[strongSwan] VPN tunnel between server and client established but vpn clients unable to connect to the Internet

Andreas Steffen andreas.steffen at strongswan.org
Tue Jul 3 07:40:41 CEST 2012


Hi Ashwin,

you have to NAT the source address of the packets tunneled from the
iPhones to the IP address of the physical VPN gateway interface
because the private 10.2.0.0/16 address range of the assigned virtual
IPs will not be routed over the Internet:

  iptables -t nat -A POSTROUTING -s 10.2.0.0/16 -o eth1 -j MASQUERADE

Regards

Andreas

On 07/03/2012 06:05 AM, Ashwin Rao wrote:
> Hi,
> 
> I would like my mobile clients to connect to the Internet via my VPN
> server. My clients (an ipod touch and an android phone running android
> 4.0) are able to create a VPN tunnel between my server running
> strongswan 5.0.0 on ubuntu 12.04 (kernel 3.2.0-23-generic). I have
> disabled all the firewalls and flushed out all the rules in iptables
> on my server. I am not able to figure out why my clients are not able
> to connect to the Internet. Are there any specific rules that I must
> add in the routing tables to enable forwarding. I have enabled
> forwarding and the output of cat /proc/sys/net/ipv4/ip_forward  is 1.
> My clients show that the VPN tunnel is established however I am not
> able to access web pages from my mobile devices after the tunnel has
> been established. I am able to access webpages when I disable VPN.
> 
> My ipsec.conf is as follows
> # ipsec.conf - strongSwan IPsec configuration file
> config setup
> # Add connections here.
> conn mobile
> 	type=tunnel
> 	auto=add
> 	keyexchange=ikev1
> 	authby=xauthrsasig
> 	xauth=server
> 	left=%defaultroute
> 	leftid=@snowmane.mydomain.edu
> 	leftsourceip=%config
> 	leftsubnet=0.0.0.0/0
> 	leftcert=serverCert.pem
> 	leftrsasigkey=%cert	
> 	right=%any
> 	leftfirewall=yes
> 	rightsourceip=10.2.0.1/16
> 
> My strongswan.conf is as follows
> # strongswan.conf - strongSwan configuration file
> 
> charon {
> 	plugins {
> 		attr {
> 			dns = <dns1>, <dns2>
> 		}
> 	 }
> 	filelog {
> 		/var/log/charon.log {			
> 			time_format = %b %e %T			
> 			append = no			
> 			default = 1			
> 			flush_line = yes
> 		}
> 		stderr {			
> 			ike = 2
> 			knl = 3			
> 			ike_name = yes
> 		}
> 	}
> 	syslog {
> 		identifier = charon-custom
> 		daemon {
> 		}
> 		auth {
> 			default = -1
> 			ike = 0
> 		}
> 	}
> }
> 
> 
> The output of /home/arao/usr/sbin/ipsec start --nofork --debug-all  is
> as follows. This is followed by the output of ip route list table 0
> and  ipsec status all
> 
> Starting strongSwan 5.0.0 IPsec [starter]...
> Loading config setup
> Loading conn 'mobile'
>   type=tunnel
>   auto=add
>   keyexchange=ikev1
>   authby=xauthrsasig
>   xauth=server
>   left=%defaultroute
>   leftid=@snowmane.mydomain.edu
>   leftsourceip=%config
>   leftsubnet=0.0.0.0/0
>   leftcert=serverCert.pem
>   leftrsasigkey=%cert
>   right=%any
>   leftfirewall=yes
>   rightsourceip=10.2.0.1/16
> found netkey IPsec stack
> plugin 'kernel-netlink': loaded successfully
> listening on interfaces:
>   eth1
>     ppp.ppp.4.186
>    abcd::221:9abc:fecd:abcd
> Attempting to start charon...
> 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux
> 3.2.0-23-generic, x86_64)
> 00[KNL] listening on interfaces:
> 00[KNL]   eth1
> 00[KNL]     ppp.ppp.4.186
> 00[KNL]     feaa::aaa:aaa:aaaa:aaaa
> 00[CFG] loaded 0 RADIUS server configurations
> 00[CFG] loading ca certificates from '/home/arao/etc/ipsec.d/cacerts'
> 00[CFG]   loaded ca certificate "C=US, O=snowmane, CN=snowmane CA"
> from '/home/arao/etc/ipsec.d/cacerts/caCert.pem'
> 00[CFG] loading aa certificates from '/home/arao/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/home/arao/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/home/arao/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/home/arao/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/home/arao/etc/ipsec.secrets'
> 00[CFG]   loaded RSA private key from
> '/home/arao/etc/ipsec.d/private/serverKey.pem'
> 00[CFG]   loaded EAP secret for test
> 00[DMN] loaded plugins: charon aes des sha1 sha2 md4 md5 random nonce
> x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl
> gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve
> socket-default socket-raw socket-dynamic stroke updown eap-identity
> eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-radius
> xauth-generic
> 00[JOB] spawning 16 worker threads
> charon (2065) started after 40 ms
> 10[CFG] received stroke: add connection 'mobile'
> 10[KNL] getting interface name for %any
> 10[KNL] %any is not a local address
> 10[KNL] getting interface name for %any
> 10[KNL] %any is not a local address
> 10[CFG] left nor right host is our side, assuming left=local
> 10[CFG]   loaded certificate "C=US, O=snowmane,
> CN=snowmane.mydomain.edu" from 'serverCert.pem'
> 10[CFG] added configuration 'mobile'
> 10[CFG] adding virtual IP address pool 'mobile': 10.2.0.1/16
> 11[NET] <1> received packet: from sss.sss.202.73[500] to ppp.ppp.4.186[500]
> 11[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V ]
> 11[IKE] <1> received NAT-T (RFC 3947) vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 11[IKE] <1> received XAuth vendor ID
> 11[IKE] <1> received Cisco Unity vendor ID
> 11[IKE] <1> received DPD vendor ID
> 11[IKE] <1> sss.sss.202.73 is initiating a Main Mode IKE_SA
> 11[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> 11[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
> 11[NET] <1> sending packet: from ppp.ppp.4.186[500] to sss.sss.202.73[500]
> 12[NET] <1> received packet: from sss.sss.202.73[500] to ppp.ppp.4.186[500]
> 12[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> 12[IKE] <1> sending cert request for "C=US, O=snowmane, CN=snowmane CA"
> 12[ENC] <1> generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
> 12[NET] <1> sending packet: from ppp.ppp.4.186[500] to sss.sss.202.73[500]
> 13[NET] <1> received packet: from sss.sss.202.73[500] to ppp.ppp.4.186[500]
> 13[ENC] <1> parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
> 13[IKE] <1> ignoring certificate request without data
> 13[IKE] <1> received end entity cert "C=US, O=snowmane, CN=client"
> 13[CFG] <1> looking for XAuthInitRSA peer configs matching
> ppp.ppp.4.186...sss.sss.202.73[C=US, O=snowmane, CN=client]
> 13[CFG] <1> selected peer config "mobile"
> 13[CFG] <mobile|1>   using certificate "C=US, O=snowmane, CN=client"
> 13[CFG] <mobile|1>   using trusted ca certificate "C=US, O=snowmane,
> CN=snowmane CA"
> 13[CFG] <mobile|1> checking certificate status of "C=US, O=snowmane, CN=client"
> 13[CFG] <mobile|1> certificate status is not available
> 13[CFG] <mobile|1>   reached self-signed root ca with a path length of 0
> 13[IKE] <mobile|1> authentication of 'C=US, O=snowmane, CN=client'
> with RSA successful
> 13[IKE] <mobile|1> authentication of 'snowmane.mydomain.edu' (myself) successful
> 13[IKE] <mobile|1> queueing XAUTH task
> 13[IKE] <mobile|1> sending end entity cert "C=US, O=snowmane,
> CN=snowmane.mydomain.edu"
> 13[ENC] <mobile|1> generating ID_PROT response 0 [ ID CERT SIG ]
> 13[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 13[IKE] <mobile|1> activating new tasks
> 13[IKE] <mobile|1>   activating XAUTH task
> 13[ENC] <mobile|1> generating TRANSACTION request 697392116 [ HASH CP ]
> 13[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 14[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 14[ENC] <mobile|1> parsed TRANSACTION response 697392116 [ HASH CP ]
> 14[IKE] <mobile|1> XAuth authentication of 'test' successful
> 14[IKE] <mobile|1> reinitiating already active tasks
> 14[IKE] <mobile|1>   XAUTH task
> 14[ENC] <mobile|1> generating TRANSACTION request 1383976983 [ HASH CP ]
> 14[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 15[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 15[ENC] <mobile|1> parsed TRANSACTION response 1383976983 [ HASH CP ]
> 15[IKE] <mobile|1> IKE_SA mobile[1] established between
> ppp.ppp.4.186[snowmane.mydomain.edu]...sss.sss.202.73[C=US,
> O=snowmane, CN=client]
> 15[IKE] <mobile|1> IKE_SA mobile[1] state change: CONNECTING => ESTABLISHED
> 15[IKE] <mobile|1> scheduling reauthentication in 10185s
> 15[IKE] <mobile|1> maximum IKE_SA lifetime 10725s
> 15[IKE] <mobile|1> activating new tasks
> 15[IKE] <mobile|1> nothing to initiate
> 08[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 08[ENC] <mobile|1> unknown attribute type (28683)
> 08[ENC] <mobile|1> parsed TRANSACTION request 3638562725 [ HASH CP ]
> 08[IKE] <mobile|1> processing INTERNAL_IP4_ADDRESS attribute
> 08[IKE] <mobile|1> processing INTERNAL_IP4_NETMASK attribute
> 08[IKE] <mobile|1> processing INTERNAL_IP4_DNS attribute
> 08[IKE] <mobile|1> processing INTERNAL_IP4_NBNS attribute
> 08[IKE] <mobile|1> processing INTERNAL_ADDRESS_EXPIRY attribute
> 08[IKE] <mobile|1> processing APPLICATION_VERSION attribute
> 08[IKE] <mobile|1> processing UNITY_BANNER attribute
> 08[IKE] <mobile|1> processing UNITY_DEF_DOMAIN attribute
> 08[IKE] <mobile|1> processing UNITY_SPLITDNS_NAME attribute
> 08[IKE] <mobile|1> processing UNITY_SPLIT_INCLUDE attribute
> 08[IKE] <mobile|1> processing UNITY_LOCAL_LAN attribute
> 08[IKE] <mobile|1> processing UNITY_PFS attribute
> 08[IKE] <mobile|1> processing UNITY_SAVE_PASSWD attribute
> 08[IKE] <mobile|1> processing UNITY_FW_TYPE attribute
> 08[IKE] <mobile|1> processing UNITY_BACKUP_SERVERS attribute
> 08[IKE] <mobile|1> processing (28683) attribute
> 08[IKE] <mobile|1> peer requested virtual IP %any
> 08[CFG] <mobile|1> assigning new lease to 'test'
> 08[IKE] <mobile|1> assigning virtual IP 10.2.0.2 to peer 'test'
> 08[IKE] <mobile|1> building INTERNAL_IP4_DNS attribute
> 08[IKE] <mobile|1> building INTERNAL_IP4_DNS attribute
> 08[ENC] <mobile|1> generating TRANSACTION response 3638562725 [ HASH CP ]
> 08[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 09[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 09[ENC] <mobile|1> parsed QUICK_MODE request 3999904694 [ HASH SA No ID ID ]
> 09[KNL] <mobile|1> getting SPI for reqid {1}
> 09[KNL] <mobile|1> sending XFRM_MSG_ALLOCSPI: => 248 bytes @ 0x7ffd837ef760
> 09[KNL] <mobile|1>    0: F8 00 00 00 16 00 01 00 C9 00 00 00 11 08 00
> 00  ................
> ..................................
> 09[KNL] <mobile|1>  240: 00 00 00 C0 FF FF FF CF
>    ........
> 09[KNL] <mobile|1> got SPI c41566b6 for reqid {1}
> 09[ENC] <mobile|1> generating QUICK_MODE response 3999904694 [ HASH SA
> No ID ID ]
> 09[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 10[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 10[ENC] <mobile|1> parsed QUICK_MODE request 3999904694 [ HASH ]
> 10[KNL] <mobile|1> adding SAD entry with SPI c41566b6 and reqid {1}
> (mark 0/0x       0)
> 10[KNL] <mobile|1>   using encryption algorithm AES_CBC with key size 256
> 10[KNL] <mobile|1>   using integrity algorithm HMAC_SHA1_96 with key size 160
> 10[KNL] <mobile|1> sending XFRM_MSG_UPDSA: => 436 bytes @ 0x7ffd82fee570
> 10[KNL] <mobile|1>    0: B4 01 00 00 1A 00 05 00 CA 00 00 00 11 08 00
> 00  ................
> .................
> 10[KNL] <mobile|1>  432: DC D7 7C 4E                                      ..|N
> 10[KNL] <mobile|1> adding SAD entry with SPI 0de9adeb and reqid {1}
> (mark 0/0x       0)
> 10[KNL] <mobile|1>   using encryption algorithm AES_CBC with key size 256
> 10[KNL] <mobile|1>   using integrity algorithm HMAC_SHA1_96 with key size 160
> 10[KNL] <mobile|1> sending XFRM_MSG_NEWSA: => 436 bytes @ 0x7ffd82fee570
> 10[KNL] <mobile|1>    0: B4 01 00 00 10 00 05 00 CB 00 00 00 11 08 00
> 00  ................
> ...................
> 10[KNL] <mobile|1>  432: EF 2E 49 65                                      ..Ie
> 10[KNL] <mobile|1> adding policy 0.0.0.0/0 === 10.2.0.2/32 out  (mark
> 0/0x       0)
> 10[KNL] <mobile|1> sending XFRM_MSG_NEWPOLICY: => 184 bytes @ 0x7ffd82fee470
> 10[KNL] <mobile|1>    0: B8 00 00 00 13 00 05 00 CC 00 00 00 11 08 00
> 00  ................
> ........................
> 10[KNL] <mobile|1>  176: 01 01 00 00 00 00 00 00
>    ........
> 10[KNL] <mobile|1> adding policy 10.2.0.2/32 === 0.0.0.0/0 in  (mark
> 0/0x       0)
> 10[KNL] <mobile|1> sending XFRM_MSG_NEWPOLICY: => 184 bytes @ 0x7ffd82fee470
> 10[KNL] <mobile|1>    0: B8 00 00 00 13 00 05 00 CD 00 00 00 11 08 00
> 00  ................
> ......................
> 10[KNL] <mobile|1>  176: 00 01 00 00 00 00 00 00
>    ........
> 10[KNL] <mobile|1> adding policy 10.2.0.2/32 === 0.0.0.0/0 fwd  (mark
> 0/0x       0)
> 10[KNL] <mobile|1> sending XFRM_MSG_NEWPOLICY: => 184 bytes @ 0x7ffd82fee470
> 10[KNL] <mobile|1>    0: B8 00 00 00 13 00 05 00 CE 00 00 00 11 08 00
> 00  ................
> ........................
> 10[KNL] <mobile|1>  176: 02 01 00 00 00 00 00 00
>    ........
> 10[KNL] <mobile|1> getting a local address in traffic selector 0.0.0.0/0
> 10[KNL] <mobile|1> using host %any
> 10[KNL] <mobile|1> getting address to reach sss.sss.202.73
> 10[KNL] <mobile|1> getting interface name for ppp.ppp.4.186
> 10[KNL] <mobile|1> ppp.ppp.4.186 is on interface eth1
> 10[KNL] <mobile|1> installing route: 10.2.0.2/32 via ppp.ppp.4.100 src
> %any dev eth1
> 10[KNL] <mobile|1> getting iface index for eth1
> 10[KNL] <mobile|1> policy 0.0.0.0/0 === 10.2.0.2/32 out  (mark 0/0x
>    0) already exists, increasing refcount
> 10[KNL] <mobile|1> updating policy 0.0.0.0/0 === 10.2.0.2/32 out
> (mark 0/0x       0)
> 10[KNL] <mobile|1> sending XFRM_MSG_UPDPOLICY: => 252 bytes @ 0x7ffd82fee470
> 10[KNL] <mobile|1>    0: FC 00 00 00 19 00 05 00 CF 00 00 00 11 08 00
> 00  ................
> ............................
> 10[KNL] <mobile|1>  240: FF FF FF FF FF FF FF FF FF FF FF FF
>    ............
> 10[KNL] <mobile|1> policy 10.2.0.2/32 === 0.0.0.0/0 in  (mark 0/0x
>   0) already exists, increasing refcount
> 10[KNL] <mobile|1> updating policy 10.2.0.2/32 === 0.0.0.0/0 in  (mark
> 0/0x       0)
> 10[KNL] <mobile|1> sending XFRM_MSG_UPDPOLICY: => 252 bytes @ 0x7ffd82fee470
> 10[KNL] <mobile|1>    0: FC 00 00 00 19 00 05 00 D0 00 00 00 11 08 00
> 00  ................
> ...........................
> 10[KNL] <mobile|1>  224: 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00
> 00  ................
> 10[KNL] <mobile|1>  240: FF FF FF FF FF FF FF FF FF FF FF FF
>    ............
> 10[KNL] <mobile|1> policy 10.2.0.2/32 === 0.0.0.0/0 fwd  (mark 0/0x
>    0) already exists, increasing refcount
> 10[KNL] <mobile|1> updating policy 10.2.0.2/32 === 0.0.0.0/0 fwd
> (mark 0/0x       0)
> 10[KNL] <mobile|1> sending XFRM_MSG_UPDPOLICY: => 252 bytes @ 0x7ffd82fee470
> 10[KNL] <mobile|1>    0: FC 00 00 00 19 00 05 00 D1 00 00 00 11 08 00
> 00  ................
> ..........................
> 10[KNL] <mobile|1>  224: 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00
> 00  ................
> 10[KNL] <mobile|1>  240: FF FF FF FF FF FF FF FF FF FF FF FF
>    ............
> 10[KNL] <mobile|1> getting a local address in traffic selector 0.0.0.0/0
> 10[KNL] <mobile|1> using host %any
> 10[KNL] <mobile|1> getting address to reach sss.sss.202.73
> 10[KNL] <mobile|1> getting interface name for ppp.ppp.4.186
> 10[KNL] <mobile|1> ppp.ppp.4.186 is on interface eth1
> 10[IKE] <mobile|1> CHILD_SA mobile{1} established with SPIs c41566b6_i
> 0de9adeb_o and TS 0.0.0.0/0 === 10.2.0.2/32
> 10[KNL] <mobile|1> getting interface name for ppp.ppp.4.186
> 10[KNL] <mobile|1> ppp.ppp.4.186 is on interface eth1
> 14[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 14[ENC] <mobile|1> parsed INFORMATIONAL_V1 request 1460918583 [ HASH N(DPD) ]
> 14[IKE] <mobile|1> queueing ISAKMP_DPD task
> 14[IKE] <mobile|1> activating new tasks
> 14[IKE] <mobile|1>   activating ISAKMP_DPD task
> 14[ENC] <mobile|1> generating INFORMATIONAL_V1 request 364710107 [
> HASH N(DPD_ACK) ]
> 14[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 14[IKE] <mobile|1> activating new tasks
> 14[IKE] <mobile|1> nothing to initiate
> 01[KNL] <mobile|1> querying SAD entry with SPI c41566b6  (mark 0/0x       0)
> 01[KNL] <mobile|1> sending XFRM_MSG_GETSA: => 40 bytes @ 0x7ffd877f7260
> 01[KNL] <mobile|1>    0: 28 00 00 00 12 00 01 00 D2 00 00 00 11 08 00
> 00  (...............
> 01[KNL] <mobile|1>   16: 80 D0 04 BA 00 00 00 00 00 00 00 00 00 00 00
> 00  ................
> 01[KNL] <mobile|1>   32: C4 15 66 B6 02 00 32 00
>    ..f...2.
> 01[KNL] <mobile|1> querying policy 10.2.0.2/32 === 0.0.0.0/0 in  (mark
> 0/0x       0)
> 01[KNL] <mobile|1> sending XFRM_MSG_GETPOLICY: => 80 bytes @ 0x7ffd877f7260
> 01[KNL] <mobile|1>    0: 50 00 00 00 15 00 01 00 D3 00 00 00 11 08 00
> 00  P...............
> .........................
> 01[KNL] <mobile|1>   64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00  ................
> 01[KNL] <mobile|1> querying policy 10.2.0.2/32 === 0.0.0.0/0 fwd
> (mark 0/0x       0)
> 01[KNL] <mobile|1> sending XFRM_MSG_GETPOLICY: => 80 bytes @ 0x7ffd877f7260
> 01[KNL] <mobile|1>    0: 50 00 00 00 15 00 01 00 D4 00 00 00 11 08 00
> 00  P...............
> ......................
> 01[KNL] <mobile|1>   64: 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00
> 00  ................
> 01[KNL] <mobile|1> querying SAD entry with SPI 0de9adeb  (mark 0/0x       0)
> 01[KNL] <mobile|1> sending XFRM_MSG_GETSA: => 40 bytes @ 0x7ffd877f7260
> 01[KNL] <mobile|1>    0: 28 00 00 00 12 00 01 00 D5 00 00 00 11 08 00
> 00  (...............
> 01[KNL] <mobile|1>   16: AD FA CA 49 00 00 00 00 00 00 00 00 00 00 00
> 00  ...I............
> 01[KNL] <mobile|1>   32: 0D E9 AD EB 02 00 32 00
>    ......2.
> 09[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 09[ENC] <mobile|1> parsed INFORMATIONAL_V1 request 1526651347 [ HASH N(DPD) ]
> 09[IKE] <mobile|1> queueing ISAKMP_DPD task
> 09[IKE] <mobile|1> activating new tasks
> 09[IKE] <mobile|1>   activating ISAKMP_DPD task
> 09[ENC] <mobile|1> generating INFORMATIONAL_V1 request 1249208433 [
> HASH N(DPD_ACK) ]
> 09[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 09[IKE] <mobile|1> activating new tasks
> 09[IKE] <mobile|1> nothing to initiate
> 10[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 10[ENC] <mobile|1> parsed INFORMATIONAL_V1 request 1940403548 [ HASH N(DPD) ]
> 10[IKE] <mobile|1> queueing ISAKMP_DPD task
> 10[IKE] <mobile|1> activating new tasks
> 10[IKE] <mobile|1>   activating ISAKMP_DPD task
> 10[ENC] <mobile|1> generating INFORMATIONAL_V1 request 1632913071 [
> HASH N(DPD_ACK) ]
> 10[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 10[IKE] <mobile|1> activating new tasks
> 10[IKE] <mobile|1> nothing to initiate
> 11[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 11[ENC] <mobile|1> parsed INFORMATIONAL_V1 request 1847830875 [ HASH N(DPD) ]
> 11[IKE] <mobile|1> queueing ISAKMP_DPD task
> 11[IKE] <mobile|1> activating new tasks
> 11[IKE] <mobile|1>   activating ISAKMP_DPD task
> 11[ENC] <mobile|1> generating INFORMATIONAL_V1 request 3593142118 [
> HASH N(DPD_ACK) ]
> 11[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 11[IKE] <mobile|1> activating new tasks
> 11[IKE] <mobile|1> nothing to initiate
> 
> 
> The output of  ip route list table 0 is as follows:
>  10.2.0.2 via ppp.ppp.4.100 dev eth1  table 220  proto static
> default via ppp.ppp.4.100 dev eth1  metric 100
> ppp.ppp.4.0/24 dev eth1  proto kernel  scope link  src ppp.ppp.4.186
> broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src
> 127.0.0.1
> local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
> local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
> broadcast 127.255.255.255 dev lo  table local  proto kernel  scope
> link  src 127.0.0.1
> broadcast ppp.ppp.4.0 dev eth1  table local  proto kernel  scope link
> src ppp.ppp.4.186
> local ppp.ppp.4.186 dev eth1  table local  proto kernel  scope host
> src ppp.ppp.4.186
> broadcast ppp.ppp.4.255 dev eth1  table local  proto kernel  scope
> link  src ppp.ppp.4.186
> unreachable default dev lo  table unspec  proto kernel  metric -1
> error -101 hoplimit 255
> feab::/64 dev eth1  proto kernel  metric 256
> unreachable default dev lo  table unspec  proto kernel  metric -1
> error -101 hoplimit 255
> local ::1 via :: dev lo  table local  proto none  metric 0
> local feab:: via :: dev lo  table local  proto none  metric 0
> local feab::abc:def:fsd:dsdf via :: dev lo  table local  proto none  metric 0
> ff00::/8 dev eth1  table local  metric 256
> 
> The output of  ipsec statusall is as follows:
> Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-23-generic, x86_64):
>   uptime: 51 seconds, since Jul 02 20:34:51 2012
>   malloc: sbrk 401408, mmap 0, used 255600, free 145808
>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
> scheduled: 2
>   loaded plugins: charon aes des sha1 sha2 md4 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl
> gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve
> socket-default socket-raw socket-dynamic stroke updown eap-identity
> eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-radius
> xauth-generic
> Virtual IP pools (size/online/offline):
>   mobile: 65535/1/0
> Listening IP addresses:
>   ppp.ppp.4.186
> Connections:
>       mobile:  %any...%any  IKEv1
>       mobile:   local:  [snowmane.mydomain.edu] uses public key authentication
>       mobile:    cert:  "C=US, O=snowmane, CN=snowmane.mydomain.edu"
>       mobile:   remote: [%any] uses public key authentication
>       mobile:   remote: [%any] uses XAuth authentication: any
>       mobile:   child:  0.0.0.0/0 === dynamic TUNNEL
> Security Associations (1 up, 0 connecting):
>       mobile[1]: ESTABLISHED 31 seconds ago,
> ppp.ppp.4.186[snowmane.mydomain.edu]...sss.sss.202.73[C=US,
> O=snowmane, CN=client]
>       mobile[1]: Remote XAuth identity: test
>       mobile[1]: IKEv1 SPIs: ae710ea7de69ab5e_i c1f98a8f2b5a7a44_r*,
> public key reauthentication in 2 hours
>       mobile[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>       mobile{1}:  INSTALLED, TUNNEL, ESP SPIs: c41566b6_i 0de9adeb_o
>       mobile{1}:  AES_CBC_256/HMAC_SHA1_96, 1199 bytes_i (0s ago), 0
> bytes_o, rekeying in 44 minutes
>       mobile{1}:   0.0.0.0/0 === 10.2.0.2/32
> 
> 
> Thanks and Regards,
> Ashwin
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==






More information about the Users mailing list