<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Dear list,</p>
<p>I'm new to IPSec and need a hand trying to set up a VPN with a
foreign institution. <br>
</p>
<p>Basically I have a single host offering some services that should
also act as the IPSec client / left side host. This is the only
left-side host that must be accessible from the right-side
network. <br>
</p>
<p>On this left-side server I installed SUSE SLES 12 SP 1 with
Strongswan 5.1.3. <br>
</p>
<p>The right side uses a commercial solution (Fotinet Fortigate). <br>
</p>
<p>Using this configuration I can establish the IPSec connection:</p>
<p><b>ipsec.conf</b></p>
<p>config setup<br>
charondebug="all"<br>
uniqueids=yes<br>
strictcrlpolicy=no<br>
<br>
conn %default<br>
conn tunnel <br>
left=141.a.b.c<br>
leftsubnet=192.168.66.0/24<br>
lefthostaccess=yes<br>
leftsourceip=%config<br>
right=193.d.e.f<br>
rightsubnet=192.168.19.0/24<br>
ike=aes256-sha256-prfsha256-ecp521!<br>
esp=aes256-sha256!<br>
keyingtries=0<br>
ikelifetime=28800s<br>
lifetime=14400s<br>
dpddelay=30<br>
dpdtimeout=120<br>
dpdaction=restart<br>
authby=secret<br>
auto=start<br>
keyexchange=ikev2<br>
type=tunnel<br>
</p>
<p>The connection seems to be ok:<br>
<b></b></p>
<p><b>ipsec statusall</b><br>
</p>
<p>Status of IKE charon daemon (strongSwan 5.1.3, Linux
3.12.74-60.64.124-default, x86_64):<br>
uptime: 21 hours, since Feb 10 16:04:02 2020<br>
malloc: sbrk 2838528, mmap 0, used 671024, free 2167504<br>
worker threads: 10 of 16 idle, 6/0/0/0 working, job queue:
0/0/0/0, scheduled: 5<br>
loaded plugins: charon ldap pkcs11 aes des blowfish rc2 sha1
sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1
pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg
fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl soup attr
kernel-netlink resolve socket-default farp stroke smp updown
eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2
eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap
eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv
tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led
duplicheck radattr addrblock unity<br>
Listening IP addresses:<br>
141.a.b.c<br>
192.168.66.1<br>
Connections:<br>
tunnel: 141.a.b.c...193.d.e.f IKEv2, dpddelay=30s<br>
tunnel: local: [141.a.b.c] uses pre-shared key
authentication<br>
tunnel: remote: [193.d.e.f] uses pre-shared key
authentication<br>
tunnel: child: 192.168.66.0/24 === 192.168.19.0/24
TUNNEL, dpdaction=restart<br>
Security Associations (2 up, 0 connecting):<br>
tunnel[4]: ESTABLISHED 6 hours ago,
141.a.b.c[141.a.b.c]...193.d.e.f[193.d.e.f]<br>
tunnel[4]: IKEv2 SPIs: fd1ce3e19651ea83_i
b0e8873d947ad4e8_r*, pre-shared key reauthentication in 76 minutes<br>
tunnel[4]: IKE proposal:
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521<br>
tunnel[1]: CONNECTING,
141.a.b.c[141.a.b.c]...193.d.e.f[193.d.e.f]<br>
tunnel[1]: IKEv2 SPIs: 38a8d3b8593af26a_i*
77f1ac5ed3598059_r<br>
tunnel[1]: IKE proposal:
AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521<br>
tunnel[1]: Tasks active: IKE_CERT_PRE IKE_AUTH IKE_CERT_POST
IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE <br>
</p>
<p><br>
</p>
<p>However, there is some sort of routing problem. In either
direction, packets travel through the tunnel, are seen on the
other side, but the responses never come back.</p>
<p>The IP address of the left machine:<br>
</p>
<p><b>ip addr</b><br>
</p>
<p>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state
UNKNOWN group default <br>
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br>
inet 127.0.0.1/8 scope host lo<br>
valid_lft forever preferred_lft forever<br>
inet6 ::1/128 scope host <br>
valid_lft forever preferred_lft forever<br>
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq
state UP group default qlen 1000<br>
link/ether 00:x:x:x:x:x brd ff:ff:ff:ff:ff:ff<br>
inet 141.a.b.c/22 brd 141.a.b.255 scope global eth0<br>
valid_lft forever preferred_lft forever<br>
inet 192.168.66.1/24 brd 192.168.66.255 scope global eth0:1<br>
valid_lft forever preferred_lft forever<br>
inet6 fe::0:f:f7:b/64 scope link <br>
valid_lft forever preferred_lft forever<br>
</p>
<p>The routing tables:<br>
</p>
<p><b>ip route list table all</b><br>
</p>
<p>192.168.19.0/24 via 192.168.66.1 dev eth0 table 220 proto
static src 192.168.66.1 <br>
default via 141.a.b.1 dev eth0 <br>
141.a.b.0/22 dev eth0 proto kernel scope link src 141.a.b.c <br>
192.168.66.0/24 dev eth0 proto kernel scope link src
192.168.66.1 <br>
broadcast 127.0.0.0 dev lo table local proto kernel scope link
src 127.0.0.1 <br>
local 127.0.0.0/8 dev lo table local proto kernel scope host
src 127.0.0.1 <br>
local 127.0.0.1 dev lo table local proto kernel scope host src
127.0.0.1 <br>
broadcast 127.255.255.255 dev lo table local proto kernel scope
link src 127.0.0.1 <br>
broadcast 141.a.b.0 dev eth0 table local proto kernel scope
link src 141.a.b.c <br>
local 141.a.b.c dev eth0 table local proto kernel scope host
src 141.a.b.c <br>
broadcast 141.a.b.255 dev eth0 table local proto kernel scope
link src 141.a.b.c <br>
broadcast 192.168.66.0 dev eth0 table local proto kernel scope
link src 192.168.66.1 <br>
local 192.168.66.1 dev eth0 table local proto kernel scope
host src 192.168.66.1 <br>
broadcast 192.168.66.255 dev eth0 table local proto kernel
scope link src 192.168.66.1 <br>
unreachable default dev lo table unspec proto kernel metric
4294967295 error -101<br>
local ::1 dev lo proto kernel metric 256 <br>
fe80::/64 dev eth0 proto kernel metric 256 <br>
unreachable default dev lo table unspec proto kernel metric
4294967295 error -101<br>
local ::1 dev lo table local proto none metric 0 <br>
local f::2:f:7:b8 dev lo table local proto none metric 0 <br>
ff00::/8 dev eth0 table local metric 256 <br>
unreachable default dev lo table unspec proto kernel metric
4294967295 error -101<br>
</p>
<p><b>iptables -nL</b><br>
</p>
<p>Chain INPUT (policy ACCEPT)<br>
target prot opt source destination <br>
<br>
Chain FORWARD (policy ACCEPT)<br>
target prot opt source destination <br>
<br>
Chain OUTPUT (policy ACCEPT)<br>
target prot opt source destination <br>
</p>
<p><br>
</p>
<p>I would really appreciate if someone could give a hint or two on
how to solve this issue!</p>
Kind regards<br>
Alvaro<br>
<pre class="moz-signature" cols="72">
--
Dipl.-Inf. Alvaro Aguilera
Wissenschaftlicher Mitarbeiter
Technische Universität Dresden
Zentrum für Informationsdienste und Hochleistungsrechnen
Verteiltes und Datenintensives Rechnen
Büro: Falkenbrunnen, Raum 242
Chemnitzer Straße 46b
01187 Dresden
Tel: +49 (351) 463 33491
Email: <a class="moz-txt-link-abbreviated" href="mailto:alvaro.aguilera@tu-dresden.de">alvaro.aguilera@tu-dresden.de</a>
Web: <a class="moz-txt-link-freetext" href="http://www.tu-dresden.de/zih">http://www.tu-dresden.de/zih</a>
OTR-Fingerprint:
9CD3BC97 ACFB7430 D084BA9D 4BEB1775 4B0BA9F1</pre>
</body>
</html>