[strongSwan] Tunnels established but no data decapsulated
Celine
celine.liste at free.fr
Thu Jan 5 17:48:06 CET 2012
Hello,
I'm trying to establish an IPsec tunnel between an IPsec gateway
(appliance) and a roadwarrior client (strongSwan on Ubuntu Lucid).
I've successfully established tunnels between my host and the server but
I didn't manage to have the data decapsulated.
For example, when I ping from an external client (classical host on the
LAN) to my client (roadwarrior with strongswan), an ESP packet arrives
at the public address, but it is never decapsulated: I've never seen
the ICMP request.
The server is working well with other clients (not strongswan).
Any suggestions would be very much appreciated. I've tried all sorts of debug
options without finding any clue.
Configuration files follow:
ipsec.conf
==========
config setup
nat_traversal=yes
plutostart=yes
# VPN connections
conn vpntest ## TEST
left=%defaultroute
leftsubnet=10.1.2.2/32 ##IP TEST - virtual machine
leftcert=xxxxxxx.pem
right=20.20.20.20
rightsubnet=0.0.0.0/0
rightid="C=..."
rightca="C=..."
ike=aes256-sha2_256-modp4096
esp=aes256-sha2_256-modp4096
pfs=yes
pfsgroup=modp4096
ikelifetime=21600
keylife=3600
dpdaction=restart
dpddelay=10
dpdtimeout=20
auto=start
#include /var/lib/strongswan/ipsec.conf.inc
ipsec statusall
===============
000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth1/eth1 192.168.1.110:4500
000 interface eth1/eth1 192.168.1.110:500
000 interface vnet0/vnet0 10.1.2.1:4500
000 interface vnet0/vnet0 10.1.2.1:500
000 %myid = (none)
000 loaded plugins: curl ldap random pubkey openssl hmac gmp
000 debug options: none
000
000 "vpntest": 10.1.2.2/32===192.168.1.110:4500[C=...]---192.168.1.1...20.20.20.20:4500[C=...]===0.0.0.0/0; erouted; eroute owner: #2
000 "vpntest": CAs: 'C=...'
000 "vpntest": ike_life: 21600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "vpntest": dpd_action: restart; dpd_delay: 10s; dpd_timeout: 20s;
000 "vpntest": policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 32,0; interface: eth1;
000 "vpntest": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "vpntest": IKE proposal: AES_CBC_256/HMAC_SHA2_256/MODP_4096
000 "vpntest": ESP proposal: AES_CBC_256/HMAC_SHA2_256/MODP_4096
000
000 #2: "vpntest" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 528s; newest IPSEC; eroute owner
000 #2: "vpntest" esp.de57cb at 20.20.20.20 (26027 bytes, 101s ago) esp.3c5efcac at 192.168.1.110 (0 bytes); tunnel
000 #1: "vpntest" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 18496s; newest ISAKMP; DPD active
000
Status of IKEv2 charon daemon (strongSwan 4.3.2):
uptime: 35 minutes, since Jan 05 16:58:47 2012
worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
loaded plugins: curl ldap random x509 pubkey openssl xcbc hmac agent gmp kernel-netlink stroke updown eapidentity eapmd5 eapgtc eapaka eapmschapv2
Listening IP addresses:
192.168.1.110
10.1.2.1
Connections:
Security Associations:
none
ip xfrm state
=============
src 192.168.1.110 dst 20.20.20.20
proto esp spi 0x00de57cb reqid 16385 mode tunnel
replay-window 32
auth hmac(sha256)
0x5496a9a2bdddf59aeebaea59ea0dc53be56957dbb6995a13a159c2550a9ef7cb
enc cbc(aes)
0x81b5a994ae408bd255c880b61371dd6cd60e41940d1e4297ac7b5d0597eb5d55
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 20.20.20.20 dst 192.168.1.110
proto esp spi 0x3c5efcac reqid 16385 mode tunnel
replay-window 32
auth hmac(sha256)
0x56fbaf59f972e7dab7c3fad3d6573323f757aa070106ee814ed026c458fe8a3e
enc cbc(aes)
0xfcb5e15209f7dd7bf5f686b5c6ce03ddff119f1f68278865088ef93761b3877c
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
sel src 0.0.0.0/0 dst 0.0.0.0/0
ip xfrm policy
==============
src 10.1.2.2/32 dst 0.0.0.0/0
dir out priority 2112
tmpl src 192.168.1.110 dst 20.20.20.20
proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 10.1.2.2/32
dir fwd priority 2112
tmpl src 20.20.20.20 dst 192.168.1.110
proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 10.1.2.2/32
dir in priority 2112
tmpl src 20.20.20.20 dst 192.168.1.110
proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src ::/0 dst ::/0
dir 3 priority 0
src ::/0 dst ::/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src ::/0 dst ::/0
dir 3 priority 0
src ::/0 dst ::/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
src ::/0 dst ::/0
dir 3 priority 0
src ::/0 dst ::/0
dir 4 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
and ip_forward set to 1.
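A check worth running on the roadwarrior in this situation, added here as an example and not part of the original post: it reads the per-direction byte counts from the `ipsec statusall` SA line and the kernel's `/proc/net/xfrm_stat` counters, which record why an inbound ESP packet was dropped instead of decapsulated. The sample status line reuses the SPIs quoted in the post; the xfrm_stat values are constructed.

```python
import re

# Constructed sample: the ESP SA line from the post's `ipsec statusall`
# (strongSwan 4.x pluto), carrying the SPIs and byte counts quoted there.
SAMPLE_STATUS = (
    '000 #2: "vpntest" esp.de57cb at 20.20.20.20 (26027 bytes, 101s ago) '
    'esp.3c5efcac at 192.168.1.110 (0 bytes); tunnel'
)

# Constructed sample of /proc/net/xfrm_stat: the names are the kernel's real
# counters, the values are made up to show a selector/template mismatch.
SAMPLE_XFRM_STAT = """XfrmInError 0
XfrmInNoStates 0
XfrmInStateProtoError 0
XfrmInStateMismatch 0
XfrmInTmplMismatch 17
XfrmInNoPols 0
XfrmOutError 0"""

SA_RE = re.compile(r"esp\.([0-9a-f]+) at (\d+\.\d+\.\d+\.\d+) \((\d+) bytes")

def sa_bytes(status_text):
    """Map each ESP SPI in pluto's status output to (endpoint, bytes seen)."""
    return {spi: (addr, int(n)) for spi, addr, n in SA_RE.findall(status_text)}

def inbound_drop_counters(xfrm_stat_text):
    """Return the non-zero XfrmIn* counters; each names a reason the kernel
    discarded an inbound ESP packet instead of decapsulating it."""
    drops = {}
    for line in xfrm_stat_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].startswith("XfrmIn") and int(parts[1]) > 0:
            drops[parts[0]] = int(parts[1])
    return drops

def diagnose(status_text, xfrm_stat_text, local_ip):
    """Flag a one-way tunnel. pluto prints the outbound SA 'at <peer>' and the
    inbound SA 'at <local_ip>', so a 0-byte inbound SA beside a busy outbound
    one means ESP leaves the host but nothing is ever decapsulated."""
    counters = sa_bytes(status_text)
    sent = sum(n for addr, n in counters.values() if addr != local_ip)
    received = sum(n for addr, n in counters.values() if addr == local_ip)
    findings = []
    if sent > 0 and received == 0:
        findings.append("outbound SA carries traffic but inbound SA shows 0 bytes")
    for name, count in inbound_drop_counters(xfrm_stat_text).items():
        findings.append(f"{name}={count}: kernel dropped inbound ESP before decapsulation")
    return findings
```

On the affected host, feed `diagnose()` the real `ipsec statusall` output and the contents of `/proc/net/xfrm_stat`; a rising XfrmInNoStates means no SA matched the incoming SPI, while XfrmInTmplMismatch means the packet was decrypted but its inner addresses did not match the inbound policy selector.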