[strongSwan] RE: Re: no ping the internal network

Ian McDonald iam at st-andrews.ac.uk
Thu Apr 18 09:11:02 CEST 2013


Is there a firewall between your client and the server?
-----Original Message-----
From: carachi diego
Sent:  18/04/2013, 08:07
To: users at lists.strongswan.org
Subject: Re: [strongSwan] no ping the internal network


Hello Noel,
Thank you for your reply.
I tried, but I am not able to ping the other network of my server.
Any suggestion?


Thank you very much



2013/4/17 Noel Kuntze <noel at familie-kuntze.de>
Hello,

Can you ping one of the interfaces of the router? If yes, then you might
need to enable forwarding for the tunnel in the kernel settings. (sysctl
on Linux, key net.ipv[46].conf.tunl[0123456789].forwarding = 1). The
latter made my setup work. You might also want to investigate the
decryption errors, which might be related to your problem.

Regards,
Noel

> Hello,
>
> I configure strongswan but the client (win XP) is connected to the
> server but I am not able from the client to ping the internal network.
>
> Where can be the problem??
> Thank you
>
>
> ---------------------------------------------------------------------
> root at debian:~# ipsec start --nofork --debug-all
> Starting strongSwan 5.0.2 IPsec [starter]...
> !! Your strongswan.conf contains manual plugin load options for charon.
> !! This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
> Loading config setup
> Loading conn %default
>   ikelifetime=60m
>   keylife=20m
>   rekeymargin=3m
>   keyingtries=1
>   keyexchange=ikev1
> Loading conn 'rw'
>   left=172.16.151.100
>   leftcert=server.crt
>   leftid=@ipsec.org
>   leftsubnet=192.168.7.0/24
>   leftfirewall=yes
>   right=%any
>   rightsourceip=192.168.7.0/24
>   auto=add
> found netkey IPsec stack
> Attempting to start charon...
> 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2, Linux
> 3.2.0-0.bpo.4-amd64, x86_64)
> 00[LIB] enabled  AES_CBC[aes]: passed 6 test vectors
> 00[LIB] enabled  AES_CBC[aes]: passed 6 test vectors
> 00[LIB] enabled  AES_CBC[aes]: passed 6 test vectors
> 00[LIB] enabled  3DES_CBC[des]: passed 2 test vectors
> 00[LIB] enabled  DES_CBC[des]: passed 2 test vectors
> 00[LIB] enabled  DES_ECB[des]: passed 2 test vectors
> 00[LIB] enabled  HASH_SHA1[sha1]: passed 4 test vectors
> 00[LIB] enabled  PRF_KEYED_SHA1[sha1]: no test vectors found
> 00[LIB] enabled  HASH_SHA224[sha2]: passed 3 test vectors
> 00[LIB] enabled  HASH_SHA256[sha2]: passed 3 test vectors
> 00[LIB] enabled  HASH_SHA384[sha2]: passed 3 test vectors
> 00[LIB] enabled  HASH_SHA512[sha2]: passed 3 test vectors
> 00[LIB] enabled  HASH_MD5[md5]: passed 7 test vectors
> 00[LIB] enabled  RNG_STRONG[random]: passed 3 test vectors
> 00[LIB] enabled  RNG_TRUE[random]: skipping test (disabled by config)
> 00[LIB] enabled  PRF_HMAC_SHA1[hmac]: passed 6 test vectors
> 00[LIB] enabled  PRF_HMAC_MD5[hmac]: passed 6 test vectors
> 00[LIB] enabled  PRF_HMAC_SHA2_256[hmac]: passed 6 test vectors
> 00[LIB] enabled  PRF_HMAC_SHA2_384[hmac]: passed 6 test vectors
> 00[LIB] enabled  PRF_HMAC_SHA2_512[hmac]: passed 6 test vectors
> 00[LIB] enabled  HMAC_SHA1_96[hmac]: passed 2 test vectors
> 00[LIB] enabled  HMAC_SHA1_128[hmac]: passed 2 test vectors
> 00[LIB] enabled  HMAC_SHA1_160[hmac]: passed 2 test vectors
> 00[LIB] enabled  HMAC_MD5_96[hmac]: passed 2 test vectors
> 00[LIB] enabled  HMAC_MD5_128[hmac]: passed 2 test vectors
> 00[LIB] enabled  HMAC_SHA2_256_128[hmac]: passed 3 test vectors
> 00[LIB] enabled  HMAC_SHA2_256_256[hmac]: no test vectors found
> 00[LIB] enabled  HMAC_SHA2_384_192[hmac]: passed 3 test vectors
> 00[LIB] enabled  HMAC_SHA2_384_384[hmac]: no test vectors found
> 00[LIB] enabled  HMAC_SHA2_512_256[hmac]: passed 3 test vectors
> 00[LIB] enabled  PRF_AES128_XCBC[xcbc]: passed 7 test vectors
> 00[LIB] enabled  AES_XCBC_96[xcbc]: passed 5 test vectors
> 00[LIB] enabled  PRF_AES128_CMAC[cmac]: passed 7 test vectors
> 00[LIB] enabled  AES_CMAC_96[cmac]: passed 4 test vectors
> 00[LIB] enabled  AES_CTR[ctr]: passed 9 test vectors
> 00[LIB] enabled  AES_CTR[ctr]: passed 9 test vectors
> 00[LIB] enabled  AES_CTR[ctr]: passed 9 test vectors
> 00[LIB] enabled  AES_CCM_8[ccm]: passed 5 test vectors
> 00[LIB] enabled  AES_CCM_8[ccm]: passed 5 test vectors
> 00[LIB] enabled  AES_CCM_8[ccm]: passed 5 test vectors
> 00[LIB] enabled  AES_CCM_12[ccm]: passed 1 test vectors
> 00[LIB] enabled  AES_CCM_12[ccm]: passed 1 test vectors
> 00[LIB] enabled  AES_CCM_12[ccm]: passed 1 test vectors
> 00[LIB] enabled  AES_CCM_16[ccm]: passed 5 test vectors
> 00[LIB] enabled  AES_CCM_16[ccm]: passed 5 test vectors
> 00[LIB] enabled  AES_CCM_16[ccm]: passed 5 test vectors
> 00[LIB] enabled  AES_GCM_8[gcm]: passed 1 test vectors
> 00[LIB] enabled  AES_GCM_8[gcm]: passed 1 test vectors
> 00[LIB] enabled  AES_GCM_8[gcm]: passed 1 test vectors
> 00[LIB] enabled  AES_GCM_12[gcm]: passed 1 test vectors
> 00[LIB] enabled  AES_GCM_12[gcm]: passed 1 test vectors
> 00[LIB] enabled  AES_GCM_12[gcm]: passed 1 test vectors
> 00[LIB] enabled  AES_GCM_16[gcm]: passed 5 test vectors
> 00[LIB] enabled  AES_GCM_16[gcm]: passed 5 test vectors
> 00[LIB] enabled  AES_GCM_16[gcm]: passed 5 test vectors
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG]   loaded ca certificate "C=UK, ST=Beds, L=Luton, O=Beds,
> OU=IT, CN=Beds CA, N=Strongswan, E=root at ipsec.beds.com" from '/etc/ipsec.d/cacerts/ca.crt'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
> 00[DMN] loaded plugins: charon curl test-vectors aes des sha1 sha2 md5
> pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr
> ccm gcm stroke kernel-netlink socket-default updown
> 00[JOB] spawning 16 worker threads
> charon (2651) started after 40 ms
> 08[CFG] received stroke: add connection 'rw'
> 08[CFG] adding virtual IP address pool 192.168.7.0/24
> 08[CFG]   loaded certificate "C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
> CN=server, N=Strongswan, E=root at ipsec.beds.com" from 'server.crt'
> 08[CFG]   id 'ipsec.org' not confirmed by
> certificate, defaulting to 'C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
> CN=server, N=Strongswan, E=root at ipsec.beds.com'
> 08[CFG] added configuration 'rw'
> 09[NET] received packet: from 172.16.151.131[500] to
> 172.16.151.100[500] (3756 bytes)
> 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V ]
> 09[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
> 09[ENC] received unknown vendor ID:
> 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
> 09[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 09[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
> 09[IKE] received NAT-T (RFC 3947) vendor ID
> 09[IKE] received FRAGMENTATION vendor ID
> 09[IKE] received DPD vendor ID
> 09[ENC] received unknown vendor ID:
> f1:4b:94:b7:bf:f1:fe:f0:27:73:b8:c4:9f:ed:ed:26
> 09[ENC] received unknown vendor ID:
> 16:6f:93:2d:55:eb:64:d8:e4:df:4f:d3:7e:23:13:f0:d0:fd:84:51
> 09[ENC] received unknown vendor ID:
> 84:04:ad:f9:cd:a0:57:60:b2:ca:29:2e:4b:ff:53:7b
> 09[IKE] received Cisco Unity vendor ID
> 09[IKE] 172.16.151.131 is initiating a Main Mode IKE_SA
> 09[ENC] generating ID_PROT response 0 [ SA V V V ]
> 09[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (140 bytes)
> 10[NET] received packet: from 172.16.151.131[500] to
> 172.16.151.100[500] (365 bytes)
> 10[ENC] parsed ID_PROT request 0 [ KE No CERTREQ NAT-D NAT-D ]
> 10[IKE] ignoring certificate request without data
> 10[IKE] sending cert request for "C=UK, ST=Beds, L=Luton, O=Beds,
> OU=IT, CN=Beds CA, N=Strongswan, E=root at ipsec.beds.com"
> 10[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
> 10[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (527 bytes)
> 11[NET] received packet: from 172.16.151.131[500] to
> 172.16.151.100[500] (1724 bytes)
> 11[ENC] parsed ID_PROT request 0 [ ID CERT SIG ]
> 11[IKE] received end entity cert "C=UK, ST=Beds, L=Luton, O=Beds,
> OU=IT, CN=client, N=Strongswan, E=root at ipsec.beds.com"
> 11[CFG] looking for RSA signature peer configs matching
> 172.16.151.100...172.16.151.131[C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
> CN=client, N=Strongswan, E=root at ipsec.beds.com]
> 11[CFG] selected peer config "rw"
> 11[CFG]   using certificate "C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
> CN=client, N=Strongswan, E=root at ipsec.beds.com"
> 11[CFG]   using trusted ca certificate "C=UK, ST=Beds, L=Luton,
> O=Beds, OU=IT, CN=Beds CA, N=Strongswan, E=root at ipsec.beds.com"
> 11[CFG] checking certificate status of "C=UK, ST=Beds, L=Luton,
> O=Beds, OU=IT, CN=client, N=Strongswan, E=root at ipsec.beds.com"
> 11[CFG] certificate status is not available
> 11[CFG]   reached self-signed root ca with a path length of 0
> 11[IKE] authentication of 'C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
> CN=client, N=Strongswan, E=root at ipsec.beds.com' with RSA successful
> 11[IKE] authentication of 'C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
> CN=server, N=Strongswan, E=root at ipsec.beds.com' (myself) successful
> 11[IKE] IKE_SA rw[1] established between 172.16.151.100[C=UK, ST=Beds,
> L=Luton, O=Beds, OU=IT, CN=server, N=Strongswan, E=root at ipsec.beds.com]...172.16.151.131[C=UK, ST=Beds, L=Luton,
> O=Beds, OU=IT, CN=client, N=Strongswan, E=root at ipsec.beds.com]
> 11[IKE] scheduling reauthentication in 3297s
> 11[IKE] maximum IKE_SA lifetime 3477s
> 11[IKE] sending end entity cert "C=UK, ST=Beds, L=Luton, O=Beds,
> OU=IT, CN=server, N=Strongswan, E=root at ipsec.beds.com"
> 11[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
> 11[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (1756 bytes)
> 13[NET] received packet: from 172.16.151.131[500] to
> 172.16.151.100[500] (92 bytes)
> 13[ENC] parsed INFORMATIONAL_V1 request 2720293503 [ HASH
> N(INITIAL_CONTACT) ]
> 13[NET] received packet: from 172.16.151.131[500] to
> 172.16.151.100[500] (92 bytes)
> 13[ENC] parsed TRANSACTION request 640267562 [ HASH CP ]
> 13[IKE] peer requested virtual IP %any
> 13[CFG] assigning new lease to 'C=UK, ST=Beds, L=Luton, O=Beds, OU=IT,
> CN=client, N=Strongswan, E=root at ipsec.beds.com'
> 13[IKE] assigning virtual IP 192.168.7.1 to peer 'C=UK, ST=Beds,
> L=Luton, O=Beds, OU=IT, CN=client, N=Strongswan, E=root at ipsec.beds.com'
> 13[ENC] generating TRANSACTION response 640267562 [ HASH CP ]
> 13[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (76 bytes)
> 15[NET] received packet: from 172.16.151.131[500] to
> 172.16.151.100[500] (684 bytes)
> 15[ENC] parsed QUICK_MODE request 2781654303 [ HASH SA No ID ID ]
> 15[IKE] received 3600s lifetime, configured 1200s
> 15[ENC] generating QUICK_MODE response 2781654303 [ HASH SA No ID ID ]
> 15[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (172 bytes)
> 07[IKE] sending retransmit 1 of response message ID 2781654303, seq 5
> 07[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (172 bytes)
> 08[IKE] sending retransmit 2 of response message ID 2781654303, seq 5
> 08[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (172 bytes)
> 09[NET] received packet: from 172.16.151.131[500] to
> 172.16.151.100[500] (92 bytes)
> 09[ENC] parsed INFORMATIONAL_V1 request 51255654 [ HASH N(DPD) ]
> 09[ENC] generating INFORMATIONAL_V1 request 2918765658 [ HASH N(DPD_ACK) ]
> 09[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (92 bytes)
> 10[IKE] sending retransmit 3 of response message ID 2781654303, seq 5
> 10[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (172 bytes)
> 12[NET] received packet: from 172.16.151.131[500] to
> 172.16.151.100[500] (684 bytes)
> 12[ENC] parsed QUICK_MODE request 2439206719 [ HASH SA No ID ID ]
> 12[IKE] CHILD_SA rw{1} established with SPIs c8de18b3_i 6b57c330_o and
> TS 192.168.7.0/24 === 192.168.7.1/32
> 13[NET] received packet: from 172.16.151.131[500] to
> 172.16.151.100[500] (92 bytes)
> 13[ENC] parsed INFORMATIONAL_V1 request 959431080 [ HASH N(DPD) ]
> 13[ENC] generating INFORMATIONAL_V1 request 3238217689 [ HASH N(DPD_ACK) ]
> 13[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (92 bytes)
> 14[NET] received packet: from 172.16.151.131[500] to
> 172.16.151.100[500] (684 bytes)
> 14[ENC] invalid HASH_V1 payload length, decryption failed?
> 14[ENC] could not decrypt payloads
> 14[IKE] message parsing failed
> 14[ENC] generating INFORMATIONAL_V1 request 2658081635 [ HASH N(PLD_MAL) ]
> 14[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (76 bytes)
> 14[IKE] QUICK_MODE request with message ID 2439206719 processing failed
> 15[NET] received packet: from 172.16.151.131[500] to
> 172.16.151.100[500] (684 bytes)
> 15[ENC] invalid HASH_V1 payload length, decryption failed?
> 15[ENC] could not decrypt payloads
> 15[IKE] message parsing failed
> 15[ENC] generating INFORMATIONAL_V1 request 2558400398 [ HASH N(PLD_MAL) ]
> 15[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (76 bytes)
> 15[IKE] QUICK_MODE request with message ID 2439206719 processing failed
> 07[NET] received packet: from 172.16.151.131[500] to
> 172.16.151.100[500] (684 bytes)
> 07[ENC] invalid HASH_V1 payload length, decryption failed?
> 07[ENC] could not decrypt payloads
> 07[IKE] message parsing failed
> 07[ENC] generating INFORMATIONAL_V1 request 45400192 [ HASH N(PLD_MAL) ]
> 07[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (76 bytes)
> 07[IKE] QUICK_MODE request with message ID 2439206719 processing failed
> 08[NET] received packet: from 172.16.151.131[500] to
> 172.16.151.100[500] (92 bytes)
> 08[ENC] parsed INFORMATIONAL_V1 request 1445932911 [ HASH N(DPD) ]
> 08[ENC] generating INFORMATIONAL_V1 request 446635703 [ HASH N(DPD_ACK) ]
> 08[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (92 bytes)
> 09[NET] received packet: from 172.16.151.131[500] to
> 172.16.151.100[500] (684 bytes)
> 09[ENC] parsed QUICK_MODE request 3074289790 [ HASH SA No ID ID ]
> 09[IKE] received 3600s lifetime, configured 1200s
> 09[IKE] detected rekeying of CHILD_SA rw{1}
> 09[ENC] generating QUICK_MODE response 3074289790 [ HASH SA No ID ID ]
> 09[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (172 bytes)
> 10[IKE] sending retransmit 1 of response message ID 3074289790, seq 6
> 10[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (172 bytes)
> 11[IKE] sending retransmit 2 of response message ID 3074289790, seq 6
> 11[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (172 bytes)
> 13[NET] received packet: from 172.16.151.131[500] to
> 172.16.151.100[500] (92 bytes)
> 13[ENC] parsed INFORMATIONAL_V1 request 4153077593 [ HASH N(DPD) ]
> 13[ENC] generating INFORMATIONAL_V1 request 677315988 [ HASH N(DPD_ACK) ]
> 13[NET] sending packet: from 172.16.151.100[500] to
> 172.16.151.131[500] (92 bytes)


_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users



--
http://www.2dd.it
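As an added example that is not part of this thread and not strongSwan's own tooling: a small Python triage script that reads charon output of the kind quoted above and summarises the events that matter when both SAs come up but nothing reaches the LAN (the leftid warning, retransmitted responses, undecryptable IKEv1 messages, and the CHILD_SA traffic selectors). The sample lines are constructed; the proxy-ARP note is a general strongSwan caveat about a virtual IP pool that lies inside leftsubnet, not a diagnosis the thread itself makes.

```python
import ipaddress
import re

# Constructed sample in the shape of the charon log quoted in the thread
# (mail wrapping joined, DNs shortened); not a copy of the original output.
SAMPLE_LOG = """\
08[CFG]   id 'ipsec.org' not confirmed by certificate, defaulting to 'CN=server'
11[IKE] IKE_SA rw[1] established between 172.16.151.100[CN=server]...172.16.151.131[CN=client]
15[IKE] received 3600s lifetime, configured 1200s
07[IKE] sending retransmit 1 of response message ID 2781654303, seq 5
08[IKE] sending retransmit 2 of response message ID 2781654303, seq 5
12[IKE] CHILD_SA rw{1} established with SPIs c8de18b3_i 6b57c330_o and TS 192.168.7.0/24 === 192.168.7.1/32
14[ENC] invalid HASH_V1 payload length, decryption failed?
15[ENC] invalid HASH_V1 payload length, decryption failed?
"""

RETRANSMIT = re.compile(r"sending retransmit (\d+) of response message ID (\d+)")
LIFETIME = re.compile(r"received (\d+)s lifetime, configured (\d+)s")
CHILD_TS = re.compile(r"CHILD_SA \S+ established .* TS (\S+) === (\S+)")


def triage(log: str) -> dict:
    """Collect the events that matter when the SAs come up but no traffic flows."""
    f = {"ike_sa": False, "child_sa": False, "ts": None, "id_mismatch": False,
         "lifetime": None, "retransmits": {}, "decrypt_failures": 0, "notes": []}
    for line in log.splitlines():
        if "not confirmed by certificate" in line:      # leftid vs. certificate
            f["id_mismatch"] = True
        elif "IKE_SA" in line and "established" in line:
            f["ike_sa"] = True
        elif m := RETRANSMIT.search(line):               # highest retransmit per msg ID
            n, msg_id = int(m.group(1)), m.group(2)
            f["retransmits"][msg_id] = max(n, f["retransmits"].get(msg_id, 0))
        elif m := LIFETIME.search(line):
            f["lifetime"] = (int(m.group(1)), int(m.group(2)))
        elif m := CHILD_TS.search(line):                 # traffic selectors of the CHILD_SA
            f["child_sa"], f["ts"] = True, (m.group(1), m.group(2))
        elif "decryption failed?" in line:
            f["decrypt_failures"] += 1
    notes = f["notes"]
    if f["id_mismatch"]:
        notes.append("leftid is not in the server certificate; charon fell back to its DN")
    if f["ike_sa"] and f["child_sa"]:
        notes.append("both SAs are up: check kernel forwarding and any firewall on the path")
    if f["ts"]:
        local, remote = (ipaddress.ip_network(t, strict=False) for t in f["ts"])
        if remote.subnet_of(local):   # general strongSwan caveat, not a thread finding
            notes.append("virtual IP lies inside leftsubnet: gateway must proxy-ARP for it (farp plugin)")
    for msg_id, n in f["retransmits"].items():
        notes.append(f"response {msg_id} retransmitted {n}x: peer never acknowledged it")
    if f["decrypt_failures"]:
        notes.append(f"{f['decrypt_failures']} undecryptable IKEv1 messages: peer state out of sync")
    return f
```

Feed it saved `ipsec start --nofork --debug-all` output with `triage(open("charon.log").read())["notes"]`; the returned dict keeps the raw counts for anything the notes do not cover.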


