[strongSwan] IKEv1 tunnel up but no packets going through.
Mohammady Mahdy
mohammady.mahdy at getmo.com
Wed Feb 29 07:11:52 CET 2012
Hi All,
I've gotten a tunnel established, though I can't ping the host from the
gateway. (I found out about leftsourceip.) When I added that, an ip route add
command was issued, but for some reason it fails.
Here is my ipsec.conf:
# basic configuration
config setup
        plutostart=yes
        charonstart=no
        plutodebug="all"
        nat_traversal=yes

conn %default
        ikelifetime=60m
        keylife=29m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        auth=esp
        authby=secret

conn it-vpn-test
        ike=3des-md5-modp1024
        esp=3des-md5
        left=50.56.xxx.xxx
        leftsubnet=10.178.204.18/32
        leftid=50.56.xxx.xxx
        leftsourceip=10.178.204.18
        type=tunnel
        right=151.1.xxx.xxx
        rightid=151.1.xxx.xxx
        rightsubnet=10.2.31.119/32
        pfs=no
        auto=add
        leftfirewall=yes
For the purpose of this test I removed all my firewall rules on the test
machine (accept all).
iptables-save output is:
# Generated by iptables-save v1.4.2 on Wed Feb 29 05:54:23 2012
*filter
:INPUT ACCEPT [16460:1216434]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6095:2190390]
-A INPUT -s 10.2.31.119/32 -d 10.178.204.18/32 -i eth0 -m policy --dir in
--pol ipsec --reqid 16385 --proto esp -j ACCEPT
-A FORWARD -s 10.2.31.119/32 -d 10.178.204.18/32 -i eth0 -m policy --dir in
--pol ipsec --reqid 16385 --proto esp -j ACCEPT
-A FORWARD -s 10.178.204.18/32 -d 10.2.31.119/32 -o eth0 -m policy --dir out
--pol ipsec --reqid 16385 --proto esp -j ACCEPT
-A OUTPUT -s 10.178.204.18/32 -d 10.2.31.119/32 -o eth0 -m policy --dir out
--pol ipsec --reqid 16385 --proto esp -j ACCEPT
COMMIT
# Completed on Wed Feb 29 05:54:23 2012
Output for ip -4 a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
inet 50.56.xxx.xxx/24 brd 50.56.xxx.xxx scope global eth0
inet 10.8.0.13/32 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UNKNOWN qlen 1000
inet 10.178.204.18/19 brd 10.178.223.255 scope global eth1
Output for ip -4 r s t 0
50.56.xxx.0/24 dev eth0 proto kernel scope link src 50.56.xxx.xxx
10.178.192.0/19 dev eth1 proto kernel scope link src 10.178.204.18
10.191.192.0/18 via 10.178.192.1 dev eth1
10.176.0.0/12 via 10.178.192.1 dev eth1
default via 50.56.180.1 dev eth0
broadcast 127.255.255.255 dev lo table local proto kernel scope link src
127.0.0.1
broadcast 50.56.xxx.0 dev eth0 table local proto kernel scope link src
50.56.xxx.xxx
local 10.8.0.13 dev eth0 table local proto kernel scope host src
10.8.0.13
local 50.56.xxx.xxx dev eth0 table local proto kernel scope host src
50.56.xxx.xxx
local 10.178.204.18 dev eth1 table local proto kernel scope host src
10.178.204.18
broadcast 10.178.192.0 dev eth1 table local proto kernel scope link src
10.178.204.18
broadcast 10.178.223.255 dev eth1 table local proto kernel scope link
src 10.178.204.18
broadcast 50.56.xxx.xxx dev eth0 table local proto kernel scope link src
50.56.xxx.xxx
broadcast 127.0.0.0 dev lo table local proto kernel scope link src
127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src
127.0.0.1
ipsec up produces the following output:
ipsec up it-vpn-test
002 "it-vpn-test" #1: initiating Main Mode
104 "it-vpn-test" #1: STATE_MAIN_I1: initiate
003 "it-vpn-test" #1: ignoring Vendor ID payload
[5acb91f739425cb2c5c090da57e9ff4a6d2ad135000000160000060a]
003 "it-vpn-test" #1: received Vendor ID payload [Dead Peer Detection]
003 "it-vpn-test" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
106 "it-vpn-test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "it-vpn-test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "it-vpn-test" #1: Peer ID is ID_IPV4_ADDR: '151.1.xxx.xxx'
002 "it-vpn-test" #1: ISAKMP SA established
004 "it-vpn-test" #1: STATE_MAIN_I4: ISAKMP SA established
002 "it-vpn-test" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using
isakmp#1}
112 "it-vpn-test" #2: STATE_QUICK_I1: initiate
002 "it-vpn-test" #2: route-client output: /usr/lib/ipsec/_updown: doroute
`ip route add 10.2.31.119/32 via 151.1.xxx.xxx dev eth0 src 10.178.204.18
table 220' failed (RTNETLINK answers: No such process)
002 "it-vpn-test" #2: sent QI2, IPsec SA established {ESP=>0x7deff7dc
<0x01d4a387}
004 "it-vpn-test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x7deff7dc <0x01d4a387}
I've read a couple of posts that say the problem is either using the wrong
shell to run the _updown script or the missing leftsourceip parameter. I
confirmed bash is used to run the first and added the second (after which the
ip route add line started appearing in the log), but no luck after this.
Any idea where I went wrong?
Thanks & Best Regards,
Mo
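The route command quoted in the log above, "ip route add 10.2.31.119/32 via 151.1.xxx.xxx dev eth0 src 10.178.204.18 table 220", asks the kernel to use the remote peer's public address as the gateway on eth0. The kernel only accepts a gateway that is on-link for the named device (a connected, gateway-less prefix on that interface), and when policy-routing rules are installed (strongSwan adds one for table 220) a gateway that resolves to nothing on that device is reported as "RTNETLINK answers: No such process" (ESRCH) rather than "Network is unreachable". The following script is an added example by the editor, not code from the original post or from strongSwan: it parses the poster's "ip -4 r s" output, checks whether a given nexthop is on-link for a device, and builds the route command with the nexthop taken from the kernel's own route to the destination. The masked octets are filled in with placeholder values (the assumption that eth0 sits on 50.56.180.0/24 follows from "default via 50.56.180.1 dev eth0"; 50.56.180.10 and 151.1.2.3 are stand-ins for the masked local and peer addresses).

```python
"""Predict whether `ip route add <dst> via <gw> dev <dev>` can succeed for a
given IPv4 routing table, and build the command with a usable nexthop.

Editor's added example; not from the mailing-list post or from strongSwan.
"""
import ipaddress

# Constructed sample: the `ip -4 r s` output from the post, with the masked
# octets filled in. ASSUMPTION: eth0 is on 50.56.180.0/24 (implied by the
# default gateway 50.56.180.1); 50.56.180.10 stands in for the masked host.
SAMPLE_ROUTES = """\
50.56.180.0/24 dev eth0 proto kernel scope link src 50.56.180.10
10.178.192.0/19 dev eth1 proto kernel scope link src 10.178.204.18
10.191.192.0/18 via 10.178.192.1 dev eth1
10.176.0.0/12 via 10.178.192.1 dev eth1
default via 50.56.180.1 dev eth0
"""


def parse_routes(text):
    """Parse `ip -4 route show` lines into (network, via, dev) tuples.

    `via` is None for connected (gateway-less) routes.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        via = dev = None
        for i, tok in enumerate(fields[1:], 1):
            if tok == "via":
                via = ipaddress.ip_address(fields[i + 1])
            elif tok == "dev":
                dev = fields[i + 1]
        routes.append((net, via, dev))
    return routes


def onlink_networks(routes, dev):
    """Connected prefixes on dev: a `via` gateway must fall inside one of them."""
    return [net for net, via, d in routes if via is None and d == dev]


def check_nexthop(routes, gateway, dev):
    """Return (ok, reason). ok=False means the kernel will reject the route;
    with policy-routing rules present the error surfaces as ESRCH
    ("No such process"), otherwise as ENETUNREACH."""
    gw = ipaddress.ip_address(gateway)
    nets = onlink_networks(routes, dev)
    for net in nets:
        if gw in net:
            return True, f"{gw} is on-link via {net} on {dev}"
    return False, (f"{gw} is not inside any connected prefix of {dev} "
                   f"({', '.join(map(str, nets)) or 'none'})")


def lookup(routes, dest):
    """Longest-prefix match for a destination address, as the kernel does."""
    d = ipaddress.ip_address(dest)
    best = None
    for route in routes:
        if d in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def fixed_route_command(routes, dest_prefix, src, table=220):
    """Build the `ip route add` line with the nexthop the kernel itself would
    use to reach the destination, keeping dst, src and table unchanged."""
    net = ipaddress.ip_network(dest_prefix, strict=False)
    route = lookup(routes, str(net.network_address))
    if route is None:
        return None
    _, via, dev = route
    if via is None:
        return f"ip route add {net} dev {dev} src {src} table {table}"
    return f"ip route add {net} via {via} dev {dev} src {src} table {table}"


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    # 151.1.2.3 is a placeholder for the masked peer address in the post.
    print(check_nexthop(routes, "151.1.2.3", "eth0"))
    print(fixed_route_command(routes, "10.2.31.119/32", "10.178.204.18"))
```

Run against the posted table, the check rejects the peer address as a nexthop on eth0 and produces "ip route add 10.2.31.119/32 via 50.56.180.1 dev eth0 src 10.178.204.18 table 220" instead, which is the route a `via` through the default gateway would give. The nexthop the _updown script receives is whatever pluto passes as PLUTO_NEXT_HOP, so the thing to verify in a setup like this one is the leftnexthop value in effect for the connection (the peer address is used when no other nexthop is known), not the _updown script or the shell running it.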