Problem setting up a GRE tunnel over a strongSwan IPsec configuration

Hello,

I am facing an issue configuring GRE over an IPsec tunnel on OpenWrt 18.06.1 for the x86_64 platform.
I am using IPsec for the first time and I decided to use strongSwan, which seems to be the best approach.
The network layout I expect to have:

         Debian Linux machine                                OpenWrt platform
  gre0              ipsec0 / lan (eth0)    (IPsec tun)    (eth0) lan            gre0
  192.168.60.10 --------- 192.168.93.254 ============== 192.168.93.1 --------- 192.168.66.10

Currently I have the following configuration on the OpenWrt Platform:

config setup
  charondebug="cfg 2, dmn 2, ike 2, net 2"
  strictcrlpolicy=no
  uniqueids=no

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev2
  mobike=no

conn peer1-peer3
  #type=transport
  left=192.168.93.1
  leftcert=peer3Cert.der
  leftid="C=FR, O=myCompany, CN=peer3"
  # only GRE (IP protocol 47) between the two subnets is selected for protection
  leftprotoport=gre
  leftsubnet=192.168.66.0/24
  right=192.168.93.254
  rightid="C=FR, O=myCompany, CN=peer1"
  rightprotoport=gre
  rightsubnet=192.168.60.0/24
  # the updown script inserts firewall rules for the remote subnet
  rightfirewall=yes
  auto=start
  closeaction=restart

I did the provisioning of certificates and keys.
When I start ipsec by invoking '/etc/init.d/ipsec start' with this configuration, I get the log below:

Status of IKE charon daemon (strongSwan 5.6.3, Linux 4.14.80, x86_64):
  uptime: 2 seconds, since Mar 27 14:13:06 2019
  worker threads: 6 of 16 idle, 6/0/4/0 working, job queue: 0/0/0/0, scheduled: 11
  loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
  192.168.93.1
Connections:
 peer1-peer3:  192.168.93.1...192.168.93.254  IKEv2
 peer1-peer3:   local:  [C=FR, O=myCompany, CN=peer3] uses public key authentication
 peer1-peer3:    cert:  "C=FR, O=myCompany, CN=peer3"
 peer1-peer3:   remote: [C=FR, O=myCompany, CN=peer1] uses public key authentication
 peer1-peer3:   child:  192.168.66.0/24[gre] === 192.168.60.0/24[gre] TUNNEL
Security Associations (1 up, 0 connecting):
 peer1-peer3[1]: ESTABLISHED 2 seconds ago, 192.168.93.1[C=FR, O=myCompany, CN=peer3]...192.168.93.254[C=FR, O=myCompany, CN=peer1]
 peer1-peer3[1]: IKEv2 SPIs: 3549a8778b799a0f_i* 1591ca3beb61f632_r, public key reauthentication in 51 minutes
 peer1-peer3[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072

The first issue (ISSUE1) I get is when I bring up the connection by typing "ipsec up peer1-peer3":

root@OpenWrt:/etc# ipsec up peer1-peer3
establishing CHILD_SA peer1-peer3{3}
generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
sending packet: from 192.168.93.1[4500] to 192.168.93.254[4500] (256 bytes)
received packet: from 192.168.93.254[4500] to 192.168.93.1[4500] (208 bytes)
parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
error installing route with policy 192.168.66.0/24[gre] === 192.168.60.0/24[gre] out
unable to install IPsec policies (SPD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
sending DELETE for ESP CHILD_SA with SPI ad8b4d48
generating INFORMATIONAL request 4 [ D ]
sending packet: from 192.168.93.1[4500] to 192.168.93.254[4500] (80 bytes)
received packet: from 192.168.93.254[4500] to 192.168.93.1[4500] (320 bytes)
parsed CREATE_CHILD_SA request 1 [ SA No TSi TSr ]
error installing route with policy 192.168.66.0/32[gre] === 192.168.60.0/32[gre] out
unable to install IPsec policies (SPD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
generating CREATE_CHILD_SA response 1 [ N(TS_UNACCEPT) ]
sending packet: from 192.168.93.1[4500] to 192.168.93.254[4500] (80 bytes)
establishing connection 'peer1-peer3' failed

I checked that an ipsec0 device was created:

root@OpenWrt:/etc# ip addr
...
43: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 

I solved it by creating a gre0 interface with an IP on the same subnet as the 'leftsubnet' parameter and activating the peer1-peer3 connection:

root@OpenWrt:/etc# ip addr add 192.168.66.10/24 dev gre0
root@OpenWrt:/etc# ip link set gre0 up
root@OpenWrt:/etc# ipsec up peer1-peer3
establishing CHILD_SA peer1-peer3{2}
generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
sending packet: from 192.168.93.1[4500] to 192.168.93.254[4500] (256 bytes)
received packet: from 192.168.93.254[4500] to 192.168.93.1[4500] (208 bytes)
parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
CHILD_SA peer1-peer3{2} established with SPIs b84849d1_i cbd9621d_o and TS 192.168.66.0/24[gre] === 192.168.60.0/24[gre]
connection 'peer1-peer3' established successfully

The second problem (ISSUE2) is that I do not see any ipsec0 tunnel:

root@OpenWrt:/etc# ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc

The third issue (ISSUE3) is that ipsec0 does not have the 'gre' mode set:

root@OpenWrt:/etc# ip addr
51: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 

If I compare with the "Debian Linux machine":

root@debian-9-6-amd64:/home/bsa/ipsec# ip tunnel
ipsec0: gre/ip remote 192.168.93.1 local 192.168.93.254 ttl inherit
gre0: gre/ip remote any local any ttl inherit nopmtudisc
root@debian-9-6-amd64:/home/bsa/ipsec# ip addr
...
42: gre0@NONE: <NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1
    link/gre 0.0.0.0 brd 0.0.0.0
    inet 192.168.60.10/24 scope global gre0
       valid_lft forever preferred_lft forever
...
44: ipsec0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1
    link/gre 192.168.93.254 peer 192.168.93.1

My questions are:

  1. What could be wrong in my configuration?
  2. How do I solve ISSUE1, ISSUE2 and ISSUE3?

Thanks in advance
Benoit

Have you installed the needed IPsec and GRE-related kernel modules?

The first thing I noted was "unable to install IPsec policies (SPD) in kernel".

I've run GRE L2 tunnels and they can be configured with UCI, once the GRE tunnel package and its dependencies are installed.

I haven't set up IPsec on OpenWrt, but there might be additional modules required to handle IPsec with NAT.

Yep, I think it could be the problem.
I installed the following packages:

strongswan-full 
strongswan-default 
strongswan-mod-kernel-libipsec 
iptables-mod-filter 
iptables-mod-nat-extra

I checked that they were present in my image:

root@OpenWrt:/etc# opkg list |grep strongswan-full
strongswan-full - 5.6.3-3
root@OpenWrt:/etc# opkg list |grep strongswan-default
strongswan-default - 5.6.3-3
root@OpenWrt:/etc# opkg list |grep strongswan-mod-kernel-libipsec
strongswan-mod-kernel-libipsec - 5.6.3-3
root@OpenWrt:/etc# opkg list |grep iptables-mod-filter 
iptables-mod-filter - 1.6.2-1
root@OpenWrt:/etc# opkg list |grep iptables-mod-nat-extra
iptables-mod-nat-extra - 1.6.2-1
root@OpenWrt:/etc# 

In addition, I went through the strongSwan website to verify that the kernel config was good, as mentioned at https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules, by running this script:

#!/bin/sh
# testk.sh: run from the kernel build directory; prints the .config line for each option
for opt in CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET CONFIG_IP_ADVANCED_ROUTER \
           CONFIG_IP_MULTIPLE_TABLES CONFIG_INET_AH CONFIG_INET_ESP CONFIG_INET_IPCOMP \
           CONFIG_INET_XFRM_MODE_TRANSPORT CONFIG_INET_XFRM_MODE_TUNNEL CONFIG_INET_XFRM_MODE_BEET \
           CONFIG_IPV6 CONFIG_INET6_AH CONFIG_INET6_ESP CONFIG_INET6_IPCOMP \
           CONFIG_INET6_XFRM_MODE_TRANSPORT CONFIG_INET6_XFRM_MODE_TUNNEL CONFIG_INET6_XFRM_MODE_BEET \
           CONFIG_IPV6_MULTIPLE_TABLES CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES \
           CONFIG_NETFILTER_XT_MATCH_POLICY; do
    grep "\\<${opt}\\>" .config
done

The result is :

bsa@debian-9-6-amd64:~/build_openwrt/openwrt/build_dir/target-x86_64_musl/linux-x86_64/linux-4.14.80$ ./testk.sh 
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_IPV6=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m

It matches: I looked for 22 kernel configs and 22 were found.

I am not aware whether there are more packages to install.

Thanks
Benoit

In addition, the gre packages:

root@OpenWrt:/etc# opkg list |grep gre
gre - 1-8
grep - 2.26-1
kmod-gre - 4.14.80-1
kmod-gre6 - 4.14.80-1
root@OpenWrt:/etc# opkg list |grep tun
kmod-ip6-tunnel - 4.14.80-1
kmod-iptunnel - 4.14.80-1
kmod-iptunnel4 - 4.14.80-1
kmod-iptunnel6 - 4.14.80-1
kmod-tun - 4.14.80-1

I think that the GRE tunnel can be created, but the problem is more on the IPsec side, because when I remove the gre proto from my ipsec.conf configuration I have the same problem.
In my opinion it does not depend on 'gre'. I think so.

Anything with =m means it was built as a kernel module, but not installed in the image itself. Those are typically installed using opkg post facto, or custom-built into the image.

Here's a list of packages matching "ipsec"

https://openwrt.org/packages/table/start?dataflt[Name_pkg-dependencies*~]=ipsec

And similarly for GRE

https://openwrt.org/packages/table/start?dataflt[Name_pkg-dependencies*~]=gre

For GRE, installing gre looks like it now provides the configuration scripts as well as the IPv4 and IPv6 kernel modules as dependencies.

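The =m distinction above is worth checking mechanically rather than by eye. The script below is an added example, not code from this thread, from OpenWrt or from strongSwan: it reads a kernel .config and an lsmod listing and reports, for each option GRE over IPsec needs, whether it is built in, built as a module that is loaded, built as a module that is not loaded, or absent. The CONFIG-to-module-name mapping is for the Linux 4.14 kernel used in this thread and is an assumption to adjust for other kernel versions; the sample .config and lsmod contents are constructed.

```shell
#!/bin/sh
# Added example: kernel option / module inventory for GRE over IPsec.
# CONFIG option -> module name as built by Linux 4.14
# (assumption; xfrm4_mode_* for instance no longer exist as modules in 5.x).
REQUIRED_KMODS="
CONFIG_XFRM_USER:xfrm_user
CONFIG_NET_KEY:af_key
CONFIG_INET_AH:ah4
CONFIG_INET_ESP:esp4
CONFIG_INET_IPCOMP:ipcomp
CONFIG_INET_XFRM_MODE_TRANSPORT:xfrm4_mode_transport
CONFIG_INET_XFRM_MODE_TUNNEL:xfrm4_mode_tunnel
CONFIG_NET_IPGRE_DEMUX:gre
CONFIG_NET_IPGRE:ip_gre
CONFIG_NETFILTER_XT_MATCH_POLICY:xt_policy
"

# kmod_report CONFIG_FILE LSMOD_FILE
# One line per option: builtin | module-loaded | module-NOT-loaded | MISSING
kmod_report() {
    cfg=$1; lsm=$2
    for pair in $REQUIRED_KMODS; do
        opt=${pair%%:*}
        mod=${pair#*:}
        # "# CONFIG_X is not set" never matches "^CONFIG_X=", so it counts as missing
        val=$(sed -n "s/^${opt}=//p" "$cfg")
        case "$val" in
            y) state="builtin" ;;
            m) if grep -q "^${mod}[[:space:]]" "$lsm"; then
                   state="module-loaded ($mod)"
               else
                   state="module-NOT-loaded ($mod): install its kmod package or modprobe it"
               fi ;;
            *) state="MISSING" ;;
        esac
        printf '%-36s %s\n' "$opt" "$state"
    done
}

# kmod_problem_count CONFIG_FILE LSMOD_FILE
# Prints the number of options that are absent or built as an unloaded module.
kmod_problem_count() {
    kmod_report "$1" "$2" | grep -c -e MISSING -e NOT-loaded || true
}

# Constructed sample inputs (not output from the thread's box): the .config
# leaves IPCOMP unset and lsmod lacks xt_policy, so two problems are expected.
SAMPLE_KCONFIG='CONFIG_INET=y
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
# CONFIG_INET_IPCOMP is not set
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_NET_IPGRE_DEMUX=m
CONFIG_NET_IPGRE=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m'

SAMPLE_LSMOD='Module                  Size  Used by
xfrm_user              32768  1
af_key                 36864  0
esp4                   16384  0
ah4                    16384  0
xfrm4_mode_transport   16384  0
ip_gre                 24576  0
gre                    16384  1 ip_gre'

# with_samples FUNC: write the samples to temp files and run FUNC on them.
with_samples() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_KCONFIG" > "$d/config"
    printf '%s\n' "$SAMPLE_LSMOD" > "$d/lsmod"
    "$@" "$d/config" "$d/lsmod"
    rm -rf "$d"
}

# On a real box: lsmod > /tmp/lsmod.txt; sh kmod-check.sh <kernel .config> /tmp/lsmod.txt
if [ $# -eq 2 ]; then
    kmod_report "$1" "$2"
fi
```

Run it against the .config from the kernel build tree and a fresh `lsmod` capture; a module-NOT-loaded line is exactly the case vgaetera and Jeff describe, where `opkg list` shows a kmod package that is not installed or loaded.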

It seems to be coherent for ipsec:

root@OpenWrt:/etc# opkg list |grep ipsec
iptables-mod-ipsec - 1.6.2-1
kmod-ipsec - 4.14.80-1
kmod-ipsec4 - 4.14.80-1
kmod-ipsec6 - 4.14.80-1
kmod-ipt-ipsec - 4.14.80-1
strongswan-ipsec - 5.6.3-3
strongswan-mod-kernel-libipsec - 5.6.3-3

I get 7 packages, and in your list you get 8. The 8th one is the ipsec tools, which are replaced by strongSwan.


What I provided in the CONFIG list is the list of CONFIG options in the .config of the kernel in the "build_dir/target-x86_64_musl/linux-x86_64/linux-4.14.80" folder.
It is not the .config of the OpenWrt folder.
So it is the set of modules built by the kernel: when it is '=m' it is a module, and when it is '=y' it is included in the kernel.

I am going to check whether those modules are turned into packages in the OpenWrt environment.

Is that what you mean?

FYI, in the general case it is not the same as:

opkg list-installed

Missed that subtle point!

lsmod is also helpful to determine what has actually been loaded as well.


No problem, Jeff.
Yep vgaetera, this is the check:

root@OpenWrt:~# opkg list |wc -l
372
root@OpenWrt:~# opkg list-installed |wc -l
372

All packages listed are installed.

Thanks

lsmod | grep -e gre -e ipsec -e tun

Good, but I hope you understand the difference.

I solved my problem by removing kernel-libipsec from my OpenWrt image.
I got exactly the same behaviour as with the Debian distro.
The IPsec connection was correctly created.

But in this configuration I need to create ipsec0 and gre0 by hand using the following commands, once 'ipsec start' and 'ipsec up peer1-peer3' no longer return any errors:

# GRE tunnel between the two IPsec endpoints
ip tunnel add ipsec0 local 192.168.93.1 remote 192.168.93.254 mode gre
ip link set ipsec0 up
# inner address on the catch-all gre0 device, inside leftsubnet
ip addr add 192.168.66.10/24 dev gre0
ip link set gre0 up

It could be helpful for others who will face the same issue.

Thanks
Benoit

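The hand-built tunnel in the last post is where most GRE-over-IPsec deployments end up, so here is the whole procedure in one script. It is an added example, not code from this thread, from strongSwan or from OpenWrt: it prints a transport-mode conn in which strongSwan protects only GRE between the two IPsec endpoints of the diagram (192.168.93.1 and 192.168.93.254; the certificate and identity settings are carried over from the thread's conn), creates the GRE tunnel bound to those endpoints with an MTU that leaves room for GRE plus ESP with NAT-T UDP encapsulation (the thread's log shows port 4500 in use), routes the far LAN through it, and finally checks the kernel SPD with `ip xfrm policy` for a proto-gre policy in both directions. It assumes the kernel XFRM path the last post switched to, without kernel-libipsec. The device name gre1, the inner point-to-point addresses 10.10.10.1/30 and 10.10.10.2/30, the conn name gre-peer1-peer3, the TTL, the 80-byte ESP allowance and the sample `ip xfrm policy` output are assumptions or constructed. It runs in dry-run mode unless invoked with `apply`.

```shell
#!/bin/sh
# Added example: GRE over IPsec on the OpenWrt side (assumed addressing, see lead-in).
LOCAL_OUTER="${LOCAL_OUTER:-192.168.93.1}"        # this host's IPsec endpoint
REMOTE_OUTER="${REMOTE_OUTER:-192.168.93.254}"    # the Debian peer
GRE_DEV="${GRE_DEV:-gre1}"                         # assumed device name
GRE_ADDR="${GRE_ADDR:-10.10.10.1/30}"              # assumed inner tunnel address
REMOTE_LAN="${REMOTE_LAN:-192.168.60.0/24}"       # LAN behind the Debian peer
WAN_MTU="${WAN_MTU:-1500}"
DRY_RUN="${DRY_RUN:-1}"                            # 1 = print commands, 0 = execute

# Run a command, or print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# strongSwan conn for the transport-mode pattern: the selectors are the two
# endpoints themselves, protocol GRE; the LAN prefixes are routed inside the
# GRE tunnel and deliberately do not appear as leftsubnet/rightsubnet.
ipsec_conf_snippet() {
    cat <<EOF
conn gre-peer1-peer3
  type=transport
  keyexchange=ikev2
  left=$LOCAL_OUTER
  leftcert=peer3Cert.der
  leftid="C=FR, O=myCompany, CN=peer3"
  leftprotoport=gre
  right=$REMOTE_OUTER
  rightid="C=FR, O=myCompany, CN=peer1"
  rightprotoport=gre
  auto=route
EOF
}

# Inner MTU: outer IPv4 (20) + GRE header without key/seq (4) + a conservative
# 80-byte allowance for ESP in transport mode (SPI/seq 8, AES-CBC IV 16,
# padding and trailer up to 17, SHA2-256-128 ICV 16, NAT-T UDP 8, rounded up).
gre_mtu() { echo $(( $1 - 20 - 4 - 80 )); }

setup_gre() {
    mtu=$(gre_mtu "$WAN_MTU")
    run ip tunnel add "$GRE_DEV" mode gre local "$LOCAL_OUTER" remote "$REMOTE_OUTER" ttl 64
    run ip link set "$GRE_DEV" mtu "$mtu" up
    run ip addr add "$GRE_ADDR" dev "$GRE_DEV"
    run ip route add "$REMOTE_LAN" dev "$GRE_DEV"
}

# gre_policy_dirs: reads `ip xfrm policy` output on stdin and prints the
# direction (out/in/fwd) of every proto-gre policy between the two endpoints.
gre_policy_dirs() {
    awk -v l="$LOCAL_OUTER" -v r="$REMOTE_OUTER" '
        /^src / {
            o_ok = index($0, "src " l "/32 dst " r "/32 proto gre") > 0
            i_ok = index($0, "src " r "/32 dst " l "/32 proto gre") > 0
            want = o_ok || i_ok
            next
        }
        want && /dir / {
            for (i = 1; i <= NF; i++) if ($i == "dir") print $(i + 1)
            want = 0
        }'
}

# check_gre_policy: succeeds only if both an outbound and an inbound GRE policy exist.
check_gre_policy() {
    dirs=$(gre_policy_dirs)
    echo "$dirs" | grep -qx out && echo "$dirs" | grep -qx in
}

# Constructed sample in the layout `ip xfrm policy` prints (not captured from the thread).
SAMPLE_XFRM_POLICY='src 192.168.93.1/32 dst 192.168.93.254/32 proto gre
    dir out priority 375423 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport
src 192.168.93.254/32 dst 192.168.93.1/32 proto gre
    dir in priority 375423 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport'

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
    setup_gre
    ip xfrm policy | check_gre_policy && echo "GRE policies installed in both directions"
fi
```

`auto=route` installs trap policies, so GRE toward the peer is never sent in the clear while the CHILD_SA is down; with `auto=start` the policy only exists while the SA is up. Run `ip xfrm policy | check_gre_policy` after the connection is up to confirm the SPD contains what the conn asked for, which is exactly the step the CHILD_SA errors earlier in the thread were failing at.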
