[strongSwan] Problems with vpn ipsec pfsense x strongswan

Ricardo Barbosa spiderslack at yahoo.com.br
Wed Aug 22 16:12:26 CEST 2012


Hi,

I have an environment with a VPN between pfSense 2.0.1 and strongSwan 4.3.2. The VPN is established, as the command output below shows.

root at hc-fw-01:~# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 xxx.xxx.xxx.xxx:500
000 interface eth0:1/eth0:1 xxx.xxx.xxx.xxx:500
000 interface eth0:2/eth0:2 xxx.xxx.xxx.xxx:500
000 interface eth1/eth1 192.168.1.254:500
000 %myid = (none)
000 loaded plugins: curl ldap random pubkey openssl hmac gmp
000 debug options: raw+crypt+parsing+emitting+control+lifecycle+klips+dns+natt+oppo+controlmore
000
000 "pfsense_ic": 192.168.1.0/24===xxx.xxx.xxx.xxx...yyy.yyy.yyy.yyy===192.168.2.0/24; erouted; eroute owner: #2
000 "pfsense_ic":   ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
000 "pfsense_ic":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
000 "pfsense_ic":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "pfsense_ic":   IKE proposal: 3DES_CBC/HMAC_MD5/MODP_1024
000 "pfsense_ic":   ESP proposal: 3DES_CBC/HMAC_SHA1/<Phase1>
000
000 #2: "pfsense_ic" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27315s; newest IPSEC; eroute owner
000 #2: "pfsense_ic" esp.ed55fa3 at yyy.yyy.yyy.yyy (17910 bytes, 5s ago) esp.5cfa7de3 at xxx.xxx.xxx.xxx (0 bytes); tunnel
000 #1: "pfsense_ic" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27314s; newest ISAKMP
000
root at hc-fw-01:~#


But when I run "ping" from the 192.168.1.0/24 network to the 192.168.2.0/24 network I get no connectivity. The command output follows.

"ip -s xfrm policy list"

root at hc-fw-01:~# ip -s xfrm policy list
src 192.168.1.0/24 dst 192.168.2.0/24 uid 0
        dir out action allow index 6225 priority 2344 share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-08-22 09:10:07 use 2012-08-22 09:36:07
        tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
                proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.2.0/24 dst 192.168.1.0/24 uid 0
        dir fwd action allow index 6218 priority 2344 share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-08-22 09:10:07 use -
        tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.2.0/24 dst 192.168.1.0/24 uid 0
        dir in action allow index 6208 priority 2344 share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-08-22 09:10:07 use -
        tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff


Another item I noticed in the command output was the following excerpt:

src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        dir 3 action allow index 6099 priority 0 share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-08-22 09:07:34 use -

Why do I have such a connection to and from 0.0.0.0?

Another item I analyzed was the SPI values on the 2 hosts:


Source           Destination      Protocol  SPI       Enc. alg.  Auth. alg.  Data
yyy.yyy.yyy.yyy  xxx.xxx.xxx.xxx  ESP       5cfa7de3  3des-cbc   hmac-sha1   111672 B
xxx.xxx.xxx.xxx  yyy.yyy.yyy.yyy  ESP       0ed55fa3  3des-cbc   hmac-sha1   111835 B
xxx.xxx.xxx.xxx  yyy.yyy.yyy.yyy  ESP       05fe6cf8  3des-cbc   hmac-sha1   0 B


root at hc-fw-01:~# ip xfrm monitor
Async event  (0x10)  replay update
        src 177.4.169.167 dst 189.31.140.211  reqid 0x4001 protocol esp  SPI 0x5cfa7de3
Async event  (0x10)  replay update
        src 189.31.140.211 dst 177.4.169.167  reqid 0x4001 protocol esp  SPI0xed55fa3
Async event  (0x20)  timer expired
        src 189.31.140.211 dst 177.4.169.167  reqid 0x4001 protocol esp  SPI 0xed55fa3
Async event  (0x20)  timer expired
        src 177.4.169.167 dst 189.31.140.211  reqid 0x4001 protocol esp  SPI 0x5cfa7de3
Async event  (0x10)  replay update
        src 189.31.140.211 dst 177.4.169.167  reqid 0x4001 protocol esp  SPI 0xed55fa3
Async event  (0x20)  timer expired
        src 177.4.169.167 dst 189.31.140.211  reqid 0x4001 protocol esp  SPI 0x5cfa7de3
Async event  (0x20)  timer expired
        src 189.31.140.211 dst 177.4.169.167  reqid 0x4001 protocol esp  SPI 0xed55fa3
Async event  (0x20)  timer expired
        src 177.4.169.167 dst 189.31.140.211  reqid 0x4001 protocol esp  SPI0x5cfa7de3
Async event  (0x20)  timer expired
        src 189.31.140.211 dst 177.4.169.167  reqid 0x4001 protocol esp  SPI 0xed55fa3
Async event  (0x20)  timer expired
        src 177.4.169.167 dst 189.31.140.211  reqid 0x4001 protocol esp  SPI 0x5cfa7de3
Async event  (0x20)  timer expired
        src 189.31.140.211 dst 177.4.169.167  reqid 0x4001 protocol esp  SPI 0xed55fa3
Async event  (0x20)  timer expired



Any idea?

Regards
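Editor's note, added example (not part of Ricardo's post and not strongSwan or pfSense code): a small Python parser for the `ip -s xfrm policy list` output quoted above. It reads the sample into per-policy records, reports which policies have actually been looked up (the `use` timestamp) and decodes the bare `dir 3` value using the Linux kernel's encoding of direction in the low three bits of the policy index (0 in, 1 out, 2 fwd; 3 and 4 are per-socket in/out policies). The sample text is constructed from the post, with the xxx/yyy placeholders kept and the `lifetime config:` lines omitted since the parser ignores them.

```python
"""Summarise `ip -s xfrm policy list` output: which IPsec policies have
been hit, and what a numeric `dir` value such as "dir 3" means."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the output in the post above
# (`lifetime config:` lines omitted; the parser skips them anyway).
SAMPLE = """\
src 192.168.1.0/24 dst 192.168.2.0/24 uid 0
        dir out action allow index 6225 priority 2344 share any flag  (0x00000000)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-08-22 09:10:07 use 2012-08-22 09:36:07
        tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
                proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode tunnel
src 192.168.2.0/24 dst 192.168.1.0/24 uid 0
        dir fwd action allow index 6218 priority 2344 share any flag  (0x00000000)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-08-22 09:10:07 use -
        tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode tunnel
src 192.168.2.0/24 dst 192.168.1.0/24 uid 0
        dir in action allow index 6208 priority 2344 share any flag  (0x00000000)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-08-22 09:10:07 use -
        tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
                proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
        dir 3 action allow index 6099 priority 0 share any flag  (0x00000000)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-08-22 09:07:34 use -
"""

# Linux kernel encoding: the low three bits of a policy index are its
# direction (0 in, 1 out, 2 fwd).  Per-socket policies are stored as
# XFRM_POLICY_MAX (3) + dir, which iproute2 prints as a bare number.
DIR_NAMES = {0: "in", 1: "out", 2: "fwd", 3: "socket in", 4: "socket out"}


@dataclass
class Policy:
    src: str
    dst: str
    dir: str            # as printed: in / out / fwd / 3 / 4
    index: int
    use: Optional[str]  # time of last lookup; None if the policy was never hit
    tmpl_src: Optional[str] = None
    tmpl_dst: Optional[str] = None
    tmpl_reqid: Optional[int] = None
    tmpl_mode: Optional[str] = None

    @property
    def direction(self) -> str:
        return DIR_NAMES.get(self.index & 7, f"dir {self.dir}")

    @property
    def is_socket_policy(self) -> bool:
        return (self.index & 7) >= 3


SELECTOR = re.compile(r"^src (\S+) dst (\S+)")
DIRLINE = re.compile(r"^\s+dir (\S+) action \S+ index (\d+)")
USELINE = re.compile(r"^\s+add \S+ \S+ use (.*)$")
TMPLLINE = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")
PROTOLINE = re.compile(r"^\s+proto \S+ spi \S+ reqid (\d+)\(\S+\) mode (\S+)")


def parse_policies(text: str) -> List[Policy]:
    """A policy starts at an unindented `src ... dst ...` line; the indented
    lines that follow belong to it.  Unknown lines are ignored."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for line in text.splitlines():
        if m := SELECTOR.match(line):
            cur = Policy(src=m[1], dst=m[2], dir="", index=0, use=None)
            policies.append(cur)
        elif cur is None:
            continue
        elif m := DIRLINE.match(line):
            cur.dir, cur.index = m[1], int(m[2])
        elif m := USELINE.match(line):
            cur.use = None if m[1].strip() == "-" else m[1].strip()
        elif m := TMPLLINE.match(line):
            cur.tmpl_src, cur.tmpl_dst = m[1], m[2]
        elif m := PROTOLINE.match(line):
            cur.tmpl_reqid, cur.tmpl_mode = int(m[1]), m[2]
    return policies


def never_used(policies: List[Policy]) -> List[Policy]:
    """Tunnel policies (socket bypass policies excluded) that no packet has
    matched.  Only the `use` time is a usable signal: the kernel does not
    account bytes/packets against policies, so those counters read 0 even
    on a busy tunnel; per-SA volume comes from `ip -s xfrm state`."""
    return [p for p in policies if not p.is_socket_policy and p.use is None]


def summarize(policies: List[Policy]) -> List[str]:
    lines = []
    for p in policies:
        hit = f"last hit {p.use}" if p.use else "never hit"
        tmpl = (f" via {p.tmpl_src}->{p.tmpl_dst} reqid {p.tmpl_reqid} {p.tmpl_mode}"
                if p.tmpl_src else "")
        lines.append(f"{p.direction:10} {p.src} -> {p.dst}: {hit}{tmpl}")
    return lines


if __name__ == "__main__":
    pols = parse_policies(SAMPLE)
    print("\n".join(summarize(pols)))
    print("never hit:", [p.index for p in never_used(pols)])
```

Read against the post's numbers: index 6225 & 7 is 1 (out), 6218 & 7 is 2 (fwd), 6208 & 7 is 0 (in), and 6099 & 7 is 3, so the 0.0.0.0/0 entry is a per-socket inbound policy with no template, which is how an IKE daemon exempts its own UDP/500 socket from IPsec processing; it is not a tunnel to 0.0.0.0. The `use` column is the only per-policy activity indicator worth reading, since Linux never increments the policy byte and packet counters; the outbound policy here has been looked up, while the in and fwd policies have never been hit.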