Need someone to test IPsec on their boxes
Hello.
I'm trying to configure IPsec in OpenVZ containers. The tunnel itself works fine, but SNAT doesn't work at all. I need someone to test it on their boxes, especially with OpenVZ, because exactly the same configuration works fine on my dedicated server. It will take only 3-5 minutes of your time.
You need 64-bit Debian 7 or jessie.
% aptitude install strongswan libcharon-extra-plugins
Add to the bottom of /etc/ipsec.conf
conn rw
    left=%any
    leftsubnet=0.0.0.0/0
    leftauth=psk
    right=%any
    rightsourceip=10.3.0.0/24
    rightdns=8.8.8.8
    rightauth=psk
    rightauth2=xauth
    auto=add
Add to the bottom of /etc/ipsec.secrets
: PSK "psk"
test : XAUTH "test"
% iptables -t nat -I POSTROUTING -s 10.3.0.0/24 -j MASQUERADE
% service ipsec restart
Now try to connect to your IPsec tunnel (I do this from my Android smartphone). Use the "IPsec Xauth PSK" profile, "psk" as the preshared key and test/test as username and password.
Expected result:
You can access the internet from your smartphone with the server's IP address.
Actual result:
You cannot access the internet from your smartphone, while you can ping the server IP address from the smartphone and the smartphone IP (10.3.0.1) from the server.
I'd highly appreciate any testing results.
Comments
Here is exactly the same issue on the strongSwan mailing list:
https://lists.strongswan.org/pipermail/users/2014-February/005822.html
And on the bug tracker:
https://wiki.strongswan.org/issues/592
I didn't test this, but what's the output of "ip x p s"?
With one packet to your host and one to the internet.
I'll ask the provider to load ipt_LOG, but I'm afraid it won't be loaded.
You can also add some ACCEPT rules in the filter table and watch the packet counters. Does the packet go out? Can you check with tcpdump?
@agentsmith Can I do this with nfnetlink_log?
You need to know in which chain the packet is stopped, so having TRACE would be ideal. I don't know whether you can log each chain with nfnetlink_log.
@agentsmith, I asked the hoster to load iptable_raw and xt_TRACE. Would this be sufficient?
That would be a great help. What's with
when you ping an external host.
@agentsmith, everything just as in https://lists.strongswan.org/pipermail/users/2014-February/005822.html
@agentsmith, I just built strongSwan with kernel-libipsec, so now IPsec works in userspace, and NAT works fine. I'll install Debian 7, since jessie doesn't have openswan, and will test with openswan. Maybe it's a strongSwan issue.
Waiting for the hoster. Thank you a lot for your effort.
31.220.5.43 is the server IP.
There is no response to the ping.
There is a response.
I suppose venet might be the culprit, but literally no hosters provide veth.
@ValdikSS
Really strange... the packet seems to go out but doesn't. Do you see anything unusual in
?
@agentsmith, I'm not even sure why the hell the first record in the first tcpdump listing is from 31.220.5.43 (the server's IP), and THEN from the roadwarrior IP. It's not a buffering issue or that I started tcpdump in the middle of the ping; I've double-checked that. My dedicated box shows the packet flow as you might expect (it works fine there):
By the way, it seems like tcpdump (or, more likely, the kernel itself) can't capture the unencrypted traffic destined for the IPsec tunnel.
http://seclists.org/tcpdump/2011/q1/107
No, nothing unusual. Can't test right now, I've reinstalled that test box. I'm setting up openswan for tests.
@agentsmith, I installed and configured racoon, and it's just the same. I can ping the client from the server and the server from the client, but can't access the internet.
I hope someone could try it on a BuyVM VPS, since BuyVM has all the modules loaded, as their wiki states.
Can you use MASQUERADE on OpenVZ? I thought it had to be SNAT.
@ValdikSS
The very first packet is missing (seq 1). Does tcpdump tell you it dropped one when exiting?
It would also be interesting to see the other direction:
or any other service and try to access it from outside.
The routing cache would be interesting too, to see whether venet0 is listed there for all packets we use.
@bertan
I think that was true for the 2.6.18 kernel, but anyway I prefer SNAT since venet0 has at least 2 IP addresses.
@agentsmith, yes, thanks for the clarification. I don't know why it is missing. I wait some seconds to make sure tcpdump has started, but always get the same missing packet.
This is on Ubuntu with racoon now.
@agentsmith, no, DNAT doesn't work either.
It missed some packets again.
I get no packets on my side (from where I've tried to send data).
@ValdikSS
At least packets are reaching your client (it answers with SYN/ACK), but the packet disappears on egress :-( Can you show me the routing cache and tables after trying to send a packet?
@agentsmith
This is after pinging 8.8.4.4 from the client.
That's interesting. Using another OpenVZ VPS with strongSwan, I now get ICMP Destination Port Unreachable when pinging 8.8.4.4 or any other public address from the client.
EDIT: Sorry for the misinformation, that was because of a FORWARD rule. After deleting it, it's just the same.
Just cancel all OpenVZ already, and forget it as a horrible nightmare.
@rm_, it's not like I can't manage to make it work at all. strongSwan can be configured with kernel-libipsec, which is a userspace IPsec implementation, and it works that way on OpenVZ, as I tested yesterday. Now it's just a matter of understanding how the hell the packet flow is going and what the cause of this issue is.
btw: "ip r" only shows main table.
It seems to be a bug:
http://forum.openvz.org/index.php?t=tree&goto=39937&&srch=ipsec#page_top
https://bugzilla.redhat.com/show_bug.cgi?id=1081804
Maybe you can try playing around in /proc/sys/net/ipv4/conf/.
@agentsmith, thanks for the links, although they're not very useful. I wrote a message to Pavel from Red Hat, who wrote that he's aware of IPsec problems in OpenVZ. Let's hope we'll get a response from him.
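An added diagnostic for the symptom the thread chases (client traffic reaches the box but never hits the MASQUERADE rule, so it leaves unNATed or not at all). This is example code, not from any thread participant: it reads the POSTROUTING counters that agentsmith suggests watching and dumps the forwarding/rp_filter knobs under /proc/sys/net/ipv4/conf he points at. The subnet is the thread's; the iptables output embedded below is constructed, not captured from the affected box.

```shell
#!/bin/sh
# Constructed `iptables -t nat -L POSTROUTING -vnx` output: the chain counter grows
# while the MASQUERADE rule counter stays at 0, i.e. packets from 10.3.0.0/24 are
# not traversing the rule (the pattern to look for on the OpenVZ box).
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 1523 packets, 98211 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 MASQUERADE  all  --  *      *       10.3.0.0/24          0.0.0.0/0'

# Packet counter of the first POSTROUTING rule whose "source" column equals $2.
# Column layout with -vnx: pkts bytes target prot opt in out source destination.
nat_rule_packets() {
    printf '%s\n' "$1" | awk -v src="$2" '$8 == src { print $1; exit }'
}

# Classify the rule counter: no rule for the pool, rule present but never matched,
# or rule matched (in which case the NAT side is fine and the loss is elsewhere).
nat_verdict() {
    pk=$(nat_rule_packets "$1" "$2")
    if [ -z "$pk" ]; then
        echo "no-rule"
    elif [ "$pk" -eq 0 ]; then
        echo "rule-never-hit"
    else
        echo "rule-hit"
    fi
}

# Print "iface.knob=value" for forwarding and rp_filter of every interface directory
# under $1 (normally /proc/sys/net/ipv4/conf); a strict rp_filter=1 on venet0 is one
# of the knobs worth comparing against a working dedicated box.
dump_conf_knobs() {
    for d in "$1"/*/; do
        i=$(basename "$d")
        for k in forwarding rp_filter; do
            [ -r "$d$k" ] && echo "$i.$k=$(cat "$d$k")"
        done
    done
    return 0
}

# Live use on the server (root):
#   nat_verdict "$(iptables -t nat -L POSTROUTING -vnx)" 10.3.0.0/24
#   dump_conf_knobs /proc/sys/net/ipv4/conf
# Self-check against the constructed sample:
nat_verdict "$SAMPLE_NAT" 10.3.0.0/24
```

Run `nat_verdict` before and after a ping from the phone; if the chain's policy counter moves but the rule stays at 0, the decapsulated packets are not reaching nat POSTROUTING on that path, which is the point at which the thread reaches for xt_TRACE.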