<div dir="ltr"><div><div><div>Hi,<br><br></div>I'm using libipsec to do user-space encryption/decryption. The strongSwan version is 5.1.1.<br></div><br></div><div>'ipsec up home' establishes the tunnel properly with the secgw. The secgw assigns a virtual IP.<br></div><div>Later, when I start pinging a valid IP which is behind the secgw, like below,<br>ping &lt;ip-behind-secgw&gt; -I &lt;virtual ip&gt;<br><br></div><div>I see that the packets are going in plain text. I mean the packets are not encrypted. <br>But the incoming packets are in ESP, which I guess are reaching the application properly after decryption.<br><br>Configuration details for the strongSwan client requesting the virtual IP are given below.<br>Please let me know if I am missing something.<br><br></div><div><br><b># ipsec.conf - strongSwan IPsec configuration file<br>config setup<br>        charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 1, dmn 1"<br><br>conn home<br>     left=10.x.x.x<br>     leftid=<a href="mailto:abc@xyz.com">abc@xyz.com</a><br>     leftauth=psk<br>     rightauth=psk<br>     leftsourceip=%config<br>     leftfirewall=yes<br>     ike=3des-sha1-prfsha1-modp1024!<br>     esp=aes128-sha1!<br>     right=10.x.x.x<br>     rightsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a><br>     rightid=%any<br>     auto=add<br>     mobike=no<br>     dpddelay=200s<br>     dpdaction=clear<br>     rekey=yes<br>     ikelifetime=86400s<br>     lifetime=36000s<br>     reauth=no<br>     rekeymargin=3m<br>     keyingtries=1<br>     keyexchange=ikev2<br><br># cat /etc/strongswan.conf<br># strongswan.conf - strongSwan configuration file<br><br>charon {<br><br>        # number of worker threads in charon<br>        threads = 16<br>        close_ike_on_child_failure = yes<br>        keep_alive = 20s<br>        # send strongswan vendor ID?<br>        # send_vendor_id = yes<br><br>        plugins {<br><br>                sql {<br>                        # loglevel to log into sql database<br>                        loglevel = -1<br>    
                    # URI to the database<br>                        # database = sqlite:///path/to/file.db<br>                        # database = mysql://user:password@localhost/database<br>                }<br>                resolve{<br>                       file = /etc/resolvtunnel.conf<br>                }<br>                kernel-netlink {<br>                      fwmark = !0x42<br>                }<br>                socket-default {<br>                      fwmark = 0x42<br>                }<br>                kernel-libipsec {<br>                      allow_peer_ts = yes<br>                }<br>        }<br>}<br>pluto {<br></b>}<br></div><b></b><div><b>libstrongswan {<br>        #  set to no, the DH exponent size is optimized<br>        #  dh_exponent_ansi_x9_42 = no<br>}</b><br><br>I see that the kernel-libipsec is loaded.<br><br># ipsec listall | more<br><br>List of registered IKE algorithms:<br><br>  encryption: DES_CBC[des] 3DES_CBC[des] AES_CBC[aes] DES_ECB[des] TWOFISH_CBC[af-alg]<br>  integrity:  HMAC_MD5_96[hmac] HMAC_SHA1_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA1_160[hmac] AES_CMAC_96[cmac]<br>              HMAC_SHA2_256_128[hmac] HMAC_SHA2_384_192[hmac] HMAC_SHA2_512_256[hmac] HMAC_SHA1_128[hmac]<br>              HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_512[hmac]<br>  aead:<br>  hasher:     HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2]<br>  prf:        PRF_HMAC_MD5[hmac] PRF_HMAC_SHA1[hmac] PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac]<br>              PRF_HMAC_SHA2_512[hmac] PRF_AES128_CMAC[cmac] PRF_FIPS_SHA1_160[fips-prf] PRF_KEYED_SHA1[sha1]<br>  dh-group:   MODP_768[gmp] MODP_1024[gmp] MODP_1536[gmp] MODP_2048[gmp] MODP_3072[gmp] MODP_4096[gmp] MODP_6144[gmp]<br>              MODP_8192[gmp] MODP_1024_160[gmp] MODP_2048_224[gmp] MODP_2048_256[gmp] MODP_CUSTOM[gmp]<br>  random-gen: RNG_STRONG[random] RNG_TRUE[random]<br>  nonce-gen:  [nonce]<br><br>List of loaded 
Plugins:<br><br>charon:<br>    CUSTOM:libcharon<br>        NONCE_GEN<br>        CUSTOM:libcharon-receiver<br>      <b>  CUSTOM:kernel-ipsec<br>        CUSTOM:kernel-net</b><br>    CUSTOM:libcharon-receiver<br>        HASHER:HASH_SHA1<br>        RNG:RNG_STRONG<br>        CUSTOM:socket<br><br>........<br>.........<br><b>kernel-libipsec:<br>    CUSTOM:kernel-ipsec<br>    CUSTOM:kernel-libipsec-router<br>        CUSTOM:libcharon-receiver<br>kernel-netlink:<br>    CUSTOM:kernel-ipsec<br>    CUSTOM:kernel-net<br><br></b></div><div><b># ipsec statusall<br>Status of IKE charon daemon (strongSwan 5.1.1, Linux 3.10.49-perf, armv7l):<br>  uptime: 16 hours, since Apr 22 10:36:49 2015<br>  malloc: sbrk 266240, mmap 0, used 121200, free 145040<br>  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 23<br>  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation cons                                                                                        l-libipsec kernel-netlink resolve socket-default stroke updown eap-identity eap-<br>Listening IP addresses:<br></b></div><div><b>  x.x.x.x<br></b></div><div><b>  192.168.16.1<br>  192.168.17.1<br>  192.168.18.1<br>  192.168.19.1<br>  192.168.20.1<br>  192.168.21.1<br>  192.168.22.1<br>Connections:<br>        home:  10.x.x.x...10.x.x.x  IKEv2, dpddelay=200s<br>        home:   local:  [<a href="mailto:abc@xyz.com">abc@xyz.com</a>] uses pre-shared key authentic<br>        home:   remote: uses pre-shared key authentication<br>        home:   child:  dynamic === <a href="http://0.0.0.0/0">0.0.0.0/0</a> TUNNEL, dpdaction=clear<br>Security Associations (1 up, 0 connecting):<br>        home[1]: ESTABLISHED 16 hours ago, 10.x.x.x[<a href="mailto:abc@xyz.com">abc@xyz.com</a><br>        home[1]: IKEv2 SPIs: 3bd67a82f229a91e_i* aeabbe99f737e72e_r, rekeying in<br>        home[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>        home{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: 
c75311d3_i cb2a38b5_o<br>        home{1}:  AES_CBC_128/HMAC_SHA1_96, 134677 bytes_i (1720 pkts, 1s ago),<br>        home{1}:  x.x.x.1/32 === <a href="http://0.0.0.0/0">0.0.0.0/0</a><br><br># cat /proc/sys/net/ipv4/conf/all/rp_filter<br>2<br><br></b></div><div>Any help in this regard is appreciated.<br></div><div>Regards,<br></div><div>Sriram<br></div><div><br></div></div>
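The symptom described above (replies arrive as ESP, outbound pings leave in the clear) can be confirmed from the CHILD_SA traffic counters alone: if `bytes_i` keeps growing while `bytes_o` stays at zero across a burst of pings, the outbound packets never entered the SA, which with kernel-libipsec means they were not routed into the TUN device the plugin creates (`ipsec0` by default) and so were sent unencrypted on the physical interface. The following is an added example, not code from the poster or from the strongSwan project. It parses the counter line of `ipsec statusall` and compares two snapshots taken before and after the ping burst. The `bytes_i` line in the post is cut off after `(1720 pkts, 1s ago),`; the sample snapshots below are constructed and assume the standard strongSwan 5.x continuation `<n> bytes_o [(<n> pkts, <t>s ago)]`, with the `(... pkts ...)` part present only when that direction has seen traffic.

```python
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Counter line printed per CHILD_SA by `ipsec statusall` in strongSwan 5.x, e.g.
#   home{1}:  AES_CBC_128/HMAC_SHA1_96, 134677 bytes_i (1720 pkts, 1s ago), 0 bytes_o, rekeying in 9 hours
# The "(N pkts, Ts ago)" group is only present when that direction has seen traffic.
_COUNTER_RE = re.compile(
    r"(?P<name>[\w-]+)\{(?P<id>\d+)\}:\s+\S+,\s+"
    r"(?P<bytes_i>\d+) bytes_i(?: \((?P<pkts_i>\d+) pkts?(?:, \d+s ago)?\))?,\s+"
    r"(?P<bytes_o>\d+) bytes_o(?: \((?P<pkts_o>\d+) pkts?(?:, \d+s ago)?\))?"
)


@dataclass(frozen=True)
class SaCounters:
    bytes_in: int
    pkts_in: int
    bytes_out: int
    pkts_out: int


def parse_statusall(text: str) -> Dict[Tuple[str, int], SaCounters]:
    """Map (conn name, CHILD_SA id) -> counters for every counter line in the output."""
    found = {}
    for line in text.splitlines():
        m = _COUNTER_RE.search(line)
        if not m:
            continue
        found[(m.group("name"), int(m.group("id")))] = SaCounters(
            bytes_in=int(m.group("bytes_i")),
            pkts_in=int(m.group("pkts_i") or 0),
            bytes_out=int(m.group("bytes_o")),
            pkts_out=int(m.group("pkts_o") or 0),
        )
    return found


def diagnose(before: SaCounters, after: SaCounters) -> str:
    """Classify what a burst of outbound traffic between two snapshots did to the SA."""
    d_in = after.pkts_in - before.pkts_in
    d_out = after.pkts_out - before.pkts_out
    if d_out > 0 and d_in > 0:
        return "ok: both directions traverse the CHILD_SA"
    if d_out == 0 and d_in > 0:
        return ("outbound bypasses the SA: replies arrive via ESP but no outbound packet "
                "was counted; with kernel-libipsec the packets were not routed into the "
                "TUN device and left in cleartext")
    if d_out > 0 and d_in == 0:
        return "outbound encrypted but no replies: check the peer side or its return route"
    return "no traffic counted in either direction: wrong source address or route?"


# Constructed snapshots modelled on the post's output (not real captures).
# The "0 bytes_o" continuation is an assumption; the post's line is truncated there.
STATUS_BEFORE = """\
Security Associations (1 up, 0 connecting):
        home[1]: ESTABLISHED 16 hours ago, 10.x.x.x[abc@xyz.com]...10.x.x.x[10.x.x.x]
        home{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c75311d3_i cb2a38b5_o
        home{1}:  AES_CBC_128/HMAC_SHA1_96, 134677 bytes_i (1720 pkts, 1s ago), 0 bytes_o, rekeying in 9 hours
        home{1}:  x.x.x.1/32 === 0.0.0.0/0
"""

# Same SA after `ping -c 10 <ip-behind-secgw> -I <virtual ip>`: ten more ESP replies, still nothing out.
STATUS_AFTER = STATUS_BEFORE.replace(
    "134677 bytes_i (1720 pkts, 1s ago)", "135517 bytes_i (1730 pkts, 0s ago)"
)


def check_home_sa() -> str:
    """Diagnose the 'home' CHILD_SA from the two constructed snapshots."""
    before = parse_statusall(STATUS_BEFORE)[("home", 1)]
    after = parse_statusall(STATUS_AFTER)[("home", 1)]
    return diagnose(before, after)


if __name__ == "__main__":
    print(check_home_sa())
```

In practice, run `ipsec statusall` once, send a fixed number of pings from the virtual IP, run it again, and feed both outputs to `parse_statusall`; a tcpdump on the physical interface showing ICMP (rather than ESP or UDP/4500) for the same burst gives the same verdict from the wire side.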