[strongSwan] IPSec Tunnel Up, But No Traffic

Joe Ryan jr at aphyt.com
Tue Jul 29 23:34:35 CEST 2014


Thank you, Noel. I checked, and I have no rules in iptables -t nat -L -n. 
I was planning on adding those once I got tunnel communication.

I also ran

sudo iptables -A INPUT -p esp -j ACCEPT
sudo iptables -A OUTPUT -p esp -j ACCEPT

on both machines, but still have the same results: no response, with the 
output counter increment happening.

On 2014-07-29 13:56, Noel Kuntze wrote:
> Hello Joe,
> 
> Are there any rules in *nat POSTROUTING? If so, please check those, as
> they can stop encrypted traffic from being sent to the correct
> destination.
> Furthermore, check if you permit esp packets.
> 
> Regards,
> Noel Kuntze
> 
> GPG Key id: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> Am 29.07.2014 um 22:46 schrieb Joe Ryan:
>> Thank you for the response, Noel. The bytes_o goes up when I ping from 
>> either of the hosts, but the bytes_i remains at zero for both. Both 
>> machines have an iptables firewall, and when I do iptables -L -n I see 
>> that StrongSwan has inserted several rules (as shown below) matching 
>> ipsec traffic. From your response it seems I should open additional 
>> protocols, sources and destinations, but I'm not sure what I should 
>> open to get traffic, but stay secure. Any suggestions would be great.
>> 
>> Thank you,
>> Joe
>> 
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> ACCEPT     all  --  10.128.0.0/16        192.168.250.0/24     policy match dir in pol ipsec reqid 1 proto 50
>> 
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> ACCEPT     all  --  10.128.0.0/16        192.168.250.0/24     policy match dir in pol ipsec reqid 1 proto 50
>> ACCEPT     all  --  192.168.250.0/24     10.128.0.0/16        policy match dir out pol ipsec reqid 1 proto 50
>> 
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> ACCEPT     all  --  192.168.250.0/24     10.128.0.0/16        policy match dir out pol ipsec reqid 1 proto 50
>> 
>> On 2014-07-29 13:27, Noel Kuntze wrote:
>> Hello Joe,
>> 
>> Is there a firewall active on either of the hosts? Do the traffic
>> counters, which are shown in the output of "ipsec statusall",
>> increment?
>> 
>> Regards,
>> Noel Kuntze
>> 
>> GPG Key id: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> Am 29.07.2014 um 22:24 schrieb Joe Ryan:
>> >>> Hello Everyone,
>> >>>
>> >>> I have a DigitalOcean VPS running Ubuntu 12.04 that I want to connect to with a BeagleBone running Debian so that I can access all of the devices on the same subnet as the BeagleBone, and not have to worry about an IT department opening ports. I have tried this with both StrongSwan 4.5.2 and 5.2.0 and have the same result, so I'm sure it's my configuration. After bringing up the connection everything negotiates as expected, and the final line of ipsec statusall is machinetun{1}:   10.128.0.0/16 === 192.168.250.0/24, where machinetun is the connection, 10.128.0.0/16 is a private network on DigitalOcean and 192.168.250.0/24 is a private network on my machine. My logs show the CHILD_SA being established and rekeyed as expected, with keep-alive packets going out frequently, and nothing to suggest a problem.
>> >>>
>> >>> At this point I would hope that I would be able to ping the gateway on my machine, 192.168.250.60 from the DigitalOcean VPS private IP address using one of the following:
>> >>>
>> >>> #ping the BeagleBone gateway from DO
>> >>> ping 192.168.250.60
>> >>> #ping the BeagleBone gateway with an interface on the DO private network
>> >>> ping -I 10.128.120.160 192.168.250.60
>> >>>
>> >>> But get no results in this direction or the reverse.
>> >>>
>> >>> I also have net.ipv4.ip_forward=1 on both machines.
>> >>>
>> >>> My configurations are below, and I hope someone might have a good idea what direction I can look in to figure out what I've done wrong.
>> >>>
>> >>> # BeagleBone Conf
>> >>> config setup
>> >>>         strictcrlpolicy=no
>> >>>         charondebug=1
>> >>> conn %default
>> >>>         ikelifetime=60m
>> >>>         keylife=20m
>> >>>         rekeymargin=3m
>> >>>         keyingtries=%forever
>> >>>         keyexchange=ikev2
>> >>>         left=%any
>> >>>         leftcert=beagleCert.der
>> >>>         leftid=beagle@hostname.com
>> >>>         lefthostaccess=yes
>> >>>         leftfirewall=yes
>> >>>
>> >>> conn machinetun
>> >>>         leftsourceip=%config
>> >>>         leftsubnet=192.168.250.0/24
>> >>>         right=hostname.com
>> >>>         rightid=@hostname.com
>> >>>         rightsubnet=10.128.0.0/16
>> >>>         auto=start
>> >>>
>> >>> # DigitalOcean Conf
>> >>> config setup
>> >>>         strictcrlpolicy=no
>> >>> conn %default
>> >>>         ikelifetime=60m
>> >>>         keylife=20m
>> >>>         rekeymargin=3m
>> >>>         keyingtries=1
>> >>>         keyexchange=ikev2
>> >>>         left=%any
>> >>>         leftcert=svCert.der
>> >>>         leftid=@hostname.com
>> >>>         lefthostaccess=yes
>> >>>         leftfirewall=yes
>> >>>
>> >>> conn machinetun
>> >>>         leftsubnet=10.128.0.0/16
>> >>>         right=%any
>> >>>         rightsubnet=192.168.250.0/24
>> >>>         rightid=beagle@hostname.com
>> >>>         rightsourceip=10.128.0.50
>> >>>         auto=add
>> >>>
>> >>> Thank you,
>> >>> Joe
>> >>> _______________________________________________
>> >>> Users mailing list
>> >>> Users at lists.strongswan.org
>> >>> https://lists.strongswan.org/mailman/listinfo/users

-- 
Joe Ryan
aphyt - open source tools for industrial automation
jr at aphyt.com
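Reading the counters Noel asks about (bytes_i and bytes_o in `ipsec statusall`) mechanically, as an added example that is not from the thread or from strongSwan: it parses the CHILD_SA lines of a constructed statusall sample and labels which direction carries traffic, so the pattern Joe reports (bytes_o rising, bytes_i at zero on both ends) comes out as "outbound-only". The sample text and the function names are assumptions of this example.

```python
import re

# Constructed sample in the shape of strongSwan's "ipsec statusall" CHILD_SA
# lines (SPIs and byte counts are made up); it mirrors the thread's symptom:
# bytes_o climbing while bytes_i stays at zero.
SAMPLE_STATUSALL = """\
Security Associations (1 up, 0 connecting):
  machinetun{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a8fa01_i c0a8fa02_o
  machinetun{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 3864 bytes_o (46 pkts, 5s ago), rekeying in 13 minutes
  machinetun{1}:   10.128.0.0/16 === 192.168.250.0/24
"""

# "<n> bytes_i, <n> bytes_o", each optionally followed by "(<p> pkts, <t> ago)"
COUNTER_RE = re.compile(
    r"^\s*(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:.*?"
    r"(?P<bi>\d+) bytes_i(?: \((?P<pi>\d+) pkts[^)]*\))?, "
    r"(?P<bo>\d+) bytes_o(?: \((?P<po>\d+) pkts[^)]*\))?")
# "<local TS> === <remote TS>" line of the same CHILD_SA
TS_RE = re.compile(
    r"^\s*(?P<conn>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>\S+)\s*$")


def parse_child_sas(text):
    """Map 'conn{id}' to its byte/packet counters and traffic selectors."""
    sas = {}
    for line in text.splitlines():
        if m := COUNTER_RE.match(line):
            sas.setdefault(f"{m['conn']}{{{m['id']}}}", {}).update(
                bytes_i=int(m["bi"]), bytes_o=int(m["bo"]),
                pkts_i=int(m["pi"] or 0), pkts_o=int(m["po"] or 0))
        elif m := TS_RE.match(line):
            sas.setdefault(f"{m['conn']}{{{m['id']}}}", {}).update(
                local_ts=m["local"], remote_ts=m["remote"])
    return sas


def diagnose(sa):
    """Name the failure pattern a CHILD_SA's counters show."""
    if sa.get("bytes_i", 0) == 0 and sa.get("bytes_o", 0) == 0:
        # nothing ever matched the IPsec policy: routing/traffic-selector problem
        return "no-traffic"
    if sa.get("bytes_i", 0) == 0:
        # we encrypt and send, nothing comes back decrypted: the thread's case;
        # check inbound ESP (proto 50) / UDP 500+4500 and *nat POSTROUTING
        return "outbound-only"
    if sa.get("bytes_o", 0) == 0:
        return "inbound-only"
    return "bidirectional"
```

Run it against the real output of `ipsec statusall` on each peer; a tunnel that is "outbound-only" on both ends means each side encrypts but neither ever receives the other's ESP.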
