[strongSwan] IPSec Tunnel Up, But No Traffic
Joe Ryan
jr at aphyt.com
Tue Jul 29 22:46:11 CEST 2014
Thank you for the response, Noel. The bytes_o goes up when I ping from
either of the hosts, but the bytes_i remains at zero for both. Both
machines have an iptables firewall, and when I do iptables -L -n I see
that StrongSwan has inserted several rules (as shown below) matching
ipsec traffic. From your response it seems I should open additional
protocols, sources and destinations, but I'm not sure what I should open
to get traffic but stay secure. Any suggestions would be great.
Thank you,
Joe
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.128.0.0/16        192.168.250.0/24     policy match dir in pol ipsec reqid 1 proto 50

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.128.0.0/16        192.168.250.0/24     policy match dir in pol ipsec reqid 1 proto 50
ACCEPT     all  --  192.168.250.0/24     10.128.0.0/16        policy match dir out pol ipsec reqid 1 proto 50

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.250.0/24     10.128.0.0/16        policy match dir out pol ipsec reqid 1 proto 50
On 2014-07-29 13:27, Noel Kuntze wrote:
>
> Hello Joe,
>
> Is there a firewall active on either of the hosts? Do the traffic
> counters, which are shown in the output of "ipsec statusall",
> increment?
>
> Regards,
> Noel Kuntze
>
> GPG Key id: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> On 29.07.2014 at 22:24, Joe Ryan wrote:
>> Hello Everyone,
>>
>> I have a DigitalOcean VPS running Ubuntu 12.04 that I want to connect
>> to with a BeagleBone running Debian so that I can access all of the
>> devices on the same subnet as the BeagleBone, and not have to worry
>> about an IT department opening ports. I have tried this with both
>> StrongSwan 4.5.2 and 5.2.0 and have the same result, so I'm sure it's
>> my configuration. After bringing up the connection everything
>> negotiates as expected, and the final line of ipsec statusall is
>> machinetun{1}: 10.128.0.0/16 === 192.168.250.0/24, where machinetun
>> is the connection, 10.128.0.0/16 is a private network on DigitalOcean,
>> and 192.168.250.0/24 is a private network on my machine. My logs
>> show the CHILD_SA being established and rekeyed as expected, with keep
>> alive packets going out frequently, and nothing to suggest a problem.
>>
>> At this point I would hope that I would be able to ping the gateway on
>> my machine, 192.168.250.60 from the DigitalOcean VPS private IP
>> address using one of the following:
>>
>> #ping the BeagleBone gateway from DO
>> ping 192.168.250.60
>> #ping the BeagleBone gateway with an interface on the DO private
>> network
>> ping -I 10.128.120.160 192.168.250.60
>>
>> But get no results in this direction or the reverse.
>>
>> I also have net.ipv4.ip_forward 1 on both machines.
>>
>> My configurations are below, and I hope someone might have a good idea
>> what direction I can look in to figure out what I've done wrong.
>>
>> # BeagleBone Conf
>> config setup
>>     strictcrlpolicy=no
>>     charondebug=1
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=%forever
>>     keyexchange=ikev2
>>     left=%any
>>     leftcert=beagleCert.der
>>     leftid=beagle at hostname.com
>>     lefthostaccess=yes
>>     leftfirewall=yes
>>
>> conn machinetun
>>     leftsourceip=%config
>>     leftsubnet=192.168.250.0/24
>>     right=hostname.com
>>     rightid=@hostname.com
>>     rightsubnet=10.128.0.0/16
>>     auto=start
>>
>> # DigitalOcean Conf
>> config setup
>>     strictcrlpolicy=no
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     keyexchange=ikev2
>>     left=%any
>>     leftcert=svCert.der
>>     leftid=@hostname.com
>>     lefthostaccess=yes
>>     leftfirewall=yes
>>
>> conn machinetun
>>     leftsubnet=10.128.0.0/16
>>     right=%any
>>     rightsubnet=192.168.250.0/24
>>     rightid=beagle at hostname.com
>>     rightsourceip=10.128.0.50
>>     auto=add
>>
>> Thank you,
>> Joe
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
--
Joe Ryan
aphyt - open source tools for industrial automation
jr at aphyt.com
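As an added example (not code from this thread, from Joe's setup, or from strongSwan itself), the two checks below turn the symptom discussed here into something scriptable: one reads "ipsec statusall" text and classifies each CHILD_SA by its bytes_i/bytes_o counters, the other reads "iptables -L -n" text and reports whether IKE (udp/500, udp/4500) and ESP (protocol 50) can reach a chain, since the policy-match rules that leftfirewall=yes inserts only cover the decrypted payload and not the ESP/IKE packets themselves. The statusall excerpt, the peer address 198.51.100.7, the SPIs, the algorithms and the counters are constructed; the INPUT chain is copied from the listing above, and the "tightened" INPUT chain is a made-up variant with a default DROP policy.

```sh
#!/bin/sh
# Added example: diagnose a CHILD_SA that is INSTALLED while bytes_o grows and
# bytes_i stays at 0, and check whether the host firewall admits IKE and ESP.

# Constructed "ipsec statusall" excerpt: connection name and subnets are from
# the thread; the peer address, SPIs, algorithms and counters are made up.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
machinetun[1]: ESTABLISHED 12 minutes ago, 10.128.120.160[@hostname.com]...198.51.100.7[beagle@hostname.com]
machinetun{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f6a7b8_o
machinetun{1}:   AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 4200 bytes_o (50 pkts, 3s ago), rekeying in 14 minutes
machinetun{1}:   10.128.0.0/16 === 192.168.250.0/24'

# The INPUT chain as listed in the thread (default policy ACCEPT).
PAGE_INPUT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.128.0.0/16        192.168.250.0/24     policy match dir in pol ipsec reqid 1 proto 50'

# Constructed tightened INPUT chain: default DROP, IKE on udp/500 allowed from
# the peer, but no rule yet for udp/4500 (NAT-T) or for ESP.
TIGHT_INPUT='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  198.51.100.7         0.0.0.0/0            udp dpt:500
ACCEPT     all  --  10.128.0.0/16        192.168.250.0/24     policy match dir in pol ipsec reqid 1 proto 50'

# Usage: sa_direction "<statusall text>"
# Prints "<sa-name> <bytes_i> <bytes_o> <verdict>" per CHILD_SA line carrying
# counters. Verdicts: ok, no-return, no-send, idle.
sa_direction() {
    printf '%s\n' "$1" | awk '
        /bytes_i/ && /bytes_o/ {
            name = $1; sub(/:$/, "", name)
            bi = bo = -1
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^bytes_i/) bi = $(i - 1) + 0
                if ($i ~ /^bytes_o/) bo = $(i - 1) + 0
            }
            if (bi > 0 && bo > 0)       v = "ok"
            else if (bi == 0 && bo > 0) v = "no-return"
            else if (bi > 0 && bo == 0) v = "no-send"
            else                        v = "idle"
            printf "%s %d %d %s\n", name, bi, bo, v
        }'
}

# Usage: ike_esp_status "<iptables -L -n text>" CHAIN
# Prints policy-accept, rules-present, rules-missing:<what>, or chain-not-found.
# Only the prot column and the port match text count: the "proto 50" inside a
# "policy match" rule describes the xfrm policy, not an ESP accept rule.
ike_esp_status() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Chain / {
            cur = $2
            if (cur == chain) { found = 1; pol = $4; sub(/\)$/, "", pol) }
            next
        }
        cur != chain || $1 != "ACCEPT" { next }
        $2 == "esp" { esp = 1 }
        $2 == "udp" && /dpt:500([^0-9]|$)/  { ike = 1 }
        $2 == "udp" && /dpt:4500([^0-9]|$)/ { natt = 1 }
        END {
            if (!found)             { print "chain-not-found"; exit }
            if (pol == "ACCEPT")    { print "policy-accept";   exit }
            if (esp && ike && natt) { print "rules-present";   exit }
            miss = ""
            if (!ike)  miss = miss "udp/500 "
            if (!natt) miss = miss "udp/4500 "
            if (!esp)  miss = miss "esp"
            sub(/ $/, "", miss)
            print "rules-missing:" miss
        }'
}

# Usage: explain_verdict VERDICT -> what to look at next for that verdict.
explain_verdict() {
    case "$1" in
        ok)        echo "traffic flows in both directions" ;;
        no-return) echo "ESP leaves this host but nothing is decrypted inbound: compare the peer's counters (they should be the mirror image), confirm ESP and IKE from the peer reach this host, and check that the peer routes and forwards the remote subnet" ;;
        no-send)   echo "inbound is decrypted but nothing is sent: check routing and xfrm policy for the remote subnet on this host" ;;
        idle)      echo "no traffic in either direction yet" ;;
        *)         echo "unknown verdict: $1" ;;
    esac
}

# Demonstration on the constructed inputs.
sa_direction "$SAMPLE_STATUS" | while read -r name bi bo verdict; do
    echo "$name: bytes_i=$bi bytes_o=$bo -> $verdict"
    echo "  next: $(explain_verdict "$verdict")"
done
echo "INPUT as listed in the thread: $(ike_esp_status "$PAGE_INPUT" INPUT)"
echo "INPUT tightened (constructed): $(ike_esp_status "$TIGHT_INPUT" INPUT)"
```

On the thread's own listing every chain has a default policy of ACCEPT, so the script reports policy-accept for INPUT and the host firewall is not what stops ESP or IKE; the "no-return" verdict for the CHILD_SA then points at the peer's counters, its forwarding and its routing for the remote subnet. The tightened variant shows what the check flags once the default policy is DROP: the explicit udp/4500 and esp rules that must accompany udp/500.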