[strongSwan] The magical strongswan issue :( CLOUD -> Home and back

florian.rommel at datalounges.com florian.rommel at datalounges.com
Wed Apr 29 18:17:33 CEST 2015

Hi all... I have a somewhat peculiar problem.

I have 2 ubuntu machines, one VM in the cloud (openstack) and one at home
(real machine)

I have strongswan configured and running.. the tunnel gets established and
shows all good to go as shown here:

Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-49-generic,
  uptime: 18 minutes, since Apr 29 18:46:30 2015
  malloc: sbrk 2568192, mmap 0, used 357408, free 2210784
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 4
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl
xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default
stroke updown eap-identity eap-mschapv2 addrblock
Listening IP addresses:
          DL:  X.X.X.243...Y.Y.Y.23  IKEv1
          DL:   local:  [X.X.X.243] uses pre-shared key authentication
          DL:   remote: [] uses pre-shared key authentication
          DL:   child: === TUNNEL
Routed Connections:
          DL{1}:  ROUTED, TUNNEL
          DL{1}: ===
Security Associations (1 up, 0 connecting):
          DL[2]: ESTABLISHED 4 minutes ago,
          DL[2]: IKEv1 SPIs: d72df1afe7128b38_i e7b692b6c6ecc9d6_r*,
pre-shared key reauthentication in 7 hours
          DL[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
          DL{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c29e6c6b_i c7ad645a_o
          DL{1}:  3DES_CBC/HMAC_MD5_96, 7286 bytes_i (9 pkts, 260s ago),
2696 bytes_o (9 pkts, 260s ago), rekeying in 50 minutes
          DL{1}: ===

Now, the interesting part is that on the gateway on the RIGHT side
(, I can ping ANY machine on the LEFT side ( with no
BUT from any machine on the LEFT SIDE  i cannot ping anything on the RIGHT
SIDE and form any OTHER machine on the RIGHT side, besides the gateway, I
cannot ping the LEFT side.   This seems VERY VERY confusing.. and looks to
be a multi part.. but.. I am stuck.

TCPDUMP on the LEFT side with destination on the right side:
 sudo tcpdump -v -i em1 -n dst net
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535
19:09:45.556977 IP (tos 0x0, ttl 63, id 10792, offset 0, flags [none],
proto ICMP (1), length 84)
    X.X.X.243 > ICMP echo request, id 13637, seq 0, length 64
19:09:46.535900 IP (tos 0x0, ttl 63, id 61548, offset 0, flags [none],
proto ICMP (1), length 84)
    X.X.X.243 > ICMP echo request, id 13637, seq 1, length 64
19:09:47.536998 IP (tos 0x0, ttl 63, id 11984, offset 0, flags [none],
proto ICMP (1), length 84)
    X.X.X.243 > ICMP echo request, id 13637, seq 2, length 64

On the right side nothing ever shows up.

There are IPTables rules on the LEFT side that NAT, since its also a
gateway but...should that matter? What else can I set and where?? Here is
the ipsec.conf file still from the LEFT side (same on the RIGHT just

config setup

conn %default

conn DL

Routing table on the LEFT side:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         noname.gateway         UG    0      0        0 em1        *        U     0      0        0 em2   UG    0      0        0 em2
X.X.X.0    *        U     0      0        0 em1

ANY help would greatly appreciated.. if its something to do with IPTABLES?
or routing??

Thanks already..

More information about the Users mailing list