Hello,
I am facing an issue configuring a GRE over IPsec tunnel on OpenWrt 18.06.1 for the x86_64 platform.
I am using IPsec for the first time and I decided to use strongSwan, which seems to be the best approach.
My network schema that I expect to have:

       debian linux machine                                    OpenWrt Platform
gre0      ipsec0      lan (eth0)         (IPsec tun)          (eth0) lan            gre0
192.168.60.10 ------------------- 192.168.93.254 ============= 192.168.93.1 ------------ 192.168.66.10
Currently I have the following configuration on the OpenWrt Platform:
config setup
        charondebug="cfg 2, dmn 2, ike 2, net 2"
        strictcrlpolicy=no
        uniqueids=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

conn peer1-peer3
        #type=transport
        left=192.168.93.1
        leftcert=peer3Cert.der
        leftid="C=FR, O=myCompany, CN=peer3"
        leftprotoport=gre
        leftsubnet=192.168.66.0/24
        right=192.168.93.254
        rightid="C=FR, O=myCompany, CN=peer1"
        rightprotoport=gre
        rightsubnet=192.168.60.0/24
        rightfirewall=yes
        auto=start
        closeaction=restart
I provisioned the certificates and keys.
When I start IPsec by invoking '/etc/init.d/ipsec start' with this configuration, I get the status output below:
Status of IKE charon daemon (strongSwan 5.6.3, Linux 4.14.80, x86_64):
uptime: 2 seconds, since Mar 27 14:13:06 2019
worker threads: 6 of 16 idle, 6/0/4/0 working, job queue: 0/0/0/0, scheduled: 11
loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default connmark forecast farp stroke vici smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Listening IP addresses:
192.168.93.1
Connections:
peer1-peer3: 192.168.93.1...192.168.93.254 IKEv2
peer1-peer3: local: [C=FR, O=myCompany, CN=peer3] uses public key authentication
peer1-peer3: cert: "C=FR, O=myCompany, CN=peer3"
peer1-peer3: remote: [C=FR, O=myCompany, CN=peer1] uses public key authentication
peer1-peer3: child: 192.168.66.0/24[gre] === 192.168.60.0/24[gre] TUNNEL
Security Associations (1 up, 0 connecting):
peer1-peer3[1]: ESTABLISHED 2 seconds ago, 192.168.93.1[C=FR, O=myCompany, CN=peer3]...192.168.93.254[C=FR, O=myCompany, CN=peer1]
peer1-peer3[1]: IKEv2 SPIs: 3549a8778b799a0f_i* 1591ca3beb61f632_r, public key reauthentication in 51 minutes
peer1-peer3[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
The first issue (ISSUE1) I get is when I bring up the connection by typing "ipsec up peer1-peer3":
root@OpenWrt:/etc# ipsec up peer1-peer3
establishing CHILD_SA peer1-peer3{3}
generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
sending packet: from 192.168.93.1[4500] to 192.168.93.254[4500] (256 bytes)
received packet: from 192.168.93.254[4500] to 192.168.93.1[4500] (208 bytes)
parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
error installing route with policy 192.168.66.0/24[gre] === 192.168.60.0/24[gre] out
unable to install IPsec policies (SPD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
sending DELETE for ESP CHILD_SA with SPI ad8b4d48
generating INFORMATIONAL request 4 [ D ]
sending packet: from 192.168.93.1[4500] to 192.168.93.254[4500] (80 bytes)
received packet: from 192.168.93.254[4500] to 192.168.93.1[4500] (320 bytes)
parsed CREATE_CHILD_SA request 1 [ SA No TSi TSr ]
error installing route with policy 192.168.66.0/32[gre] === 192.168.60.0/32[gre] out
unable to install IPsec policies (SPD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
generating CREATE_CHILD_SA response 1 [ N(TS_UNACCEPT) ]
sending packet: from 192.168.93.1[4500] to 192.168.93.254[4500] (80 bytes)
establishing connection 'peer1-peer3' failed
I checked that an ipsec0 device was created:
root@OpenWrt:/etc# ip addr
...
43: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
I solved it by creating a gre0 interface with an IP on the same subnet as the 'leftsubnet' parameter and activating the peer1-peer3 connection:
root@OpenWrt:/etc# ip addr add 192.168.66.10/24 dev gre0
root@OpenWrt:/etc# ip link set gre0 up
root@OpenWrt:/etc# ipsec up peer1-peer3
establishing CHILD_SA peer1-peer3{2}
generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
sending packet: from 192.168.93.1[4500] to 192.168.93.254[4500] (256 bytes)
received packet: from 192.168.93.254[4500] to 192.168.93.1[4500] (208 bytes)
parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
CHILD_SA peer1-peer3{2} established with SPIs b84849d1_i cbd9621d_o and TS 192.168.66.0/24[gre] === 192.168.60.0/24[gre]
connection 'peer1-peer3' established successfully
The second problem (ISSUE2) is that I do not see any ipsec0 tunnel:
root@OpenWrt:/etc# ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
The third issue (ISSUE3) is that ipsec0 does not have the mode 'gre' set:
root@OpenWrt:/etc# ip addr
51: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
If I compare with the "Debian linux machine":
root@debian-9-6-amd64:/home/bsa/ipsec# ip tunnel
ipsec0: gre/ip remote 192.168.93.1 local 192.168.93.254 ttl inherit
gre0: gre/ip remote any local any ttl inherit nopmtudisc
root@debian-9-6-amd64:/home/bsa/ipsec# ip addr
...
42: gre0@NONE: <NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1
link/gre 0.0.0.0 brd 0.0.0.0
inet 192.168.60.10/24 scope global gre0
valid_lft forever preferred_lft forever
...
44: ipsec0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1
link/gre 192.168.93.254 peer 192.168.93.1
My questions are:
- What could be wrong in my configuration?
- How do I solve ISSUE1, ISSUE2 and ISSUE3?
Thanks in advance
Benoit
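An added example, not part of the original post: a small triage script for the charon output shown under ISSUE1. It extracts every "error installing route with policy" failure, records whether the CHILD_SA was initiated locally (CREATE_CHILD_SA request generated) or requested by the peer (CREATE_CHILD_SA request parsed), and flags traffic selectors narrower than the configured leftsubnet/rightsubnet, such as the /32 pair the peer proposed in the second attempt. The sample log is constructed from the lines in the post.

```python
import re
from ipaddress import ip_network

# Constructed sample: the relevant charon lines from the "ipsec up" output above
SAMPLE_LOG = """establishing CHILD_SA peer1-peer3{3}
generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
error installing route with policy 192.168.66.0/24[gre] === 192.168.60.0/24[gre] out
unable to install IPsec policies (SPD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
parsed CREATE_CHILD_SA request 1 [ SA No TSi TSr ]
error installing route with policy 192.168.66.0/32[gre] === 192.168.60.0/32[gre] out
unable to install IPsec policies (SPD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
generating CREATE_CHILD_SA response 1 [ N(TS_UNACCEPT) ]
establishing connection 'peer1-peer3' failed
"""

# Matches: error installing route with policy <local>[proto] === <remote>[proto] <dir>
POLICY_RE = re.compile(
    r"error installing route with policy (\S+)\[(\w+)\] === (\S+)\[(\w+)\] (in|out)$")


def parse_policy_failures(log):
    """Return one dict per failed SPD/route install, tagged with who initiated
    the CHILD_SA ("local" or "peer") and whether we answered TS_UNACCEPT."""
    failures = []
    origin = None
    for line in log.splitlines():
        if line.startswith("generating CREATE_CHILD_SA request"):
            origin = "local"      # we proposed these selectors
        elif line.startswith("parsed CREATE_CHILD_SA request"):
            origin = "peer"       # the remote proposed these selectors
        m = POLICY_RE.match(line)
        if m:
            failures.append({"local_ts": m.group(1), "local_proto": m.group(2),
                             "remote_ts": m.group(3), "remote_proto": m.group(4),
                             "dir": m.group(5), "origin": origin,
                             "ts_unaccept": False})
        elif "N(TS_UNACCEPT)" in line and failures:
            failures[-1]["ts_unaccept"] = True
    return failures


def narrowed_selectors(failures, leftsubnet, rightsubnet):
    """Failures whose selectors differ from the configured subnets (narrowing)."""
    left, right = ip_network(leftsubnet), ip_network(rightsubnet)
    return [f for f in failures
            if ip_network(f["local_ts"]) != left or ip_network(f["remote_ts"]) != right]
```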