<div dir="ltr">Hello,<div><br></div><div>Please let me add one more idea - have you allowed IPv4 routing (packet forwarding) in the kernel?</div><div>Enterprise Linux:<br></div><div><div>[centos@swan2 ~]$ cat /etc/sysctl.conf </div><div># Enable routing</div><div>net.ipv4.ip_forward=1<br></div><div># Do not send ICMP redirects; needed when the VPN node is not the default gateway of the subnet, e.g. in an AWS VPC environment</div><div>net.ipv4.conf.all.send_redirects=0</div><div>net.ipv4.conf.eth0.send_redirects=0</div><div>net.ipv4.conf.eth0.accept_redirects=0</div><div><br></div><div>BR,</div><div>Miroslav</div><br>On Thursday, April 30, 2015 at 12:18:54 AM UTC+2, Noel Kuntze wrote:<blockquote class="gmail_quote" style="margin: 0;margin-left: 0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;"><br>-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA256<p>Hello Florian,</p><p>Check your iptables rules to see whether forwarding is allowed.<br>Also, do not use ifconfig or route. Use iproute2 (ip address, ip link, ip route, ...).</p><p>Mit freundlichen Grüßen/Kind Regards,<br>Noel Kuntze</p><p>GPG Key ID: 0x63EC6658<br>Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658</p><p>On 29.04.2015 at 18:17, <a href="mailto:florian.rommel@datalounges.com" target="_blank" rel="nofollow" onmousedown="this.href='mailto:florian.rommel@datalounges.com';return true;" onclick="this.href='mailto:florian.rommel@datalounges.com';return true;">florian.rommel@datalounges.com</a> wrote:<br>> Hi all... I have a somewhat peculiar problem.<br>><br>> I have 2 Ubuntu machines, one VM in the cloud (OpenStack) and one at home<br>> (real machine).<br>><br>> I have strongSwan configured and running.. 
the tunnel gets established and<br>> shows all good to go as shown here:<br>><br>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-49-generic,<br>> x86_64):<br>>   uptime: 18 minutes, since Apr 29 18:46:30 2015<br>>   malloc: sbrk 2568192, mmap 0, used 357408, free 2210784<br>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,<br>> scheduled: 4<br>>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random<br>> nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl<br>> xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default<br>> stroke updown eap-identity eap-mschapv2 addrblock<br>> Listening IP addresses:<br>>   X.X.X.243<br>>   10.0.1.200<br>> Connections:<br>>           DL:  X.X.X.243...Y.Y.Y.23  IKEv1<br>>           DL:   local:  [X.X.X.243] uses pre-shared key authentication<br>>           DL:   remote: [10.1.0.15] uses pre-shared key authentication<br>>           DL:   child:  <a href="http://10.0.1.0/24" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2F10.0.1.0%2F24\46sa\75D\46sntz\0751\46usg\75AFQjCNF5eDsjS750KJ5INgJUT0vN0JyLuw';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2F10.0.1.0%2F24\46sa\75D\46sntz\0751\46usg\75AFQjCNF5eDsjS750KJ5INgJUT0vN0JyLuw';return true;">10.0.1.0/24</a> === <a href="http://10.1.0.0/24" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2F10.1.0.0%2F24\46sa\75D\46sntz\0751\46usg\75AFQjCNEaCS5nZtlL1CmACi_bRt9jXJN44Q';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2F10.1.0.0%2F24\46sa\75D\46sntz\0751\46usg\75AFQjCNEaCS5nZtlL1CmACi_bRt9jXJN44Q';return true;">10.1.0.0/24</a> TUNNEL<br>> Routed Connections:<br>>           DL{1}:  ROUTED, TUNNEL<br>>           DL{1}:   <a href="http://10.0.1.0/24" target="_blank" rel="nofollow" 
onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2F10.0.1.0%2F24\46sa\75D\46sntz\0751\46usg\75AFQjCNF5eDsjS750KJ5INgJUT0vN0JyLuw';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2F10.0.1.0%2F24\46sa\75D\46sntz\0751\46usg\75AFQjCNF5eDsjS750KJ5INgJUT0vN0JyLuw';return true;">10.0.1.0/24</a> === <a href="http://10.1.0.0/24" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2F10.1.0.0%2F24\46sa\75D\46sntz\0751\46usg\75AFQjCNEaCS5nZtlL1CmACi_bRt9jXJN44Q';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2F10.1.0.0%2F24\46sa\75D\46sntz\0751\46usg\75AFQjCNEaCS5nZtlL1CmACi_bRt9jXJN44Q';return true;">10.1.0.0/24</a><br>> Security Associations (1 up, 0 connecting):<br>>           DL[2]: ESTABLISHED 4 minutes ago,<br>> X.X.X.243[X.X.X.243]...Y.Y.Y.<wbr>23[10.1.0.15]<br>>           DL[2]: IKEv1 SPIs: d72df1afe7128b38_i e7b692b6c6ecc9d6_r*,<br>> pre-shared key reauthentication in 7 hours<br>>           DL[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_<wbr>HMAC_SHA1/MODP_1024<br>>           DL{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c29e6c6b_i c7ad645a_o<br>>           DL{1}:  3DES_CBC/HMAC_MD5_96, 7286 bytes_i (9 pkts, 260s ago),<br>> 2696 bytes_o (9 pkts, 260s ago), rekeying in 50 minutes<br>>           DL{1}:   <a href="http://10.0.1.0/24" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2F10.0.1.0%2F24\46sa\75D\46sntz\0751\46usg\75AFQjCNF5eDsjS750KJ5INgJUT0vN0JyLuw';return true;" onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2F10.0.1.0%2F24\46sa\75D\46sntz\0751\46usg\75AFQjCNF5eDsjS750KJ5INgJUT0vN0JyLuw';return true;">10.0.1.0/24</a> === <a href="http://10.1.0.0/24" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\75http%3A%2F%2F10.1.0.0%2F24\46sa\75D\46sntz\0751\46usg\75AFQjCNEaCS5nZtlL1CmACi_bRt9jXJN44Q';return true;" 
onclick="this.href='http://www.google.com/url?q\75http%3A%2F%2F10.1.0.0%2F24\46sa\75D\46sntz\0751\46usg\75AFQjCNEaCS5nZtlL1CmACi_bRt9jXJN44Q';return true;">10.1.0.0/24</a><br>><br>> Now, the interesting part is that on the gateway on the RIGHT side<br>> (10.1.0.15), I can ping ANY machine on the LEFT side (10.0.1.0/24) with no<br>> problem.<br>> BUT from any machine on the LEFT SIDE I cannot ping anything on the RIGHT<br>> SIDE, and from any OTHER machine on the RIGHT side, besides the gateway, I<br>> cannot ping the LEFT side. This seems VERY VERY confusing, and looks to<br>> be multi-part, but I am stuck.<br>><br>> TCPDUMP on the LEFT side with destination 10.1.0.18 on the right side:<br>>  sudo tcpdump -v -i em1 -n dst net 10.1.0.0/24<br>> tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535<br>> bytes<br>> 19:09:45.556977 IP (tos 0x0, ttl 63, id 10792, offset 0, flags [none],<br>> proto ICMP (1), length 84)<br>>     X.X.X.243 > 10.1.0.18: ICMP echo request, id 13637, seq 0, length 64<br>> 19:09:46.535900 IP (tos 0x0, ttl 63, id 61548, offset 0, flags [none],<br>> proto ICMP (1), length 84)<br>>     X.X.X.243 > 10.1.0.18: ICMP echo request, id 13637, seq 1, length 64<br>> 19:09:47.536998 IP (tos 0x0, ttl 63, id 11984, offset 0, flags [none],<br>> proto ICMP (1), length 84)<br>>     X.X.X.243 > 10.1.0.18: ICMP echo request, id 13637, seq 2, length 64<br>><br>> On the right side nothing ever shows up.<br>><br>> There are IPTables rules on the LEFT side that NAT, since it's also a<br>> gateway, but... should that matter? What else can I set and where?? Here is<br>> the ipsec.conf file, still from the LEFT side (same on the RIGHT, just<br>> reversed)<br>><br>> config setup<br>><br>> conn %default<br>>     ikelifetime=8h<br>>     keylife=1h<br>>     rekeymargin=3m<br>>     keyingtries=%forever<br>>     keyexchange=ikev1<br>>     authby=psk<br>>     ike=3des-sha1-modp1024<br>>     esp=3des-md5-modp1536<br>><br>> conn DL<br>>     auto=route<br>>     left=X.X.X.243<br>>     leftsubnet=10.0.1.0/24<br>>     leftid=X.X.X.243<br>>     leftfirewall=yes<br>>     right=Y.Y.Y.23<br>>     rightsubnet=10.1.0.0/24<br>>     rightid=10.1.0.15<br>>     keyexchange=ikev1<br>>     ike=3des-sha1-modp1024<br>>     esp=3des-md5-modp1536<br>><br>> Routing table on the LEFT side:<br>><br>> Kernel IP routing table<br>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface<br>> default         noname.gateway 0.0.0.0         UG    0      0        0 em1<br>> 10.0.1.0        *               255.255.255.0   U     0      0        0 em2<br>> 10.1.0.0        10.0.1.200      255.255.255.0   UG    0      0        0 em2<br>> X.X.X.0    *               255.255.248.0   U     0      0        0 em1<br>><br>> ANY help would be greatly appreciated.. 
if it's something to do with IPTABLES?<br>> or routing??<br>><br>> Thanks already..<br>><br>> _______________________________________________<br>> Users mailing list<br>> <a href="mailto:Users@lists.strongswan.org" target="_blank" rel="nofollow" onmousedown="this.href='mailto:Users@lists.strongswan.org';return true;" onclick="this.href='mailto:Users@lists.strongswan.org';return true;">Users@lists.strongswan.org</a><br>> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank" rel="nofollow" onmousedown="this.href='https://www.google.com/url?q\75https%3A%2F%2Flists.strongswan.org%2Fmailman%2Flistinfo%2Fusers\46sa\75D\46sntz\0751\46usg\75AFQjCNHpb2EWexg7wtvkBUUWojs4DgFnHQ';return true;" onclick="this.href='https://www.google.com/url?q\75https%3A%2F%2Flists.strongswan.org%2Fmailman%2Flistinfo%2Fusers\46sa\75D\46sntz\0751\46usg\75AFQjCNHpb2EWexg7wtvkBUUWojs4DgFnHQ';return true;">https://lists.strongswan.org/mailman/listinfo/users</a></p><p>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v2</p><p>iQIcBAEBCAAGBQJVQVjGAAoJEDg5KY9j7GZYivEP/21jIhIEODrshFzi4LoMlWMm<br>ZUtwQ5OxqDwx4U/MQI8CNS3G7FxFrQ0jmkCo6esxXPecf1NfACoSloYvn1kcIoPu<br>rNei0OYf39na1WuFzPwAzf1+Z1gJi3UxTOdRCDXwCxDRvoL+i/skTi66sz7dFLeh<br>b+04mI7npn93vgfUkEh0yKp7HFCWyBgx61OLhNmg2RHsBj171Ly24mSelzhr0Vn3<br>5YbmJ09Fgo7LSL3BITBb/w9mfZwbTWiSJURNXgj5hkduJs7g1Y1zEiGW73xC1Enz<br>OBPBw3qnligqpHWlBYgmCJeFpibFaO+4u77/4CVYB+SrhZORMGupaRpX5m9WgmsH<br>Nawk48bXfFbhnZOh3n53GLaIUR4DiZdCSbyaKf+ksVmPXvm1iYJFbyalCaSk7NUe<br>/mfwxcAI76dagaFRisx4qADE0afxskOZCvXIzcsKr7c2u3QhmLPCoODiuB9hUoFZ<br>QN469c6qfszCqh6u1HsNEyApoxTuNcTkmht4KYb6DavQ4dgrD3P8ac4XEz/bMBrg<br>VtGA+GbHXi++7mOGtjKhGw4nqEyoaj+5v3SwTmtv2EDqru+8u+km8i/KY/Wszr7d<br>tXhFsqnQyqg3yPT7zIqqYPy83J9Pb+YJmNTFzG0l4E6CroEn5m9FOeQjPnCN4zeL<br>COaBLt+VpsJ9656nbyoe<br>=VD4I<br>-----END PGP SIGNATURE-----</p></blockquote></div></div>
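<p>Editor's note, with an added example that is not part of the thread above. The two replies name the two usual prerequisites (net.ipv4.ip_forward and the FORWARD chain), and leftfirewall=yes already makes strongSwan's updown script insert FORWARD rules for the tunnel subnets; it does not touch the nat table. Florian's own capture points at that table: the echo requests seen on em1 already carry the gateway's public address X.X.X.243 as source and leave in the clear, which is consistent with a MASQUERADE rule in POSTROUTING rewriting the source before the packet is encapsulated; after SNAT the kernel repeats the IPsec policy lookup with the new source, which no longer matches 10.0.1.0/24, so the packet is routed out as plain IP. strongSwan's documentation addresses this by excluding tunnel traffic from NAT, either with the policy match (<code>-m policy --dir out --pol ipsec -j ACCEPT</code>) or by negating the peer subnet on the MASQUERADE rule. The script below is the editor's, runs offline on constructed inputs (the sysctl lines and the three iptables-save dumps are made up here; the subnets are taken from Florian's ipsec.conf), and shows a broken gateway beside the two corrected forms.</p>

```shell
#!/bin/sh
# Added example (editor's, not from the thread): offline audit of the two
# things the replies point at. Subnets come from Florian's ipsec.conf; the
# sysctl text and the iptables-save dumps below are constructed.
LEFTSUBNET="10.0.1.0/24"
RIGHTSUBNET="10.1.0.0/24"

# Constructed sysctl output as Miroslav's check would see it on a box that
# never enabled forwarding.
SAMPLE_SYSCTL='net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_forward = 0'

# Constructed dump of a NAT gateway with no IPsec exclusion: everything
# leaving em1 is masqueraded, tunnel traffic included.
BROKEN_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o em1 -j MASQUERADE
COMMIT'

# Same gateway with the exclusion strongSwan documents, inserted ahead of
# MASQUERADE: the policy match or the explicit subnet pair, either works.
FIXED_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.1.0/24 -d 10.1.0.0/24 -j ACCEPT
-A POSTROUTING -o em1 -j MASQUERADE
COMMIT'

# Alternative fix: negate the peer subnet on the MASQUERADE rule itself.
NEGATED_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.1.0/24 ! -d 10.1.0.0/24 -o em1 -j MASQUERADE
COMMIT'

# ip_forward_state TEXT: value of net.ipv4.ip_forward from "sysctl" or
# sysctl.conf style lines ("key = value" or "key=value"), or "unset".
ip_forward_state() {
    printf '%s\n' "$1" | awk -F'[ =]+' '
        $1 == "net.ipv4.ip_forward" { v = $2 }
        END { print (v == "" ? "unset" : v) }'
}

# nat_verdict DUMP: walk nat/POSTROUTING in rule order and report the first
# rule that can match LEFTSUBNET -> RIGHTSUBNET traffic:
#   "leak"     a SNAT/MASQUERADE rule gets it first (source rewritten, the
#              IPsec policy no longer matches, packet leaves in the clear)
#   "excluded" an ACCEPT rule ends NAT processing first
#   "none"     nothing in POSTROUTING touches it
# -s/-d are compared as strings against the configured subnets; subnet
# containment (a /32 inside the /24) is deliberately not computed, and
# interface matches such as -o em1 are assumed to match tunnel traffic.
nat_verdict() {
    printf '%s\n' "$1" | awk -v ls="$LEFTSUBNET" -v rs="$RIGHTSUBNET" '
        /^\*/ { table = substr($0, 2); next }
        table != "nat" || $1 != "-A" || $2 != "POSTROUTING" { next }
        {
            src = ""; dst = ""; target = ""; pol = ""; sneg = 0; dneg = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-s")         { src = $(i + 1); sneg = ($(i - 1) == "!") }
                else if ($i == "-d")    { dst = $(i + 1); dneg = ($(i - 1) == "!") }
                else if ($i == "-j")    { target = $(i + 1) }
                else if ($i == "--pol") { pol = $(i + 1) }
            }
            # "! -s X" / "! -d X": cannot match our pair when X is our
            # subnet; otherwise it places no constraint on that side.
            if (sneg) { if (src == ls) next; src = "" }
            if (dneg) { if (dst == rs) next; dst = "" }
            if (src != "" && src != ls) next
            if (dst != "" && dst != rs) next
            if (pol == "none") next
            if (target == "ACCEPT") { verdict = "excluded"; exit }
            if (target == "MASQUERADE" || target == "SNAT") { verdict = "leak"; exit }
        }
        END { print (verdict == "" ? "none" : verdict) }'
}

# Stand-alone run: report every constructed case.
printf 'ip_forward:  %s\n' "$(ip_forward_state "$SAMPLE_SYSCTL")"
printf 'BROKEN_NAT:  %s\n' "$(nat_verdict "$BROKEN_NAT")"
printf 'FIXED_NAT:   %s\n' "$(nat_verdict "$FIXED_NAT")"
printf 'NEGATED_NAT: %s\n' "$(nat_verdict "$NEGATED_NAT")"
```

<p>On a real gateway, feed the functions live data: <code>nat_verdict "$(iptables-save -t nat)"</code> and <code>ip_forward_state "$(sysctl net.ipv4.ip_forward)"</code>. A "leak" verdict is fixed by inserting the exclusion at position 1 of nat/POSTROUTING (<code>iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT</code>), after which the capture on em1 should show ESP (or, as in Florian's status output, ESP in UDP) toward Y.Y.Y.23 instead of plaintext ICMP with the public source.</p>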