proto esp'
  option mtu_fix     1

config forwarding
	option src		'vpn'
	option dest		'lan'

config forwarding
	option src		'lan'
	option dest		'vpn'

Thank you so much!

Hi guys, I'm experiencing a similar issue and would like to allow nodes from my LAN to access nodes behind the ipsec tunnel.

home LAN: 192.168.140.0/24 -> WAN 192.168.1.147 -> Internet => fixed IP gateway.foo.com => office LANs 172.20.101.0/24 172.21.101.0/24 172.22.101.0/24
cat /etc/ipsec.conf 

config setup
	strictcrlpolicy=no
	uniqueids=no

conn vpn
    auto=start
    keyexchange=ikev2
    type=tunnel
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    mobike=no
    left=%defaultroute
    # leftsubnet=192.168.140.0/24   # <---- this can't be enabled, connection will fail
    leftsourceip=%config
    leftfirewall=no
    right=gateway.foo.com
    rightid=gateway.foo.com
    rightsubnet=172.20.101.0/24,172.21.101.0/24,172.22.101.0/24
    leftid=username
    leftauth=eap-mschapv2
    eap_identity=%identity
    ike=aes128-sha256-modp2048
    esp=aes128-sha256-modp2048

ipsec start --nofork:

...
11[IKE] authentication of 'gateway.foo.com' with EAP successful
11[IKE] IKE_SA vpn[1] established between 192.168.1.147[username]...xx.xx.xx.xx[gateway.foo.com]
11[IKE] installing new virtual IP 172.21.101.38
11[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
11[IKE] CHILD_SA meteoblue{1} established with SPIs 3a0b8bfa_i c5ff4815_o and TS 172.21.101.38/32 === 172.20.101.0/24 172.21.101.0/24 172.22.101.0/24
...

Tables look good so far:

ip route show table 220

172.20.101.0/24 dev ipsec0 proto static src 172.21.101.38 
172.21.101.0/24 dev ipsec0 proto static src 172.21.101.38 
172.22.101.0/24 dev ipsec0 proto static src 172.21.101.38 

Strongswan also creates an ipsec0 device:

ifconfig ipsec0
ipsec0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.21.101.38  P-t-P:172.21.101.38  Mask:255.255.255.255
          inet6 addr: fe80::5452:f0ac:9a0:bcfe/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 B)  TX bytes:304 (304.0 B)

From the OpenWrt node I can ping the office LANs 172.20.101.0/24 172.21.101.0/24 172.22.101.0/24, but I can't do this from any node in my LAN (behind OpenWrt):

cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option extra_src '-m policy --dir in --pol ipsec --proto esp'
	option extra_dest '-m policy --dir out --pol ipsec --proto esp'
	option mtu_fix '1'
	option masq '1'
	list subnet '172.20.101.0/24'
	list subnet '172.21.101.0/24'
	list subnet '172.22.101.0/24'
	list subnet '172.23.101.0/24'
	list subnet '172.24.101.0/24'
	list subnet '172.25.101.0/24'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option extra_src '-m policy --dir in --pol none'
	option extra_dest '-m policy --dir out --pol none'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wana'
	list network 'wanb'
	option extra_src '-m policy --dir in --pol none'
	option extra_dest '-m policy --dir out --pol none'
	# list masq_dest '!172.20.101.0/24'
	# list masq_dest '!172.21.101.0/24'
	# list masq_dest '!172.22.101.0/24'
	# list masq_dest '!172.23.101.0/24'
	# list masq_dest '!172.24.101.0/24'
	# list masq_dest '!172.25.101.0/24'
...

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'lan'

Any ideas what the issue could be? Thanks

Fixed by adding ipsec0 to wan:

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wana'
        list network 'wanb'
        list device 'ipsec0'

as described here: Destination Port Unreachable - #16 by mk24
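Why the source address decides both cases in this thread, as an added example that is not part of the thread: a POSIX shell script that takes the traffic selectors (TS) of the installed CHILD_SA from ipsec statusall and checks whether the SRC/DST of a kernel LOG line fall inside them. The first poster's TS (10.12.12.0/24 === 192.168.0.0/24) and LOG line come from the thread; the second poster's TS line is constructed in statusall format from the charon log posted above (TS 172.21.101.38/32 === 172.20.101.0/24 172.21.101.0/24 172.22.101.0/24), and the LAN host 192.168.140.20 and office host 172.20.101.10 are constructed addresses. A packet outside the TS is not covered by the IPsec policy, so the second poster's LAN traffic only matched once masquerading on ipsec0 (adding ipsec0 to the masquerading wan zone) had rewritten its source to the virtual IP 172.21.101.38; the first poster's LAN traffic was inside the TS all along, which is why the cause there lay elsewhere (the libipsec plugin and missing kernel crypto modules).

```shell
#!/bin/sh
# Added example (not from the thread): does a packet seen by the kernel LOG rule
# on its way out of ipsec0 fall inside the CHILD_SA traffic selectors (TS) that
# "ipsec statusall" reports? Only packets inside the TS are protected by the SA.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PLEN -> exit 0 when ADDR lies inside the prefix (bare NET = /32)
in_cidr() {
  ip=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  plen=${2#*/}
  [ "$plen" = "$2" ] && plen=32
  mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# in_any ADDR "NET1/P NET2/P ..." -> exit 0 when ADDR lies inside any listed prefix
in_any() {
  [ -n "$1" ] || return 1
  for prefix in $2; do
    in_cidr "$1" "$prefix" && return 0
  done
  return 1
}

# classify STATUSALL LOGLINE -> INSIDE-TS or OUTSIDE-TS
# The TS line in statusall looks like "  Conn1{2}:   10.12.12.0/24 === 192.168.0.0/24";
# the remote side may list several prefixes separated by spaces.
classify() {
  ts=$(printf '%s\n' "$1" \
       | sed -n 's/^ *[A-Za-z0-9_-]*{[0-9]*}: *\(.*\) === \(.*\)$/\1|\2/p' | head -n 1)
  local_ts=${ts%%|*}
  remote_ts=${ts#*|}
  src=$(printf '%s\n' "$2" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p')
  dst=$(printf '%s\n' "$2" | sed -n 's/.*DST=\([0-9.]*\).*/\1/p')
  if in_any "$src" "$local_ts" && in_any "$dst" "$remote_ts"; then
    echo INSIDE-TS
  else
    echo OUTSIDE-TS
  fi
}

# --- Sample data -------------------------------------------------------------
# First poster: installed SA and LOG line as posted (only the relevant fields kept).
STATUS_A='     Conn1{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: d09eb5f1_i c3bca305_o
     Conn1{2}:   10.12.12.0/24 === 192.168.0.0/24'
LOG_A='IN=br-lan OUT=ipsec0 SRC=10.12.12.218 DST=192.168.0.254 LEN=84 PROTO=ICMP TYPE=8'

# Second poster: the TS from the charon log, rewritten in statusall format
# (constructed); the LAN host .20 and the office host .10 are constructed addresses.
STATUS_B='     vpn{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 3a0b8bfa_i c5ff4815_o
     vpn{1}:   172.21.101.38/32 === 172.20.101.0/24 172.21.101.0/24 172.22.101.0/24'
LOG_B='IN=br-lan OUT=ipsec0 SRC=192.168.140.20 DST=172.20.101.10 LEN=84 PROTO=ICMP TYPE=8'
# The same packet after masquerading on ipsec0 rewrote its source to the virtual IP.
LOG_B_NAT='IN=br-lan OUT=ipsec0 SRC=172.21.101.38 DST=172.20.101.10 LEN=84 PROTO=ICMP TYPE=8'

printf 'first poster, LAN host 10.12.12.218:        %s\n' "$(classify "$STATUS_A" "$LOG_A")"
printf 'second poster, LAN host 192.168.140.20:     %s\n' "$(classify "$STATUS_B" "$LOG_B")"
printf 'second poster, after SNAT to 172.21.101.38: %s\n' "$(classify "$STATUS_B" "$LOG_B_NAT")"
```

The same check also explains the earlier warning in this thread about masquerading the first poster's vpn zone: rewriting 10.12.12.x to the WAN address would have moved packets that were inside the TS to outside it.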
