<div>Hello,</div>
<div> </div>
<div>I have established a tunnel between two end-points with ikev2, using psk. I can see that the tunnel is established, but for some reason the traffic does not flow through this tunnel. I do not have any blocking firewalls or anything. I cannot use certificates as there is some bug in our IP-stack code, and this is the first time I am trying to get it working using pre-shared keys. Please find the details below. </div>
<div> </div>
<div><u>End-point 1:</u></div>
<div>root@localhost:/root> cat /etc/ipsec.conf<br># ipsec.conf - strongSwan IPsec configuration file</div>
<div># basic configuration</div>
<div>config setup<br> # plutodebug=all<br> # crlcheckinterval=600<br> strictcrlpolicy=no<br> # cachecrls=yes<br> # nat_traversal=yes<br> charonstart=yes<br> plutostart=no<br>
charondebug=all</div>
<div># Add connections here.</div>
<div># Sample VPN connections</div>
<div>#ca strongswan<br># cacert=caCert.der<br># auto=add</div>
<div>conn sample-with-ca-cert<br> left=169.254.3.75<br> leftsubnet=169.254.3.0/32<br> right=169.254.4.75<br> rightsubnet=169.254.4.0/32<br>
authby=secret<br> keyexchange=ikev2<br> auto=add</div>
<div>root@localhost:/root> cat /etc/ipsec.secrets<br># /etc/ipsec.secrets - strongSwan IPsec secrets file</div>
<div> : PSK "strongSwan"<br>root@localhost:/root> /usr/local/6bin/ipsec status<br>Security Associations:<br>sample-with-ca-cert[1]: ESTABLISHED 169.254.3.75[169.254.3.75]...169.254.4.75[169.254.4.75]<br>
sample-with-ca-cert[1]: IKE SPIs: 2df2f45dcd2f5b68_i a38bd0eeeaf49bff_r* Creation time: 4 minutes ago<br>sample-with-ca-cert{1}: INSTALLED, TUNNEL, ESP SPIs: c1c4e611_i cb7030e9_o<br>sample-with-ca-cert{1}: 169.254.3.0/32 === 169.254.4.0/32<br>
root@localhost:/root><br></div>
<div> </div>
<div><u>End-point 2:</u></div>
<div>root@localhost:/root> cat /etc/ipsec.conf<br># ipsec.conf - strongSwan IPsec configuration file</div>
<div># basic configuration</div>
<div>config setup<br> # plutodebug=all<br> # crlcheckinterval=600<br> strictcrlpolicy=no<br> # cachecrls=yes<br> # nat_traversal=yes<br> charonstart=yes<br> plutostart=no<br>
charondebug=all</div>
<div># Add connections here.</div>
<div># Sample VPN connections</div>
<div>#ca strongswan<br># cacert=caCert.der<br># auto=add</div>
<div>conn sample-with-ca-cert<br> left=169.254.4.75<br> leftsubnet=169.254.4.0/32<br> right=169.254.3.75<br> rightsubnet=169.254.3.0/32<br>
authby=secret<br> keyexchange=ikev2<br> auto=start</div>
<div>root@localhost:/root> cat /etc/ipsec.secrets<br># /etc/ipsec.secrets - strongSwan IPsec secrets file</div>
<div> : PSK "strongSwan"<br>root@localhost:/root> /usr/local/6bin/ipsec status<br>Security Associations:<br>sample-with-ca-cert[1]: ESTABLISHED 169.254.4.75[169.254.4.75]...169.254.3.75[169.254.3.75]<br>
sample-with-ca-cert[1]: IKE SPIs: 2df2f45dcd2f5b68_i* a38bd0eeeaf49bff_r Creation time: 5 minutes ago<br>sample-with-ca-cert{1}: INSTALLED, TUNNEL, ESP SPIs: cb7030e9_i c1c4e611_o<br>sample-with-ca-cert{1}: 169.254.4.0/32 === 169.254.3.0/32<br>
root@localhost:/root><br></div>
<div> </div>
<div>Now, pinging end-point 2 from end-point 1,</div>
<div> </div>
<div><u>End-point 1:</u></div>
<div>root@localhost:/root> ping 169.254.4.75<br>PING 169.254.4.75 (169.254.4.75) 56(84) bytes of data.<br>64 bytes from 169.254.4.75: icmp_seq=1 ttl=64 time=3.84 ms<br>
64 bytes from 169.254.4.75: icmp_seq=2 ttl=64 time=0.418 ms<br>64 bytes from 169.254.4.75: icmp_seq=3 ttl=64 time=0.436 ms</div>
<div>--- 169.254.4.75 ping statistics ---<br>3 packets transmitted, 3 received, 0% packet loss, time 1998ms<br>rtt min/avg/max/mdev = 0.418/1.567/3.847/1.612 ms<br></div>
<div> </div>
<div><u>End-point 2:</u></div>
<div>root@localhost:/root> /usr/local/6bin/tcpdump -i eth3<br>listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes<br>21:46:51.700053 FPTUN (TAP(TAP)|port=0x0000000a|blade=1):<br>
21:46:51.700224 arp who-has 169.254.4.75 tell 169.254.3.75<br>21:46:51.702247 (FP) arp who-has 169.254.4.75 tell 169.254.3.75<br>21:46:51.702294 arp reply 169.254.4.75 is-at 00:40:43:31:29:08<br>21:46:51.700277 FPTUN (TAP(TAP)|port=0x0000000a|blade=1):<br>
21:46:51.700283 (FP) IP 169.254.3.75 > 169.254.4.75: icmp 64: echo request seq 1<br>21:46:51.700289 IP 169.254.3.75 > 169.254.4.75: icmp 64: echo request seq 1<br>
21:46:51.700416 IP 169.254.4.75 > 169.254.3.75: icmp 64: echo reply seq 1<br>21:46:52.696065 IP 169.254.3.75 > 169.254.4.75: icmp 64: echo request seq 2<br>
21:46:52.696065 FPTUN (TAP(TAP)|port=0x0000000a|blade=1):<br>21:46:52.696086 (FP) IP 169.254.3.75 > 169.254.4.75: icmp 64: echo request seq 2<br>21:46:52.696162 IP 169.254.4.75 > 169.254.3.75: icmp 64: echo reply seq 2<br>
21:46:53.695418 FPTUN (TAP(TAP)|port=0x0000000a|blade=1):<br>21:46:53.695419 IP 169.254.3.75 > 169.254.4.75: icmp 64: echo request seq 3<br>21:46:53.695441 (FP) IP 169.254.3.75 > 169.254.4.75: icmp 64: echo request seq 3<br>
21:46:53.695529 IP 169.254.4.75 > 169.254.3.75: icmp 64: echo reply seq 3</div>
<div>16 packets captured<br>16 packets received by filter<br>0 packets dropped by kernel<br>root@localhost:/root><br></div>
<div> </div>
<div>So we see that even though the tunnel exists, traffic between the two end-points does not travel through it. Could you please let me know if there is anything I have missed? </div>
<div> </div>
<div>Thanks and regards,</div>
<div>Meera </div>
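<div>One check a practitioner would run against the two conn blocks in the post, as an added example that is not part of the original message: strongSwan only steers a packet into the installed CHILD_SA when its source and destination fall inside the negotiated traffic selectors (leftsubnet/rightsubnet), so a host address that lies outside its own selector is sent in the clear even while <code>ipsec status</code> reports INSTALLED. The script below takes the addresses and subnets exactly as posted (the dictionary layout is mine) and reports, per endpoint, whether the local and remote hosts are covered by their selectors and whether the ping shown would match the policy.</div>

```python
import ipaddress

# Constructed from the two "conn sample-with-ca-cert" blocks in the post;
# the address/subnet values are copied verbatim, the dict layout is ours.
ENDPOINTS = {
    "end-point 1": {"left": "169.254.3.75", "leftsubnet": "169.254.3.0/32",
                    "right": "169.254.4.75", "rightsubnet": "169.254.4.0/32"},
    "end-point 2": {"left": "169.254.4.75", "leftsubnet": "169.254.4.0/32",
                    "right": "169.254.3.75", "rightsubnet": "169.254.3.0/32"},
}


def selector_covers(subnet: str, host: str) -> bool:
    """True if the traffic selector `subnet` includes the address `host`."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(subnet, strict=False)


def check_conn(conn: dict) -> list:
    """Explain, per side, why host-to-host traffic would bypass this conn's SA."""
    findings = []
    for side in ("left", "right"):
        host, ts = conn[side], conn[side + "subnet"]
        if not selector_covers(ts, host):
            net = ipaddress.ip_network(ts, strict=False)
            findings.append(
                f"{side}={host} is outside {side}subnet={ts} "
                f"(that selector matches only {net.num_addresses} address(es): "
                f"{net.network_address}-{net.broadcast_address})")
    return findings


def flow_matches_policy(conn: dict, src: str, dst: str) -> bool:
    """Would a packet src->dst leaving this endpoint match the outbound IPsec policy?"""
    return (selector_covers(conn["leftsubnet"], src)
            and selector_covers(conn["rightsubnet"], dst))


def check_all(endpoints=ENDPOINTS) -> dict:
    """Run check_conn over every endpoint; an empty list means the selectors cover the hosts."""
    return {name: check_conn(conn) for name, conn in endpoints.items()}


if __name__ == "__main__":
    for name, findings in check_all().items():
        print(name, "->", "OK" if not findings else "; ".join(findings))
    # The ping in the post: 169.254.3.75 -> 169.254.4.75 from end-point 1.
    print("ping matches policy:",
          flow_matches_policy(ENDPOINTS["end-point 1"], "169.254.3.75", "169.254.4.75"))
```

Re-running with the host addresses themselves as /32 selectors (or a /24 that contains them) makes both checks pass, which is the configuration to compare against.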