<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Dear all,<br>
<br>
I have a question about a test-scenario i am setting up.<br>
I have two tunnels:<br>
"rw" - laptop with Shrewsoft VPN client<br>
ip: 192.168.2.1/32<br>
external-ip: yyy.yyy.yyy.yyy (behind NAT, internal ip: 10.1.2.39)<br>
<br>
"51" - Draytek Vigor 2910 (no pc's connected to Vigor yet)<br>
ip-range: 192.168.51.1/24<br>
external-ip: yyy.yyy.yyy.yyy (behind NAT, internal ip: 10.1.2.38)<br>
<br>
The central location is a linux server running Strongswan 5.0.0:<br>
ip-range: 192.168.0.1/24<br>
external ip: xxx.xxx.xxx.xxx<br>
<br>
When i ping from the "51" Draytek (itself) to 192.168.0.1
(Strongswan) it works.<br>
When i ping from the "rw" laptop to 192.168.0.1 (Strongswan) it
works<br>
When i ping from the "rw" laptop to 192.168.51.1 (tunnel "51") i get
no reply<br>
When i ping from the "51" Draytek to 192.168.2.1 (tunnel "rw") i get
no reply<br>
<br>
I have policies in the Draytek and Shrewsoft laptop for all subnets.
This can be seen in the tcpdump, where the packets for the remote
subnet of the other tunnel arrive at the Strongswan, but are not
forwarded.<br>
I have included as much information as possible. I hope someone can
help me with this problem.<br>
Thank you very much.<br>
Kind regards,<br>
<br>
Jeroen Hermans<br>
<br>
<br>
<b>$ sudo ip route list table 220</b><b><br>
</b>192.168.2.1 via <first-hop-router> dev eth0 proto static
src 192.168.0.1<br>
192.168.51.0/24 via <first-hop-router> dev eth0 proto static
src 192.168.0.1<br>
<br>
<b>$ sudo tcpdump -i eth0 not ip6 and not port 22 and not port
domain</b><b><br>
</b>tcpdump: verbose output suppressed, use -v or -vv for full
protocol decode<br>
listening on eth0, link-type EN10MB (Ethernet), capture size 65535
bytes<br>
<i>"rw" pings one time to 192.168.0.1</i><br>
11:11:40.410505 IP yyy.yyy.yyy.yyy.ipsec-nat-t >
xxx.xxx.xxx.xxx.ipsec-nat-t: UDP-encap: ESP(spi=0xc8587ff2,seq=0x3),
length 100<br>
11:11:40.410572 IP 192.168.2.1 > 192.168.0.1: ICMP echo request,
id 1, seq 234, length 40<br>
11:11:40.410655 IP xxx.xxx.xxx.xxx.ipsec-nat-t >
yyy.yyy.yyy.yyy.ipsec-nat-t: UDP-encap: ESP(spi=0xba5fa761,seq=0x3),
length 100<br>
<i>"rw" pings one time to 192.168</i>.51.1<br>
11:11:43.377246 IP yyy.yyy.yyy.yyy.ipsec-nat-t >
xxx.xxx.xxx.xxx.ipsec-nat-t: UDP-encap: ESP(spi=0xc04f2330,seq=0x2),
length 100<br>
11:11:43.377331 IP 192.168.2.1 > 192.168.51.1: ICMP echo request,
id 1, seq 236, length 40<br>
11:11:43.377367 IP 192.168.2.1 > 192.168.51.1: ICMP echo request,
id 1, seq 236, length 40<br>
<br>
<br>
<b>$ sudo ip xfrm policy</b><b><br>
</b>src 192.168.51.0/24 dst 192.168.0.0/24<br>
dir fwd priority 1859 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx<br>
proto esp reqid 393 mode tunnel<br>
src 192.168.51.0/24 dst 192.168.0.0/24<br>
dir in priority 1859 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx<br>
proto esp reqid 393 mode tunnel<br>
src 192.168.0.0/24 dst 192.168.51.0/24<br>
dir out priority 1859 ptype main<br>
tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy<br>
proto esp reqid 393 mode tunnel<br>
src 192.168.2.1/32 dst 192.168.51.0/24<br>
dir fwd priority 1827 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx<br>
proto esp reqid 391 mode tunnel<br>
src 192.168.2.1/32 dst 192.168.51.0/24<br>
dir in priority 1827 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx<br>
proto esp reqid 391 mode tunnel<br>
src 192.168.51.0/24 dst 192.168.2.1/32<br>
dir out priority 1827 ptype main<br>
tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy<br>
proto esp reqid 391 mode tunnel<br>
src 192.168.2.1/32 dst 192.168.0.0/24<br>
dir fwd priority 1827 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx<br>
proto esp reqid 390 mode tunnel<br>
src 192.168.2.1/32 dst 192.168.0.0/24<br>
dir in priority 1827 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx<br>
proto esp reqid 390 mode tunnel<br>
src 192.168.0.0/24 dst 192.168.2.1/32<br>
dir out priority 1827 ptype main<br>
tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy<br>
proto esp reqid 390 mode tunnel<br>
<br>
<br>
<b>$ sudo iptables-save</b><b><br>
</b>*filter<br>
:INPUT ACCEPT [0:0]<br>
:FORWARD ACCEPT [518:38392]<br>
:OUTPUT ACCEPT [39692:7545269]<br>
-A INPUT -p tcp -m tcp --dport 443:453 -j ACCEPT<br>
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT<br>
-A INPUT -p udp -m udp --dport 53 -j ACCEPT<br>
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT<br>
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT<br>
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<br>
-A INPUT -p icmp -j ACCEPT<br>
-A INPUT -i lo -j ACCEPT<br>
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT<br>
-A INPUT -p udp -m udp --dport 500 -j ACCEPT<br>
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT<br>
-A INPUT -i eth0 -p esp -j ACCEPT<br>
-A INPUT -j REJECT --reject-with icmp-host-prohibited<br>
-A OUTPUT -o eth0 -p esp -j ACCEPT<br>
COMMIT<br>
*mangle<br>
:PREROUTING ACCEPT [34286:3954457]<br>
:INPUT ACCEPT [33100:3886019]<br>
:FORWARD ACCEPT [518:38392]<br>
:OUTPUT ACCEPT [39696:7546309]<br>
:POSTROUTING ACCEPT [40214:7584701]<br>
COMMIT<br>
*nat<br>
:PREROUTING ACCEPT [1646:110154]<br>
:POSTROUTING ACCEPT [2019:153411]<br>
:OUTPUT ACCEPT [1961:146461]<br>
COMMIT<br>
<br>
</body>
</html>