[strongSwan] IPSec Tunnel Up, But No Traffic

Noel Kuntze noel at familie-kuntze.de
Tue Jul 29 22:54:45 CEST 2014



Hello Vyronas, Joe,

IPsec on Linux is implemented using XFRM states and policies. Those can be seen in "ip xfrm state" and "ip xfrm policy".
Those basically override the routing table. Hence, the routing table isn't the problem.
Also, judging from the incrementing counters, traffic goes through the tunnel, but the remote side doesn't respond.
Here [1] is a graphic of the packet flow in netfilter (the firewall implementation of Linux).

[1] http://inai.de/images/nf-packet-flow.png

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
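To make the point about XFRM policies concrete, here is an added example (not from the thread, and not strongSwan's own code) that parses "ip xfrm policy" output and decides whether a given source/destination pair would be steered into the tunnel or left to the plain routing table. The policy lines are constructed sample output modelled on Joe's selectors (10.128.0.0/16 === 192.168.250.0/24); the tunnel endpoint 203.0.113.7 standing in for the BeagleBone's public address is an assumption. The route table is taken from the "ip route show" output Joe posted for the DigitalOcean host, and the source-address selection is a simplified model of the kernel's preferred-source lookup (route "src" hint, else the primary address of the egress interface). Run against that data it goes slightly beyond the thread: a ping without "-I" gets the eth0 address 162.243.9.250 as source, which lies outside the selector, while the "-I 10.128.120.160" variant lies inside it.

```python
"""Check which flows an installed IPsec (XFRM) policy actually covers.

Added example, not code from the strongSwan mailing-list thread. Policy output
below is constructed; routes are the ones posted for the DigitalOcean host.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the format printed by `ip xfrm policy show` once
# machinetun{1} is up on the DigitalOcean side. 203.0.113.7 is an assumed
# public address for the BeagleBone's NAT gateway (documentation range).
SAMPLE_XFRM_POLICY = """\
src 10.128.0.0/16 dst 192.168.250.0/24
\tdir out priority 375423 ptype main
\ttmpl src 162.243.9.250 dst 203.0.113.7
\t\tproto esp reqid 1 mode tunnel
src 192.168.250.0/24 dst 10.128.0.0/16
\tdir fwd priority 375423 ptype main
\ttmpl src 203.0.113.7 dst 162.243.9.250
\t\tproto esp reqid 1 mode tunnel
src 192.168.250.0/24 dst 10.128.0.0/16
\tdir in priority 375423 ptype main
\ttmpl src 203.0.113.7 dst 162.243.9.250
\t\tproto esp reqid 1 mode tunnel
"""

# `ip route show` on the DigitalOcean host, as posted in the thread.
SAMPLE_ROUTES = """\
default via 162.243.9.1 dev eth0  metric 100
10.128.0.0/16 dev eth1  proto kernel  scope link  src 10.128.120.160
162.243.9.0/24 dev eth0  proto kernel  scope link  src 162.243.9.250
"""


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str  # "in", "out" or "fwd"


_HEADER = re.compile(r"^src (\S+) dst (\S+)$")
_DIR = re.compile(r"^\s+dir (in|out|fwd)\b")


def parse_xfrm_policy(text):
    """Collect (selector, direction) pairs; template lines are ignored."""
    policies, src, dst = [], None, None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            src = ipaddress.ip_network(m.group(1))
            dst = ipaddress.ip_network(m.group(2))
            continue
        m = _DIR.match(line)
        if m and src is not None:
            policies.append(Policy(src, dst, m.group(1)))
    return policies


def matching_policy(policies, src_ip, dst_ip, direction="out"):
    """The policy covering this flow, or None (packet follows the routing table)."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.direction == direction and src_ip in p.src and dst_ip in p.dst:
            return p
    return None


def parse_routes(text):
    """Return (prefix, device, preferred-src-or-None) tuples from `ip route show`."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = ipaddress.ip_network("0.0.0.0/0" if fields[0] == "default" else fields[0])
        dev = fields[fields.index("dev") + 1]
        src = fields[fields.index("src") + 1] if "src" in fields else None
        routes.append((prefix, dev, src))
    return routes


def preferred_source(routes, dst_ip):
    """Simplified kernel source selection: longest match, its src hint, else
    the primary address of the egress interface."""
    dst_ip = ipaddress.ip_address(dst_ip)
    prefix, dev, src = max((r for r in routes if dst_ip in r[0]), key=lambda r: r[0].prefixlen)
    if src is None:
        src = next(s for p, d, s in routes if d == dev and s is not None)
    return src


def classify_ping(policies, routes, dst_ip, src_ip=None):
    """Where a ping to dst_ip ends up: ("tunnel" | "plaintext", source address)."""
    src_ip = src_ip or preferred_source(routes, dst_ip)
    hit = matching_policy(policies, src_ip, dst_ip)
    return ("tunnel" if hit else "plaintext", src_ip)


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    rts = parse_routes(SAMPLE_ROUTES)
    print("ping 192.168.250.60               ->", classify_ping(pols, rts, "192.168.250.60"))
    print("ping -I 10.128.120.160 192.168.250.60 ->",
          classify_ping(pols, rts, "192.168.250.60", "10.128.120.160"))
```

On a live host, feed the real `ip xfrm policy show` and `ip route show` output into the two parsers instead of the constructed strings; a "plaintext" verdict for an address you expected to be protected means the selector, not the route, needs attention.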
On 29.07.2014 at 22:52, Vyronas Tsingaras wrote:
> I see no routes installed for the tunnel. Can you add them and post the outcome?
>
> On 29 July 2014 23:48:17 EEST, Joe Ryan <jr at aphyt.com> wrote:
>
>     On DigitalOcean
>
>     default via 162.243.9.1 dev eth0  metric 100
>     10.128.0.0/16 dev eth1  proto kernel  scope link  src 10.128.120.160
>     162.243.9.0/24 dev eth0  proto kernel  scope link  src 162.243.9.250
>
>     On BeagleBone
>
>     default via 192.168.250.50 dev eth0
>     192.168.7.0/30 dev usb0  proto kernel  scope link  src 192.168.7.2
>     192.168.250.0/24 dev eth0  proto kernel  scope link  src 192.168.250.60
>
>     Thank you,
>     Joe
>
>
>     On 2014-07-29 13:36, Vyronas Tsingaras wrote:
>
>         Please post the output of
>
>         ip route show
>
>         On 29 July 2014 23:24:33 EEST, Joe Ryan <jr at aphyt.com> wrote:
>
>             Hello Everyone,
>
>             I have a DigitalOcean VPS running Ubuntu 12.04 that I want to connect to
>             with a BeagleBone running Debian so that I can access all of the devices
>             on the same subnet as the BeagleBone, and not have to worry about an IT
>             department opening ports. I have tried this with both StrongSwan 4.5.2
>             and 5.2.0 and have the same result, so I'm sure it's my configuration.
>             After bringing up the connection everything negotiates as expected, and
>             the final line of "ipsec status all" is
>
>             machinetun{1}: 10.128.0.0/16 === 192.168.250.0/24
>
>             where machinetun is the connection, 10.128.0.0/16 is a private network
>             on DigitalOcean and 192.168.250.0/24 is a private network on my machine.
>             My logs show the CHILD_SA being established and rekeyed as expected, with
>             keep alive packets going out frequently, and nothing to suggest a problem.
>
>             At this point I would hope that I would be able to ping the gateway on
>             my machine, 192.168.250.60, from the DigitalOcean VPS private IP address
>             using one of the following:
>
>             # ping the BeagleBone gateway from DO
>             ping 192.168.250.60
>             # ping the BeagleBone gateway with an interface on the DO private network
>             ping -I 10.128.120.160 192.168.250.60
>
>             But I get no results in this direction or the reverse.
>
>             I also have net.ipv4.ip_forward = 1 on both machines.
>
>             My configurations are below, and I hope someone might have a good idea
>             what direction I can look in to figure out what I've done wrong.
>
>             # BeagleBone Conf (ipsec.conf; parameters of a section are indented)
>             config setup
>                 strictcrlpolicy=no
>                 charondebug=1
>
>             conn %default
>                 ikelifetime=60m
>                 keylife=20m
>                 rekeymargin=3m
>                 keyingtries=%forever
>                 keyexchange=ikev2
>                 left=%any
>                 leftcert=beagleCert.der
>                 leftid=beagle at hostname.com
>                 lefthostaccess=yes
>                 leftfirewall=yes
>
>             conn machinetun
>                 # request a virtual IP from the peer
>                 leftsourceip=%config
>                 leftsubnet=192.168.250.0/24
>                 right=hostname.com
>                 rightid=@hostname.com
>                 rightsubnet=10.128.0.0/16
>                 auto=start
>
>             # DigitalOcean Conf
>             config setup
>                 strictcrlpolicy=no
>
>             conn %default
>                 ikelifetime=60m
>                 keylife=20m
>                 rekeymargin=3m
>                 keyingtries=1
>                 keyexchange=ikev2
>                 left=%any
>                 leftcert=svCert.der
>                 leftid=@hostname.com
>                 lefthostaccess=yes
>                 leftfirewall=yes
>
>             conn machinetun
>                 leftsubnet=10.128.0.0/16
>                 right=%any
>                 rightsubnet=192.168.250.0/24
>                 rightid=beagle at hostname.com
>                 # virtual IP handed out to the BeagleBone
>                 rightsourceip=10.128.0.50
>                 auto=add
>
>             Thank you,
>             Joe
>
>             -------------------------
>
>             Users mailing list
>             Users at lists.strongswan.org
>             https://lists.strongswan.org/mailman/listinfo/users
>
>
>         --
>         Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
>

