Simple Strongswan installation caused server to be unreachable through (Open)SSH

While working on a remote machine (Debian 11.7 / Kernel 5.10.0-23-amd64) I have installed Strongswan to configure it as a VPN client.

apt install strongswan

After this, the service strongswan-starter.service is started and the host becomes unreachable. Luckily I could physically disable the service via `systemctl disable strongswan-starter.service` and reboot.

But whenever I run `systemctl start strongswan-starter.service` my openssh connection gets lost.

The only thing I noticed while starting the service was the following:

May 29 21:45:25 machinename charon: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 21:45:25 machinename charon: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 21:45:25 machinename charon: 08[KNL] received netlink error: Permission denied (13)
May 29 21:45:25 machinename charon: 08[KNL] installing route failed: 2a00:6020:4e2a:8000::/64 src 2a00:xxxx:4e2a:xxxx:6a1d:xxxx:xxxx:9579 dev ipsec0
May 29 21:45:25 machinename charon: 08[IKE] installed bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 21:45:25 machinename charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out

The IP 192.168.189.1 is the router address. But from the local physical console I am able to ping google, etc.

I was first focusing on the bypass-lan plugin due to the fact it only appears when the libcharon-extra-plugin package is installed.

UPDATED

As it is a default strongswan installation, no configuration has been made at this point. So these are the relevant configuration files:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

# strongswan.conf
charon {

    plugins {
        eap_dynamic {
            preferred = eap-mschapv2, eap-tls
        }
    }
}

# /etc/strongswan.d/starter.conf
starter {

    # Location of the ipsec.conf file
    # config_file = ${sysconfdir}/ipsec.conf

    # Disable charon plugin load option warning.
    # load_warning = yes

}

UPDATE 2

Below is the complete log output from when I started the service and the remote connection to hostmachine is broken:

May 29 23:21:49 hostmachine systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
May 29 23:21:49 hostmachine ipsec[6423]: Starting strongSwan 5.9.1 IPsec [starter]...
May 29 23:21:49 hostmachine charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.0-23-amd64, x86_64)
May 29 23:21:49 hostmachine kernel: [ 3621.243706] NET: Registered protocol family 38
May 29 23:21:49 hostmachine kernel: [ 3621.282054] AVX or AES-NI instructions are not detected.
May 29 23:21:50 hostmachine kernel: [ 3621.332375] AVX or AES-NI instructions are not detected.
May 29 23:21:50 hostmachine kernel: [ 3621.394450] alg: No test for xcbc(camellia) (xcbc(camellia-asm))
May 29 23:21:50 hostmachine kernel: [ 3621.436211] alg: No test for rfc3686(ctr(camellia)) (rfc3686(ctr-camellia-asm))
May 29 23:21:50 hostmachine kernel: [ 3621.445352] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.559730] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.593517] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.682207] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.750485] tun: Universal TUN/TAP device driver, 1.6
May 29 23:21:50 hostmachine charon: 00[LIB] created TUN device: ipsec0
May 29 23:21:50 hostmachine systemd-networkd[281]: ipsec0: Link UP
May 29 23:21:50 hostmachine systemd-networkd[281]: ipsec0: Gained carrier
May 29 23:21:50 hostmachine systemd-networkd[281]: ipsec0: Gained IPv6LL
May 29 23:21:50 hostmachine systemd-udevd[6556]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
May 29 23:21:50 hostmachine charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 29 23:21:50 hostmachine charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 29 23:21:50 hostmachine charon: 00[CFG] loaded 0 RADIUS server configurations
May 29 23:21:50 hostmachine charon: 00[CFG] HA config misses local/remote address
May 29 23:21:50 hostmachine charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-libipsec kernel-netlink resolve socket-default bypass-lan connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
May 29 23:21:50 hostmachine charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 29 23:21:50 hostmachine charon: 00[JOB] spawning 16 worker threads
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 172.17.0.0/16
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 172.18.0.0/16
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 172.25.0.0/16
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 192.168.189.0/24
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for ::1/128
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for fe80::/64
May 29 23:21:50 hostmachine charon: 08[IKE] interface change for bypass policy for fe80::/64 (from enp1s0 to ipsec0)
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:21:50 hostmachine ipsec[6423]: charon (6427) started after 580 ms
May 29 23:22:04 hostmachine charon: 00[DMN] SIGINT received, shutting down
May 29 23:22:04 hostmachine systemd[1]: Stopping strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 172.17.0.0/16
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 172.18.0.0/16
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 172.25.0.0/16
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 192.168.189.0/24
May 29 23:22:04 hostmachine systemd-networkd[281]: ipsec0: Link DOWN
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 192.168.189.1/32
May 29 23:22:04 hostmachine systemd-networkd[281]: ipsec0: Lost carrier
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for ::1/128
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for fe80::/64
May 29 23:22:04 hostmachine ipsec[6427]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.0-23-amd64, x86_64)
May 29 23:22:04 hostmachine ipsec[6427]: 00[LIB] created TUN device: ipsec0
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loaded 0 RADIUS server configurations
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] HA config misses local/remote address
May 29 23:22:04 hostmachine ipsec[6427]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-libipsec kernel-netlink resolve socket-default bypass-lan connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
May 29 23:22:04 hostmachine ipsec[6427]: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 29 23:22:04 hostmachine ipsec[6427]: 00[JOB] spawning 16 worker threads
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 172.17.0.0/16
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 172.18.0.0/16
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 172.25.0.0/16
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 192.168.189.0/24
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for ::1/128
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for fe80::/64
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] interface change for bypass policy for fe80::/64 (from enp1s0 to ipsec0)
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out

Any ideas highly appreciated.
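As an added example (not from the question, and not strongSwan's own tooling), the shell helper below triages exported charon journal lines for the three symptoms visible in the log above: `[KNL]` route/policy install errors, bypass policies whose interface charon re-homed from the physical NIC to the TUN device, and the kernel-libipsec plugin being loaded (kernel-libipsec is the userland IPsec backend that creates the ipsec0 TUN device). The sample lines are a constructed subset of the question's own log with the plugin list abbreviated; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not part of the question, not strongSwan's own tooling):
# triage exported charon journal lines for the symptoms seen in the question.
# Usage: ./charon-triage.sh /path/to/journal.txt   (no argument: runs on the sample)

# Constructed sample: a subset of the journal lines quoted in the question,
# with the "loaded plugins" list abbreviated. Written to a temp file whose path is printed.
write_sample_log() {
    local f
    f="$(mktemp)"
    cat > "$f" <<'EOF'
May 29 23:21:50 hostmachine charon: 00[LIB] created TUN device: ipsec0
May 29 23:21:50 hostmachine charon: 00[LIB] loaded plugins: charon aes sha2 hmac kernel-libipsec kernel-netlink socket-default bypass-lan stroke updown
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 192.168.189.0/24
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for fe80::/64
May 29 23:21:50 hostmachine charon: 08[IKE] interface change for bypass policy for fe80::/64 (from enp1s0 to ipsec0)
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
EOF
    echo "$f"
}

# Number of kernel-interface ([KNL]) lines reporting an error or failure.
count_knl_errors() {
    grep -cE '\[KNL\].*(error|failed)' "$1" || true
}

# Number of bypass policies charon installed (bypass-lan plugin output).
count_bypass_policies() {
    grep -cE '\[IKE\] installed bypass policy for ' "$1" || true
}

# "yes" if kernel-libipsec (userland IPsec; the plugin that creates the ipsec0 TUN device) was loaded.
libipsec_loaded() {
    if grep -qE 'loaded plugins:.* kernel-libipsec( |$)' "$1"; then echo yes; else echo no; fi
}

# TUN devices charon reports having created, one per line.
created_tun_devices() {
    sed -nE 's/.*created TUN device: ([^ ]+).*/\1/p' "$1" | sort -u
}

# Bypass policies whose interface charon changed, as "<prefix> <from>-><to>".
bypass_interface_changes() {
    sed -nE 's/.*interface change for bypass policy for ([^ ]+) \(from ([^ ]+) to ([^ )]+)\).*/\1 \2->\3/p' "$1"
}

# Print a summary; exit status 1 when at least one symptom is present, 0 when clean.
triage() {
    local log="$1" findings=0 knl tun libipsec moved
    knl="$(count_knl_errors "$log")"
    tun="$(created_tun_devices "$log" | tr '\n' ' ')"
    libipsec="$(libipsec_loaded "$log")"
    moved="$(bypass_interface_changes "$log")"

    echo "kernel-libipsec plugin loaded : $libipsec"
    echo "TUN devices created by charon : ${tun:-none}"
    echo "[KNL] route/policy errors     : $knl"
    echo "bypass policies installed     : $(count_bypass_policies "$log")"
    echo "bypass policies re-homed      : ${moved:-none}"

    if [ "$knl" -gt 0 ]; then findings=$((findings + 1)); fi
    if [ -n "$moved" ]; then findings=$((findings + 1)); fi
    if [ "$libipsec" = yes ] && [ -n "$tun" ]; then findings=$((findings + 1)); fi

    echo "symptoms matched              : $findings"
    if [ "$findings" -gt 0 ]; then return 1; fi
    return 0
}

if [ "$#" -eq 0 ]; then
    triage "$(write_sample_log)" || true
else
    triage "$1"
fi
```

Run it against `journalctl -u strongswan-starter.service` output saved to a file from the local console; a non-zero exit status means at least one of the symptoms matched, which is a useful check before starting the service again over a remote session that depends on the routes the daemon is touching.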

Ginnungagap:
Please add the strongswan configuration to the question since it appears to be related to the configured traffic selectors.
Ole K:
It is a default strongswan installation; no configuration has been made at this step. But I can update the question in a minute.