[strongSwan] Tunnel seems to be established, but traffic does not flow through it.

Meera Sudhakar mira.sudhakar at gmail.com
Fri Oct 14 09:37:45 CEST 2011


Hello,

I have established a tunnel between two end-points with ikev2, using psk. I
can see that the tunnel is established, but for some reason the traffic does
not flow through this tunnel. I do not have any blocking firewalls or
anything. I cannot use certificates as there is some bug in our IP-stack
code, and this is the first time I am trying to get it working using
pre-shared keys. Please find the details below.

*End-point 1:*
root at localhost:/root> cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # plutodebug=all
        # crlcheckinterval=600
        strictcrlpolicy=no
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        plutostart=no
        charondebug=all
# Add connections here.
# Sample VPN connections
#ca strongswan
#        cacert=caCert.der
#        auto=add
conn sample-with-ca-cert
      left=169.254.3.75
      leftsubnet=169.254.3.0/32
      right=169.254.4.75
      rightsubnet=169.254.4.0/32
      authby=secret
      keyexchange=ikev2
      auto=add
root at localhost:/root> cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
 : PSK "strongSwan"
root at localhost:/root> /usr/local/6bin/ipsec status
Security Associations:
sample-with-ca-cert[1]: ESTABLISHED
169.254.3.75[169.254.3.75]...169.254.4.75[169.254.4.75]
sample-with-ca-cert[1]: IKE SPIs: 2df2f45dcd2f5b68_i a38bd0eeeaf49bff_r*
Creation time: 4 minutes ago
sample-with-ca-cert{1}:  INSTALLED, TUNNEL, ESP SPIs: c1c4e611_i cb7030e9_o
sample-with-ca-cert{1}:   169.254.3.0/32 === 169.254.4.0/32
root at localhost:/root>

*End-point 2:*
root at localhost:/root> cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # plutodebug=all
        # crlcheckinterval=600
        strictcrlpolicy=no
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        plutostart=no
        charondebug=all
# Add connections here.
# Sample VPN connections
#ca strongswan
#        cacert=caCert.der
#        auto=add
conn sample-with-ca-cert
      left=169.254.4.75
      leftsubnet=169.254.4.0/32
      right=169.254.3.75
      rightsubnet=169.254.3.0/32
      authby=secret
      keyexchange=ikev2
      auto=start
root at localhost:/root> cat /etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
 : PSK "strongSwan"
root at localhost:/root> /usr/local/6bin/ipsec status
Security Associations:
sample-with-ca-cert[1]: ESTABLISHED
169.254.4.75[169.254.4.75]...169.254.3.75[169.254.3.75]
sample-with-ca-cert[1]: IKE SPIs: 2df2f45dcd2f5b68_i* a38bd0eeeaf49bff_r
Creation time: 5 minutes ago
sample-with-ca-cert{1}:  INSTALLED, TUNNEL, ESP SPIs: cb7030e9_i c1c4e611_o
sample-with-ca-cert{1}:   169.254.4.0/32 === 169.254.3.0/32
root at localhost:/root>

Now, pinging end-point 2 from end-point 1,

*End-point 1:*
root at localhost:/root> ping 169.254.4.75
PING 169.254.4.75 (169.254.4.75) 56(84) bytes of data.
64 bytes from 169.254.4.75: icmp_seq=1 ttl=64 time=3.84 ms
64 bytes from 169.254.4.75: icmp_seq=2 ttl=64 time=0.418 ms
64 bytes from 169.254.4.75: icmp_seq=3 ttl=64 time=0.436 ms
--- 169.254.4.75 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.418/1.567/3.847/1.612 ms

*End-point 2:*
root at localhost:/root> /usr/local/6bin/tcpdump -i eth3
listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes
21:46:51.700053 FPTUN (TAP(TAP)|port=0x0000000a|blade=1):
21:46:51.700224 arp who-has 169.254.4.75 tell 169.254.3.75
21:46:51.702247 (FP) arp who-has 169.254.4.75 tell 169.254.3.75
21:46:51.702294 arp reply 169.254.4.75 is-at 00:40:43:31:29:08
21:46:51.700277 FPTUN (TAP(TAP)|port=0x0000000a|blade=1):
21:46:51.700283 (FP) IP 169.254.3.75 > 169.254.4.75: icmp 64: echo request seq 1
21:46:51.700289 IP 169.254.3.75 > 169.254.4.75: icmp 64: echo request seq 1
21:46:51.700416 IP 169.254.4.75 > 169.254.3.75: icmp 64: echo reply seq 1
21:46:52.696065 IP 169.254.3.75 > 169.254.4.75: icmp 64: echo request seq 2
21:46:52.696065 FPTUN (TAP(TAP)|port=0x0000000a|blade=1):
21:46:52.696086 (FP) IP 169.254.3.75 > 169.254.4.75: icmp 64: echo request seq 2
21:46:52.696162 IP 169.254.4.75 > 169.254.3.75: icmp 64: echo reply seq 2
21:46:53.695418 FPTUN (TAP(TAP)|port=0x0000000a|blade=1):
21:46:53.695419 IP 169.254.3.75 > 169.254.4.75: icmp 64: echo request seq 3
21:46:53.695441 (FP) IP 169.254.3.75 > 169.254.4.75: icmp 64: echo request seq 3
21:46:53.695529 IP 169.254.4.75 > 169.254.3.75: icmp 64: echo reply seq 3
16 packets captured
16 packets received by filter
0 packets dropped by kernel
root at localhost:/root>

So we see that even though the tunnel exists, traffic between the two
end-points does not travel through it. Could you please let me know if there
is anything I have missed?

Thanks and regards,
Meera
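As an added diagnostic example (not part of the post, and not strongSwan's own code): the tcpdump capture above shows plain ICMP echo between the two hosts rather than ESP, which is what you see when packets do not match the installed IPsec policy. One thing worth checking mechanically is whether each side's traffic selector actually contains the address being pinged. The script below embeds the two conn sections quoted in the post as constructed samples, checks that leftsubnet/rightsubnet cover left/right, and checks that the peer's conn is the mirror image. With the posted values, 169.254.3.0/32 and 169.254.4.0/32 are single-address selectors that do not contain 169.254.3.75 or 169.254.4.75, so the script flags both sides. The parser and the check functions are hypothetical helpers written for this example.

```python
import ipaddress
from typing import Dict, List

# Constructed samples: the conn sections of the two ipsec.conf files quoted in the post.
ENDPOINT1_CONF = """\
conn sample-with-ca-cert
      left=169.254.3.75
      leftsubnet=169.254.3.0/32
      right=169.254.4.75
      rightsubnet=169.254.4.0/32
      authby=secret
      keyexchange=ikev2
      auto=add
"""

ENDPOINT2_CONF = """\
conn sample-with-ca-cert
      left=169.254.4.75
      leftsubnet=169.254.4.0/32
      right=169.254.3.75
      rightsubnet=169.254.3.0/32
      authby=secret
      keyexchange=ikev2
      auto=start
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: a 'conn NAME' line at column 0 opens a
    section and the indented key=value lines that follow belong to it.
    Comments and blank lines are dropped; 'also=' and %default inheritance
    are not handled (enough for the configs in the post)."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # section header, e.g. "conn foo" or "config setup"
            parts = line.split(None, 1)
            current = parts[1].strip() if parts[0] == "conn" and len(parts) == 2 else None
            if current is not None:
                conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def selector_problems(conn: Dict[str, str]) -> List[str]:
    """For each side, check that the configured traffic selector
    (leftsubnet/rightsubnet) contains the gateway address (left/right).
    In a host-to-host setup with nothing behind either gateway, a selector
    that misses the gateway address means packets between the two hosts
    never match the IPsec policy and are sent in the clear."""
    problems: List[str] = []
    for side in ("left", "right"):
        addr, subnet = conn.get(side), conn.get(side + "subnet")
        if addr is None or subnet is None or addr.startswith("%"):
            continue  # %any / %defaultroute: nothing concrete to compare
        try:
            ip = ipaddress.ip_address(addr)
            nets = [ipaddress.ip_network(s.strip(), strict=False) for s in subnet.split(",")]
        except ValueError as exc:
            problems.append(f"{side}: cannot parse address or subnet ({exc})")
            continue
        if not any(ip in net for net in nets):
            problems.append(
                f"{side}subnet={subnet} does not contain {side}={addr}; "
                f"traffic to/from this host will not match the tunnel policy"
            )
    return problems


def mirror_problems(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """The peer's conn must be the mirror image: a.left == b.right and
    a.leftsubnet == b.rightsubnet (and vice versa). Otherwise the two sides
    propose different traffic selectors and the CHILD_SA is narrowed or fails."""
    problems: List[str] = []
    for key_a, key_b in (("left", "right"), ("leftsubnet", "rightsubnet"),
                         ("right", "left"), ("rightsubnet", "leftsubnet")):
        if a.get(key_a) != b.get(key_b):
            problems.append(f"{key_a}={a.get(key_a)} on one side vs {key_b}={b.get(key_b)} on the peer")
    return problems


def check_pair(conf_a: str, conf_b: str, name: str) -> Dict[str, List[str]]:
    """Run both checks over a pair of configs and return findings keyed by check."""
    a = parse_conns(conf_a)[name]
    b = parse_conns(conf_b)[name]
    return {
        "endpoint1": selector_problems(a),
        "endpoint2": selector_problems(b),
        "mirror": mirror_problems(a, b),
    }


if __name__ == "__main__":
    for check, findings in check_pair(ENDPOINT1_CONF, ENDPOINT2_CONF, "sample-with-ca-cert").items():
        print(f"{check}: {'ok' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it directly to print the findings. On the posted configs the mirror check passes and the selector check reports two problems per endpoint; with leftsubnet=169.254.3.75/32 and rightsubnet=169.254.4.75/32 (or with the subnet lines omitted, in which case strongSwan uses the left/right address itself as the selector) selector_problems() returns an empty list.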