<div style="line-height:1.7;color:#000000;font-size:14px;font-family:arial"><DIV>Hi.</DIV>
<DIV> </DIV>
<DIV>===============================================================</DIV>
<DIV style="COLOR: #ff0000">our network topology diagram:</DIV>
<DIV>(refer to <A href="http://www.strongswan.org/uml/testresults/index.html">strongSwan KVM Tests</A> / <A href="http://www.strongswan.org/uml/testresults/ikev2/index.html">ikev2</A> / net2net-psk in <A href="http://www.strongswan.org/testresults.html">http://www.strongswan.org/testresults.html</A>)</DIV>
<DIV>===============================================================</DIV>
<DIV> </DIV>
<DIV> LAN WIRELESS LAN<BR> computerA ---------------------------- routeA¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬routeB---------------------------computerB</DIV>
<DIV> IP: 192.168.12.13(eth0) 192.168.12.1 (eth0) 192.168.11.1(eth2) 192.168.11.10(eth2) <BR> 10.93.4.74(ppp0) 10.96.61.8(ppp0) </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>THE BIG QUESTION: we want to ping 192.168.11.10(computerB) from computerA, but result is timeout.</DIV>
<DIV> </DIV>
<DIV>===============================================================<BR><SPAN style="COLOR: #ff0000">secrets and config file on computerA </SPAN><BR>===============================================================</DIV>
<DIV> </DIV>
<DIV># /etc/ipsec.secrets - strongSwan IPsec secrets file</DIV>
<DIV>@10.93.4.74 @10.96.61.8 : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL</DIV>
<DIV>@10.93.4.74 %any : PSK 0x45a30759df97dc26a15b88ff </DIV>
<DIV>@10.96.61.8 : PSK "This is a strong password" </DIV>
<DIV>: PSK 'My "home" is my "castle"!'</DIV>
<DIV>10.93.4.74 : PSK "Andi's home"</DIV>
<DIV># /etc/ipsec.conf - strongSwan IPsec configuration file</DIV>
<DIV>config setup</DIV>
<DIV>conn %default<BR> ikelifetime=60m<BR> keylife=20m<BR> rekeymargin=3m<BR> keyingtries=1<BR> authby=secret<BR> keyexchange=ikev2<BR> mobike=no<BR> esp=null-sha1!<BR> forceencaps=yes</DIV>
<DIV>conn net-net<BR> left=10.93.4.74<BR> leftsubnet=192.168.12.0/24<BR> <A href="mailto:leftid=@10.93.4.74">leftid=@10.93.4.74</A><BR> leftfirewall=yes<BR> right=10.96.61.8<BR> rightsubnet=192.168.11.0/24<BR> <A href="mailto:rightid=@10.96.61.8">rightid=@10.96.61.8</A><BR> auto=add</DIV>
<DIV><BR>===============================================================<BR><SPAN style="COLOR: #ff0000">secrets and config file on computerB </SPAN><BR>===============================================================</DIV>
<DIV># /etc/ipsec.secrets - strongSwan IPsec secrets file</DIV>
<DIV>@10.93.4.74 @10.96.61.8 : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL</DIV>
<DIV><BR># /etc/ipsec.conf - strongSwan IPsec configuration file</DIV>
<DIV>config setup</DIV>
<DIV>conn %default<BR> ikelifetime=60m<BR> keylife=20m<BR> rekeymargin=3m<BR> keyingtries=1<BR> authby=secret<BR> keyexchange=ikev2<BR> mobike=no<BR> esp=null-sha1!<BR> forceencaps=yes</DIV>
<DIV>conn net-net<BR> left=10.96.61.8<BR> leftsubnet=192.168.11.0/24<BR> <A href="mailto:leftid=@10.96.61.8">leftid=@10.96.61.8</A><BR> leftfirewall=yes<BR> right=10.93.4.74<BR> rightsubnet=192.168.12.0/24<BR> <A href="mailto:rightid=@10.93.4.74">rightid=@10.93.4.74</A><BR> auto=add</DIV>
<DIV><BR>=======================================================================<BR><SPAN style="COLOR: #ff0000">computerA status after 'ipsec up net-net' successfully</SPAN><BR>======================================================================</DIV>
<DIV><A href="mailto:root@freescale">root@freescale</A> ~$ ipsec status<BR>Security Associations (1 up, 0 connecting):<BR> net-net[1]: ESTABLISHED 20 seconds ago, 10.93.4.74[10.93.4.74]...10.96.61.8<BR>[10.96.61.8]<BR> net-net{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: ca552268_i c9a27b29_o<BR> net-net{1}: 192.168.12.0/24 === 192.168.11.0/24<BR><BR><A href="mailto:root@freescale">root@freescale</A> ~$ ipsec statusall<BR>Status of IKE charon daemon (strongSwan 5.1.0, Linux 2.6.35.3-571-gcca29a0-svn23<BR>48, armv5tejl):<BR> uptime: 4 minutes, since Dec 12 01:18:20 2012<BR> malloc: sbrk 253952, mmap 0, used 117024, free 136928<BR> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled:<BR> 2<BR> loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation<BR>constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp x<BR>cbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-gen<BR>eric<BR>Listening IP addresses:<BR> 192.168.12.1<BR> 10.93.4.74<BR>Connections:<BR> net-net: 10.93.4.74...10.96.61.8 IKEv2<BR> net-net: local: [10.93.4.74] uses pre-shared key authentication<BR> net-net: remote: [10.96.61.8] uses pre-shared key authentication<BR> net-net: child: 192.168.12.0/24 === 192.168.11.0/24 TUNNEL<BR>Security Associations (1 up, 0 connecting):<BR> net-net[1]: ESTABLISHED 2 minutes ago, 10.93.4.74[10.93.4.74]...10.96.61.8[<BR>10.96.61.8]<BR> net-net[1]: IKEv2 SPIs: e91f69e169c3de05_i cc021435fd865b15_r*, pre-shared<BR>key reauthentication in 52 minutes<BR> net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<BR> net-net{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: ca552268_i c9a27b29_o<BR> net-net{1}: NULL/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 12 minute<BR>s<BR> net-net{1}: 192.168.12.0/24 === 192.168.11.0/24</DIV>
<DIV><A href="mailto:root@freescale">root@freescale</A> ~$ ip route list table 220<BR>192.168.11.0/24 via 10.96.61.8 dev ppp0 src 192.168.12.1<BR></DIV>
<DIV> </DIV>
<DIV>======================================================================<BR><SPAN style="COLOR: #ff0000">computerA status after exeute 'ipsec down net-net'</SPAN><BR>======================================================================</DIV>
<DIV><BR><A href="mailto:root@freescale">root@freescale</A> ~$ ipsec down net-net<BR>deleting IKE_SA net-net[1] between 10.93.4.74[10.93.4.74]...10.96.61.8[10.96.61.<BR>8]<BR>sending DELETE for IKE_SA net-net[1]<BR>generating INFORMATIONAL request 0 [ D ]<BR>sending packet: from 10.93.4.74[4500] to 10.96.61.8[4500] (76 bytes)<BR>received packet: from 10.96.61.8[4500] to 10.93.4.74[4500] (76 bytes)<BR>parsed INFORMATIONAL response 0 [ ]<BR>IKE_SA deleted<BR>IKE_SA [1] closed successfully</DIV>
<DIV><BR><A href="mailto:root@freescale">root@freescale</A> ~$ ip route list table 220</DIV>
<DIV>(nothing exist)</DIV>
<DIV><A href="mailto:root@freescale">root@freescale</A> ~$ ipsec statusall<BR>Status of IKE charon daemon (strongSwan 5.1.0, Linux 2.6.35.3-571-gcca29a0-svn23<BR>48, armv5tejl):<BR> uptime: 9 minutes, since Dec 12 01:18:19 2012<BR> malloc: sbrk 253952, mmap 0, used 105816, free 148136<BR> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled:<BR> 2<BR> loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation<BR>constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp x<BR>cbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-gen<BR>eric<BR>Listening IP addresses:<BR> 192.168.12.1<BR> 10.93.4.74<BR>Connections:<BR> net-net: 10.93.4.74...10.96.61.8 IKEv2<BR> net-net: local: [10.93.4.74] uses pre-shared key authentication<BR> net-net: remote: [10.96.61.8] uses pre-shared key authentication<BR> net-net: child: 192.168.12.0/24 === 192.168.11.0/24 TUNNEL<BR>Security Associations (0 up, 0 connecting):<BR> none<BR><BR><BR><BR>Those are all we set and get when we try to test the performance of strongswan.Pls tell me if you need any other information. </DIV>
<DIV>Thank you very much for your patience and quick answer.</DIV>
<DIV> </DIV>
<DIV>regards</DIV>
<DIV>xuxl<BR></DIV>
<DIV>
<DIV>
<DIV>
<DIV> </DIV></DIV></DIV></DIV>
<DIV id="divNeteaseMailCard"></DIV>
<DIV><BR></DIV><PRE><BR>At 2013-08-29 13:24:01,"Noel Kuntze" <noel@familie-kuntze.de> wrote:
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>Hello xuxl,
>
>if you try to ping exactly the VPN side IP of computerB from computerA, does that work?
>Also, you are talking about sourceips, but that doesn't appear in your ipsec.conf.
>I assume you can't ping the LAN side IP of computerB from computerA.
>You might want to take a look at the routing table of strongswan. It is in table 220.
>The command to see it is "ip route list table 220".
>I think it would be quite helpful at resolving your problem if you could send me the output of "ipsec status" for when you established the VPN connection,
>when you try to ping computerB and when you executed "ipsec down net-net".
>Also can you make a network topology diagram? It would be pretty handy in understanding the traffic flow.
>
>Regards,
>Noel Kuntze
>
>On 29.08.2013 06:22, lily wrote:
>> hi
>>
>> last mail may not send successfully ,send it again,sorry! :)
>>
>> we have set 'sysctl -w net.ipv4.ip_forward=1',but it is not useful.
>> the problem we met is as this:
>>
>> ENVIRONMENT:
>> routeA is connected with routeB on wireless.
>> computerA is connected to routeA , computerB is connected to routeB .
>>
>> their IP:
>> computerA: 192.168.11.10
>> routeA: 10.96.78.118(192.168.11.1)
>> routeB: 10.96.17.252(192.168.12.1)
>> computerB: 192.168.12.13
>>
>> computerA can successfully ping routeA and routeB.
>> computerB can successfully ping routeA and routeB.
>> routeA can successfully ping computerA and routeB.
>> routeB can successfully ping computerB and routeA.
>> BUT computerA cannot ping computerB.
>> We have put a datacatchtool in routeA to catch data when we try to ping computerB in computerA, and we got the data with its destination ip : 192.168.12.13(IP of computerB) and sourceIp is 10.96.78.118(routeA),
>> Actually here destination ip should be 10.96.17.252(ip of routeB) in a correct data transport ,(we have set a correct strongswan envionment in another virtural network in ubuntu system,and it proved this case. )
>> but if we set 'ipsec down net-net',its sourceIp changed to ip of computerA.so the route has changed data source correctly , but do not change destination correctly.
>>
>> so in my opinion, maybe there is still something wrong with the route ,short of any config with the kernel(we build it in ltib ) or something else ,which make it uncorrectly work.
>> what may the reasons?
>>
>> this is our ipsec.conf==========
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> authby=secret
>> keyexchange=ikev2
>> mobike=no
>> conn net-net
>> left=10.96.17.252
>> leftsubnet=192.168.12.0/24
>> leftid=@10.96.17.252 <mailto:leftid=@10.96.17.252>
>> leftfirewall=yes
>> right=10.96.78.118
>> rightsubnet=192.168.11.0/24
>> rightid=@10.96.78.118 <mailto:rightid=@10.96.78.118>
>> auto=add
>>
>>
>>
>>
>> =================================================
>> sometimes we got log as this :
>> Dec 12 01:20:15 freescale authpriv.info ipsec_starter[11166]: Starting strongSwan 5.1.0 IPsec [starter]...
>> Dec 12 01:20:15 freescale authpriv.info ipsec_starter[11166]: removing pidfile '/var/run/charon.pid', process not running
>> Dec 12 01:20:16 freescale user.info kernel: Initializing XFRM netlink socket
>> Dec 12 01:20:16 freescale authpriv.info ipsec_starter[11166]: removing pidfile '/var/run/starter.charon.pid', process not running
>> Dec 12 01:20:16 freescale daemon.info charon: 00[DMN] opening file var/log/charon.log for logging failed: No such file or directory
>> is there any problem for charon.pid? and the log cannot correctly be written because file is not exist?
>> and is there any way we can get a log in details show how it deal with the data we want to send out?
>>
>>
>> best regards
>> xuxl
>>
>>
>>
>>
>>
>>
>>
>> At 2013-08-28 17:46:00,"Noel Kuntze" <noel@familie-kuntze.de <mailto:noel@familie-kuntze.de>> wrote:
>> Hello xuxl,
>>
>> The last message wasn't properly signed. My mail client wraps the lines
>> after signing it, so it breaks the signature. I am sorry for this.
>> This message is prerly signed now.
>>
>> It might be, that ip_forwarding is not enabled.
>> To enable it temporarily, use "sysctl -w net.ipv4.ip_forward=1"
>> on both boxes.
>> If makes the kernel forward packets from one network interface to another.
>>
>> Another possible problem could be, that the computers on the remote
>> network don't have a route to your local network (neither themselves,
>> nor their default router) ,
>> so they can't send packets to your local network.
>> This can be solved on three ways:
>>
>> Either install a route to the respective foreign networks on all the PCs
>> on the network or install a route to the respective foreign network
>> on the default routers of the PCs on the network.
>>
>> To get a list of supported ciphers, use "ipsec listalgs".
>> It will list cipher-hmac-modp pairs.
>> The names that are displayed there can not be used in your ipsec.conf,
>> as the name formating in ipsec.conf is another one.
>> If your version of strongSwan is compiled with
>> the "aes" or "des" modules and those are loaded,
>> strongSwan should be capable of using those encription algorithms.
>>
>> As far as I know, each crypto module of strongSwan implements
>> the cipher in userland, so it is completely Kernel independent.
>>
>> There is, however, the "af-alg" module, that uses the Kernel API to
>> provide more ciphers to strongSwan to choose from and hence the
>> ciphers it provides, are Kernel dependant.
>>
>> It might be very useful to make strongSwan log to a file or syslog.
>> The following example will make strongSwan log to syslog
>> with the "daemon" facility, packet encoding set to no logging (-1),
>> config,
>> low-level en- and decoding set to generic control flow with errors (1)
>> and IKE network communication, as well as IKE_SA to basic auditing log
>> (0).
>> It also makes it log to a file with mostly raw dumps in hexadecimal form
>> (3).
>> You can take a look at the manpage for
>> strongswan.conf to see all the possible settings.
>>
>> Example:
>> charon {
>> syslog {
>> daemon {
>> enc=-1
>> cfg=1
>> esn=1
>> net=0
>> ike=0
>> }
>> }
>> filelog {
>> /var/log/charon.log {
>> default = 3
>> enc=2
>> cfg=3
>> asn=3
>> append=no
>> ike_name=no
>> }
>> }
>> }
>>
>> See the manpage for strongswan.conf for all the options.
>> With cfg set to 2, you can see the proposals of the two peers.
>>
>> Regards,
>> Noel Kuntze
>>
>>
>>
>>
>> -------- Original Message --------
>> Subject: Re:Re: [strongSwan] unable to add SAD entry with SPI
>> Date: Wed, 28 Aug 2013 16:59:37 +0800 (CST)
>> From: lily <xuxiaoli86@126.com <mailto:xuxiaoli86@126.com>>
>> To: Noel Kuntze <noel@familie-kuntze.de <mailto:noel@familie-kuntze.de>>, users@lists.strongswan.org <mailto:users@lists.strongswan.org>
>>
>>
>>
>>
>> Hi, Noel
>>
>> Thank you for all guides in detail very much.
>> At last, we found if set CONFIG_CRYPTO_NULL y, and set 'esp=null-sha1! '
>> in ipsec.conf file ,we can successfully establish the connection between
>> two routes.
>> but computers in subnets still can not ping the other side.
>> Two routes can ping each other very well. however, it can not ping
>> computers in other side too.
>> did you have some advice for this case?
>> is there still short of modules in kernel even it can establish
>> successfully ? or just some mistakes with config?
>> best regards and thank you for any help!
>> xuxl
>>
>>
>> At 2013-08-27 10:30:40,"Noel Kuntze" <noel@familie-kuntze.de <mailto:noel@familie-kuntze.de>> wrote:
>> > It seems my mail client mangled the message after it was signed by
>> > pgp. I'm sorry. I'll send one with a valid signature:
>>
>> > Hello,
>>
>> > To compile with "libipsec", you need to add "--enable-libipsec" to
>> > the arguments you give ./configure. It might end up looking like
>> > this: (This is taken from a script I wrote to build and package
>> > strongSwan on Arch Linux.)
>> >> ./configure --prefix=/usr --sbindir=/usr/bin --sysconfdir=/etc
>> >> --libexecdir=/usr/lib \ --with-ipsecdir=/usr/lib/strongswan
>> >> --enable-sqlite \ --enable-openssl --enable-curl --enable-sql
>> >> --enable-attr-sql \ --enable-farp --enable-dhcp --enable-eap-sim
>> >> --enable-eap-sim-file \ --enable-eap-simaka-pseudonym \
>> >> --enable-eap-simaka-reauth --enable-eap-identity --enable-eap-md5
>> >> \ --enable-eap-gtc --enable-eap-aka --enable-eap-aka-3gpp2 \
>> >> --enable-eap-mschapv2 --enable-eap-radius --enable-xauth-eap \
>> >> --enable-ha --disable-mysql --disable-ldap --enable-libipsec
>> > After configuring, just run "make" to compile.
>>
>> > When you installed strongSwan, you can load "libipsec" with the
>> > "charon.load" statement. This will look like this:
>> >> charon { load=charon test-vectors curl sqlite random nonce x509
>> >> revocation \ constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
>> >> dnskey sshkey pem \ openssl af-alg gmp xcbc cmac hmac fips-pfr
>> >> ctr ccm gcm attr \ kernel-netlink socket-default >farp stroke
>> >> updown \ eap-identity eap-gtc eap-mschapv2 eap-radius
>> >> xauth-generic \ xauth-eap dhcp unity }
>>
>> > All the modules that are to be loaded need to be in the same line
>> > as the "load" statement! You also need to make sure to include all
>> > the modules you need in the "load" statement, as it will disable
>> > automatic loading.
>>
>> > Doing this will give you a warning as soon as you start
>> > strongSwan. To disable this, you need to set "starter.load_warning"
>> > to "no":
>> >> starter { load_warning = no }
>>
>> > Regards, Noel Kuntze
>>
>> > On 27.08.2013 04:12, ÐìóãÀò wrote:
>>
>> >> Hi, Noel
>>
>> >> Thanks for your reply. Would you pls explain the detail of how to
>> >> compile with libipsec and loading it with the "load" statement in
>> >> strongswan.conf?
>>
>> >> Sorry , I am a newbie to strongswan~~
>>
>> >> Br,
>>
>> >> At 2013-08-26 18:52:55,"Noel Kuntze" <noel@familie-kuntze.de <mailto:noel@familie-kuntze.de>>
>> >> wrote:
>> >>>
>> >> Hello xuxl,
>>
>> >> I've seen this behavious on systems virtualized with OpenVZ. On
>> >> such systems, it is not possible to insert xfrm policies into the
>> >> kernel or use netlink's functionality. The solution to this
>> >> problem is compiling with libipsec and loading it with the
>> >> "load" statement in strongswan.conf.
>>
>> >> Regards, Noel Kuntze
>>
>> >> On 26.08.2013 12:48, ??? wrote:
>>
>> >>> Dec 12 01:25:05 freescale daemon.info charon: 01[KNL] received
>> >>> netlink
>> >> error: Function not implemented (38)
>>
>> >>>
>>
>>
>>
>>
>>
>>
>>
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v2.0.21 (GNU/Linux)
>Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
>iQIcBAEBCAAGBQJSHtrxAAoJEDg5KY9j7GZYoGUP/30658RU0nPN/xsVk6dYpvgA
>IhS7EKMPStJWYwpkL/BKaHlVT+cpZERRVSNZ83QNb4zcq6528R4v500nTNOM+42S
>5v4vQEBa92bdV9zKaVKfKk9Eo9VHjv62KXO6JrnLJrr2BaQIlDULc1GMtIgi8oFL
>YrcecyFanToRZLI5L1xee+EWCwviBZikX75+crpRfZFtLWGwm45VPy9trUCKbEUs
>dqRxYsrnXjOK71yJFoRa/HbRcNVW8w6LL3R5mZoBEivRYAphLvKxU3nqyrgRPotx
>gYYMdNrksv68tkS3FawsXTvEt7BwRGwa5+hhEuqZCbpvXJecFNUeBiLdD6cmPU1A
>vPvek+5GQ0g8rAiPICcgtw2bZi9M+bbOLNdVejBqEdyFvljE6PLsHq4imt3CzCMD
>s/xNtRL6GWu6SPz+QXo4BgOWqAxxB2FBr1fys+we6I+vhww3SSbZqwfGjIhFD1yx
>c/4pv6yP7RjJXpy+gWRwGwOosecWeJw+p0XGrJKvAWi9pqDTtRKJjUc+qN5QrZJq
>Fbc611qW6t+4TLD/NuT0qfHzg/LZBXykqMof2AFjaTtaxjyyQOnCL2NhDghqwQEM
>CB2nhJcKy/01DM5OM8uNS5/BokRbtjSqhT00U5oqPGHlqXlcvf6LH+lctvJ46+EG
>eFx6+kmWPHzxJsufvwq0
>=tEnK
>-----END PGP SIGNATURE-----
>
</PRE></div><br><br><span title="neteasefooter"><span id="netease_mail_footer"></span></span>