[strongSwan] Fritzbox <-> strongSwan / Missing ping replies
sascha at schmidt.ps
sascha at schmidt.ps
Mon Jan 26 16:16:52 CET 2015
I've noticed, that "ping" works after the first "rekeying"...
Forcing a permanent rekeying with margintime=59 made it work
immediately. But this floods the log and seems not to be intended to
work this way.
Any hint what I made wrong?
Zitat von sascha at schmidt.ps:
> Ok that makes sense. But replies to pings don't reach the source,
> either. So it seems that something is wrong with "routing"?
> I really don't have a clue what to debug to find out what's going wrong.
> Zitat von Andreas Steffen <andreas.steffen at strongswan.org>:
>> Hi Sascha,
>> due to the Linux netfilter architecture tcpdump running on an IPsec
>> endpoint shows you only the inbound decrypted plaintext but never the
>> outbound plaintext IP packets. Does tcpdump show outbound encrypted
>> ESP packets?
>> On 01/22/2015 12:30 PM, sascha at schmidt.ps wrote:
>>> I've build a connection between a FRITZ!Box and a strongSwan server. On
>>> the virtual server where strongSwan is located I've added a virtual
>>> interface and configured the ip 192.168.0.10/24 on it.
>>> Now I'm trying to ping each side of the vpn with no luck.
>>> On the serverside (strongSwan) I can see the incoming icmp requests, but
>>> cannot see an answer:
>>> tcpdump -i eth0 dst host 192.168.0.10 or src host 192.168.0.10
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>>> 12:25:44.421577 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id
>>> 10277, seq 3537, length 64
>>> 12:25:45.421483 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id
>>> 10277, seq 3538, length 64
>>> 12:25:46.425221 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id
>>> 10277, seq 3539, length 64
>>> My ipsec.conf:
>>> conn fritzbox
>>> left=<strongSwan public ip>
>>> right=<hostname of fritzbox>
>>> rightid=@<hostname of fritzbox>
>>> Starting strongSwan gives me the following last line:
>>> Jan 22 12:27:44 linux vpn: + <hostname of fritzbox> 192.168.2.0/24 ==
>>> <fritzbox public ip> -- <strongSwan public ip> == 192.168.0.0/24
>>> "route" shows me:
>>> 192.168.0.0 * 255.255.255.0 U 0 0 0
>>> Any hints what I made wrong or where I have to tweak the settings?
>>> Users mailing list
>>> Users at lists.strongswan.org
>> Andreas Steffen andreas.steffen at strongswan.org
>> strongSwan - the Open Source VPN Solution! www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
> Users mailing list
> Users at lists.strongswan.org
More information about the Users