Date: Sat, 14 Oct 2023 17:29:03 +0300 From: Victor Gamov <vitspec@gmail.com> To: freebsd-net <freebsd-net@freebsd.org> Subject: Re: Packet forwarding stooped when Strongswan install IPsec policy Message-ID: <CAPOOyvkamPVf-M5uPrABQJSbaSD%2BtbM14C7vv9MJX4cD17tu8w@mail.gmail.com> In-Reply-To: <CAPOOyvkH1WA0KMD1jBHPV_HiFpUZ-op9tjq-LtFOa6r2FtJhOA@mail.gmail.com> References: <CAPOOyvkH1WA0KMD1jBHPV_HiFpUZ-op9tjq-LtFOa6r2FtJhOA@mail.gmail.com>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --]
After more investigation tunnel up and worked:
etc/strongswan.d/charon.conf:
=====
install_routes = no
=====
This was disabled at first time but lost during configuration experiments.
etc/ipsec.conf:
=====
conn pop4-to-pop12-routed
installpolicy = no
=====
On Sat, 14 Oct 2023 at 13:25, Victor Gamov <vitspec@gmail.com> wrote:
> Hi All
>
> I have FreeBSD 13.2-STABLE stable/13-n255939-b9da47180fd6 GENERIC amd64
> machine with strongswan-5.9.11_2 installed by pkg.
>
> When routed ipsec is up all outgoing packets forwarded into ipsec-tunnel
> so networking is immediately fails.
>
> FreeBSD config:
> =====
> net.fibs=4
> net.inet.ip.forwarding=1
> =====
>
>
> ifconfig ipsec10121
> =====
> ipsec10121: flags=8050<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
> description: PoP-12
> tunnel inet 1.1.1.2 --> 2.2.2.2
> inet 172.16.110.129 --> 172.16.110.130 netmask 0xfffffffc
> groups: ipsec
> reqid: 10121
> nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
> =====
>
>
> strongswan etc/ipsec.conf:
> =====
> conn pop4-to-pop12-routed
> # also = tmpl_route_based
> left = 1.1.1.2
> right = 2.2.2.2
> leftsubnet = 0.0.0.0/0
> rightsubnet = 0.0.0.0/0
> reqid = 10121
> type = tunnel
> authby = psk
> keyexchange = ikev2
> ike = aes256-sha256-modp3072,aes256-sha256-modp3072
> esp = aes256-sha256-modp3072,aes256-sha256-modp3072
> ikelifetime = 28800
> mobike = no
> lifetime = 3600
> dpdaction = restart
> dpddelay = 30s
> auto = start
> =====
>
>
> strongswan etc/strongswan.d/charon/kernel-pfkey.conf:
> =====
> kernel-pfkey {
> load = yes
> # route_via_internal = no
> }
> =====
>
>
> route -n monitor
> =====
> got message of size 272 on Sat Oct 14 12:39:39 2023
> RTM_GET: Report Metrics: len 272, pid: 49695, seq 1, errno 0,
> flags:<UP,GATEWAY,DONE,STATIC>
> locks: inits:
> sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
> 0.0.0.0 1.1.1.1 0.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
>
> got message of size 200 on Sat Oct 14 12:39:39 2023
> RTM_GET: Report Metrics: len 200, pid: 49695, seq 2, errno 0,
> flags:<UP,GATEWAY,DONE,STATIC>
> locks: inits:
> sockaddrs: <DST,GATEWAY,NETMASK>
> 0.0.0.0 1.1.1.1 0.0.0.0
>
> got message of size 256 on Sat Oct 14 12:39:39 2023
> RTM_ADD: Add Route: len 256, pid: 49695, seq 3, errno 0,
> flags:<UP,GATEWAY,HOST,DONE,STATIC>
> locks: inits:
> sockaddrs: <DST,GATEWAY,IFP,IFA>
> 2.2.2.2 1.1.1.1 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
>
> got message of size 272 on Sat Oct 14 12:39:39 2023
> RTM_ADD: Add Route: len 272, pid: 49695, seq 5, errno 0,
> flags:<UP,DONE,STATIC>
> locks: inits:
> sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
> 128.0.0.0 1.1.1.1 128.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
>
> got message of size 272 on Sat Oct 14 12:39:39 2023
> RTM_ADD: Add Route: len 272, pid: 49695, seq 4, errno 0,
> flags:<UP,DONE,STATIC>
> locks: inits:
> sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA>
> 0.0.0.0 1.1.1.1 128.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2
> =====
>
>
> netstat -r -nW4:
> =====
> Routing tables
>
> Internet:
> Destination Gateway Flags Nhop# Mtu Netif
> Expire
> 0.0.0.0/1 195.34.58.166 US 12 1500 vlan200
> default 195.34.58.166 UGS 6 1500 vlan200
> 10.4.102.128/31 link#8 U 8 1500 vlan22
> 10.4.102.129 link#8 UHS 7 16384 lo0
> 31.131.95.64/27 127.0.0.1 U1B 9 16384 lo0
> 46.243.226.103 195.34.58.166 UGHS 10 1500 vlan200
> 127.0.0.1 link#5 UHS 1 16384 lo0
> 128.0.0.0/1 195.34.58.166 US 12 1500 vlan200
> 172.16.110.12/31 link#4 U 2 1500 ixl3
> 172.16.110.13 link#4 UHS 3 16384 lo0
> 172.16.110.129 link#11 UHS 11 16384 lo0
> 195.34.58.166/31 link#7 U 4 1500 vlan200
> 195.34.58.167 link#7 UHS 5 16384 lo0
> =====
>
>
> netstat -o -nW4
> =====
> Nexthop data
>
> Internet:
> Idx Type IFA Gateway Flags Use
> Mtu Netif Addrif Refcnt Prepend
> 1 v4/resolve 127.0.0.1 lo0/resolve HS 1366
> 16384 lo0 2
> 2 v4/resolve 172.16.110.13 ixl3/resolve 0
> 1500 ixl3 2
> 3 v4/resolve 127.0.0.1 lo0/resolve HS 0
> 16384 lo0 ixl3 2
> 4 v4/resolve 195.34.58.167 vlan200/resolve 51749
> 1500 vlan200 4
> 5 v4/resolve 127.0.0.1 lo0/resolve HS 0
> 16384 lo0 vlan200 2
> 6 v4/gw 195.34.58.167 195.34.58.166 GS 37902
> 1500 vlan200 2
> 7 v4/resolve 127.0.0.1 lo0/resolve HS 0
> 16384 lo0 vlan22 2
> 8 v4/resolve 10.4.102.129 vlan22/resolve 3
> 1500 vlan22 2
> 9 v4/resolve 127.0.0.1 lo0/resolve 1B 0
> 16384 lo0 2
> 10 v4/gw 195.34.58.167 195.34.58.166 GHS 0
> 1500 vlan200 2
> 11 v4/resolve 127.0.0.1 lo0/resolve HS 0
> 16384 lo0ipsec10121 2
> 12 v4/resolve 195.34.58.167 vlan200/resolve S 0
> 1500 vlan200 3
> =====
>
>
> If I changed "route_via_internal=yes" at
> etc/strongswan.d/charon/kernel-pfkey.conf then no route like 0.0.0.0/1 or
> 128.0.0.0/1 installed but network still fails
>
> The very same strongswan config works fine for many years on FreeBSD-11.
> FreeBSD-13 has many changes at network stack and strongswan changed too.
>
> Also I read https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255678
> and https://github.com/strongswan/strongswan/issues/910 and its looks
> like strongswan/FreeBSD integration issue.
>
>
> I'll appreciate any advice. Thanks!
>
> --
> CU,
> Victor Gamov
>
--
CU,
Victor Gamov
[-- Attachment #2 --]
<div dir="ltr"><div>After more investigation tunnel up and worked:</div><div><br></div><div>etc/strongswan.d/charon.conf:</div><div>=====</div><div>install_routes = no</div><div>=====</div><div><br></div><div>This was disabled at first time but lost during configuration experiments.<br></div><div>etc/ipsec.conf:</div><div>=====</div><div>conn pop4-to-pop12-routed</div><div> installpolicy = no</div><div>=====</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, 14 Oct 2023 at 13:25, Victor Gamov <<a href="mailto:vitspec@gmail.com">vitspec@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi All</div><div><br></div><div>I have FreeBSD 13.2-STABLE stable/13-n255939-b9da47180fd6 GENERIC amd64 machine with strongswan-5.9.11_2 installed by pkg.</div><div><br></div><div>When routed ipsec is up all outgoing packets forwarded into ipsec-tunnel so networking is immediately fails.<br></div><div><br></div><div>FreeBSD config:</div><div>=====</div><div>net.fibs=4<br>net.inet.ip.forwarding=1</div><div>=====</div><div><br></div><div><br></div><div>ifconfig ipsec10121</div><div>=====<br></div><div>ipsec10121: flags=8050<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400<br> description: PoP-12<br> tunnel inet 1.1.1.2 --> 2.2.2.2<br> inet 172.16.110.129 --> 172.16.110.130 netmask 0xfffffffc<br> groups: ipsec<br> reqid: 10121<br> nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL></div><div>=====<br></div><div><br></div><div><br></div><div>strongswan etc/ipsec.conf:</div><div>=====</div><div>conn pop4-to-pop12-routed<br>#  also = tmpl_route_based<br> left = 1.1.1.2<br> right = 2.2.2.2<br> leftsubnet = <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br> rightsubnet = <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br> reqid = 10121<br> type = tunnel<br> authby = psk<br> keyexchange = ikev2<br> ike = aes256-sha256-modp3072,aes256-sha256-modp3072<br> esp = aes256-sha256-modp3072,aes256-sha256-modp3072<br> ikelifetime = 28800<br> mobike = no<br> lifetime = 3600<br> dpdaction = restart<br> dpddelay = 30s<br> auto = start</div><div>=====</div><div><br></div><div><br></div><div>strongswan etc/strongswan.d/charon/kernel-pfkey.conf:</div><div>=====</div><div>kernel-pfkey {</div><div> load = yes</div><div># route_via_internal = no<br>}</div><div>=====<br></div><div><br></div><div><br></div><div>route -n monitor</div><div>=====</div><div>got message of size 272 on Sat Oct 14 12:39:39 2023<br>RTM_GET: Report Metrics: len 272, pid: 49695, seq 1, errno 0, flags:<UP,GATEWAY,DONE,STATIC><br>locks:  inits: <br>sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA><br> 0.0.0.0 1.1.1.1 0.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2<br><br>got message of size 200 on Sat Oct 14 12:39:39 2023<br>RTM_GET: Report Metrics: len 200, pid: 49695, seq 2, errno 0, flags:<UP,GATEWAY,DONE,STATIC><br>locks:  inits: <br>sockaddrs: <DST,GATEWAY,NETMASK><br> 0.0.0.0 1.1.1.1 0.0.0.0<br><br>got message of size 256 on Sat Oct 14 12:39:39 2023<br>RTM_ADD: Add Route: len 256, pid: 49695, seq 3, errno 0, flags:<UP,GATEWAY,HOST,DONE,STATIC><br>locks:  inits: <br>sockaddrs: <DST,GATEWAY,IFP,IFA><br> 2.2.2.2 1.1.1.1 vlan200:48.dc.2d.6.4f.f4 1.1.1.2<br><br>got message of size 272 on Sat Oct 14 12:39:39 2023<br>RTM_ADD: Add Route: len 272, pid: 49695, seq 5, errno 0, flags:<UP,DONE,STATIC><br>locks:  inits: <br>sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA><br> 128.0.0.0 1.1.1.1 128.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2<br><br>got message of size 272 on Sat Oct 14 12:39:39 2023<br>RTM_ADD: Add Route: len 272, pid: 49695, seq 4, errno 0, flags:<UP,DONE,STATIC><br>locks:  inits: <br>sockaddrs: <DST,GATEWAY,NETMASK,IFP,IFA><br> 0.0.0.0 1.1.1.1 128.0.0.0 vlan200:48.dc.2d.6.4f.f4 1.1.1.2<br></div><div>=====</div><div><br></div><div><br></div><div>netstat -r -nW4:<br></div><div>=====</div><div>Routing tables<br><br>Internet:<br>Destination     Gateway       Flags  Nhop#   Mtu    Netif Expire<br><a href="http://0.0.0.0/1" target="_blank">0.0.0.0/1</a>      195.34.58.166    US     12  1500   vlan200<br>default       195.34.58.166    UGS     6  1500   vlan200<br><a href="http://10.4.102.128/31" target="_blank">10.4.102.128/31</a>   link#8       U      8  1500   vlan22<br>10.4.102.129    link#8       UHS     7  16384     lo0<br><a href="http://31.131.95.64/27" target="_blank">31.131.95.64/27</a>   127.0.0.1      U1B     9  16384     lo0<br>46.243.226.103   195.34.58.166    UGHS    10  1500   vlan200<br>127.0.0.1      link#5       UHS     1  16384     lo0<br><a href="http://128.0.0.0/1" target="_blank">128.0.0.0/1</a>     195.34.58.166    US     12  1500   vlan200<br><a href="http://172.16.110.12/31" target="_blank">172.16.110.12/31</a>  link#4       U      2  1500    ixl3<br>172.16.110.13    link#4       UHS     3  16384     lo0<br>172.16.110.129   link#11       UHS     11  16384     lo0<br><a href="http://195.34.58.166/31" target="_blank">195.34.58.166/31</a>  link#7       U      4  1500   vlan200<br>195.34.58.167    link#7       UHS     5  16384     lo0</div><div>=====</div><div><br></div><div><br></div><div>netstat -o -nW4<br></div><div>=====</div><div>Nexthop data<br><br>Internet:<br>Idx  Type     IFA         Gateway       Flags    Use Mtu     Netif   Addrif Refcnt Prepend<br>1    v4/resolve 127.0.0.1      lo0/resolve     HS     1366  16384     lo0        2 <br>2    v4/resolve 172.16.110.13    ixl3/resolve           0  1500    ixl3        2 <br>3    v4/resolve 127.0.0.1      lo0/resolve     HS       0  16384     lo0    ixl3   2 <br>4    v4/resolve 195.34.58.167    vlan200/resolve        51749  1500   vlan200        4 <br>5    v4/resolve 127.0.0.1      lo0/resolve     HS       0  16384     lo0  vlan200   2 <br>6       v4/gw 195.34.58.167    195.34.58.166    GS     37902  1500   vlan200        2 <br>7    v4/resolve 127.0.0.1      lo0/resolve     HS       0  16384     lo0   vlan22   2 <br>8    v4/resolve 10.4.102.129    vlan22/resolve          3  1500   vlan22        2 <br>9    v4/resolve 127.0.0.1      lo0/resolve     1B       0  16384     lo0        2 <br>10      v4/gw 195.34.58.167    195.34.58.166    GHS      0  1500   vlan200        2 <br>11    v4/resolve 127.0.0.1      lo0/resolve     HS       0  16384     lo0ipsec10121   2 <br>12    v4/resolve 195.34.58.167    vlan200/resolve   S       0  1500   vlan200        3 <br></div><div>=====<br></div><div><br></div><div><br></div><div>If I changed "route_via_internal=yes" at etc/strongswan.d/charon/kernel-pfkey.conf then no route like <a href="http://0.0.0.0/1" target="_blank">0.0.0.0/1</a> or <a href="http://128.0.0.0/1" target="_blank">128.0.0.0/1</a> installed but network still fails</div><div><br></div><div>The very same strongswan config works fine for many years on FreeBSD-11.  FreeBSD-13 has many changes at network stack and strongswan changed too.</div><div><br></div><div>Also I read <a href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255678" target="_blank">https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255678</a> and <a href="https://github.com/strongswan/strongswan/issues/910" target="_blank">https://github.com/strongswan/strongswan/issues/910</a>; and its looks like strongswan/FreeBSD integration issue.</div><div><br></div><div><br></div><div>I'll appreciate any advice. Thanks!</div><div><br></div><div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature">CU,<br>Victor Gamov</div></div></div>
</blockquote></div><br clear="all"><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature">CU,<br>Victor Gamov</div>
help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPOOyvkamPVf-M5uPrABQJSbaSD%2BtbM14C7vv9MJX4cD17tu8w>