<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">Hello Noel,</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Please see below as requested and advise. Thank you in advance.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Apr 12, 2019 at 10:47 AM MOSES KARIUKI <<a href="mailto:kariukims@gmail.com">kariukims@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div style="font-family:tahoma,sans-serif">Thanks <span class="gmail_default" style="font-family:tahoma,sans-serif">Noel </span>as always.</div><div style="font-family:tahoma,sans-serif"><br></div><div style="font-family:tahoma,sans-serif"><pre>
# Generated by iptables-save v1.6.1 on Fri Apr 12 06:50:35 2019
*mangle
:PREROUTING ACCEPT [97346:21879529]
:INPUT ACCEPT [97344:21878509]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [91143:10601255]
:POSTROUTING ACCEPT [91143:10601255]
-A FORWARD -s 10.28.2.0/24 -o ens4 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Fri Apr 12 06:50:35 2019
# Generated by iptables-save v1.6.1 on Fri Apr 12 06:50:35 2019
*nat
:PREROUTING ACCEPT [1357:77518]
:INPUT ACCEPT [1079:64346]
:OUTPUT ACCEPT [8044:522059]
:POSTROUTING ACCEPT [8044:522059]
-A POSTROUTING -s 10.28.2.0/24 -o ens4 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.28.2.0/24 -o ens4 -j MASQUERADE
COMMIT
# Completed on Fri Apr 12 06:50:35 2019
# Generated by iptables-save v1.6.1 on Fri Apr 12 06:50:35 2019
*filter
:INPUT DROP [2:104]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -s 10.28.2.0/24 -d 10.138.0.4/32 -i ens4 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -s 10.138.0.4/32 -d 10.28.2.0/24 -o ens4 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -s 10.28.2.0/24 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A ufw-before-forward -d 10.28.2.0/24 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 500,4500 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_OpenSSH\'" -j ACCEPT
-A ufw-user-input -s 200.1*.1*3.*/32 -j ACCEPT
-A ufw-user-input -s 200.1*.1*3.*/32 -p esp -j ACCEPT
-A ufw-user-input -s 200.1*.1*3.*/32 -p ah -j ACCEPT
-A ufw-user-input -s 200.1*.1*3.*/32 -p gre -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Fri Apr 12 06:50:35 2019
</pre><div><br></div><div>Thanks sir. </div><div><br></div><div>Regards,</div><div>Moses K</div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 11, 2019 at 7:36 PM Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
Provide your nat rules in iptables/nftables (whatever you're using) or provide the complete rule set, as shown with `iptables-save`.<br>
<br>
Am 11.04.19 um 09:04 schrieb MOSES KARIUKI:<br>
> Hello Noel, Team,<br>
> <br>
> Any kind souls out there?<br>
> Please assist with the below question.<br>
> <br>
> <br>
> On Mon, Apr 8, 2019 at 3:22 PM MOSES KARIUKI <<a href="mailto:kariukims@gmail.com" target="_blank">kariukims@gmail.com</a>> wrote:<br>
> <br>
> Thanks a lot, Noel. The connection is up and stable. Very helpful. <br>
> One more thing: the remote client is able to ping my private IP, but I am unable to ping his private IP address. I have checked and my routes seem OK. What do you suggest?<br>
> <br>
> Below is my status:<br>
> <br>
> <b><i>sudo ipsec statusall</i></b><br>
> Status of IKE charon daemon (strongSwan 5.6.3, Linux 4.18.0-1008-gcp, x86_64):<br>
> uptime: 28 seconds, since Apr 08 12:14:39 2019<br>
> malloc: sbrk 1622016, mmap 0, used 629024, free 992992<br>
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5<br>
> loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters<br>
> Listening IP addresses:<br>
> 10.138.0.4<br>
> Connections:<br>
> televida: 10.138.0.4...200.**.***.*** IKEv2, dpddelay=30s<br>
> televida: local: [35.1**.2**.***] uses pre-shared key authentication<br>
> televida: remote: [200.**.***.***] uses pre-shared key authentication<br>
> televida: child: 10.138.0.0/20 === 10.28.2.0/24 TUNNEL, dpdaction=clear<br>
> <br>
> Security Associations (1 up, 0 connecting):<br>
> televida[1]: ESTABLISHED 23 seconds ago, 10.138.0.4[35.1**.2**.***]...200.**.***.***[200.**.***.***]<br>
> televida[1]: IKEv2 SPIs: 055627d3eb22222f_i 081a1b696be14ad2_r*, pre-shared key reauthentication in 23 hours<br>
> televida[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521<br>
> televida{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c5fb101f_i 82900426_o<br>
> televida{2}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes<br>
> televida{2}: 10.138.0.4/32 === 10.28.2.0/24<br>
> kariukims@klick-001:~$ ping 10.28.2.9<br>
> PING 10.28.2.9 (10.28.2.9) 56(84) bytes of data.<br>
> ^C<br>
> --- 10.28.2.9 ping statistics ---<br>
> 3 packets transmitted, 0 received, 100% packet loss, time 56ms<br>
> <br>
> <br>
> Kind regards,<br>
> Moses K<br>
> <br>
> On Mon, Apr 8, 2019 at 3:09 PM MOSES KARIUKI <<a href="mailto:kariukims@gmail.com" target="_blank">kariukims@gmail.com</a>> wrote:<br>
> <br>
> Thanks a lot, Noel. The connection is up and stable. Very helpful. <br>
> One more thing: the remote client is able to ping my private IP, but I am unable to ping his private IP address. I have checked and my routes seem OK. What do you suggest?<br>
> <br>
> Kind regards,<br>
> Moses K<br>
> <br>
> <br>
> On Thu, Apr 4, 2019 at 9:50 PM Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:<br>
> <br>
> Hi,<br>
> <br>
> You configured "rightsourceip=10.10.10.0/24" but that's supposed to be a site-to-site connection. Use rightsubnet instead.<br>
> rightsourceip is for assigning and requesting virtual IPs. The best way for you would be to migrate to swanctl instead.<br>
> Its configuration format is a lot clearer.<br>
> <br>
> Kind regards<br>
> <br>
> Noel<br>
> <br>
> Am 02.04.19 um 11:27 schrieb MOSES KARIUKI:<br>
> > Dear Tobias,<br>
> ><br>
> > :) :)<br>
> > I read the message. But I can't really interpret what setting is needed to make it work. I have listed my current configuration. I am still finding my way with Linux networking and Strongswan.<br>
> ><br>
> > Please assist. I will really appreciate it and also offer to assist others.<br>
> ><br>
> > regards,<br>
> > Moses<br>
> ><br>
> ><br>
> ><br>
> > On Tue, Apr 2, 2019 at 11:23 AM Tobias Brunner <<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>> wrote:<br>
> ><br>
> > Hi Moses,<br>
> ><br>
> > > Apr 1 20:57:58 klick-001 charon: 11[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED<br>
> ><br>
> > I guess reading is hard. Or is that message (that you explicitly marked<br>
> > in your email) really that unclear?<br>
> ><br>
> > Regards,<br>
> > Tobias<br>
> ><br>
> <br>
<br>
</blockquote></div>
</blockquote></div></div>
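<p>Added example, not part of the thread and not strongSwan project code: the site-to-site connection from the <code>ipsec statusall</code> output above written as a swanctl.conf, which is the migration Noel recommends. The connection name, traffic selectors, proposals, DPD settings and PSK authentication are taken from the status output. The two public addresses are masked on the page, so the documentation placeholders 203.0.113.10 (this host's IKE identity) and 198.51.100.20 (the remote gateway) stand in for them, and the pre-shared key is a placeholder. The commented-out <code>pools</code> line is the swanctl counterpart of the <code>rightsourceip</code> setting that caused the "expected a virtual IP request, sending FAILED_CP_REQUIRED" message: a pool hands virtual IPs to clients that ask for one, while <code>remote_ts</code> is the traffic selector for the remote site's subnet.</p>

```conf
# /etc/swanctl/conf.d/televida.conf
# Added example for this thread. 203.0.113.10, 198.51.100.20 and the secret
# are placeholders: the real public addresses are masked in the status output.
connections {
    televida {
        version      = 2
        local_addrs  = 10.138.0.4        # the only address the instance listens on
        remote_addrs = 198.51.100.20     # remote gateway (placeholder)
        proposals    = aes256-sha256-ecp521   # AES_CBC_256/HMAC_SHA2_256_128/.../ECP_521
        dpd_delay    = 30s

        local {
            auth = psk
            id   = 203.0.113.10          # public IP used as the IKE identity (placeholder)
        }
        remote {
            auth = psk
            id   = 198.51.100.20
        }

        # Wrong for site-to-site: a pool assigns virtual IPs to peers that send a
        # configuration-payload request; a peer that does not gets FAILED_CP_REQUIRED.
        # pools = televida_pool

        children {
            televida {
                local_ts      = 10.138.0.0/20   # leftsubnet
                remote_ts     = 10.28.2.0/24    # rightsubnet, not rightsourceip
                esp_proposals = aes256-sha256   # AES_CBC_256/HMAC_SHA2_256_128
                dpd_action    = clear
                start_action  = start
            }
        }
    }
}

secrets {
    ike-televida {
        id-1   = 203.0.113.10
        id-2   = 198.51.100.20
        secret = "replace-with-the-real-pre-shared-key"   # placeholder
    }
}
```

<p>Load it with <code>swanctl --load-all</code>, bring the child up with <code>swanctl --initiate --child televida</code>, and confirm the selectors with <code>swanctl --list-sas</code>; the child should show 10.138.0.0/20 === 10.28.2.0/24 (or whatever the peer narrows it to) rather than a virtual IP.</p>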
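<p>Added example, not from the thread: a small audit of iptables-save output for the check behind Noel's request to see the NAT rules. When a host masquerades its outgoing traffic, any MASQUERADE or SNAT rule in nat/POSTROUTING has to be preceded by an <code>-m policy --dir out --pol ipsec -j ACCEPT</code> exemption that covers the same source; otherwise the source address is rewritten first, the packet no longer matches the IPsec policy's traffic selector, and it leaves the host outside the tunnel. The script parses the <code>*nat</code> table in the format iptables-save prints (only <code>-s</code>, <code>-o</code>, <code>-j</code>, <code>--pol</code> and <code>--dir</code> are interpreted; negated matches are not handled) and reports each SNAT/MASQUERADE rule without such an exemption. The first sample is the nat table posted above, which passes; the second is a constructed variant with the exemption placed after the MASQUERADE rule, which fails. One observation the check cannot make for you: both posted rules select <code>-s 10.28.2.0/24</code>, the remote subnet, so they only touch traffic this host forwards on behalf of the remote side; a ping generated locally from 10.138.0.4 matches neither rule.</p>

```python
"""Audit an iptables-save dump for the IPsec NAT-exemption rule.

Added example for this thread, not strongSwan project code. It understands only
the iptables-save syntax shown on the page: '*table', ':chain policy [pkts:bytes]',
'-A chain <matches> -j TARGET' and 'COMMIT'.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    table: str
    chain: str
    src: Optional[str]        # value of -s, if present
    out_if: Optional[str]     # value of -o, if present
    ipsec_dir: Optional[str]  # 'in' or 'out' when '-m policy --pol ipsec' is present
    target: Optional[str]     # value of -j, if present
    raw: str


def parse_iptables_save(text: str) -> List[Rule]:
    """Return the '-A' rules of an iptables-save dump, tagged with their table."""
    rules: List[Rule] = []
    table = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        src = out_if = target = pol = pol_dir = None
        i = 2
        while i < len(toks):
            t = toks[i]
            if t in ("-s", "-o", "-j", "--pol", "--dir") and i + 1 < len(toks):
                val = toks[i + 1]
                if t == "-s":
                    src = val
                elif t == "-o":
                    out_if = val
                elif t == "-j":
                    target = val
                elif t == "--pol":
                    pol = val
                else:
                    pol_dir = val
                i += 2
            else:
                i += 1          # other matches (-p, -m, --reqid, ...) are not needed here
        rules.append(Rule(table, toks[1], src, out_if,
                          pol_dir if pol == "ipsec" else None, target, line))
    return rules


def _covers(exempt: Rule, nat_rule: Rule) -> bool:
    """True if the exemption's -s/-o selectors include everything the NAT rule selects."""
    if exempt.out_if is not None and exempt.out_if != nat_rule.out_if:
        return False
    if exempt.src is None:
        return True             # exemption applies to every source
    if nat_rule.src is None:
        return False            # NAT rule matches all sources, exemption only some
    return ipaddress.ip_network(nat_rule.src, strict=False).subnet_of(
        ipaddress.ip_network(exempt.src, strict=False))


def audit_nat_exemption(text: str) -> List[str]:
    """Report SNAT/MASQUERADE rules in nat/POSTROUTING with no earlier IPsec bypass."""
    findings: List[str] = []
    exemptions: List[Rule] = []
    for r in parse_iptables_save(text):
        if r.table != "nat" or r.chain != "POSTROUTING":
            continue
        if r.ipsec_dir == "out" and r.target == "ACCEPT":
            exemptions.append(r)    # rule order matters: only earlier rules protect later ones
        elif r.target in ("MASQUERADE", "SNAT") and not any(_covers(e, r) for e in exemptions):
            findings.append(f"{r.target} without a preceding IPsec bypass: {r.raw}")
    return findings


# Sample 1: the nat table posted in the thread (passes the check).
POSTED_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [1357:77518]
:INPUT ACCEPT [1079:64346]
:OUTPUT ACCEPT [8044:522059]
:POSTROUTING ACCEPT [8044:522059]
-A POSTROUTING -s 10.28.2.0/24 -o ens4 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.28.2.0/24 -o ens4 -j MASQUERADE
COMMIT
"""

# Sample 2: constructed variant, the exemption comes after the MASQUERADE rule and never fires.
BROKEN_NAT_TABLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.138.0.0/20 -o ens4 -j MASQUERADE
-A POSTROUTING -s 10.138.0.0/20 -o ens4 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("posted", POSTED_NAT_TABLE), ("broken", BROKEN_NAT_TABLE)):
        found = audit_nat_exemption(dump)
        print(name, "OK" if not found else found)
```

<p>On a live host, feed it the real dump: <code>sudo iptables-save | python3 audit.py</code> is the obvious extension, reading <code>sys.stdin</code> instead of the embedded samples. The exemption check is deliberately strict about order and scope, because an exemption that is narrower than the NAT rule (say <code>-s 10.138.0.4/32</code> in front of a <code>-s 10.138.0.0/20</code> MASQUERADE) leaves the rest of the subnet exposed just as surely as a missing one.</p>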