Ubuntu
strongswan package

StrongSwan incorrectly generating esp packets

Bug #1357098 reported by Joe
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
strongswan (Ubuntu)
Invalid
Low
Unassigned

Bug Description

When pinging a remote node from my Ubuntu 14.04 LTS(GNU/Linux 3.8.13-bone59 armv7l) over an established StrongSwan VPN tunnel, the remote node sees the generated esp packets (via tcpdump), but does not respond. I think this is an armhf package issue, because I tested the configuration, certs and keys using Ubuntu on an x86 and using Raspian on a RaspberryPi, and the remote node responded as expected, and had esp packets going both directions. Leading me to guess that this is an ARMv7 specific issue.

Description: Ubuntu 14.04.1 LTS
Release: 14.04

strongswan:
  Installed: 5.1.2-0ubuntu2
  Candidate: 5.1.2-0ubuntu2
  Version table:
 *** 5.1.2-0ubuntu2 0
        500 http://ports.ubuntu.com/ubuntu-ports/ trusty/main armhf Packages
        100 /var/lib/dpkg/status

Revision history for this message
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Is it clear that this is a userspace issue, and not a kernel bug? ESP packets are generated by the kernel; strongswan just does the keying setup, right? And here I see that you're using a non-Ubuntu kernel.

Importance -> Low since this bug affects unusual end-user configurations or uncommon hardware.

Changed in strongswan (Ubuntu):
importance: Undecided → Low
Revision history for this message
Simon Déziel (sdeziel) wrote :

@Joe, as mentioned by Robie, the ESP packets are generated by your kernel using the key information provided and negociated by Strongswan. There can be many reasons for the remote node to not reply to your ESP packets. Most of the time, IPsec issues boil down to configuration/setup problems.

Assuming you are still affected by this problem, could you better describe your setup by including the IP addresses involved as well as the configuration files from both sides? If you obfuscate the IPs, please keep the first digits intact to ease debugging. Please also include "iptables -nvL" from both sides as this could well be a firewall issue.

Changed in strongswan (Ubuntu):
status: New → Incomplete
Revision history for this message
Joe (recklessgenius) wrote :

Thank you Simon and Robie. This is definitely a kernel issue. I didn't realize that I was using a non-standard kernel, and when I switched to hardware that used an Ubuntu supported kernel, everything worked fine.

Revision history for this message
Robie Basak (racb) wrote :

Thanks Joe. I'll set this to Invalid accordingly.

Changed in strongswan (Ubuntu):
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.