[strongSwan] Fritzbox <-> strongSwan / Missing ping replies

sascha at schmidt.ps sascha at schmidt.ps
Fri Jan 23 13:52:04 CET 2015


Ok that makes sense. But replies to pings don't reach the source, either. So it seems that something is wrong with "routing"?

I really don't have a clue what to debug to find out what's going wrong.

Greets
Sascha

Quote from Andreas Steffen <andreas.steffen at strongswan.org>:

> Hi Sascha,
>
> due to the Linux netfilter architecture tcpdump running on an IPsec
> endpoint shows you only the inbound decrypted plaintext but never the
> outbound plaintext IP packets. Does tcpdump show outbound encrypted
> ESP packets?
>
> Regards
>
> Andreas
>
> On 01/22/2015 12:30 PM, sascha at schmidt.ps wrote:
>>
>> Hi,
>>
>> I've built a connection between a FRITZ!Box and a strongSwan server. On
>> the virtual server where strongSwan is located I've added a virtual
>> interface and configured the ip 192.168.0.10/24 on it.
>>
>> Now I'm trying to ping each side of the vpn with no luck.
>>
>> On the server side (strongSwan) I can see the incoming icmp requests, but
>> cannot see an answer:
>>
>> tcpdump -i eth0 dst host 192.168.0.10 or src host 192.168.0.10
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 12:25:44.421577 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3537, length 64
>> 12:25:45.421483 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3538, length 64
>> 12:25:46.425221 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3539, length 64
>>
>> My ipsec.conf:
>>
>> conn fritzbox
>>         aggressive=no
>>         keyingtries=0
>>         type=tunnel
>>         left=<strongSwan public ip>
>>         leftsubnet=192.168.0.0/24
>>         leftfirewall=yes
>>         lefthostaccess=yes
>>         leftnexthop=%defaultroute
>>         #
>>         ike=aes256-sha-modp1024
>>         esp=aes256-sha1-modp1024
>>         #
>>         right=<hostname of fritzbox>
>>         rightid=@<hostname of fritzbox>
>>         rightsubnet=192.168.2.0/24
>>         #
>>         ikelifetime=4h
>>         keylife=1h
>>         #
>>         authby=secret
>>         auto=add
>>
>> Starting strongSwan gives me the following last line:
>> Jan 22 12:27:44 linux vpn: + <hostname of fritzbox> 192.168.2.0/24 == <fritzbox public ip> -- <strongSwan public ip> == 192.168.0.0/24
>>
>> "route" shows me:
>> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
>>
>> Any hints what I made wrong or where I have to tweak the settings?
>>
>> Greets
>> Sascha
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
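As a diagnostic aid for the question Andreas raises (do outbound ESP packets appear?), here is an added Python example, not part of the thread and not strongSwan code. It reads tcpdump text output and reports which ICMP echo requests have no plaintext reply in the capture and how many ESP packets entered and left the host, then turns that into a verdict: inbound ESP with zero outbound ESP means the kernel is not encrypting the replies (look at `ip xfrm policy`, `ip -s xfrm state` and the route/source address of the reply), whereas outbound ESP with no visible plaintext replies is the normal picture on a policy-based IPsec endpoint and points at the far end. The public addresses 198.51.100.7 (strongSwan) and 203.0.113.5 (FRITZ!Box), the SPIs and all capture lines are constructed for the example. One check worth making first: the filter in the original capture (`dst host 192.168.0.10 or src host 192.168.0.10`) matches only the inner addresses, so ESP, whose outer header carries the public addresses, can never appear in it; a capture such as `tcpdump -ni eth0 'esp or icmp'` is what this script expects as input.

```python
import re
from collections import Counter

# Two tcpdump line shapes matter on an IPsec endpoint: plaintext ICMP echo
# (only the inbound, already-decrypted direction is visible on the physical
# interface) and ESP (the encrypted packets, visible in both directions).
ECHO_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)
ESP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=0x[0-9a-fA-F]+\)"
)

# Constructed public addresses (RFC 5737 ranges), not the ones from the thread.
STRONGSWAN_PUBLIC_IP = "198.51.100.7"
FRITZBOX_PUBLIC_IP = "203.0.113.5"

# Constructed capture matching the symptom in the thread: ESP arrives, the
# decrypted echo requests are visible, but nothing is ever encrypted back.
CAPTURE_NO_REPLY = """\
12:25:44.421500 IP 203.0.113.5 > 198.51.100.7: ESP(spi=0x0a1b2c3d,seq=0x101), length 132
12:25:44.421577 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3537, length 64
12:25:45.421400 IP 203.0.113.5 > 198.51.100.7: ESP(spi=0x0a1b2c3d,seq=0x102), length 132
12:25:45.421483 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3538, length 64
12:25:46.425100 IP 203.0.113.5 > 198.51.100.7: ESP(spi=0x0a1b2c3d,seq=0x103), length 132
12:25:46.425221 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3539, length 64
""".splitlines()

# Constructed healthy capture: still no plaintext replies on eth0 (expected),
# but one outbound ESP packet per request, i.e. the reply was encrypted.
CAPTURE_WITH_OUTBOUND = CAPTURE_NO_REPLY + """\
12:25:44.421900 IP 198.51.100.7 > 203.0.113.5: ESP(spi=0xc0ffee01,seq=0x1), length 132
12:25:45.421800 IP 198.51.100.7 > 203.0.113.5: ESP(spi=0xc0ffee01,seq=0x2), length 132
12:25:46.425500 IP 198.51.100.7 > 203.0.113.5: ESP(spi=0xc0ffee01,seq=0x3), length 132
""".splitlines()


def unanswered_echo_requests(lines):
    """Return sorted (id, seq) pairs of echo requests with no plaintext echo reply."""
    requests, replies = set(), set()
    for line in lines:
        m = ECHO_RE.match(line)
        if not m:
            continue
        key = (int(m["id"]), int(m["seq"]))
        (requests if m["kind"] == "request" else replies).add(key)
    return sorted(requests - replies)


def esp_counts(lines, local_ip):
    """Count ESP packets per (direction, SPI) as seen from the host whose public address is local_ip."""
    counts = Counter()
    for line in lines:
        m = ESP_RE.match(line)
        if not m:
            continue
        direction = "out" if m["src"] == local_ip else "in"
        counts[(direction, m["spi"].lower())] += 1
    return dict(counts)


def diagnose(lines, local_ip):
    """Classify the capture; the strings are this example's own labels."""
    missing = unanswered_echo_requests(lines)
    esp = esp_counts(lines, local_ip)
    esp_in = sum(n for (d, _), n in esp.items() if d == "in")
    esp_out = sum(n for (d, _), n in esp.items() if d == "out")
    if not missing:
        return "no-unanswered-requests"
    if esp_in and not esp_out:
        # Decrypted requests came in, nothing went out encrypted: the reply
        # never matched an outbound xfrm policy (routing/source address/policy).
        return "no-outbound-esp"
    if esp_out:
        # Plaintext replies are never visible here; outbound ESP is the proof
        # that they were sent. Continue debugging on the other end.
        return "outbound-esp-present"
    return "no-esp"


if __name__ == "__main__":
    for name, cap in (("no-reply", CAPTURE_NO_REPLY), ("healthy", CAPTURE_WITH_OUTBOUND)):
        print(name, diagnose(cap, STRONGSWAN_PUBLIC_IP),
              "unanswered:", unanswered_echo_requests(cap),
              "esp:", esp_counts(cap, STRONGSWAN_PUBLIC_IP))
```

Feed it a real capture with `tcpdump -nl -i eth0 'esp or icmp' | python3 diag.py` style piping (read `sys.stdin` instead of the embedded sample) and compare the outbound ESP count with the packet counters in `ip -s xfrm state`; if both stay at zero while inbound ESP grows, the problem is on the local host before encryption, not on the FRITZ!Box.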
