Date: Sat, 14 Oct 2023 13:25:23 +0300
From: Victor Gamov <vitspec@gmail.com>
To: freebsd-net <freebsd-net@freebsd.org>
Subject: Packet forwarding stopped when strongSwan installs IPsec policy
Message-ID: <CAPOOyvkH1WA0KMD1jBHPV_HiFpUZ-op9tjq-LtFOa6r2FtJhOA@mail.gmail.com>
Hi All
I have FreeBSD 13.2-STABLE stable/13-n255939-b9da47180fd6 GENERIC amd64
machine with strongswan-5.9.11_2 installed by pkg.
When the routed ipsec is up, all outgoing packets are forwarded into the ipsec tunnel, so
networking immediately fails.
FreeBSD config:
=====
net.fibs=4
net.inet.ip.forwarding=1
=====
ifconfig ipsec10121
=====
ipsec10121: flags=8050<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
description: PoP-12
tunnel inet 1.1.1.2 --> 2.2.2.2
inet 172.16.110.129 --> 172.16.110.130 netmask 0xfffffffc
groups: ipsec
reqid: 10121
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
=====
strongswan etc/ipsec.conf:
=====
conn pop4-to-pop12-routed
  # also = tmpl_route_based
  left = 1.1.1.2
  right = 2.2.2.2
  leftsubnet = 0.0.0.0/0
  rightsubnet = 0.0.0.0/0
  reqid = 10121
  type = tunnel
  authby = psk
  keyexchange = ikev2
  ike = aes256-sha256-modp3072,aes256-sha256-modp3072
  esp = aes256-sha256-modp3072,aes256-sha256-modp3072
  ikelifetime = 28800
  mobike = no
  lifetime = 3600
  dpdaction = restart
  dpddelay = 30s
  auto = start
=====
strongswan etc/strongswan.d/charon/kernel-pfkey.conf:
=====
kernel-pfkey {
  load = yes
  # route_via_internal = no
}
=====
route -n monitor
=====
got message of size 272 on Sat Oct 14 12:39:39 2023
RTM_GET: Report Metrics: len 272, pid: 49695, seq 1, errno 0,
flags:<UP,GATEWAY,DONE,STATIC>
locks: inits:
sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
0.0.0.0 1.1.1.1 0.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
got message of size 200 on Sat Oct 14 12:39:39 2023
RTM_GET: Report Metrics: len 200, pid: 49695, seq 2, errno 0,
flags:<UP,GATEWAY,DONE,STATIC>
locks: inits:
sockaddrs: <DST,GATEWAY,NETMASK>
0.0.0.0 1.1.1.1 0.0.0.0
got message of size 256 on Sat Oct 14 12:39:39 2023
RTM_ADD: Add Route: len 256, pid: 49695, seq 3, errno 0,
flags:<UP,GATEWAY,HOST,DONE,STATIC>
locks: inits:
sockaddrs: <DST,GATEWAY,IFP,IFA>
2.2.2.2 1.1.1.1 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
got message of size 272 on Sat Oct 14 12:39:39 2023
RTM_ADD: Add Route: len 272, pid: 49695, seq 5, errno 0,
flags:<UP,DONE,STATIC>
locks: inits:
sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
128.0.0.0 1.1.1.1 128.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
got message of size 272 on Sat Oct 14 12:39:39 2023
RTM_ADD: Add Route: len 272, pid: 49695, seq 4, errno 0,
flags:<UP,DONE,STATIC>
locks: inits:
sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
0.0.0.0 1.1.1.1 128.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
=====
netstat -r -nW4:
=====
Routing tables
Internet:
Destination Gateway Flags Nhop# Mtu Netif Expire
0.0.0.0/1 195.34.58.166 US 12 1500 vlan200
default 195.34.58.166 UGS 6 1500 vlan200
10.4.102.128/31 link#8 U 8 1500 vlan22
10.4.102.129 link#8 UHS 7 16384 lo0
31.131.95.64/27 127.0.0.1 U1B 9 16384 lo0
46.243.226.103 195.34.58.166 UGHS 10 1500 vlan200
127.0.0.1 link#5 UHS 1 16384 lo0
128.0.0.0/1 195.34.58.166 US 12 1500 vlan200
172.16.110.12/31 link#4 U 2 1500 ixl3
172.16.110.13 link#4 UHS 3 16384 lo0
172.16.110.129 link#11 UHS 11 16384 lo0
195.34.58.166/31 link#7 U 4 1500 vlan200
195.34.58.167 link#7 UHS 5 16384 lo0
=====
netstat -o -nW4
=====
Nexthop data
Internet:
Idx Type       IFA            Gateway         Flags   Use   Mtu  Netif    Addrif      Refcnt Prepend
1   v4/resolve 127.0.0.1      lo0/resolve     HS     1366 16384  lo0                  2
2   v4/resolve 172.16.110.13  ixl3/resolve              0  1500  ixl3                 2
3   v4/resolve 127.0.0.1      lo0/resolve     HS        0 16384  lo0      ixl3        2
4   v4/resolve 195.34.58.167  vlan200/resolve       51749  1500  vlan200              4
5   v4/resolve 127.0.0.1      lo0/resolve     HS        0 16384  lo0      vlan200     2
6   v4/gw      195.34.58.167  195.34.58.166   GS    37902  1500  vlan200              2
7   v4/resolve 127.0.0.1      lo0/resolve     HS        0 16384  lo0      vlan22      2
8   v4/resolve 10.4.102.129   vlan22/resolve            3  1500  vlan22               2
9   v4/resolve 127.0.0.1      lo0/resolve     1B        0 16384  lo0                  2
10  v4/gw      195.34.58.167  195.34.58.166   GHS       0  1500  vlan200              2
11  v4/resolve 127.0.0.1      lo0/resolve     HS        0 16384  lo0      ipsec10121  2
12  v4/resolve 195.34.58.167  vlan200/resolve S         0  1500  vlan200              3
=====
If I change "route_via_internal=yes" in
etc/strongswan.d/charon/kernel-pfkey.conf, then no route like 0.0.0.0/1 or
128.0.0.0/1 is installed, but the network still fails.
The very same strongswan config has worked fine for many years on FreeBSD 11.
FreeBSD 13 has many changes in the network stack, and strongswan has changed too.
I also read https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255678 and
https://github.com/strongswan/strongswan/issues/910, and it looks like a
strongswan/FreeBSD integration issue.
I'd appreciate any advice. Thanks!
--
CU,
Victor Gamov
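A small diagnostic added here (not part of the original post) that parses `netstat -r -nW4` output and reports whether a 0.0.0.0/1 + 128.0.0.0/1 pair like the one in the report is shadowing the default route, and where that pair leads; the sample table is constructed from the rows quoted above.

```python
import re
from ipaddress import ip_network

# Constructed sample in the format of the "netstat -r -nW4" output quoted in the
# report: the two /1 routes installed by strongswan sit next to "default".
SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags   Nhop#    Mtu      Netif Expire
0.0.0.0/1          195.34.58.166      US         12   1500    vlan200
default            195.34.58.166      UGS         6   1500    vlan200
10.4.102.128/31    link#8             U           8   1500     vlan22
128.0.0.0/1        195.34.58.166      US         12   1500    vlan200
172.16.110.129     link#11            UHS        11  16384        lo0
"""

# Destination, Gateway, Flags, Nhop#, Mtu, Netif; header/title lines never match
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)")


def parse_routes(text):
    """Parse the IPv4 rows of netstat -r -nW4 output into dicts."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # "Routing tables", "Internet:", column header, blanks
        dst, gw, flags, nhop, mtu, netif = m.groups()
        if dst == "default":
            dst = "0.0.0.0/0"
        elif "/" not in dst:
            dst += "/32"  # host route
        routes.append({"dst": ip_network(dst), "gw": gw, "flags": flags,
                       "nhop": int(nhop), "netif": netif})
    return routes


def split_default_report(text):
    """Detect a 0.0.0.0/1 + 128.0.0.0/1 pair that shadows "default".

    Longest-prefix match prefers a /1 over the /0 default, so with both halves
    present every packet lacking a more specific route takes them instead.
    Returns None if no such pair exists, else where the pair and default lead.
    """
    routes = parse_routes(text)
    halves = [r for r in routes if r["dst"].prefixlen == 1]
    if {int(r["dst"].network_address) for r in halves} != {0, 1 << 31}:
        return None
    default = next((r for r in routes if r["dst"].prefixlen == 0), None)
    return {"half_netifs": sorted({r["netif"] for r in halves}),
            "half_gateways": sorted({r["gw"] for r in halves}),
            "default_netif": default["netif"] if default else None,
            # True only when the pair already exits via an if_ipsec(4) interface
            "via_ipsec_if": all(r["netif"].startswith("ipsec") for r in halves)}
```

On the report's table the pair resolves to vlan200 via 195.34.58.166, the same next hop as `default`, not to ipsec10121.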