<div dir="auto"><div>Hi Ric,</div><div dir="auto"><br></div><div dir="auto">Is IP forwarding enabled on the router?</div><div dir="auto"><pre style="font-family:consolas,menlo,"liberation mono",courier,monospace;margin:1em 1em 1em 1.6em;padding:8px;background-color:rgb(250,250,250);border:1px solid rgb(226,226,226);border-radius:3px;width:auto;color:rgb(54,0,12);font-size:12.6px">sysctl net.ipv4.ip_forward=1</pre><div class="gmail_extra" dir="auto">Bas</div><div class="gmail_extra" dir="auto"><br><div class="gmail_quote" dir="auto">On 5 Sep 2017 12:53 AM, "Ric S" <<a href="mailto:burj-al-arab@gmx.de" target="_blank">burj-al-arab@gmx.de</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi folks,<br>
<br>
I have been ripping my hair out with this issue.<br>
<br>
I'm running strongswan 5.5.3 on a router. The router's LAN subnet is<br>
<a href="http://192.168.0.1/24" rel="noreferrer" target="_blank">192.168.0.1/24</a>.<br>
I can successfully connect to it with an iPad with IKEv2 and surf the<br>
internet, but I cannot reach any internal machines.<br>
<br>
My config is the following:<br>
<br>
ipsec.conf:<br>
<br>
config setup<br>
charondebug="net 2, knl 2, cfg 2"<br>
<br>
conn ikev2<br>
keyexchange=ikev2<br>
ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-<br>
sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes1<br>
esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-<br>
sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128<br>
dpdaction=clear<br>
dpddelay=60s<br>
left=%defaultroute<br>
leftfirewall=yes<br>
lefthostaccess=yes<br>
leftid=<a href="http://myname.ddns.net" rel="noreferrer" target="_blank">myname.ddns.net</a><br>
leftsubnet=<a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a><br>
leftcert=host-vpn.der<br>
leftsendcert=always<br>
right=%any<br>
rightauth=eap-tls<br>
rightsourceip=%dhcp<br>
eap_identity=%any<br>
type=passthrough<br>
auto=add<br>
<br>
strongswan.conf:<br>
<br>
charon {<br>
interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1<br>
plugins {<br>
dhcp {<br>
force_server_address = yes<br>
server = 192.168.0.1<br>
identity_lease = yes<br>
}<br>
farp {<br>
load = yes<br>
}<br>
}}<br>
<br>
threads = 8<br>
dns1 = 8.8.8.8<br>
dns2 = 8.8.8.4<br>
<br>
<br>
<br>
Status:<br>
<br>
Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.80, armv7l):<br>
uptime: 14 minutes, since Sep 05 00:09:53 2017<br>
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,<br>
scheduled: 8<br>
loaded plugins: charon test-vectors aes des blowfish rc2 sha2 sha1 md5<br>
random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp<br>
dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac sqlite<br>
attr kernel-pfkey kernel-netlink resolve socket-default farp stroke vici<br>
updown eap-identity eap-aka eap-md5 eap-mschapv2 eap-radius eap-tls xauth-<br>
generic xauth-eap dhcp whitelist led duplicheck<br>
Listening IP addresses:<br>
169.254.255.1<br>
192.168.0.1<br>
87.168.243.83<br>
Connections:<br>
ikev2: %any...%any IKEv2, dpddelay=60s<br>
ikev2: local: [<a href="http://myname.ddns.net" rel="noreferrer" target="_blank">myname.ddns.net</a>] uses public key authentication<br>
ikev2: cert: "C=DE, O=MYORG, CN=<a href="http://myname.ddns.net" rel="noreferrer" target="_blank">myname.ddns.net</a>"<br>
ikev2: remote: uses EAP_TLS authentication with EAP identity '%any'<br>
ikev2: child: <a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a> === dynamic PASS, dpdaction=clear<br>
Security Associations (1 up, 0 connecting):<br>
ikev2[6]: ESTABLISHED 11 seconds ago, 87.168.243.83[<a href="http://myname.ddns.net" rel="noreferrer" target="_blank">myname.ddns.net</a>]...<br>
109.43.1.19[R6400]<br>
ikev2[6]: IKEv2 SPIs: 243db36d71718704_i 688c466c497d2b9a_r*, public<br>
key reauthentication in 2 hours<br>
ikev2[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/<br>
MODP_1024<br>
ikev2{4}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c0983fe7_i<br>
04eb0f50_o<br>
ikev2{4}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o,<br>
rekeying in 48 minutes<br>
ikev2{4}: <a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a> === <a href="http://192.168.0.121/32" rel="noreferrer" target="_blank">192.168.0.121/32</a><br>
<br>
swanctl --list-sas<br>
ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*<br>
local '<a href="http://myname.ddns.net" rel="noreferrer" target="_blank">myname.ddns.net</a>' @ 87.168.243.83[4500]<br>
remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]<br>
AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>
established 92s ago, reauth in 9765s<br>
ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/<br>
HMAC_SHA2_256_128<br>
installed 89s ago, rekeying in 2800s, expires in 3511s<br>
in c0983fe7, 0 bytes, 0 packets<br>
out 04eb0f50, 0 bytes, 0 packets<br>
local <a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a><br>
remote <a href="http://192.168.0.121/32" rel="noreferrer" target="_blank">192.168.0.121/32</a><br>
<br>
ip route list table 220<br>
192.168.0.121 via 62.155.242.107 dev ppp0 proto static src 192.168.0.1<br>
<br>
FARP seems to work, this is a ping from one of the local machines:<br>
<br>
ping R6400<br>
PING R6400 (192.168.0.121) 56(84) bytes of data.<br>
From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable<br>
From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable<br>
<br>
<br>
Router's iptables output:<br>
<br>
iptables -vnL<br>
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<br>
pkts bytes target prot opt in out source<br>
destination<br>
0 0 ACCEPT 0 -- ppp0 * 192.168.0.121<br>
<a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a> policy match dir in pol ipsec reqid 4 proto 50<br>
161 29398 ACCEPT udp -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
udp dpt:4500<br>
8 4544 ACCEPT udp -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
udp dpt:500<br>
0 0 log<br>
...<br>
<br>
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br>
pkts bytes target prot opt in out source<br>
destination<br>
0 0 ACCEPT 0 -- ppp0 * 192.168.0.121<br>
<a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a> policy match dir in pol ipsec reqid 4 proto 50<br>
0 0 ACCEPT 0 -- * ppp0 <a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a><br>
192.168.0.121 policy match dir out pol ipsec reqid 4 proto 50<br>
...<br>
<br>
Chain OUTPUT (policy ACCEPT 480K packets, 377M bytes)<br>
pkts bytes target prot opt in out source<br>
destination<br>
0 0 ACCEPT 0 -- * ppp0 <a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a><br>
192.168.0.121 policy match dir out pol ipsec reqid 4 proto 50<br>
...<br>
<br>
<br>
iptables -vnL -t nat<br>
Chain PREROUTING (policy ACCEPT 38764 packets, 3219K bytes)<br>
pkts bytes target prot opt in out source<br>
destination<br>
2 62 DNAT icmp -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
87.168.243.83 to:192.168.0.1<br>
444 47552 TRIGGER 0 -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
87.168.243.83 TRIGGER type:dnat match:0 relate:0<br>
<br>
Chain INPUT (policy ACCEPT 15994 packets, 934K bytes)<br>
pkts bytes target prot opt in out source<br>
destination<br>
<br>
Chain OUTPUT (policy ACCEPT 23271 packets, 1467K bytes)<br>
pkts bytes target prot opt in out source<br>
destination<br>
<br>
Chain POSTROUTING (policy ACCEPT 23270 packets, 1467K bytes)<br>
pkts bytes target prot opt in out source<br>
destination<br>
0 0 MASQUERADE 0 -- * vlan2 <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
3023 165K SNAT 0 -- * ppp0 <a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
to:87.168.243.83<br>
0 0 MASQUERADE 0 -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
mark match 0x80000000/0x80000000<br>
<br>
<br>
iptables -vnL -t mangle<br>
Chain PREROUTING (policy ACCEPT 1209K packets, 733M bytes)<br>
pkts bytes target prot opt in out source<br>
destination<br>
1209K 733M FILTER_IN 0 -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
88 10536 MARK 0 -- !ppp0 * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
87.168.243.83 MARK or 0x80000000<br>
1209K 733M CONNMARK 0 -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
CONNMARK save<br>
<br>
Chain INPUT (policy ACCEPT 682K packets, 386M bytes)<br>
pkts bytes target prot opt in out source<br>
destination<br>
289K 351M IMQ 0 -- ppp0 * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
IMQ: todev 0<br>
<br>
Chain FORWARD (policy ACCEPT 522K packets, 346M bytes)<br>
pkts bytes target prot opt in out source<br>
destination<br>
0 0 TCPMSS tcp -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
policy match dir out pol ipsec tcp flags:0x06/0x02 tcpmss match 1361:1536<br>
TCPMSS set 1360<br>
0 0 TCPMSS tcp -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
policy match dir in pol ipsec tcp flags:0x06/0x02 tcpmss match 1361:1536<br>
TCPMSS set 1360<br>
7654 415K TCPMSS tcp -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
tcp flags:0x06/0x02 TCPMSS clamp to PMTU<br>
291K 294M IMQ 0 -- ppp0 * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
IMQ: todev 0<br>
<br>
Chain OUTPUT (policy ACCEPT 503K packets, 382M bytes)<br>
pkts bytes target prot opt in out source<br>
destination<br>
<br>
Chain POSTROUTING (policy ACCEPT 1025K packets, 728M bytes)<br>
pkts bytes target prot opt in out source<br>
destination<br>
0 0 TCPMSS tcp -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
policy match dir out pol ipsec tcp flags:0x06/0x02 tcpmss match 1361:1536<br>
TCPMSS set 1360<br>
1025K 728M FILTER_OUT 0 -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
7242 1346K DSCP 0 -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
DSCP match !0x00 DSCP set 0x00<br>
<br>
Chain FILTER_IN (1 references)<br>
pkts bytes target prot opt in out source<br>
destination<br>
1209K 733M CONNMARK 0 -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
CONNMARK restore<br>
1209K 733M SVQOS_SVCS 0 -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
mark match 0x0/0x7ffc00<br>
1209K 733M CONNMARK 0 -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
CONNMARK save<br>
1209K 733M RETURN 0 -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
<br>
Chain FILTER_OUT (1 references)<br>
pkts bytes target prot opt in out source<br>
destination<br>
1025K 728M CONNMARK 0 -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
CONNMARK restore<br>
1025K 728M SVQOS_SVCS 0 -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
mark match 0x0/0x7ffc00<br>
1025K 728M CONNMARK 0 -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
CONNMARK save<br>
1025K 728M RETURN 0 -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
<br>
Chain SVQOS_SVCS (2 references)<br>
pkts bytes target prot opt in out source<br>
destination<br>
2234K 1461M RETURN 0 -- * * <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
<br>
<br>
I have tried so many things, but still cannot ping from either side or access<br>
any local machines.<br>
Does anyone have a clue? Can I provide additional info?<br>
<br>
</blockquote></div></div>
</div></div>
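Two checks a practitioner would run on the router after reading the thread, as an added example that is neither Bas's nor strongSwan's own code: whether forwarding is on (Bas's question), and whether nat/POSTROUTING exempts IPsec-policy traffic from SNAT/MASQUERADE, since the SNAT rule on ppp0 quoted above has no such exemption in front of it and strongSwan's firewall documentation recommends one. Assumes the iptables text is genuine `iptables -vnL -t nat` output with one rule per line (the mailer-wrapped copy in the thread would need unwrapping first); the sample chains below are constructed from the quoted output.

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread. Targets the symptom
# "CHILD_SA INSTALLED, 0 bytes in/out, LAN hosts unreachable".

# $1: sysctl file to read (defaults to the live kernel value).
ip_forward_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# $1: VPN egress interface (ppp0 in the thread); $2: `iptables -vnL -t nat` text.
# Returns 0 if every SNAT/MASQUERADE rule that can match that interface is
# preceded by an ACCEPT carrying "policy match dir out pol ipsec", else 1.
nat_exempts_ipsec() {
  printf '%s\n' "$2" | awk -v ifc="$1" '
    /^Chain /                          { inchain = ($2 == "POSTROUTING"); next }
    !inchain || $1 == "pkts" || NF < 9 { next }   # headers and blank lines
    $7 != ifc && $7 != "*"             { next }   # "out" column is field 7
    $3 == "ACCEPT" && /policy match dir out pol ipsec/ { exempt = 1 }
    ($3 == "SNAT" || $3 == "MASQUERADE") && !exempt    { bad = 1 }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample, modelled on the POSTROUTING chain quoted in the thread,
# with each rule unwrapped onto a single line.
NAT_AS_POSTED='Chain POSTROUTING (policy ACCEPT 23270 packets, 1467K bytes)
 pkts bytes target prot opt in out source destination
    0     0 MASQUERADE 0 -- * vlan2 0.0.0.0/0 0.0.0.0/0
 3023  165K SNAT 0 -- * ppp0 192.168.0.0/24 0.0.0.0/0 to:87.168.243.83
    0     0 MASQUERADE 0 -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x80000000/0x80000000'

# Same chain after the documented exemption has been inserted first:
#   iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
NAT_WITH_EXEMPTION="Chain POSTROUTING (policy ACCEPT 23270 packets, 1467K bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
$(printf '%s\n' "$NAT_AS_POSTED" | tail -n +3)"

# Live use on the router (root):
#   ip_forward_enabled || echo "net.ipv4.ip_forward is 0"
#   nat_exempts_ipsec ppp0 "$(iptables -vnL -t nat)" || echo "NAT hits IPsec traffic on ppp0"
```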