Thanks for replying. Here are the command outputs:
$ systemctl --no-pager status systemd-resolved.service
● systemd-resolved.service - Network Name Resolution
Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2020-09-11 20:05:32 -03; 46s ago
Docs: man:systemd-resolved.service(8)
https://www.freedesktop.org/wiki/Software/systemd/resolved
https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
Main PID: 7849 (systemd-resolve)
Status: "Processing requests..."
Tasks: 1 (limit: 38227)
Memory: 8.7M
CGroup: /system.slice/systemd-resolved.service
└─7849 /usr/lib/systemd/systemd-resolved
Sep 11 20:05:32 mw-lat5591.fritz.box systemd[1]: Starting Network Name Resolution...
Sep 11 20:05:32 mw-lat5591.fritz.box systemd-resolved[7849]: Positive Trust Anchors:
Sep 11 20:05:32 mw-lat5591.fritz.box systemd-resolved[7849]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Sep 11 20:05:32 mw-lat5591.fritz.box systemd-resolved[7849]: Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.a…
Sep 11 20:05:32 mw-lat5591.fritz.box systemd-resolved[7849]: Using system hostname 'mw-lat5591.fritz.box'.
Sep 11 20:05:32 mw-lat5591.fritz.box systemd[1]: Started Network Name Resolution.
Hint: Some lines were ellipsized, use -l to show in full.
$ ls -l /etc/resolv.conf
-rw-r--r--. 1 root root 38 Sep 11 09:07 /etc/resolv.conf
$ grep -v -e ^# -e ^$ /etc/resolv.conf
search fritz.box
nameserver 127.0.0.1
$ resolvectl --no-pager status
Global
LLMNR setting: yes
MulticastDNS setting: yes
DNSOverTLS setting: no
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
Current DNS Server: 127.0.0.1
DNS Servers: 127.0.0.1
Fallback DNS Servers: 1.1.1.1
8.8.8.8
1.0.0.1
8.8.4.4
2606:4700:4700::1111
2001:4860:4860::8888
2606:4700:4700::1001
2001:4860:4860::8844
DNS Domain: fritz.box
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 8 (br-cd1156217be9)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
Link 7 (docker0)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
Link 6 (virbr0-nic)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
Link 5 (virbr0)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
Link 4 (wlo1)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
Link 3 (eno2)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
Link 2 (enp0s20f0u5u2)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
Current DNS Server: 192.168.86.254
DNS Servers: 192.168.86.254
127.0.0.1
DNS Domain: ~.
fritz.box
$ getenforce
permissive
Some more details about the environment: 192.168.86.254 is my (Wifi-)Router. I'm connected through the USB-C dock's Ethernet enp0s20f0u5u2; neither wlo1 nor eno2 (onboard Ethernet adapter) is connected. Docker is running, therefore docker0. And kvm as well, also providing some logical Ethernet devices.

However, in the meantime I was able to connect. I enabled dnsmasq on 127.0.0.1:53, having a static entry to force resolution of my.comp.any via 192.168.0.132 (our DNS server at work). I configured strongswan to establish the tunnel on demand, as described here. The value trap installs a trap policy, which triggers the tunnel as soon as matching traffic has been detected.

However, sometimes (especially after undocking and switching to wifi) I have to restart the strongswan service and initiate the connection manually like this:
$ swanctl --initiate --child companyvpn
initiating IKE_SA IKEv2PSK[1] to 81.81.81.81
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.86.154[500] to 81.81.81.81[500] (464 bytes)
[NET] received packet: from 81.81.81.81[500] to 192.168.86.154[500] (503 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(FRAG_SUP) CERTREQ V ]
[ENC] received unknown vendor ID: 81:75:2e:b5:91:4d:73:5c:df:cd:c8:58:c3:a8:ed:7c:1c:66:d1:42
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[IKE] local host is behind NAT, sending keep alives
[IKE] received 1 cert requests for an unknown ca
[IKE] authentication of 'marcwittke@my.comp.any' (myself) with pre-shared key
[IKE] establishing CHILD_SA companyvpn{2}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 192.168.86.154[4500] to 81.81.81.81[4500] (352 bytes)
[NET] received packet: from 81.81.81.81[4500] to 192.168.86.154[4500] (272 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(DNS DNS ADDR) TSi TSr N(INIT_CONTACT) SA ]
[IKE] authentication of 'marcwittke@my.comp.any' with pre-shared key successful
[IKE] IKE_SA IKEv2PSK[1] established between 192.168.86.154[marcwittke@my.comp.any]...81.81.81.81[marcwittke@my.comp.any]
[IKE] scheduling rekeying in 13756s
[IKE] maximum IKE_SA lifetime 15196s
[IKE] installing DNS server 192.168.0.132 via resolvconf
[IKE]
[IKE] removing DNS server 192.168.0.132 via resolvconf
[IKE]
[IKE] adding DNS server failed
[IKE] installing DNS server 192.168.0.132 via resolvconf
[IKE]
[IKE] removing DNS server 192.168.0.132 via resolvconf
[IKE]
[IKE] adding DNS server failed
[CFG] handling INTERNAL_IP4_DNS attribute failed
[IKE] installing DNS server 192.168.0.133 via resolvconf
[IKE]
[IKE] removing DNS server 192.168.0.133 via resolvconf
[IKE]
[IKE] adding DNS server failed
[CFG] handling INTERNAL_IP4_DNS attribute failed
[IKE] installing new virtual IP 192.168.0.209
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
[IKE] CHILD_SA companyvpn{2} established with SPIs c8e1e976_i 50a2c8ef_o and TS 192.168.0.209/32 === 192.168.0.0/24
initiate completed successfully
The DNS error is still present, but it is mitigated by my configuration of dnsmasq. BUT: after a reboot I was unable to establish the tunnel. It complained about some kernel-module-related stuff:
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
[KNL] received netlink error: Protocol not supported (93)
[KNL] unable to add SAD entry with SPI c3ced924 (FAILED)
[KNL] received netlink error: Protocol not supported (93)
[KNL] unable to add SAD entry with SPI bd0ca47e (FAILED)
[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
[IKE] failed to establish CHILD_SA, keeping IKE_SA
According to the strongswan wiki this is caused by missing kernel modules. I am very unsure about this, because when I ran the shell commands you requested (including switching to permissive mode) it suddenly worked! And: it still works when re-enabling the enforcing mode. What is going on here?
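For anyone triaging the same kind of output, here is a small helper script I put together as an added example; it is not part of the post above and not the poster's configuration. It does three things: renders the kind of dnsmasq split-DNS fragment the post describes (my.comp.any forwarded to 192.168.0.132, everything else to the router; the dnsmasq option names are real, the upstream choice is my assumption), classifies a swanctl --initiate transcript into the two failure modes visible in the thread (resolvconf DNS install failing while the tunnel still comes up, versus the netlink "Protocol not supported" error that prevents the CHILD_SA), and optionally dry-runs modprobe for the IPv4 ESP/xfrm modules. The module list is my reading of what strongSwan's netlink backend needs, not something stated in the thread, and the sample transcripts are abbreviated from the post's own logs.

```shell
#!/usr/bin/env bash
# Added example for the thread above; not the poster's config or strongSwan code.

# (a) dnsmasq fragment: listen only on loopback, send one zone to the work
# resolver, everything else to the given upstream. Option names are real
# dnsmasq options; which upstream to use is an assumption.
dnsmasq_split_dns_conf() {
  zone="$1"; work_dns="$2"; upstream="$3"
  cat <<EOF
listen-address=127.0.0.1
bind-interfaces
no-resolv
server=/${zone}/${work_dns}
server=${upstream}
EOF
}

# (b) Classify a swanctl --initiate transcript passed as one string.
# Prints a comma-joined list of findings, e.g. "tunnel-up,dns-install-failed".
triage_swanctl_log() {
  log="$1"; out=""
  has() { printf '%s\n' "$log" | grep -q -- "$1"; }
  has 'initiate completed successfully'                  && out="${out}tunnel-up,"
  has 'adding DNS server failed'                         && out="${out}dns-install-failed,"
  has 'received netlink error: Protocol not supported'   && out="${out}kernel-sa-failed,"
  has 'failed to establish CHILD_SA'                     && out="${out}child-sa-failed,"
  [ -n "$out" ] || out="unknown,"
  printf '%s\n' "${out%,}"
}

# How many DNS server installs the resolvconf plugin gave up on.
count_dns_failures() {
  printf '%s\n' "$1" | grep -c 'adding DNS server failed' || true
}

# (c) Live check (not run by the demo below): are the IPsec kernel modules
# loadable? "modprobe -n" also succeeds for built-in modules. The module
# list is my assumption of what strongSwan's netlink backend needs.
ipsec_modules_missing() {
  missing=""
  command -v modprobe >/dev/null 2>&1 || { echo "modprobe-unavailable"; return 0; }
  for m in xfrm_user esp4 ah4; do
    modprobe -n -q "$m" 2>/dev/null || missing="$missing $m"
  done
  printf '%s\n' "${missing# }"
}

# Constructed samples, abbreviated from the transcripts quoted in the thread.
SAMPLE_DOCKED='[IKE] installing DNS server 192.168.0.132 via resolvconf
[IKE] adding DNS server failed
[IKE] installing DNS server 192.168.0.132 via resolvconf
[IKE] adding DNS server failed
[CFG] handling INTERNAL_IP4_DNS attribute failed
[IKE] installing DNS server 192.168.0.133 via resolvconf
[IKE] adding DNS server failed
[CFG] handling INTERNAL_IP4_DNS attribute failed
[IKE] installing new virtual IP 192.168.0.209
initiate completed successfully'

SAMPLE_REBOOT='[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
[KNL] received netlink error: Protocol not supported (93)
[KNL] unable to add SAD entry with SPI c3ced924 (FAILED)
[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
[IKE] failed to establish CHILD_SA, keeping IKE_SA'

# Demo: what the two runs from the thread look like after triage.
printf 'dnsmasq fragment:\n%s\n' "$(dnsmasq_split_dns_conf my.comp.any 192.168.0.132 192.168.86.254)"
printf 'docked run  : %s (%s DNS installs failed)\n' \
  "$(triage_swanctl_log "$SAMPLE_DOCKED")" "$(count_dns_failures "$SAMPLE_DOCKED")"
printf 'after reboot: %s\n' "$(triage_swanctl_log "$SAMPLE_REBOOT")"
```

The distinction the classifier makes matters for where to look next: "dns-install-failed" alongside "tunnel-up" is a resolver plumbing problem (the tunnel works, only the pushed DNS servers did not land, which is exactly what the local dnsmasq forwarder papers over), while "kernel-sa-failed" means no ESP state was installed at all, so no traffic will flow regardless of DNS. Running ipsec_modules_missing on the affected box after a reboot, and comparing its output with a run after the tunnel has come up, separates a genuinely absent module from a policy or ordering issue.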