[strongSwan] IPSec Tunnel Up, But No Traffic

Joe Ryan jr at aphyt.com
Tue Jul 29 22:24:33 CEST 2014


Hello Everyone,

I have a DigitalOcean VPS running Ubuntu 12.04 that I want to connect to 
with a BeagleBone running Debian so that I can access all of the devices 
on the same subnet as the BeagleBone, and not have to worry about an IT 
department opening ports. I have tried this with both strongSwan 4.5.2 
and 5.2.0 and have the same result, so I'm sure it's my configuration. 
After bringing up the connection everything negotiates as expected, 
and the final line of ipsec statusall is

machinetun{1}:   10.128.0.0/16 === 192.168.250.0/24

where machinetun is the connection, 10.128.0.0/16 is a private network 
on DigitalOcean and 192.168.250.0/24 is a private network on my machine. 
My logs show the CHILD_SA being established and rekeyed as expected, 
with keepalive packets going out frequently, and nothing to suggest a 
problem.

At this point I would hope that I would be able to ping the gateway on 
my machine, 192.168.250.60 from the DigitalOcean VPS private IP address 
using one of the following:

#ping the BeagleBone gateway from DO
ping 192.168.250.60
#ping the BeagleBone gateway with an interface on the DO private network
ping -I 10.128.120.160 192.168.250.60

But get no results in this direction or the reverse.

I also have net.ipv4.ip_forward 1 on both machines.

My configurations are below, and I hope someone might have a good idea 
what direction I can look in to figure out what I've done wrong.

# BeagleBone Conf
config setup
         strictcrlpolicy=no
         charondebug=1
conn %default
         ikelifetime=60m
         keylife=20m
         rekeymargin=3m
         keyingtries=%forever
         keyexchange=ikev2
         left=%any
         leftcert=beagleCert.der
         leftid=beagle at hostname.com
         lefthostaccess=yes
         leftfirewall=yes

conn machinetun
         leftsourceip=%config
         leftsubnet=192.168.250.0/24
         right=hostname.com
         rightid=@hostname.com
         rightsubnet=10.128.0.0/16
         auto=start

# DigitalOcean Conf
config setup
         strictcrlpolicy=no
conn %default
         ikelifetime=60m
         keylife=20m
         rekeymargin=3m
         keyingtries=1
         keyexchange=ikev2
         left=%any
         leftcert=svCert.der
         leftid=@hostname.com
         lefthostaccess=yes
         leftfirewall=yes

conn machinetun
         leftsubnet=10.128.0.0/16
         right=%any
         rightsubnet=192.168.250.0/24
         rightid=beagle at hostname.com
         rightsourceip=10.128.0.50
         auto=add

Thank you,
Joe
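One thing worth checking with a setup like this is whether the ping packets
actually fall inside the negotiated traffic selectors: with leftsubnet set
to 10.128.0.0/16 on the DigitalOcean side, a packet sourced from the
droplet's public address is outside the local selector and is routed in the
clear rather than through the tunnel. The following script is an added
example, not part of Joe's post or of strongSwan; it parses the
"ipsec statusall" CHILD_SA line quoted above and tests the two ping
commands against it. The public address 203.0.113.10 is a constructed
placeholder, since the post does not give the droplet's public IP.

```python
import ipaddress
import re

# Constructed sample: the CHILD_SA selector line quoted in the post.
STATUS_LINE = "machinetun{1}:   10.128.0.0/16 === 192.168.250.0/24"

# "<conn>{<id>}:   <local selectors> === <remote selectors>"
_SA_RE = re.compile(
    r"^(?P<name>\S+)\{\d+\}:\s+(?P<local>.+?)\s+===\s+(?P<remote>.+?)\s*$"
)


def parse_child_sa(line):
    """Parse a CHILD_SA line into (conn name, local networks, remote networks)."""
    m = _SA_RE.match(line.strip())
    if not m:
        raise ValueError("not a CHILD_SA selector line: %r" % line)
    local = [ipaddress.ip_network(n) for n in m.group("local").split()]
    remote = [ipaddress.ip_network(n) for n in m.group("remote").split()]
    return m.group("name"), local, remote


def policy_matches(local_nets, remote_nets, src, dst):
    """True if a packet src -> dst is covered by the outbound IPsec policy.

    Both ends must match: the source has to be inside a local selector and
    the destination inside a remote selector, otherwise the kernel has no
    matching policy and the packet leaves unencrypted via the normal route.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    return any(s in n for n in local_nets) and any(d in n for n in remote_nets)


def check_pings(status_line, pings):
    """pings: list of (label, src, dst). Returns {label: covered_by_tunnel}."""
    _, local, remote = parse_child_sa(status_line)
    return {label: policy_matches(local, remote, src, dst)
            for label, src, dst in pings}


# Constructed samples mirroring the two commands in the post. The first ping
# uses the default-route source address, assumed here to be the droplet's
# public IP (placeholder 203.0.113.10); the second binds to the private IP.
PINGS = [
    ("ping 192.168.250.60 (default source)", "203.0.113.10", "192.168.250.60"),
    ("ping -I 10.128.120.160 192.168.250.60", "10.128.120.160", "192.168.250.60"),
]

if __name__ == "__main__":
    for label, ok in check_pings(STATUS_LINE, PINGS).items():
        verdict = "covered by tunnel policy" if ok else "NOT covered: sent in clear"
        print("%-42s %s" % (label, verdict))
```

The same check can be run against the BeagleBone side by swapping the
selector order (192.168.250.0/24 local, 10.128.0.0/16 remote); a ping
from the BeagleBone toward 10.128.x.x is only covered if it is sourced
from a 192.168.250.0/24 address.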
