[strongSwan] Fritzbox <-> strongSwan / Missing ping replies

sascha at schmidt.ps sascha at schmidt.ps
Mon Jan 26 16:16:52 CET 2015


Hi,

I've noticed that "ping" works after the first "rekeying"...
Forcing a permanent rekeying with margintime=59 made it work
immediately. But this floods the log and seems not to be intended to
work this way.

Any hint what I made wrong?

Thx
Sascha



Quoting sascha at schmidt.ps:

> Ok that makes sense. But replies to pings don't reach the source,
> either. So it seems that something is wrong with "routing"?
>
> I really don't have a clue what to debug to find out what's going wrong.
>
> Greets
> Sascha
>
> Quoting Andreas Steffen <andreas.steffen at strongswan.org>:
>
>> Hi Sascha,
>>
>> due to the Linux netfilter architecture tcpdump running on an IPsec
>> endpoint shows you only the inbound decrypted plaintext but never the
>> outbound plaintext IP packets. Does tcpdump show outbound encrypted
>> ESP packets?
>>
>> Regards
>>
>> Andreas
>>
>> On 01/22/2015 12:30 PM, sascha at schmidt.ps wrote:
>>>
>>> Hi,
>>>
>>> I've built a connection between a FRITZ!Box and a strongSwan server. On
>>> the virtual server where strongSwan is located I've added a virtual
>>> interface and configured the IP 192.168.0.10/24 on it.
>>>
>>> Now I'm trying to ping each side of the vpn with no luck.
>>>
>>> On the serverside (strongSwan) I can see the incoming icmp requests, but
>>> cannot see an answer:
>>>
>>> tcpdump -i eth0 dst host 192.168.0.10 or src host 192.168.0.10
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>>> 12:25:44.421577 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3537, length 64
>>> 12:25:45.421483 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3538, length 64
>>> 12:25:46.425221 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3539, length 64
>>>
>>> My ipsec.conf:
>>>
>>> conn fritzbox
>>>        aggressive=no
>>>        keyingtries=0
>>>        type=tunnel
>>>        left=<strongSwan public ip>
>>>        leftsubnet=192.168.0.0/24
>>>        leftfirewall=yes
>>>        lefthostaccess=yes
>>>        leftnexthop=%defaultroute
>>>        #
>>>        ike=aes256-sha-modp1024
>>>        esp=aes256-sha1-modp1024
>>>        #
>>>        right=<hostname of fritzbox>
>>>        rightid=@<hostname of fritzbox>
>>>        rightsubnet=192.168.2.0/24
>>>        #
>>>        ikelifetime=4h
>>>        keylife=1h
>>>        #
>>>        authby=secret
>>>        auto=add
>>>
>>> Starting strongSwan gives me the following last line:
>>> Jan 22 12:27:44 linux vpn: + <hostname of fritzbox> 192.168.2.0/24 == <fritzbox public ip> -- <strongSwan public ip> == 192.168.0.0/24
>>>
>>> "route" shows me:
>>> 192.168.0.0     *               255.255.255.0   U     0      0        0
>>> eth0
>>>
>>> Any hints what I made wrong or where I have to tweak the settings?
>>>
>>> Greets
>>> Sascha
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>
>> --
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Open Source VPN Solution!          www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>
>

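Andreas's point above (a Linux IPsec endpoint shows an inbound tunnelled packet twice on the outer interface, first as ESP and then as decrypted plaintext, but an outbound one only once, already as ESP) means the filter in the original capture can never show the echo replies, whatever the server does with them. The script below is an added example, not code from this thread or from the strongSwan project; it classifies `tcpdump -n` text output against the two gateway addresses and the tunnel-side host and reports whether outbound ESP to the peer is present, which is the check Andreas asks for. The public addresses and capture lines are constructed (RFC 5737 documentation ranges standing in for the real ones), the NAT-T `UDP-encap` line is included only to show that form is handled, and the function names are my own.

```python
"""Classify `tcpdump -n` text from a Linux IPsec endpoint.

Linux shows an inbound tunnelled packet twice on the outer interface (ESP,
then the decrypted plaintext) but an outbound one only once, already as ESP.
A plaintext filter such as `host 192.168.0.10` therefore never shows the
echo replies; the question to answer is whether outbound ESP to the peer
appears at all.
"""
import re
import sys
from collections import Counter

# "<timestamp> IP <src> > <dst>: <description>"  (tcpdump -n, IPv4)
LINE_RE = re.compile(r"^\S+\s+IP\s+(\S+) > (\S+): (.*)$")


def _strip_port(token):
    """Drop a trailing '.port' from a NAT-T line ('203.0.113.5.4500' -> '203.0.113.5')."""
    parts = token.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else token


def parse_line(line):
    """Return {'src', 'dst', 'proto'} or None for lines that are not IPv4 packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, rest = m.groups()
    if "ESP(" in rest:                 # plain ESP or "UDP-encap: ESP(...)"
        proto = "ESP"
    elif rest.startswith("ICMP echo request"):
        proto = "ICMP-REQ"
    elif rest.startswith("ICMP echo reply"):
        proto = "ICMP-REP"
    else:
        proto = "OTHER"
    return {"src": _strip_port(src), "dst": _strip_port(dst), "proto": proto}


def summarize(lines, local_pub, peer_pub, tunnel_host):
    """Count ESP between the gateways in each direction and plaintext ICMP for tunnel_host."""
    c = Counter()
    for p in filter(None, map(parse_line, lines)):
        if p["proto"] == "ESP":
            if p["src"] == peer_pub and p["dst"] == local_pub:
                c["esp_in"] += 1
            elif p["src"] == local_pub and p["dst"] == peer_pub:
                c["esp_out"] += 1
        elif p["proto"] == "ICMP-REQ" and p["dst"] == tunnel_host:
            c["req_in_plain"] += 1
        elif p["proto"] == "ICMP-REP" and p["src"] == tunnel_host:
            c["rep_out_plain"] += 1    # stays 0 on Linux: outbound plaintext is never seen here
    return c


def diagnose(c):
    """Turn the counters into the next thing to check."""
    if c["req_in_plain"] == 0 and c["esp_in"] > 0:
        return "inbound ESP but no decrypted requests: inbound SA/policy is not delivering traffic"
    if c["req_in_plain"] == 0:
        return "nothing arrived: peer is not sending ESP to this host"
    if c["esp_out"] > 0:
        return "outbound ESP present: replies are encrypted and sent; check the peer side or NAT"
    return ("no outbound ESP: the reply never matched the outbound xfrm policy; "
            "compare `ip xfrm policy` with the reply's source/destination")


# Constructed sample (not a real capture): RFC 5737 addresses stand in for the public IPs.
LOCAL_PUB, PEER_PUB, TUNNEL_HOST = "198.51.100.7", "203.0.113.5", "192.168.0.10"

CAPTURE_BROKEN = [   # the original poster's symptom: requests arrive, nothing goes out
    "12:25:44.421400 IP 203.0.113.5 > 198.51.100.7: ESP(spi=0x0a1b2c3d,seq=0xdd1), length 132",
    "12:25:44.421577 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3537, length 64",
    "12:25:45.421300 IP 203.0.113.5.4500 > 198.51.100.7.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0xdd2), length 140",
    "12:25:45.421483 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3538, length 64",
]
CAPTURE_WORKING = CAPTURE_BROKEN + [   # same, plus the outbound ESP a healthy tunnel shows
    "12:25:44.421700 IP 198.51.100.7 > 203.0.113.5: ESP(spi=0xc0ffee01,seq=0x2a), length 132",
    "12:25:45.421600 IP 198.51.100.7 > 203.0.113.5: ESP(spi=0xc0ffee01,seq=0x2b), length 132",
]

if __name__ == "__main__":
    # Live use: tcpdump -lni eth0 'esp or udp port 4500 or host 192.168.0.10' | python3 esp_check.py
    lines = sys.stdin if not sys.stdin.isatty() else CAPTURE_BROKEN
    counts = summarize(lines, LOCAL_PUB, PEER_PUB, TUNNEL_HOST)
    print(dict(counts))
    print(diagnose(counts))
```

Fed the constructed "broken" capture, the script reports two inbound ESP packets, two decrypted echo requests and no outbound ESP, i.e. the reply never reached the outbound policy; with the two added outbound ESP lines it reports that the replies are leaving encrypted, which moves the problem to the other side of the tunnel. Note that `rep_out_plain` is expected to stay at zero on a Linux endpoint even when everything works, which is exactly why the original `host 192.168.0.10` capture looked one-sided.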