[strongSwan] Ping only goes 1 way

Sergej Petrovsky sergej5561 at yandex.com
Thu Jun 27 22:12:58 CEST 2013 

Hi,

I doing a classic RW-NAT-GW server scenario. By this 2 howtos:

http://www.strongswan.org/uml/testresults/ikev2/nat-rw/index.html

http://www.free-it.de/archiv/talks_2005/paper-11156/paper-11156.html

The second one proved to be extremely useful because it would NOT work if the rightsubnetwithin= wouldn't be present in the Gateways configuration with:
"received TS_UNACCEPTABLE notify, no CHILD_SA built"

But I get to the point. This is the strangest thing I saw so far, the Roadwarrior can ping the gateway server while it's not possible to ping back from the gateway. How can that be???

The setup:

<RW laptop with dynamic Virtual IP>192.168.0.22 --- 192.168.0.1 <WIRELESS ROUTER NAT> 212.31.42.41 --- INTERNET --- 93.14.14.22 <Strongswan GW> -- 10.5.0.0/16


GW Server config
=============
conn rw
        left=93.14.14.22
        leftnexthop=%defaultroute
        leftcert=server.pem
        leftid=@domain.server.com
        leftsubnet=10.5.0.0/16
        right=%any
        rightsubnetwithin=0.0.0.0/0
        rightrsasigkey=%cert
        auto=add

rightsubnetwithin=0.0.0.0/0 << AS you can see this is exteremely useful because the RWs are moved between different wireless access points, both their external, both their internal lan ips frequently changing.

RW config
========

conn company
        left=%defaultroute
        #leftsourceip=192.168.0.22
        leftcert=laptop14.pem
        leftid=laptop14 at domain.server.com
        right=93.14.14.22
        rightid=@domain.server.com
        rightsubnet=10.5.0.0/16
        dpddelay=1m  # check connection every minute
        dpdtimeout=3m  # timeout after 5 minutes
        dpdaction=clear  # clear connection after timeout
        auto=add

#leftsourceip=192.168.0.22 << Now if I set the sourceip to the current virtual ip as the howto says it won't work with this error:

received INTERNAL_ADDRESS_FAILURE notify, no CHILD_SA built

Both this GW server and the RW have 1-1 single network interface (eth0 and wlan0). There is no firewall on any.
Therefore I configured ip aliases for them:

eth0:0 10.5.0.1
wlan0:0 10.5.0.2

So again from the RW 10.5.0.2 I can ping the GW server or telnet to any open tcp port, it's working fine but from the server I cannot reac the road warrior, how can that be?

I tried to add all kinds of routes for the 10.5.x.x net on the GW nothing seems to work.

10.5.0.0        <ISPGATE>      255.255.0.0     UG    0      0        0 eth0

Thank you very much,
Sergej

More information about the Users mailing list