Re: Packet forwarding stopped when Strongswan installs IPsec policy
- In reply to: Victor Gamov : "Packet forwarding stopped when Strongswan installs IPsec policy"
Date: Sat, 14 Oct 2023 14:29:03 UTC
After more investigation the tunnel is up and works:

etc/strongswan.d/charon.conf:
=====
install_routes = no
=====

This was disabled the first time but got lost during configuration experiments.

etc/ipsec.conf:
=====
conn pop4-to-pop12-routed
    installpolicy = no
=====

On Sat, 14 Oct 2023 at 13:25, Victor Gamov <vitspec@gmail.com> wrote:
> Hi All
>
> I have a FreeBSD 13.2-STABLE stable/13-n255939-b9da47180fd6 GENERIC amd64
> machine with strongswan-5.9.11_2 installed by pkg.
>
> When routed IPsec is up, all outgoing packets are forwarded into the IPsec tunnel,
> so networking immediately fails.
>
> FreeBSD config:
> =====
> net.fibs=4
> net.inet.ip.forwarding=1
> =====
>
>
> ifconfig ipsec10121
> =====
> ipsec10121: flags=8050<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
>         description: PoP-12
>         tunnel inet 1.1.1.2 --> 2.2.2.2
>         inet 172.16.110.129 --> 172.16.110.130 netmask 0xfffffffc
>         groups: ipsec
>         reqid: 10121
>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
> =====
>
>
> strongswan etc/ipsec.conf:
> =====
> conn pop4-to-pop12-routed
>     # also = tmpl_route_based
>     left = 1.1.1.2
>     right = 2.2.2.2
>     leftsubnet = 0.0.0.0/0
>     rightsubnet = 0.0.0.0/0
>     reqid = 10121
>     type = tunnel
>     authby = psk
>     keyexchange = ikev2
>     ike = aes256-sha256-modp3072,aes256-sha256-modp3072
>     esp = aes256-sha256-modp3072,aes256-sha256-modp3072
>     ikelifetime = 28800
>     mobike = no
>     lifetime = 3600
>     dpdaction = restart
>     dpddelay = 30s
>     auto = start
> =====
>
>
> strongswan etc/strongswan.d/charon/kernel-pfkey.conf:
> =====
> kernel-pfkey {
>     load = yes
>     # route_via_internal = no
> }
> =====
>
>
> route -n monitor
> =====
> got message of size 272 on Sat Oct 14 12:39:39 2023
> RTM_GET: Report Metrics: len 272, pid: 49695, seq 1, errno 0,
> flags:<UP,GATEWAY,DONE,STATIC>
> locks:  inits:
> sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
>  0.0.0.0 1.1.1.1 0.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
>
> got message of size 200 on Sat Oct 14 12:39:39 2023
> RTM_GET: Report Metrics: len 200, pid: 49695, seq 2, errno 0,
> flags:<UP,GATEWAY,DONE,STATIC>
> locks:  inits:
> sockaddrs: <DST,GATEWAY,NETMASK>
>  0.0.0.0 1.1.1.1 0.0.0.0
>
> got message of size 256 on Sat Oct 14 12:39:39 2023
> RTM_ADD: Add Route: len 256, pid: 49695, seq 3, errno 0,
> flags:<UP,GATEWAY,HOST,DONE,STATIC>
> locks:  inits:
> sockaddrs: <DST,GATEWAY,IFP,IFA>
>  2.2.2.2 1.1.1.1 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
>
> got message of size 272 on Sat Oct 14 12:39:39 2023
> RTM_ADD: Add Route: len 272, pid: 49695, seq 5, errno 0,
> flags:<UP,DONE,STATIC>
> locks:  inits:
> sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
>  128.0.0.0 1.1.1.1 128.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
>
> got message of size 272 on Sat Oct 14 12:39:39 2023
> RTM_ADD: Add Route: len 272, pid: 49695, seq 4, errno 0,
> flags:<UP,DONE,STATIC>
> locks:  inits:
> sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
>  0.0.0.0 1.1.1.1 128.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
> =====
>
>
> netstat -r -nW4:
> =====
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Nhop#    Mtu    Netif   Expire
> 0.0.0.0/1          195.34.58.166      US         12   1500    vlan200
> default            195.34.58.166      UGS         6   1500    vlan200
> 10.4.102.128/31    link#8             U           8   1500    vlan22
> 10.4.102.129       link#8             UHS         7  16384    lo0
> 31.131.95.64/27    127.0.0.1          U1B         9  16384    lo0
> 46.243.226.103     195.34.58.166      UGHS       10   1500    vlan200
> 127.0.0.1          link#5             UHS         1  16384    lo0
> 128.0.0.0/1        195.34.58.166      US         12   1500    vlan200
> 172.16.110.12/31   link#4             U           2   1500    ixl3
> 172.16.110.13      link#4             UHS         3  16384    lo0
> 172.16.110.129     link#11            UHS        11  16384    lo0
> 195.34.58.166/31   link#7             U           4   1500    vlan200
> 195.34.58.167      link#7             UHS         5  16384    lo0
> =====
>
>
> netstat -o -nW4
> =====
> Nexthop data
>
> Internet:
> Idx   Type         IFA             Gateway           Flags      Use    Mtu   Netif    Addrif      Refcnt  Prepend
> 1     v4/resolve   127.0.0.1       lo0/resolve       HS        1366  16384   lo0                       2
> 2     v4/resolve   172.16.110.13   ixl3/resolve                  0   1500   ixl3                      2
> 3     v4/resolve   127.0.0.1       lo0/resolve       HS           0  16384   lo0      ixl3             2
> 4     v4/resolve   195.34.58.167   vlan200/resolve            51749   1500   vlan200                   4
> 5     v4/resolve   127.0.0.1       lo0/resolve       HS           0  16384   lo0      vlan200          2
> 6     v4/gw        195.34.58.167   195.34.58.166     GS       37902   1500   vlan200                   2
> 7     v4/resolve   127.0.0.1       lo0/resolve       HS           0  16384   lo0      vlan22           2
> 8     v4/resolve   10.4.102.129    vlan22/resolve                3   1500   vlan22                    2
> 9     v4/resolve   127.0.0.1       lo0/resolve       1B           0  16384   lo0                       2
> 10    v4/gw        195.34.58.167   195.34.58.166     GHS          0   1500   vlan200                   2
> 11    v4/resolve   127.0.0.1       lo0/resolve       HS           0  16384   lo0      ipsec10121       2
> 12    v4/resolve   195.34.58.167   vlan200/resolve   S            0   1500   vlan200                   3
> =====
>
>
> If I change "route_via_internal=yes" in
> etc/strongswan.d/charon/kernel-pfkey.conf, then no routes like 0.0.0.0/1 or
> 128.0.0.0/1 are installed, but networking still fails.
>
> The very same strongswan config has worked fine for many years on FreeBSD-11.
> FreeBSD-13 has many changes in the network stack, and strongswan has changed too.
>
> I also read https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255678
> and https://github.com/strongswan/strongswan/issues/910, and it looks
> like a strongswan/FreeBSD integration issue.
>
>
> I'd appreciate any advice. Thanks!
>
> --
> CU,
> Victor Gamov

--
CU,
Victor Gamov
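As an added check, not part of the thread and not strongswan's own tooling, the POSIX shell script below verifies the two knobs the reply settles on for a route-based tunnel (`install_routes` in charon.conf and `installpolicy` in the conn) and confirms that the 0.0.0.0/1 and 128.0.0.0/1 routes seen in the `route -n monitor` output are absent from the routing table. The config and netstat text it reads are constructed samples mirroring the thread; on a live host they would be replaced by the real files and the `netstat -r -nW4` output.

```shell
# Added example (not from the thread): confirm the two settings that fixed the
# problem are in place and that no split-default routes (0.0.0.0/1, 128.0.0.0/1)
# exist. Inputs are constructed stand-ins for the real files and netstat output.
CHARON_CONF='charon {
    install_routes = no
}'
IPSEC_CONF='conn pop4-to-pop12-routed
    # also = tmpl_route_based
    leftsubnet = 0.0.0.0/0
    rightsubnet = 0.0.0.0/0
    reqid = 10121
    installpolicy = no
    auto = start'
NETSTAT_OUT='Destination        Gateway            Flags   Nhop#  Mtu    Netif
default            195.34.58.166      UGS     6      1500   vlan200
172.16.110.129     link#11            UHS     11     16384  lo0'

# Print the value of key $2 inside "conn $1" of an ipsec.conf read on stdin.
# Comment lines are skipped; the section ends at the next conn/ca/config header.
conn_setting() {
    awk -v conn="$1" -v key="$2" '
        /^[[:space:]]*#/ { next }
        /^(conn|ca|config)[[:space:]]/ { insec = ($2 == conn); next }
        { gsub(/=/, " = ") }
        insec && $1 == key && $2 == "=" { print $3; exit }'
}

# Print the value of key $1 from a strongswan.conf-style file read on stdin.
charon_setting() {
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }
        { gsub(/=/, " = ") }
        $1 == key && $2 == "=" { print $3; exit }'
}

# Succeed if the routing table on stdin holds the two /1 routes that strongswan
# installs when install_routes stays enabled for a 0.0.0.0/0 traffic selector.
has_split_default() {
    grep -Eq '^(0\.0\.0\.0|128\.0\.0\.0)/1[[:space:]]'
}

# Overall verdict for conn $1: both knobs set to "no" and no split-default routes.
check_route_based() {
    [ "$(printf '%s\n' "$CHARON_CONF" | charon_setting install_routes)" = no ] &&
    [ "$(printf '%s\n' "$IPSEC_CONF" | conn_setting "$1" installpolicy)" = no ] &&
    ! printf '%s\n' "$NETSTAT_OUT" | has_split_default
}

if check_route_based pop4-to-pop12-routed; then echo "OK: route-based config consistent"; else echo "WARN: check install_routes/installpolicy and routing table"; fi
```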