Hello,
I have a situation. ;)
It looks like the following:
(SRV-01) ----------- (IPFIRE) -------orange------- (SRV-02)
public-IP 192.168.0.100
SRV-01 is hooked up to the IPFire via a roadwarrior IPsec connection. Establishment of the tunnel works as one would expect.
Ping from SRV-02 to SRV-01 works fine and passes through the tunnel. So far, so good.
Ping from SRV-01 to SRV-02 does not.
Is iptables blocking? No, I did check that. Nothing.
IPS? No, neither.
So what's the matter? When watching the interface using tcpdump I can see ESP packets and afterwards their unencrypted ICMP echo request content (both on ppp0). That is the end.
And the packet is never seen again after that.
Anyone got an idea?
(Yes, SRV-02 accepts incoming ICMP type 8 and outgoing type 0.)
Best regards,
Stephan
Hi Stephan,
What is the output of “ipsec statusall” on both systems?
Best, -Michael
On 30 Apr 2020, at 22:28, Stephan Mending list@md5collisions.eu wrote:
On Mon, May 04, 2020 at 04:03:13PM +0100, Michael Tremer wrote:
Hi Michael, thanks for your reply. I have made some changes to the setup, just because of logical issues it had. So the situation changed, but a problem persists. Maybe this "problem" is intentional. I'll explain.
One has to know: the machine (SRV-01) in the datacenter is running OpenBSD, using iked(8) to connect to the strongSwan IPsec daemon.
That works pretty fine so far. DPD and rekeying are not a problem either.
But there seems to be an issue on IPFire's side, because from SRV-01 I cannot reach SRV-02 via ICMP or TCP ...
So to make sure that this isn't an issue with the packet filter or routing table on SRV-01, I checked via tcpdump that the packets I am sending to SRV-02 really reach the firewall. They do.
Though as soon as I have pinged or reached out once to SRV-01 from SRV-02, it works the other way around as well.
That's one thing. There are ways to work around it. (-> They're ugly, but they exist.)
***
Next issue I was granted to witness: after a few hours of the connection being established (and being re-established due to rekeying etc.), strongSwan just stops answering. The log on SRV-01 says: Retransmit 1 IKE_SA_INIT ... And it keeps trying to retransmit 'til eternity (and is unsuccessful at it). So again, I check whether those retransmits reach the IPFire box. And yes, they do. I can see the packets raining in on the ppp0 interface.
To resolve this issue I have to restart the connection from the IPFire web UI (by clicking the restart button). Options for the connection on IPFire are: DPD -> clear and Connection type: Wait for initiation.
I really hope you can help me here. I'd appreciate it a lot.
Thanks!
Best regards, Stephan
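The first symptom in this thread (the decrypted echo request is visible on ppp0 but never shows up behind the firewall) is easiest to pin down by correlating captures from both sides of the IPFire box. The script below is an added example, not code from the thread or from IPFire: it parses tcpdump-style lines from the tunnel interface and from the orange interface and reports every decrypted ICMP echo request that was never forwarded. The capture lines, addresses and interface name orange0 are constructed for the example.

```python
import re

# Constructed tcpdump-style captures (not from the thread). On ppp0 each ESP
# packet is followed by its decrypted inner ICMP echo request; orange0 only
# carries the reverse-direction traffic, reproducing the reported symptom.
PPP0_CAPTURE = """\
22:28:01.100 IP 203.0.113.10 > 198.51.100.5: ESP(spi=0x0000c0de,seq=0x1a), length 132
22:28:01.100 IP 10.99.0.2 > 192.168.0.100: ICMP echo request, id 4711, seq 1, length 64
22:28:02.100 IP 203.0.113.10 > 198.51.100.5: ESP(spi=0x0000c0de,seq=0x1b), length 132
22:28:02.100 IP 10.99.0.2 > 192.168.0.100: ICMP echo request, id 4711, seq 2, length 64
"""
ORANGE0_CAPTURE = """\
22:28:05.300 IP 192.168.0.100 > 10.99.0.2: ICMP echo request, id 1234, seq 1, length 64
"""

# Matches the decrypted inner packet as tcpdump prints it; ESP lines do not match.
ECHO_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo request, id (\d+), seq (\d+)")


def echo_requests(capture):
    """Return the set of (src, dst, id, seq) for ICMP echo requests in a capture."""
    found = set()
    for line in capture.splitlines():
        m = ECHO_RE.search(line)
        if m:
            src, dst, ident, seq = m.groups()
            found.add((src, dst, int(ident), int(seq)))
    return found


def lost_after_decrypt(tunnel_capture, inside_capture):
    """Echo requests seen decrypted on the tunnel side but never on the inside interface.

    A non-empty result means the packet left the IPsec layer and was dropped by the
    firewall host itself (policy, forwarding or NAT), not by the tunnel or by SRV-02.
    """
    return sorted(echo_requests(tunnel_capture) - echo_requests(inside_capture))


def report(tunnel_capture, inside_capture):
    """Human-readable summary, one line per packet that disappeared after decryption."""
    lost = lost_after_decrypt(tunnel_capture, inside_capture)
    if not lost:
        return "all decrypted echo requests were forwarded"
    return "\n".join(f"dropped after decrypt: {s} -> {d} id={i} seq={q}" for s, d, i, q in lost)


if __name__ == "__main__":
    print(report(PPP0_CAPTURE, ORANGE0_CAPTURE))
```

Feed it real captures taken at the same time on ppp0 and on the orange interface; if the ESP packet appears but no decrypted line follows it, the problem is in the IPsec layer instead, and that is where the "ipsec statusall" output Michael asked for becomes relevant.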