[strongSwan] IPSec Tunnel Up, But No Traffic
Joe Ryan
jr at aphyt.com
Tue Jul 29 22:48:17 CEST 2014
On DigitalOcean
default via 162.243.9.1 dev eth0 metric 100
10.128.0.0/16 dev eth1 proto kernel scope link src 10.128.120.160
162.243.9.0/24 dev eth0 proto kernel scope link src 162.243.9.250
On BeagleBone
default via 192.168.250.50 dev eth0
192.168.7.0/30 dev usb0 proto kernel scope link src 192.168.7.2
192.168.250.0/24 dev eth0 proto kernel scope link src 192.168.250.60
Thank you,
Joe
On 2014-07-29 13:36, Vyronas Tsingaras wrote:
> Please post the output of
>
> ip route show
>
> On 29 July 2014 23:24:33 EEST, Joe Ryan <jr at aphyt.com> wrote:
>
>> Hello Everyone,
>>
>> I have a DigitalOcean VPS running Ubuntu 12.04 that I want to connect to
>> with a BeagleBone running Debian so that I can access all of the devices
>> on the same subnet as the BeagleBone, and not have to worry about an IT
>> department opening ports. I have tried this with both StrongSwan 4.5.2
>> and 5.2.0 and have the same result, so I'm sure it's my configuration.
>> After bringing up the connection everything negotiates as expected,
>> and the final line of ipsec statusall is machinetun{1}: 10.128.0.0/16
>> === 192.168.250.0/24, where machinetun is the connection, 10.128.0.0/16 is
>> a private network on DigitalOcean and 192.168.250.0/24 is a private
>> network on my machine. My logs show the CHILD_SA being established and
>> rekeyed as expected, with keep alive packets going out frequently, and
>> nothing to suggest a problem.
>>
>> At this point I would hope that I would be able to ping the gateway on
>> my machine, 192.168.250.60, from the DigitalOcean VPS private IP address
>> using one of the following:
>>
>> # ping the BeagleBone gateway from DO
>> ping 192.168.250.60
>> # ping the BeagleBone gateway with an interface on the DO private network
>> ping -I 10.128.120.160 192.168.250.60
>>
>> But get no results in this direction or the reverse.
>>
>> I also have net.ipv4.ip_forward 1 on both machines.
>>
>> My configurations are below, and I hope someone might have a good idea
>> what direction I can look in to figure out what I've done wrong.
>>
>> # BeagleBone Conf
>> config setup
>>     strictcrlpolicy=no
>>     charondebug=1
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=%forever
>>     keyexchange=ikev2
>>     left=%any
>>     leftcert=beagleCert.der
>>     leftid=beagle@hostname.com
>>     lefthostaccess=yes
>>     leftfirewall=yes
>>
>> conn machinetun
>>     leftsourceip=%config
>>     leftsubnet=192.168.250.0/24
>>     right=hostname.com
>>     rightid=@hostname.com
>>     rightsubnet=10.128.0.0/16
>>     auto=start
>>
>> # DigitalOcean Conf
>> config setup
>>     strictcrlpolicy=no
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     keyexchange=ikev2
>>     left=%any
>>     leftcert=svCert.der
>>     leftid=@hostname.com
>>     lefthostaccess=yes
>>     leftfirewall=yes
>>
>> conn machinetun
>>     leftsubnet=10.128.0.0/16
>>     right=%any
>>     rightsubnet=192.168.250.0/24
>>     rightid=beagle@hostname.com
>>     rightsourceip=10.128.0.50
>>     auto=add
>>
>> Thank you,
>> Joe
>>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
--
Joe Ryan
aphyt - open source tools for industrial automation
jr at aphyt.com
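As an added illustration (not part of the thread, and not a diagnosis of Joe's hosts) of how a CHILD_SA can be up while pings never enter it: an outbound xfrm policy matches on both source and destination, so a locally generated packet whose source address falls outside the local traffic selector is routed in the clear even though the SA exists. The script models a plain main-table route lookup against the two `ip route show` outputs and the selectors posted above (10.128.0.0/16 === 192.168.250.0/24); it deliberately ignores the routes charon normally installs in table 220, which is what `ip route show table 220` and `ip xfrm policy` would reveal on the real machines.

```python
from ipaddress import ip_address, ip_network

# Constructed from the two "ip route show" outputs posted in this thread:
# (prefix, preferred source address) for each host's main routing table.
DO_ROUTES = [
    ("0.0.0.0/0", "162.243.9.250"),          # default via 162.243.9.1 dev eth0
    ("10.128.0.0/16", "10.128.120.160"),     # eth1, DigitalOcean private network
    ("162.243.9.0/24", "162.243.9.250"),     # eth0, public network
]
BEAGLE_ROUTES = [
    ("0.0.0.0/0", "192.168.250.60"),         # default via 192.168.250.50 dev eth0
    ("192.168.7.0/30", "192.168.7.2"),       # usb0
    ("192.168.250.0/24", "192.168.250.60"),  # eth0
]

# Traffic selectors negotiated for machinetun, as shown by ipsec statusall,
# seen from each side as (local selector, remote selector).
DO_TS = ("10.128.0.0/16", "192.168.250.0/24")
BEAGLE_TS = ("192.168.250.0/24", "10.128.0.0/16")


def pick_source(routes, dst, forced_src=None):
    """Longest-prefix lookup in the given table; returns the source address a
    locally generated packet to dst would carry (or the one forced via ping -I)."""
    if forced_src is not None:
        return ip_address(forced_src)
    d = ip_address(dst)
    _, src = max(((ip_network(p), s) for p, s in routes if d in ip_network(p)),
                 key=lambda r: r[0].prefixlen)
    return ip_address(src)


def matches_policy(ts, src, dst):
    """An outbound xfrm policy protects a packet only if its source lies in the
    local selector AND its destination lies in the remote selector."""
    local, remote = ts
    return ip_address(src) in ip_network(local) and ip_address(dst) in ip_network(remote)


def would_be_tunnelled(routes, ts, dst, forced_src=None):
    """Returns (source address used, True if the packet matches the policy)."""
    src = pick_source(routes, dst, forced_src)
    return str(src), matches_policy(ts, src, dst)


if __name__ == "__main__":
    print("DO, plain ping:  ", would_be_tunnelled(DO_ROUTES, DO_TS, "192.168.250.60"))
    print("DO, ping -I eth1:", would_be_tunnelled(DO_ROUTES, DO_TS, "192.168.250.60", "10.128.120.160"))
    print("BeagleBone -> DO:", would_be_tunnelled(BEAGLE_ROUTES, BEAGLE_TS, "10.128.120.160"))
```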