[strongSwan] Fritzbox <-> strongSwan / Missing ping replies

Andreas Steffen andreas.steffen at strongswan.org
Thu Jan 22 23:23:38 CET 2015


Hi Sascha,

Due to the Linux netfilter architecture, tcpdump running on an IPsec
endpoint shows you only the inbound decrypted plaintext but never the
outbound plaintext IP packets. Does tcpdump show outbound encrypted
ESP packets?

Regards

Andreas

On 01/22/2015 12:30 PM, sascha at schmidt.ps wrote:
> 
> Hi,
> 
> I've built a connection between a FRITZ!Box and a strongSwan server. On
> the virtual server where strongSwan is located I've added a virtual
> interface and configured the IP 192.168.0.10/24 on it.
> 
> Now I'm trying to ping each side of the VPN with no luck.
> 
> On the server side (strongSwan) I can see the incoming ICMP requests, but
> cannot see an answer:
> 
> tcpdump -i eth0 dst host 192.168.0.10 or src host 192.168.0.10
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 12:25:44.421577 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3537, length 64
> 12:25:45.421483 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3538, length 64
> 12:25:46.425221 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3539, length 64
> 
> My ipsec.conf:
> 
> conn fritzbox
>         aggressive=no
>         keyingtries=0
>         type=tunnel
>         left=<strongSwan public ip>
>         leftsubnet=192.168.0.0/24
>         leftfirewall=yes
>         lefthostaccess=yes
>         leftnexthop=%defaultroute
>         #
>         ike=aes256-sha-modp1024
>         esp=aes256-sha1-modp1024
>         #
>         right=<hostname of fritzbox>
>         rightid=@<hostname of fritzbox>
>         rightsubnet=192.168.2.0/24
>         leftnexthop=%defaultroute
>         #
>         ikelifetime=4h
>         keylife=1h
>         #
>         authby=secret
>         auto=add
> 
> Starting strongSwan gives me the following last line:
> Jan 22 12:27:44 linux vpn: + <hostname of fritzbox> 192.168.2.0/24 == <fritzbox public ip> -- <strongSwan public ip> == 192.168.0.0/24
> 
> "route" shows me:
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
> 
> Any hints on what I did wrong or where I have to tweak the settings?
> 
> Greets
> Sascha

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
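The check Andreas asks for, written out as an added triage script (not part of the thread or of strongSwan): given a tcpdump capture taken on the gateway that also includes the outer ESP traffic (e.g. `tcpdump -ni eth0 'host 192.168.0.10 or esp'`), it counts the decrypted echo requests and the outbound ESP packets and prints a verdict, since the plaintext reply itself will never show up on Linux. The public addresses 203.0.113.10 and 198.51.100.20 are placeholders for the thread's `<strongSwan public ip>` and `<fritzbox public ip>`, and the two capture samples are constructed.

```shell
#!/bin/sh
# Added example: triage a tcpdump capture from the strongSwan gateway.
# Outbound plaintext replies are never visible to tcpdump on Linux, so the
# useful signal is whether outbound ESP packets to the peer appear at all.

LOCAL_IP=192.168.0.10      # tunnel-side address of the strongSwan host (from the thread)
GW_PUBLIC=203.0.113.10     # placeholder for <strongSwan public ip>
PEER_PUBLIC=198.51.100.20  # placeholder for <fritzbox public ip>

# Count capture lines matching a pattern. grep -c exits 1 on zero matches,
# so swallow that and still print the count.
count() { printf '%s\n' "$1" | grep -c -e "$2" || true; }

# Print one of three verdicts for a capture passed as a single string.
diagnose() {
  cap="$1"
  reqs=$(count "$cap" "> $LOCAL_IP: ICMP echo request")
  esp_out=$(count "$cap" "IP $GW_PUBLIC > $PEER_PUBLIC: ESP(")
  if [ "$reqs" -eq 0 ]; then
    echo "NO_INBOUND: no decrypted echo requests seen; inbound SA or policy problem"
  elif [ "$esp_out" -gt 0 ]; then
    echo "ESP_OUT_OK: replies leave encrypted ($esp_out ESP packets); inspect the FRITZ!Box side"
  else
    echo "NO_ESP_OUT: requests decrypted but nothing encrypted back; check 'ip xfrm policy' and the reply route"
  fi
}

# Constructed sample: requests are decrypted and replies go out as ESP.
SAMPLE_OK='12:25:44.421577 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3537, length 64
12:25:44.421700 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc9a3b2f1,seq=0xdd), length 116
12:25:45.421483 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3538, length 64
12:25:45.421600 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc9a3b2f1,seq=0xde), length 116'

# Constructed sample matching the thread: requests arrive, nothing goes back.
SAMPLE_BAD='12:25:44.421577 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3537, length 64
12:25:45.421483 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3538, length 64'

diagnose "$SAMPLE_OK"
diagnose "$SAMPLE_BAD"
```

If the verdict is NO_ESP_OUT, `ip -s xfrm state` on the gateway shows whether the outbound SA's packet counters move at all, which separates a missing policy match from a reply that is routed past the tunnel.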
