<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi,</p>
<p>I solved this with mobike= no. <br>
</p>
<p>Best regards,<br>
Valeri<br>
</p>
<div class="moz-cite-prefix">Am 25.11.19 um 07:38 schrieb Valeri
Geiser:<br>
</div>
<blockquote type="cite"
cite="mid:5bdeea18-d96b-50a5-acf4-12882d4e1ff0@km-logistik-service.de">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>Hi,</p>
<p>I am new to strongswan and I just had to setup a connection to
a Lancom router. So far, I worked through the documentation and
the ikev2 tunnel gets established and policy-based routing
installed. <br>
</p>
<p>Now I am trying to ping the vpn gateway using the internal
network address. I can see the packet leaving in tcpdump, I can
see in the Lancom traces the receipt and response created (to
correct virtual address using correct tunnel) and I can see in
tcpdump on the client also that a package comes back. However,
ping says it did not get anything. This is the same also when I
shut down the firewall and set everything to accept, so it
should not be a firewall issue.<br>
</p>
<p>Here is my swanctl.conf<br>
<tt>connections {</tt><tt><br>
</tt><tt> home {</tt><tt><br>
</tt><tt> version = 2</tt><tt><br>
</tt><tt> local_addrs = A.A.A.A (external IP of client, no
NAT involved)</tt><tt><br>
</tt><tt> remote_addrs = B.B.B.B</tt><tt> (external IP of
lancom, no NAT involved)<br>
</tt><tt><br>
</tt><tt> local {</tt><tt><br>
</tt><tt> auth = psk</tt><tt><br>
</tt><tt> id = <a class="moz-txt-link-abbreviated"
href="mailto:clst01@km-logistik-service.de"
moz-do-not-send="true">clst01@km-logistik-service.de</a></tt><tt><br>
</tt><tt> }</tt><tt><br>
</tt><tt> remote {</tt><tt><br>
</tt><tt> auth = psk</tt><tt><br>
</tt><tt> id = B.B.B.B</tt><tt><br>
</tt><tt> }</tt><tt><br>
</tt><tt> children {</tt><tt><br>
</tt><tt> home {</tt><tt><br>
</tt><tt> remote_ts = 10.131.208.0/24,10.166.47.8/29</tt><tt><br>
</tt><tt><br>
</tt><tt> updown = /usr/lib/ipsec/_updown iptables</tt><tt><br>
</tt><tt> }</tt><tt><br>
</tt><tt> } <br>
</tt></p>
<p><tt> vips = 0.0.0.0</tt><tt><br>
</tt><tt> }</tt><tt><br>
</tt><tt>}</tt><tt><br>
</tt><tt><br>
</tt><tt>secrets {</tt><tt><br>
</tt><tt> ike {</tt><tt><br>
</tt><tt> secret = *****</tt><tt><br>
</tt><tt> id = </tt><tt>B.B.B.B</tt><tt><br>
</tt><tt> }</tt><tt><br>
</tt><tt>}</tt></p>
<p>Here is connection start with swanctl<br>
<tt>swanctl --initiate --child home</tt><tt><br>
</tt><tt>[IKE] initiating IKE_SA home[1] to B.B.B.B</tt><tt><br>
</tt><tt>[ENC] generating IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP)
]</tt><tt><br>
</tt><tt>[NET] sending packet: from A.A.A.A[500] to B.B.B.B[500]
(760 bytes)</tt><tt><br>
</tt><tt>[NET] received packet: from B.B.B.B[500] to [500] (38
bytes)</tt><tt><br>
</tt><tt>[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]</tt><tt><br>
</tt><tt>[IKE] peer didn't accept DH group ECP_256, it requested
MODP_2048</tt><tt><br>
</tt><tt>[IKE] initiating IKE_SA home[1] to B.B.B.B</tt><tt><br>
</tt><tt>[ENC] generating IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP)
]</tt><tt><br>
</tt><tt>[NET] sending packet: from A.A.A.A[500] to B.B.B.B[500]
(952 bytes)</tt><tt><br>
</tt><tt>[NET] received packet: from B.B.B.B[500] to
A.A.A.A[500] (464 bytes)</tt><tt><br>
</tt><tt>[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]</tt><tt><br>
</tt><tt>[ENC] received unknown vendor ID:
81:75:2e:b5:91:4d:73:5c:df:cd:c8:58:c3:a8:ed:7c:1c:66:d1:42</tt><tt><br>
</tt><tt>[CFG] selected proposal:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048</tt><tt><br>
</tt><tt>[IKE] authentication of '<a
class="moz-txt-link-abbreviated"
href="mailto:clst01@km-logistik-service.de"
moz-do-not-send="true">clst01@km-logistik-service.de</a>'
(myself) with pre-shared key</tt><tt><br>
</tt><tt>[IKE] establishing CHILD_SA home{1}</tt><tt><br>
</tt><tt>[ENC] generating IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr
N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]</tt><tt><br>
</tt><tt>[NET] sending packet: from A.A.A.A[4500] to
B.B.B.B[4500] (384 bytes)</tt><tt><br>
</tt><tt>[NET] received packet: from B.B.B.B[4500] to
A.A.A.A[4500] (256 bytes)</tt><tt><br>
</tt><tt>[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(DNS
ADDR) TSi TSr N(INIT_CONTACT) SA ]</tt><tt><br>
</tt><tt>[IKE] authentication of 'B.B.B.B' with pre-shared key
successful</tt><tt><br>
</tt><tt>[IKE] IKE_SA home[1] established between A.A.A.A[<a
class="moz-txt-link-abbreviated"
href="mailto:clst01@km-logistik-service.de"
moz-do-not-send="true">clst01@km-logistik-service.de</a>]...B.B.B.B[B.B.B.B]</tt><tt><br>
</tt><tt>[IKE] scheduling rekeying in 14018s</tt><tt><br>
</tt><tt>[IKE] maximum IKE_SA lifetime 15458s</tt><tt><br>
</tt><tt>[IKE] installing DNS server 10.166.47.12 to
/etc/resolv.conf</tt><tt><br>
</tt><tt>[IKE] installing new virtual IP 172.16.103.12</tt><tt><br>
</tt><tt>[CFG] selected proposal:
ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ</tt><tt><br>
</tt><tt>[IKE] CHILD_SA home{1} established with SPIs ca7ea316_i
efb49814_o and TS 172.16.103.12/32 === 10.166.47.8/29</tt><tt><br>
</tt><tt>initiate completed successfully</tt><br>
</p>
<p>Here is policies for routing (relevant parts):<br>
<tt>ip -s xfrm policy</tt><tt><br>
</tt><tt>src 172.16.103.12/32 dst 10.166.47.8/29 uid 0</tt><tt><br>
</tt><tt> dir out action allow index 1217 priority 368767
ptype main share any flag (0x00000000)</tt><tt><br>
</tt><tt> lifetime config:</tt><tt><br>
</tt><tt> limit: soft (INF)(bytes), hard (INF)(bytes)</tt><tt><br>
</tt><tt> limit: soft (INF)(packets), hard (INF)(packets)</tt><tt><br>
</tt><tt> expire add: soft 0(sec), hard 0(sec)</tt><tt><br>
</tt><tt> expire use: soft 0(sec), hard 0(sec)</tt><tt><br>
</tt><tt> lifetime current:</tt><tt><br>
</tt><tt> 0(bytes), 0(packets)</tt><tt><br>
</tt><tt> add 2019-11-23 22:15:04 use 2019-11-23 22:16:46</tt><tt><br>
</tt><tt> tmpl src A.A.A.A dst B.B.B.B</tt><tt><br>
</tt><tt> proto esp spi 0xefb49814(4021590036) reqid
1(0x00000001) mode tunnel</tt><tt><br>
</tt><tt> level required share any </tt><tt><br>
</tt><tt> enc-mask ffffffff auth-mask ffffffff comp-mask
ffffffff</tt><tt><br>
</tt><tt>src 10.166.47.8/29 dst 172.16.103.12/32 uid 0</tt><tt><br>
</tt><tt> dir fwd action allow index 1210 priority 368767
ptype main share any flag (0x00000000)</tt><tt><br>
</tt><tt> lifetime config:</tt><tt><br>
</tt><tt> limit: soft (INF)(bytes), hard (INF)(bytes)</tt><tt><br>
</tt><tt> limit: soft (INF)(packets), hard (INF)(packets)</tt><tt><br>
</tt><tt> expire add: soft 0(sec), hard 0(sec)</tt><tt><br>
</tt><tt> expire use: soft 0(sec), hard 0(sec)</tt><tt><br>
</tt><tt> lifetime current:</tt><tt><br>
</tt><tt> 0(bytes), 0(packets)</tt><tt><br>
</tt><tt> add 2019-11-23 22:15:04 use -</tt><tt><br>
</tt><tt> tmpl src B.B.B.B dst A.A.A.A</tt><tt><br>
</tt><tt> proto esp spi 0x00000000(0) reqid 1(0x00000001)
mode tunnel</tt><tt><br>
</tt><tt> level required share any </tt><tt><br>
</tt><tt> enc-mask ffffffff auth-mask ffffffff comp-mask
ffffffff</tt><tt><br>
</tt><tt>src 10.166.47.8/29 dst 172.16.103.12/32 uid 0</tt><tt><br>
</tt><tt> dir in action allow index 1200 priority 368767
ptype main share any flag (0x00000000)</tt><tt><br>
</tt><tt> lifetime config:</tt><tt><br>
</tt><tt> limit: soft (INF)(bytes), hard (INF)(bytes)</tt><tt><br>
</tt><tt> limit: soft (INF)(packets), hard (INF)(packets)</tt><tt><br>
</tt><tt> expire add: soft 0(sec), hard 0(sec)</tt><tt><br>
</tt><tt> expire use: soft 0(sec), hard 0(sec)</tt><tt><br>
</tt><tt> lifetime current:</tt><tt><br>
</tt><tt> 0(bytes), 0(packets)</tt><tt><br>
</tt><tt> add 2019-11-23 22:15:04 use -</tt><tt><br>
</tt><tt> tmpl src B.B.B.B dst A.A.A.A</tt><tt><br>
</tt><tt> proto esp spi 0x00000000(0) reqid 1(0x00000001)
mode tunnel</tt><tt><br>
</tt><tt> level required share any </tt><tt><br>
</tt><tt> enc-mask ffffffff auth-mask ffffffff comp-mask
ffffffff</tt><tt><br>
</tt><br>
</p>
<p>Here is tcpdump from what I think is the ping and its response
(pinging 10.166.47.12 which is assigned to Lancom on ethernet
port 1):<br>
<tt>22:03:20.304824 IP (tos 0x0, ttl 64, id 1894, offset 0,
flags [DF], proto ESP (50), length 140)</tt><tt><br>
</tt><tt> A.A.A.A > B.B.B.B:
ESP(spi=0xbf3e0bb5,seq=0x224), length 120</tt><tt><br>
</tt><tt>22:03:20.320540 IP (tos 0x0, ttl 57, id 34530, offset
0, flags [none], proto UDP (17), length 148)</tt><tt><br>
</tt><tt> B.B.B.B.ipsec-nat-t > A.A.A.A.ipsec-nat-t: [no
cksum] UDP-encap: ESP(spi=0xc9012da8,seq=0x223), length 120</tt><tt><br>
</tt><br>
</p>
<p>I am just clueless now and any help is appreciated. Let me know
if any further information is required. <br>
</p>
<div class="moz-signature">-- <br>
<title></title>
<meta name="generator" content="LibreOffice 5.0.2.2 (Linux)">
<meta name="author" content="Valeri Geiser">
<meta name="created" content="2014-10-01T00:00:00">
<meta name="changed" content="2016-01-26T08:42:12.054050047">
<meta name="changedby" content="Valeri Geiser">
<meta name="changedby" content="Valeri Geiser">
<meta name="changedby" content="Valeri Geiser">
<meta name="changedby" content="Valeri Geiser">
<style type="text/css">
@page { margin: 2cm }
p { margin-bottom: 0.25cm; color: #000000; line-height: 120% }
a:link { so-language: en-US }
</style>
<p><font color="#1f497d"><font face="Arial, sans-serif">Bei
Fragen oder Unklarheiten stehen wir Ihnen gerne zur
Verfügung.</font></font></p>
<p><font color="#1f497d"><font face="Arial, sans-serif">MFG,
Valeri Geiser</font></font></p>
<p><font color="#1f497d"><font face="Arial, sans-serif"><b>KM
Logistik - Service GmbH <br>
Hauptstraße 2<br>
<span lang="en-US">66459 Kirkel-Limbach</span></b></font></font></p>
<p><font color="#1f497d"><font face="Arial, sans-serif"><span
lang="en-US"><b><br>
Phone: </b></span></font></font><font color="#1f497d"><font
face="Arial, sans-serif"><span lang="en-US">(+49) </span></font></font><font
color="#1f497d"><font face="Arial, sans-serif"><span
lang="en-US">6841</span></font></font><font
color="#1f497d"><font face="Arial, sans-serif"><span
lang="en-US"> </span></font></font><font
color="#1f497d"><font face="Arial, sans-serif"><span
lang="en-US">7567899</span></font></font><font
color="#1f497d"><font face="Arial, sans-serif"><span
lang="en-US"><br>
</span></font></font><font color="#1f497d"><font
face="Arial, sans-serif"><span lang="en-US"><b>Fax: </b></span></font></font><font
color="#1f497d"><font face="Arial, sans-serif"><span
lang="en-US">(+49) 6841 9933441</span></font></font></p>
<p><font color="#1f497d"><font face="Arial, sans-serif"><span
lang="en-US"><b>Email:</b></span></font></font><font
color="#1f497d"> </font><font color="#1f497d"><font
face="Arial, sans-serif"><span lang="en-US"><a
href="mailto:valeri.geiser@km-logistik-service.de"
moz-do-not-send="true">valeri.geiser@km-logistik-service.de</a><br>
</span></font></font><font color="#1f497d"><font
face="Arial, sans-serif"><b>Web:</b></font></font><font
color="#1f497d"> </font><a
href="http://km-logistik-service.de/" moz-do-not-send="true"><font
color="#1f497d"><font face="Arial, sans-serif">http://km-logistik-service.de</font></font></a></p>
<p><font color="#1f497d"><font face="Arial, sans-serif"><font
style="font-size: 10pt" size="2">KM Logistik - Service
Gesellschaft mit beschränkter Haftung<br>
Sitz der Gesellschaft: 66459 Kirkel | Geschäftsführer:
Klaus Miosga | Registergericht: Homburg HRB 17405 </font></font></font>
</p>
<p style="margin-bottom: 0cm; line-height: 100%"><br>
</p>
</div>
</blockquote>
<div class="moz-signature">-- <br>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title></title>
<meta name="generator" content="LibreOffice 5.0.2.2 (Linux)">
<meta name="author" content="Valeri Geiser">
<meta name="created" content="2014-10-01T00:00:00">
<meta name="changed" content="2016-01-26T08:42:12.054050047">
<meta name="changedby" content="Valeri Geiser">
<meta name="changedby" content="Valeri Geiser">
<meta name="changedby" content="Valeri Geiser">
<meta name="changedby" content="Valeri Geiser">
<style type="text/css">
@page { margin: 2cm }
p { margin-bottom: 0.25cm; color: #000000; line-height: 120% }
a:link { so-language: en-US }
</style>
<p><font color="#1f497d"><font face="Arial, sans-serif">Bei Fragen
oder Unklarheiten stehen wir Ihnen gerne zur Verfügung.</font></font></p>
<p><font color="#1f497d"><font face="Arial, sans-serif">MFG,
Valeri
Geiser</font></font></p>
<p><font color="#1f497d"><font face="Arial, sans-serif"><b>KM
Logistik - Service GmbH <br>
Hauptstraße 2<br>
<span lang="en-US">66459
Kirkel-Limbach</span></b></font></font></p>
<p><font color="#1f497d"><font face="Arial, sans-serif"><span
lang="en-US"><b><br>
Phone:
</b></span></font></font><font color="#1f497d"><font
face="Arial, sans-serif"><span lang="en-US">(+49)
</span></font></font><font color="#1f497d"><font
face="Arial, sans-serif"><span lang="en-US">6841</span></font></font><font
color="#1f497d"><font face="Arial, sans-serif"><span
lang="en-US">
</span></font></font><font color="#1f497d"><font
face="Arial, sans-serif"><span lang="en-US">7567899</span></font></font><font
color="#1f497d"><font face="Arial, sans-serif"><span
lang="en-US"><br>
</span></font></font><font color="#1f497d"><font
face="Arial, sans-serif"><span lang="en-US"><b>Fax:
</b></span></font></font><font color="#1f497d"><font
face="Arial, sans-serif"><span lang="en-US">(+49)
6841 9933441</span></font></font></p>
<p><font color="#1f497d"><font face="Arial, sans-serif"><span
lang="en-US"><b>Email:</b></span></font></font><font
color="#1f497d">
</font><font color="#1f497d"><font face="Arial, sans-serif"><span
lang="en-US"><a
href="mailto:valeri.geiser@km-logistik-service.de">valeri.geiser@km-logistik-service.de</a><br>
</span></font></font><font color="#1f497d"><font
face="Arial, sans-serif"><b>Web:</b></font></font><font
color="#1f497d">
</font><a href="http://km-logistik-service.de/"><font
color="#1f497d"><font face="Arial, sans-serif">http://km-logistik-service.de</font></font></a></p>
<p><font color="#1f497d"><font face="Arial, sans-serif"><font
style="font-size: 10pt" size="2">KM
Logistik - Service Gesellschaft mit beschränkter Haftung<br>
Sitz
der Gesellschaft: 66459 Kirkel | Geschäftsführer: Klaus
Miosga |
Registergericht: Homburg HRB 17405 </font></font></font>
</p>
<p style="margin-bottom: 0cm; line-height: 100%"><br>
</p>
</div>
</body>
</html>