<div dir="ltr"><div><div><div>Hi Tobias,<br><br></div>Thanks for replying. Indeed, I didn't show the evidence that the tunnel is UP. Below are the output of ipsec status and ipsec statusall:<br><br></div>1- ipsec status<br><br>[root@vpn ~]# ipsec status<br>Security Associations (1 up, 0 connecting):<br> srv[2]: <b>ESTABLISHED </b>3 hours ago, xxx.xxx.xxx.xxx[172.16.12.1]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]<br><br><br>2- ipsec statusall<br><br>[root@vpn ~]# ipsec statusall<br>Status of IKE charon daemon (strongSwan 5.4.0, Linux 3.14.32-xxxx-grs-ipv6-64, x86_64):<br> uptime: 27 hours, since Apr 22 10:22:02 2016<br> malloc: sbrk 270496, mmap 0, used 235120, free 35376<br> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3<br> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic<br>Listening IP addresses:<br> xxx.xxx.xxx.xxx<br> xxxx:xxxx:xxxx:xxx::<br> 172.16.12.1<br>Connections:<br> srv: xxx.xxx.xxx.xxx...xxx.xxx.xxx.xxx IKEv1, dpddelay=100s<br> srv: local: [172.16.12.1] uses pre-shared key authentication<br> srv: remote: [xxx.xxx.xxx.xxx] uses pre-shared key authentication<br> srv: child: <a href="http://172.16.12.0/24">172.16.12.0/24</a> === <a href="http://10.112.13.0/24">10.112.13.0/24</a> TUNNEL, dpdaction=restart<br>Security Associations (1 up, 0 connecting):<br> srv[2]: <b>ESTABLISHED </b>3 hours ago, xxx.xxx.xxx.xxx[172.16.12.0]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]<br> srv[2]: IKEv1 SPIs: bd357fba554312da_i* 47a35df5a156dc95_r, pre-shared key reauthentication in 20 hours<br> srv[2]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024<br><br><br></div>You can also find the log generated while establishing the tunnel in the attached file.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 22, 2016 at 12:08 PM, Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<span class=""><br>
> In fact, the tunnel goes UP but no rules are added into iptables<br>
</span>> although I set *leftfirewall=yes*<br>
<br>
There is no evidence that any tunnel is up when looking at the output<br>
below. For instance, there are no policies for the connection defined<br>
in your config:<br>
<span class=""><br>
> [root@vpn etc]# ip xfrm policy<br>
> src <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
> dir 3 priority 0<br>
> src <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
> dir 4 priority 0<br>
> src <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
> dir 3 priority 0<br>
> src <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
> dir 4 priority 0<br>
> src ::/0 dst ::/0<br>
> dir 3 priority 0<br>
> src ::/0 dst ::/0<br>
> dir 4 priority 0<br>
> src ::/0 dst ::/0<br>
> dir 3 priority 0<br>
> src ::/0 dst ::/0<br>
> dir 4 priority 0<br>
<br>
</span>So look for any errors in the log while establishing the tunnel (also<br>
check the log of the other peer).<br>
<br>
Regards,<br>
Tobias<br>
<br>
</blockquote></div><br></div>