Hello!!

My first post to this list. This is a quite long message, and I hope you have time to look it over. I am trying to make a two-gateway setup, where one gateway is behind DHCP and NAT and the other has a static public IP without NAT, with no success...

Here's my setup:


private-lan-192.168.1.0/24
        |
        |
--------------------
 eth1-192.168.1.210

 public vpn-gw with
 static address
 Responder

 eth0-193.185.215.163
--------------------
        |
        |
     Internet
        |
        |
--------------------
 NAT & DHCP device
--------------------
        |
        |
--------------------
 eth0-private-DHCP-addr

 dynamic vpn-gw with
 dhcp-address & behind nat
 Initiator

 eth1-192.168.2.1
--------------------
        |
        |
private-lan-192.168.2.0/24



Here are the configurations for the public, static vpn-gateway (waiting for connections):

config setup
    crlcheckinterval=600
    strictcrlpolicy=no
    nat_traversal=yes
    cachecrls=yes
    plutostart=no
    plutodebug=none
    uniqueids=yes
    charondebug="dmn 0, mgr 1, ike 2, chd 0, job 0, cfg 1, knl 2, net 2, enc 1, lib 0"

conn %default
    mobike=no
    keyingtries=1
    keyexchange=ikev2
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    pfs=yes
    ike=aes256-sha2_512-modp4096,aes256-sha2_512-modp8192
    esp=aes256-aesxcbc-modp2048!

conn dynamic-vpn-gw
    authby=secret
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftid="me@static-vpn-gw"
    leftfirewall=yes
    right=%any
    rightid="me@dynamic-vpn-gw"
    rightsubnet=192.168.2.0/24
    rightsendcert=never
    auto=add


...and here are the configurations for the dynamic, private vpn-gateway (initiates the connection):

config setup
    crlcheckinterval=600
    strictcrlpolicy=no
    nat_traversal=yes
    cachecrls=yes
    plutostart=no
    plutodebug=none
    uniqueids=yes
    charondebug="dmn 0, mgr 1, ike 2, chd 0, job 0, cfg 1, knl 2, net 2, enc 1, lib 0"

conn %default
    mobike=no
    keyingtries=1
    keyexchange=ikev2
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    pfs=yes
    ike=aes256-sha2_512-modp4096,aes256-sha2_512-modp8192
    esp=aes256-aesxcbc-modp2048!

conn static-vpn-gw
    authby=psk
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftid="me@dynamic-vpn-gw"
    leftfirewall=yes
    right=193.185.215.163
    rightid="me@static-vpn-gw"
    rightsubnet=192.168.1.0/24
    rightsendcert=never
    auto=start

...and both have the same strongswan.conf:

# strongswan.conf - strongSwan configuration file
charon {
    threads = 16
    install_routes = yes
}

It seems that IKE and TUNNEL are established as they should be; here is the capture from the public vpn:


Mar 23 14:14:34 static-vpn-gw ipsec_starter[11377]: Starting strongSwan 4.5.1 IPsec [starter]...
Mar 23 14:14:34 static-vpn-gw charon: 00[KNL] listening on interfaces:
Mar 23 14:14:34 static-vpn-gw charon: 00[KNL]   eth0
Mar 23 14:14:34 static-vpn-gw charon: 00[KNL]     193.185.215.163
Mar 23 14:14:34 static-vpn-gw charon: 00[KNL]     fe80::21c:25ff:fed8:f70
Mar 23 14:14:34 static-vpn-gw charon: 00[KNL]   eth1
Mar 23 14:14:34 static-vpn-gw charon: 00[KNL]     192.168.1.210
Mar 23 14:14:34 static-vpn-gw charon: 00[KNL]     fe80::21b:21ff:fe30:4666
Mar 23 14:14:34 static-vpn-gw charon: 00[CFG] loading ca certificates from '/opt/strongswan-4.5.1/etc/ipsec.d/cacerts'
Mar 23 14:14:34 static-vpn-gw charon: 00[CFG] loading aa certificates from '/opt/strongswan-4.5.1/etc/ipsec.d/aacerts'
Mar 23 14:14:34 static-vpn-gw charon: 00[CFG] loading ocsp signer certificates from '/opt/strongswan-4.5.1/etc/ipsec.d/ocspcerts'
Mar 23 14:14:34 static-vpn-gw charon: 00[CFG] loading attribute certificates from '/opt/strongswan-4.5.1/etc/ipsec.d/acerts'
Mar 23 14:14:34 static-vpn-gw charon: 00[CFG] loading crls from '/opt/strongswan-4.5.1/etc/ipsec.d/crls'
Mar 23 14:14:34 static-vpn-gw charon: 00[CFG] loading secrets from '/opt/strongswan-4.5.1/etc/ipsec.secrets'
Mar 23 14:14:34 static-vpn-gw charon: 00[CFG]   loaded IKE secret for me@static-vpn-gw me@dynamic-vpn-gw
Mar 23 14:14:34 static-vpn-gw charon: 09[NET] waiting for data on raw sockets
Mar 23 14:14:34 static-vpn-gw ipsec_starter[11385]: charon (11386) started after 40 ms
Mar 23 14:14:34 static-vpn-gw charon: 07[CFG] crl caching to /opt/strongswan-4.5.1/etc/ipsec.d/crls enabled
Mar 23 14:14:34 static-vpn-gw charon: 12[CFG] received stroke: add connection 'dynamic-vpn-gw'
Mar 23 14:14:34 static-vpn-gw charon: 12[KNL] getting interface name for %any
Mar 23 14:14:34 static-vpn-gw charon: 12[KNL] %any is not a local address
Mar 23 14:14:34 static-vpn-gw charon: 12[KNL] getting interface name for 193.185.215.163
Mar 23 14:14:34 static-vpn-gw charon: 12[KNL] 193.185.215.163 is on interface eth0
Mar 23 14:14:34 static-vpn-gw charon: 12[CFG] added configuration 'dynamic-vpn-gw'
Mar 23 14:14:40 static-vpn-gw charon: 09[NET] received packet: from 193.185.215.146[500] to 193.185.215.163[500]
Mar 23 14:14:40 static-vpn-gw charon: 09[NET] waiting for data on raw sockets
Mar 23 14:14:40 static-vpn-gw charon: 14[NET] received packet: from 193.185.215.146[500] to 193.185.215.163[500]
Mar 23 14:14:40 static-vpn-gw charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 23 14:14:40 static-vpn-gw charon: 14[IKE] 193.185.215.146 is initiating an IKE_SA
Mar 23 14:14:40 static-vpn-gw charon: 14[IKE] 193.185.215.146 is initiating an IKE_SA
Mar 23 14:14:40 static-vpn-gw charon: 14[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Mar 23 14:14:41 static-vpn-gw charon: 14[IKE] remote host is behind NAT
Mar 23 14:14:41 static-vpn-gw charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar 23 14:14:41 static-vpn-gw charon: 14[NET] sending packet: from 193.185.215.163[500] to 193.185.215.146[500]
Mar 23 14:14:41 static-vpn-gw charon: 08[NET] sending packet: from 193.185.215.163[500] to 193.185.215.146[500]
Mar 23 14:14:41 static-vpn-gw charon: 09[NET] received packet: from 193.185.215.146[4500] to 193.185.215.163[4500]
Mar 23 14:14:41 static-vpn-gw charon: 15[NET] received packet: from 193.185.215.146[4500] to 193.185.215.163[4500]
Mar 23 14:14:41 static-vpn-gw charon: 09[NET] waiting for data on raw sockets
Mar 23 14:14:41 static-vpn-gw charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Mar 23 14:14:41 static-vpn-gw charon: 15[CFG] looking for peer configs matching 193.185.215.163[me@static-vpn-gw]...193.185.215.146[me@dynamic-vpn-gw]
Mar 23 14:14:41 static-vpn-gw charon: 15[CFG] selected peer config 'dynamic-vpn-gw'
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] authentication of 'me@dynamic-vpn-gw' with pre-shared key successful
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] authentication of 'me@static-vpn-gw' (myself) with pre-shared key
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] successfully created shared key MAC
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] IKE_SA dynamic-vpn-gw[1] established between 193.185.215.163[me@static-vpn-gw]...193.185.215.146[me@dynamic-vpn-gw]
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] IKE_SA dynamic-vpn-gw[1] established between 193.185.215.163[me@static-vpn-gw]...193.185.215.146[me@dynamic-vpn-gw]
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] IKE_SA dynamic-vpn-gw[1] state change: CONNECTING => ESTABLISHED
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] scheduling reauthentication in 3247s
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] maximum IKE_SA lifetime 3427s
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] getting SPI for reqid {1}
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] got SPI ceed53f3 for reqid {1}
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] adding SAD entry with SPI ceed53f3 and reqid {1}
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] using encryption algorithm AES_CBC with key size 256
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] using integrity algorithm AES_XCBC_96 with key size 128
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] adding SAD entry with SPI cf06ca01 and reqid {1}
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] using encryption algorithm AES_CBC with key size 256
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] using integrity algorithm AES_XCBC_96 with key size 128
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] adding policy 192.168.1.0/24 === 192.168.2.0/24 out
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] adding policy 192.168.2.0/24 === 192.168.1.0/24 in
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] adding policy 192.168.2.0/24 === 192.168.1.0/24 fwd
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] getting a local address in traffic selector 192.168.1.0/24
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] using host 192.168.1.210
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] getting address to reach 193.185.215.146
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] getting interface name for 193.185.215.163
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] 193.185.215.163 is on interface eth0
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] installing route: 192.168.2.0/24 via 193.185.215.161 src 192.168.1.210 dev eth0
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] getting iface index for eth0
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] CHILD_SA dynamic-vpn-gw{1} established with SPIs ceed53f3_i cf06ca01_o and TS 192.168.1.0/24 === 192.168.2.0/24
Mar 23 14:14:41 static-vpn-gw charon: 15[IKE] CHILD_SA dynamic-vpn-gw{1} established with SPIs ceed53f3_i cf06ca01_o and TS 192.168.1.0/24 === 192.168.2.0/24
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] getting interface name for 193.185.215.163
Mar 23 14:14:41 static-vpn-gw charon: 15[KNL] 193.185.215.163 is on interface eth0
Mar 23 14:14:41 static-vpn-gw vpn: + me@dynamic-vpn-gw 192.168.2.0/24 == 193.185.215.146 -- 193.185.215.163 == 192.168.1.0/24
Mar 23 14:14:41 static-vpn-gw charon: 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Mar 23 14:14:41 static-vpn-gw charon: 15[NET] sending packet: from 193.185.215.163[4500] to 193.185.215.146[4500]
Mar 23 14:14:41 static-vpn-gw charon: 08[NET] sending packet: from 193.185.215.163[4500] to 193.185.215.146[4500]
Mar 23 14:16:19 static-vpn-gw charon: 02[KNL] querying SAD entry with SPI ceed53f3
Mar 23 14:16:19 static-vpn-gw charon: 02[KNL] querying SAD entry with SPI cf06ca01
Mar 23 14:20:02 static-vpn-gw charon: 09[NET] received packet: from 193.185.215.146[4500] to 193.185.215.163[4500]
Mar 23 14:20:02 static-vpn-gw charon: 01[NET] received packet: from 193.185.215.146[4500] to 193.185.215.163[4500]
Mar 23 14:20:02 static-vpn-gw charon: 09[NET] waiting for data on raw sockets

...and here is the same dump from the dynamic, private gateway (which initiates the connection):

Mar 23 14:14:59 dynamic-vpn-gw ipsec_starter[6072]: Starting strongSwan 4.5.1 IPsec [starter]...
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[KNL] listening on interfaces:
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[KNL]   eth0
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[KNL]     192.168.171.219
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[KNL]     fe80::21c:25ff:fed8:6180
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[KNL]   eth1
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[KNL]     192.168.2.1
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[CFG] loading ca certificates from '/opt/strongswan-4.5.1/etc/ipsec.d/cacerts'
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[CFG] loading aa certificates from '/opt/strongswan-4.5.1/etc/ipsec.d/aacerts'
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[CFG] loading ocsp signer certificates from '/opt/strongswan-4.5.1/etc/ipsec.d/ocspcerts'
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[CFG] loading attribute certificates from '/opt/strongswan-4.5.1/etc/ipsec.d/acerts'
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[CFG] loading crls from '/opt/strongswan-4.5.1/etc/ipsec.d/crls'
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[CFG] loading secrets from '/opt/strongswan-4.5.1/etc/ipsec.secrets'
Mar 23 14:14:59 dynamic-vpn-gw charon: 00[CFG]   loaded IKE secret for me@dynamic-vpn-gw me@static-vpn-gw
Mar 23 14:14:59 dynamic-vpn-gw charon: 09[NET] waiting for data on raw sockets
Mar 23 14:14:59 dynamic-vpn-gw ipsec_starter[6080]: charon (6081) started after 40 ms
Mar 23 14:14:59 dynamic-vpn-gw charon: 07[CFG] crl caching to /opt/strongswan-4.5.1/etc/ipsec.d/crls enabled
Mar 23 14:14:59 dynamic-vpn-gw charon: 12[CFG] received stroke: add connection 'static-vpn-gw'
Mar 23 14:14:59 dynamic-vpn-gw charon: 12[KNL] getting interface name for 193.185.215.163
Mar 23 14:14:59 dynamic-vpn-gw charon: 12[KNL] 193.185.215.163 is not a local address
Mar 23 14:14:59 dynamic-vpn-gw charon: 12[KNL] getting interface name for 192.168.171.219
Mar 23 14:14:59 dynamic-vpn-gw charon: 12[KNL] 192.168.171.219 is on interface eth0
Mar 23 14:14:59 dynamic-vpn-gw charon: 12[CFG] added configuration 'static-vpn-gw'
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[CFG] received stroke: initiate 'static-vpn-gw'
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_VENDOR task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_INIT task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_NATD task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_CERT_PRE task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_AUTHENTICATE task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_CERT_POST task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_CONFIG task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing IKE_AUTH_LIFETIME task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] queueing CHILD_CREATE task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] activating new tasks
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE]   activating IKE_VENDOR task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE]   activating IKE_INIT task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE]   activating IKE_NATD task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE]   activating IKE_CERT_PRE task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE]   activating IKE_AUTHENTICATE task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE]   activating IKE_CERT_POST task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE]   activating IKE_CONFIG task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE]   activating CHILD_CREATE task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE]   activating IKE_AUTH_LIFETIME task
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] initiating IKE_SA static-vpn-gw[1] to 193.185.215.163
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] initiating IKE_SA static-vpn-gw[1] to 193.185.215.163
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[IKE] IKE_SA static-vpn-gw[1] state change: CREATED => CONNECTING
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 23 14:14:59 dynamic-vpn-gw charon: 14[NET] sending packet: from 192.168.171.219[500] to 193.185.215.163[500]
Mar 23 14:14:59 dynamic-vpn-gw charon: 08[NET] sending packet: from 192.168.171.219[500] to 193.185.215.163[500]
Mar 23 14:15:00 dynamic-vpn-gw charon: 09[NET] received packet: from 193.185.215.163[500] to 192.168.171.219[500]
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[NET] received packet: from 193.185.215.163[500] to 192.168.171.219[500]
Mar 23 14:15:00 dynamic-vpn-gw charon: 09[NET] waiting for data on raw sockets
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE] local host is behind NAT, sending keep alives
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE] reinitiating already active tasks
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE]   IKE_CERT_PRE task
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE]   IKE_AUTHENTICATE task
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE] authentication of 'me@dynamic-vpn-gw' (myself) with pre-shared key
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE] successfully created shared key MAC
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE] establishing CHILD_SA static-vpn-gw
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[IKE] establishing CHILD_SA static-vpn-gw
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[KNL] getting SPI for reqid {1}
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[KNL] got SPI cf06ca01 for reqid {1}
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Mar 23 14:15:00 dynamic-vpn-gw charon: 16[NET] sending packet: from 192.168.171.219[4500] to 193.185.215.163[4500]
Mar 23 14:15:00 dynamic-vpn-gw charon: 08[NET] sending packet: from 192.168.171.219[4500] to 193.185.215.163[4500]
Mar 23 14:15:00 dynamic-vpn-gw charon: 09[NET] received packet: from 193.185.215.163[4500] to 192.168.171.219[4500]
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[NET] received packet: from 193.185.215.163[4500] to 192.168.171.219[4500]
Mar 23 14:15:00 dynamic-vpn-gw charon: 09[NET] waiting for data on raw sockets
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] authentication of 'me@static-vpn-gw' with pre-shared key successful
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] IKE_SA static-vpn-gw[1] established between 192.168.171.219[me@dynamic-vpn-gw]...193.185.215.163[me@static-vpn-gw]
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] IKE_SA static-vpn-gw[1] established between 192.168.171.219[me@dynamic-vpn-gw]...193.185.215.163[me@static-vpn-gw]
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] IKE_SA static-vpn-gw[1] state change: CONNECTING => ESTABLISHED
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] scheduling reauthentication in 3332s
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] maximum IKE_SA lifetime 3512s
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] adding SAD entry with SPI cf06ca01 and reqid {1}
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] using encryption algorithm AES_CBC with key size 256
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] using integrity algorithm AES_XCBC_96 with key size 128
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] adding SAD entry with SPI ceed53f3 and reqid {1}
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] using encryption algorithm AES_CBC with key size 256
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] using integrity algorithm AES_XCBC_96 with key size 128
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] adding policy 192.168.2.0/24 === 192.168.1.0/24 out
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] adding policy 192.168.1.0/24 === 192.168.2.0/24 in
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] adding policy 192.168.1.0/24 === 192.168.2.0/24 fwd
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] getting a local address in traffic selector 192.168.2.0/24
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] using host 192.168.2.1
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] getting address to reach 193.185.215.163
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] getting interface name for 192.168.171.219
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] 192.168.171.219 is on interface eth0
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] installing route: 192.168.1.0/24 via 192.168.171.1 src 192.168.2.1 dev eth0
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] getting iface index for eth0
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] CHILD_SA static-vpn-gw{1} established with SPIs cf06ca01_i ceed53f3_o and TS 192.168.2.0/24 === 192.168.1.0/24
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] CHILD_SA static-vpn-gw{1} established with SPIs cf06ca01_i ceed53f3_o and TS 192.168.2.0/24 === 192.168.1.0/24
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] getting interface name for 192.168.171.219
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[KNL] 192.168.171.219 is on interface eth0
Mar 23 14:15:00 dynamic-vpn-gw vpn: + me@static-vpn-gw 192.168.1.0/24 == 193.185.215.163 -- 192.168.171.219 == 192.168.2.0/24
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] received AUTH_LIFETIME of 3247s, scheduling reauthentication in 3067s
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] activating new tasks
Mar 23 14:15:00 dynamic-vpn-gw charon: 03[IKE] nothing to initiate
Mar 23 14:15:10 dynamic-vpn-gw charon: 11[KNL] querying SAD entry with SPI cf06ca01
Mar 23 14:15:10 dynamic-vpn-gw charon: 11[KNL] querying SAD entry with SPI ceed53f3
Mar 23 14:15:19 dynamic-vpn-gw charon: 07[KNL] querying SAD entry with SPI ceed53f3
Mar 23 14:15:24 dynamic-vpn-gw charon: 13[KNL] querying SAD entry with SPI ceed53f3
Mar 23 14:15:24 dynamic-vpn-gw charon: 13[IKE] sending keep alive
Mar 23 14:15:24 dynamic-vpn-gw charon: 13[NET] sending packet: from 192.168.171.219[4500] to 193.185.215.163[4500]
Mar 23 14:15:24 dynamic-vpn-gw charon: 08[NET] sending packet: from 192.168.171.219[4500] to 193.185.215.163[4500]
Mar 23 14:15:44 dynamic-vpn-gw charon: 12[KNL] querying SAD entry with SPI ceed53f3
Mar 23 14:15:44 dynamic-vpn-gw charon: 12[IKE] sending keep alive
Mar 23 14:15:44 dynamic-vpn-gw charon: 12[NET] sending packet: from 192.168.171.219[4500] to 193.185.215.163[4500]
Mar 23 14:15:44 dynamic-vpn-gw charon: 08[NET] sending packet: from 192.168.171.219[4500] to 193.185.215.163[4500]
Mar 23 14:16:04 dynamic-vpn-gw charon: 14[KNL] querying SAD entry with SPI ceed53f3


And here is "ipsec statusall" from the public, static gateway:

[root@static-vpn-gw etc]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.1):
  uptime: 105 seconds, since Mar 23 14:14:34 2011
  malloc: sbrk 270336, mmap 0, used 221392, free 48944
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 2
  loaded plugins: aes des blowfish sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
  193.185.215.163
  192.168.1.210
Connections:
dynamic-vpn-gw: 193.185.215.163...%any
dynamic-vpn-gw: local: [me@static-vpn-gw] uses pre-shared key authentication
dynamic-vpn-gw: remote: [me@dynamic-vpn-gw] uses any authentication
dynamic-vpn-gw: child: 0.0.0.0/0 === 192.168.2.0/24
Security Associations:
dynamic-vpn-gw[1]: ESTABLISHED 98 seconds ago, 193.185.215.163[me@static-vpn-gw]...193.185.215.146[me@dynamic-vpn-gw]
dynamic-vpn-gw[1]: IKE SPIs: 51a18d63de518894_i a2a7b5aee6c554b5_r*, pre-shared key reauthentication in 52 minutes
dynamic-vpn-gw[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
dynamic-vpn-gw{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: ceed53f3_i cf06ca01_o
dynamic-vpn-gw{1}: AES_CBC_256/AES_XCBC_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes
dynamic-vpn-gw{1}: 192.168.1.0/24 === 192.168.2.0/24
No leaks detected, 1 suppressed by whitelist

...and the same from the private, dynamic gateway:

[root@dynamic-vpn-gw log]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.1):
  uptime: 11 seconds, since Mar 23 14:14:59 2011
  malloc: sbrk 270336, mmap 0, used 208352, free 61984
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 4
  loaded plugins: aes des blowfish sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Listening IP addresses:
  192.168.171.219
  192.168.2.1
Connections:
static-vpn-gw: 192.168.171.219...193.185.215.163
static-vpn-gw: local: [me@dynamic-vpn-gw] uses pre-shared key authentication
static-vpn-gw: remote: [me@static-vpn-gw] uses any authentication
static-vpn-gw: child: 0.0.0.0/0 === 192.168.1.0/24
Security Associations:
static-vpn-gw[1]: ESTABLISHED 10 seconds ago, 192.168.171.219[me@dynamic-vpn-gw]...193.185.215.163[me@static-vpn-gw]
static-vpn-gw[1]: IKE SPIs: 51a18d63de518894_i* a2a7b5aee6c554b5_r, pre-shared key reauthentication in 50 minutes
static-vpn-gw[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
static-vpn-gw{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cf06ca01_i ceed53f3_o
static-vpn-gw{1}: AES_CBC_256/AES_XCBC_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
static-vpn-gw{1}: 192.168.2.0/24 === 192.168.1.0/24
No leaks detected, 1 suppressed by whitelist



...and nothing works :) I cannot ping from public to private, or from private to public; the firewall rulebase(s) allow any ICMP from any source.
Here is the ip route output:

[root@static-vpn-gw etc]# ip route show table 220
192.168.2.0/24 via 193.185.215.161 dev eth0 proto static src 192.168.1.210

[iddqd@dynamic-vpn-gw Desktop]$ ip route show table 220
192.168.1.0/24 via 192.168.171.1 dev eth0 proto static src 192.168.2.1


Any ideas? Is it even possible to set up LAN-to-LAN gateways where one of them is behind DHCP and NAT, using pre-shared keys???


Best Regards,

Matti
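As an added example (it is not part of Matti's post and not strongSwan's own code), here is a small Python health check that parses the CHILD_SA lines of "ipsec statusall" and reports what the two statusall dumps above actually say: the tunnel is INSTALLED with traffic selectors 192.168.1.0/24 === 192.168.2.0/24 and ESP is UDP-encapsulated because of the NAT, but 0 bytes have passed in either direction, so nothing has matched the IPsec policy yet. The embedded sample input reuses the CHILD_SA lines from the static gateway's dump, plus a second SA ("branch-office{2}") constructed here for contrast, which is carrying traffic; the EXPECTED table of per-connection subnets is an assumption of the example, not something strongSwan provides.

```python
"""Health check for strongSwan CHILD_SAs parsed from `ipsec statusall` output.

Added example; not from the original post and not part of strongSwan.
"""
import ipaddress
import re

# Constructed sample input. The dynamic-vpn-gw{1} lines are the CHILD_SA lines from
# the static gateway's statusall above (tunnel up, zero bytes). The branch-office{2}
# SA is made up for contrast: same line shapes, but it is actually passing data.
SAMPLE_STATUS = """\
Security Associations:
dynamic-vpn-gw[1]: ESTABLISHED 98 seconds ago, 193.185.215.163[me@static-vpn-gw]...193.185.215.146[me@dynamic-vpn-gw]
dynamic-vpn-gw[1]: IKE SPIs: 51a18d63de518894_i a2a7b5aee6c554b5_r*, pre-shared key reauthentication in 52 minutes
dynamic-vpn-gw{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: ceed53f3_i cf06ca01_o
dynamic-vpn-gw{1}: AES_CBC_256/AES_XCBC_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes
dynamic-vpn-gw{1}: 192.168.1.0/24 === 192.168.2.0/24
branch-office{2}: INSTALLED, TUNNEL, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
branch-office{2}: AES_CBC_256/HMAC_SHA2_256_128, 48120 bytes_i, 39964 bytes_o, rekeying in 9 minutes
branch-office{2}: 192.168.1.0/24 === 10.20.0.0/16
"""

# Assumed for this example: which local === remote subnets each conn is meant to carry.
EXPECTED = {
    "dynamic-vpn-gw": ("192.168.1.0/24", "192.168.2.0/24"),
    "branch-office": ("192.168.1.0/24", "10.20.0.0/16"),
}

# `name{id}: ...` lines describe CHILD_SAs; `name[id]: ...` lines describe IKE_SAs.
CHILD_LINE = re.compile(r"^(?P<name>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<rest>.+?)\s*$")
STATE_LINE = re.compile(r"^(?P<state>[A-Z_]+),\s+(?P<mode>TUNNEL|TRANSPORT|BEET),\s+"
                        r"(?P<proto>ESP in UDP|ESP|AH)\s+SPIs:")
BYTES_LINE = re.compile(r"(?P<bytes_in>\d+) bytes_i,\s+(?P<bytes_out>\d+) bytes_o")


def parse_child_sas(text):
    """Return {(conn name, child id): fields} for every CHILD_SA in statusall output."""
    sas = {}
    for line in text.splitlines():
        m = CHILD_LINE.match(line)
        if not m:
            continue
        sa = sas.setdefault((m.group("name"), int(m.group("id"))),
                            {"state": None, "mode": None, "udp_encap": False,
                             "bytes_in": None, "bytes_out": None, "ts": []})
        rest = m.group("rest")
        state = STATE_LINE.match(rest)
        nbytes = BYTES_LINE.search(rest)
        if state:
            sa["state"] = state.group("state")
            sa["mode"] = state.group("mode")
            # "ESP in UDP" means NAT traversal kicked in: ESP rides inside UDP/4500.
            sa["udp_encap"] = state.group("proto") == "ESP in UDP"
        elif nbytes:
            sa["bytes_in"] = int(nbytes.group("bytes_in"))
            sa["bytes_out"] = int(nbytes.group("bytes_out"))
        elif " === " in rest:
            # Traffic selectors: one or more local nets === one or more remote nets.
            local, remote = rest.split(" === ", 1)
            sa["ts"].append(([ipaddress.ip_network(n) for n in local.split()],
                             [ipaddress.ip_network(n) for n in remote.split()]))
    return sas


def _covers(nets, wanted):
    """True if any selector in `nets` contains the `wanted` network."""
    return any(n.version == wanted.version and wanted.subnet_of(n) for n in nets)


def audit_child_sa(sa, expected_local, expected_remote):
    """Check one parsed CHILD_SA against the subnets the tunnel is meant to carry.

    Returns {"problems": [...], "notes": [...]}; an empty "problems" list means the
    SA is installed, its selectors cover the expected subnets and it has moved data.
    """
    problems, notes = [], []
    want_l = ipaddress.ip_network(expected_local)
    want_r = ipaddress.ip_network(expected_remote)

    if sa["state"] != "INSTALLED":
        problems.append(f"state is {sa['state']}, expected INSTALLED")

    if not any(_covers(loc, want_l) and _covers(rem, want_r) for loc, rem in sa["ts"]):
        shown = "; ".join(f"{' '.join(map(str, l))} === {' '.join(map(str, r))}"
                          for l, r in sa["ts"])
        problems.append(f"traffic selectors [{shown}] do not cover {want_l} === {want_r}")

    if sa["bytes_in"] == 0 and sa["bytes_out"] == 0:
        # Nothing has matched the policy yet. Test traffic must be sourced from an
        # address inside the local selector and aimed at one inside the remote one;
        # a ping sourced from the gateway's public interface never enters the tunnel.
        problems.append("no ESP traffic in either direction: nothing matched the IPsec policy")
    elif sa["bytes_out"] and not sa["bytes_in"]:
        problems.append("traffic leaves but none returns: check the peer's policies and forwarding")

    if sa["udp_encap"]:
        notes.append("NAT-T in use (ESP in UDP): UDP/4500 must stay open along the whole path")
    return {"problems": problems, "notes": notes}


if __name__ == "__main__":
    for (name, cid), sa in parse_child_sas(SAMPLE_STATUS).items():
        result = audit_child_sa(sa, *EXPECTED[name])
        print(f"{name}{{{cid}}}: {'OK' if not result['problems'] else 'PROBLEMS'}")
        for line in result["problems"] + result["notes"]:
            print("   ", line)
```

To run it against a live gateway, feed the output of "ipsec statusall" into parse_child_sas() instead of SAMPLE_STATUS and fill EXPECTED with the subnets from your own leftsubnet/rightsubnet settings. The byte counters are the quickest way to tell "the SA negotiated" apart from "packets are actually being protected", which is exactly the gap between the two statusall dumps above and the failing pings.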