<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Menlo;
        panose-1:2 11 6 9 3 8 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
span.StileMessaggioDiPostaElettronica17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
p.p1, li.p1, div.p1
        {mso-style-name:p1;
        margin:0cm;
        margin-bottom:.0001pt;
        background:#224FBC;
        font-size:8.5pt;
        font-family:Menlo;
        color:white;}
span.apple-tab-span
        {mso-style-name:apple-tab-span;}
span.s1
        {mso-style-name:s1;}
p.p2, li.p2, div.p2
        {mso-style-name:p2;
        margin:0cm;
        margin-bottom:.0001pt;
        background:#224FBC;
        font-size:8.5pt;
        font-family:Menlo;
        color:white;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.s2
        {mso-style-name:s2;
        color:#FD9742;}
span.s3
        {mso-style-name:s3;
        color:#610001;}
span.s4
        {mso-style-name:s4;
        color:#610001;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 2.0cm 2.0cm 2.0cm;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="IT" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Hello, I have a problem with an s2s VPN between StrongSwan and Cisco ASA.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Site A is the one with StrongSwan server and Site B is the one with ASA.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Site A is Ubuntu 19.10<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The IPsec tunnel comes up and stays up nicely.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Site A internal network is 10.0.1.0/24 – external network is 10.0.0.0/24 and the gateway router NATs with the YYY.YYY.YYY.YYY address.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Site B internal network is 192.168.0.0/23<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">This ping works:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">192.168.1.XXX -&gt; 10.0.1.YYYY<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">This ping does not work:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">10.0.1.YYYY -&gt; 192.168.1.XXX<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">If I try a traceroute from 10.0.1 to 192.168.1, it seems that the packets are routed through the internet connection and not through the tunnel.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">These are configuration and system status of StrongSwan server.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">==== sysctl.conf ====<o:p></o:p></span></p>
<p class="MsoNormal" style="background:#224FBC"><span style="font-size:8.5pt;font-family:Menlo;color:#56DBE9;mso-fareast-language:IT">net.ipv4.ip_forward</span><span style="font-size:8.5pt;font-family:Menlo;color:#FD9742;mso-fareast-language:IT">=</span><span style="font-size:8.5pt;font-family:Menlo;color:#610001;mso-fareast-language:IT">1</span><span style="font-size:8.5pt;font-family:Menlo;color:#56DBE9;mso-fareast-language:IT"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:#224FBC"><span style="font-size:8.5pt;font-family:Menlo;color:#56DBE9;mso-fareast-language:IT">net.ipv4.conf.all.accept_redirects
</span><span style="font-size:8.5pt;font-family:Menlo;color:#FD9742;mso-fareast-language:IT">=</span><span style="font-size:8.5pt;font-family:Menlo;color:white;mso-fareast-language:IT">
</span><span style="font-size:8.5pt;font-family:Menlo;color:#610001;mso-fareast-language:IT">0</span><span style="font-size:8.5pt;font-family:Menlo;color:#56DBE9;mso-fareast-language:IT"><o:p></o:p></span></p>
<p class="MsoNormal" style="background:#224FBC"><span style="font-size:8.5pt;font-family:Menlo;color:#56DBE9;mso-fareast-language:IT">net.ipv4.conf.all.send_redirects
</span><span style="font-size:8.5pt;font-family:Menlo;color:#FD9742;mso-fareast-language:IT">=</span><span style="font-size:8.5pt;font-family:Menlo;color:white;mso-fareast-language:IT">
</span><span style="font-size:8.5pt;font-family:Menlo;color:#610001;mso-fareast-language:IT">0</span><span style="font-size:8.5pt;font-family:Menlo;color:#56DBE9;mso-fareast-language:IT"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">==== strongswan.conf ====<o:p></o:p></span></p>
<p class="p1"><span class="s1">charon {</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">load_modular = yes</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">#install_routes = no</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">plugins {</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">             </span><span class="s1">include strongswan.d/charon/*.conf</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">}</span><o:p></o:p></p>
<p class="p1"><span class="s1">}</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">==== ipsec.conf ====<o:p></o:p></span></p>
<p class="p1"><span class="s1">config setup</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">#charondebug="all 2"</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">charondebug="cfg 2"</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">uniqueids=yes</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">strictcrlpolicy=no</span><o:p></o:p></p>
<p class="p2"><o:p> </o:p></p>
<p class="p1"><span class="s1">conn %default</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">ikelifetime=1440m</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">keylife=60m</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">rekeymargin=3m</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">keyingtries=1</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">keyexchange=ikev1</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">        </span><span class="s1">authby=secret</span><o:p></o:p></p>
<p class="p2"><o:p> </o:p></p>
<p class="p1"><span class="s1">conn spc-to-varazze</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">left=10.0.0.100</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">#leftfirewall=yes</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">leftsubnet=10.0.1.0/24</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">right=XXX.XXX.XXX.XXX</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">rightsubnet=192.168.0.0/23</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">auto=start</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">   </span><span class="apple-tab-span">   
</span><span class="s1">ike=aes256-sha1-modp1024</span><o:p></o:p></p>
<p class="p1"><span class="apple-converted-space">   </span><span class="apple-tab-span">   
</span><span class="s1">esp=aes256-sha1-modp1024</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">==== xfrm status ====<o:p></o:p></span></p>
<p class="p1"><span class="s1">root@router:/etc# ip -s xfrm state</span><o:p></o:p></p>
<p class="p1"><span class="s1">src 10.0.0.100 dst XXX.XXX.XXX.XXX</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">proto esp spi 0x6a05615e(1778737502) reqid 1(0x00000001) mode tunnel</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">auth-trunc hmac(sha1) 0x687fd2cdd4dcf0bf14ef6c1655fb04af70010257 (160 bits) 96</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">enc cbc(aes) 0x270e6c31e071a3771eb0508e1805fd0e (128 bits)</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">anti-replay context: seq 0x0, oseq 0x529, bitmap 0x00000000</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">lifetime config:</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="apple-converted-space"> 
</span><span class="s1">limit: soft (INF)(bytes), hard (INF)(bytes)</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="apple-converted-space"> 
</span><span class="s1">limit: soft (INF)(packets), hard (INF)(packets)</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="apple-converted-space"> 
</span><span class="s1">expire add: soft 3414(sec), hard 3600(sec)</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="apple-converted-space"> 
</span><span class="s1">expire use: soft 0(sec), hard 0(sec)</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">lifetime current:</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="apple-converted-space"> 
</span><span class="s1">79260(bytes), 1321(packets)</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="apple-converted-space"> 
</span><span class="s1">add 2019-10-30 22:15:10 use 2019-10-30 22:15:15</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">stats:</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="apple-converted-space"> 
</span><span class="s1">replay-window 0 replay 0 failed 0</span><o:p></o:p></p>
<p class="p1"><span class="s1">src XXX.XXX.XXX.XXX dst 10.0.0.100</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">proto esp spi 0xcf6665c0(3479594432) reqid 1(0x00000001) mode tunnel</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">auth-trunc hmac(sha1) 0xa9c698de75653b442199eed162b8f653bbe159ca (160 bits) 96</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">enc cbc(aes) 0xfd9ef251dcaff2853e89cac211b53d19 (128 bits)</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">anti-replay context: seq 0x529, oseq 0x0, bitmap 0xffffffff</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">lifetime config:</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="apple-converted-space"> 
</span><span class="s1">limit: soft (INF)(bytes), hard (INF)(bytes)</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="apple-converted-space"> 
</span><span class="s1">limit: soft (INF)(packets), hard (INF)(packets)</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="apple-converted-space"> 
</span><span class="s1">expire add: soft 3407(sec), hard 3600(sec)</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="apple-converted-space"> 
</span><span class="s1">expire use: soft 0(sec), hard 0(sec)</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">lifetime current:</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="apple-converted-space"> 
</span><span class="s1">79260(bytes), 1321(packets)</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="apple-converted-space"> 
</span><span class="s1">add 2019-10-30 22:15:10 use 2019-10-30 22:15:15</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="s1">stats:</span><o:p></o:p></p>
<p class="p1"><span class="apple-tab-span">       </span><span class="apple-converted-space"> 
</span><span class="s1">replay-window 0 replay 0 failed 0</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">==== iptables and ufw status ====<o:p></o:p></span></p>
<p class="p1"><span class="s1">root@router:/etc# iptables -L</span><o:p></o:p></p>
<p class="p1"><span class="s1">Chain INPUT (policy ACCEPT)</span><o:p></o:p></p>
<p class="p1"><span class="s1">target </span><span class="apple-converted-space">   
</span><span class="s1">prot opt source </span><span class="apple-converted-space">             
</span><span class="s1">destination</span><span class="apple-converted-space">         </span><o:p></o:p></p>
<p class="p1"><span class="s1">ACCEPT </span><span class="apple-converted-space">   
</span><span class="s1">all</span><span class="apple-converted-space">  </span><span class="s1">--</span><span class="apple-converted-space"> 
</span><span class="s1">anywhere </span><span class="apple-converted-space">           
</span><span class="s1">anywhere </span><span class="apple-converted-space">           </span><o:p></o:p></p>
<p class="p1"><span class="s1">ACCEPT </span><span class="apple-converted-space">   
</span><span class="s1">all</span><span class="apple-converted-space">  </span><span class="s1">--</span><span class="apple-converted-space"> 
</span><span class="s1">anywhere </span><span class="apple-converted-space">           
</span><span class="s1">anywhere </span><span class="apple-converted-space">           </span><o:p></o:p></p>
<p class="p1"><span class="s1">ACCEPT </span><span class="apple-converted-space">   
</span><span class="s1">all</span><span class="apple-converted-space">  </span><span class="s1">--</span><span class="apple-converted-space"> 
</span><span class="s1">anywhere </span><span class="apple-converted-space">           
</span><span class="s1">anywhere </span><span class="apple-converted-space">           
</span><span class="s1">ctstate RELATED,ESTABLISHED</span><o:p></o:p></p>
<p class="p2"><o:p> </o:p></p>
<p class="p1"><span class="s1">Chain FORWARD (policy ACCEPT)</span><o:p></o:p></p>
<p class="p1"><span class="s1">target </span><span class="apple-converted-space">   
</span><span class="s1">prot opt source </span><span class="apple-converted-space">             
</span><span class="s1">destination</span><span class="apple-converted-space">         </span><o:p></o:p></p>
<p class="p1"><span class="s1">ACCEPT </span><span class="apple-converted-space">   
</span><span class="s1">all</span><span class="apple-converted-space">  </span><span class="s1">--</span><span class="apple-converted-space"> 
</span><span class="s1">anywhere </span><span class="apple-converted-space">           
</span><span class="s1">anywhere </span><span class="apple-converted-space">           </span><o:p></o:p></p>
<p class="p1"><span class="s1">ACCEPT </span><span class="apple-converted-space">   
</span><span class="s1">all</span><span class="apple-converted-space">  </span><span class="s1">--</span><span class="apple-converted-space"> 
</span><span class="s1">anywhere </span><span class="apple-converted-space">           
</span><span class="s1">anywhere </span><span class="apple-converted-space">           
</span><span class="s1">ctstate RELATED,ESTABLISHED</span><o:p></o:p></p>
<p class="p2"><o:p> </o:p></p>
<p class="p1"><span class="s1">Chain OUTPUT (policy ACCEPT)</span><o:p></o:p></p>
<p class="p1"><span class="s1">target </span><span class="apple-converted-space">   
</span><span class="s1">prot opt source </span><span class="apple-converted-space">             
</span><span class="s1">destination</span><span class="apple-converted-space">         </span><o:p></o:p></p>
<p class="p1"><span class="s1">root@router:/etc# ufw status</span><o:p></o:p></p>
<p class="p1"><span class="s1">Status: inactive</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I’ve done a lot of searches, but none of the answers I found was useful.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Any help/suggestion will be welcome.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">RB<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
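<p class="MsoNormal"><span style="font-size:11.0pt">The symptom above (tunnel up, yet 10.0.1.x to 192.168.x leaves over the internet) is decided by the kernel's XFRM policy lookup: a packet is only encrypted if an "out" policy whose selectors cover its source and destination exists, otherwise it follows the plain routing table. The post shows the SAs (ip xfrm state) but not the policies (ip xfrm policy). The following script is an added example, not part of the original message: it parses the text format of ip xfrm policy and reports which policy, if any, a given src/dst pair would hit. The sample output embedded in it is constructed to match the ipsec.conf in the post (reqid 1, left=10.0.0.100, leftsubnet=10.0.1.0/24, rightsubnet=192.168.0.0/23; the remote address is kept as the XXX.XXX.XXX.XXX placeholder); real output carries different priority values and extra "socket" bypass entries, which the parser skips.<o:p></o:p></span></p>

```python
"""Added example: which Linux XFRM (IPsec) policy would a packet hit?

Parses the output of `ip xfrm policy` and answers, for a src/dst pair,
whether an "out" policy catches the packet (so it is ESP-encapsulated)
or no policy matches (so it leaves in clear via ordinary routing).
"""
import ipaddress
import re

# Constructed sample; not copied from the post. The remote gateway is kept
# as the XXX.XXX.XXX.XXX placeholder used in the original message.
SAMPLE_XFRM_POLICY = """\
src 10.0.1.0/24 dst 192.168.0.0/23
\tdir out priority 375423 ptype main
\ttmpl src 10.0.0.100 dst XXX.XXX.XXX.XXX
\t\tproto esp reqid 1 mode tunnel
src 192.168.0.0/23 dst 10.0.1.0/24
\tdir fwd priority 375423 ptype main
\ttmpl src XXX.XXX.XXX.XXX dst 10.0.0.100
\t\tproto esp reqid 1 mode tunnel
src 192.168.0.0/23 dst 10.0.1.0/24
\tdir in priority 375423 ptype main
\ttmpl src XXX.XXX.XXX.XXX dst 10.0.0.100
\t\tproto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket in priority 0 ptype main
"""

HEADER_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^(dir|socket) (\w+) priority (\d+)")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)")
PROTO_RE = re.compile(r"^proto (\w+)(?: spi \S+)? reqid (\d+) mode (\w+)")


def parse_xfrm_policy(text):
    """Turn `ip xfrm policy` text into a list of policy dicts."""
    policies = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:  # a new policy block starts with its selectors
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "kind": None, "dir": None, "priority": None, "tmpl": []}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:  # "dir out|in|fwd" is a real policy; "socket" entries are bypasses
            cur["kind"], cur["dir"], cur["priority"] = m.group(1), m.group(2), int(m.group(3))
            continue
        m = TMPL_RE.match(line)
        if m:  # the SA template: tunnel endpoints this policy steers traffic into
            cur["tmpl"].append({"src": m.group(1), "dst": m.group(2)})
            continue
        m = PROTO_RE.match(line)
        if m and cur["tmpl"]:
            cur["tmpl"][-1].update(proto=m.group(1), reqid=int(m.group(2)), mode=m.group(3))
    return policies


def lookup_policy(policies, src, dst, direction="out"):
    """Return the policy catching a packet src->dst in `direction`, or None.

    The kernel picks the matching policy with the lowest priority value;
    a mismatching address family simply never matches (ipaddress returns False).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["kind"] == "dir" and p["dir"] == direction
            and src_ip in p["src"] and dst_ip in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None


def explain(policies, src, dst):
    """One-line verdict for an outbound packet seen on the strongSwan host."""
    p = lookup_policy(policies, src, dst, "out")
    if p is None:
        return f"{src} -> {dst}: no 'out' policy; leaves in clear via normal routing"
    t = p["tmpl"][0]
    return (f"{src} -> {dst}: matches out policy {p['src']} -> {p['dst']} "
            f"(reqid {t['reqid']}, {t['mode']} to {t['dst']}); goes through the tunnel")


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    print(explain(pols, "10.0.1.50", "192.168.1.20"))   # inside leftsubnet: tunnelled
    print(explain(pols, "10.0.0.100", "192.168.1.20"))  # the gateway itself: not covered
    print(explain(pols, "10.0.1.50", "8.8.8.8"))        # not a tunnel destination
```

<p class="MsoNormal"><span style="font-size:11.0pt">To use it on the real box, paste the output of ip xfrm policy in place of the constructed sample and query the exact addresses of the failing ping. Two caveats worth checking in this setup: the selectors are compared against the source address as it is after the NAT table has run, so if the router also masquerades toward the internet, run the lookup with the post-NAT source as well (iptables -L shows only the filter table; iptables -t nat -L shows the NAT rules). And a packet originating on the gateway itself (10.0.0.100 is outside leftsubnet) is not covered by the policy above at all, so a test ping from the router is not a valid check of the tunnel.<o:p></o:p></span></p>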
</div>
</body>
</html>