[strongSwan] Destination unreachable issue

Noel Kuntze noel at familie-kuntze.de
Tue Dec 23 20:03:16 CET 2014


Hello Xin,

You need to configure your firewall to allow UDP ports 500 and 4500 through, as well as the ESP and AH protocols.
strongSwan does not send such ICMP messages to initiators.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 22.12.2014 at 06:54, Xin wrote:
>
> Hi, I’m using CentOS with strongSwan, but I cannot connect from a Win7 client. When Win7 sends an IKE_SA_INIT to the server, the server replies with an ICMP packet, and Wireshark showed “Destination unreachable (Host administratively prohibited)”. And there is no log on /var/etc/strongswan. The log showed the following:
>
> Dec 22 12:14:21 02[JOB] watcher got notification, rebuilding
> Dec 22 12:14:21 02[JOB]   watching 9 for reading
> Dec 22 12:14:21 02[JOB]   watching 15 for reading
> Dec 22 12:14:21 02[JOB]   watching 16 for reading
> Dec 22 12:14:21 02[JOB]   watching 18 for reading
> Dec 22 12:14:21 02[JOB] watcher going to select()
> Dec 22 12:14:39 02[JOB] watched FD 15 ready to read
> Dec 22 12:14:39 02[JOB]   watching 9 for reading
> Dec 22 12:14:39 02[JOB]   watching 16 for reading
> Dec 22 12:14:39 02[JOB]   watching 18 for reading
> Dec 22 12:14:39 02[JOB] watcher going to select()
> Dec 22 12:14:39 02[JOB] watcher got notification, rebuilding
> Dec 22 12:14:39 02[JOB]   watching 9 for reading
> Dec 22 12:14:39 02[JOB]   watching 15 for reading
> Dec 22 12:14:39 02[JOB]   watching 16 for reading
> Dec 22 12:14:39 02[JOB]   watching 18 for reading
> Dec 22 12:14:39 02[JOB] watcher going to select()
> Dec 22 12:14:58 02[JOB] watched FD 15 ready to read
>
> This is the first time I have deployed to a CentOS server, and only one log line differs from the Ubuntu server (running with no problem):
>
> Dec 22 12:14:20 00[LIB] openssl FIPS mode(0) – disabled
>
> I have added --with-fips-mode=1 to the ./configuration, but it did not work.
>

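Added example, not part of the original thread or of strongSwan: a check of an `iptables-save` dump for the traffic the reply says must be allowed (UDP 500, UDP 4500, ESP, AH), reporting what is still missing ahead of the first catch-all reject rule. The sample ruleset and the function name `ipsec_blocked` are constructed for illustration, and it is an assumption that the server's ruleset ends with a `REJECT --reject-with icmp-host-prohibited` rule, which would match the ICMP message seen in Wireshark.

```shell
#!/bin/sh
# Constructed sample (not from the thread): iptables-save output shaped like
# a stock CentOS filter table, which ends INPUT with icmp-host-prohibited.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# ipsec_blocked RULES
# Prints which of ike (UDP 500), natt (UDP 4500), esp, ah have no ACCEPT rule
# ahead of the first catch-all REJECT/DROP in INPUT. Empty output = all open.
# Simplification: any REJECT/DROP without -p is treated as the catch-all, and
# multiport matches are not parsed.
ipsec_blocked() {
    printf '%s\n' "$1" | awk '
        $1 != "-A" || $2 != "INPUT" || stop { next }
        {
            proto = ""; dport = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (target == "ACCEPT") {
                if (proto == "udp" && dport == "500")  ok["ike"]  = 1
                if (proto == "udp" && dport == "4500") ok["natt"] = 1
                if (proto == "esp" || proto == "50")   ok["esp"]  = 1
                if (proto == "ah"  || proto == "51")   ok["ah"]   = 1
            }
            # Rules after the catch-all are never reached, so stop here.
            if ((target == "REJECT" || target == "DROP") && proto == "") stop = 1
        }
        END {
            n = split("ike natt esp ah", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in ok)) out = out (out == "" ? "" : " ") want[i]
            print out
        }'
}

echo "blocked before the catch-all rule: $(ipsec_blocked "$SAMPLE_RULES")"
```

Because rule order decides the outcome, accept rules added with `iptables -I INPUT ...` land ahead of the reject rule, while rules appended with `-A` after it are never evaluated.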


