<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'><br><div><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">I made a few changes after reading through the documents, though something is
still off. My goal is to have my BlackBerry client device (24.114.94.100)
connect to the server (99.234.220.200, LAN IP 192.168.16.50) via public key
authentication, and to have access to the LAN (192.168.16.0/24) behind the
server. I can connect to my server (now running strongSwan 5.0.4), though
I cannot ping between the host and client, or reach the subnet behind the
host. There are no errors when connecting, and I am issued a virtual IP
(10.10.10.1):</span><div dir="ltr">
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";"> </span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[IKE] peer requested virtual IP %any</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] assigning new lease to 'C=CA, O=none, CN=z10'</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[IKE] assigning virtual IP 10.10.10.1 to peer 'C=CA, O=none, CN=z10'</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] looking for a child config for 0.0.0.0/0 === 0.0.0.0/0</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] proposing traffic selectors for us:</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] 192.168.16.0/24</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] proposing traffic selectors for other:</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] 10.10.10.1/32</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] candidate "z10" with prio 1+1</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] found matching child config "z10" with prio 2</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] selecting proposal:</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] proposal matches</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] configured proposals:
ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] selecting traffic selectors for us:</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] config: 192.168.16.0/24, received: 0.0.0.0/0 => match:
192.168.16.0/24</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] selecting traffic selectors for other:</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[CFG] config: 10.10.10.1/32, received: 0.0.0.0/0 => match:
10.10.10.1/32</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[IKE] CHILD_SA z10{1} established with SPIs cb969207_i 8607aedc_o and TS
192.168.16.0/24 === 10.10.10.1/32</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 unknown
authpriv.info syslog: 14[IKE] CHILD_SA z10{1} established with SPIs cb969207_i
8607aedc_o and TS 192.168.16.0/24 === 10.10.10.1/32</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 unknown
local0.notice vpn: + C=CA, O=none, CN=z10 10.10.10.1/32 == 24.114.94.100 --
99.234.220.200 == 192.168.16.0/24</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) N(ESP_TFC_PAD_N)
SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Sep 15 15:59:19 daemon.info syslog:
14[NET] sending packet: from 99.234.220.200[4500] to 24.114.94.100[22744] (1360
bytes)</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";"><br>
ipsec statusall:<br style="">
<br style="">
</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Virtual IP pools
(size/online/offline):</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";"> 10.10.10.0/24: 254/1/0</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Listening IP addresses:</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";"> 99.234.220.200</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";"> 192.168.16.50</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Connections:</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">
z10: %any...%any IKEv2</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">
z10: local: [C=CA, O=none, CN=server] uses public key
authentication</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">
z10: cert: "C=CA, O=none, CN=server"</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">
z10: remote: [C=CA, O=none, CN=z10] uses public key authentication</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">
z10: child: 192.168.16.0/24 === dynamic TUNNEL</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">Security Associations (1 up, 0
connecting):</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">
z10[1]: ESTABLISHED 55 seconds ago, 99.234.220.200[C=CA, O=none,
CN=server]...24.114.94.100[C=CA, O=none, CN=z10]</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">
z10[1]: IKEv2 SPIs: a997fb46c85f4f05_i 3c5ff9b38c53e941_r*, public key
reauthentication in 54 minutes</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">
z10[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">
z10{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cf338bc9_i 9ac052ec_o</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">
z10{1}: AES_CBC_256/HMAC_SHA2_256_128, 438 bytes_i, 0 bytes_o, rekeying
in 15 minutes</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";">
z10{1}: 192.168.16.0/24 === 10.10.10.1/32</span></p>
<p class="ecxMsoNormal" style="line-height:normal;"><span style="font-size:12.0pt;font-family:"Times New Roman","serif";"><br>
<br>
new ipsec.conf on server:<br>
<br>
config setup<br>
strictcrlpolicy=no<br>
charondebug="cfg 4"<br>
uniqueids=yes<br>
<br>
conn %default<br>
ikelifetime=60m<br>
keylife=20m<br>
rekeymargin=3m<br>
keyingtries=1<br>
keyexchange=ikev2<br>
ike=aes256-sha256-sha256-modp2048!<br>
esp=aes256-sha256-modp2048!<br>
left=%defaultroute<br>
leftauth=pubkey<br>
leftcert=serverCert.pem<br>
leftid="C=CA, O=none,
CN=server"<br>
leftfirewall=yes<br>
leftsubnet=<b>(I have tried both
0.0.0.0/0 and 192.168.16.0/24)</b><br>
<br>
conn z10<br>
right=%any<br>
rightauth=pubkey<br>
rightsourceip=10.10.10.0/24<br>
rightdns=192.168.16.50<br>
rightid="C=CA, O=none,
CN=z10"<br>
auto=add<br>
<br>
<br>
I do not see the issue. There are new iptables rules being added, so I
know leftfirewall=yes is working on the server:<br>
<br>
Chain FORWARD (policy DROP)<br>
target prot opt source destination<br>
ACCEPT all -- 10.10.10.1 192.168.16.0/24 policy match dir in pol ipsec reqid 1 proto ipv6-crypt<br>
ACCEPT all -- 192.168.16.0/24 10.10.10.1 policy match dir out pol ipsec reqid 1 proto ipv6-crypt<br>
<br>
<br>
I can see the virtual IP address and DNS server address come up on my
BlackBerry; I am not certain what else is missing at this point.</span></p>
<p class="ecxMsoNormal"> </p>
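<p>The following triage script is an added example for this thread, not code from the original post or from the strongSwan project. It takes the CHILD_SA section of the <code>ipsec statusall</code> output and the iptables FORWARD rules quoted above (copied here as constructed sample input, re-flowed onto one line each with assumed column whitespace), checks that the <code>leftfirewall=yes</code> rules actually cover the negotiated traffic selectors in both directions, checks that the virtual-IP pool does not overlap the LAN, and flags the one asymmetry visible in the post: ESP bytes arriving (438 bytes_i) with nothing leaving (0 bytes_o), which points at forwarding or return routing on the gateway rather than at IKE.</p>

```python
"""Triage helper for a strongSwan road-warrior tunnel that is ESTABLISHED but
passes no traffic. Added example for this thread, not code from the original
post or from the strongSwan project."""
import ipaddress
import re

# Constructed from the post: the CHILD_SA section of `ipsec statusall`.
STATUSALL = """\
z10{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cf338bc9_i 9ac052ec_o
z10{1}:  AES_CBC_256/HMAC_SHA2_256_128, 438 bytes_i, 0 bytes_o, rekeying in 15 minutes
z10{1}:   192.168.16.0/24 === 10.10.10.1/32
"""

# Constructed from the post: rules added by leftfirewall=yes (`iptables -L FORWARD`).
FORWARD_RULES = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  10.10.10.1           192.168.16.0/24      policy match dir in pol ipsec reqid 1 proto ipv6-crypt
ACCEPT     all  --  192.168.16.0/24      10.10.10.1           policy match dir out pol ipsec reqid 1 proto ipv6-crypt
"""

TS_RE = re.compile(r"\{\d+\}:\s+(\S+)\s+===\s+(\S+)\s*$")
BYTES_RE = re.compile(r"(\d+) bytes_i, (\d+) bytes_o")
RULE_RE = re.compile(
    r"^ACCEPT\s+all\s+--\s+(\S+)\s+(\S+)\s+policy match dir (in|out) pol ipsec"
)


def parse_child_sa(text):
    """Return (local_ts, remote_ts, bytes_in, bytes_out) from CHILD_SA status lines."""
    local = remote = None
    bytes_in = bytes_out = 0
    for line in text.splitlines():
        ts = TS_RE.search(line)
        if ts:
            local = ipaddress.ip_network(ts.group(1))
            remote = ipaddress.ip_network(ts.group(2))
        counters = BYTES_RE.search(line)
        if counters:
            bytes_in, bytes_out = int(counters.group(1)), int(counters.group(2))
    return local, remote, bytes_in, bytes_out


def parse_forward_rules(text):
    """Return {(src, dst, direction)} for the ipsec-policy ACCEPT rules in FORWARD."""
    rules = set()
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            # A bare host address parses as a /32, so it compares equal to the TS form.
            rules.add((ipaddress.ip_network(m.group(1)),
                       ipaddress.ip_network(m.group(2)), m.group(3)))
    return rules


def diagnose(statusall, forward_rules):
    """Return a list of (code, explanation) findings; an empty list means nothing obvious."""
    local, remote, bytes_in, bytes_out = parse_child_sa(statusall)
    if local is None:
        return [("no_child_sa", "no CHILD_SA traffic selectors found; the tunnel is not installed")]
    rules = parse_forward_rules(forward_rules)
    findings = []
    if local.overlaps(remote):
        findings.append(("ts_overlap",
                         f"virtual IP {remote} lies inside leftsubnet {local}; use a pool outside the LAN"))
    if (remote, local, "in") not in rules:
        findings.append(("missing_forward_in",
                         f"no FORWARD rule accepting {remote} -> {local} (policy dir in)"))
    if (local, remote, "out") not in rules:
        findings.append(("missing_forward_out",
                         f"no FORWARD rule accepting {local} -> {remote} (policy dir out)"))
    if bytes_in > 0 and bytes_out == 0:
        findings.append(("no_return_traffic",
                         "ESP bytes_i > 0 but bytes_o == 0: the gateway decrypts the client's packets "
                         "but sends nothing back. Check net.ipv4.ip_forward=1, the INPUT chain for the "
                         f"gateway's own LAN address, and that LAN hosts route {remote} back via the "
                         "gateway (or SNAT the pool to the gateway's LAN address)."))
    return findings


if __name__ == "__main__":
    for code, why in diagnose(STATUSALL, FORWARD_RULES):
        print(f"[{code}] {why}")
```

<p>Run against the post's own output the script reports only <code>no_return_traffic</code>: the traffic selectors, the two <code>leftfirewall</code> rules and the pool/LAN separation all check out, so the next things to verify are IP forwarding on the gateway and the route (or SNAT) that lets 192.168.16.0/24 answer 10.10.10.0/24.</p>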
</div></div> </div></body>
</html>