Hi All, <br><br>I'm having a bit of a strange issue with a net-net vpn setup where packets bound for the remote subnet don't appear to be getting encapsulated on either gateway, I see no ESP packets other than those attributed with existing functional tunnels.<br>
<br>I've tried tcpdumping on both endpoints, and can see icmp packets coming in to the local gateway from hosts on both networks, but no ESP packets - and none of it seems to get across the tunnel.<br><br>Any help would be greatly appreciated - I've tried doing the same thing with IKEV2 (with a couple of required changes) and had exactly the same result.<br>
<br>Give me a shout if I can provide any additional information.<br><br>Thanks!<br><br>Russ<br><br>---------------------<br><br>Here's my setup<br><br>Rodney:<br>Debian lenny x86_64<br>Strongswan 4.2.4-5 - from repo<br>
A number of existing working ikev1 tunnels set up to other networks/hosts<br><br>Granville:<br>Debian Squeeze x86_64<br>Strongswan 4.4.1-5.1 - from repo<br><br>Iptables on both hosts:<br>udp 500 and 4500 + esp open<br><br>
<br><a href="http://192.168.0.0/24-----RODNEY----BRIGHTON_PUB_IP.........ESSEX_PUB_IP---NAT_ROUTER----GRANVILLE----192.168.6.0/24">192.168.0.0/24-----RODNEY----BRIGHTON_PUB_IP.........ESSEX_PUB_IP---NAT_ROUTER----GRANVILLE----192.168.6.0/24</a> <br>
<br>Essex router nats absolutely everything to Granville (it's on the netgear router's dmz)<br>--------------------------------------<br clear="all">ESSEX - IPSEC.CONF<br><br>config setup<br> plutodebug=control<br>
nat_traversal=yes<br> charonstart=no<br> plutostart=yes<br><br>conn essex_brighton<br> left=%defaultroute<br> leftid=ESSEX_PUB_IP<br> leftsubnet=<a href="http://192.168.6.0/24">192.168.6.0/24</a><br>
leftfirewall=yes<br> right=BRIGHTON_PUB_IP<br> rightsubnet=<a href="http://192.168.0.0/24">192.168.0.0/24</a><br> forceencaps=yes<br> keyexchange=ikev1<br> authby=secret<br> auto=add<br>
--------------------------------------<br><br>BRIGHTON-IPSEC.CONF<br><br>config setup<br> plutodebug=control<br> nat_traversal=yes<br> charonstart=yes<br> plutostart=yes<br><br>conn essex_brighton<br>
left=BRIGHTON_PUB_IP<br> leftsubnet=<a href="http://192.168.0.0/24">192.168.0.0/24</a><br> leftfirewall=yes<br> right=ESSEX_PUB_IP<br> rightsubnet=<a href="http://192.168.6.0/24">192.168.6.0/24</a><br>
forceencaps=yes<br> keyexchange=ikev1<br> authby=secret<br> auto=add<br><br>-----------------------------------<br><br>root@granville:~# ipsec status<br>000 "essex_brighton": <a href="http://192.168.6.0/24===192.168.16.2:4500[ESSEX_PUB_IP]---192.168.16.1...BRIGHTON_PUB_IP:4500[BRIGHTON_PUB_IP]===192.168.0.0/24">192.168.6.0/24===192.168.16.2:4500[ESSEX_PUB_IP]---192.168.16.1...BRIGHTON_PUB_IP:4500[BRIGHTON_PUB_IP]===192.168.0.0/24</a>; erouted; eroute owner: #2<br>
000 "essex_brighton": newest ISAKMP SA: #1; newest IPsec SA: #2;<br>000<br>000 #2: "essex_brighton" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 4s; newest IPSEC; eroute owner<br>
000 #2: "essex_brighton" esp.9c28ba55@BRIGHTON_PUB_IP (0 bytes) <a href="mailto:esp.c32b10a1@192.168.16.2">esp.c32b10a1@192.168.16.2</a> (0 bytes); tunnel<br>000 #1: "essex_brighton" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 6962s; newest ISAKMP<br>
000<br><br><br>rodney:~# ipsec status<br>000 "essex_brighton": <a href="http://192.168.0.0/24===BRIGHTON_PUB_IP:4500...ESSEX_PUB_IP:4500===192.168.6.0/24">192.168.0.0/24===BRIGHTON_PUB_IP:4500...ESSEX_PUB_IP:4500===192.168.6.0/24</a>; erouted; eroute owner: #3909<br>
000 "essex_brighton": newest ISAKMP SA: #3898; newest IPsec SA: #3909;<br>000<br>000 #3909: "essex_brighton" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3285s; newest IPSEC; eroute owner<br>
000 #3909: "essex_brighton" esp.360fcd9e@ESSEX_PUB_IP (0 bytes) esp.295edd15@BRIGHTON_PUB_IP (0 bytes); tunnel<br>000 #3899: "essex_brighton" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 446s<br>
000 #3899: "essex_brighton" esp.c32b10a1@ESSEX_PUB_IP (0 bytes) esp.9c28ba55@BRIGHTON_PUB_IP (0 bytes); tunnel<br>000 #3898: "essex_brighton" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 7635s; newest ISAKMP<br>
000<br>Security Associations:<br> none<br><br>------------------------<br><br>root@granville:~# ip xfrm state<br>src 192.168.16.2 dst BRIGHTON_PUB_IP<br> proto esp spi 0x295edd15 reqid 16385 mode tunnel<br> replay-window 32 flag af-unspec<br>
auth hmac(sha1) 0x0ba38e23a79f79f7f96690d2d166b315f60b60bb<br> enc cbc(aes) 0xdf238a47bb128a41d94f60452411cd26<br> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<br>src BRIGHTON_PUB_IP dst 192.168.16.2<br>
proto esp spi 0x360fcd9e reqid 16385 mode tunnel<br> replay-window 32 flag af-unspec<br> auth hmac(sha1) 0x015ec50f83fc414a681902bd935cf8560da4cbb2<br> enc cbc(aes) 0x7e40d181e5c8ca5bfc35ed44b59c968d<br> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<br>
src 192.168.16.2 dst BRIGHTON_PUB_IP<br> proto esp spi 0x9c28ba55 reqid 16385 mode tunnel<br> replay-window 32 flag af-unspec<br> auth hmac(sha1) 0x2345729df63869ea9a6df60f50508cf746860b02<br> enc cbc(aes) 0xf90f83024f337ff85a8fc72392eaea8f<br>
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<br>src BRIGHTON_PUB_IP dst 192.168.16.2<br> proto esp spi 0xc32b10a1 reqid 16385 mode tunnel<br> replay-window 32 flag af-unspec<br> auth hmac(sha1) 0x7f16f51d63369bec30ac74e4eef27d9a8ff81958<br>
enc cbc(aes) 0x047271d81f3a0483c34c0790fcc098c8<br> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<br>root@granville:~# ip xfrm policy<br>src <a href="http://192.168.6.0/24">192.168.6.0/24</a> dst <a href="http://192.168.0.0/24">192.168.0.0/24</a><br>
dir out priority 2344 ptype main<br> tmpl src 192.168.16.2 dst BRIGHTON_PUB_IP<br> proto esp reqid 16385 mode tunnel<br>src <a href="http://192.168.0.0/24">192.168.0.0/24</a> dst <a href="http://192.168.6.0/24">192.168.6.0/24</a><br>
dir fwd priority 2344 ptype main<br> tmpl src BRIGHTON_PUB_IP dst 192.168.16.2<br> proto esp reqid 16385 mode tunnel<br>src <a href="http://192.168.0.0/24">192.168.0.0/24</a> dst <a href="http://192.168.6.0/24">192.168.6.0/24</a><br>
dir in priority 2344 ptype main<br> tmpl src BRIGHTON_PUB_IP dst 192.168.16.2<br> proto esp reqid 16385 mode tunnel<br>src ::/0 dst ::/0<br> dir 4 priority 0 ptype main<br>src ::/0 dst ::/0<br> dir 3 priority 0 ptype main<br>
src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a><br> dir 4 priority 0 ptype main<br>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a><br>
dir 3 priority 0 ptype main<br>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a><br> dir 4 priority 0 ptype main<br>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a><br>
dir 3 priority 0 ptype main<br>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a><br> dir 4 priority 0 ptype main<br>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a><br>
dir 3 priority 0 ptype main<br>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a><br> dir 4 priority 0 ptype main<br>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a><br>
dir 3 priority 0 ptype main<br>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a><br> dir 4 priority 0 ptype main<br>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a><br>
dir 3 priority 0 ptype main<br>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a><br> dir 4 priority 0 ptype main<br>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a><br>
dir 3 priority 0 ptype main <br><br><br><br>