<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hello all,<br>
<br>
I have been working on this for another day straight. I still have
exactly the same problem. I have attached my configuration. I have
highlighted the parts that I suspect to be the problem. Certificates
do not seem to be a problem as the tunnels are up and can ping the
other tunnel endpoint.<br>
I would REALLY appreciate it if someone could help me with this.<br>
Thank you very much.<br>
Kind regards,<br>
<br>
Jeroen Hermans<br>
<br>
<br>
config setup<br>
uniqueids = no<br>
strictcrlpolicy=no<br>
<br>
conn %default<br>
rekeymargin=3m<br>
keyingtries=1<br>
<br>
conn rw<br>
authby=rsasig<br>
leftrsasigkey=%cert<br>
rightrsasigkey=%cert<br>
leftcert=server.2048.crt<br>
leftfirewall=yes<br>
auto=add<br>
dpddelay=30<br>
dpdtimeout=120<br>
dpdaction=clear<br>
<b>#left=%defaultroute<br>
leftsubnet=192.168.0.0/24 (also tried: 192.168.0.0/24,192.168.51.0/24)<br>
leftsourceip=xxx.xxx.xxx.xxx (ext. ip)<br>
right=%any<br>
rightsourceip=192.168.2.0/24<br>
rightsubnet=192.168.2.0/24</b><br>
rightid="C=NL, ST=L, L=etcetc, O=etcetcetc, CN=emailadres, E=emailadres"<br>
keyingtries=3<br>
<br>
conn 51<br>
type=tunnel<br>
authby=rsasig<br>
leftrsasigkey=%cert<br>
rightrsasigkey=%cert<br>
leftcert=server.1024.crt<br>
leftfirewall=yes<br>
auto=add<br>
dpddelay=30<br>
dpdtimeout=120<br>
dpdaction=clear<br>
<b>#left=%defaultroute<br>
leftsubnet=192.168.0.0/24 (also tried: 192.168.2.0/24,192.168.51.0/24)<br>
leftsourceip=xxx.xxx.xxx.xxx (ext. ip)<br>
right=%any<br>
rightsubnet=192.168.51.0/24</b><br>
keyingtries=3<br>
esp=aes256-sha1-modp2048<br>
<br>
<div class="moz-cite-prefix">On 26-6-2013 13:52, Noel Kuntze wrote:<br>
</div>
<blockquote
cite="mid:992e0bb3-c5db-450b-b76b-9bcd93df83a5@email.android.com"
type="cite">
Hello Jeroen,<br>
<br>
In Strongswan 5.0, IPs are installed on the physical interface,
so that is no problem. I hope you find a solution. If you do, please
tell me about it.<br>
<br>
Regards,<br>
Noel<br>
<br>
<div class="gmail_quote"><br>
<br>
"Jeroen J.A.W. Hermans" <a class="moz-txt-link-rfc2396E" href="mailto:j.hermans@epsys.nl"><j.hermans@epsys.nl></a> wrote:
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;"> Hello Noel,<br>
<br>
The other peers ("51" and "rw") have routes to each other
indeed. "51" knows how to reach "rw", but I don't see the ICMP
reply in the tcpdump. I also do not see the ICMP request going
out to "51" in tcpdump, so I expect this to be a
Strongswan/routing problem.<br>
I have no ipsec* interfaces. Is this a problem or new in
Strongswan 5.0?<br>
<br>
Btw Andy: forwarding is indeed enabled. <br>
Thank you both for replying so fast.<br>
Kind regards,<br>
<br>
Jeroen Hermans<br>
<br>
<div class="moz-cite-prefix">On 26-6-2013 11:58, Noel Kuntze
wrote:<br>
</div>
<blockquote
cite="mid:fb492e90-61f5-483c-9068-5abf70989bab@email.android.com"
type="cite"> PS: Do you actually give the other peers a
route to the rest of it? If not, then please do so, so they
actually know where to send the packets to.<br>
<br>
Regards,<br>
Noel<br>
<div class="gmail_quote"> <br>
"Jeroen J.A.W. Hermans" <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:j.hermans@epsys.nl"><j.hermans@epsys.nl></a>
wrote:
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;"> Hello Noel,<br>
<br>
You are completely right. I did enable global
forwarding:<br>
<br>
<b>$ sysctl -a|grep forward</b><b><br>
</b>net.ipv4.conf.all.forwarding = 1<br>
net.ipv4.conf.all.mc_forwarding = 0<br>
net.ipv4.conf.default.forwarding = 1<br>
net.ipv4.conf.default.mc_forwarding = 0<br>
net.ipv4.conf.lo.forwarding = 1<br>
net.ipv4.conf.lo.mc_forwarding = 0<br>
net.ipv4.conf.eth0.forwarding = 1<br>
net.ipv4.conf.eth0.mc_forwarding = 0<br>
<b>net.ipv4.ip_forward = 1</b><b><br>
</b>net.ipv6.conf.all.forwarding = 0<br>
net.ipv6.conf.all.mc_forwarding = 0<br>
net.ipv6.conf.default.forwarding = 0<br>
net.ipv6.conf.default.mc_forwarding = 0<br>
net.ipv6.conf.lo.forwarding = 0<br>
net.ipv6.conf.lo.mc_forwarding = 0<br>
net.ipv6.conf.eth0.forwarding = 0<br>
net.ipv6.conf.eth0.mc_forwarding = 0<br>
<br>
I would expect this to enable routing between the
tunnels.<br>
I don't have virtual interfaces (except for the eth0:0
which is the "local" Strongswan interface):<br>
<br>
<b>$ ifconfig -a</b><b><br>
</b>eth0 Link encap:Ethernet HWaddr
00:1A:4A:15:F7:16<br>
inet addr:xxx.xxx.xxx.xxx
Bcast:xxx.xxx.xxx.255 Mask:255.255.255.0<br>
UP BROADCAST RUNNING MULTICAST MTU:1500
Metric:1<br>
RX packets:1363008 errors:0 dropped:0
overruns:0 frame:0<br>
TX packets:463833 errors:0 dropped:0
overruns:0 carrier:0<br>
collisions:0 txqueuelen:1000<br>
RX bytes:402878767 (384.2 MiB) TX
bytes:74609564 (71.1 MiB)<br>
<br>
eth0:0 Link encap:Ethernet HWaddr 00:1A:4A:15:F7:16<br>
inet addr:192.168.0.1 Bcast:192.168.0.255
Mask:255.255.255.0<br>
UP BROADCAST RUNNING MULTICAST MTU:1500
Metric:1<br>
<br>
lo Link encap:Local Loopback<br>
inet addr:127.0.0.1 Mask:255.0.0.0<br>
inet6 addr: ::1/128 Scope:Host<br>
UP LOOPBACK RUNNING MTU:16436 Metric:1<br>
RX packets:1020 errors:0 dropped:0 overruns:0
frame:0<br>
TX packets:1020 errors:0 dropped:0 overruns:0
carrier:0<br>
collisions:0 txqueuelen:0<br>
RX bytes:112933 (110.2 KiB) TX bytes:112933
(110.2 KiB)<br>
<br>
Thank you for your fast reply!<br>
Kind regards,<br>
<br>
Jeroen Hermans<br>
<br>
<div class="moz-cite-prefix">On 26-6-2013 11:39, Noel
Kuntze wrote:<br>
</div>
<blockquote
cite="mid:785d2ec3-8f7e-42ca-a64c-bb0d5ba7545f@email.android.com"
type="cite"> Hello Jeroen,<br>
<br>
Did you enable forwarding on the strongswan host? If
not, then do so for your virtual interfaces, and if
that doesn't work, try to do it globally. <br>
<br>
Regards,<br>
Noel<br>
<br>
<div class="gmail_quote"><br>
<br>
"Jeroen J.A.W. Hermans" <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="mailto:j.hermans@epsys.nl"><j.hermans@epsys.nl></a>
wrote:
<blockquote class="gmail_quote" style="margin: 0pt
0pt 0pt 0.8ex; border-left: 1px solid rgb(204,
204, 204); padding-left: 1ex;"> Dear all,<br>
<br>
I have a question about a test scenario I am
setting up.<br>
I have two tunnels:<br>
"rw" - laptop with Shrewsoft VPN client<br>
ip: 192.168.2.1/32<br>
external-ip: yyy.yyy.yyy.yyy (behind NAT, internal
ip: 10.1.2.39)<br>
<br>
"51" - Draytek Vigor 2910 (no PCs connected to
the Vigor yet)<br>
ip-range: 192.168.51.1/24<br>
external-ip: yyy.yyy.yyy.yyy (behind NAT, internal
ip: 10.1.2.38)<br>
<br>
The central location is a linux server running
Strongswan 5.0.0:<br>
ip-range: 192.168.0.1/24<br>
external ip: xxx.xxx.xxx.xxx<br>
<br>
When I ping from the "51" Draytek (itself) to
192.168.0.1 (Strongswan) it works.<br>
When I ping from the "rw" laptop to 192.168.0.1
(Strongswan) it works.<br>
When I ping from the "rw" laptop to 192.168.51.1
(tunnel "51") I get no reply.<br>
When I ping from the "51" Draytek to 192.168.2.1
(tunnel "rw") I get no reply.<br>
<br>
I have policies in the Draytek and Shrewsoft
laptop for all subnets. This can be seen in the
tcpdump, where the packets for the remote subnet
of the other tunnel arrive at the Strongswan, but
are not forwarded.<br>
I have included as much information as possible. I
hope someone can help me with this problem.<br>
Thank you very much.<br>
Kind regards,<br>
<br>
Jeroen Hermans<br>
<br>
<br>
<b>$ sudo ip route list table 220</b><b><br>
</b>192.168.2.1 via <first-hop-router> dev
eth0 proto static src 192.168.0.1<br>
192.168.51.0/24 via <first-hop-router> dev
eth0 proto static src 192.168.0.1<br>
<br>
<b>$ sudo tcpdump -i eth0 not ip6 and not port 22
and not port domain</b><b><br>
</b>tcpdump: verbose output suppressed, use -v or
-vv for full protocol decode<br>
listening on eth0, link-type EN10MB (Ethernet),
capture size 65535 bytes<br>
<i>"rw" pings one time to 192.168.0.1</i><br>
11:11:40.410505 IP yyy.yyy.yyy.yyy.ipsec-nat-t
> xxx.xxx.xxx.xxx.ipsec-nat-t: UDP-encap:
ESP(spi=0xc8587ff2,seq=0x3), length 100<br>
11:11:40.410572 IP 192.168.2.1 > 192.168.0.1:
ICMP echo request, id 1, seq 234, length 40<br>
11:11:40.410655 IP xxx.xxx.xxx.xxx.ipsec-nat-t
> yyy.yyy.yyy.yyy.ipsec-nat-t: UDP-encap:
ESP(spi=0xba5fa761,seq=0x3), length 100<br>
<i>"rw" pings one time to 192.168.51.1</i><br>
11:11:43.377246 IP yyy.yyy.yyy.yyy.ipsec-nat-t
> xxx.xxx.xxx.xxx.ipsec-nat-t: UDP-encap:
ESP(spi=0xc04f2330,seq=0x2), length 100<br>
11:11:43.377331 IP 192.168.2.1 > 192.168.51.1:
ICMP echo request, id 1, seq 236, length 40<br>
11:11:43.377367 IP 192.168.2.1 > 192.168.51.1:
ICMP echo request, id 1, seq 236, length 40<br>
<br>
<br>
<b>$ sudo ip xfrm policy</b><b><br>
</b>src 192.168.51.0/24 dst 192.168.0.0/24<br>
dir fwd priority 1859 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst
xxx.xxx.xxx.xxx<br>
proto esp reqid 393 mode tunnel<br>
src 192.168.51.0/24 dst 192.168.0.0/24<br>
dir in priority 1859 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst
xxx.xxx.xxx.xxx<br>
proto esp reqid 393 mode tunnel<br>
src 192.168.0.0/24 dst 192.168.51.0/24<br>
dir out priority 1859 ptype main<br>
tmpl src xxx.xxx.xxx.xxx dst
yyy.yyy.yyy.yyy<br>
proto esp reqid 393 mode tunnel<br>
src 192.168.2.1/32 dst 192.168.51.0/24<br>
dir fwd priority 1827 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst
xxx.xxx.xxx.xxx<br>
proto esp reqid 391 mode tunnel<br>
src 192.168.2.1/32 dst 192.168.51.0/24<br>
dir in priority 1827 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst
xxx.xxx.xxx.xxx<br>
proto esp reqid 391 mode tunnel<br>
src 192.168.51.0/24 dst 192.168.2.1/32<br>
dir out priority 1827 ptype main<br>
tmpl src xxx.xxx.xxx.xxx dst
yyy.yyy.yyy.yyy<br>
proto esp reqid 391 mode tunnel<br>
src 192.168.2.1/32 dst 192.168.0.0/24<br>
dir fwd priority 1827 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst
xxx.xxx.xxx.xxx<br>
proto esp reqid 390 mode tunnel<br>
src 192.168.2.1/32 dst 192.168.0.0/24<br>
dir in priority 1827 ptype main<br>
tmpl src yyy.yyy.yyy.yyy dst
xxx.xxx.xxx.xxx<br>
proto esp reqid 390 mode tunnel<br>
src 192.168.0.0/24 dst 192.168.2.1/32<br>
dir out priority 1827 ptype main<br>
tmpl src xxx.xxx.xxx.xxx dst
yyy.yyy.yyy.yyy<br>
proto esp reqid 390 mode tunnel<br>
<br>
<br>
<b>$ sudo iptables-save</b><b><br>
</b>*filter<br>
:INPUT ACCEPT [0:0]<br>
:FORWARD ACCEPT [518:38392]<br>
:OUTPUT ACCEPT [39692:7545269]<br>
-A INPUT -p tcp -m tcp --dport 443:453 -j ACCEPT<br>
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT<br>
-A INPUT -p udp -m udp --dport 53 -j ACCEPT<br>
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT<br>
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT<br>
-A INPUT -m state --state RELATED,ESTABLISHED -j
ACCEPT<br>
-A INPUT -p icmp -j ACCEPT<br>
-A INPUT -i lo -j ACCEPT<br>
-A INPUT -p tcp -m state --state NEW -m tcp
--dport 22 -j ACCEPT<br>
-A INPUT -p udp -m udp --dport 500 -j ACCEPT<br>
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT<br>
-A INPUT -i eth0 -p esp -j ACCEPT<br>
-A INPUT -j REJECT --reject-with
icmp-host-prohibited<br>
-A OUTPUT -o eth0 -p esp -j ACCEPT<br>
COMMIT<br>
*mangle<br>
:PREROUTING ACCEPT [34286:3954457]<br>
:INPUT ACCEPT [33100:3886019]<br>
:FORWARD ACCEPT [518:38392]<br>
:OUTPUT ACCEPT [39696:7546309]<br>
:POSTROUTING ACCEPT [40214:7584701]<br>
COMMIT<br>
*nat<br>
:PREROUTING ACCEPT [1646:110154]<br>
:POSTROUTING ACCEPT [2019:153411]<br>
:OUTPUT ACCEPT [1961:146461]<br>
COMMIT<br>
<br>
<pre style="white-space: pre-wrap; word-wrap:break-word; font-family: sans-serif; margin-top: 0px"><hr>
Users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>
<a moz-do-not-send="true" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></pre>
</blockquote>
</div>
<br>
-- <br>
This message was sent from my Android mobile phone
with K-9 Mail. </blockquote>
<br>
</blockquote>
</div>
<br>
-- <br>
This message was sent from my Android mobile phone with
K-9 Mail. </blockquote>
<br>
</blockquote>
</div>
<br>
-- <br>
This message was sent from my Android mobile phone with K-9
Mail.
</blockquote>
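<br>
Editor's added example (not part of the thread, and not strongSwan's own tooling): a small Python check that parses the <code>ip xfrm policy</code> dump Jeroen posted and asks, for a spoke-to-spoke flow through the hub, whether the kernel SPD has both the <code>fwd</code> policy that accepts the decrypted packet and the <code>out</code> policy that re-encrypts it toward the other spoke. The policy dump is embedded verbatim as constructed sample input, with its xxx/yyy placeholders left as-is (they are never parsed as addresses). My reading of the posted data, which the script makes explicit: the flow 192.168.2.1 to 192.168.51.1 matches a <code>fwd</code> policy under reqid 391 but no <code>out</code> policy at all, so after decryption the hub forwards the packet by its ordinary routing table in cleartext. That is consistent with the tcpdump above, where the ping to 192.168.51.1 shows the decrypted ICMP request twice on eth0 and no outgoing ESP packet, unlike the ping to 192.168.0.1. The reverse flow has an <code>out</code> policy (reqid 391) but no <code>fwd</code> policy, because the "51" tunnel only negotiated 192.168.51.0/24 against 192.168.0.0/24 (reqid 393). The function names and the flow interpretation are mine; the parser relies only on the output format of <code>ip xfrm policy</code>.<br>
<br>
```python
"""Check a hub's IPsec SPD (`ip xfrm policy` output) for spoke-to-spoke gaps.

Added example for the strongSwan users thread; assumes only the text format
of `ip xfrm policy` (selector line, dir line, tmpl line, proto line).
"""
import ipaddress
import re

# Constructed sample input: the `ip xfrm policy` dump posted in the thread,
# verbatim, including the xxx/yyy placeholders for the public addresses.
XFRM_POLICY_DUMP = """\
src 192.168.51.0/24 dst 192.168.0.0/24
    dir fwd priority 1859 ptype main
    tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
        proto esp reqid 393 mode tunnel
src 192.168.51.0/24 dst 192.168.0.0/24
    dir in priority 1859 ptype main
    tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
        proto esp reqid 393 mode tunnel
src 192.168.0.0/24 dst 192.168.51.0/24
    dir out priority 1859 ptype main
    tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
        proto esp reqid 393 mode tunnel
src 192.168.2.1/32 dst 192.168.51.0/24
    dir fwd priority 1827 ptype main
    tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
        proto esp reqid 391 mode tunnel
src 192.168.2.1/32 dst 192.168.51.0/24
    dir in priority 1827 ptype main
    tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
        proto esp reqid 391 mode tunnel
src 192.168.51.0/24 dst 192.168.2.1/32
    dir out priority 1827 ptype main
    tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
        proto esp reqid 391 mode tunnel
src 192.168.2.1/32 dst 192.168.0.0/24
    dir fwd priority 1827 ptype main
    tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
        proto esp reqid 390 mode tunnel
src 192.168.2.1/32 dst 192.168.0.0/24
    dir in priority 1827 ptype main
    tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
        proto esp reqid 390 mode tunnel
src 192.168.0.0/24 dst 192.168.2.1/32
    dir out priority 1827 ptype main
    tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
        proto esp reqid 390 mode tunnel
"""

_SEL = re.compile(r"^src (\S+) dst (\S+)$")
_DIR = re.compile(r"^dir (\S+) priority (\d+)")
_PROTO = re.compile(r"^proto (\S+) reqid (\d+) mode (\S+)")


def parse_xfrm_policies(dump):
    """Turn `ip xfrm policy` text into dicts: selector networks, dir, priority, reqid.

    The tmpl line (outer tunnel endpoints) is skipped; the placeholders in the
    sample are not valid addresses and are not needed for selector matching."""
    policies = []
    for raw in dump.splitlines():
        line = raw.strip()
        if m := _SEL.match(line):
            policies.append({"src": ipaddress.ip_network(m[1]),
                             "dst": ipaddress.ip_network(m[2])})
        elif m := _DIR.match(line):
            policies[-1].update(dir=m[1], priority=int(m[2]))
        elif m := _PROTO.match(line):
            policies[-1].update(proto=m[1], reqid=int(m[2]), mode=m[3])
    return policies


def lookup(policies, src_ip, dst_ip, direction):
    """Return the winning policy for a flow in one direction, or None.

    As in the kernel SPD, a lower priority value wins among matching selectors."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None


def check_spoke_to_spoke(policies, src_ip, dst_ip):
    """A forwarded flow needs a `fwd` policy (accept after decryption) and an
    `out` policy (re-encrypt toward the other spoke).  `fwd` without `out` means
    the decrypted packet is handed to normal routing and leaves in cleartext;
    `out` without `fwd` means the kernel drops it on the way in."""
    fwd = lookup(policies, src_ip, dst_ip, "fwd")
    out = lookup(policies, src_ip, dst_ip, "out")
    return {
        "fwd_reqid": fwd["reqid"] if fwd else None,
        "out_reqid": out["reqid"] if out else None,
        "cleartext_leak": fwd is not None and out is None,
        "dropped_on_ingress": fwd is None,
    }


if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY_DUMP)
    for s, d in [("192.168.2.1", "192.168.51.1"), ("192.168.51.1", "192.168.2.1")]:
        print(f"{s} -> {d}: {check_spoke_to_spoke(pols, s, d)}")
```
<br>
Run it with a live dump by replacing the sample with the output of <code>ip xfrm policy</code>; the useful defensive check is the <code>cleartext_leak</code> flag, since a hub that forwards decrypted spoke traffic onto its default route is a confidentiality failure rather than merely a connectivity one.<br>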
<br>
</body>
</html>