[strongSwan] no ping the internal network

carachi diego carachi83 at gmail.com
Thu Apr 18 09:07:05 CEST 2013


hello Noel,
Thank you for your reply.
I tried, but I am not able to ping the other network of my server.
any suggestion?


Thank you very much


2013/4/18 carachi diego <carachi83 at gmail.com>

> hello Noel,
> Thank you for your reply.
> I tried, but I am not able to ping the other network of my server.
> any suggestion?
>
>
> Thank you very much
>
>
> 2013/4/17 Noel Kuntze <noel at familie-kuntze.de>
>
>> Hello,
>>
>> Can you ping one of the interfaces of the router? If yes, then you might
>> need to enable forwarding for the tunnel in the kernel settings. (sysctl
>> on linux, key net.ipv[46].conf.tunl[0123456789].forwarding = 1). The
>> latter made my setup work. You might also want to investigate the
>> decryption errors, which might be related to your problem.
>>
>> Regards,
>> Noel
>>
>> > Hello,
>> >
>> > I configured strongSwan and the client (Win XP) is connected to the
>> > server, but I am not able from the client to ping the internal network.
>> >
>> > Where can the problem be?
>> > Thank you
>> >
>> >
>> > ---------------------------------------------------------------------
>> > root at debian:~# ipsec start --nofork --debug-all
>> > Starting strongSwan 5.0.2 IPsec [starter]...
>> > !! Your strongswan.conf contains manual plugin load options for charon.
>> > !! This is recommended for experts only, see
>> > !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>> > Loading config setup
>> > Loading conn %default
>> >   ikelifetime=60m
>> >   keylife=20m
>> >   rekeymargin=3m
>> >   keyingtries=1
>> >   keyexchange=ikev1
>> > Loading conn 'rw'
>> >   left=172.16.151.100
>> >   leftcert=server.crt
>> >   leftid=@ipsec.org <http://ipsec.org>
>> >   leftsubnet=192.168.7.0/24 <http://192.168.7.0/24>
>> >   leftfirewall=yes
>> >   right=%any
>> >   rightsourceip=192.168.7.0/24 <http://192.168.7.0/24>
>> >   auto=add
>> > found netkey IPsec stack
>> > Attempting to start charon...
>> > 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2, Linux
>> > 3.2.0-0.bpo.4-amd64, x86_64)
>> > 00[LIB] enabled  AES_CBC[aes]: passed 6 test vectors
>> > 00[LIB] enabled  AES_CBC[aes]: passed 6 test vectors
>> > 00[LIB] enabled  AES_CBC[aes]: passed 6 test vectors
>> > 00[LIB] enabled  3DES_CBC[des]: passed 2 test vectors
>> > 00[LIB] enabled  DES_CBC[des]: passed 2 test vectors
>> > 00[LIB] enabled  DES_ECB[des]: passed 2 test vectors
>> > 00[LIB] enabled  HASH_SHA1[sha1]: passed 4 test vectors
>> > 00[LIB] enabled  PRF_KEYED_SHA1[sha1]: no test vectors found
>> > 00[LIB] enabled  HASH_SHA224[sha2]: passed 3 test vectors
>> > 00[LIB] enabled  HASH_SHA256[sha2]: passed 3 test vectors
>> > 00[LIB] enabled  HASH_SHA384[sha2]: passed 3 test vectors
>> > 00[LIB] enabled  HASH_SHA512[sha2]: passed 3 test vectors
>> > 00[LIB] enabled  HASH_MD5[md5]: passed 7 test vectors
>> > 00[LIB] enabled  RNG_STRONG[random]: passed 3 test vectors
>> > 00[LIB] enabled  RNG_TRUE[random]: skipping test (disabled by config)
>> > 00[LIB] enabled  PRF_HMAC_SHA1[hmac]: passed 6 test vectors
>> > 00[LIB] enabled  PRF_HMAC_MD5[hmac]: passed 6 test vectors
>> > 00[LIB] enabled  PRF_HMAC_SHA2_256[hmac]: passed 6 test vectors
>> > 00[LIB] enabled  PRF_HMAC_SHA2_384[hmac]: passed 6 test vectors
>> > 00[LIB] enabled  PRF_HMAC_SHA2_512[hmac]: passed 6 test vectors
>> > 00[LIB] enabled  HMAC_SHA1_96[hmac]: passed 2 test vectors
>> > 00[LIB] enabled  HMAC_SHA1_128[hmac]: passed 2 test vectors
>> > 00[LIB] enabled  HMAC_SHA1_160[hmac]: passed 2 test vectors
>> > 00[LIB] enabled  HMAC_MD5_96[hmac]: passed 2 test vectors
>> > 00[LIB] enabled  HMAC_MD5_128[hmac]: passed 2 test vectors
>> > 00[LIB] enabled  HMAC_SHA2_256_128[hmac]: passed 3 test vectors
>> > 00[LIB] enabled  HMAC_SHA2_256_256[hmac]: no test vectors found
>> > 00[LIB] enabled  HMAC_SHA2_384_192[hmac]: passed 3 test vectors
>> > 00[LIB] enabled  HMAC_SHA2_384_384[hmac]: no test vectors found
>> > 00[LIB] enabled  HMAC_SHA2_512_256[hmac]: passed 3 test vectors
>> > 00[LIB] enabled  PRF_AES128_XCBC[xcbc]: passed 7 test vectors
>> > 00[LIB] enabled  AES_XCBC_96[xcbc]: passed 5 test vectors
>> > 00[LIB] enabled  PRF_AES128_CMAC[cmac]: passed 7 test vectors
>> > 00[LIB] enabled  AES_CMAC_96[cmac]: passed 4 test vectors
>> > 00[LIB] enabled  AES_CTR[ctr]: passed 9 test vectors
>> > 00[LIB] enabled  AES_CTR[ctr]: passed 9 test vectors
>> > 00[LIB] enabled  AES_CTR[ctr]: passed 9 test vectors
>> > 00[LIB] enabled  AES_CCM_8[ccm]: passed 5 test vectors
>> > 00[LIB] enabled  AES_CCM_8[ccm]: passed 5 test vectors
>> > 00[LIB] enabled  AES_CCM_8[ccm]: passed 5 test vectors
>> > 00[LIB] enabled  AES_CCM_12[ccm]: passed 1 test vectors
>> > 00[LIB] enabled  AES_CCM_12[ccm]: passed 1 test vectors
>> > 00[LIB] enabled  AES_CCM_12[ccm]: passed 1 test vectors
>> > 00[LIB] enabled  AES_CCM_16[ccm]: passed 5 test vectors
>> > 00[LIB] enabled  AES_CCM_16[ccm]: passed 5 test vectors
>> > 00[LIB] enabled  AES_CCM_16[ccm]: passed 5 test vectors
>> > 00[LIB] enabled  AES_GCM_8[gcm]: passed 1 test vectors
>> > 00[LIB] enabled  AES_GCM_8[gcm]: passed 1 test vectors
>> > 00[LIB] enabled  AES_GCM_8[gcm]: passed 1 test vectors
>> > 00[LIB] enabled  AES_GCM_12[gcm]: passed 1 test vectors
>> > 00[LIB] enabled  AES_GCM_12[gcm]: passed 1 test vectors
>> > 00[LIB] enabled  AES_GCM_12[gcm]: passed 1 test vectors
>> > 00[LIB] enabled  AES_GCM_16[gcm]: passed 5 test vectors
>> > 00[LIB] enabled  AES_GCM_16[gcm]: passed 5 test vectors
>> > 00[LIB] enabled  AES_GCM_16[gcm]: passed 5 test vectors
>> > 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>> > 00[CFG]   loaded ca certificate "C=UK, ST=Beds, L=Luton, O=Beds,
>> > OU=IT, CN=Beds CA, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>" from '/etc/ipsec.d/cacerts/ca.crt'
>> > 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>> > 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>> > 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>> > 00[CFG] loading crls from '/etc/ipsec.d/crls'
>> > 00[CFG] loading secrets from '/etc/ipsec.secrets'
>> > 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
>> > 00[DMN] loaded plugins: charon curl test-vectors aes des sha1 sha2 md5
>> > pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr
>> > ccm gcm stroke kernel-netlink socket-default updown
>> > 00[JOB] spawning 16 worker threads
>> > charon (2651) started after 40 ms
>> > 08[CFG] received stroke: add connection 'rw'
>> > 08[CFG] adding virtual IP address pool 192.168.7.0/24
>> > <http://192.168.7.0/24>
>> > 08[CFG]   loaded certificate "C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
>> > CN=server, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>" from 'server.crt'
>> > 08[CFG]   id 'ipsec.org <http://ipsec.org>' not confirmed by
>> > certificate, defaulting to 'C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
>> > CN=server, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>'
>> > 08[CFG] added configuration 'rw'
>> > 09[NET] received packet: from 172.16.151.131[500] to
>> > 172.16.151.100[500] (3756 bytes)
>> > 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V ]
>> > 09[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
>> > 09[ENC] received unknown vendor ID:
>> > 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
>> > 09[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> > 09[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
>> > 09[IKE] received NAT-T (RFC 3947) vendor ID
>> > 09[IKE] received FRAGMENTATION vendor ID
>> > 09[IKE] received DPD vendor ID
>> > 09[ENC] received unknown vendor ID:
>> > f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
>> > 09[ENC] received unknown vendor ID:
>> > 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
>> > 09[ENC] received unknown vendor ID:
>> > 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
>> > 09[IKE] received Cisco Unity vendor ID
>> > 09[IKE] 172.16.151.131 is initiating a Main Mode IKE_SA
>> > 09[ENC] generating ID_PROT response 0 [ SA V V V ]
>> > 09[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (140 bytes)
>> > 10[NET] received packet: from 172.16.151.131[500] to
>> > 172.16.151.100[500] (365 bytes)
>> > 10[ENC] parsed ID_PROT request 0 [ KE No CERTREQ NAT-D NAT-D ]
>> > 10[IKE] ignoring certificate request without data
>> > 10[IKE] sending cert request for "C=UK, ST=Beds, L=Luton, O=Beds,
>> > OU=IT, CN=Beds CA, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>"
>> > 10[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
>> > 10[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (527 bytes)
>> > 11[NET] received packet: from 172.16.151.131[500] to
>> > 172.16.151.100[500] (1724 bytes)
>> > 11[ENC] parsed ID_PROT request 0 [ ID CERT SIG ]
>> > 11[IKE] received end entity cert "C=UK, ST=Beds, L=Luton, O=Beds,
>> > OU=IT, CN=client, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>"
>> > 11[CFG] looking for RSA signature peer configs matching
>> > 172.16.151.100...172.16.151.131[C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
>> > CN=client, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>]
>> > 11[CFG] selected peer config "rw"
>> > 11[CFG]   using certificate "C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
>> > CN=client, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>"
>> > 11[CFG]   using trusted ca certificate "C=UK, ST=Beds, L=Luton,
>> > O=Beds, OU=IT, CN=Beds CA, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>"
>> > 11[CFG] checking certificate status of "C=UK, ST=Beds, L=Luton,
>> > O=Beds, OU=IT, CN=client, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>"
>> > 11[CFG] certificate status is not available
>> > 11[CFG]   reached self-signed root ca with a path length of 0
>> > 11[IKE] authentication of 'C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
>> > CN=client, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>' with RSA successful
>> > 11[IKE] authentication of 'C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
>> > CN=server, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>' (myself) successful
>> > 11[IKE] IKE_SA rw[1] established between 172.16.151.100[C=UK, ST=Beds,
>> > L=Luton, O=Beds, OU=IT, CN=server, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>]...172.16.151.131[C=UK, ST=Beds, L=Luton,
>> > O=Beds, OU=IT, CN=client, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>]
>> > 11[IKE] scheduling reauthentication in 3297s
>> > 11[IKE] maximum IKE_SA lifetime 3477s
>> > 11[IKE] sending end entity cert "C=UK, ST=Beds, L=Luton, O=Beds,
>> > OU=IT, CN=server, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>"
>> > 11[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
>> > 11[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (1756 bytes)
>> > 13[NET] received packet: from 172.16.151.131[500] to
>> > 172.16.151.100[500] (92 bytes)
>> > 13[ENC] parsed INFORMATIONAL_V1 request 2720293503 [ HASH
>> > N(INITIAL_CONTACT) ]
>> > 13[NET] received packet: from 172.16.151.131[500] to
>> > 172.16.151.100[500] (92 bytes)
>> > 13[ENC] parsed TRANSACTION request 640267562 [ HASH CP ]
>> > 13[IKE] peer requested virtual IP %any
>> > 13[CFG] assigning new lease to 'C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
>> > CN=client, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>'
>> > 13[IKE] assigning virtual IP 192.168.7.1 to peer 'C=UK, ST=Beds,
>> > L=Luton, O=Beds, OU=IT, CN=client, N=Strongswan, E=root at ipsec.beds.com
>> > <mailto:root at ipsec.beds.com>'
>> > 13[ENC] generating TRANSACTION response 640267562 [ HASH CP ]
>> > 13[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (76 bytes)
>> > 15[NET] received packet: from 172.16.151.131[500] to
>> > 172.16.151.100[500] (684 bytes)
>> > 15[ENC] parsed QUICK_MODE request 2781654303 [ HASH SA No ID ID ]
>> > 15[IKE] received 3600s lifetime, configured 1200s
>> > 15[ENC] generating QUICK_MODE response 2781654303 [ HASH SA No ID ID ]
>> > 15[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (172 bytes)
>> > 07[IKE] sending retransmit 1 of response message ID 2781654303, seq 5
>> > 07[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (172 bytes)
>> > 08[IKE] sending retransmit 2 of response message ID 2781654303, seq 5
>> > 08[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (172 bytes)
>> > 09[NET] received packet: from 172.16.151.131[500] to
>> > 172.16.151.100[500] (92 bytes)
>> > 09[ENC] parsed INFORMATIONAL_V1 request 51255654 [ HASH N(DPD) ]
>> > 09[ENC] generating INFORMATIONAL_V1 request 2918765658 [ HASH
>> N(DPD_ACK) ]
>> > 09[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (92 bytes)
>> > 10[IKE] sending retransmit 3 of response message ID 2781654303, seq 5
>> > 10[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (172 bytes)
>> > 12[NET] received packet: from 172.16.151.131[500] to
>> > 172.16.151.100[500] (684 bytes)
>> > 12[ENC] parsed QUICK_MODE request 2439206719 [ HASH SA No ID ID ]
>> > 12[IKE] CHILD_SA rw{1} established with SPIs c8de18b3_i 6b57c330_o and
>> > TS 192.168.7.0/24 <http://192.168.7.0/24> === 192.168.7.1/32
>> > <http://192.168.7.1/32>
>> > 13[NET] received packet: from 172.16.151.131[500] to
>> > 172.16.151.100[500] (92 bytes)
>> > 13[ENC] parsed INFORMATIONAL_V1 request 959431080 [ HASH N(DPD) ]
>> > 13[ENC] generating INFORMATIONAL_V1 request 3238217689 [ HASH
>> N(DPD_ACK) ]
>> > 13[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (92 bytes)
>> > 14[NET] received packet: from 172.16.151.131[500] to
>> > 172.16.151.100[500] (684 bytes)
>> > 14[ENC] invalid HASH_V1 payload length, decryption failed?
>> > 14[ENC] could not decrypt payloads
>> > 14[IKE] message parsing failed
>> > 14[ENC] generating INFORMATIONAL_V1 request 2658081635 [ HASH
>> N(PLD_MAL) ]
>> > 14[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (76 bytes)
>> > 14[IKE] QUICK_MODE request with message ID 2439206719 processing failed
>> > 15[NET] received packet: from 172.16.151.131[500] to
>> > 172.16.151.100[500] (684 bytes)
>> > 15[ENC] invalid HASH_V1 payload length, decryption failed?
>> > 15[ENC] could not decrypt payloads
>> > 15[IKE] message parsing failed
>> > 15[ENC] generating INFORMATIONAL_V1 request 2558400398 [ HASH
>> N(PLD_MAL) ]
>> > 15[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (76 bytes)
>> > 15[IKE] QUICK_MODE request with message ID 2439206719 processing failed
>> > 07[NET] received packet: from 172.16.151.131[500] to
>> > 172.16.151.100[500] (684 bytes)
>> > 07[ENC] invalid HASH_V1 payload length, decryption failed?
>> > 07[ENC] could not decrypt payloads
>> > 07[IKE] message parsing failed
>> > 07[ENC] generating INFORMATIONAL_V1 request 45400192 [ HASH N(PLD_MAL) ]
>> > 07[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (76 bytes)
>> > 07[IKE] QUICK_MODE request with message ID 2439206719 processing failed
>> > 08[NET] received packet: from 172.16.151.131[500] to
>> > 172.16.151.100[500] (92 bytes)
>> > 08[ENC] parsed INFORMATIONAL_V1 request 1445932911 [ HASH N(DPD) ]
>> > 08[ENC] generating INFORMATIONAL_V1 request 446635703 [ HASH N(DPD_ACK)
>> ]
>> > 08[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (92 bytes)
>> > 09[NET] received packet: from 172.16.151.131[500] to
>> > 172.16.151.100[500] (684 bytes)
>> > 09[ENC] parsed QUICK_MODE request 3074289790 [ HASH SA No ID ID ]
>> > 09[IKE] received 3600s lifetime, configured 1200s
>> > 09[IKE] detected rekeying of CHILD_SA rw{1}
>> > 09[ENC] generating QUICK_MODE response 3074289790 [ HASH SA No ID ID ]
>> > 09[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (172 bytes)
>> > 10[IKE] sending retransmit 1 of response message ID 3074289790, seq 6
>> > 10[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (172 bytes)
>> > 11[IKE] sending retransmit 2 of response message ID 3074289790, seq 6
>> > 11[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (172 bytes)
>> > 13[NET] received packet: from 172.16.151.131[500] to
>> > 172.16.151.100[500] (92 bytes)
>> > 13[ENC] parsed INFORMATIONAL_V1 request 4153077593 [ HASH N(DPD) ]
>> > 13[ENC] generating INFORMATIONAL_V1 request 677315988 [ HASH N(DPD_ACK)
>> ]
>> > 13[NET] sending packet: from 172.16.151.100[500] to
>> > 172.16.151.131[500] (92 bytes)
>> >
>> >
>> >
>> > --
>> > http://www.2dd.it
>> >
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.strongswan.org
>> > https://lists.strongswan.org/mailman/listinfo/users
>>
>>
>
>
>
> --
> http://www.2dd.it
>



-- 
http://www.2dd.it
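Added example (not from the thread and not strongSwan's own code): a Python script that reads the two kinds of text shown in the quoted `ipsec start --nofork --debug-all` output, the starter's "Loading conn" dump and charon's log lines, and flags what a reader of this thread would check first. The conn above has rightsourceip=192.168.7.0/24 and leftsubnet=192.168.7.0/24, so the client's virtual IP 192.168.7.1 is taken from the very LAN it wants to reach; hosts on that LAN will ARP for 192.168.7.1 and get no answer unless the gateway responds on the client's behalf (strongSwan's farp plugin) or the pool is moved to a separate subnet that is routed to the gateway. The script also groups the "could not decrypt payloads" / "processing failed" lines and the response retransmits by IKEv1 message ID. The config and log lines embedded in it are constructed excerpts modelled on the quoted output; the function names and the "stale Quick Mode" heuristic are this example's own.

```python
"""Offline checks for a strongSwan 5.x roadwarrior setup, working on the text
that `ipsec start --nofork --debug-all` prints. Added example for this thread,
not strongSwan code. Flags:
  1. a CIDR virtual-IP pool (rightsourceip) overlapping leftsubnet;
  2. undecryptable IKEv1 messages and response retransmits, per message ID.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the starter's "Loading conn" dump.
SAMPLE_STARTER = """\
Loading conn %default
  keyexchange=ikev1
Loading conn 'rw'
  left=172.16.151.100
  leftsubnet=192.168.7.0/24
  right=%any
  rightsourceip=192.168.7.0/24
  auto=add
"""

# Constructed sample charon lines (thread[group] prefix as in 5.0.x).
SAMPLE_CHARON = """\
12[ENC] parsed QUICK_MODE request 2439206719 [ HASH SA No ID ID ]
12[IKE] CHILD_SA rw{1} established with SPIs c8de18b3_i 6b57c330_o and TS 192.168.7.0/24 === 192.168.7.1/32
14[ENC] invalid HASH_V1 payload length, decryption failed?
14[ENC] could not decrypt payloads
14[IKE] QUICK_MODE request with message ID 2439206719 processing failed
15[ENC] could not decrypt payloads
15[IKE] QUICK_MODE request with message ID 2439206719 processing failed
10[IKE] sending retransmit 1 of response message ID 3074289790, seq 6
11[IKE] sending retransmit 2 of response message ID 3074289790, seq 6
"""

CONN_HDR = re.compile(r"^Loading conn '?([^']+?)'?$")
QM_PARSED = re.compile(r"parsed QUICK_MODE request (\d+) ")
QM_FAILED = re.compile(r"QUICK_MODE request with message ID (\d+) processing failed")
RETRANSMIT = re.compile(r"sending retransmit (\d+) of response message ID (\d+)")
CHILD_SA = re.compile(r"CHILD_SA (\S+) established with SPIs ([0-9a-f]+)_i "
                      r"([0-9a-f]+)_o and TS (\S+) === (\S+)")


def parse_conns(text):
    """Return {conn_name: {option: value}} from a starter 'Loading conn' dump."""
    conns, current = {}, None
    for raw in text.splitlines():
        m = CONN_HDR.match(raw.strip())
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and raw.startswith("  ") and "=" in raw:
            key, _, value = raw.strip().partition("=")
            current[key] = value
    return conns


def pool_overlaps_subnet(conn):
    """True if a CIDR rightsourceip pool overlaps leftsubnet.
    %dhcp, %radius, named pools and address ranges are not checked (False)."""
    pool, subnet = conn.get("rightsourceip", ""), conn.get("leftsubnet", "")
    if "/" not in pool or "/" not in subnet:
        return False
    return ipaddress.ip_network(pool, strict=False).overlaps(
        ipaddress.ip_network(subnet, strict=False))


def analyse_charon(text):
    """Summarise CHILD_SAs, undecryptable messages and retransmits."""
    rep = {"child_sas": [], "decrypt_failures": 0, "stale_quick_mode": Counter(),
           "unknown_quick_mode": Counter(), "retransmits": Counter()}
    seen_qm = set()
    for line in text.splitlines():
        m = CHILD_SA.search(line)
        if m:
            rep["child_sas"].append(dict(zip(
                ("name", "spi_in", "spi_out", "local_ts", "remote_ts"), m.groups())))
            continue
        m = QM_PARSED.search(line)
        if m:
            seen_qm.add(m.group(1))
            continue
        if "could not decrypt payloads" in line:
            rep["decrypt_failures"] += 1
            continue
        m = QM_FAILED.search(line)
        if m:
            # Heuristic: a failure that reuses the ID of an exchange already
            # parsed is most likely a peer retransmit of a completed Quick Mode.
            bucket = "stale_quick_mode" if m.group(1) in seen_qm else "unknown_quick_mode"
            rep[bucket][m.group(1)] += 1
            continue
        m = RETRANSMIT.search(line)
        if m:  # keep the highest retransmit count seen per response ID
            rep["retransmits"][m.group(2)] = max(rep["retransmits"][m.group(2)], int(m.group(1)))
    return rep


def findings(starter_text, charon_text):
    """Plain-text list of issues worth acting on."""
    out = []
    for name, conn in parse_conns(starter_text).items():
        if pool_overlaps_subnet(conn):
            out.append("conn %s: rightsourceip %s overlaps leftsubnet %s; load the farp "
                       "plugin or move the pool to a subnet routed to the gateway"
                       % (name, conn["rightsourceip"], conn["leftsubnet"]))
    rep = analyse_charon(charon_text)
    for mid, n in rep["stale_quick_mode"].items():
        out.append("message ID %s: %d undecryptable message(s) reusing the ID of a parsed "
                   "Quick Mode; likely peer retransmits, check why our response was not accepted"
                   % (mid, n))
    for mid, n in rep["unknown_quick_mode"].items():
        out.append("message ID %s: %d failed Quick Mode request(s) never parsed cleanly" % (mid, n))
    for mid, n in rep["retransmits"].items():
        out.append("response %s retransmitted %d time(s): peer not acknowledging, check "
                   "UDP 500/4500 reachability and NAT" % (mid, n))
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_STARTER, SAMPLE_CHARON):
        print("-", f)
```

Run it as-is to see the findings for the embedded sample, or paste the real starter and charon output into the two strings. It is offline analysis only; on the gateway the complementary live checks are `sysctl net.ipv4.ip_forward`, `ip xfrm policy` (the installed policies should pair 192.168.7.0/24 with 192.168.7.1/32) and the iptables FORWARD rules that leftfirewall=yes inserts through the updown script.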