[strongSwan] net-net sample can not work on ubuntu14.04

Noel Kuntze noel at familie-kuntze.de
Mon May 4 12:39:58 CEST 2015


Hello Zhuyj,

Please check that you enabled forwarding for the network devices
that are involved in the forwarding of the packets.
Also, please check the counters in the output of ipsec statusall to see
if the packets get decrypted. The counters should increment when you send
packets to the remote subnet.

Mit freundlichen Grüßen/Regards,
Noel Kuntze

Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 04.05.2015 um 12:34 schrieb zhuyj:
> Hi, Noel
> 
> Thanks for your reply.
> I read carefully this link: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> 
> In this link, I think, the most important is: ip_forward and iptables.
> Now I show you the configurations on the sun:
> 
> root@strongswan2:~# cat /proc/sys/net/ipv4/ip_forward
> 1
> root@strongswan2:~# iptables-save
> # Generated by iptables-save v1.4.21 on Mon May  4 18:29:28 2015
> *nat
> :PREROUTING ACCEPT [93:14126]
> :INPUT ACCEPT [36:4578]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [1:84]
> -A POSTROUTING -s 10.0.0.0/8 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
> -A POSTROUTING -s 10.0.0.0/8 -o eth1 -j MASQUERADE
> COMMIT
> # Completed on Mon May  4 18:29:28 2015
> # Generated by iptables-save v1.4.21 on Mon May  4 18:29:28 2015
> *filter
> :INPUT ACCEPT [2033:256543]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [182:23858]
> -A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 10.2.0.0/16 -d 10.1.0.0/16 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> COMMIT
> # Completed on Mon May  4 18:29:28 2015
> 
> I think, ip forward feature is enabled in sun. And the iptables rules are inserted.
> But the result is the same.
> 
> Any reply is appreciated.
> 
> Thanks a lot.
> Zhu Yanjun
> 
> On 05/04/2015 06:01 PM, Noel Kuntze wrote:
> Hello,
> 
> Did you follow the guide for forwarding[1]?
> 
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> 
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
> 
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> Am 04.05.2015 um 11:25 schrieb zhuyj:
>>>> Hi,
>>>>
>>>> Are you using psk or certificate to auth?
>>>>
>>>> Best Regards!
>>>> Zhu Yanjun
>>>> On 05/04/2015 05:18 PM, zhuyj wrote:
>>>>> Hi, Bernhard
>>>>>
>>>>> Your problem is the same as mine.
>>>>>
>>>>> Best Regards!
>>>>> Zhu Yanjun
>>>>>
>>>>> On 05/04/2015 05:00 PM, Bernhard Marx wrote:
>>>>>> Hi Zhu,
>>>>>>
>>>>>> no problem. I wish I would have :-)
>>>>>> But moon and sun is connected via public networks?
>>>>>> This is my scenario:
>>>>>>
>>>>>> 192.168.2.0/24 <=> 192.168.2.1 hardware router xx.xx.xx.xx (public IP from provider) <=> Internet <=> public IP on eth0 192.168.120.125 <=> 192.168.120.0/24 on eth1
>>>>>>
>>>>>> I can ping from 192.168.120.125 to 192.168.2.1 and vice versa - but I can not reach any devices in the subnet...
>>>>>>
>>>>>> Regards
>>>>>> Bernhard
>>>>>>
>>>>>>
>>>>>> 2015-05-04 10:51 GMT+02:00 zhuyj <mounter625 at 163.com>:
>>>>>>
>>>>>>      Sorry. I thought you solved this problem already.
>>>>>>      Do you think that it is related with psk or pubkey? I mean that strongswan can support auth-based certificate very well.
>>>>>>      Maybe there is something wrong with psk auth?
>>>>>>
>>>>>>      Zhu Yanjun
>>>>>>
>>>>>>
>>>>>>      On 05/04/2015 04:45 PM, zhuyj wrote:
>>>>>>>      Hi, Marx
>>>>>>>
>>>>>>>      Please let me know how to solve this problem.
>>>>>>>
>>>>>>>      Thanks a lot.
>>>>>>>      Zhu Yanjun
>>>>>>>
>>>>>>>      On 05/04/2015 04:22 PM, Bernhard Marx wrote:
>>>>>>>>      Dear Zhu,
>>>>>>>>
>>>>>>>>      I think I have the issue... as send a request to mail list yesterday...
>>>>>>>>
>>>>>>>>      Feedback I received is to check the routing of packets... but I can't identify the issue...
>>>>>>>>
>>>>>>>>      Regards
>>>>>>>>      Bernhard
>>>>>>>>
>>>>>>>>      2015-05-04 10:17 GMT+02:00 zhuyj <mounter625 at 163.com>:
>>>>>>>>
>>>>>>>>          Hi, all
>>>>>>>>
>>>>>>>>          I followed this link: http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/
>>>>>>>>
>>>>>>>>          I configured 4 VMware hosts. The hosts are ubuntu14.04.
>>>>>>>>
>>>>>>>>          The network topology is as below.
>>>>>>>>
>>>>>>>>          10.1.0.10 <---->10.1.0.1 (moon) 192.168.0.1<----->192.168.0.2 (sun) 10.2.0.1<---->10.2.0.10
>>>>>>>>
>>>>>>>>          strongswan is 5.1.2.
>>>>>>>>
>>>>>>>>          From this link: http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/, after a vpn tunnel is created,
>>>>>>>>          I ran "ping 10.2.0.10" on client 10.1.0.10. But I can not get any reply from 10.2.0.10.
>>>>>>>>
>>>>>>>>          I can find the icmp packets into moon. But moon will not forward these icmp packets.
>>>>>>>>
>>>>>>>>          I exactly followed this link http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/, but I can not get
>>>>>>>>          the same test result with this link.
>>>>>>>>
>>>>>>>>          Does any one have the similar experience?
>>>>>>>>
>>>>>>>>          Any reply is appreciated.
>>>>>>>>
>>>>>>>>          Thanks a lot.
>>>>>>>>          Zhu Yanjun
>>>>>>>>
>>>>>>>>
>>>>>>>>          _______________________________________________
>>>>>>>>          Users mailing list
>>>>>>>>          Users at lists.strongswan.org
>>>>>>>>          https://lists.strongswan.org/mailman/listinfo/users
> 
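
The two checks suggested at the top of this message (per-device forwarding and the CHILD_SA counters in ipsec statusall), as an added example that is not part of the original thread. The function names and the connection name net-net are assumptions, and the statusall excerpts are constructed samples in the layout strongSwan 5.x prints.

```sh
#!/bin/sh
# Added example, not from the thread. Sample snapshots below are constructed.

# Print "<child-sa> <bytes_i> <bytes_o>" for each CHILD_SA counter line on stdin.
sa_counters() {
  awk '/bytes_i/ && /bytes_o/ {
    name = $1; sub(/:$/, "", name)
    for (i = 2; i <= NF; i++) {
      if ($i ~ /^bytes_i/) bi = $(i - 1)
      if ($i ~ /^bytes_o/) bo = $(i - 1)
    }
    print name, bi, bo
  }'
}

# Compare two snapshots taken before and after sending traffic to the remote subnet.
diagnose() {  # usage: diagnose "$before" "$after" <child-sa>
  b=$(printf '%s\n' "$1" | sa_counters | awk -v n="$3" '$1 == n { print $2, $3 }')
  a=$(printf '%s\n' "$2" | sa_counters | awk -v n="$3" '$1 == n { print $2, $3 }')
  if [ -z "$b" ] || [ -z "$a" ]; then echo "sa-missing"; return 0; fi
  set -- $b $a   # now: $1=in_before $2=out_before $3=in_after $4=out_after
  if   [ "$4" -le "$2" ]; then echo "no-outbound"   # nothing was encrypted on this gateway
  elif [ "$3" -le "$1" ]; then echo "no-inbound"    # sent, but nothing came back decrypted
  else echo "both-increment"; fi
}

# List devices whose per-interface IPv4 forwarding flag is 0.
fwd_disabled() {  # usage: fwd_disabled [sysctl-root]   (default /proc/sys)
  for f in "${1:-/proc/sys}"/net/ipv4/conf/*/forwarding; do
    [ -r "$f" ] || continue
    [ "$(cat "$f")" = 0 ] && basename "$(dirname "$f")"
  done
  return 0
}

# Constructed `ipsec statusall` excerpts (layout as printed by strongSwan 5.x).
SNAP_IDLE='net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: c0000001_i c0000002_o
net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 14 minutes
net-net{1}:   10.1.0.0/16 === 10.2.0.0/16'
SNAP_SENT='net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 252 bytes_o (3 pkts, 1s ago), rekeying in 13 minutes'
SNAP_OK='net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 252 bytes_i (3 pkts, 0s ago), 252 bytes_o (3 pkts, 1s ago), rekeying in 13 minutes'

# On a live gateway: before=$(ipsec statusall); ping the remote subnet; after=$(ipsec statusall)
diagnose "$SNAP_IDLE" "$SNAP_IDLE" 'net-net{1}'
fwd_disabled
```

A result of no-outbound on the gateway that receives the cleartext ping means the packets never matched the IPsec policy there, so the forwarding flags and firewall rules on that host are the place to look; no-inbound moves the search to the peer or the return path.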