[strongSwan] net-net sample can not work on ubuntu14.04

zhuyj mounter625 at 163.com
Mon May 4 10:43:20 CEST 2015


Hi, all

On moon, I ran "ping 10.2.0.1":

root@strongswan1:~# ping 10.2.0.1 -c 3
PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.310 ms
64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=0.256 ms
64 bytes from 10.2.0.1: icmp_seq=3 ttl=64 time=0.310 ms

--- 10.2.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.256/0.292/0.310/0.025 ms

On sun, I ran "tcpdump -ni any esp":

root@strongswan2:~# tcpdump -ni any esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:26:02.556831 IP 192.168.0.1 > 192.168.0.2: ESP(spi=0xc01ee203,seq=0x2df), length 132
16:26:02.556933 IP 192.168.0.2 > 192.168.0.1: ESP(spi=0xc795a4e6,seq=0xf), length 132
16:26:03.555752 IP 192.168.0.1 > 192.168.0.2: ESP(spi=0xc01ee203,seq=0x2e0), length 132
16:26:03.555830 IP 192.168.0.2 > 192.168.0.1: ESP(spi=0xc795a4e6,seq=0x10), length 132
16:26:04.554739 IP 192.168.0.1 > 192.168.0.2: ESP(spi=0xc01ee203,seq=0x2e1), length 132
16:26:04.554828 IP 192.168.0.2 > 192.168.0.1: ESP(spi=0xc795a4e6,seq=0x11), length 132
^C
6 packets captured
7 packets received by filter
0 packets dropped by kernel

That means moon can reach sun.

But when I ran "ping 10.2.0.10" on moon:

root@strongswan1:~# ping 10.2.0.10 -c 3
PING 10.2.0.10 (10.2.0.10) 56(84) bytes of data.

--- 10.2.0.10 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

On sun, I ran "tcpdump -ni any esp":

root@strongswan2:~# tcpdump -ni any esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:28:49.681340 IP 192.168.0.1 > 192.168.0.2: ESP(spi=0xcfab21ac,seq=0x1), length 132
16:28:50.680976 IP 192.168.0.1 > 192.168.0.2: ESP(spi=0xcfab21ac,seq=0x2), length 132
16:28:51.681102 IP 192.168.0.1 > 192.168.0.2: ESP(spi=0xcfab21ac,seq=0x3), length 132

On 10.2.0.10, I ran "tcpdump -ni any icmp":

root@localhost:/root> tcpdump -ni any icmp
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
08:21:17.292698 IP 10.1.0.1 > 10.2.0.10: ICMP echo request, id 2620, seq 1, length 64
08:21:17.293311 IP 10.2.0.10 > 10.1.0.1: ICMP echo reply, id 2620, seq 1, length 64
08:21:18.292629 IP 10.1.0.1 > 10.2.0.10: ICMP echo request, id 2620, seq 2, length 64
08:21:18.292648 IP 10.2.0.10 > 10.1.0.1: ICMP echo reply, id 2620, seq 2, length 64
08:21:19.292806 IP 10.1.0.1 > 10.2.0.10: ICMP echo request, id 2620, seq 3, length 64
08:21:19.292829 IP 10.2.0.10 > 10.1.0.1: ICMP echo reply, id 2620, seq 3, length 64

That means ICMP packets can pass the VPN tunnel, these packets reach 10.2.0.10, and 10.2.0.10 replies to them.
But these reply packets can not pass the VPN tunnel.

This network topology shows the above test.

10.1.0.10 <----> 10.1.0.1 (moon) 192.168.0.1 <-----> 192.168.0.2 (sun) 10.2.0.1 <----> 10.2.0.10

                          icmp request packets
-----------------------------------------------------------> 10.2.0.10
reach here <---- icmp reply

The ICMP request can reach 10.2.0.10, but the ICMP reply packets can only reach 10.2.0.1; they can not pass the VPN tunnel.

What should I do to make these icmp reply packets reach 10.1.0.1?

Any reply is appreciated.

Best Regards!
Zhu Yanjun

On 05/04/2015 04:17 PM, zhuyj wrote:
> Hi, all
>
> I followed this link: 
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/
>
> I configured 4 VMware hosts. The hosts are ubuntu14.04.
>
> The network topology is as below.
>
> 10.1.0.10 <---->10.1.0.1 (moon) 192.168.0.1<----->192.168.0.2 (sun) 
> 10.2.0.1<---->10.2.0.10
>
> strongswan is 5.1.2.
>
> From this link: 
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/, after a 
> vpn tunnel is created,
> I ran "ping 10.2.0.10" on client 10.1.0.10. But I can not get any 
> reply from 10.2.0.10.
>
> I can find the icmp packets into moon. But moon will not forward these 
> icmp packets.
>
> I exactly followed this link 
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/, but I 
> can not get
> the same test result with this link.
>
> Does anyone have a similar experience?
>
> Any reply is appreciated.
>
> Thanks a lot.
> Zhu Yanjun
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
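A check for the symptom described above (the reply reaches sun but never leaves sun as ESP), added here as an example and not code from the thread or from strongSwan: parse the output of "ip xfrm policy" on sun and confirm that the reply's src/dst pair (10.2.0.10 -> 10.1.0.1) is covered by a "dir out" policy. The sample policy dump is constructed from the thread's addresses and the net2net /16 subnets; real output uses tab indentation, which the parser also accepts.

```python
# Added example: match a packet's src/dst/direction against "ip xfrm policy"
# output. If the reply from 10.2.0.10 to 10.1.0.1 matches no "dir out" policy
# on sun, the kernel routes it in clear instead of encapsulating it in ESP.
import ipaddress
import re

# Constructed sample of "ip xfrm policy" on sun with the net2net tunnel up
# (10.1.0.0/16 behind moon, 10.2.0.0/16 behind sun, gateways 192.168.0.x).
SAMPLE_XFRM_POLICY = """\
src 10.2.0.0/16 dst 10.1.0.0/16
    dir out priority 399999 ptype main
    tmpl src 192.168.0.2 dst 192.168.0.1
        proto esp reqid 1 mode tunnel
src 10.1.0.0/16 dst 10.2.0.0/16
    dir fwd priority 399999 ptype main
    tmpl src 192.168.0.1 dst 192.168.0.2
        proto esp reqid 1 mode tunnel
src 10.1.0.0/16 dst 10.2.0.0/16
    dir in priority 399999 ptype main
    tmpl src 192.168.0.1 dst 192.168.0.2
        proto esp reqid 1 mode tunnel
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")      # selector line, column 0
DIR_RE = re.compile(r"^\s+dir (\w+) priority (\d+)")  # indented direction line

def parse_xfrm_policies(text):
    """Return a list of {src, dst, dir, priority} dicts from ip xfrm policy output."""
    policies, current = [], None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = {"src": ipaddress.ip_network(m.group(1)),
                       "dst": ipaddress.ip_network(m.group(2))}
            policies.append(current)
            continue
        m = DIR_RE.match(line)
        if m and current is not None:
            current["dir"] = m.group(1)
            current["priority"] = int(m.group(2))
    return policies

def matching_policy(policies, src_ip, dst_ip, direction):
    """Best match for a packet in one direction (lowest priority value wins), else None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p.get("dir") == direction and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None

if __name__ == "__main__":
    pols = parse_xfrm_policies(SAMPLE_XFRM_POLICY)
    print("reply 10.2.0.10 -> 10.1.0.1 out policy:",
          matching_policy(pols, "10.2.0.10", "10.1.0.1", "out"))
```

On a real gateway, feed the function the output of "ip xfrm policy"; a None result for the reply pair means the traffic selectors (leftsubnet/rightsubnet) do not cover the replying host, which is the first thing to check when a reply reaches the gateway but no ESP leaves it.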
