[strongSwan] The magical strongswan issue :( CLOUD -> Home and back

florian.rommel at datalounges.com
Wed Apr 29 18:17:33 CEST 2015


Hi all... I have a somewhat peculiar problem.

I have 2 Ubuntu machines, one VM in the cloud (OpenStack) and one at home
(a real machine).

I have strongSwan configured and running. The tunnel gets established and
shows all good to go, as shown here:

Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-49-generic, x86_64):
  uptime: 18 minutes, since Apr 29 18:46:30 2015
  malloc: sbrk 2568192, mmap 0, used 357408, free 2210784
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2 addrblock
Listening IP addresses:
  X.X.X.243
  10.0.1.200
Connections:
          DL:  X.X.X.243...Y.Y.Y.23  IKEv1
          DL:   local:  [X.X.X.243] uses pre-shared key authentication
          DL:   remote: [10.1.0.15] uses pre-shared key authentication
          DL:   child:  10.0.1.0/24 === 10.1.0.0/24 TUNNEL
Routed Connections:
          DL{1}:  ROUTED, TUNNEL
          DL{1}:   10.0.1.0/24 === 10.1.0.0/24
Security Associations (1 up, 0 connecting):
          DL[2]: ESTABLISHED 4 minutes ago, X.X.X.243[X.X.X.243]...Y.Y.Y.23[10.1.0.15]
          DL[2]: IKEv1 SPIs: d72df1afe7128b38_i e7b692b6c6ecc9d6_r*, pre-shared key reauthentication in 7 hours
          DL[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
          DL{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c29e6c6b_i c7ad645a_o
          DL{1}:  3DES_CBC/HMAC_MD5_96, 7286 bytes_i (9 pkts, 260s ago), 2696 bytes_o (9 pkts, 260s ago), rekeying in 50 minutes
          DL{1}:   10.0.1.0/24 === 10.1.0.0/24

Now, the interesting part is that on the gateway on the RIGHT side
(10.1.0.15) I can ping ANY machine on the LEFT side (10.0.1.0/24) with no
problem.
BUT from any machine on the LEFT SIDE I cannot ping anything on the RIGHT
SIDE, and from any OTHER machine on the RIGHT side, besides the gateway, I
cannot ping the LEFT side. This seems VERY VERY confusing, and looks to
be multi-part, but I am stuck.

TCPDUMP on the LEFT side with destination 10.1.0.18 on the right side:
 sudo tcpdump -v -i em1 -n dst net 10.1.0.0/24
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
19:09:45.556977 IP (tos 0x0, ttl 63, id 10792, offset 0, flags [none], proto ICMP (1), length 84)
    X.X.X.243 > 10.1.0.18: ICMP echo request, id 13637, seq 0, length 64
19:09:46.535900 IP (tos 0x0, ttl 63, id 61548, offset 0, flags [none], proto ICMP (1), length 84)
    X.X.X.243 > 10.1.0.18: ICMP echo request, id 13637, seq 1, length 64
19:09:47.536998 IP (tos 0x0, ttl 63, id 11984, offset 0, flags [none], proto ICMP (1), length 84)
    X.X.X.243 > 10.1.0.18: ICMP echo request, id 13637, seq 2, length 64

On the right side nothing ever shows up.

There are iptables rules on the LEFT side that NAT, since it's also a
gateway, but... should that matter? What else can I set, and where? Here is
the ipsec.conf file, again from the LEFT side (the same on the RIGHT, just
reversed):

config setup

conn %default
    ikelifetime=8h
    keylife=1h
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev1
    authby=psk
    ike=3des-sha1-modp1024
    esp=3des-md5-modp1536

conn DL
    auto=route
    left=X.X.X.243
    leftsubnet=10.0.1.0/24
    leftid=X.X.X.243
    leftfirewall=yes
    right=Y.Y.Y.23
    rightsubnet=10.1.0.0/24
    rightid=10.1.0.15
    keyexchange=ikev1
    ike=3des-sha1-modp1024
    esp=3des-md5-modp1536

Routing table on the LEFT side:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         noname.gateway 0.0.0.0         UG    0      0        0 em1
10.0.1.0        *               255.255.255.0   U     0      0        0 em2
10.1.0.0        10.0.1.200      255.255.255.0   UG    0      0        0 em2
X.X.X.0    *               255.255.248.0   U     0      0        0 em1

ANY help would be greatly appreciated. Is it something to do with iptables?
Or routing?

Thanks already..
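Added example, not from the post above or from the strongSwan project. The capture in the post shows the echo requests leaving em1 with the public address (X.X.X.243) as source, not an address inside leftsubnet 10.0.1.0/24, and a packet whose source is outside the child SA's selectors is never matched by the xfrm policy, so it is sent out in the clear rather than being encrypted or dropped. The script below takes a conn's selectors from an ipsec.conf fragment and a few constructed tcpdump lines and classifies each packet as TUNNEL (matches the selectors), CLEAR (destined for the remote subnet but with a source outside leftsubnet) or OTHER. The addresses 203.0.113.243 and 198.51.100.23 are documentation-range stand-ins for X.X.X.243 and Y.Y.Y.23; the tcpdump lines and the LAN host 10.0.1.7 are constructed. The `gateway_ping_source` and `nat_exemption_rules` helpers are my own names, not strongSwan API.

```python
"""Check which packets actually fall inside a site-to-site IPsec policy.

Added example (not from the strongSwan project). Packets that miss the
child SA's traffic selectors are not encrypted; on a gateway that is also
a NAT router they simply leave the outer interface in plain text.
"""
import ipaddress
import re

# Constructed ipsec.conf fragment with the same selectors as conn DL.
IPSEC_CONF = """\
conn DL
    auto=route
    left=203.0.113.243
    leftsubnet=10.0.1.0/24
    right=198.51.100.23
    rightsubnet=10.1.0.0/24
"""

# Constructed tcpdump lines. The first packet mirrors the post: the ping
# was sent from the gateway itself, so the kernel chose the outer
# interface address as source. The next two come from addresses inside
# leftsubnet; the last one is ordinary Internet traffic.
TCPDUMP_LINES = [
    "19:09:45.556977 IP (tos 0x0, ttl 63, id 10792, offset 0, flags [none], proto ICMP (1), length 84)",
    "    203.0.113.243 > 10.1.0.18: ICMP echo request, id 13637, seq 0, length 64",
    "19:09:46.535900 IP (tos 0x0, ttl 63, id 61548, offset 0, flags [none], proto ICMP (1), length 84)",
    "    10.0.1.200 > 10.1.0.18: ICMP echo request, id 13637, seq 1, length 64",
    "    10.0.1.7 > 10.1.0.18: ICMP echo request, id 13638, seq 0, length 64",
    "    10.0.1.7 > 8.8.8.8: ICMP echo request, id 13639, seq 0, length 64",
]

# "src[.port] > dst[.port]:" as printed by tcpdump -n; header lines start
# with a timestamp and therefore never match.
PKT_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\S* > (\d+\.\d+\.\d+\.\d+)\S*:")


def parse_selectors(conf):
    """Return (leftsubnet, rightsubnet) networks of the first conn in conf."""
    nets = {}
    for key in ("leftsubnet", "rightsubnet"):
        m = re.search(rf"^\s*{key}=(\S+)", conf, re.MULTILINE)
        if not m:
            raise ValueError(f"{key} not found in ipsec.conf fragment")
        nets[key] = ipaddress.ip_network(m.group(1), strict=False)
    return nets["leftsubnet"], nets["rightsubnet"]


def classify(src, dst, left_net, right_net):
    """Decide whether the xfrm policy built from the selectors matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d not in right_net:
        return "OTHER"    # not for the remote site, policy irrelevant
    if s in left_net:
        return "TUNNEL"   # matches leftsubnet === rightsubnet -> ESP
    return "CLEAR"        # wrong source address: leaves unencrypted


def audit(lines, left_net, right_net):
    """Classify every packet line of a tcpdump capture."""
    verdicts = []
    for line in lines:
        m = PKT_RE.match(line)
        if not m:
            continue
        src, dst = m.groups()
        verdicts.append((src, dst, classify(src, dst, left_net, right_net)))
    return verdicts


def gateway_ping_source(left_net, local_addrs):
    """Pick the local address inside leftsubnet to use with `ping -I`."""
    for addr in local_addrs:
        if ipaddress.ip_address(addr) in left_net:
            return addr
    return None


def nat_exemption_rules(left_net, right_net):
    """iptables rules to insert ahead of a MASQUERADE rule in nat/POSTROUTING.

    NAT in POSTROUTING is applied to the inner packet before ESP
    encapsulation, so without an exemption the tunnel traffic would be
    rewritten to the public address and miss the selectors too.
    """
    return [
        f"iptables -t nat -I POSTROUTING 1 -s {left_net} -d {right_net} -j ACCEPT",
        "iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT",
    ]


def main():
    left, right = parse_selectors(IPSEC_CONF)
    for src, dst, verdict in audit(TCPDUMP_LINES, left, right):
        print(f"{verdict:6} {src} > {dst}")
    print("ping -I", gateway_ping_source(left, ["203.0.113.243", "10.0.1.200"]))
    print("\n".join(nat_exemption_rules(left, right)))


if __name__ == "__main__":
    main()
```

Running it prints CLEAR for the gateway-sourced ping and TUNNEL for the LAN-sourced ones; the practical check on the gateway is `ip xfrm policy` next to the capture, and the practical fix for gateway-originated traffic is to source it from the inside address (or set leftsourceip) rather than relying on the kernel's default source selection.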


