[strongSwan] Net to net PSK establishes, but does NOT route nor create ESP

Ricky Huang rhhuang at soe.ucsd.edu
Thu Jun 21 08:15:12 CEST 2012 

hi,


Long email, but in summary, ipsec shows I have 2 subnet connected, but I cannot ping into one another, nor tcpdump shows any ESP packets leaving the pinging machine.


Now in in gory details, I have a net2net-psk set up between two of my gateways as follows:

[ subnet 1 ] --- [ gateway1 ] === [ gateway 2] --- [ subnet 2 ]
[ 192.168.254.0/24] --- [br0 192.168.254.99 | eth2 99.33.170.155 ] ===== [ eth3 75.11.172.226 |  br0 192.168.250.99] --- [ 192.168.250.0/24 ]

Gateway 1 ipsec.conf:
> 
> config setup
>         charonstart=yes
> 
> conn %default
>        keyexchange=ikev2
>        ike=3des-md5-modp1024
>        esp=3des-md5-modp1024
>        mobike=no
>        ikelifetime=3600
>        keylife=3600
>        authby=secret
>        dpdaction=restart
> 
> conn myvpn
>        left=99.33.170.155
>        leftsubnet=192.168.254.0/24
>        leftfirewall=no
>        right=75.11.172.226
>        rightsubnet=192.168.250.0/24
>        auto=add

Gateway 2 ipsec.conf:
> 

> config setup
> 	charonstart=yes
> 
> conn %default
>        keyexchange=ikev2
>        ike=3des-md5-modp1024
>        esp=3des-md5-modp1024
>        mobike=no
>        ikelifetime=3600
>        keylife=3600
>        authby=secret
>        dpdaction=restart
> 
> conn myvpn
>        left=75.11.172.226
>        leftsubnet=192.168.250.0/24
>        leftfirewall=no
>        right=99.33.170.155
>        rightsubnet=192.168.254.0/24
>        auto=start

When I ipsec start the two gateways, the output looks like the tunnels have been established:

Gateway 1:
> 

> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth2/eth2 99.33.170.155:500
> 000 interface br0/br0 192.168.254.99:500
> 000 interface tun-eth2/tun-eth2 0.0.0.1:500
> 000 %myid = (none)
> 000 debug none
> 000 
> Performance:
>   uptime: 2 minutes, since Jun 20 23:05:33 2012
>   worker threads: 10 idle of 16, job queue load: 0, scheduled events: 4
>   loaded plugins: ldap gmp random x509 pubkey hmac xcbc openssl stroke 
> Listening IP addresses:
>   99.33.170.155
>   192.168.254.99
>   0.0.0.1
> Connections:
>      mushvpn:  99.33.170.155[99.33.170.155]...75.11.172.226[75.11.172.226]
>      mushvpn:    192.168.254.0/24 === 192.168.250.0/24 
> Security Associations:
>      mushvpn[1]: ESTABLISHED, 99.33.170.155[99.33.170.155]...75.11.172.226[75.11.172.226]
>      mushvpn[1]: IKE SPIs: db7a7cdf316496fa_i 030fb05fc4029661_r*, reauthentication in 47 minutes
>      mushvpn[1]: IKE proposal: 3DES/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024_BIT
>      mushvpn{1}:  INSTALLED, TUNNEL, ESP SPIs: c59b999a_i c871ae3b_o
>      mushvpn{1}:  3DES/HMAC_MD5_96, rekeying in 43 minutes, last use: no_i no_o 
>      mushvpn{1}:   192.168.254.0/24 === 192.168.250.0/24 

Gateway 2:
> 

> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth2/eth2 75.11.172.226:500
> 000 interface br0/br0 192.168.250.99:500
> 000 interface tun-eth2/tun-eth2 0.0.0.1:500
> 000 %myid = (none)
> 000 debug none
> 000 
> Performance:
>   uptime: 2 minutes, since Jun 20 23:06:20 2012
>   worker threads: 10 idle of 16, job queue load: 0, scheduled events: 4
>   loaded plugins: ldap gmp random x509 pubkey hmac xcbc openssl stroke 
> Listening IP addresses:
>   75.11.172.226
>   192.168.250.99
>   0.0.0.1
> Connections:
>      mushvpn:  75.11.172.226[75.11.172.226]...99.33.170.155[99.33.170.155]
>      mushvpn:    192.168.250.0/24 === 192.168.254.0/24 
> Security Associations:
>      mushvpn[1]: ESTABLISHED, 75.11.172.226[75.11.172.226]...99.33.170.155[99.33.170.155]
>      mushvpn[1]: IKE SPIs: db7a7cdf316496fa_i* 030fb05fc4029661_r, reauthentication in 38 minutes
>      mushvpn[1]: IKE proposal: 3DES/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024_BIT
>      mushvpn{1}:  INSTALLED, TUNNEL, ESP SPIs: c871ae3b_i c59b999a_o
>      mushvpn{1}:  3DES/HMAC_MD5_96, rekeying in 42 minutes, last use: no_i 10s_o 
>      mushvpn{1}:   192.168.250.0/24 === 192.168.254.0/24 


But when I try to ping one subnet to another, nothing happens.

Doing a tcpdump on the Gateway 1's public interface shows that pings are going out of the box to the INTERNAL address in subnet 2, e.g.
> 

> 23:10:23.806822 IP 99.33.170.155 > 192.168.250.99: ICMP echo request, id 63768, seq 1, length 64
> 23:10:24.815480 IP 99.33.170.155 > 192.168.250.99: ICMP echo request, id 63768, seq 2, length 64
> 23:10:25.823492 IP 99.33.170.155 > 192.168.250.99: ICMP echo request, id 63768, seq 3, length 64


tcpdump also does NOT reveal any ESP type outgoing packet on gateway.

More information about the Users mailing list