[strongSwan] VPN tunnel between server and client established but vpn clients unable to connect to the Internet

Ashwin Rao ashwin.shirvanthe at gmail.com
Tue Jul 3 06:05:34 CEST 2012


Hi,

I would like my mobile clients to connect to the Internet via my VPN
server. My clients (an iPod touch and an Android phone running Android
4.0) are able to create a VPN tunnel to my server running
strongSwan 5.0.0 on Ubuntu 12.04 (kernel 3.2.0-23-generic). I have
disabled all the firewalls and flushed all the rules in iptables
on my server. I am not able to figure out why my clients are not able
to connect to the Internet. Are there any specific rules that I must
add to the routing tables to enable forwarding? I have enabled
forwarding, and the output of cat /proc/sys/net/ipv4/ip_forward is 1.
My clients show that the VPN tunnel is established; however, I am not
able to access web pages from my mobile devices after the tunnel has
been established. I am able to access web pages when I disable the VPN.

My ipsec.conf is as follows:
# ipsec.conf - strongSwan IPsec configuration file
config setup
# Add connections here.
conn mobile
	type=tunnel
	auto=add
	keyexchange=ikev1
	authby=xauthrsasig
	xauth=server
	left=%defaultroute
	leftid=@snowmane.mydomain.edu
	leftsourceip=%config
	leftsubnet=0.0.0.0/0
	leftcert=serverCert.pem
	leftrsasigkey=%cert
	right=%any
	leftfirewall=yes
	rightsourceip=10.2.0.1/16

My strongswan.conf is as follows:
# strongswan.conf - strongSwan configuration file

charon {
	plugins {
		attr {
			dns = <dns1>, <dns2>
		}
	}
	filelog {
		/var/log/charon.log {
			time_format = %b %e %T
			append = no
			default = 1
			flush_line = yes
		}
		stderr {			
			ike = 2
			knl = 3			
			ike_name = yes
		}
	}
	syslog {
		identifier = charon-custom
		daemon {
		}
		auth {
			default = -1
			ike = 0
		}
	}
}


The output of /home/arao/usr/sbin/ipsec start --nofork --debug-all is
as follows. This is followed by the output of ip route list table 0
and ipsec statusall.

Starting strongSwan 5.0.0 IPsec [starter]...
Loading config setup
Loading conn 'mobile'
  type=tunnel
  auto=add
  keyexchange=ikev1
  authby=xauthrsasig
  xauth=server
  left=%defaultroute
  leftid=@snowmane.mydomain.edu
  leftsourceip=%config
  leftsubnet=0.0.0.0/0
  leftcert=serverCert.pem
  leftrsasigkey=%cert
  right=%any
  leftfirewall=yes
  rightsourceip=10.2.0.1/16
found netkey IPsec stack
plugin 'kernel-netlink': loaded successfully
listening on interfaces:
  eth1
    ppp.ppp.4.186
   abcd::221:9abc:fecd:abcd
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux
3.2.0-23-generic, x86_64)
00[KNL] listening on interfaces:
00[KNL]   eth1
00[KNL]     ppp.ppp.4.186
00[KNL]     feaa::aaa:aaa:aaaa:aaaa
00[CFG] loaded 0 RADIUS server configurations
00[CFG] loading ca certificates from '/home/arao/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=US, O=snowmane, CN=snowmane CA"
from '/home/arao/etc/ipsec.d/cacerts/caCert.pem'
00[CFG] loading aa certificates from '/home/arao/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/home/arao/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/home/arao/etc/ipsec.d/acerts'
00[CFG] loading crls from '/home/arao/etc/ipsec.d/crls'
00[CFG] loading secrets from '/home/arao/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from
'/home/arao/etc/ipsec.d/private/serverKey.pem'
00[CFG]   loaded EAP secret for test
00[DMN] loaded plugins: charon aes des sha1 sha2 md4 md5 random nonce
x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl
gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve
socket-default socket-raw socket-dynamic stroke updown eap-identity
eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-radius
xauth-generic
00[JOB] spawning 16 worker threads
charon (2065) started after 40 ms
10[CFG] received stroke: add connection 'mobile'
10[KNL] getting interface name for %any
10[KNL] %any is not a local address
10[KNL] getting interface name for %any
10[KNL] %any is not a local address
10[CFG] left nor right host is our side, assuming left=local
10[CFG]   loaded certificate "C=US, O=snowmane,
CN=snowmane.mydomain.edu" from 'serverCert.pem'
10[CFG] added configuration 'mobile'
10[CFG] adding virtual IP address pool 'mobile': 10.2.0.1/16
11[NET] <1> received packet: from sss.sss.202.73[500] to ppp.ppp.4.186[500]
11[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V ]
11[IKE] <1> received NAT-T (RFC 3947) vendor ID
11[IKE] <1> received draft-ietf-ipsec-nat-t-ike vendor ID
11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
11[IKE] <1> received XAuth vendor ID
11[IKE] <1> received Cisco Unity vendor ID
11[IKE] <1> received DPD vendor ID
11[IKE] <1> sss.sss.202.73 is initiating a Main Mode IKE_SA
11[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
11[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
11[NET] <1> sending packet: from ppp.ppp.4.186[500] to sss.sss.202.73[500]
12[NET] <1> received packet: from sss.sss.202.73[500] to ppp.ppp.4.186[500]
12[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
12[IKE] <1> sending cert request for "C=US, O=snowmane, CN=snowmane CA"
12[ENC] <1> generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
12[NET] <1> sending packet: from ppp.ppp.4.186[500] to sss.sss.202.73[500]
13[NET] <1> received packet: from sss.sss.202.73[500] to ppp.ppp.4.186[500]
13[ENC] <1> parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
13[IKE] <1> ignoring certificate request without data
13[IKE] <1> received end entity cert "C=US, O=snowmane, CN=client"
13[CFG] <1> looking for XAuthInitRSA peer configs matching
ppp.ppp.4.186...sss.sss.202.73[C=US, O=snowmane, CN=client]
13[CFG] <1> selected peer config "mobile"
13[CFG] <mobile|1>   using certificate "C=US, O=snowmane, CN=client"
13[CFG] <mobile|1>   using trusted ca certificate "C=US, O=snowmane,
CN=snowmane CA"
13[CFG] <mobile|1> checking certificate status of "C=US, O=snowmane, CN=client"
13[CFG] <mobile|1> certificate status is not available
13[CFG] <mobile|1>   reached self-signed root ca with a path length of 0
13[IKE] <mobile|1> authentication of 'C=US, O=snowmane, CN=client'
with RSA successful
13[IKE] <mobile|1> authentication of 'snowmane.mydomain.edu' (myself) successful
13[IKE] <mobile|1> queueing XAUTH task
13[IKE] <mobile|1> sending end entity cert "C=US, O=snowmane,
CN=snowmane.mydomain.edu"
13[ENC] <mobile|1> generating ID_PROT response 0 [ ID CERT SIG ]
13[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
sss.sss.202.73[500]
13[IKE] <mobile|1> activating new tasks
13[IKE] <mobile|1>   activating XAUTH task
13[ENC] <mobile|1> generating TRANSACTION request 697392116 [ HASH CP ]
13[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
sss.sss.202.73[500]
14[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
ppp.ppp.4.186[500]
14[ENC] <mobile|1> parsed TRANSACTION response 697392116 [ HASH CP ]
14[IKE] <mobile|1> XAuth authentication of 'test' successful
14[IKE] <mobile|1> reinitiating already active tasks
14[IKE] <mobile|1>   XAUTH task
14[ENC] <mobile|1> generating TRANSACTION request 1383976983 [ HASH CP ]
14[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
sss.sss.202.73[500]
15[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
ppp.ppp.4.186[500]
15[ENC] <mobile|1> parsed TRANSACTION response 1383976983 [ HASH CP ]
15[IKE] <mobile|1> IKE_SA mobile[1] established between
ppp.ppp.4.186[snowmane.mydomain.edu]...sss.sss.202.73[C=US,
O=snowmane, CN=client]
15[IKE] <mobile|1> IKE_SA mobile[1] state change: CONNECTING => ESTABLISHED
15[IKE] <mobile|1> scheduling reauthentication in 10185s
15[IKE] <mobile|1> maximum IKE_SA lifetime 10725s
15[IKE] <mobile|1> activating new tasks
15[IKE] <mobile|1> nothing to initiate
08[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
ppp.ppp.4.186[500]
08[ENC] <mobile|1> unknown attribute type (28683)
08[ENC] <mobile|1> parsed TRANSACTION request 3638562725 [ HASH CP ]
08[IKE] <mobile|1> processing INTERNAL_IP4_ADDRESS attribute
08[IKE] <mobile|1> processing INTERNAL_IP4_NETMASK attribute
08[IKE] <mobile|1> processing INTERNAL_IP4_DNS attribute
08[IKE] <mobile|1> processing INTERNAL_IP4_NBNS attribute
08[IKE] <mobile|1> processing INTERNAL_ADDRESS_EXPIRY attribute
08[IKE] <mobile|1> processing APPLICATION_VERSION attribute
08[IKE] <mobile|1> processing UNITY_BANNER attribute
08[IKE] <mobile|1> processing UNITY_DEF_DOMAIN attribute
08[IKE] <mobile|1> processing UNITY_SPLITDNS_NAME attribute
08[IKE] <mobile|1> processing UNITY_SPLIT_INCLUDE attribute
08[IKE] <mobile|1> processing UNITY_LOCAL_LAN attribute
08[IKE] <mobile|1> processing UNITY_PFS attribute
08[IKE] <mobile|1> processing UNITY_SAVE_PASSWD attribute
08[IKE] <mobile|1> processing UNITY_FW_TYPE attribute
08[IKE] <mobile|1> processing UNITY_BACKUP_SERVERS attribute
08[IKE] <mobile|1> processing (28683) attribute
08[IKE] <mobile|1> peer requested virtual IP %any
08[CFG] <mobile|1> assigning new lease to 'test'
08[IKE] <mobile|1> assigning virtual IP 10.2.0.2 to peer 'test'
08[IKE] <mobile|1> building INTERNAL_IP4_DNS attribute
08[IKE] <mobile|1> building INTERNAL_IP4_DNS attribute
08[ENC] <mobile|1> generating TRANSACTION response 3638562725 [ HASH CP ]
08[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
sss.sss.202.73[500]
09[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
ppp.ppp.4.186[500]
09[ENC] <mobile|1> parsed QUICK_MODE request 3999904694 [ HASH SA No ID ID ]
09[KNL] <mobile|1> getting SPI for reqid {1}
09[KNL] <mobile|1> sending XFRM_MSG_ALLOCSPI: => 248 bytes @ 0x7ffd837ef760
09[KNL] <mobile|1>    0: F8 00 00 00 16 00 01 00 C9 00 00 00 11 08 00
00  ................
..................................
09[KNL] <mobile|1>  240: 00 00 00 C0 FF FF FF CF
   ........
09[KNL] <mobile|1> got SPI c41566b6 for reqid {1}
09[ENC] <mobile|1> generating QUICK_MODE response 3999904694 [ HASH SA
No ID ID ]
09[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
sss.sss.202.73[500]
10[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
ppp.ppp.4.186[500]
10[ENC] <mobile|1> parsed QUICK_MODE request 3999904694 [ HASH ]
10[KNL] <mobile|1> adding SAD entry with SPI c41566b6 and reqid {1}
(mark 0/0x       0)
10[KNL] <mobile|1>   using encryption algorithm AES_CBC with key size 256
10[KNL] <mobile|1>   using integrity algorithm HMAC_SHA1_96 with key size 160
10[KNL] <mobile|1> sending XFRM_MSG_UPDSA: => 436 bytes @ 0x7ffd82fee570
10[KNL] <mobile|1>    0: B4 01 00 00 1A 00 05 00 CA 00 00 00 11 08 00
00  ................
.................
10[KNL] <mobile|1>  432: DC D7 7C 4E                                      ..|N
10[KNL] <mobile|1> adding SAD entry with SPI 0de9adeb and reqid {1}
(mark 0/0x       0)
10[KNL] <mobile|1>   using encryption algorithm AES_CBC with key size 256
10[KNL] <mobile|1>   using integrity algorithm HMAC_SHA1_96 with key size 160
10[KNL] <mobile|1> sending XFRM_MSG_NEWSA: => 436 bytes @ 0x7ffd82fee570
10[KNL] <mobile|1>    0: B4 01 00 00 10 00 05 00 CB 00 00 00 11 08 00
00  ................
...................
10[KNL] <mobile|1>  432: EF 2E 49 65                                      ..Ie
10[KNL] <mobile|1> adding policy 0.0.0.0/0 === 10.2.0.2/32 out  (mark
0/0x       0)
10[KNL] <mobile|1> sending XFRM_MSG_NEWPOLICY: => 184 bytes @ 0x7ffd82fee470
10[KNL] <mobile|1>    0: B8 00 00 00 13 00 05 00 CC 00 00 00 11 08 00
00  ................
........................
10[KNL] <mobile|1>  176: 01 01 00 00 00 00 00 00
   ........
10[KNL] <mobile|1> adding policy 10.2.0.2/32 === 0.0.0.0/0 in  (mark
0/0x       0)
10[KNL] <mobile|1> sending XFRM_MSG_NEWPOLICY: => 184 bytes @ 0x7ffd82fee470
10[KNL] <mobile|1>    0: B8 00 00 00 13 00 05 00 CD 00 00 00 11 08 00
00  ................
......................
10[KNL] <mobile|1>  176: 00 01 00 00 00 00 00 00
   ........
10[KNL] <mobile|1> adding policy 10.2.0.2/32 === 0.0.0.0/0 fwd  (mark
0/0x       0)
10[KNL] <mobile|1> sending XFRM_MSG_NEWPOLICY: => 184 bytes @ 0x7ffd82fee470
10[KNL] <mobile|1>    0: B8 00 00 00 13 00 05 00 CE 00 00 00 11 08 00
00  ................
........................
10[KNL] <mobile|1>  176: 02 01 00 00 00 00 00 00
   ........
10[KNL] <mobile|1> getting a local address in traffic selector 0.0.0.0/0
10[KNL] <mobile|1> using host %any
10[KNL] <mobile|1> getting address to reach sss.sss.202.73
10[KNL] <mobile|1> getting interface name for ppp.ppp.4.186
10[KNL] <mobile|1> ppp.ppp.4.186 is on interface eth1
10[KNL] <mobile|1> installing route: 10.2.0.2/32 via ppp.ppp.4.100 src
%any dev eth1
10[KNL] <mobile|1> getting iface index for eth1
10[KNL] <mobile|1> policy 0.0.0.0/0 === 10.2.0.2/32 out  (mark 0/0x
   0) already exists, increasing refcount
10[KNL] <mobile|1> updating policy 0.0.0.0/0 === 10.2.0.2/32 out
(mark 0/0x       0)
10[KNL] <mobile|1> sending XFRM_MSG_UPDPOLICY: => 252 bytes @ 0x7ffd82fee470
10[KNL] <mobile|1>    0: FC 00 00 00 19 00 05 00 CF 00 00 00 11 08 00
00  ................
............................
10[KNL] <mobile|1>  240: FF FF FF FF FF FF FF FF FF FF FF FF
   ............
10[KNL] <mobile|1> policy 10.2.0.2/32 === 0.0.0.0/0 in  (mark 0/0x
  0) already exists, increasing refcount
10[KNL] <mobile|1> updating policy 10.2.0.2/32 === 0.0.0.0/0 in  (mark
0/0x       0)
10[KNL] <mobile|1> sending XFRM_MSG_UPDPOLICY: => 252 bytes @ 0x7ffd82fee470
10[KNL] <mobile|1>    0: FC 00 00 00 19 00 05 00 D0 00 00 00 11 08 00
00  ................
...........................
10[KNL] <mobile|1>  224: 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00
00  ................
10[KNL] <mobile|1>  240: FF FF FF FF FF FF FF FF FF FF FF FF
   ............
10[KNL] <mobile|1> policy 10.2.0.2/32 === 0.0.0.0/0 fwd  (mark 0/0x
   0) already exists, increasing refcount
10[KNL] <mobile|1> updating policy 10.2.0.2/32 === 0.0.0.0/0 fwd
(mark 0/0x       0)
10[KNL] <mobile|1> sending XFRM_MSG_UPDPOLICY: => 252 bytes @ 0x7ffd82fee470
10[KNL] <mobile|1>    0: FC 00 00 00 19 00 05 00 D1 00 00 00 11 08 00
00  ................
..........................
10[KNL] <mobile|1>  224: 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00
00  ................
10[KNL] <mobile|1>  240: FF FF FF FF FF FF FF FF FF FF FF FF
   ............
10[KNL] <mobile|1> getting a local address in traffic selector 0.0.0.0/0
10[KNL] <mobile|1> using host %any
10[KNL] <mobile|1> getting address to reach sss.sss.202.73
10[KNL] <mobile|1> getting interface name for ppp.ppp.4.186
10[KNL] <mobile|1> ppp.ppp.4.186 is on interface eth1
10[IKE] <mobile|1> CHILD_SA mobile{1} established with SPIs c41566b6_i
0de9adeb_o and TS 0.0.0.0/0 === 10.2.0.2/32
10[KNL] <mobile|1> getting interface name for ppp.ppp.4.186
10[KNL] <mobile|1> ppp.ppp.4.186 is on interface eth1
14[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
ppp.ppp.4.186[500]
14[ENC] <mobile|1> parsed INFORMATIONAL_V1 request 1460918583 [ HASH N(DPD) ]
14[IKE] <mobile|1> queueing ISAKMP_DPD task
14[IKE] <mobile|1> activating new tasks
14[IKE] <mobile|1>   activating ISAKMP_DPD task
14[ENC] <mobile|1> generating INFORMATIONAL_V1 request 364710107 [
HASH N(DPD_ACK) ]
14[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
sss.sss.202.73[500]
14[IKE] <mobile|1> activating new tasks
14[IKE] <mobile|1> nothing to initiate
01[KNL] <mobile|1> querying SAD entry with SPI c41566b6  (mark 0/0x       0)
01[KNL] <mobile|1> sending XFRM_MSG_GETSA: => 40 bytes @ 0x7ffd877f7260
01[KNL] <mobile|1>    0: 28 00 00 00 12 00 01 00 D2 00 00 00 11 08 00
00  (...............
01[KNL] <mobile|1>   16: 80 D0 04 BA 00 00 00 00 00 00 00 00 00 00 00
00  ................
01[KNL] <mobile|1>   32: C4 15 66 B6 02 00 32 00
   ..f...2.
01[KNL] <mobile|1> querying policy 10.2.0.2/32 === 0.0.0.0/0 in  (mark
0/0x       0)
01[KNL] <mobile|1> sending XFRM_MSG_GETPOLICY: => 80 bytes @ 0x7ffd877f7260
01[KNL] <mobile|1>    0: 50 00 00 00 15 00 01 00 D3 00 00 00 11 08 00
00  P...............
.........................
01[KNL] <mobile|1>   64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00  ................
01[KNL] <mobile|1> querying policy 10.2.0.2/32 === 0.0.0.0/0 fwd
(mark 0/0x       0)
01[KNL] <mobile|1> sending XFRM_MSG_GETPOLICY: => 80 bytes @ 0x7ffd877f7260
01[KNL] <mobile|1>    0: 50 00 00 00 15 00 01 00 D4 00 00 00 11 08 00
00  P...............
......................
01[KNL] <mobile|1>   64: 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00
00  ................
01[KNL] <mobile|1> querying SAD entry with SPI 0de9adeb  (mark 0/0x       0)
01[KNL] <mobile|1> sending XFRM_MSG_GETSA: => 40 bytes @ 0x7ffd877f7260
01[KNL] <mobile|1>    0: 28 00 00 00 12 00 01 00 D5 00 00 00 11 08 00
00  (...............
01[KNL] <mobile|1>   16: AD FA CA 49 00 00 00 00 00 00 00 00 00 00 00
00  ...I............
01[KNL] <mobile|1>   32: 0D E9 AD EB 02 00 32 00
   ......2.
09[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
ppp.ppp.4.186[500]
09[ENC] <mobile|1> parsed INFORMATIONAL_V1 request 1526651347 [ HASH N(DPD) ]
09[IKE] <mobile|1> queueing ISAKMP_DPD task
09[IKE] <mobile|1> activating new tasks
09[IKE] <mobile|1>   activating ISAKMP_DPD task
09[ENC] <mobile|1> generating INFORMATIONAL_V1 request 1249208433 [
HASH N(DPD_ACK) ]
09[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
sss.sss.202.73[500]
09[IKE] <mobile|1> activating new tasks
09[IKE] <mobile|1> nothing to initiate
10[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
ppp.ppp.4.186[500]
10[ENC] <mobile|1> parsed INFORMATIONAL_V1 request 1940403548 [ HASH N(DPD) ]
10[IKE] <mobile|1> queueing ISAKMP_DPD task
10[IKE] <mobile|1> activating new tasks
10[IKE] <mobile|1>   activating ISAKMP_DPD task
10[ENC] <mobile|1> generating INFORMATIONAL_V1 request 1632913071 [
HASH N(DPD_ACK) ]
10[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
sss.sss.202.73[500]
10[IKE] <mobile|1> activating new tasks
10[IKE] <mobile|1> nothing to initiate
11[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
ppp.ppp.4.186[500]
11[ENC] <mobile|1> parsed INFORMATIONAL_V1 request 1847830875 [ HASH N(DPD) ]
11[IKE] <mobile|1> queueing ISAKMP_DPD task
11[IKE] <mobile|1> activating new tasks
11[IKE] <mobile|1>   activating ISAKMP_DPD task
11[ENC] <mobile|1> generating INFORMATIONAL_V1 request 3593142118 [
HASH N(DPD_ACK) ]
11[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
sss.sss.202.73[500]
11[IKE] <mobile|1> activating new tasks
11[IKE] <mobile|1> nothing to initiate


The output of ip route list table 0 is as follows:
10.2.0.2 via ppp.ppp.4.100 dev eth1  table 220  proto static
default via ppp.ppp.4.100 dev eth1  metric 100
ppp.ppp.4.0/24 dev eth1  proto kernel  scope link  src ppp.ppp.4.186
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src
127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope
link  src 127.0.0.1
broadcast ppp.ppp.4.0 dev eth1  table local  proto kernel  scope link
src ppp.ppp.4.186
local ppp.ppp.4.186 dev eth1  table local  proto kernel  scope host
src ppp.ppp.4.186
broadcast ppp.ppp.4.255 dev eth1  table local  proto kernel  scope
link  src ppp.ppp.4.186
unreachable default dev lo  table unspec  proto kernel  metric -1
error -101 hoplimit 255
feab::/64 dev eth1  proto kernel  metric 256
unreachable default dev lo  table unspec  proto kernel  metric -1
error -101 hoplimit 255
local ::1 via :: dev lo  table local  proto none  metric 0
local feab:: via :: dev lo  table local  proto none  metric 0
local feab::abc:def:fsd:dsdf via :: dev lo  table local  proto none  metric 0
ff00::/8 dev eth1  table local  metric 256

The output of ipsec statusall is as follows:
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-23-generic, x86_64):
  uptime: 51 seconds, since Jul 02 20:34:51 2012
  malloc: sbrk 401408, mmap 0, used 255600, free 145808
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
scheduled: 2
  loaded plugins: charon aes des sha1 sha2 md4 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl
gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve
socket-default socket-raw socket-dynamic stroke updown eap-identity
eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-radius
xauth-generic
Virtual IP pools (size/online/offline):
  mobile: 65535/1/0
Listening IP addresses:
  ppp.ppp.4.186
Connections:
      mobile:  %any...%any  IKEv1
      mobile:   local:  [snowmane.mydomain.edu] uses public key authentication
      mobile:    cert:  "C=US, O=snowmane, CN=snowmane.mydomain.edu"
      mobile:   remote: [%any] uses public key authentication
      mobile:   remote: [%any] uses XAuth authentication: any
      mobile:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
      mobile[1]: ESTABLISHED 31 seconds ago,
ppp.ppp.4.186[snowmane.mydomain.edu]...sss.sss.202.73[C=US,
O=snowmane, CN=client]
      mobile[1]: Remote XAuth identity: test
      mobile[1]: IKEv1 SPIs: ae710ea7de69ab5e_i c1f98a8f2b5a7a44_r*,
public key reauthentication in 2 hours
      mobile[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
      mobile{1}:  INSTALLED, TUNNEL, ESP SPIs: c41566b6_i 0de9adeb_o
      mobile{1}:  AES_CBC_256/HMAC_SHA1_96, 1199 bytes_i (0s ago), 0
bytes_o, rekeying in 44 minutes
      mobile{1}:   0.0.0.0/0 === 10.2.0.2/32


Thanks and Regards,
Ashwin
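As an added example (my own, not from Ashwin's post and not from the strongSwan project), the script below packages the checks a gateway in this configuration needs before its road-warrior clients can reach the Internet: confirm that ip_forward is 1, and give the virtual-IP pool a routable source address. The pool in the posted ipsec.conf, rightsourceip=10.2.0.1/16, is private address space, so packets forwarded to the Internet with a 10.2.0.x source get no replies unless the gateway applies source NAT on its uplink; the policy-match exemption in front of MASQUERADE is the usual idiom so that traffic which will itself leave through an IPsec policy is not NATed. The script also parses the CHILD_SA counter line from ipsec statusall, where the post shows 1199 bytes_i and 0 bytes_o: traffic arrives from the client and nothing is ever sent back, which points at forwarding and NAT on the server rather than at the tunnel. The pool and interface values at the top are taken from the post (eth1 carries the default route in the ip route output); the function names and the dry-run/apply switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks and rules for a
# strongSwan gateway whose clients hold addresses from a virtual IP pool
# and should reach the Internet through the gateway.

VPN_POOL="10.2.0.0/16"   # covers the rightsourceip=10.2.0.1/16 pool in ipsec.conf
WAN_IF="eth1"            # interface carrying the default route in the post

# forwarding_enabled [FILE]: succeed only if the sysctl file holds "1".
# The optional FILE argument lets the check run against a constructed
# copy instead of the live /proc entry.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# nat_rules POOL IFACE: print the iptables commands that give POOL a public
# source address on IFACE. The first rule exempts traffic that will leave
# through an IPsec policy of its own (for example to another peer) from NAT;
# the second masquerades everything else behind IFACE's address.
nat_rules() {
    pool="$1"; iface="$2"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -m policy --dir out --pol ipsec -j ACCEPT\n' "$pool" "$iface"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$pool" "$iface"
}

# forward_rules POOL: FORWARD entries that admit only pool traffic which
# arrived through (or will leave through) an IPsec policy. With
# leftfirewall=yes the updown script installs equivalent rules per
# CHILD_SA; adding these as well is harmless, and they are required when
# leftfirewall is off.
forward_rules() {
    pool="$1"
    printf 'iptables -A FORWARD -m policy --dir in --pol ipsec -s %s -j ACCEPT\n' "$pool"
    printf 'iptables -A FORWARD -m policy --dir out --pol ipsec -d %s -j ACCEPT\n' "$pool"
}

# one_way_traffic LINE: succeed if an "ipsec statusall" CHILD_SA counter
# line shows inbound bytes but zero outbound bytes, i.e. packets arrive
# from the client and nothing is routed back.
one_way_traffic() {
    in_b=$(printf '%s\n' "$1" | sed -n 's/.*[^0-9]\([0-9][0-9]*\) bytes_i.*/\1/p')
    out_b=$(printf '%s\n' "$1" | sed -n 's/.*[^0-9]\([0-9][0-9]*\) bytes_o.*/\1/p')
    [ -n "$in_b" ] && [ -n "$out_b" ] && [ "$in_b" -gt 0 ] && [ "$out_b" -eq 0 ]
}

# Top level: print the rules by default; "apply" as first argument runs them.
MODE="${1:-dry-run}"
if forwarding_enabled; then
    echo "# ip_forward is 1"
else
    echo "# ip_forward is not 1: sysctl -w net.ipv4.ip_forward=1 (and persist it in /etc/sysctl.conf)"
fi
RULES=$( { nat_rules "$VPN_POOL" "$WAN_IF"; forward_rules "$VPN_POOL"; } )
if [ "$MODE" = "apply" ]; then
    printf '%s\n' "$RULES" | sh -e
else
    printf '%s\n' "$RULES"
fi
```

Run it without arguments to review the rules it would install, then with apply on the gateway as root. Feed the CHILD_SA line from ipsec statusall to one_way_traffic to confirm whether the counters still show the one-directional pattern after the rules are in place.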



