<div dir="ltr"><div dir="ltr"><div class="gmail_default"><div class="gmail_default">
<div class="gmail_default" style="font-family:tahoma,sans-serif">Thanks a lot Noel. The connection is up and stable. Very helpful. </div>
<div class="gmail_default" style="font-family:tahoma,sans-serif">One more thing, the remote client is able to ping my private IP, but I am unable to ping his private IP address. I have checked and my routes seem OK. What do you suggest?</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div></div>
<div class="gmail_default"><font face="tahoma, sans-serif">Below is my status:</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"><br></font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"><b><i>sudo ipsec statusall</i></b></font></div>
<div class="gmail_default"><font face="tahoma, sans-serif">Status of IKE charon daemon (strongSwan 5.6.3, Linux 4.18.0-1008-gcp, x86_64):</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"> uptime: 28 seconds, since Apr 08 12:14:39 2019</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"> malloc: sbrk 1622016, mmap 0, used 629024, free 992992</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"> loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif">Listening IP addresses:</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"> 10.138.0.4</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif">Connections:</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"> televida: 10.138.0.4...200.**.***.*** IKEv2, dpddelay=30s</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"> televida: local: [35.1**.2**.***] uses pre-shared key authentication</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"> televida: remote: [200.**.***.***] uses pre-shared key authentication</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"> televida: child: 10.138.0.0/20 === 10.28.2.0/24 TUNNEL, dpdaction=clear</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"><br></font></div>
<div class="gmail_default"><font face="tahoma, sans-serif">Security Associations (1 up, 0 connecting):</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"> televida[1]: ESTABLISHED 23 seconds ago, 10.138.0.4[35.1**.2**.***]...200.**.***.***[200.**.***.***]</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"> televida[1]: IKEv2 SPIs: 055627d3eb22222f_i 081a1b696be14ad2_r*, pre-shared key reauthentication in 23 hours</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"> televida[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"> televida{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c5fb101f_i 82900426_o</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"> televida{2}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"> televida{2}: 10.138.0.4/32 === 10.28.2.0/24</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif">kariukims@klick-001:~$ ping 10.28.2.9</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif">PING 10.28.2.9 (10.28.2.9) 56(84) bytes of data.</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif">^C</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif">--- 10.28.2.9 ping statistics ---</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif">3 packets transmitted, 0 received, 100% packet loss, time 56ms</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif"><br></font></div>
<div class="gmail_default"><div class="gmail_default" style="font-family:tahoma,sans-serif">Kind regards,</div><div class="gmail_default" style="font-family:tahoma,sans-serif">Moses K</div></div></div></div></div><br>
<div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Apr 8, 2019 at 3:09 PM MOSES KARIUKI <<a href="mailto:kariukims@gmail.com">kariukims@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">Thanks a lot Noel. The connection is up and stable. Very helpful. </div><div class="gmail_default" style="font-family:tahoma,sans-serif">One more thing, the remote client is able to ping my private IP, but I am unable to ping his private IP address. I have checked and my routes seem OK. What do you suggest?</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Kind regards,</div><div class="gmail_default" style="font-family:tahoma,sans-serif">Moses K</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 4, 2019 at 9:50 PM Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
You configured "rightsourceip=<a href="http://10.10.10.0/24" rel="noreferrer" target="_blank">10.10.10.0/24</a>" but that's supposed to be a site-to-site connection. Use rightsubnet instead.<br>
rightsourceip is for assigning and requesting virtual IPs. The best way for you would be to migrate to swanctl instead.<br>
Its configuration format is a lot clearer.<br>
<br>
Kind regards<br>
<br>
Noel<br>
<br>
Am 02.04.19 um 11:27 schrieb MOSES KARIUKI:<br>
> Dear Tobias,<br>
> <br>
> :) :)<br>
> I read the message. But I can't really interpret what setting is needed to make it work. I have listed my current configuration. I am still finding my way with Linux networking and strongSwan.<br>
> <br>
> Please assist. I will really appreciate it and also offer to assist others.<br>
> <br>
> regards,<br>
> Moses<br>
> <br>
> <br>
> <br>
> On Tue, Apr 2, 2019 at 11:23 AM Tobias Brunner <<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a> <mailto:<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>>> wrote:<br>
> <br>
> Hi Moses,<br>
> <br>
> > Apr 1 20:57:58 klick-001 charon: 11[IKE] expected a virtual IP<br>
> > request, sending FAILED_CP_REQUIRED<br>
> <br>
> I guess reading is hard. Or is that message (that you explicitly marked<br>
> in your email) really that unclear?<br>
> <br>
> Regards,<br>
> Tobias<br>
> <br>
<br>
</blockquote></div>
</blockquote></div>
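<p>The question left open at the top of the thread (the peer can ping 10.138.0.4, but a ping to 10.28.2.9 gets no reply) is one that the <code>ipsec statusall</code> output itself can narrow down. The following is an added example, not code from the list or from the strongSwan project: it parses the status output quoted above (embedded as a constructed, abridged sample with the list's masking of the public addresses kept) and compares the selectors actually negotiated for the CHILD_SA with the <code>child:</code> line of the Connections section, which is where a <code>leftsubnet</code>/<code>rightsubnet</code> pair shows up once <code>rightsourceip</code> is replaced as Noel advised. It then reads the per-direction ESP byte counters. <code>SAMPLE_STATUS</code>, <code>parse_status</code> and <code>diagnose</code> are the example's own names.</p>

```python
"""Read `ipsec statusall` output and explain why a ping might not ride the tunnel.

Added example for the thread above; not code from the strongSwan project or the list.
Assumed names: SAMPLE_STATUS, parse_status, diagnose (all defined here).
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the statusall output quoted in the thread (plugin and malloc lines
# dropped), with the list's masking of the public addresses left untouched. Only the
# traffic selectors and byte counters are parsed, so the masked addresses are never read.
SAMPLE_STATUS = """\
Status of IKE charon daemon (strongSwan 5.6.3, Linux 4.18.0-1008-gcp, x86_64):
  uptime: 28 seconds, since Apr 08 12:14:39 2019
Listening IP addresses:
  10.138.0.4
Connections:
     televida:  10.138.0.4...200.**.***.***  IKEv2, dpddelay=30s
     televida:   local:  [35.1**.2**.***] uses pre-shared key authentication
     televida:   remote: [200.**.***.***] uses pre-shared key authentication
     televida:   child:  10.138.0.0/20 === 10.28.2.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
     televida[1]: ESTABLISHED 23 seconds ago, 10.138.0.4[35.1**.2**.***]...200.**.***.***[200.**.***.***]
     televida[1]: IKEv2 SPIs: 055627d3eb22222f_i 081a1b696be14ad2_r*, pre-shared key reauthentication in 23 hours
     televida[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
     televida{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c5fb101f_i 82900426_o
     televida{2}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
     televida{2}:   10.138.0.4/32 === 10.28.2.0/24
"""

# "conn:   child:  LOCAL === REMOTE ..." in the Connections section: what the config asks for.
CONF_CHILD_RE = re.compile(r"^\s*(?P<conn>[\w-]+):\s+child:\s+(?P<local>\S+) === (?P<remote>\S+)")
# "conn{N}:  ..., X bytes_i, Y bytes_o, ..." on an installed CHILD_SA: per-direction ESP counters.
SA_BYTES_RE = re.compile(r"^\s*(?P<conn>[\w-]+)\{(?P<id>\d+)\}:.*?(?P<bi>\d+) bytes_i, (?P<bo>\d+) bytes_o")
# "conn{N}:   LOCAL === REMOTE": the selectors actually negotiated for that CHILD_SA.
SA_TS_RE = re.compile(r"^\s*(?P<conn>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>\S+)\s*$")


def parse_status(text):
    """Return (configured, installed).

    configured: conn name -> list of (local_ts, remote_ts) from the Connections section.
    installed:  (conn name, CHILD_SA id) -> dict with local_ts, remote_ts, bytes_i, bytes_o.
    """
    configured, installed = {}, {}
    for line in text.splitlines():
        m = CONF_CHILD_RE.match(line)
        if m:
            configured.setdefault(m["conn"], []).append((m["local"], m["remote"]))
            continue
        m = SA_BYTES_RE.match(line)
        if m:
            sa = installed.setdefault((m["conn"], int(m["id"])), {})
            sa["bytes_i"], sa["bytes_o"] = int(m["bi"]), int(m["bo"])
            continue
        m = SA_TS_RE.match(line)
        if m:
            sa = installed.setdefault((m["conn"], int(m["id"])), {})
            sa["local_ts"], sa["remote_ts"] = m["local"], m["remote"]
    return configured, installed


def diagnose(status_text, target_ip, source_ip):
    """Explain, from statusall output alone, why a ping from source_ip to target_ip
    might not be carried by any installed CHILD_SA. Returns a list of findings."""
    configured, installed = parse_status(status_text)
    target, source = ip_address(target_ip), ip_address(source_ip)
    findings = []
    if not installed:
        findings.append("no CHILD_SA installed; there is no tunnel to carry traffic")
    for (conn, sa_id), sa in sorted(installed.items()):
        if "local_ts" not in sa:
            continue
        tag = f"{conn}{{{sa_id}}}"
        local_net = ip_network(sa["local_ts"], strict=False)
        remote_net = ip_network(sa["remote_ts"], strict=False)
        # A packet is only tunnelled when BOTH ends fall inside the negotiated selectors.
        if source not in local_net:
            findings.append(f"{tag}: source {source} is outside local selector {local_net}; "
                            "a ping from that address bypasses the tunnel")
        if target not in remote_net:
            findings.append(f"{tag}: target {target} is outside remote selector {remote_net}; "
                            "packets to it are not handed to this CHILD_SA")
        # The installed selectors may be narrower than what leftsubnet/rightsubnet configured.
        for conf_local, conf_remote in configured.get(conn, []):
            for side, got, want in (("local", local_net, ip_network(conf_local, strict=False)),
                                    ("remote", remote_net, ip_network(conf_remote, strict=False))):
                if got != want and got.subnet_of(want):
                    findings.append(f"{tag}: {side} selector narrowed during negotiation "
                                    f"from {want} to {got}")
        # The byte counters show which direction is actually carrying ESP.
        bi, bo = sa.get("bytes_i", 0), sa.get("bytes_o", 0)
        if bi == 0 and bo == 0:
            findings.append(f"{tag}: no ESP traffic in either direction yet; ping, then re-check the counters")
        elif bo == 0:
            findings.append(f"{tag}: peer traffic arrives ({bi} bytes) but nothing leaves; "
                            "outbound packets are not matching the policy on this side")
        elif bi == 0:
            findings.append(f"{tag}: {bo} bytes left but nothing returned; "
                            "replies are lost on the peer's side or on the path back")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_STATUS, target_ip="10.28.2.9", source_ip="10.138.0.4"):
        print(finding)
```

<p>On the sample above it reports two things: the local selector was narrowed from the configured 10.138.0.0/20 to 10.138.0.4/32 (so only packets sourced from 10.138.0.4 itself are tunnelled, which the ping in the thread satisfies), and both counters were still zero when the status was taken. The next step is to ping and run it again: if <code>bytes_o</code> stays at 0 the echo requests never entered the tunnel on this side, and if <code>bytes_o</code> grows while <code>bytes_i</code> stays at 0 the requests left but the replies are being dropped before they come back, which points at the peer's policy or firewall rather than at local routes.</p>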