[strongSwan] net-net sample can not work on ubuntu14.04

zhuyj mounter625 at 163.com
Mon May 4 11:19:59 CEST 2015


On sun, I ran "iptables-save":

root at strongswan2:~# iptables-save
# Generated by iptables-save v1.4.21 on Mon May  4 17:15:11 2015
*filter
:INPUT ACCEPT [226:21465]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [78:9832]
-A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 10.2.0.0/16 -d 10.1.0.0/16 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
# Completed on Mon May  4 17:15:11 2015

I expect that it can help us all.

Zhu Yanjun

On 05/04/2015 04:43 PM, zhuyj wrote:
> Hi, all
>
> On moon, I run "ping 10.2.0.1"
>
> root at strongswan1:~# ping 10.2.0.1 -c 3
> PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
> 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.310 ms
> 64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=0.256 ms
> 64 bytes from 10.2.0.1: icmp_seq=3 ttl=64 time=0.310 ms
>
> --- 10.2.0.1 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 1998ms
> rtt min/avg/max/mdev = 0.256/0.292/0.310/0.025 ms
>
> On sun, I ran "tcpdump -ni any esp"
>
> root at strongswan2:~# tcpdump -ni any esp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
> 16:26:02.556831 IP 192.168.0.1 > 192.168.0.2: ESP(spi=0xc01ee203,seq=0x2df), length 132
> 16:26:02.556933 IP 192.168.0.2 > 192.168.0.1: ESP(spi=0xc795a4e6,seq=0xf), length 132
> 16:26:03.555752 IP 192.168.0.1 > 192.168.0.2: ESP(spi=0xc01ee203,seq=0x2e0), length 132
> 16:26:03.555830 IP 192.168.0.2 > 192.168.0.1: ESP(spi=0xc795a4e6,seq=0x10), length 132
> 16:26:04.554739 IP 192.168.0.1 > 192.168.0.2: ESP(spi=0xc01ee203,seq=0x2e1), length 132
> 16:26:04.554828 IP 192.168.0.2 > 192.168.0.1: ESP(spi=0xc795a4e6,seq=0x11), length 132
> ^C
> 6 packets captured
> 7 packets received by filter
> 0 packets dropped by kernel
>
> That means moon can reach sun.
>
> But when I ran "ping 10.2.0.10" on moon,
>
> root at strongswan1:~# ping 10.2.0.10 -c 3
> PING 10.2.0.10 (10.2.0.10) 56(84) bytes of data.
>
> --- 10.2.0.10 ping statistics ---
> 3 packets transmitted, 0 received, 100% packet loss, time 1999ms
>
> On sun, I ran "tcpdump -ni any esp"
> root at strongswan2:~# tcpdump -ni any esp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
> 16:28:49.681340 IP 192.168.0.1 > 192.168.0.2: ESP(spi=0xcfab21ac,seq=0x1), length 132
> 16:28:50.680976 IP 192.168.0.1 > 192.168.0.2: ESP(spi=0xcfab21ac,seq=0x2), length 132
> 16:28:51.681102 IP 192.168.0.1 > 192.168.0.2: ESP(spi=0xcfab21ac,seq=0x3), length 132
>
> On 10.2.0.10, I ran "tcpdump -ni any icmp"
> root at localhost:/root> tcpdump -ni any icmp
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
> 08:21:17.292698 IP 10.1.0.1 > 10.2.0.10: ICMP echo request, id 2620, seq 1, length 64
> 08:21:17.293311 IP 10.2.0.10 > 10.1.0.1: ICMP echo reply, id 2620, seq 1, length 64
> 08:21:18.292629 IP 10.1.0.1 > 10.2.0.10: ICMP echo request, id 2620, seq 2, length 64
> 08:21:18.292648 IP 10.2.0.10 > 10.1.0.1: ICMP echo reply, id 2620, seq 2, length 64
> 08:21:19.292806 IP 10.1.0.1 > 10.2.0.10: ICMP echo request, id 2620, seq 3, length 64
> 08:21:19.292829 IP 10.2.0.10 > 10.1.0.1: ICMP echo reply, id 2620, seq 3, length 64
>
> That means ICMP packets can pass through the VPN tunnel: these packets reach 10.2.0.10, and 10.2.0.10 replies to them.
> But the reply packets cannot pass through the VPN tunnel.
>
> The network topology below shows the above test.
>
> 10.1.0.10 <---->10.1.0.1 (moon) 192.168.0.1<----->192.168.0.2 (sun) 10.2.0.1<---->10.2.0.10
>                           icmp request packets ----------------------------------------------------------->10.2.0.10
>                                                                                   reach here<----icmp reply
>
> The ICMP request can reach 10.2.0.10, but the ICMP reply packets can only reach 10.2.0.1; they cannot pass through the VPN tunnel.
>
> What should I do to make these ICMP reply packets reach 10.1.0.1?
>
> Any reply is appreciated.
>
> Best Regards!
> Zhu Yanjun
>
> On 05/04/2015 04:17 PM, zhuyj wrote:
>> Hi, all
>>
>> I followed this link: 
>> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/
>>
>> I configured 4 VMware hosts. The hosts are Ubuntu 14.04.
>>
>> The network topology is as below.
>>
>> 10.1.0.10 <---->10.1.0.1 (moon) 192.168.0.1<----->192.168.0.2 (sun) 10.2.0.1<---->10.2.0.10
>>
>> strongSwan is 5.1.2.
>>
>> Following this link: http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/, after a VPN tunnel is created,
>> I ran "ping 10.2.0.10" on the client 10.1.0.10. But I cannot get any reply from 10.2.0.10.
>>
>> I can see the ICMP packets arriving at moon. But moon does not forward these ICMP packets.
>>
>> I followed this link exactly: http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/, but I cannot get
>> the same test result as this link.
>>
>> Does anyone have a similar experience?
>>
>> Any reply is appreciated.
>>
>> Thanks a lot.
>> Zhu Yanjun
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
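The FORWARD rules posted for sun, evaluated against the packets from the tcpdump traces in this thread, as an added example that is not part of the thread or of strongSwan's own test scripts. The script parses the iptables-save output, applies each rule's address, interface and policy-match conditions, and reports which rule (or the chain's default policy) decides each packet. The interface name eth0 for sun's LAN side is an assumption (only eth1 appears in the ruleset), and the packets are constructed from the addresses in the traces. With this ruleset every packet in both directions is accepted, either by an explicit `-m policy` rule or by the FORWARD chain's ACCEPT default, so the replies that never leave sun are not being dropped by this filter table.

```python
"""Evaluate sun's FORWARD chain against the packets seen in the thread.

Added example, not part of the thread. The ruleset is the iptables-save
output posted for sun; 'eth0' as sun's LAN-side interface is an assumption.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional, Tuple

# Ruleset copied from the iptables-save output on sun (wrapped lines rejoined).
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [226:21465]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [78:9832]
-A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 10.2.0.0/16 -d 10.1.0.0/16 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
"""


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    # IPsec policy the kernel attached to the packet, as (direction, reqid),
    # or None when the packet matched no security policy at all.
    policy: Optional[Tuple[str, int]] = None


@dataclass
class Rule:
    chain: str
    target: str = ""
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    pol_dir: Optional[str] = None      # from "-m policy --dir"
    pol_reqid: Optional[int] = None    # from "-m policy --reqid"


def parse_iptables_save(text):
    """Return ({chain: default policy}, [Rule]) for the *filter table."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy, _counters = line[1:].split()
            policies[chain] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule = Rule(chain=toks[1])
            i = 2
            while i < len(toks):  # every option used in this ruleset takes one argument
                opt, arg = toks[i], toks[i + 1]
                if opt == "-s":
                    rule.src = ipaddress.ip_network(arg)
                elif opt == "-d":
                    rule.dst = ipaddress.ip_network(arg)
                elif opt == "-i":
                    rule.in_if = arg
                elif opt == "-o":
                    rule.out_if = arg
                elif opt == "--dir":
                    rule.pol_dir = arg
                elif opt == "--reqid":
                    rule.pol_reqid = int(arg)
                elif opt == "-j":
                    rule.target = arg
                elif opt in ("-m", "--pol", "--proto"):
                    pass  # "policy", "ipsec", "esp": implied by pol_dir/pol_reqid being set
                else:
                    raise ValueError(f"unsupported option {opt}")
                i += 2
            rules.append(rule)
    return policies, rules


def matches(rule, pkt):
    """True if every condition on the rule holds for the packet."""
    if rule.src and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.in_if and rule.in_if != pkt.in_if:
        return False
    if rule.out_if and rule.out_if != pkt.out_if:
        return False
    if rule.pol_dir:  # "-m policy --pol ipsec": packet must carry a matching SP
        if pkt.policy is None:
            return False
        direction, reqid = pkt.policy
        if direction != rule.pol_dir:
            return False
        if rule.pol_reqid is not None and reqid != rule.pol_reqid:
            return False
    return True


def forward_verdict(policies, rules, pkt):
    """Walk FORWARD top to bottom; return (verdict, index of deciding rule or None)."""
    for idx, rule in enumerate(r for r in rules if r.chain == "FORWARD"):
        if matches(rule, pkt):
            return rule.target, idx
    return policies["FORWARD"], None


# Constructed from the addresses in the thread's tcpdump traces.
SAMPLE_PACKETS = {
    # echo request decapsulated from ESP on eth1, headed for the LAN host
    "request 10.1.0.1 -> 10.2.0.10": Packet("10.1.0.1", "10.2.0.10", "eth1", "eth0", ("in", 1)),
    # echo reply from the LAN host, to be encapsulated and sent out eth1
    "reply 10.2.0.10 -> 10.1.0.1": Packet("10.2.0.10", "10.1.0.1", "eth0", "eth1", ("out", 1)),
    # the same reply if the kernel attached no IPsec policy to it
    "reply without ipsec policy": Packet("10.2.0.10", "10.1.0.1", "eth0", "eth1", None),
}


def run():
    policies, rules = parse_iptables_save(IPTABLES_SAVE)
    return {name: forward_verdict(policies, rules, p) for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (verdict, idx) in run().items():
        where = f"rule {idx + 1}" if idx is not None else "chain default"
        print(f"{name}: {verdict} ({where})")
```

The third packet is the instructive one: a reply that the kernel has not tagged with an IPsec policy matches neither explicit rule and is still accepted by the chain default, so this table cannot be where the replies are lost; the `-m policy` rules only add explicit accepts, they never drop.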