Solution Verified
— Updated 2021-12-21T05:22:15+00:00 —
Issue
- Upon running ip route show table <value>, where value is between 0-253 or default, the following error appears:
[root@rhel8 ~]# ip route list table 1
Error: ipv4: FIB table does not exist.
Dump terminated
- This did not happen with iproute-4.11.0 in RHEL 7.
Environment
- Red Hat Enterprise Linux 8
- iproute-5.3.0
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.1 LTS"
I installed ifupdown and removed netplan.io, but the command systemctl start networking fails:
systemctl status networking
x networking.service - Raise network interfaces
Loaded: loaded (/lib/systemd/system/networking.service; enabled; vendor preset: enabled)
Drop-In: /run/systemd/system/service.d
└─zzz-lxc-service.conf
Active: failed (Result: exit-code) since Fri 2022-09-09 15:09:22 UTC; 43s ago
Docs: man:interfaces(5)
Main PID: 164 (code=exited, status=1/FAILURE)
CPU: 195ms
Sep 09 15:09:21 test2 ifup[260]: Error: ipv4: FIB table does not exist.
Sep 09 15:09:21 test2 ifup[260]: Dump terminated
Sep 09 15:09:21 test2 ifup[164]: ifup: failed to bring up eth1
Sep 09 15:09:21 test2 ifup[269]: Setting up eth2
Sep 09 15:09:21 test2 ifup[277]: Error: ipv4: FIB table does not exist.
Sep 09 15:09:21 test2 ifup[277]: Dump terminated
Sep 09 15:09:21 test2 ifup[164]: ifup: failed to bring up eth2
It seems that iproute2 is blowing up when opening a table not offered by the kernel 5.15.53-1.
dpkg -l | grep iproute
ii iproute2 5.15.0-1ubuntu2
The question is: how do I fix this? It seems that a newer version of iproute2 is needed to be able to replace netplan (which does not support virtual devices).
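The Red Hat issue above and the ifup failure in this post are the same behaviour seen from two scripts: the kernel only creates a FIB table when the first route is inserted into it, and iproute2 5.x asks the kernel to dump that one table and reports the kernel's "does not exist" answer, where iproute2 4.x printed an empty dump. Any tooling that dumps a table therefore has to decide whether an absent table is an error or simply "no routes yet". The following Python is an added example, not code from Red Hat, Ubuntu, ifupdown or either post. It wraps ip -json route show table N, treats exactly this error as an empty table, and raises on anything else so that a wrong table name or missing privileges are not silently swallowed. The fake_ip_runner, its exit codes and its JSON body are constructed so the example runs offline; only the stderr text is the page's.

```python
"""Read an iproute2 routing table without treating 'FIB table does not exist' as fatal.

Added example; the runner, exit codes and JSON body below are constructed.
"""
import json
import subprocess
from typing import Callable, List

MISSING_TABLE_MARKER = "FIB table does not exist"

Runner = Callable[[List[str]], subprocess.CompletedProcess]


def run_ip(args: List[str]) -> subprocess.CompletedProcess:
    """Real runner: invoke ip(8) with JSON output (assumes an iproute2 with -json support)."""
    return subprocess.run(["ip", "-json", *args], capture_output=True, text=True)


def table_routes(table: str, run: Runner = run_ip) -> List[dict]:
    """Return the routes of `table` as a list of dicts.

    A table the kernel has not created yet yields [] instead of an exception, so a
    bring-up script can treat "no routes" and "table absent" alike. Any other failure
    (bad table name, missing privileges, ip not installed) is raised, because returning
    [] there would hide a real configuration problem.
    """
    proc = run(["route", "show", "table", str(table)])
    if proc.returncode == 0:
        return json.loads(proc.stdout or "[]")
    if MISSING_TABLE_MARKER in proc.stderr:
        return []
    raise RuntimeError(
        f"ip route show table {table} failed (exit {proc.returncode}): {proc.stderr.strip()}"
    )


def classify_table(table: str, run: Runner = run_ip) -> str:
    """'populated', 'empty' (absent or without routes) or 'error', without raising."""
    try:
        return "populated" if table_routes(table, run) else "empty"
    except RuntimeError:
        return "error"


def table_has_default_route(table: str, run: Runner = run_ip) -> bool:
    """True if `table` carries a default route (dst 'default' in JSON output)."""
    return any(r.get("dst") == "default" for r in table_routes(table, run))


# --- constructed fake runner so the example runs offline ------------------------------
def fake_ip_runner(args: List[str]) -> subprocess.CompletedProcess:
    table = args[-1]
    if table in ("1", "100", "220"):  # tables nothing has populated yet
        return subprocess.CompletedProcess(
            args, 2, stdout="",
            stderr="Error: ipv4: FIB table does not exist.\nDump terminated\n")
    if table == "main":
        body = [  # constructed, shaped like `ip -json route show`
            {"dst": "default", "gateway": "192.168.1.1", "dev": "wls3", "protocol": "dhcp"},
            {"dst": "192.168.1.0/24", "dev": "wls3", "protocol": "kernel", "scope": "link"},
        ]
        return subprocess.CompletedProcess(args, 0, stdout=json.dumps(body), stderr="")
    return subprocess.CompletedProcess(
        args, 255, stdout="",
        stderr=f'Error: argument "{table}" is wrong: table id value is invalid\n')


if __name__ == "__main__":
    for t in ("main", "220", "bogus"):
        print(t, classify_table(t, run=fake_ip_runner))
```

With the real runner the same functions need CAP_NET_ADMIN only for writing; reading a table works unprivileged, so a monitoring job can poll classify_table for the tables it expects a VPN or policy-routing setup to populate.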
I just got this situation resolved on my computer. My background was :
- I’m using WSL2
- Tried on Ubuntu 16.04 and Ubuntu 20.04
- I still can’t connect to the internet when on a VPN
Step 1 : Figure out your local Gateway address on Windows
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . : home.sercomm
IPv4 Address. . . . . . . . . . . : 192.168.1.69
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254 <-- this is what we care about
Step 2 : create a /etc/wsl.conf file with the following content
cat /etc/wsl.conf
# Enable DNS – even though these are turned on by default, we’ll specify here just to be explicit.
[network]
generateResolvConf = false
Step 3 : delete the /etc/resolv.conf symlink that points to /run/resolvconf/resolv.conf
cd /etc/
sudo rm resolv.conf
Step 4 : also delete /run/resolvconf/resolv.conf, why not?
cd /run
sudo rm resolvconf/resolv.conf
Step 5 : create a custom /etc/resolv.conf that will contain your Gateway address
sudo vi /etc/resolv.conf
and paste this (with your Gateway address as seen in step 1)
nameserver 192.168.1.254
Step 6 : Open powershell and restart wsl
wsl --shutdown
Step 7 : ping google.com
At this point, assuming your resolv.conf wasn’t wiped automatically by the system and you still have the configuration we added in step 5, you should be able to reach the internet.
Thanks, and don’t hesitate to contact me if you have an issue.
I am trying to setup a software router with the goal of routing packets to a proxy server on the router. The tutorial I am reading has the following routing rules:
ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100
and the following iptables rules:
iptables -t mangle -N V2RAY
iptables -t mangle -A V2RAY -d [Private Addresses] -j RETURN
iptables -t mangle -A V2RAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 1
iptables -t mangle -A V2RAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1
iptables -t mangle -A PREROUTING -j V2RAY
The whole thing works perfectly. But now I am moving to use systemd-networkd to avoid any startup scripts, and I am having trouble converting ip route add local 0.0.0.0/0 dev lo table 100 to systemd-networkd language.
My first question is, what does this route do? My understanding so far is:
- iptables adds a firewall mark 1.
- The rule selects all packets with mark 1 to use routing table 100.
- The route is added to table 100, so it only applies to packets with mark 1.
- The "0.0.0.0/0" part means it is a default route.
- But what does "local" mean here? Why device lo? Why do we need a route here? Can’t iptables handle this directly?
My second question is how to do this in systemd-networkd.
For matching packets with mark 1, it seems easy (and worked on my router):
[Match]
Name = *
[RoutingPolicyRule]
FirewallMark = 1
Table = 100
I am not sure if Name = * is required though. Does this make sure that any packet from any device, as long as it has mark 1, will be routed using table 100? Or could I match some particular network device here?
I cannot, however, make the route in systemd-networkd. My attempt so far is:
[Match]
Name = lo
[Route]
Type = local
Destination = 0.0.0.0/0
Table = 100
But it seems that this has no effect: ip route show table 100 actually gives:
Error: ipv4: FIB table does not exist.
Dump terminated
How should I approach this?
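To see how the two notations line up, here is an added example (not from the post, systemd or iproute2) that parses the two .network fragments quoted above and renders each [RoutingPolicyRule] and [Route] section as the ip(8) command it corresponds to. The key names it understands (Name, FirewallMark, Priority, Table, Type, Destination, Gateway) are the ones from systemd.network(5); anything else is ignored. The device for a route is taken from the nearest preceding [Match] Name=, because networkd applies a file to the links that section matches; a policy rule is not tied to a link, which is why its ip form has no dev and the translator drops a wildcard name. The sample inputs are the post's fragments, reassembled into two constructed files.

```python
"""Render systemd-networkd [RoutingPolicyRule] and [Route] sections as ip(8) commands.

Added example; the two .network files below are constructed from the post's fragments.
"""
from typing import Dict, List, Tuple

RULE_FILE = """\
[Match]
Name = *

[RoutingPolicyRule]
FirewallMark = 1
Table = 100
"""

ROUTE_FILE = """\
[Match]
Name = lo

[Route]
Type = local
Destination = 0.0.0.0/0
Table = 100
"""

Section = Tuple[str, Dict[str, str]]


def parse_network(text: str) -> List[Section]:
    """Parse a .network file into an ordered list of (section, {key: value}).

    Sections may repeat ([Route] often appears several times), so configparser,
    which merges duplicates, is deliberately not used.
    """
    sections: List[Section] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1], current))
            continue
        if not sections or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def to_ip_commands(sections: List[Section]) -> List[str]:
    """Emit one `ip rule add` / `ip route add` command per rule/route section."""
    cmds: List[str] = []
    dev = None
    for name, kv in sections:
        if name == "Match":
            dev = kv.get("Name")
        elif name == "RoutingPolicyRule":
            parts = ["ip", "rule", "add"]
            if "FirewallMark" in kv:
                parts += ["fwmark", kv["FirewallMark"]]
            if "Priority" in kv:
                parts += ["priority", kv["Priority"]]
            parts += ["table", kv.get("Table", "main")]
            cmds.append(" ".join(parts))
        elif name == "Route":
            parts = ["ip", "route", "add"]
            if kv.get("Type", "unicast") != "unicast":  # local, blackhole, unreachable, ...
                parts.append(kv["Type"])
            parts.append(kv.get("Destination", "default"))
            if "Gateway" in kv:
                parts += ["via", kv["Gateway"]]
            if dev and dev != "*":  # a wildcard match names no specific device
                parts += ["dev", dev]
            if "Table" in kv:
                parts += ["table", kv["Table"]]
            cmds.append(" ".join(parts))
    return cmds


def network_to_ip(text: str) -> List[str]:
    return to_ip_commands(parse_network(text))


if __name__ == "__main__":
    for cmd in network_to_ip(RULE_FILE) + network_to_ip(ROUTE_FILE):
        print(cmd)
```

Running it prints the post's two original commands, which makes the translation easy to check against what ip rule show and ip route show table 100 report once networkd has applied the files.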
Having trouble getting my vpn connection to give me a public ip address associated with the VPN gateway using netctl and swanctl.
Everything works fine if I use NetworkManager and its networkmanager-strongswan component.
I can successfully connect to the VPN using swanctl, while using netctl for my local wifi connection, but ipleak.org shows my ISP, not my university’s address.
VPN gateway is at my university, the instructions they have provided are for networkmanager on ubuntu, which I replicated in Arch, and it all works, as I said:
Install the following dependencies:
- network-manager-strongswan
- libstrongswan-extra-plugins
- libcharon-extra-plugins
Configuration on Debian-based distributions
1. Open your desktop’s Network Manager application and edit its connections.
2. Add a new VPN connection using IPsec-based VPN (strongswan)
a. Set the Connection Name to schoolvpn
b. Set Gateway: to vpn.myuniversity.edu
c. Set Authentication to EAP
d. Enter your Username
e. Enter your Password (or leave blank to be prompted when you connect)
f. Under Options select only Request an inner IP address and Enforce UDP encapsulation
3. Click OK
I (presumably) only needed
and
networkmanager-strongswan
on Arch.
The VPN worked with those two packages.
$ uname -a
Linux nemesis 5.6.3-arch1-1 #1 SMP PREEMPT Wed, 08 Apr 2020 07:47:16 +0000 x86_64 GNU/Linux
$ sudo swanctl --version
plugin 'mysql' failed to load: libmariadb.so.3: cannot open shared object file: No such file or directory
strongSwan swanctl 5.8.2
$ NetworkManager --version
1.22.10-1
When I use NetworkManager, together with networkmanager-strongswan, I get the following ip addresses and tables:
fresh boot
# connected via network manager, pre vpn
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 00:e1:5e:0f:a8:5f brd ff:ff:ff:ff:ff:ff
3: wls3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:94:a6:a7:d0:f5 brd ff:ff:ff:ff:ff:ff
altname wlp3s0
inet 192.168.1.5/24 brd 192.168.1.255 scope global dynamic noprefixroute wls3
valid_lft 86372sec preferred_lft 86372sec
inet6 fe80::3dd6:f5f8:2922:156d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
----------------------------------------------------------------------------------------------
$ sudo ip route list table 220
Error: ipv4: FIB table does not exist.
Dump terminated
----------------------------------------------------------------------------------------------
$ sudo ip route list
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600
----------------------------------------------------------------------------------------------
$ sudo ip route show
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600
# ==========
# connected via network manager and vpn via nm-strongswan
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 00:e1:5e:0f:a8:5f brd ff:ff:ff:ff:ff:ff
3: wls3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:94:a6:a7:d0:f5 brd ff:ff:ff:ff:ff:ff
altname wlp3s0
inet 192.168.1.5/24 brd 192.168.1.255 scope global dynamic noprefixroute wls3
valid_lft 86246sec preferred_lft 86246sec
inet 10.9.143.79/32 scope global wls3
valid_lft forever preferred_lft forever
inet6 fe80::3dd6:f5f8:2922:156d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
----------------------------------------------------------------------------------------------
$ sudo ip route list table 220
default via 192.168.1.1 dev wls3 proto static src 10.9.143.79
192.168.1.0/24 dev wls3 proto static src 192.168.1.5
----------------------------------------------------------------------------------------------
$ sudo ip route list
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600
----------------------------------------------------------------------------------------------
$ sudo ip route show
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600
When I use netctl and swanctl, I get the following ip addresses and tables:
fresh boot
# ==========
# pre vpn up
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 00:e1:5e:0f:a8:5f brd ff:ff:ff:ff:ff:ff
3: wls3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:94:a6:a7:d0:f5 brd ff:ff:ff:ff:ff:ff
altname wlp3s0
inet 192.168.1.5/24 brd 192.168.1.255 scope global dynamic noprefixroute wls3
valid_lft 86357sec preferred_lft 75557sec
inet6 fe80::21f:3bff:fe7c:b403/64 scope link
valid_lft forever preferred_lft forever
-------------------------------------------------------------------------------------------
$ sudo ip route list table 220
Error: ipv4: FIB table does not exist.
Dump terminated
-------------------------------------------------------------------------------------------
$ sudo ip route list
default via 192.168.1.1 dev wls3 proto dhcp src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
-------------------------------------------------------------------------------------------
$ sudo ip route show
default via 192.168.1.1 dev wls3 proto dhcp src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
-------------------------------------------------------------------------------------------
# =======================
# post vpn up with swanctl
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 00:e1:5e:0f:a8:5f brd ff:ff:ff:ff:ff:ff
3: wls3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:94:a6:a7:d0:f5 brd ff:ff:ff:ff:ff:ff
altname wlp3s0
inet 192.168.1.5/24 brd 192.168.1.255 scope global dynamic noprefixroute wls3
valid_lft 86295sec preferred_lft 75495sec
inet 10.9.143.15/32 scope global wls3
valid_lft forever preferred_lft forever
inet6 fe80::21f:3bff:fe7c:b403/64 scope link
valid_lft forever preferred_lft forever
-------------------------------------------------------------------------------------------
$ sudo ip route list table 220
192.168.1.0/24 dev wls3 proto static src 192.168.1.5
124.213.93.73 via 192.168.1.1 dev wls3 proto static src 10.9.143.15
-------------------------------------------------------------------------------------------
$ sudo ip route list
default via 192.168.1.1 dev wls3 proto dhcp src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
-------------------------------------------------------------------------------------------
$ sudo ip route show
default via 192.168.1.1 dev wls3 proto dhcp src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
I understand that netctl probably isn’t part of any component that is breaking. I just want to be clear that I switched network tools as well.
Actually, now that I say that, I will test NetworkManager for my wifi connection, and swanctl for my vpn.
Here are results:
fresh boot
# connected via network manager, pre vpn
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 00:e1:5e:0f:a8:5f brd ff:ff:ff:ff:ff:ff
3: wls3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:94:a6:a7:d0:f5 brd ff:ff:ff:ff:ff:ff
altname wlp3s0
inet 192.168.1.5/24 brd 192.168.1.255 scope global dynamic noprefixroute wls3
valid_lft 86376sec preferred_lft 86376sec
inet6 fe80::3dd6:f5f8:2922:156d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
-------------------------------------------------------------------------------------------
$ sudo ip route list table 220
192.168.1.0/24 dev wls3 proto static src 192.168.1.5
-------------------------------------------------------------------------------------------
$ sudo ip route list
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600
-------------------------------------------------------------------------------------------
$ sudo ip route show
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600
# ============
# enabled swanctl connection profile
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 00:e1:5e:0f:a8:5f brd ff:ff:ff:ff:ff:ff
3: wls3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:94:a6:a7:d0:f5 brd ff:ff:ff:ff:ff:ff
altname wlp3s0
inet 192.168.1.5/24 brd 192.168.1.255 scope global dynamic noprefixroute wls3
valid_lft 86263sec preferred_lft 86263sec
inet 10.5.126.28/32 scope global wls3
valid_lft forever preferred_lft forever
inet6 fe80::3dd6:f5f8:2922:156d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
-------------------------------------------------------------------------------------------
$ sudo ip route list table 220
192.168.1.0/24 dev wls3 proto static src 192.168.1.5
124.213.93.73 via 192.168.1.1 dev wls3 proto static src 10.5.126.28
-------------------------------------------------------------------------------------------
$ sudo ip route list
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600
-------------------------------------------------------------------------------------------
$ sudo ip route show
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600
Just noticed that
only gets populated once I
systemctl start strongswan.service
.
That is the difference between the two different "pre" sections of netctl with swanctl and NetworkManager with swanctl.
Here is my
I retrieved the server certificate by navigating to the address in the browser, then "inspecting" the security, and downloading it.
A friend of mine taught me that trick. He is on opensuse, and copied it into the ipsec.d/cacerts directory, so I figured it’s as good as any.
Though, I think strongswan defaults to using /etc/strongswan/x509 or something?
# Section defining IKE connection configurations.
connections {
# Section for an IKE connection named <conn>.
# <conn> {
ikev2profile {
# IKE major version to use for connection.
# version = 0
version = 2
# Remote address(es) to use for IKE communication, comma separated.
# remote_addrs = %any
remote_addrs = vpn.myuniversity.edu
# Virtual IPs to request in configuration payload / Mode Config.
# vips =
vips = 0.0.0.0
# Enforce UDP encapsulation by faking NAT-D payloads.
# encap = no
encap = yes
# Section for a local authentication round.
# local<suffix> {
local {
# Authentication to perform locally (pubkey, psk, xauth[-backend] or
# eap[-method]).
# auth = pubkey
auth = eap-mschapv2
# Client EAP-Identity to use in EAP-Identity exchange and the EAP
# method.
# eap_id = id
eap_id = my_username
}
# Section for a remote authentication round.
# remote<suffix> {
remote {
# cert<suffix> {
cert {
# Absolute path to the certificate to load.
# file =
file = /etc/ipsec.d/cacerts/university_vpn_cert.crt
}
}
# children {
children {
# CHILD_SA configuration sub-section.
# <child> {
ikev2profile {
# Whether to install outbound FWD IPsec policies or not.
# policies_fwd_out = no
policies_fwd_out = yes
}
}
}
}
# Section defining secrets for IKE/EAP/XAuth authentication and private key
# decryption.
# secrets {
secrets {
# EAP secret section for a specific secret.
# eap<suffix> {
eap {
# Value of the EAP/XAuth secret.
# secret =
secret = my_password
# Identity the EAP/XAuth secret belongs to.
# id<suffix> =
id = my_username
}
}
# Include config snippets
include conf.d/*.conf
I’ve tried
equal to "yes" and "no" but it doesn’t seem to make any difference.
Here is the output of running
sudo swanctl -i -c ikev2profile
$ sudo swanctl -i -c ikev2profile
plugin 'mysql' failed to load: libmariadb.so.3: cannot open shared object file: No such file or directory
[IKE] initiating IKE_SA ikev2profile[1] to 124.213.93.73
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.1.5[500] to 124.213.93.73[500] (856 bytes)
[NET] received packet: from 124.213.93.73[500] to 192.168.1.5[500] (38 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
[IKE] initiating IKE_SA ikev2profile[1] to 124.213.93.73
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.1.5[500] to 124.213.93.73[500] (1048 bytes)
[NET] received packet: from 124.213.93.73[500] to 192.168.1.5[500] (424 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[IKE] local host is behind NAT, sending keep alives
[CFG] no IDi configured, fall back on IP address
[IKE] establishing CHILD_SA ikev2profile{1}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 192.168.1.5[4500] to 124.213.93.73[4500] (400 bytes)
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (1124 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(1/5) ]
[ENC] received fragment #1 of 5, waiting for complete IKE message
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (1124 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(2/5) ]
[ENC] received fragment #2 of 5, waiting for complete IKE message
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (1124 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(3/5) ]
[ENC] received fragment #3 of 5, waiting for complete IKE message
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (1124 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(4/5) ]
[ENC] received fragment #4 of 5, waiting for complete IKE message
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (196 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(5/5) ]
[ENC] received fragment #5 of 5, reassembled fragmented IKE message (4416 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH EAP/REQ/ID ]
[IKE] received end entity cert "C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu"
[IKE] received issuer cert "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"
[IKE] received issuer cert "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"
[CFG] using untrusted intermediate certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"
[CFG] checking certificate status of "C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu"
[CFG] requesting ocsp status from 'http://ocsp.digicert.com' ...
[CFG] nonce in ocsp response doesn't match
[CFG] ocsp check failed, fallback to crl
[CFG] fetching crl from 'http://crl3.digicert.com/sha2-ha-server-g6.crl' ...
[CFG] using certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"
[CFG] using untrusted intermediate certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"
[CFG] self-signed certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA" is not trusted
[CFG] crl response verification failed
[CFG] fetching crl from 'http://crl4.digicert.com/sha2-ha-server-g6.crl' ...
[CFG] using certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"
[CFG] using untrusted intermediate certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"
[CFG] self-signed certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA" is not trusted
[CFG] crl response verification failed
[CFG] certificate status is not available
[CFG] reached self-signed root ca with a path length of 0
[CFG] using trusted certificate "C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu"
[IKE] authentication of 'C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu' with RSA signature successful
[IKE] server requested EAP_IDENTITY (id 0x2E), sending 'my_username'
[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
[NET] sending packet: from 192.168.1.5[4500] to 124.213.93.73[4500] (96 bytes)
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (112 bytes)
[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
[IKE] server requested EAP_MSCHAPV2 authentication (id 0x2F)
[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
[NET] sending packet: from 192.168.1.5[4500] to 124.213.93.73[4500] (144 bytes)
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (128 bytes)
[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
[NET] sending packet: from 192.168.1.5[4500] to 124.213.93.73[4500] (80 bytes)
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (80 bytes)
[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
[IKE] authentication of '192.168.1.5' (myself) with EAP
[ENC] generating IKE_AUTH request 5 [ AUTH ]
[NET] sending packet: from 192.168.1.5[4500] to 124.213.93.73[4500] (112 bytes)
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (352 bytes)
[ENC] parsed IKE_AUTH response 5 [ IDr AUTH CPRP(ADDR DNS DNS) N(MSG_ID_SYN_SUP) SA TSi TSr ]
[IKE] authentication of 'C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu' with EAP successful
[IKE] IKE_SA ikev2profile[1] established between 192.168.1.5[192.168.1.5]...124.213.93.73[C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu]
[IKE] scheduling rekeying in 14035s
[IKE] maximum IKE_SA lifetime 15475s
[IKE] installing DNS server 124.213.93.2 via resolvconf
[IKE] installing DNS server 124.213.78.2 via resolvconf
[IKE] installing new virtual IP 10.9.143.15
[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
[IKE] CHILD_SA ikev2profile{1} established with SPIs cefefe38_i fbf5179d_o and TS 10.9.143.15/32 === 124.213.93.73/32
initiate completed successfully
My thought is that my ip tables just aren’t configured correctly. On the strongswan site, I read somewhere that strongswan automatically sends/sets (?) the tables. I was looking at some of their example swanctl.conf files, and found an example that had:
updown = /usr/local/libexec/ipsec/_updown iptables
in the "children.connection" section. I wonder if I missed something somewhere, and whether I need a script to set my tables for the behavior I want. I’m not sure.
The output also says it installs DNS servers, so maybe the problem is there, but I’m inclined to think it is in the tables since NM and swanctl produce different tables.
Any ideas or suggestions on changes to make it so ipleak.org correctly only sees my university’s public IP?
As stated, the behavior is correct with NetworkManager and NM-strongswan. But I prefer to use netctl, and would like to learn swanctl more.
The reason this is important is that academic journal websites aren’t letting me read papers if they don’t see my university’s IP address. As it stands, if I use my swanctl profile, they see my home public address, not that I’m VPN’ed into my school.
Thanks in advance
Note: I changed, methodically, the ip and mac addresses in the logs. Not sure if this is necessary, but I made sure to do it carefully, preserving the look of similar subnets, etc.
124.213.93.73 is analogous to my university’s public ip
10.9.143.15 ~ the ip address assigned to my computer when I’m physically on campus, and also the virtual ip assigned via VPN
192.168.1.5 ~ my computer’s ip on my home wifi network (I’ve set it static at the router)
Last edited by bbus (2020-04-10 08:51:23)
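The transcripts in this post already contain the answer to "why does ipleak still see my ISP": compare the two table 220 dumps and the CHILD_SA line of the swanctl log. The following Python is an added example, not code from the post or from strongSwan; its inputs are the post's own ip route list table 220 output and three lines of the swanctl log, copied verbatim, and its interpretation rules are mine. It parses the routes, reports whether table 220 has a default route sourced from the virtual IP (the NetworkManager case) or only a host route to the gateway (the swanctl case), reads the traffic selectors from the CHILD_SA line, and also flags the "path length of 0" trust decision visible in the log, where the gateway's own end-entity certificate is acting as the trust anchor.

```python
"""Diagnose, from `ip route list table 220` and swanctl output, why traffic still leaves
via the ISP. Added example; the sample inputs are copied from the post's transcripts."""
import re
from typing import List, Optional, Tuple

# `sudo ip route list table 220` with NetworkManager + nm-strongswan (from the post)
NM_TABLE_220 = """\
default via 192.168.1.1 dev wls3 proto static src 10.9.143.79
192.168.1.0/24 dev wls3 proto static src 192.168.1.5
"""

# the same table after `swanctl -i -c ikev2profile` (from the post)
SWANCTL_TABLE_220 = """\
192.168.1.0/24 dev wls3 proto static src 192.168.1.5
124.213.93.73 via 192.168.1.1 dev wls3 proto static src 10.9.143.15
"""

# the lines of the swanctl initiate log that the checks below look at (from the post)
SWANCTL_LOG = """\
[CFG] reached self-signed root ca with a path length of 0
[CFG] using trusted certificate "C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu"
[IKE] installing new virtual IP 10.9.143.15
[IKE] CHILD_SA ikev2profile{1} established with SPIs cefefe38_i fbf5179d_o and TS 10.9.143.15/32 === 124.213.93.73/32
"""

ROUTE_KEYS = {"via", "dev", "proto", "scope", "src", "metric"}


def parse_routes(text: str) -> List[dict]:
    """Turn `ip route` text lines into dicts keyed by dst, via, dev, src, ..."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        route = {"dst": toks[0]}
        i = 1
        while i + 1 < len(toks):
            if toks[i] in ROUTE_KEYS:
                route[toks[i]] = toks[i + 1]
                i += 2
            else:  # flags such as 'linkdown' carry no value
                i += 1
        routes.append(route)
    return routes


def default_route(routes: List[dict]) -> Optional[dict]:
    return next((r for r in routes if r["dst"] in ("default", "0.0.0.0/0")), None)


TS_RE = re.compile(r"\bTS (\S+) === (\S+)")


def child_sa_selectors(log: str) -> Optional[Tuple[str, str]]:
    """(local_ts, remote_ts) from the CHILD_SA 'established' line, or None."""
    m = TS_RE.search(log)
    return (m.group(1), m.group(2)) if m else None


def diagnose(table_text: str, log: str = "") -> List[str]:
    findings = []
    d = default_route(parse_routes(table_text))
    if d is None:
        findings.append("table 220 has no default route: only the destinations listed "
                        "there are sent with the VPN virtual IP as source address")
    else:
        findings.append(f"table 220 default route selects source {d.get('src')}: "
                        "every destination is sent from the virtual IP, so it matches the tunnel policy")
    sel = child_sa_selectors(log)
    if sel and sel[1] != "0.0.0.0/0":
        findings.append(f"remote traffic selector is {sel[1]}, not 0.0.0.0/0: "
                        "the CHILD_SA only protects traffic to that prefix")
    if "reached self-signed root ca with a path length of 0" in log:
        findings.append("trust anchor is the gateway's own end-entity certificate (path length 0): "
                        "the CA chain is not what is being validated, and the file must be "
                        "replaced whenever the gateway certificate is renewed")
    return findings


if __name__ == "__main__":
    for name, table, log in (("NetworkManager", NM_TABLE_220, ""),
                             ("swanctl", SWANCTL_TABLE_220, SWANCTL_LOG)):
        print(name)
        for f in diagnose(table, log):
            print("  -", f)
```

In swanctl.conf the remote selector comes from the child's remote_ts setting, whose default value dynamic resolves to the peer's address, which is what the 124.213.93.73/32 selector and the matching host route in table 220 show; the NetworkManager plugin's table, by contrast, carries the default route that a 0.0.0.0/0 selector produces.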
From: Vieri Di Paola <vieri…@gm…> — 2020-01-29 08:08:15
Hi,

The message is a bit scary at first, but it doesn't seem to affect my setup for now.
It started showing up with kernel 5.x (I have 5.5.0).

On shorewall reload or start:

Adding Providers...
Error: ipv4: FIB table does not exist.
Dump terminated

Also:

# ip route show table default
Error: ipv4: FIB table does not exist.
Dump terminated

I have iproute2-5.2.0.

# shorewall status
Shorewall-5.2.3.4 Status at gw2 - Wed Jan 29 09:06:56 CET 2020
Shorewall is running

Should I panic or relax?

Vieri
From: Matt Darfeuille <ma…@sh…> — 2020-01-29 10:33:25
On 1/29/2020 9:07 AM, Vieri Di Paola wrote:
> Hi,
>
> The message is a bit scary at first, but it doesn't seem to affect my
> setup for now.
> It started showing up with kernel 5.x (I have 5.5.0).
>
> On shorewall reload or start:
>
> Adding Providers...
> Error: ipv4: FIB table does not exist.
> Dump terminated
>
> Also:
> # ip route show table default
> Error: ipv4: FIB table does not exist.
> Dump terminated
>
> I have iproute2-5.2.0.
>

Have a look at (1).

HTH.

1) https://www.spinics.net/lists/netdev/msg559904.html

-Matt

--
Matt Darfeuille