<div style="line-height:1.7;color:#000000;font-size:14px;font-family:arial"><DIV>
<DIV>Hi,</DIV>
<DIV>We have set 'sysctl -w net.ipv4.ip_forward=1', but it does not help.</DIV>
<DIV>The problem we met is as follows:</DIV>
<DIV> </DIV>
<DIV>ENVIRONMENT:</DIV>
<DIV>routeA is connected to routeB over wireless.</DIV>
<DIV>computerA is connected to routeA, computerB is connected to routeB.</DIV>
<DIV> </DIV>
<DIV>Their IPs:</DIV>
<DIV>computerA: 192.168.11.10</DIV>
<DIV>routeA: 10.96.78.118(192.168.11.1)</DIV>
<DIV>routeB: 10.96.17.252(192.168.12.1)</DIV>
<DIV>computerB: 192.168.12.13</DIV>
<DIV> </DIV>
<DIV>computerA can successfully ping routeA and routeB.</DIV>
<DIV>computerB can successfully ping routeA and routeB.</DIV>
<DIV>routeA can successfully ping computerA and routeB.</DIV>
<DIV>routeB can successfully ping computerB and routeA.</DIV>
<DIV>BUT computerA cannot ping computerB.</DIV>
<DIV>We put a packet capture tool on routeA to capture the traffic when we try to ping computerB from computerA, and we got packets whose destination IP is 192.168.12.13 (IP of computerB) and whose source IP is 10.96.78.118 (routeA).</DIV>
<DIV>Actually, the destination IP here should be 10.96.17.252 (IP of routeB) in a correct data transport (we have set up a correct strongSwan environment in another virtual network on an Ubuntu system, and it proved this case).</DIV>
<DIV>But if we run 'ipsec down net-net', the source IP changes to the IP of computerA. So the router changes the data source correctly, but does not change the destination correctly.</DIV>
<DIV> </DIV>
<DIV>So in my opinion, maybe there is still something wrong with the router, lacking some config in the kernel (we build it in LTIB) or something else, which makes it work incorrectly.</DIV>
<DIV>What may the reasons be?</DIV>
<DIV> </DIV>
<DIV>This is our ipsec.conf:</DIV>
<PRE>
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn net-net
    left=10.96.17.252
    leftsubnet=192.168.12.0/24
    leftid=@10.96.17.252
    leftfirewall=yes
    right=10.96.78.118
    rightsubnet=192.168.11.0/24
    rightid=@10.96.78.118
    auto=add
</PRE>
<DIV>Sometimes we get a log like this:</DIV>
<PRE>
Dec 12 01:20:15 freescale authpriv.info ipsec_starter[11166]: Starting strongSwan 5.1.0 IPsec [starter]...
Dec 12 01:20:15 freescale authpriv.info ipsec_starter[11166]: removing pidfile '/var/run/charon.pid', process not running
Dec 12 01:20:16 freescale user.info kernel: Initializing XFRM netlink socket
Dec 12 01:20:16 freescale authpriv.info ipsec_starter[11166]: removing pidfile '/var/run/starter.charon.pid', process not running
Dec 12 01:20:16 freescale daemon.info charon: 00[DMN] opening file var/log/charon.log for logging failed: No such file or directory
</PRE>
<DIV>Is there any problem with charon.pid? And is the log not being written because the file does not exist?</DIV>
<DIV>And is there any way we can get a detailed log showing how it handles the data we want to send out?</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>best regards</DIV>
<DIV>xuxl</DIV></DIV>
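<DIV>An added example, not part of this post and not strongSwan's own code: a Python script that parses a constructed <code>ip xfrm policy</code> dump (what charon's kernel-netlink plugin is expected to install on routeA for the net-net conn above) and works out which outer header a given inner packet should carry when it leaves the gateway. The dump text follows iproute2's output format, but its content, the priority number and both packets are constructed from the addresses in the post; nothing here was taken from the poster's system.</DIV>

```python
import ipaddress
import re

# Constructed sample in the format `ip xfrm policy` uses, as it would look on
# the 192.168.11.0/24 gateway (10.96.78.118) once the net-net CHILD_SA is up.
# The priority value is arbitrary.
XFRM_POLICY_DUMP = """\
src 192.168.11.0/24 dst 192.168.12.0/24
\tdir out priority 375423 ptype main
\ttmpl src 10.96.78.118 dst 10.96.17.252
\t\tproto esp reqid 1 mode tunnel
src 192.168.12.0/24 dst 192.168.11.0/24
\tdir fwd priority 375423 ptype main
\ttmpl src 10.96.17.252 dst 10.96.78.118
\t\tproto esp reqid 1 mode tunnel
src 192.168.12.0/24 dst 192.168.11.0/24
\tdir in priority 375423 ptype main
\ttmpl src 10.96.17.252 dst 10.96.78.118
\t\tproto esp reqid 1 mode tunnel
"""


def parse_xfrm_policies(dump):
    """Parse an `ip xfrm policy` dump into dicts holding the selector
    (src/dst networks), direction, priority and the first template."""
    policies, cur = [], None
    for line in dump.splitlines():
        text = line.strip()
        if not text:
            continue
        if not line[0].isspace():                       # selector line
            m = re.match(r"src (\S+) dst (\S+)", text)
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "dir": None, "priority": None, "tmpl": None}
            policies.append(cur)
        elif text.startswith("dir "):
            m = re.match(r"dir (\w+) priority (\d+)", text)
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
        elif text.startswith("tmpl ") and cur["tmpl"] is None:
            m = re.match(r"tmpl src (\S+) dst (\S+)", text)
            cur["tmpl"] = {"src": m.group(1), "dst": m.group(2)}
        elif text.startswith("proto ") and cur["tmpl"] and "proto" not in cur["tmpl"]:
            m = re.match(r"proto (\w+) reqid (\d+) mode (\w+)", text)
            cur["tmpl"].update(proto=m.group(1), reqid=int(m.group(2)), mode=m.group(3))
    return policies


def lookup_out_policy(policies, src_ip, dst_ip):
    """Best 'out' policy whose selector covers the packet (lowest priority
    number wins, as in the kernel), or None if the flow is not protected."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p["dir"] == "out" and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None


def expected_on_wire(policies, src_ip, dst_ip):
    """Outer header that should leave the WAN interface for this inner packet."""
    p = lookup_out_policy(policies, src_ip, dst_ip)
    if p is None:
        return {"ipsec": False, "outer_src": src_ip, "outer_dst": dst_ip}
    t = p["tmpl"]
    return {"ipsec": True, "outer_src": t["src"], "outer_dst": t["dst"],
            "proto": t["proto"]}


def diagnose_capture(policies, inner, captured):
    """Compare the packet the LAN host sent (inner) with what a capture on
    the gateway's outbound interface showed (captured); both are (src, dst)."""
    want = expected_on_wire(policies, *inner)
    cap_src, cap_dst = captured
    if not want["ipsec"]:
        return "no out policy covers this flow: cleartext is expected"
    if (cap_src, cap_dst) == (want["outer_src"], want["outer_dst"]):
        return "ok: ESP to peer %s as the policy requires" % want["outer_dst"]
    if cap_dst == inner[1]:
        note = "source rewritten" if cap_src != inner[0] else "source unchanged"
        post_nat = lookup_out_policy(policies, cap_src, cap_dst)
        return ("no ESP: inner packet left in cleartext (%s); the captured "
                "addresses %s inside an out-policy selector"
                % (note, "fall" if post_nat else "do not fall"))
    return "unexpected outer header %s -> %s" % (cap_src, cap_dst)


if __name__ == "__main__":
    pol = parse_xfrm_policies(XFRM_POLICY_DUMP)
    inner = ("192.168.11.10", "192.168.12.13")          # computerA -> computerB
    print(expected_on_wire(pol, *inner))
    # The capture described in the post: source already rewritten to routeA's
    # WAN address, destination still computerB, no ESP.
    print(diagnose_capture(pol, inner, ("10.96.78.118", "192.168.12.13")))
    print(diagnose_capture(pol, inner, ("10.96.78.118", "10.96.17.252")))
```

<DIV>Fed the capture from the post (source 10.96.78.118, destination 192.168.12.13), the script reports that the packet left in cleartext with a rewritten source and that the rewritten addresses do not fall inside the out-policy selector, which is the comparison worth making against a real <code>ip xfrm policy</code> and <code>ip xfrm state</code> dump before suspecting the kernel build. If the gateway also masquerades its LAN towards the wireless link, the usual precaution is to exempt policy-matched traffic from SNAT with <code>iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT</code> ahead of the MASQUERADE rule. Note also that the <code>esp=null-sha1!</code> proposal mentioned further down gives integrity only: ESP with the NULL cipher carries the inner packet readable on the wire, so it is a debugging aid, not a production setting.</DIV>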
<PRE>At 2013-08-28 17:46:00, "Noel Kuntze" <noel@familie-kuntze.de> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>Hello xuxl,
>
>The last message wasn't properly signed. My mail client wraps the lines
>after signing it, so it breaks the signature. I am sorry for this.
>This message is properly signed now.
>
>It might be that ip_forwarding is not enabled.
>To enable it temporarily, use "sysctl -w net.ipv4.ip_forward=1"
>on both boxes.
>It makes the kernel forward packets from one network interface to another.
>
>Another possible problem could be that the computers on the remote
>network don't have a route to your local network (neither themselves
>nor their default router),
>so they can't send packets to your local network.
>This can be solved in three ways:
>
>Either install a route to the respective foreign networks on all the PCs
>on the network, or install a route to the respective foreign network
>on the default routers of the PCs on the network.
>
>To get a list of supported ciphers, use "ipsec listalgs".
>It will list cipher-hmac-modp pairs.
>The names that are displayed there cannot be used in your ipsec.conf,
>as the name formatting in ipsec.conf is a different one.
>If your version of strongSwan is compiled with
>the "aes" or "des" modules and those are loaded,
>strongSwan should be capable of using those encryption algorithms.
>
>As far as I know, each crypto module of strongSwan implements
>the cipher in userland, so it is completely kernel independent.
>
>There is, however, the "af-alg" module, that uses the kernel API to
>provide more ciphers for strongSwan to choose from, and hence the
>ciphers it provides are kernel dependent.
>
>It might be very useful to make strongSwan log to a file or syslog.
>The following example will make strongSwan log to syslog
>with the "daemon" facility, packet encoding set to no logging (-1),
>config,
>low-level en- and decoding set to generic control flow with errors (1)
>and IKE network communication, as well as IKE_SA to basic auditing log
>(0).
>It also makes it log to a file with mostly raw dumps in hexadecimal form
>(3).
>You can take a look at the manpage for
>strongswan.conf to see all the possible settings.
>
>Example:
>charon {
>    syslog {
>        daemon {
>            enc = -1
>            cfg = 1
>            asn = 1
>            net = 0
>            ike = 0
>        }
>    }
>    filelog {
>        /var/log/charon.log {
>            default = 3
>            enc = 2
>            cfg = 3
>            asn = 3
>            append = no
>            ike_name = no
>        }
>    }
>}
>
>See the manpage for strongswan.conf for all the options.
>With cfg set to 2, you can see the proposals of the two peers.
>
>Regards,
>Noel Kuntze
>
>
>
>
>-------- Original Message --------
>Subject: Re:Re: [strongSwan] unable to add SAD entry with SPI
>Date: Wed, 28 Aug 2013 16:59:37 +0800 (CST)
>From: lily <xuxiaoli86@126.com>
>To: Noel Kuntze <noel@familie-kuntze.de>, users@lists.strongswan.org
>
>
>
>
> Hi, Noel
>
>Thank you very much for all the detailed guidance.
>At last, we found that if we set CONFIG_CRYPTO_NULL=y and set 'esp=null-sha1!'
>in the ipsec.conf file, we can successfully establish the connection between
>the two routers.
>But computers in the subnets still cannot ping the other side.
>The two routers can ping each other very well; however, they cannot ping
>computers on the other side either.
>Do you have any advice for this case?
>Are there still modules missing in the kernel even though it can establish
>successfully? Or is it just some mistake in the config?
>Best regards and thank you for any help!
>xuxl
>
>
>At 2013-08-27 10:30:40,"Noel Kuntze" <noel@familie-kuntze.de> wrote:
>> It seems my mail client mangled the message after it was signed by
>> pgp. I'm sorry. I'll send one with a valid signature:
>>
>> Hello,
>>
>> To compile with "libipsec", you need to add "--enable-libipsec" to
>> the arguments you give ./configure. It might end up looking like
>> this: (This is taken from a script I wrote to build and package
>> strongSwan on Arch Linux.)
>>> ./configure --prefix=/usr --sbindir=/usr/bin --sysconfdir=/etc \
>>>   --libexecdir=/usr/lib --with-ipsecdir=/usr/lib/strongswan \
>>>   --enable-sqlite --enable-openssl --enable-curl --enable-sql \
>>>   --enable-attr-sql --enable-farp --enable-dhcp --enable-eap-sim \
>>>   --enable-eap-sim-file --enable-eap-simaka-pseudonym \
>>>   --enable-eap-simaka-reauth --enable-eap-identity --enable-eap-md5 \
>>>   --enable-eap-gtc --enable-eap-aka --enable-eap-aka-3gpp2 \
>>>   --enable-eap-mschapv2 --enable-eap-radius --enable-xauth-eap \
>>>   --enable-ha --disable-mysql --disable-ldap --enable-libipsec
>> After configuring, just run "make" to compile.
>>
>> When you installed strongSwan, you can load "libipsec" with the
>> "charon.load" statement. This will look like this:
>>> charon {
>>>     load = charon test-vectors curl sqlite random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl af-alg gmp xcbc cmac hmac fips-prf ctr ccm gcm attr kernel-netlink socket-default farp stroke updown eap-identity eap-gtc eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp unity
>>> }
>>
>> All the modules that are to be loaded need to be in the same line
>> as the "load" statement! You also need to make sure to include all
>> the modules you need in the "load" statement, as it will disable
>> automatic loading.
>>
>> Doing this will give you a warning as soon as you start
>> strongSwan. To disable this, you need to set "starter.load_warning"
>> to "no":
>>> starter { load_warning = no }
>>
>> Regards, Noel Kuntze
>>
>> On 27.08.2013 04:12, ÐìóãÀò wrote:
>>
>>> Hi, Noel
>>
>>> Thanks for your reply. Would you pls explain the detail of how to
>>> compile with libipsec and loading it with the "load" statement in
>>> strongswan.conf?
>>
>>> Sorry , I am a newbie to strongswan~~
>>
>>> Br,
>>
>>> At 2013-08-26 18:52:55,"Noel Kuntze" <noel@familie-kuntze.de>
>>> wrote:
>>>>
>>> Hello xuxl,
>>
>>> I've seen this behaviour on systems virtualized with OpenVZ. On
>>> such systems, it is not possible to insert xfrm policies into the
>>> kernel or use netlink's functionality. The solution to this
>>> problem is compiling with libipsec and loading it with the
>>> "load" statement in strongswan.conf.
>>
>>> Regards, Noel Kuntze
>>
>>> On 26.08.2013 12:48, ??? wrote:
>>
>>>> Dec 12 01:25:05 freescale daemon.info charon: 01[KNL] received netlink error: Function not implemented (38)
>>
>>>>
>>
>>
>>
</PRE></div>
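<DIV>Noel's point about return routes (every PC, or at least its default router, needs a route to the far subnet) and the ip_forward setting, as an added example that is not part of the thread and not strongSwan's code: a small Python model of the four hosts with routing tables I constructed. It forwards a packet hop by hop with longest-prefix matching, so it shows why the routers reach each other while the PCs do not, why a route on only one router gives a one-way path (the ping still fails because the reply is lost), and what net.ipv4.ip_forward=0 on a transit router does. The wireless link prefix 10.96.0.0/16, the upstream gateway 10.96.0.1 and the interface names are assumptions. The model covers plain routing only; on a gateway running strongSwan the IPsec policy is applied after this route lookup, so the kernel route for the far subnet may simply be the default route, and charon installs its own routes in table 220 when install_routes is enabled.</DIV>

```python
import ipaddress


def make_table(*routes):
    """Build a routing table from (prefix, gateway, interface) tuples; a None
    gateway means the prefix is directly connected on that interface."""
    return [(ipaddress.ip_network(p), g, dev) for p, g, dev in routes]


def base_hosts():
    """The four hosts of the post with constructed routing tables. Each router
    knows its own LAN, the wireless link (assumed 10.96.0.0/16) and a default
    route to an assumed upstream 10.96.0.1; nobody knows the far LAN yet."""
    return {
        "computerA": {"addrs": ["192.168.11.10"], "forward": False,
                      "routes": make_table(("192.168.11.0/24", None, "eth0"),
                                           ("0.0.0.0/0", "192.168.11.1", "eth0"))},
        "routeA": {"addrs": ["192.168.11.1", "10.96.78.118"], "forward": True,
                   "routes": make_table(("192.168.11.0/24", None, "br-lan"),
                                        ("10.96.0.0/16", None, "wlan0"),
                                        ("0.0.0.0/0", "10.96.0.1", "wlan0"))},
        "routeB": {"addrs": ["192.168.12.1", "10.96.17.252"], "forward": True,
                   "routes": make_table(("192.168.12.0/24", None, "br-lan"),
                                        ("10.96.0.0/16", None, "wlan0"),
                                        ("0.0.0.0/0", "10.96.0.1", "wlan0"))},
        "computerB": {"addrs": ["192.168.12.13"], "forward": False,
                      "routes": make_table(("192.168.12.0/24", None, "eth0"),
                                           ("0.0.0.0/0", "192.168.12.1", "eth0"))},
    }


def add_route(hosts, name, prefix, gw, dev):
    """Model of `ip route add PREFIX via GW dev DEV` run on host NAME."""
    hosts[name]["routes"].append((ipaddress.ip_network(prefix), gw, dev))


def lookup(table, dst):
    """Longest-prefix match, the rule the kernel FIB applies."""
    best = None
    for entry in table:
        if dst in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best


def trace(hosts, src_host, dst_ip, max_hops=8):
    """Forward one packet host by host. Returns (delivered, path, reason)."""
    dst = ipaddress.ip_address(dst_ip)
    by_addr = {ipaddress.ip_address(a): n for n, h in hosts.items() for a in h["addrs"]}
    here, path = src_host, [src_host]
    for hop in range(max_hops):
        host = hosts[here]
        if any(ipaddress.ip_address(a) == dst for a in host["addrs"]):
            return True, path, "delivered"
        if hop > 0 and not host["forward"]:      # transit host with ip_forward=0
            return False, path, "%s: net.ipv4.ip_forward=0, packet dropped" % here
        route = lookup(host["routes"], dst)
        if route is None:
            return False, path, "%s: no route to %s" % (here, dst)
        prefix, gw, dev = route
        next_hop = dst if gw is None else ipaddress.ip_address(gw)
        nxt = by_addr.get(next_hop)
        if nxt is None:
            return False, path, ("%s: next hop %s via %s (%s) leaves the modelled network"
                                 % (here, next_hop, dev, prefix))
        here = nxt
        path.append(nxt)
    return False, path, "hop limit reached: routing loop?"


def ping_ok(hosts, a, b):
    """A ping between the first addresses of a and b succeeds only if the
    request and the reply both get through; returns (ok, fwd_reason, rev_reason)."""
    fwd = trace(hosts, a, hosts[b]["addrs"][0])
    rev = trace(hosts, b, hosts[a]["addrs"][0])
    return fwd[0] and rev[0], fwd[2], rev[2]


if __name__ == "__main__":
    h = base_hosts()
    print(trace(h, "computerA", "10.96.17.252"))    # routers reach each other
    print(trace(h, "computerA", "192.168.12.13"))   # but the far LAN is unknown
    add_route(h, "routeA", "192.168.12.0/24", "10.96.17.252", "wlan0")
    print(ping_ok(h, "computerA", "computerB"))     # one-way: reply dies at routeB
    add_route(h, "routeB", "192.168.11.0/24", "10.96.78.118", "wlan0")
    print(ping_ok(h, "computerA", "computerB"))     # both routers fixed
    h["routeB"]["forward"] = False
    print(trace(h, "computerB", "192.168.11.10"))   # ip_forward=0 on a transit router
```

<DIV>The same checks on a real box are <code>ip route get 192.168.12.13</code> on each hop (it prints the route the kernel actually picks, including the one charon installs in table 220) and <code>sysctl net.ipv4.ip_forward</code> on both gateways; a capture that shows requests arriving at computerB but no replies on the far side is the signature of the one-way case the model reproduces.</DIV>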