
List:       strongswan-users
Subject:    Re: [strongSwan] IPSec route based VPN - VTI interface TX Errors NoRoute
From:       Tiago Stoco <tmsblink () msn ! com>
Date:       2021-09-13 10:41:30
Message-ID: LO4P123MB512214EEF9609F818B95D41DCDD99 () LO4P123MB5122 ! GBRP123 ! PROD ! OUTLOOK ! COM

Hi Noel/Tobias/Everyone,

First of all, Thanks for your help !!!

Unfortunately, after more than a month submerged in my lab and countless forums and Google articles researching iptables, Linux routing tables, strongSwan ... I will give up and I decided to build a pfSense box and use the OpenWRT routers as layer 2 switches.

I have analyzed the iptables captures and they do not reveal much.

The capture on the VTI interface shows the PING packet request and reply.

And on the iptables chains the PING reply is seen on

raw OUTPUT
mangle OUTPUT
filter OUTPUT
mangle POSTROUTING

and the PING reply with no response is seen on

raw PREROUTING
mangle PREROUTING
mangle INPUT
filter INPUT

The image below has a diagram flow for the iptables chains.
https://blog.infoitech.co.uk/content/images/2021/08/image-25.png

I am starting to believe that my problem could be a bug in the ipsec/strongswan implementation.

If someone else reading this thread finds a solution, please update this thread because it would be helpful to more people out there.

Best Regards,

Tiago Stoco.
________________________________
From: Users <users-bounces@lists.strongswan.org> on behalf of Tiago Stoco <tmsblink@msn.com>
Sent: Saturday, September 11, 2021 10:13 AM
To: Noel Kuntze <noel.kuntze@thermi.consulting>; Tobias Brunner <tobias@strongswan.org>; users@lists.strongswan.org <users@lists.strongswan.org>
Subject: Re: [strongSwan] IPSec route based VPN - VTI interface TX Errors NoRoute

Hi Noel,

Quick update to the thread.

I know that pfSense is not related to this mailing list, but as a proof of concept for the issues described here the pfSense LAB site-to-site was set up and it worked flawlessly 👉 https://blog.infoitech.co.uk/pfsense-ipsec-vpn-routed-vti-site-to-site/


I have switched one of the pfSense boxes used in the example above to establish the tunnel with my Linux box and still have the same issues as before.

I am writing a script to capture packets throughout all my iptables chains and I will then analyze the captures to see if I can spot something.

Best Regards,

Tiago.
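The script for capturing packets across all iptables chains mentioned above is not on the page, and the chain lists in the newer message (raw OUTPUT, mangle OUTPUT, filter OUTPUT, mangle POSTROUTING for one direction; raw PREROUTING, mangle PREROUTING, mangle INPUT, filter INPUT for the other) are read off such captures by hand. The following is an added example, not code from the thread or from the strongSwan project: a Python parser for the legacy xt_TRACE log format (`TRACE: table:chain:type:rulenum` followed by the LOG-style header fields) that groups lines per packet, prints the chain path each packet took, and flags packets whose path stops at the routing decision or lands in INPUT although the destination is not one of the host's own addresses. The log lines, addresses and interface names are constructed; nftables-based hosts emit a different trace format that this script does not parse.

```python
"""Group iptables TRACE log lines per packet and report the chain path each took.

Added example (not from the mailing-list thread or strongSwan). It parses the
legacy xt_TRACE format that an `iptables -t raw -A PREROUTING -j TRACE` rule
logs on a legacy-iptables host. Sample lines below are constructed and
abbreviated (real lines carry more header fields, which are simply ignored).
"""
import re
from collections import OrderedDict

TRACE_RE = re.compile(
    r"TRACE:\s+(?P<table>\w+):(?P<chain>\w+):(?P<kind>\w+):(?P<rule>\d+)\s+(?P<rest>.*)"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample (hypothetical addresses/interfaces): an echo request arriving
# on vti0 and delivered to the local stack (IP id 3001), the echo reply generated
# locally (3002), a forwarded TCP SYN (3003), and a packet that vanishes after
# PREROUTING, as happens when no route matches or a PREROUTING rule drops it (3004).
SAMPLE_LOG = """\
kernel: TRACE: raw:PREROUTING:policy:2 IN=vti0 OUT= SRC=10.20.0.5 DST=10.10.0.1 LEN=84 TTL=63 ID=3001 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
kernel: TRACE: mangle:PREROUTING:policy:1 IN=vti0 OUT= SRC=10.20.0.5 DST=10.10.0.1 LEN=84 TTL=63 ID=3001 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
kernel: TRACE: mangle:INPUT:policy:1 IN=vti0 OUT= SRC=10.20.0.5 DST=10.10.0.1 LEN=84 TTL=63 ID=3001 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
kernel: TRACE: filter:INPUT:rule:3 IN=vti0 OUT= SRC=10.20.0.5 DST=10.10.0.1 LEN=84 TTL=63 ID=3001 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
kernel: TRACE: filter:INPUT:policy:5 IN=vti0 OUT= SRC=10.20.0.5 DST=10.10.0.1 LEN=84 TTL=63 ID=3001 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
kernel: TRACE: raw:OUTPUT:policy:1 IN= OUT=vti0 SRC=10.10.0.1 DST=10.20.0.5 LEN=84 TTL=64 ID=3002 PROTO=ICMP TYPE=0 CODE=0 ID=7 SEQ=1
kernel: TRACE: mangle:OUTPUT:policy:1 IN= OUT=vti0 SRC=10.10.0.1 DST=10.20.0.5 LEN=84 TTL=64 ID=3002 PROTO=ICMP TYPE=0 CODE=0 ID=7 SEQ=1
kernel: TRACE: filter:OUTPUT:policy:1 IN= OUT=vti0 SRC=10.10.0.1 DST=10.20.0.5 LEN=84 TTL=64 ID=3002 PROTO=ICMP TYPE=0 CODE=0 ID=7 SEQ=1
kernel: TRACE: mangle:POSTROUTING:policy:1 IN= OUT=vti0 SRC=10.10.0.1 DST=10.20.0.5 LEN=84 TTL=64 ID=3002 PROTO=ICMP TYPE=0 CODE=0 ID=7 SEQ=1
kernel: TRACE: raw:PREROUTING:policy:2 IN=vti0 OUT= SRC=10.20.0.5 DST=192.168.1.10 LEN=60 TTL=63 ID=3003 PROTO=TCP SPT=40000 DPT=443 SYN
kernel: TRACE: mangle:PREROUTING:policy:1 IN=vti0 OUT= SRC=10.20.0.5 DST=192.168.1.10 LEN=60 TTL=63 ID=3003 PROTO=TCP SPT=40000 DPT=443 SYN
kernel: TRACE: mangle:FORWARD:policy:1 IN=vti0 OUT=br-lan SRC=10.20.0.5 DST=192.168.1.10 LEN=60 TTL=63 ID=3003 PROTO=TCP SPT=40000 DPT=443 SYN
kernel: TRACE: filter:FORWARD:policy:1 IN=vti0 OUT=br-lan SRC=10.20.0.5 DST=192.168.1.10 LEN=60 TTL=63 ID=3003 PROTO=TCP SPT=40000 DPT=443 SYN
kernel: TRACE: mangle:POSTROUTING:policy:1 IN=vti0 OUT=br-lan SRC=10.20.0.5 DST=192.168.1.10 LEN=60 TTL=63 ID=3003 PROTO=TCP SPT=40000 DPT=443 SYN
kernel: TRACE: raw:PREROUTING:policy:2 IN=vti0 OUT= SRC=10.20.0.5 DST=10.30.0.7 LEN=84 TTL=63 ID=3004 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
kernel: TRACE: mangle:PREROUTING:policy:1 IN=vti0 OUT= SRC=10.20.0.5 DST=10.30.0.7 LEN=84 TTL=63 ID=3004 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
"""


def parse_trace_line(line):
    """Return a dict for one TRACE line, or None for any other log line."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    fields = OrderedDict()
    for key, value in FIELD_RE.findall(m.group("rest")):
        fields.setdefault(key, value)  # first ID= is the IP header id; the ICMP ID= is ignored
    return {
        "table": m.group("table"),
        "chain": m.group("chain"),
        "kind": m.group("kind"),  # "rule" or "policy"
        "rule": int(m.group("rule")),
        "fields": fields,
    }


def packet_key(entry):
    """Identity of a packet across its trace lines: (SRC, DST, PROTO, IP id)."""
    f = entry["fields"]
    return (f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("ID"))


def chain_paths(log_text):
    """Map each packet to the ordered, de-duplicated list of table:chain hops."""
    paths = OrderedDict()
    for line in log_text.splitlines():
        entry = parse_trace_line(line)
        if entry is None:
            continue
        hop = f"{entry['table']}:{entry['chain']}"
        hops = paths.setdefault(packet_key(entry), [])
        if not hops or hops[-1] != hop:  # each matched rule in a chain logs its own line
            hops.append(hop)
    return paths


def classify(hops):
    """Name the routing decision the kernel made, judging from the chains visited."""
    chains = {hop.split(":", 1)[1] for hop in hops}
    if "FORWARD" in chains:
        return "forwarded"
    if "INPUT" in chains:
        return "delivered-locally"
    if "OUTPUT" in chains:
        return "locally-generated"
    return "incomplete"


def anomalies(paths, local_addrs):
    """Return (packet_key, reason) pairs worth checking against the routing tables."""
    findings = []
    for key, hops in paths.items():
        dst = key[1]
        chains = [hop.split(":", 1)[1] for hop in hops]
        verdict = classify(hops)
        if verdict == "incomplete" and "PREROUTING" in chains:
            findings.append((key, "stopped after PREROUTING: no route matched or a PREROUTING rule dropped it"))
        elif verdict == "delivered-locally" and dst not in local_addrs:
            findings.append((key, "routed to INPUT although DST is not a local address"))
        elif verdict == "forwarded" and "POSTROUTING" not in chains:
            findings.append((key, "dropped in FORWARD"))
    return findings


if __name__ == "__main__":
    paths = chain_paths(SAMPLE_LOG)
    for key, hops in paths.items():
        print(key, classify(hops), " -> ".join(hops))
    # local_addrs is the set of this host's own addresses (constructed here).
    for key, reason in anomalies(paths, local_addrs={"10.10.0.1"}):
        print("CHECK", key, reason)
```

Run it against `journalctl -k` or `/var/log/kern.log` output from a host with TRACE rules in the raw table, passing the host's own addresses as `local_addrs`; a packet that never reaches INPUT or FORWARD after PREROUTING is where to run `ip route get` for its destination and to look at the reverse-path filter setting of the VTI interface.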

________________________________
From: Users <users-bounces@lists.strongswan.org> on behalf of Tiago Stoco <tmsblink@msn.com>
Sent: Friday, September 10, 2021 7:31 AM
To: Noel Kuntze <noel.kuntze@thermi.consulting>; Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting>; Tobias Brunner <tobias@strongswan.org>; users@lists.strongswan.org <users@lists.strongswan.org>
Subject: Re: [strongSwan] IPSec route based VPN - VTI interface TX Errors NoRoute

Hi Noel,

I did not give up on this yet. The last couple of days were quite busy at work and home.

However, I have managed to draw a diagram of how I believe the site-to-site VPN would work 👇

https://blog.infoitech.co.uk/content/images/2021/09/ipsec_diagram2.png

It is quite obvious how the traffic should flow through the VPN tunnel to allow the subnets to talk to each other.

I have managed to spin up a new VM running pfSense to test a pfSense to pfSense setup, and then I will spin up another VM to replicate the example you have shared.

Finally, I will be able to verify if my idea will work and be able to identify where the anomaly in my current setup is.

Wish me luck,

Best Regards.

Tiago


________________________________
From: Noel Kuntze
Sent: Friday, September 3, 2021 6:22 PM
To: Tiago Stoco; Noel Kuntze; Tobias Brunner; users@lists.strongswan.org
Subject: Re: [strongSwan] IPSec route based VPN - VTI interface TX Errors NoRoute

Hello Tiago,

It's more meant as a practical example on how to configure this and to look for anomalies in your setup.

Kind regards
Noel

On 03.09.21 at 22:54, Tiago Stoco wrote:
> Hi Noel,
> 
> I will replicate the example below in my lab in the hope of better understanding the concepts behind an IPSec VPN tunnel.
> Tiago Stoco.
> 
> 

