[strongSwan] Can NOT Ping private client IP from Strongswan VPN server

MOSES KARIUKI kariukims at gmail.com
Thu Feb 21 15:45:04 CET 2019


Hi All,

I have configured Strongswan on Ubuntu 18.04 as below:

On the client side:
ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0, x86_64):
  uptime: 29 minutes, since Feb 20 17:55:09 2019
  malloc: sbrk 3256320, mmap 532480, used 1349136, free 1907184
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 2
  loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2
sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints
acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey
pem openssl gcrypt fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr
ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve
socket-default connmark farp stroke updown eap-identity eap-sim
eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth
eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls
eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs
tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify
certexpire led radattr addrblock unity counters
Listening IP addresses:
  185.135.*.**
  2a03:a960:5:42a:8000::
  ::2
Connections:
ipsec-ikev2-vpn-client:  %any...102.1*9.2**.***  IKEv1/2
ipsec-ikev2-vpn-client:   local:  [remoteprivate] uses EAP_MSCHAPV2
authentication with EAP identity '%any'
ipsec-ikev2-vpn-client:   remote: [102.1*9.2**.***] uses public key
authentication
ipsec-ikev2-vpn-client:   child:  dynamic === 0.0.0.0/0 TUNNEL
Security Associations (1 up, 0 connecting):
ipsec-ikev2-vpn-client[1]: ESTABLISHED 29 minutes ago,
185.135.9.62[remoteprivate]...102.1*9.2**.***[102.1*9.2**.***]
ipsec-ikev2-vpn-client[1]: IKEv2 SPIs: 0338f500edc84652_i*
1ae30618408f64a4_r, EAP reauthentication in 2 hours
ipsec-ikev2-vpn-client[1]: IKE proposal:
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

hostname -I
127.0.0.1 185.135.*.** 10.10.10.1 2a03:a960:5:42a:8000:: ::2

On the server:
ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-45-generic,
x86_64):
  uptime: 21 hours, since Feb 19 23:58:30 2019
  malloc: sbrk 3256320, mmap 532480, used 1645568, free 1610752
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 1
  loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2
sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints
acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey
pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac
hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink
resolve socket-default connmark farp stroke updown eap-identity eap-sim
eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth
eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls
eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs
tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify
certexpire led radattr addrblock unity counters
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/1/0
Listening IP addresses:
  102.1*9.2**.***
Connections:
   ikev2-vpn:  %any...%any  IKEv2, dpddelay=300s
   ikev2-vpn:   local:  [ 102.1*9.2**.*** ] uses public key authentication
   ikev2-vpn:    cert:  "CN= 102.1*9.2**.***"
   ikev2-vpn:   remote: uses EAP_MSCHAPV2 authentication with EAP identity
'%any'
   ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
   ikev2-vpn[21]: ESTABLISHED 41 minutes ago,  102.1*9.2**.***[
102.1*9.2**.***]... 185.135.*.** [remoteprivate]
   ikev2-vpn[21]: IKEv2 SPIs: 0338f500edc84652_i 1ae30618408f64a4_r*,
rekeying disabled
   ikev2-vpn[21]: IKE proposal:
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048


I need assistance reaching the client's private IP 10.10.10.1 from my VPN
server. When I try, I get this response:
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
From 38.32.**.1** icmp_seq=1 Destination Net Unreachable
From 38.32.**.1** icmp_seq=5 Destination Net Unreachable
From 38.32.**.1** icmp_seq=6 Destination Net Unreachable
From 38.32.**.1** icmp_seq=8 Destination Net Unreachable
From 38.32.**.1** icmp_seq=10 Destination Net Unreachable

Please assist.

Regards,
Moses
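The check a practitioner would run on the server before anything else, as an added example that is not part of Moses's post or of strongSwan itself: the echo requests were answered with "Destination Net Unreachable" by an upstream hop (38.32.**.1**), not by anything on the tunnel, which is what you see when the server's own packets to the client's virtual IP are routed over the normal routing table instead of being caught by an outbound xfrm policy for 10.10.10.1/32. The script below parses the text of `ip xfrm policy` and `ip route show table 220` (the routing table charon installs its routes into by default) and reports whether an outbound tunnel policy and a host route exist for the virtual IP. The sample outputs embedded in it are constructed; the public addresses in them are RFC 5737 documentation addresses standing in for the poster's real ones, and the interface name `eth0` is assumed. Run it with `--live` on the actual server to read the real kernel state.

```shell
#!/bin/sh
# Added example (not from the strongSwan post): does the VPN server's kernel
# have an outbound IPsec policy and a charon-installed route for the client's
# virtual IP?  Without a matching "dir out" policy, a ping to the VIP leaves the
# server unencrypted over the default route, and an upstream router may answer
# it with "Destination Net Unreachable".

VIP="10.10.10.1"   # client's virtual IP, from the 10.10.10.0/24 pool in the post

# Constructed sample of `ip xfrm policy` on a healthy server (out/fwd/in for the
# VIP).  203.0.113.10 plays the server, 198.51.100.20 the client's public address.
SAMPLE_POLICY_OK='src 0.0.0.0/0 dst 10.10.10.1/32
    dir out priority 375423 ptype main
    tmpl src 203.0.113.10 dst 198.51.100.20
        proto esp reqid 1 mode tunnel
src 10.10.10.1/32 dst 0.0.0.0/0
    dir fwd priority 375423 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 1 mode tunnel
src 10.10.10.1/32 dst 0.0.0.0/0
    dir in priority 375423 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 1 mode tunnel'

# Constructed sample with only inbound/forward policies: the server can receive
# from the client, but its own packets towards the VIP are never tunnelled.
SAMPLE_POLICY_BROKEN='src 10.10.10.1/32 dst 0.0.0.0/0
    dir fwd priority 375423 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 1 mode tunnel
src 10.10.10.1/32 dst 0.0.0.0/0
    dir in priority 375423 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 1 mode tunnel'

# Constructed sample of `ip route show table 220` (eth0 is an assumed name).
SAMPLE_ROUTE_OK='10.10.10.1 dev eth0 proto static src 203.0.113.10'

# has_out_policy VIP TEXT: succeed if TEXT contains a "dir out" policy whose
# destination selector is VIP/32 (or the catch-all 0.0.0.0/0).
has_out_policy() {
    printf '%s\n' "$2" | awk -v vip="$1" '
        /^src /   { dst = $4 }                 # selector line opens a record
        /dir out/ { if (dst == (vip "/32") || dst == "0.0.0.0/0") found = 1 }
        END       { exit found ? 0 : 1 }
    '
}

# has_vip_route VIP TEXT: succeed if TEXT has a host route whose prefix is VIP.
has_vip_route() {
    printf '%s\n' "$2" | awk -v vip="$1" '
        $1 == vip || $1 == (vip "/32") { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# diagnose VIP POLICY_TEXT ROUTE_TEXT: print one verdict per check; return 0
# only when both checks pass.
diagnose() {
    rc=0
    if has_out_policy "$1" "$2"; then
        echo "ok:      outbound xfrm policy covers $1"
    else
        echo "missing: no 'dir out' policy for $1 -> pings leave unencrypted"; rc=1
    fi
    if has_vip_route "$1" "$3"; then
        echo "ok:      table 220 has a route for $1"
    else
        echo "missing: no route for $1 in table 220 (charon.install_routes?)"; rc=1
    fi
    return $rc
}

# --live reads the real kernel state (iproute2 on the VPN server); otherwise the
# constructed samples are used so the script runs anywhere.
if [ "${1-}" = "--live" ]; then
    diagnose "$VIP" "$(ip xfrm policy)" "$(ip route show table 220)"
else
    echo "# healthy sample"; diagnose "$VIP" "$SAMPLE_POLICY_OK" "$SAMPLE_ROUTE_OK"
    echo "# broken sample";  diagnose "$VIP" "$SAMPLE_POLICY_BROKEN" "" || true
fi
```

If the live run reports a missing outbound policy while `ipsec statusall` shows the CHILD_SA installed, compare the server's traffic selectors against what it is pinging with (`ping -I <server address>` from an address inside the policy's source selector is the usual follow-up); if the policy is there but the route in table 220 is not, check `charon.install_routes` and the `charon.routing_table` setting in strongswan.conf.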