<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hi,</p>
    <p>I solved this with <tt>mobike = no</tt>. <br>
    </p>
    <p>Best regards,<br>
      Valeri<br>
    </p>
    <div class="moz-cite-prefix">On 25.11.19 at 07:38, Valeri Geiser wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:5bdeea18-d96b-50a5-acf4-12882d4e1ff0@km-logistik-service.de">
      <p>Hi,</p>
      <p>I am new to strongSwan and I just had to set up a connection to
        a Lancom router. So far, I have worked through the documentation and
        the IKEv2 tunnel gets established and policy-based routing
        installed. <br>
      </p>
      <p>Now I am trying to ping the VPN gateway using the internal
        network address. I can see the packet leaving in tcpdump, I can
        see in the Lancom traces the receipt and the response being created (to the
        correct virtual address using the correct tunnel), and I can see in
        tcpdump on the client that a packet comes back. However,
        ping says it did not get anything. This is the same when I
        shut down the firewall and set everything to accept, so it
        should not be a firewall issue.<br>
      </p>
      <p>Here is my swanctl.conf:</p>
      <pre>connections {
   home {
      version = 2
      local_addrs  = A.A.A.A   # external IP of client, no NAT involved
      remote_addrs = B.B.B.B   # external IP of lancom, no NAT involved

      local {
         auth = psk
         id = clst01@km-logistik-service.de
      }
      remote {
         auth = psk
         id = B.B.B.B
      }
      children {
         home {
            remote_ts = 10.131.208.0/24,10.166.47.8/29

            updown = /usr/lib/ipsec/_updown iptables
         }
      }

      vips = 0.0.0.0
   }
}

secrets {
   ike {
      secret = *****
      id = B.B.B.B
   }
}</pre>
      <p>Here is the connection start with swanctl:</p>
      <pre>swanctl --initiate --child home
[IKE] initiating IKE_SA home[1] to B.B.B.B
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from A.A.A.A[500] to B.B.B.B[500] (760 bytes)
[NET] received packet: from B.B.B.B[500] to [500] (38 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
[IKE] initiating IKE_SA home[1] to B.B.B.B
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from A.A.A.A[500] to B.B.B.B[500] (952 bytes)
[NET] received packet: from B.B.B.B[500] to A.A.A.A[500] (464 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]
[ENC] received unknown vendor ID: 81:75:2e:b5:91:4d:73:5c:df:cd:c8:58:c3:a8:ed:7c:1c:66:d1:42
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[IKE] authentication of 'clst01@km-logistik-service.de' (myself) with pre-shared key
[IKE] establishing CHILD_SA home{1}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from A.A.A.A[4500] to B.B.B.B[4500] (384 bytes)
[NET] received packet: from B.B.B.B[4500] to A.A.A.A[4500] (256 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(DNS ADDR) TSi TSr N(INIT_CONTACT) SA ]
[IKE] authentication of 'B.B.B.B' with pre-shared key successful
[IKE] IKE_SA home[1] established between A.A.A.A[clst01@km-logistik-service.de]...B.B.B.B[B.B.B.B]
[IKE] scheduling rekeying in 14018s
[IKE] maximum IKE_SA lifetime 15458s
[IKE] installing DNS server 10.166.47.12 to /etc/resolv.conf
[IKE] installing new virtual IP 172.16.103.12
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
[IKE] CHILD_SA home{1} established with SPIs ca7ea316_i efb49814_o and TS 172.16.103.12/32 === 10.166.47.8/29
initiate completed successfully</pre>
      <p>Here are the policies for routing (relevant parts):</p>
      <pre>ip -s xfrm policy
src 172.16.103.12/32 dst 10.166.47.8/29 uid 0
    dir out action allow index 1217 priority 368767 ptype main share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-11-23 22:15:04 use 2019-11-23 22:16:46
    tmpl src A.A.A.A dst B.B.B.B
        proto esp spi 0xefb49814(4021590036) reqid 1(0x00000001) mode tunnel
        level required share any 
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.166.47.8/29 dst 172.16.103.12/32 uid 0
    dir fwd action allow index 1210 priority 368767 ptype main share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-11-23 22:15:04 use -
    tmpl src B.B.B.B dst A.A.A.A
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any 
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.166.47.8/29 dst 172.16.103.12/32 uid 0
    dir in action allow index 1200 priority 368767 ptype main share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-11-23 22:15:04 use -
    tmpl src B.B.B.B dst A.A.A.A
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any 
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff</pre>
      <p>Here is the tcpdump output of what I think is the ping and its response
        (pinging 10.166.47.12, which is assigned to the Lancom on Ethernet
        port 1):</p>
      <pre>22:03:20.304824 IP (tos 0x0, ttl 64, id 1894, offset 0, flags [DF], proto ESP (50), length 140)
    A.A.A.A &gt; B.B.B.B: ESP(spi=0xbf3e0bb5,seq=0x224), length 120
22:03:20.320540 IP (tos 0x0, ttl 57, id 34530, offset 0, flags [none], proto UDP (17), length 148)
    B.B.B.B.ipsec-nat-t &gt; A.A.A.A.ipsec-nat-t: [no cksum] UDP-encap: ESP(spi=0xc9012da8,seq=0x223), length 120</pre>
      <p>I am just clueless now and any help is appreciated. Let me know
        if any further information is required. <br>
      </p>
      <div class="moz-signature">-- <br>
        <p>If you have any questions or anything is unclear, we are happy to help.</p>
        <p>Kind regards,<br>
          Valeri Geiser</p>
        <p><b>KM Logistik - Service GmbH<br>
            Hauptstraße 2<br>
            66459 Kirkel-Limbach</b></p>
        <p><b>Phone:</b> (+49) 6841 7567899<br>
          <b>Fax:</b> (+49) 6841 9933441</p>
        <p><b>Email:</b> <a href="mailto:valeri.geiser@km-logistik-service.de">valeri.geiser@km-logistik-service.de</a><br>
          <b>Web:</b> <a href="http://km-logistik-service.de/">http://km-logistik-service.de</a></p>
        <p>KM Logistik - Service Gesellschaft mit beschränkter Haftung<br>
          Registered office: 66459 Kirkel | Managing Director: Klaus Miosga | Register court: Homburg HRB 17405</p>
      </div>
    </blockquote>
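    <p>The capture quoted above shows the failure mode directly: the client sends raw ESP (IP protocol 50) while the router answers with UDP-encapsulated ESP on port 4500, and the log shows the IKE_AUTH exchange already running on port 4500 although no NAT is involved. strongSwan moves to port 4500 after IKE_SA_INIT when MOBIKE is enabled and the peer supports it, even without a NAT, and some peers then UDP-encapsulate ESP for that SA; that is the situation <tt>mobike = no</tt> avoids. The script below is an added example, not code from this thread or from the strongSwan project. It parses tcpdump lines in the format shown in the post and reports when the two directions disagree on UDP encapsulation. The sample capture is constructed from the lines in the post (A.A.A.A is the client, B.B.B.B the router, SPIs are placeholders); accepting a numeric <tt>.4500</tt> suffix as well is an assumption about <tt>tcpdump -n</tt> output.</p>

```python
"""Detect an ESP encapsulation mismatch in tcpdump output.

Added example, not code from the strongSwan project or from the thread.
Each tcpdump header line is paired with the indented ESP detail line that
follows it; the report then says whether packets sent by the local host
and packets it receives agree on UDP encapsulation (NAT-T, port 4500).
"""
import re

# Constructed sample modelled on the capture in the post: A.A.A.A is the
# client, B.B.B.B the router; SPIs, ids and timestamps are placeholders.
SAMPLE_CAPTURE = """\
22:03:20.304824 IP (tos 0x0, ttl 64, id 1894, offset 0, flags [DF], proto ESP (50), length 140)
    A.A.A.A > B.B.B.B: ESP(spi=0xbf3e0bb5,seq=0x224), length 120
22:03:20.320540 IP (tos 0x0, ttl 57, id 34530, offset 0, flags [none], proto UDP (17), length 148)
    B.B.B.B.ipsec-nat-t > A.A.A.A.ipsec-nat-t: [no cksum] UDP-encap: ESP(spi=0xc9012da8,seq=0x223), length 120
"""

# Matches the indented detail line of an ESP packet. Groups: 1 = src host,
# 2 = dst host, 3 = UDP-encap marker (None for raw ESP), 4 = SPI, 5 = seq.
# The port suffix may be the service name shown in the post (.ipsec-nat-t)
# or the numeric .4500 that tcpdump -n prints (assumed format).
ESP_DETAIL = re.compile(
    r"^\s+(\S+?)(?:\.(?:ipsec-nat-t|4500))? > "
    r"(\S+?)(?:\.(?:ipsec-nat-t|4500))?: "
    r"(\[no cksum\] UDP-encap: )?"
    r"ESP\(spi=(0x[0-9a-fA-F]+),seq=(0x[0-9a-fA-F]+)\)"
)


def parse_esp_packets(capture):
    """Return one dict per ESP packet found in tcpdump -v style output."""
    packets = []
    lines = capture.splitlines()
    for header, detail in zip(lines, lines[1:]):
        m = ESP_DETAIL.match(detail)
        if m is None or "proto" not in header:
            continue
        packets.append({
            "src": m.group(1),
            "dst": m.group(2),
            "udp_encap": m.group(3) is not None,
            "spi": int(m.group(4), 16),
            "seq": int(m.group(5), 16),
            # IP protocol 50 is raw ESP; UDP (17) carries NAT-T encapsulated ESP
            "ip_proto": "UDP" if "proto UDP" in header else "ESP",
        })
    return packets


def encapsulation_report(packets, local_ip):
    """Summarise UDP encapsulation per direction and flag a mismatch.

    A mismatch means the local host and the peer do not agree on whether
    ESP is UDP-encapsulated, which is what the post's capture shows: the
    client sends raw ESP and the router replies with UDP-encapsulated ESP.
    """
    outbound = {p["udp_encap"] for p in packets if p["src"] == local_ip}
    inbound = {p["udp_encap"] for p in packets if p["dst"] == local_ip}
    mismatch = outbound != inbound or len(outbound) > 1 or len(inbound) > 1
    return {
        "outbound_udp_encap": sorted(outbound),
        "inbound_udp_encap": sorted(inbound),
        "mismatch": mismatch,
    }


if __name__ == "__main__":
    report = encapsulation_report(parse_esp_packets(SAMPLE_CAPTURE), "A.A.A.A")
    print(report)
    if report["mismatch"]:
        print("ESP encapsulation differs by direction; check NAT-T/MOBIKE "
              "settings (the fix reported in the thread was mobike = no).")
```

    <p>Run it against <tt>tcpdump -v</tt> output captured on the client with the client's external address as <tt>local_ip</tt>; a report with <tt>mismatch: True</tt> and the inbound set containing <tt>True</tt> while the outbound set contains <tt>False</tt> reproduces the situation in the quoted post. The check says nothing about the SPIs themselves, which belong to whichever SA was current when the capture was taken.</p>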
  </body>
</html>