<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7654.12">
<TITLE>IKEv1 Routing Problem</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Greetings,<BR>
<BR>
I have problems to set up an ikev1 net2net connection. (It works fine with ikev2, but I have to get it working with ikev1.)<BR>
Both gateways create successfully an IPSEC connection, but have routing problems. I can ping from sun to moon. But not from moon to sun.<BR>
The reason is that moon pings not through the tunnel, but directly in Internet direction where the packets are rejected.<BR>
<BR>
There is a difference in the 'ipsec status' outputs. Sun seems to show only one connection 'client4', while moon seems to show two connections<BR>
'client4' and 'client4[1]'.<BR>
<BR>
Both gateways run Debian Squeeze 6.0.3 with strongswan 4.4.1 (moon 192.168.88.2, sun 192.168.19.114). The connection is initiated by sun via 'ipsec up client4'.<BR>
<BR>
Does anyone know what is wrong with the configuration?<BR>
<BR>
Thanks for your help,<BR>
Stephan<BR>
<BR>
--- start --- moon: ipsec.conf ----------------------------------------<BR>
config setup<BR>
plutodebug=all<BR>
nat_traversal=yes<BR>
charonstart=no<BR>
plutostart=yes<BR>
<BR>
ca myca<BR>
cacert=/srv/pki/cacert.pem<BR>
<BR>
conn client4<BR>
left=%defaultroute<BR>
leftid="C=DE,ST=XX,L=XXXXXXXX,O=XXXXXXXXXXXXXXXXXXXX,CN=router,E=XXXXXXXXXXXXXXXXXXXXXXXXXX"<BR>
leftsubnet=192.168.88.2/24<BR>
leftcert=/srv/pki/router.pem<BR>
leftfirewall=yes<BR>
lefthostaccess=yes<BR>
right=%any<BR>
rightsubnet=192.168.19.114/24<BR>
rightid="C=DE,ST=XX,L=XXXXXXXX,O=XXXXXXXXXXXXXXXXXXXX,CN=client4,E=XXXXXXXXXXXXXXXXXXXXXXXXXX"<BR>
rightcert=/srv/pki/client4.pem<BR>
auto=add<BR>
<BR>
include /var/lib/strongswan/ipsec.conf.inc<BR>
---- end ---- moon: ipsec.conf ----------------------------------------<BR>
--- start --- moon: iptables -L ---------------------------------------<BR>
Chain INPUT (policy ACCEPT)<BR>
target prot opt source destination <BR>
ACCEPT all -- localnet/24 192.168.88.0/24 policy match dir in pol ipsec reqid 16389 proto esp<BR>
ACCEPT esp -- anywhere anywhere <BR>
ACCEPT udp -- anywhere anywhere udp spt:isakmp<BR>
ACCEPT udp -- anywhere anywhere udp spt:4500<BR>
<BR>
Chain FORWARD (policy ACCEPT)<BR>
target prot opt source destination <BR>
ACCEPT all -- localnet/24 192.168.88.0/24 policy match dir in pol ipsec reqid 16389 proto esp<BR>
ACCEPT all -- 192.168.88.0/24 localnet/24 policy match dir out pol ipsec reqid 16389 proto esp<BR>
<BR>
Chain OUTPUT (policy ACCEPT)<BR>
target prot opt source destination <BR>
ACCEPT all -- 192.168.88.0/24 localnet/24 policy match dir out pol ipsec reqid 16389 proto esp<BR>
ACCEPT esp -- anywhere anywhere <BR>
ACCEPT udp -- anywhere anywhere udp dpt:isakmp<BR>
ACCEPT udp -- anywhere anywhere udp dpt:4500<BR>
---- end ---- moon: iptables -L ---------------------------------------<BR>
--- start --- moon: ipsec status --------------------------------------<BR>
000 "client4": 192.168.88.0/24===93.222.15.145[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=router, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]---217.0.119.78...%any[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=client4, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]===192.168.19.0/24; unrouted; eroute owner: #0<BR>
000 "client4": newest ISAKMP SA: #0; newest IPsec SA: #0;<BR>
000 "client4"[1]: 192.168.88.0/24===93.222.15.145:4500[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=router, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]---217.0.119.78...217.92.154.243:4500[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=client4, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]===192.168.19.0/24; erouted; eroute owner: #2<BR>
000 "client4"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2;<BR>
000<BR>
000 #2: "client4"[1] 217.92.154.243:4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3094s; newest IPSEC; eroute owner<BR>
000 #2: "client4"[1] 217.92.154.243:4500 esp.3db9e893@217.92.154.243 (1260 bytes, 208s ago) esp.fa4f7fce@93.222.15.145 (1260 bytes, 208s ago); tunnel<BR>
000 #1: "client4"[1] 217.92.154.243:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 10293s; newest ISAKMP<BR>
000<BR>
---- end ---- moon: ipsec status --------------------------------------<BR>
--- start --- moon: ip -s xfrm state ----------------------------------<BR>
src 93.222.15.145 dst 217.92.154.243<BR>
proto esp spi 0x3db9e893(1035593875) reqid 16389(0x00004005) mode tunnel<BR>
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)<BR>
auth hmac(sha1) 0xe9e7b3d81d48695264508789b93e7dc0e70892dd (160 bits)<BR>
enc cbc(aes) 0xb3a82d3a3159229bc7d2dfc29e6fb638 (128 bits)<BR>
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<BR>
lifetime config:<BR>
limit: soft (INF)(bytes), hard (INF)(bytes)<BR>
limit: soft (INF)(packets), hard (INF)(packets)<BR>
expire add: soft 0(sec), hard 0(sec)<BR>
expire use: soft 0(sec), hard 0(sec)<BR>
lifetime current:<BR>
1260(bytes), 15(packets)<BR>
add 2011-11-09 16:46:06 use 2011-11-09 16:46:20<BR>
stats:<BR>
replay-window 0 replay 0 failed 0<BR>
src 217.92.154.243 dst 93.222.15.145<BR>
proto esp spi 0xfa4f7fce(4199514062) reqid 16389(0x00004005) mode tunnel<BR>
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)<BR>
auth hmac(sha1) 0x8cdf75f409193832fe61c751edb2df1d3761ff32 (160 bits)<BR>
enc cbc(aes) 0x85b6e3417dc6fa2a8680d7f70c7c2d2c (128 bits)<BR>
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<BR>
lifetime config:<BR>
limit: soft (INF)(bytes), hard (INF)(bytes)<BR>
limit: soft (INF)(packets), hard (INF)(packets)<BR>
expire add: soft 0(sec), hard 0(sec)<BR>
expire use: soft 0(sec), hard 0(sec)<BR>
lifetime current:<BR>
1260(bytes), 15(packets)<BR>
add 2011-11-09 16:46:05 use 2011-11-09 16:46:20<BR>
stats:<BR>
replay-window 0 replay 0 failed 0<BR>
---- end ---- moon: ip -s xfrm state ---------------------------------------<BR>
--- start --- moon: ping 192.168.19.114 -c 2 -------------------------------<BR>
PING 192.168.19.114 (192.168.19.114) 56(84) bytes of data.<BR>
<BR>
--- 192.168.19.114 ping statistics ---<BR>
2 packets transmitted, 0 received, 100% packet loss, time 1006ms<BR>
---- end ---- moon: ping 192.168.19.114 -c 2 -------------------------------<BR>
--- start --- moon: tcpdump (from sun to moon) ------------------------------<BR>
17:01:35.328492 IP 192.168.19.114 > 192.168.88.2: ICMP echo request, id 1744, seq 1, length 64<BR>
---- end ---- moon: tcpdump (from sun to moon) ------------------------------<BR>
--- start --- moon: tcpdump (from moon to sun) ------------------------------<BR>
17:00:15.085651 IP p5DDE0F91.dip0.t-ipconnect.de > 192.168.19.114: ICMP echo request, id 12723, seq 70, length 64<BR>
---- end ---- moon: tcpdump (from moon to sun) -----------------------------<BR>
<BR>
<BR>
<BR>
<BR>
--- start ---- sun: ipsec.conf ----------------------------------------<BR>
config setup<BR>
plutodebug=all<BR>
nat_traversal=yes<BR>
charonstart=no<BR>
plutostart=yes<BR>
<BR>
conn client4<BR>
left=%defaultroute<BR>
leftsubnet=192.168.19.114/24<BR>
lefthostaccess=yes<BR>
leftid="C=DE,ST=XX,L=XXXXXXXn,O=XXXXXXXXXXXXXXXXXXXX,CN=client4,E=XXXXXXXXXXXXXXXXXXXXXXXXXX"<BR>
leftcert=/srv/pki/client4.pem<BR>
leftfirewall=yes<BR>
right=XXXXXXXXX.dyndns.org<BR>
rightsubnet=192.168.88.2/24<BR>
rightid="C=DE,ST=XX,L=XXXXXXXX,O=XXXXXXXXXXXXXXXXXXXX,CN=router,E=XXXXXXXXXXXXXXXXXXXXXXXXXX"<BR>
rightcert=/srv/pki/router.pem<BR>
auto=add<BR>
<BR>
include /var/lib/strongswan/ipsec.conf.inc<BR>
---- end ----- sun: ipsec.conf ----------------------------------------<BR>
--- start ---- sun: iptables -L ---------------------------------------<BR>
Chain INPUT (policy ACCEPT)<BR>
target prot opt source destination <BR>
ACCEPT all -- 192.168.88.0/24 192.168.19.0/24 policy match dir in pol ipsec reqid 16385 proto esp<BR>
<BR>
Chain FORWARD (policy ACCEPT)<BR>
target prot opt source destination <BR>
ACCEPT all -- 192.168.88.0/24 192.168.19.0/24 policy match dir in pol ipsec reqid 16385 proto esp<BR>
ACCEPT all -- 192.168.19.0/24 192.168.88.0/24 policy match dir out pol ipsec reqid 16385 proto esp<BR>
<BR>
Chain OUTPUT (policy ACCEPT)<BR>
target prot opt source destination <BR>
ACCEPT all -- 192.168.19.0/24 192.168.88.0/24 policy match dir out pol ipsec reqid 16385 proto esp<BR>
---- end ----- sun: iptables -L ---------------------------------------<BR>
--- start ---- sun: ipsec status --------------------------------------<BR>
000 "client4": 192.168.19.0/24===192.168.19.114:4500[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=client4, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]---192.168.19.1...93.222.15.145:4500[C=DE, ST=XX, L=XXXXXXXX, O=XXXXXXXXXXXXXXXXXXXX, CN=router, E=XXXXXXXXXXXXXXXXXXXXXXXXXX]===192.168.88.0/24; erouted; eroute owner: #7<BR>
000 "client4": newest ISAKMP SA: #6; newest IPsec SA: #7;<BR>
000<BR>
000 #7: "client4" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2337s; newest IPSEC; eroute owner<BR>
000 #7: "client4" esp.fa4f7fce@93.222.15.145 (1260 bytes, 514s ago) esp.3db9e893@192.168.19.114 (1260 bytes, 514s ago); tunnel<BR>
000 #6: "client4" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 9612s; newest ISAKMP<BR>
000<BR>
---- end ----- sun: ipsec status --------------------------------------<BR>
--- start ---- sun: ip -s xfrm state ----------------------------------<BR>
src 192.168.19.114 dst 93.222.15.145<BR>
proto esp spi 0xfa4f7fce(4199514062) reqid 16385(0x00004001) mode tunnel<BR>
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)<BR>
auth hmac(sha1) 0x8cdf75f409193832fe61c751edb2df1d3761ff32 (160 bits)<BR>
enc cbc(aes) 0x85b6e3417dc6fa2a8680d7f70c7c2d2c (128 bits)<BR>
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<BR>
lifetime config:<BR>
limit: soft (INF)(bytes), hard (INF)(bytes)<BR>
limit: soft (INF)(packets), hard (INF)(packets)<BR>
expire add: soft 0(sec), hard 0(sec)<BR>
expire use: soft 0(sec), hard 0(sec)<BR>
lifetime current:<BR>
1260(bytes), 15(packets)<BR>
add 2011-11-09 16:46:05 use 2011-11-09 16:46:19<BR>
stats:<BR>
replay-window 0 replay 0 failed 0<BR>
src 93.222.15.145 dst 192.168.19.114<BR>
proto esp spi 0x3db9e893(1035593875) reqid 16385(0x00004001) mode tunnel<BR>
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)<BR>
auth hmac(sha1) 0xe9e7b3d81d48695264508789b93e7dc0e70892dd (160 bits)<BR>
enc cbc(aes) 0xb3a82d3a3159229bc7d2dfc29e6fb638 (128 bits)<BR>
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0<BR>
lifetime config:<BR>
limit: soft (INF)(bytes), hard (INF)(bytes)<BR>
limit: soft (INF)(packets), hard (INF)(packets)<BR>
expire add: soft 0(sec), hard 0(sec)<BR>
expire use: soft 0(sec), hard 0(sec)<BR>
lifetime current:<BR>
1260(bytes), 15(packets)<BR>
add 2011-11-09 16:46:05 use 2011-11-09 16:46:19<BR>
stats:<BR>
replay-window 0 replay 0 failed 0<BR>
---- end ----- sun: ip -s xfrm state ---------------------------------------<BR>
--- start ---- sun: ping 192.168.88.2 -c 2 ---------------------------------<BR>
PING 192.168.88.2 (192.168.88.2) 56(84) bytes of data.<BR>
64 bytes from 192.168.88.2: icmp_req=1 ttl=64 time=58.6 ms<BR>
64 bytes from 192.168.88.2: icmp_req=2 ttl=64 time=57.7 ms<BR>
<BR>
--- 192.168.88.2 ping statistics ---<BR>
2 packets transmitted, 2 received, 0% packet loss, time 1002ms<BR>
rtt min/avg/max/mdev = 57.775/58.197/58.620/0.486 ms<BR>
---- end ----- sun: ping 192.168.88.2 -c 2 ---------------------------------<BR>
</FONT>
</P>
</BODY>
</HTML>