<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On 9 September 2017 at 16:34, Noel Kuntze <span dir="ltr"><<a href="mailto:noel.kuntze+strongswan-users-ml@thermi.consulting" target="_blank">noel.kuntze+strongswan-users-ml@thermi.consulting</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Well, you need to accept ESP packets obviously, if you don't use UDP encapsulation.<br></blockquote><div><br></div><div>Got it. I enabled it.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Other than that, make sure ip forwarding is enabled globally on moon and it is enabled for the involved interfaces.<br></blockquote><div><br></div><div>IP forwarding is enabled globally on moon and on eth1 which is connected to the same vlan that alice and carol are connected to:</div><div><br></div><div><div>[moon] $ sysctl -A | grep -E "ipv4.*(\.forwarding|ip_forward)"</div></div><div><div>net.ipv4.conf.all.forwarding = 1</div><div>net.ipv4.conf.default.forwarding = 1</div><div>net.ipv4.conf.eth0.forwarding = 1</div><div>net.ipv4.conf.eth1.forwarding = 1</div><div>net.ipv4.conf.lo.forwarding = 1</div><div>net.ipv4.ip_forward = 1</div><div>net.ipv4.ip_forward_use_pmtu = 0</div></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
On top of that, make sure the iptables rules in *filter FORWARD permit the traffic from Alice to Bob.<br></blockquote><div><br></div><div>These rules on moon that were automatically added by strongswan should permit that traffic right?</div><div><br></div><div><div>Chain FORWARD (policy ACCEPT)</div><div>target prot opt source destination </div><div>ACCEPT all -- 10.0.0.2 <a href="http://10.0.0.0/24">10.0.0.0/24</a> policy match dir in pol ipsec reqid 2 proto esp</div><div>ACCEPT all -- <a href="http://10.0.0.0/24">10.0.0.0/24</a> 10.0.0.2 policy match dir out pol ipsec reqid 2 proto esp</div><div>ACCEPT all -- 10.0.0.1 <a href="http://10.0.0.0/24">10.0.0.0/24</a> policy match dir in pol ipsec reqid 1 proto esp</div><div>ACCEPT all -- <a href="http://10.0.0.0/24">10.0.0.0/24</a> 10.0.0.1 policy match dir out pol ipsec reqid 1 proto esp</div></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Right now, you don't accept ESP packets, but it seems your tunnels use that. Check where the net unreachable comes from.<br></blockquote><div><br></div><div>After enabling ESP traffic and doing a ping from alice to 10.0.0.2 I see the following tcpdump on moon:</div><div><br></div><div><div>16:07:30.329243 IP 192.168.1.1 > <a href="http://192.168.1.3">192.168.1.3</a>: ESP(spi=0xc3ac1de0,seq=0x2), length 136</div><div>16:07:30.329287 IP 192.168.1.1 > <a href="http://10.0.0.2">10.0.0.2</a>: ICMP echo request, id 1072, seq 1, length 64</div></div><div><br></div><div>I understand the first packet but I'm surprised by the source address of the second packet. Shouldn't the source be 10.0.0.1?</div><div><br></div><div>If I compare routing table 220 of alice:</div><div><br></div><div>[alice] $ ip route list table 220</div><div><a href="http://10.0.0.0/24">10.0.0.0/24</a> via 192.168.1.3 dev eth1 proto static src 192.168.1.1<br></div><div> </div><div>with routing table 220 of my workstation (which is also using strongswan to connect to our company VPN) I see that on my workstation the src is set to the VPN assigned IP address and not the public IP address like on alice. I'm surprised by this difference. Could this explain the routing failure?</div><div><br></div><div>I'm clearly not a networking expert so thanks a lot with your help so far.</div><div><br></div><div>Bas</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Kind regards<br>
<br>
Noel<br>
<span class="gmail-"><br>
On <a href="tel:09.09.2017%2016" value="+31909201716">09.09.2017 16</a>:16, Bas van Dijk wrote:<br>
> (I removed the NFLOG rules)<br>
><br>
> [alice] $ iptables-save -c <br>
> # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:40 2017<br>
> *nat<br>
> :PREROUTING ACCEPT [4:256]<br>
> :INPUT ACCEPT [0:0]<br>
> :OUTPUT ACCEPT [4:2672]<br>
> :POSTROUTING ACCEPT [4:2672]<br>
> COMMIT<br>
> # Completed on Sat Sep 9 14:02:40 2017<br>
> # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:40 2017<br>
> *raw<br>
> :PREROUTING ACCEPT [18:6158]<br>
> :OUTPUT ACCEPT [16:8534]<br>
> :nixos-fw-rpfilter - [0:0]<br>
> [18:6158] -A PREROUTING -j nixos-fw-rpfilter<br>
> [18:6158] -A nixos-fw-rpfilter -m rpfilter -j RETURN<br>
</span>> [0:0] -A nixos-fw-rpfilter -s <a href="http://0.0.0.0/32" rel="noreferrer" target="_blank">0.0.0.0/32</a> <<a href="http://0.0.0.0/32" rel="noreferrer" target="_blank">http://0.0.0.0/32</a>> -d <a href="http://255.255.255.255/32" rel="noreferrer" target="_blank">255.255.255.255/32</a> <<a href="http://255.255.255.255/32" rel="noreferrer" target="_blank">http://255.255.255.255/32</a>> -p udp -m udp --sport 68 --dport 67 -j RETURN<br>
<span class="gmail-">> [0:0] -A nixos-fw-rpfilter -j DROP<br>
> COMMIT<br>
> # Completed on Sat Sep 9 14:02:40 2017<br>
> # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:40 2017<br>
> *filter<br>
> :INPUT ACCEPT [0:0]<br>
> :FORWARD ACCEPT [0:0]<br>
> :OUTPUT ACCEPT [0:0]<br>
> :nixos-fw - [0:0]<br>
> :nixos-fw-accept - [0:0]<br>
> :nixos-fw-log-refuse - [0:0]<br>
> :nixos-fw-refuse - [0:0]<br>
</span>> [0:0] -A INPUT -s <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -d <a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">10.0.0.1/32</a> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
<span class="gmail-">> [18:6158] -A INPUT -j nixos-fw<br>
</span>> [0:0] -A FORWARD -s <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -d <a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">10.0.0.1/32</a> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
> [0:0] -A FORWARD -s <a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">10.0.0.1/32</a> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> -d <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
> [0:0] -A OUTPUT -s <a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">10.0.0.1/32</a> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> -d <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
<div><div class="gmail-h5">> [2:1152] -A nixos-fw -i lo -j nixos-fw-accept<br>
> [10:4622] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept<br>
> [0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept<br>
> [6:384] -A nixos-fw -j nixos-fw-log-refuse<br>
> [12:5774] -A nixos-fw-accept -j ACCEPT<br>
> [0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6<br>
> [6:384] -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse<br>
> [0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse<br>
> [6:384] -A nixos-fw-refuse -j DROP<br>
> COMMIT<br>
> # Completed on Sat Sep 9 14:02:40 2017<br>
><br>
> [alice] $ sysctl -A | grep rp_filter <br>
> net.ipv4.conf.all.arp_filter = 0<br>
> net.ipv4.conf.all.rp_filter = 0<br>
> net.ipv4.conf.default.arp_<wbr>filter = 0<br>
> net.ipv4.conf.default.rp_<wbr>filter = 0<br>
> net.ipv4.conf.eth0.arp_filter = 0<br>
> net.ipv4.conf.eth0.rp_filter = 0<br>
> net.ipv4.conf.eth1.arp_filter = 0<br>
> net.ipv4.conf.eth1.rp_filter = 0<br>
> net.ipv4.conf.lo.arp_filter = 0<br>
> net.ipv4.conf.lo.rp_filter = 0<br>
><br>
> [carol] $ iptables-save -c <br>
> # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:56 2017<br>
> *nat<br>
> :PREROUTING ACCEPT [2:128]<br>
> :INPUT ACCEPT [0:0]<br>
> :OUTPUT ACCEPT [3:2002]<br>
> :POSTROUTING ACCEPT [3:2002]<br>
> COMMIT<br>
> # Completed on Sat Sep 9 14:02:56 2017<br>
> # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:56 2017<br>
> *raw<br>
> :PREROUTING ACCEPT [7:1983]<br>
> :OUTPUT ACCEPT [5:2374]<br>
> :nixos-fw-rpfilter - [0:0]<br>
> [7:1983] -A PREROUTING -j nixos-fw-rpfilter<br>
> [7:1983] -A nixos-fw-rpfilter -m rpfilter -j RETURN<br>
</div></div>> [0:0] -A nixos-fw-rpfilter -s <a href="http://0.0.0.0/32" rel="noreferrer" target="_blank">0.0.0.0/32</a> <<a href="http://0.0.0.0/32" rel="noreferrer" target="_blank">http://0.0.0.0/32</a>> -d <a href="http://255.255.255.255/32" rel="noreferrer" target="_blank">255.255.255.255/32</a> <<a href="http://255.255.255.255/32" rel="noreferrer" target="_blank">http://255.255.255.255/32</a>> -p udp -m udp --sport 68 --dport 67 -j RETURN<br>
<span class="gmail-">> [0:0] -A nixos-fw-rpfilter -j DROP<br>
> COMMIT<br>
> # Completed on Sat Sep 9 14:02:56 2017<br>
> # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:56 2017<br>
> *filter<br>
> :INPUT ACCEPT [0:0]<br>
> :FORWARD ACCEPT [0:0]<br>
> :OUTPUT ACCEPT [0:0]<br>
> :nixos-fw - [0:0]<br>
> :nixos-fw-accept - [0:0]<br>
> :nixos-fw-log-refuse - [0:0]<br>
> :nixos-fw-refuse - [0:0]<br>
</span>> [0:0] -A INPUT -s <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -d <a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
<span class="gmail-">> [7:1983] -A INPUT -j nixos-fw<br>
</span>> [0:0] -A FORWARD -s <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -d <a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
> [0:0] -A FORWARD -s <a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> -d <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
> [0:0] -A OUTPUT -s <a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> -d <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
<div><div class="gmail-h5">> [0:0] -A nixos-fw -i lo -j nixos-fw-accept<br>
> [3:1727] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept<br>
> [0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept<br>
> [4:256] -A nixos-fw -j nixos-fw-log-refuse<br>
> [3:1727] -A nixos-fw-accept -j ACCEPT<br>
> [0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6<br>
> [4:256] -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse<br>
> [0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse<br>
> [4:256] -A nixos-fw-refuse -j DROP<br>
> COMMIT<br>
> # Completed on Sat Sep 9 14:02:56 2017<br>
><br>
> [carol] $ sysctl -A | grep rp_filter <br>
> net.ipv4.conf.all.arp_filter = 0<br>
> net.ipv4.conf.all.rp_filter = 0<br>
> net.ipv4.conf.default.arp_<wbr>filter = 0<br>
> net.ipv4.conf.default.rp_<wbr>filter = 0<br>
> net.ipv4.conf.eth0.arp_filter = 0<br>
> net.ipv4.conf.eth0.rp_filter = 0<br>
> net.ipv4.conf.eth1.arp_filter = 0<br>
> net.ipv4.conf.eth1.rp_filter = 0<br>
> net.ipv4.conf.lo.arp_filter = 0<br>
> net.ipv4.conf.lo.rp_filter = 0<br>
><br>
> [moon] $ iptables-save -c <br>
> # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:37 2017<br>
> *nat<br>
> :PREROUTING ACCEPT [5:4546]<br>
> :INPUT ACCEPT [5:4546]<br>
> :OUTPUT ACCEPT [1:64]<br>
> :POSTROUTING ACCEPT [1:64]<br>
> COMMIT<br>
> # Completed on Sat Sep 9 14:02:37 2017<br>
> # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:37 2017<br>
> *raw<br>
> :PREROUTING ACCEPT [15:8288]<br>
> :OUTPUT ACCEPT [15:6477]<br>
> :nixos-fw-rpfilter - [0:0]<br>
> [15:8288] -A PREROUTING -j nixos-fw-rpfilter<br>
> [15:8288] -A nixos-fw-rpfilter -m rpfilter -j RETURN<br>
</div></div>> [0:0] -A nixos-fw-rpfilter -s <a href="http://0.0.0.0/32" rel="noreferrer" target="_blank">0.0.0.0/32</a> <<a href="http://0.0.0.0/32" rel="noreferrer" target="_blank">http://0.0.0.0/32</a>> -d <a href="http://255.255.255.255/32" rel="noreferrer" target="_blank">255.255.255.255/32</a> <<a href="http://255.255.255.255/32" rel="noreferrer" target="_blank">http://255.255.255.255/32</a>> -p udp -m udp --sport 68 --dport 67 -j RETURN<br>
<span class="gmail-">> [0:0] -A nixos-fw-rpfilter -j DROP<br>
> COMMIT<br>
> # Completed on Sat Sep 9 14:02:37 2017<br>
> # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:37 2017<br>
> *filter<br>
> :INPUT ACCEPT [0:0]<br>
> :FORWARD ACCEPT [0:0]<br>
> :OUTPUT ACCEPT [2:1432]<br>
> :nixos-fw - [0:0]<br>
> :nixos-fw-accept - [0:0]<br>
> :nixos-fw-log-refuse - [0:0]<br>
> :nixos-fw-refuse - [0:0]<br>
> [15:8288] -A INPUT -j nixos-fw<br>
</span>> [0:0] -A FORWARD -s <a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> -d <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -i eth1 -m policy --dir in --pol ipsec --reqid 3 --proto esp -j ACCEPT<br>
> [0:0] -A FORWARD -s <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -d <a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> -o eth1 -m policy --dir out --pol ipsec --reqid 3 --proto esp -j ACCEPT<br>
> [0:0] -A FORWARD -s <a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">10.0.0.1/32</a> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> -d <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -i eth1 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT<br>
> [0:0] -A FORWARD -s <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -d <a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">10.0.0.1/32</a> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> -o eth1 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT<br>
<div><div class="gmail-h5">> [0:0] -A nixos-fw -i lo -j nixos-fw-accept<br>
> [5:2328] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept<br>
> [4:3152] -A nixos-fw -p udp -m udp --dport 4500 -j nixos-fw-accept<br>
> [4:2680] -A nixos-fw -p udp -m udp --dport 500 -j nixos-fw-accept<br>
> [0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept<br>
> [2:128] -A nixos-fw -j nixos-fw-log-refuse<br>
> [13:8160] -A nixos-fw-accept -j ACCEPT<br>
> [0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6<br>
> [2:128] -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse<br>
> [0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse<br>
> [2:128] -A nixos-fw-refuse -j DROP<br>
> COMMIT<br>
> # Completed on Sat Sep 9 14:02:37 2017<br>
><br>
> [moon] $ sysctl -A | grep rp_filter <br>
> net.ipv4.conf.all.arp_filter = 0<br>
> net.ipv4.conf.all.rp_filter = 0<br>
> net.ipv4.conf.default.arp_<wbr>filter = 0<br>
> net.ipv4.conf.default.rp_<wbr>filter = 0<br>
> net.ipv4.conf.eth0.arp_filter = 0<br>
> net.ipv4.conf.eth0.rp_filter = 0<br>
> net.ipv4.conf.eth1.arp_filter = 0<br>
> net.ipv4.conf.eth1.rp_filter = 0<br>
> net.ipv4.conf.lo.arp_filter = 0<br>
> net.ipv4.conf.lo.rp_filter = 0<br>
><br>
> BTW note that if I execute the following on all hosts:<br>
><br>
> $ iptables --insert INPUT --protocol ESP --jump ACCEPT<br>
><br>
> pinging from alice to carol will actually give a "Destination Net Unreachable" error instead of not giving any output:<br>
><br>
> [alice] $ ping -c 10.0.0.2<br>
> PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.<br>
> From 192.168.1.3 icmp_seq=1 Destination Net Unreachable<br>
><br>
> --- 10.0.0.2 ping statistics ---<br>
> 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms<br>
><br>
><br>
</div></div><span class="gmail-">> On 9 September 2017 at 15:57, Noel Kuntze <noel.kuntze+strongswan-users-<wbr>ml@thermi.consulting <mailto:<a href="mailto:noel.kuntze%2Bstrongswan-users-ml@thermi.consulting">noel.kuntze+<wbr>strongswan-users-ml@thermi.<wbr>consulting</a>>> wrote:<br>
><br>
> Hi Bas,<br>
><br>
> Please provide the outputs of `iptables-save -c` on all hosts<br>
> and the output of `sysctl -A | grep rp_filter`. `iptables -S` is not useful.<br>
><br>
> Kind regards<br>
><br>
> Noel<br>
><br>
</span><span class="gmail-">> On <a href="tel:09.09.2017%2015" value="+31909201715">09.09.2017 15</a> <tel:09.09.2017%2015>:50, Bas van Dijk wrote:<br>
> > Hi Noel,<br>
> ><br>
> > These are the firewall rules of all hosts after establishing the tunnels (all the NFLOG rules will be removed eventually, they're currently used for debugging):<br>
> ><br>
> > [alice] $ iptables -S <br>
> > -P INPUT ACCEPT<br>
> > -P FORWARD ACCEPT<br>
> > -P OUTPUT ACCEPT<br>
> > -N nixos-fw<br>
> > -N nixos-fw-accept<br>
> > -N nixos-fw-log-refuse<br>
> > -N nixos-fw-refuse<br>
</span>> > -A INPUT -s <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -d <a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">10.0.0.1/32</a> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
<span class="gmail-">> > -A INPUT -m addrtype ! --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5<br>
> > -A INPUT -m addrtype --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5<br>
> > -A INPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5<br>
> > -A INPUT -p ah -j NFLOG --nflog-group 5<br>
> > -A INPUT -p esp -j NFLOG --nflog-group 5<br>
> > -A INPUT -j nixos-fw<br>
</span>> > -A FORWARD -s <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -d <a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">10.0.0.1/32</a> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
> > -A FORWARD -s <a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">10.0.0.1/32</a> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> -d <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
> > -A OUTPUT -s <a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">10.0.0.1/32</a> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> -d <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
<span class="gmail-">> > -A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 5<br>
> > -A OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5<br>
> > -A OUTPUT -p ah -j NFLOG --nflog-group 5<br>
> > -A OUTPUT -p esp -j NFLOG --nflog-group 5<br>
> > -A nixos-fw -i lo -j nixos-fw-accept<br>
> > -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept<br>
> > -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept<br>
> > -A nixos-fw -j nixos-fw-log-refuse<br>
> > -A nixos-fw-accept -j ACCEPT<br>
> > -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6<br>
> > -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse<br>
> > -A nixos-fw-log-refuse -j nixos-fw-refuse<br>
> > -A nixos-fw-refuse -j DROP<br>
> ><br>
> > [carol] $ iptables -S <br>
> > -P INPUT ACCEPT<br>
> > -P FORWARD ACCEPT<br>
> > -P OUTPUT ACCEPT<br>
> > -N nixos-fw<br>
> > -N nixos-fw-accept<br>
> > -N nixos-fw-log-refuse<br>
> > -N nixos-fw-refuse<br>
</span>> > -A INPUT -s <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -d <a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
<span class="gmail-">> > -A INPUT -m addrtype ! --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5<br>
> > -A INPUT -m addrtype --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5<br>
> > -A INPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5<br>
> > -A INPUT -p ah -j NFLOG --nflog-group 5<br>
> > -A INPUT -p esp -j NFLOG --nflog-group 5<br>
> > -A INPUT -j nixos-fw<br>
</span>> > -A FORWARD -s <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -d <a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
> > -A FORWARD -s <a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> -d <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
> > -A OUTPUT -s <a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> -d <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
<div><div class="gmail-h5">> > -A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 5<br>
> > -A OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5<br>
> > -A OUTPUT -p ah -j NFLOG --nflog-group 5<br>
> > -A OUTPUT -p esp -j NFLOG --nflog-group 5<br>
> > -A nixos-fw -i lo -j nixos-fw-accept<br>
> > -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept<br>
> > -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept<br>
> > -A nixos-fw -j nixos-fw-log-refuse<br>
> > -A nixos-fw-accept -j ACCEPT<br>
> > -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6<br>
> > -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse<br>
> > -A nixos-fw-log-refuse -j nixos-fw-refuse<br>
> > -A nixos-fw-refuse -j DROP<br>
> ><br>
> > [moon] $ iptables -S <br>
> > -P INPUT ACCEPT<br>
> > -P FORWARD ACCEPT<br>
> > -P OUTPUT ACCEPT<br>
> > -N nixos-fw<br>
> > -N nixos-fw-accept<br>
> > -N nixos-fw-log-refuse<br>
> > -N nixos-fw-refuse<br>
> > -A INPUT -m addrtype ! --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5<br>
> > -A INPUT -m addrtype --dst-type LOCAL -m policy --dir in --pol ipsec -j NFLOG --nflog-group 5<br>
> > -A INPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5<br>
> > -A INPUT -p ah -j NFLOG --nflog-group 5<br>
> > -A INPUT -p esp -j NFLOG --nflog-group 5<br>
> > -A INPUT -j nixos-fw<br>
</div></div>> > -A FORWARD -s <a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> -d <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -i eth1 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT<br>
> > -A FORWARD -s <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -d <a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">10.0.0.2/32</a> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> <<a href="http://10.0.0.2/32" rel="noreferrer" target="_blank">http://10.0.0.2/32</a>> -o eth1 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT<br>
> > -A FORWARD -s <a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">10.0.0.1/32</a> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> -d <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
> > -A FORWARD -s <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> -d <a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">10.0.0.1/32</a> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> <<a href="http://10.0.0.1/32" rel="noreferrer" target="_blank">http://10.0.0.1/32</a>> -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT<br>
<span class="gmail-">> > -A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 5<br>
> > -A OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5<br>
> > -A OUTPUT -p ah -j NFLOG --nflog-group 5<br>
> > -A OUTPUT -p esp -j NFLOG --nflog-group 5<br>
> > -A nixos-fw -i lo -j nixos-fw-accept<br>
> > -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept<br>
> > -A nixos-fw -p udp -m udp --dport 4500 -j nixos-fw-accept<br>
> > -A nixos-fw -p udp -m udp --dport 500 -j nixos-fw-accept<br>
> > -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept<br>
> > -A nixos-fw -j nixos-fw-log-refuse<br>
> > -A nixos-fw-accept -j ACCEPT<br>
> > -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6<br>
> > -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse<br>
> > -A nixos-fw-log-refuse -j nixos-fw-refuse<br>
> > -A nixos-fw-refuse -j DROP<br>
> ><br>
> ><br>
</span><span class="gmail-">> > On 9 September 2017 at 15:34, Noel Kuntze <noel.kuntze+strongswan-users-<wbr>ml@thermi.consulting <mailto:<a href="mailto:noel.kuntze%2Bstrongswan-users-ml@thermi.consulting">noel.kuntze+<wbr>strongswan-users-ml@thermi.<wbr>consulting</a> <mailto:<a href="mailto:noel.kuntze%252Bstrongswan-users-ml@thermi.consulting">noel.kuntze%<wbr>2Bstrongswan-users-ml@thermi.<wbr>consulting</a>>>> wrote:<br>
> ><br>
> > Hi,<br>
> ><br>
> > Check your iptables rules.<br>
> ><br>
> > Kind regards<br>
> ><br>
> > Noel<br>
> ><br>
</span><span class="gmail-">> > On <a href="tel:09.09.2017%2014" value="+31909201714">09.09.2017 14</a> <tel:09.09.2017%2014> <tel:09.09.2017%2014>:06, Bas van Dijk wrote:<br>
> > > Dear list,<br>
> > ><br>
</span>> > > (I accidentally sent a previous message <<a href="https://groups.google.com/forum/#%21topic/strongswan-users/2ytikPcg7jA" rel="noreferrer" target="_blank">https://groups.google.com/<wbr>forum/#%21topic/strongswan-<wbr>users/2ytikPcg7jA</a> <<a href="https://groups.google.com/forum/#%21topic/strongswan-users/2ytikPcg7jA" rel="noreferrer" target="_blank">https://groups.google.com/<wbr>forum/#%21topic/strongswan-<wbr>users/2ytikPcg7jA</a>> <<a href="https://groups.google.com/forum/#%21topic/strongswan-users/2ytikPcg7jA" rel="noreferrer" target="_blank">https://groups.google.com/<wbr>forum/#%21topic/strongswan-<wbr>users/2ytikPcg7jA</a> <<a href="https://groups.google.com/forum/#%21topic/strongswan-users/2ytikPcg7jA" rel="noreferrer" target="_blank">https://groups.google.com/<wbr>forum/#%21topic/strongswan-<wbr>users/2ytikPcg7jA</a>>>> to the read-only <a href="mailto:strongswan-users@googlegroups.com">strongswan-users@googlegroups.<wbr>com</a> <mailto:<a href="mailto:strongswan-users@googlegroups.com">strongswan-users@<wbr>googlegroups.com</a>> <mailto:<a href="mailto:strongswan-users@googlegroups.com">strongswan-users@<wbr>googlegroups.com</a> <mailto:<a href="mailto:strongswan-users@googlegroups.com">strongswan-users@<wbr>googlegroups.com</a>>> <mailto:<a href="mailto:strongswan-users@googlegroups.com">strongswan-users@<wbr>googlegroups.com</a> <mailto:<a href="mailto:strongswan-users@googlegroups.com">strongswan-users@<wbr>googlegroups.com</a>> <mailto:<a href="mailto:strongswan-users@googlegroups.com">strongswan-users@<wbr>googlegroups.com</a> <mailto:<a href="mailto:strongswan-users@googlegroups.com">strongswan-users@<wbr>googlegroups.com</a>>>>. So let's try the real list.)<br>
<span class="gmail-">> > ><br>
> > > I'm working on another NixOS strongswan test. This time I have two roadwarriors alice and carol that set up a connection to gateway moon. They request a virtual IP. The gateway moon assigns virtual IP addresses from a pool per roadwarrior containing a single IP address. Authentication is based on X.509 certificates. In order to test the tunnel alice and carol ping each other. The test configuration can be found in:<br>
> > ><br>
</span>> > > <a href="https://github.com/LumiGuide/nixpkgs/blob/strongswan-swanctl-pubkey-test/nixos/tests/strongswan-swanctl-pubkey.nix" rel="noreferrer" target="_blank">https://github.com/LumiGuide/<wbr>nixpkgs/blob/strongswan-<wbr>swanctl-pubkey-test/nixos/<wbr>tests/strongswan-swanctl-<wbr>pubkey.nix</a> <<a href="https://github.com/LumiGuide/nixpkgs/blob/strongswan-swanctl-pubkey-test/nixos/tests/strongswan-swanctl-pubkey.nix" rel="noreferrer" target="_blank">https://github.com/LumiGuide/<wbr>nixpkgs/blob/strongswan-<wbr>swanctl-pubkey-test/nixos/<wbr>tests/strongswan-swanctl-<wbr>pubkey.nix</a>> <<a href="https://github.com/LumiGuide/nixpkgs/blob/strongswan-swanctl-pubkey-test/nixos/tests/strongswan-swanctl-pubkey.nix" rel="noreferrer" target="_blank">https://github.com/LumiGuide/<wbr>nixpkgs/blob/strongswan-<wbr>swanctl-pubkey-test/nixos/<wbr>tests/strongswan-swanctl-<wbr>pubkey.nix</a> <<a href="https://github.com/LumiGuide/nixpkgs/blob/strongswan-swanctl-pubkey-test/nixos/tests/strongswan-swanctl-pubkey.nix" rel="noreferrer" target="_blank">https://github.com/LumiGuide/<wbr>nixpkgs/blob/strongswan-<wbr>swanctl-pubkey-test/nixos/<wbr>tests/strongswan-swanctl-<wbr>pubkey.nix</a>>><br>
<div><div class="gmail-h5">> > ><br>
> > > The roadwarriors alice and carol can successfully establish a CHILD_SA with the gateway moon. The problem is that the roadwarriors can't ping eachother. <br>
> > ><br>
> > > This is a tcpdump on alice while initiating the CHILD_SA and trying to ping carol:<br>
> > ><br>
> > > [alice] $ tcpdump -s 0 -n -i nflog:5<br>
> > > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>
> > > listening on nflog:5, link-type NFLOG (Linux netfilter log messages), capture size 262144 bytes<br>
> > > # swanctl -i --child alice<br>
> > > 11:05:07.318185 IP 192.168.1.1.500 > 192.168.1.3.500: isakmp: parent_sa ikev2_init[I]<br>
> > > 11:05:07.318291 IP 192.168.1.3.500 > 192.168.1.1.500: isakmp: parent_sa ikev2_init[R]<br>
> > > 11:05:07.318296 IP 192.168.1.1.4500 > 192.168.1.3.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]<br>
> > > 11:05:07.318308 IP 192.168.1.1.4500 > 192.168.1.3.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]<br>
> > > 11:05:08.346181 IP 192.168.1.3.4500 > 192.168.1.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]<br>
> > > 11:05:08.346196 IP 192.168.1.3.4500 > 192.168.1.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]<br>
> > > # ping -c 1 10.0.0.2<br>
> > > 11:05:15.898172 IP 192.168.1.1 > 10.0.0.2 <<a href="http://10.0.0.2" rel="noreferrer" target="_blank">http://10.0.0.2</a>>: ICMP echo request, id 1120, seq 1, length 64<br>
> > > 11:05:15.898200 IP 192.168.1.1 > 10.0.0.2 <<a href="http://10.0.0.2" rel="noreferrer" target="_blank">http://10.0.0.2</a>>: ICMP echo request, id 1120, seq 1, length 64<br>
> > > 11:05:15.898205 IP 192.168.1.1 > 192.168.1.3 <<a href="http://192.168.1.3" rel="noreferrer" target="_blank">http://192.168.1.3</a>>: ESP(spi=0xc6877d56,seq=0x1), length 136<br>
> > ><br>
> > > So it looks like the ping packet gets encapsulated and send to moon. This is the dump on moon:<br>
> > ><br>
> > > [moon] $ tcpdump -s 0 -n -i nflog:5<br>
> > > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>
> > > listening on nflog:5, link-type NFLOG (Linux netfilter log messages), capture size 262144 bytes<br>
> > > 11:05:07.170190 IP 192.168.1.1.500 > 192.168.1.3.500: isakmp: parent_sa ikev2_init[I]<br>
> > > 11:05:07.170218 IP 192.168.1.3.500 > 192.168.1.1.500: isakmp: parent_sa ikev2_init[R]<br>
> > > 11:05:07.170221 IP 192.168.1.1.4500 > 192.168.1.3.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]<br>
> > > 11:05:07.170227 IP 192.168.1.1.4500 > 192.168.1.3.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]<br>
> > > 11:05:08.225827 IP 192.168.1.3.4500 > 192.168.1.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]<br>
> > > 11:05:08.225843 IP 192.168.1.3.4500 > 192.168.1.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]<br>
> > ><br>
> > > 11:05:15.777787 IP 192.168.1.1 > 192.168.1.3 <<a href="http://192.168.1.3" rel="noreferrer" target="_blank">http://192.168.1.3</a>>: ESP(spi=0xc6877d56,seq=0x1), length 136<br>
> > ><br>
> > > So moon receives the encapsulated ping message from alice but it never reroutes it to carol. Is this caused by a bad routing configuration? These are the routes on alice and her auto-generated swanctl configuration:<br>
> > ><br>
> > > [alice] $ ip route list table 220<br>
</div></div>> > > <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> via 192.168.1.3 dev eth1 proto static src 192.168.1.1 <br>
<span class="gmail-">> > ><br>
> > > [alice] $ cat /etc/swanctl/swanctl.conf<br>
> > > connections {<br>
> > > alice {<br>
> > > children {<br>
> > > alice {<br>
</span>> > > remote_ts = <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>><br>
<span class="gmail-">> > > start_action = trap<br>
> > > updown = /nix/store/<wbr>jdcviy5z25xamq35g8k9qbdpskkx3w<wbr>9g-strongswan-5.6.0/libexec/<wbr>ipsec/_updown iptables<br>
> > > }<br>
> > > }<br>
> > > local-main {<br>
> > > auth = pubkey<br>
> > > certs = aliceCert.der<br>
> > > id = alice<br>
> > > }<br>
> > > remote-main {<br>
> > > auth = pubkey<br>
> > > id = moon<br>
> > > }<br>
> > > remote_addrs = moon<br>
> > > version = 2<br>
> > > vips = 0.0.0.0<br>
> > > }<br>
> > > }<br>
> > ><br>
> > > Routing table 220 is empty on moon. Is that how it's supposed to be? This is its auto-generated swanctl configuration:<br>
> > ><br>
> > > [moon] $ cat /etc/swanctl/swanctl.conf <br>
> > > connections {<br>
> > > alice {<br>
> > > children {<br>
> > > alice {<br>
</span>> > > local_ts = <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>><br>
<span class="gmail-">> > > updown = /nix/store/<wbr>jdcviy5z25xamq35g8k9qbdpskkx3w<wbr>9g-strongswan-5.6.0/libexec/<wbr>ipsec/_updown iptables<br>
> > > }<br>
> > > }<br>
> > > local-main {<br>
> > > auth = pubkey<br>
> > > certs = moonCert.der<br>
> > > id = moon<br>
> > > }<br>
> > > pools = alice<br>
> > > remote-main {<br>
> > > auth = pubkey<br>
> > > id = alice<br>
> > > }<br>
> > > version = 2<br>
> > > }<br>
> > > carol {<br>
> > > children {<br>
> > > carol {<br>
</span>> > > local_ts = <a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">10.0.0.0/24</a> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>> <<a href="http://10.0.0.0/24" rel="noreferrer" target="_blank">http://10.0.0.0/24</a>><br>
<div class="gmail-HOEnZb"><div class="gmail-h5">> > > updown = /nix/store/<wbr>jdcviy5z25xamq35g8k9qbdpskkx3w<wbr>9g-strongswan-5.6.0/libexec/<wbr>ipsec/_updown iptables<br>
> > > }<br>
> > > }<br>
> > > local-main {<br>
> > > auth = pubkey<br>
> > > certs = moonCert.der<br>
> > > id = moon<br>
> > > }<br>
> > > pools = carol<br>
> > > remote-main {<br>
> > > auth = pubkey<br>
> > > id = carol<br>
> > > }<br>
> > > version = 2<br>
> > > }<br>
> > > }<br>
> > > pools {<br>
> > > alice {<br>
> > > addrs = 10.0.0.1<br>
> > > }<br>
> > > carol {<br>
> > > addrs = 10.0.0.2<br>
> > > }<br>
> > > }<br>
> > ><br>
> > > I'm sure I'm not configuring something correctly. Can somebody point me in the right direction to get this test succeeding?<br>
> > ><br>
> > > Regards,<br>
> > ><br>
> > > Bas<br>
> > ><br>
> > ><br>
> > ><br>
> ><br>
> ><br>
> ><br>
><br>
><br>
<br>
</div></div></blockquote></div><br></div></div>