[strongSwan] IPSec Tunnel Up, But No Traffic
Vyronas Tsingaras
vtsingaras at it.auth.gr
Tue Jul 29 22:52:17 CEST 2014
I see no routes installed for the tunnel. Can you add them and post the outcome?
On 29 July 2014 23:48:17 EEST, Joe Ryan <jr at aphyt.com> wrote:
>On DigitalOcean
>
>default via 162.243.9.1 dev eth0 metric 100
>10.128.0.0/16 dev eth1 proto kernel scope link src 10.128.120.160
>162.243.9.0/24 dev eth0 proto kernel scope link src 162.243.9.250
>
>On BeagleBone
>
>default via 192.168.250.50 dev eth0
>192.168.7.0/30 dev usb0 proto kernel scope link src 192.168.7.2
>192.168.250.0/24 dev eth0 proto kernel scope link src 192.168.250.60
>
>Thank you,
>Joe
>
>
>On 2014-07-29 13:36, Vyronas Tsingaras wrote:
>> Please post the output of
>>
>> ip route show
>>
>> On 29 July 2014 23:24:33 EEST, Joe Ryan <jr at aphyt.com> wrote:
>>
>>> Hello Everyone,
>>>
>>> I have a DigitalOcean VPS running Ubuntu 12.04 that I want to connect to
>>> with a BeagleBone running Debian so that I can access all of the devices
>>> on the same subnet as the BeagleBone, and not have to worry about an IT
>>> department opening ports. I have tried this with both StrongSwan 4.5.2
>>> and 5.2.0 and have the same result, so I'm sure it's my configuration.
>>> After bringing up the connection everything negotiates as expected,
>>> and the final line of ipsec status all is machinetun{1}: 10.128.0.0/16
>>> === 192.168.250.0/24, where machinetun is the connection, 10.128.0.0/16
>>> is a private network on DigitalOcean and the 192.168.250.0/24 is a
>>> private network on my machine. My logs show the CHILD_SA being
>>> established and rekeyed as expected, with keep alive packets going out
>>> frequently, and nothing to suggest a problem.
>>>
>>> At this point I would hope that I would be able to ping the gateway on
>>> my machine, 192.168.250.60, from the DigitalOcean VPS private IP address
>>> using one of the following:
>>>
>>> #ping the BeagleBone gateway from DO
>>> ping 192.168.250.60
>>> #ping the BeagleBone gateway with an interface on the DO private network
>>> ping -I 10.128.120.160 192.168.250.60
>>>
>>> But get no results in this direction or the reverse.
>>>
>>> I also have net.ipv4.ip_forward 1 on both machines.
>>>
>>> My configurations are below, and I hope someone might have a good idea
>>> what direction I can look in to figure out what I've done wrong.
>>>
>>> # BeagleBone Conf
>>> config setup
>>>     strictcrlpolicy=no
>>>     charondebug=1
>>>
>>> conn %default
>>>     ikelifetime=60m
>>>     keylife=20m
>>>     rekeymargin=3m
>>>     keyingtries=%forever
>>>     keyexchange=ikev2
>>>     left=%any
>>>     leftcert=beagleCert.der
>>>     leftid=beagle at hostname.com
>>>     lefthostaccess=yes
>>>     leftfirewall=yes
>>>
>>> conn machinetun
>>>     leftsourceip=%config
>>>     leftsubnet=192.168.250.0/24
>>>     right=hostname.com
>>>     rightid=@hostname.com
>>>     rightsubnet=10.128.0.0/16
>>>     auto=start
>>>
>>> # DigitalOcean Conf
>>> config setup
>>>     strictcrlpolicy=no
>>>
>>> conn %default
>>>     ikelifetime=60m
>>>     keylife=20m
>>>     rekeymargin=3m
>>>     keyingtries=1
>>>     keyexchange=ikev2
>>>     left=%any
>>>     leftcert=svCert.der
>>>     leftid=@hostname.com
>>>     lefthostaccess=yes
>>>     leftfirewall=yes
>>>
>>> conn machinetun
>>>     leftsubnet=10.128.0.0/16
>>>     right=%any
>>>     rightsubnet=192.168.250.0/24
>>>     rightid=beagle at hostname.com
>>>     rightsourceip=10.128.0.50
>>>     auto=add
>>>
>>> Thank you,
>>> Joe
>>>
>>> -------------------------
>>>
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
>--
>Joe Ryan
>aphyt - open source tools for industrial automation
>jr at aphyt.com
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
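The check made in the reply at the top of this message (reading `ip route show` output for a route that covers the tunnel's remote subnet), written out as an added example that is not part of the original thread. The two route listings are the ones posted in the thread; the function names are made up for this example, and it inspects only the listing text it is given.

```python
import ipaddress

# Route listings exactly as posted in the thread (`ip route show` output).
DIGITALOCEAN_ROUTES = """\
default via 162.243.9.1 dev eth0 metric 100
10.128.0.0/16 dev eth1 proto kernel scope link src 10.128.120.160
162.243.9.0/24 dev eth0 proto kernel scope link src 162.243.9.250
"""
BEAGLEBONE_ROUTES = """\
default via 192.168.250.50 dev eth0
192.168.7.0/30 dev usb0 proto kernel scope link src 192.168.7.2
192.168.250.0/24 dev eth0 proto kernel scope link src 192.168.250.60
"""

def parse_routes(text):
    """Return (network, device) pairs from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # skip typed routes such as "unreachable ..." lines
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes

def best_route(routes, subnet):
    """Longest-prefix match among routes that cover the whole subnet."""
    target = ipaddress.ip_network(subnet)
    covering = [(n, d) for n, d in routes if target.subnet_of(n)]
    return max(covering, key=lambda r: r[0].prefixlen, default=None)

def has_specific_route(route_text, remote_subnet):
    """True if something more specific than the default route covers it."""
    match = best_route(parse_routes(route_text), remote_subnet)
    return match is not None and match[0].prefixlen > 0

if __name__ == "__main__":
    for host, text, remote in (("DigitalOcean", DIGITALOCEAN_ROUTES, "192.168.250.0/24"),
                               ("BeagleBone", BEAGLEBONE_ROUTES, "10.128.0.0/16")):
        net, dev = best_route(parse_routes(text), remote)
        print(f"{host}: {remote} -> {net} dev {dev}, "
              f"specific={has_specific_route(text, remote)}")
```

On both posted listings the remote subnet falls through to the default route. strongSwan's kernel-netlink plugin installs its own routes in routing table 220 by default, so the same functions can be given the output of `ip route show table 220` as well.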