<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<p class="default-style"><span style="font-family: 'courier new', courier;">Good morning Noel,</span></p>
<p class="default-style"><span style="font-family: 'courier new', courier;">Attached below are the various configurations you requested. At this point my config is pretty basic as I attempt to get this working.</span></p>
<p class="default-style"><span style="font-family: 'courier new', courier;">The IP addresses of my Work and Home Routers are 192.168.126.254 and 192.168.127.254 respectively. Upon establishing a connection I cannot ping or ssh to either router from the other subnet.</span></p>
<p class="default-style"><span style="font-family: 'courier new', courier;">If there's anything else I can provide to aid in diagnosing how I've set this up wrong, let me know and I'll try to get it quickly.</span></p>
<p class="default-style"><span style="font-family: 'courier new', courier;">Thank you for the assistance,</span></p>
<p class="default-style"><span style="font-family: 'courier new', courier;">Mike</span></p>
<p class="default-style"><span style="font-family: 'courier new', courier;">----------------------------------------------------------------------</span></p>
<p class="default-style"><span style="font-family: 'courier new', courier;">WorkRouter &amp; HomeRouter /etc/sysctl.conf:</span></p>
<pre>
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.netfilter.nf_conntrack_helper = 1
</pre>
<p class="default-style"><span style="font-family: 'courier new', courier;">----------------------------------------------------------------------</span></p>
<p class="default-style"><span style="font-family: 'courier new', courier;">WorkRouter iptables pre-connection:</span></p>
<pre>
# Generated by iptables-save v1.8.4 on Tue Feb 1 07:34:10 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-sshd - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i LAN -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o LAN -j ACCEPT
-A OUTPUT -o Internet -j ACCEPT
-A f2b-sshd -j RETURN
COMMIT
# Completed on Tue Feb 1 07:34:10 2022
# Generated by iptables-save v1.8.4 on Tue Feb 1 07:34:10 2022
*nat
:PREROUTING ACCEPT [30:3004]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:88]
-A POSTROUTING -s 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o Internet -j MASQUERADE
COMMIT
# Completed on Tue Feb 1 07:34:10 2022
</pre>
<p class="default-style"><span style="font-family: 'courier new', courier;">----------------------------------------------------------------------</span></p>
<p class="default-style"><span style="font-family: 'courier new', courier;">WorkRouter iptables post-connection:</span></p>
<pre>
# Generated by iptables-save v1.8.4 on Tue Feb 1 07:49:29 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
:f2b-sshd - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 192.168.127.0/24 -d 192.168.126.0/24 -i Internet -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.126.0/24 -d 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i LAN -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o LAN -j ACCEPT
-A OUTPUT -o wlp3s0 -j ACCEPT
-A OUTPUT -o Internet -j ACCEPT
-A f2b-sshd -j RETURN
COMMIT
# Completed on Tue Feb 1 07:49:29 2022
# Generated by iptables-save v1.8.4 on Tue Feb 1 07:49:29 2022
*nat
:PREROUTING ACCEPT [1431:142370]
:INPUT ACCEPT [1:364]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [16:1124]
-A POSTROUTING -s 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o Internet -j MASQUERADE
COMMIT
# Completed on Tue Feb 1 07:49:29 2022
</pre>
<p class="default-style"><span style="font-family: 'courier new', courier;">----------------------------------------------------------------------</span></p>
<p class="default-style"><span style="font-family: 'courier new', courier;">HomeRouter iptables pre-connection:</span></p>
<pre>
# Generated by iptables-save v1.8.4 on Tue Feb 1 07:36:55 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7573850:808120940]
:f2b-sshd - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i LAN -j ACCEPT
-A FORWARD -j DROP
-A f2b-sshd -j RETURN
COMMIT
# Completed on Tue Feb 1 07:36:55 2022
# Generated by iptables-save v1.8.4 on Tue Feb 1 07:36:55 2022
*nat
:PREROUTING ACCEPT [201662:20100360]
:INPUT ACCEPT [130094:8522561]
:POSTROUTING ACCEPT [347066:26292253]
:OUTPUT ACCEPT [395652:30979041]
-A POSTROUTING -s 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o Internet -j MASQUERADE
COMMIT
# Completed on Tue Feb 1 07:36:55 2022
</pre>
<p class="default-style"><span style="font-family: 'courier new', courier;">----------------------------------------------------------------------</span></p>
<p class="default-style"><span style="font-family: 'courier new', courier;">HomeRouter iptables post-connection:</span></p>
<pre>
# Generated by iptables-save v1.8.4 on Tue Feb 1 07:47:36 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7775544:830642656]
:f2b-sshd - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 192.168.126.0/24 -d 192.168.127.0/24 -i Internet -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.127.0/24 -d 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i LAN -j ACCEPT
-A FORWARD -j DROP
-A f2b-sshd -j RETURN
COMMIT
# Completed on Tue Feb 1 07:47:36 2022
# Generated by iptables-save v1.8.4 on Tue Feb 1 07:47:36 2022
*nat
:PREROUTING ACCEPT [205511:20493848]
:INPUT ACCEPT [132803:8703437]
:POSTROUTING ACCEPT [353122:26767112]
:OUTPUT ACCEPT [402834:31555865]
-A POSTROUTING -s 192.168.127.0/24 -o Internet -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o Internet -j MASQUERADE
COMMIT
# Completed on Tue Feb 1 07:47:36 2022
</pre>
<p class="default-style"><span style="font-family: 'courier new', courier;">----------------------------------------------------------------------</span></p>
<p class="default-style"><span style="font-family: 'courier new', courier;">WorkRouter swanctl.conf:</span></p>
<pre>
connections {
  homenet {
    version=2
    mobike=no
    fragmentation=yes
    local_addrs=Work.Public.IP.Address
    remote_addrs=Home.Public.IP.Address
    proposals=aes256-sha1-modp1024
    local {
      auth = psk
    }
    remote {
      auth = psk
    }
    children {
      homenet {
        esp_proposals=aes256-sha1
        remote_ts=192.168.127.0/24
        local_ts=192.168.126.0/24
        updown=/usr/libexec/strongswan/_updown iptables
      }
    }
  }
}
</pre>
<p class="default-style"><span style="font-family: 'courier new', courier;">HomeRouter swanctl.conf:</span></p>
<pre>
connections {
  worknet {
    version=2
    mobike=no
    fragmentation=yes
    local_addrs=Home.Public.IP.Address
    remote_addrs=Work.Public.IP.Address
    proposals=aes256-sha1-modp1024
    local {
      auth = psk
    }
    remote {
      auth = psk
    }
    children {
      worknet {
        esp_proposals=aes256-sha1
        local_ts=192.168.127.0/24
        remote_ts=192.168.126.0/24
        updown=/usr/libexec/strongswan/_updown iptables
      }
    }
  }
}
</pre>
<p class="default-style"><span style="font-family: 'courier new', courier;">Connection from HomeRouter to WorkRouter:</span></p>
<pre>
swanctl --initiate --ike worknet --child worknet
[IKE] initiating IKE_SA worknet[5] to Work.Public.IP.Address
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from Home.Public.IP.Address[500] to Work.Public.IP.Address[500] (336 bytes)
[NET] received packet: from Work.Public.IP.Address[500] to Home.Public.IP.Address[500] (344 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of 'Home.Public.IP.Address' (myself) with pre-shared key
[IKE] establishing CHILD_SA worknet{1}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from Home.Public.IP.Address[500] to Work.Public.IP.Address[500] (220 bytes)
[NET] received packet: from Work.Public.IP.Address[500] to Home.Public.IP.Address[500] (204 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of 'Work.Public.IP.Address' with pre-shared key successful
[IKE] IKE_SA worknet[5] established between Home.Public.IP.Address[Home.Public.IP.Address]...Work.Public.IP.Address[Work.Public.IP.Address]
[IKE] scheduling rekeying in 14047s
[IKE] maximum IKE_SA lifetime 15487s
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
[IKE] CHILD_SA worknet{1} established with SPIs ca677689_i c43a2311_o and TS 192.168.127.0/24 === 192.168.126.0/24
initiate completed successfully
</pre>
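<p class="default-style">Added example, not part of Mike's message and not strongSwan's own code: a first-match walk over the HomeRouter post-connection filter rules pasted above, showing that a decapsulated packet for a Home LAN host is accepted by the FORWARD policy rule that _updown inserted, while the same packet addressed to the router's own 192.168.127.254 is delivered through INPUT, which has no policy match and ends in its final DROP. The host addresses, the public IPs 198.51.100.10 and 203.0.113.10 and the conntrack states are constructed; the rules, subnets, interface names and 192.168.127.254 come from the message.</p>

```python
import ipaddress
# HomeRouter post-connection filter rules from the message (counters and fail2ban chain dropped).
HOME_FILTER = """\
:INPUT ACCEPT
:FORWARD DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i LAN -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 192.168.126.0/24 -d 192.168.127.0/24 -i Internet -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.127.0/24 -d 192.168.126.0/24 -o Internet -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i LAN -j ACCEPT
-A FORWARD -j DROP
"""
# Rule option -> packet field; anything not listed (-m, --reqid, --proto) is ignored.
OPTS = {"-s": "src", "-d": "dst", "-i": "iif", "-o": "oif", "-p": "proto", "--dport": "dport",
        "--state": "state", "--ctstate": "state", "--dir": "ipsec", "--pol": "pol"}

def parse(text):
    """Return ({chain: [(options, target, rule_text)]}, {chain: default policy})."""
    chains, policy = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, pol = line[1:].split()
            chains[name], policy[name] = [], pol
        elif line.startswith("-A "):
            toks, opts, target = line.split(), {}, None
            for i, t in enumerate(toks):
                if t == "-j":
                    target = toks[i + 1]
                elif t in OPTS:
                    opts[OPTS[t]] = toks[i + 1]
            chains[toks[1]].append((opts, target, line))
    return chains, policy

def matches(opts, pkt):
    """True when every option of the rule matches the packet."""
    def ok(key, want):
        have = pkt.get(key)
        if key in ("src", "dst"):
            return ipaddress.ip_address(have) in ipaddress.ip_network(want)
        if key == "pol":  # --pol ipsec needs an SA on the packet, --pol none forbids one
            return (pkt.get("ipsec") is None) == (want == "none")
        return str(have) in want.split(",")  # iface, proto, dir; comma lists for state/port
    return all(ok(k, w) for k, w in opts.items())

def check(rules, pkt, local_addrs):
    """Pick INPUT if the packet is for the router itself, else FORWARD; return (chain, verdict, rule)."""
    chains, policy = parse(rules)
    chain = "INPUT" if pkt["dst"] in local_addrs else "FORWARD"
    for opts, target, text in chains[chain]:
        if matches(opts, pkt):
            return chain, target, text
    return chain, policy[chain], "chain default policy"

# Constructed packets as HomeRouter sees them: host addresses and the public IPs (198.51.100.10
# home, 203.0.113.10 work) are invented; subnets, interfaces and 192.168.127.254 are from the message.
HOME_LOCAL = {"192.168.127.254", "198.51.100.10"}
PING_HOME_HOST = dict(src="192.168.126.10", dst="192.168.127.20", iif="Internet", oif="LAN",
                      proto="icmp", state="NEW", ipsec="in")  # already ESP-decapsulated
PING_HOME_ROUTER = dict(PING_HOME_HOST, dst="192.168.127.254", oif=None)
FIRST_ESP = dict(src="203.0.113.10", dst="198.51.100.10", iif="Internet", oif=None,
                 proto="esp", state="NEW", ipsec=None)  # raw ESP, no conntrack entry yet

if __name__ == "__main__":
    for p in (PING_HOME_HOST, PING_HOME_ROUTER, FIRST_ESP): print(p["proto"], p["dst"], check(HOME_FILTER, p, HOME_LOCAL))
```

The same walk over the WorkRouter post-connection dump gives the mirror result, since its INPUT chain is identical.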
</body>
</html>