<div dir="ltr">I am using Strongswan 5.6.1 on my OpenVZ servers<div>And strongswan 5.6.1 is compiled by myself. kernel-libipsec enabled by </div><div><span style="color:rgb(0,0,0);font-family:Consolas,Monaco,"Andale Mono",monospace;font-size:16px;white-space:pre"><br></span></div><div><span style="color:rgb(0,0,0);font-family:Consolas,Monaco,"Andale Mono",monospace;font-size:16px;white-space:pre">./configure --enable-eap-identity --enable-eap-md5 \
--enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
--enable-eap-tnc --enable-eap-</span><span class="gmail-hljs-keyword" style="box-sizing:border-box;color:rgb(170,13,145);font-family:Consolas,Monaco,"Andale Mono",monospace;font-size:16px;white-space:pre">dynamic</span><span style="color:rgb(0,0,0);font-family:Consolas,Monaco,"Andale Mono",monospace;font-size:16px;white-space:pre"> --enable-eap-radius --enable-xauth-eap \
--enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity \
--enable-certexpire --enable-radattr --enable-tools --enable-openssl --disable-gmp --enable-kernel-libipsec</span></div><div><font color="#000000" face="Consolas, Monaco, Andale Mono, monospace"><span style="font-size:16px;white-space:pre"><br></span></font></div>the strongswan.conf configuration modified as :<div><br><div><font color="#000000" face="Consolas, Monaco, Andale Mono, monospace"><div><span style="font-size:16px;white-space:pre">charon {</span></div><div><span style="font-size:16px;white-space:pre"> load_modular = yes</span></div><div><span style="font-size:16px;white-space:pre"> plugins {</span></div><div><span style="font-size:16px;white-space:pre"> include strongswan.d/charon/*.conf</span></div><div><span style="font-size:16px;white-space:pre"> kernel-netlink {</span></div><div><span style="font-size:16px;white-space:pre"> fwmark = !0x4</span></div><div><span style="font-size:16px;white-space:pre"> }</span></div><div><span style="font-size:16px;white-space:pre"> socket-default {</span></div><div><span style="font-size:16px;white-space:pre"> fwmark = 0x4</span></div><div><span style="font-size:16px;white-space:pre"> }</span></div><div><span style="font-size:16px;white-space:pre"> kernel-libipsec {</span></div><div><span style="font-size:16px;white-space:pre"> allow_peer_ts = yes</span></div><div><span style="font-size:16px;white-space:pre"> }</span></div><div><span style="font-size:16px;white-space:pre"> }</span></div><div><span style="font-size:16px;white-space:pre">}</span></div><div><span style="font-size:16px;white-space:pre"><br></span></div></font>I have created ipsec tunnel successfully between my OpenVZ server alpha and beta:</div><div>But the socket connection fails.</div><div>By investigate the problem, I tried tcpdump, found that</div><div>If I ping from alpha to beta</div><div>tcpdump could found </div><div>esp from alpha->beta</div><div>esp from beta->alpha</div><div>but ping timeout</div><div><br></div><div>If I ping from beta to alpha</div><div>tcpdump could found </div><div>esp from beta->alpha</div><div>and ping timeout</div><div><br></div><div>if using tcp, and answer is similar</div><div>alpha->beta</div><div>alpha SYN_SENT</div><div>beta SYN_RECV</div><div><br></div><div>beta->alpha</div><div>beta SYN_SENT</div><div>alpha NULL</div><div><br></div><div>I guess there should be some problem during esp to socket</div><div>anyone could tell me how to detect the problem, or some further information should I give.</div><div><br></div><div>alpha and beta belongs to different OpenVZ supplier, don't know the problem.</div><div>I have reinstalled alpha sometimes, but doesn't work.</div><div><br></div><div>beta:Linux beta 2.6.32-042stab125.5 #1 SMP Tue Oct 17 12:48:22 MSK 2017 x86_64 GNU/Linux</div><div><br></div><div>alpha: Linux alpha 2.6.32-042stab123.3 #1 SMP Fri May 5 12:29:05 MSK 2017 x86_64 GNU/Linux</div><div><br><div><div class="gmail_signature">Regards<br>Quaker</div></div>
</div></div></div>