I am trying to set up an IPsec tunnel with strongswan. I used some tutorials for that and everything went fine so far, but there is no actual communication going through the tunnel. The tunnel is established, but nothing is transferred between the two machines. Prior to saying the tunnel is established, there is this error message:
received netlink error: Network is unreachable (101)
unable to install source route for 172.16.50.1
After this error it says:
CHILD_SA thevpn{9} established with SPIs c7c22d4e_i ce2c5536_o and TS 172.16.50.0/24 === 192.168.220.0/24
connection 'thevpn' established successfully
My Setup (both Ubuntu 22.04 LTS)
Server A
IP: 167.235.x.x
PrivateIP: 172.16.50.1
Server B
IP: 138.201.x.x
PrivateIP: 192.168.220.1
Configuration on Server A (/etc/ipsec.conf) :
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn thevpn
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=167.235.x.x
    leftsourceip=172.16.50.1
    leftsubnet=172.16.50.0/24
    right=138.201.x.x
    rightsubnet=192.168.220.0/24
    ike=3des-md5-modp2048!
    esp=3des-md5-modp2048!
    aggressive=no
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=15s
    dpdtimeout=20s
    dpdaction=restart
Configuration on Server B (/etc/ipsec.conf) :
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn thevpn2
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    right=167.235.x.x
    rightsubnet=172.16.50.0/24
    leftsourceip=192.168.220.1/24
    left=138.201.x.x
    leftsubnet=192.168.220.0/24
    ike=3des-md5-modp2048!
    esp=3des-md5-modp2048!
    aggressive=no
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=15s
    dpdtimeout=20s
    dpdaction=restart
And when I bring up the connection on Server B, this happens:
establishing CHILD_SA anode6{3}
generating CREATE_CHILD_SA request 3 [ SA No KE TSi TSr ]
sending packet: from 138.201.x.x[4500] to 167.235.x.x[4500] (452 bytes)
received packet: from 167.235.x.x[4500] to 138.201.x.x[4500] (452 bytes)
parsed CREATE_CHILD_SA response 3 [ SA No KE TSi TSr ]
selected proposal: ESP:3DES_CBC/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ
**received netlink error: Network is unreachable (101)
unable to install source route for 192.168.220.1**
CHILD_SA anode6{3} established with SPIs c5d3467d_i ca5f85dc_o and TS 192.168.220.0/24 === 172.16.50.0/24
connection 'thevpn2' established successfully
It's analogous on Server A: same error, just a different local IP (the 172.16.50.1 one).
Nothing is established successfully. A PING to 172.16.50.1 returns nothing but vast emptiness.
The error you see in the log above, and which I've copied here again, is the same on Server A and Server B (just with different private IPs):
received netlink error: Network is unreachable (101)
unable to install source route for 192.168.220.1
I have configured my network on each server in a separate file, /etc/netplan/50-my-network.yaml; this is its content:
network:
  version: 2
  ethernets:
    enp0s31f6:
      addresses:
        - 192.168.220.1/24:
            label: enp0s31f6:ipsec
      dhcp4: no
      dhcp6: no
Using PING on Server B for 192.168.220.1 works just fine (same on Server A for 172.16.50.1). I just don't have any clue (ok, the clue here is that the route doesn't get installed, but I don't know why) why this is not working and why it gives the exact same error on two different machines.
My guess is that the way I am installing the local IPs in netplan is somehow wrong? But why should it be? It's pingable, and services like NGINX can bind to that configured local IP (172.16.50.1) and also respond correctly, serving a different website than when called with the external IP.
Does anybody have any clue? Thanks!
Edit 1
Changed netplan config to:
network:
  version: 2
  ethernets:
    enp0s31f6:
      addresses:
        - 192.168.220.1/24:
            label: enp0s31f6:ipsec
      routes:
        - on-link: false
          from: 192.168.220.0/24
          to: 172.16.50.0/24
      dhcp4: no
      dhcp6: no
but nothing changed. Still no luck.
Edit 2
This is the main netplan config, /etc/netplan/01-netcfg.yaml:
network:
  version: 2
  renderer: networkd
  ethernets:
    enp41s0:
      addresses:
        - 138.201.x.x/32
      routes:
        - on-link: true
          to: 0.0.0.0/0
          via: 138.201.x.y
        - to: default
          via: ipv6-address::1
      nameservers:
        addresses:
          - w.x.y.z
          - ipv6.x.y.z::add:2
          - w.x.y.z2
          - ipv6.x.y.z::add:1
Edit 3
After changing netplan to
network:
  version: 2
  ethernets:
    enp41s0: # use the name of your current network interface here
      addresses:
        - 172.16.50.1/24 # replace with your desired private IP address and subnet mask
      dhcp4: no
      dhcp6: no
and changing ipsec.conf to
.
.
leftsourceip=172.16.50.1
leftsubnet=172.16.50.1/32
.
.
still the same error:
.
.
selected proposal: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
received netlink error: Network is unreachable (101)
unable to install source route for 172.16.50.1
CHILD_SA thevpn{2} established with SPIs c806e3a0_i 131c38e0_o and TS 172.16.50.1/32 === 192.168.220.0/24
connection 'actiovita-vpn' established successfully
Edit 4
The rule list:
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
and the other command:
@ip route show table 220
@
no output there at all.
Edit 5
I have installed Rocky Linux instead of Ubuntu 22.04 LTS and it works there without problems. Setting up the private IP with nmtui
seems to correctly install the private IP address along with the public IP address. So I strongly assume that the configuration of the network stack on Ubuntu (which I basically prefer to use) is somehow broken. I don't think it's a strongswan problem anymore.
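The log pattern in this question is easy to miss in a monitoring setup: charon reports "unable to install source route" and then, a line later, "CHILD_SA ... established" and "connection ... established successfully", so anything that only greps for "established" will call the tunnel healthy while no traffic can use it. The script below is an added example (not part of the question and not strongswan's own tooling) that parses charon log lines, attaches each source-route failure to the CHILD_SA that was established right after it, and checks that the failed source IP lies inside the SA's local traffic selector. The sample log is constructed from the lines quoted above; in practice you would feed it `journalctl -u strongswan` output.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the charon lines quoted in the question, in the order they
# appear there (not a live capture).
SAMPLE_LOG = """\
establishing CHILD_SA anode6{3}
generating CREATE_CHILD_SA request 3 [ SA No KE TSi TSr ]
selected proposal: ESP:3DES_CBC/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ
received netlink error: Network is unreachable (101)
unable to install source route for 192.168.220.1
CHILD_SA anode6{3} established with SPIs c5d3467d_i ca5f85dc_o and TS 192.168.220.0/24 === 172.16.50.0/24
connection 'thevpn2' established successfully
"""

# Message formats as they appear in the question's log excerpts.
NETLINK_RE = re.compile(r"received netlink error: (?P<msg>.+?) \((?P<code>\d+)\)")
SRCROUTE_RE = re.compile(r"unable to install source route for (?P<ip>[0-9a-fA-F.:]+)")
CHILD_RE = re.compile(
    r"CHILD_SA (?P<name>\S+) established with SPIs (?P<spi_in>[0-9a-f]+)_i "
    r"(?P<spi_out>[0-9a-f]+)_o and TS (?P<local>\S+) === (?P<remote>\S+)"
)


@dataclass
class ChildSa:
    name: str
    local_ts: str
    remote_ts: str
    spi_in: str
    spi_out: str
    # (source IP, netlink message, errno) for each route charon failed to install
    route_errors: list = field(default_factory=list)

    @property
    def usable(self) -> bool:
        """An SA whose source route was not installed will pass no traffic."""
        return not self.route_errors


def parse_charon_log(text: str) -> list:
    """Return one ChildSa per 'established' line; route failures logged before
    that line are attached to it, since charon installs the route while
    bringing up that child SA."""
    sas = []
    pending_netlink = None   # last netlink error, waiting for its route line
    pending_errors = []      # route failures not yet tied to an SA
    for line in text.splitlines():
        m = NETLINK_RE.search(line)
        if m:
            pending_netlink = (m["msg"], int(m["code"]))
            continue
        m = SRCROUTE_RE.search(line)
        if m:
            msg, code = pending_netlink or ("unknown", 0)
            pending_errors.append((m["ip"], msg, code))
            pending_netlink = None
            continue
        m = CHILD_RE.search(line)
        if m:
            sas.append(ChildSa(m["name"], m["local"], m["remote"],
                               m["spi_in"], m["spi_out"], pending_errors))
            pending_errors = []
    return sas


def broken_sas(text: str) -> list:
    """SAs that charon reported as established but that lack a source route."""
    return [sa for sa in parse_charon_log(text) if not sa.usable]


def source_ip_in_local_ts(sa: ChildSa, ip: str) -> bool:
    """The source IP must fall inside the SA's local traffic selector,
    otherwise the kernel policy would never match traffic from it."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(sa.local_ts, strict=False)


def report(text: str) -> list:
    """Human-readable findings, one string per broken SA."""
    lines = []
    for sa in broken_sas(text):
        for ip, msg, code in sa.route_errors:
            where = "inside" if source_ip_in_local_ts(sa, ip) else "OUTSIDE"
            lines.append(f"{sa.name}: source route for {ip} failed "
                         f"({msg}, errno {code}); {ip} is {where} local TS {sa.local_ts}; "
                         f"remote TS {sa.remote_ts} unreachable through this SA")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```

Run it against the real log with `journalctl -u strongswan --no-pager | python3 check_srcroute.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; an empty report means every established CHILD_SA also got its source route, which is the state the question never reached on Ubuntu.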