[strongSwan] net-net sample can not work on ubuntu14.04

zhuyj mounter625 at 163.com
Mon May 4 11:26:22 CEST 2015 

On, sun, I run "ip -4 route show table all". The result is as below:

root at strongswan2:~# ip -4 route show table all
10.1.0.0/16 via 192.168.0.1 dev eth1  table 220  proto static  src 10.2.0.1
default via 128.224.162.1 dev eth0
10.2.0.0/16 dev eth2  proto kernel  scope link  src 10.2.0.1
128.224.162.0/23 dev eth0  proto kernel  scope link  src 128.224.162.165
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.2
broadcast 10.2.0.0 dev eth2  table local  proto kernel  scope link  src 
10.2.0.1
local 10.2.0.1 dev eth2  table local  proto kernel  scope host src 10.2.0.1
broadcast 10.2.255.255 dev eth2  table local  proto kernel  scope link  
src 10.2.0.1
broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link src 
127.0.0.1
local 127.0.0.0/8 dev lo  table local  proto kernel  scope host src 
127.0.0.1
local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 
127.0.0.1
broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  
src 127.0.0.1
broadcast 128.224.162.0 dev eth0  table local  proto kernel  scope link  
src 128.224.162.165
local 128.224.162.165 dev eth0  table local  proto kernel  scope host  
src 128.224.162.165
broadcast 128.224.163.255 dev eth0  table local  proto kernel scope 
link  src 128.224.162.165
broadcast 192.168.0.0 dev eth1  table local  proto kernel  scope link  
src 192.168.0.2
local 192.168.0.2 dev eth1  table local  proto kernel  scope host src 
192.168.0.2
broadcast 192.168.0.255 dev eth1  table local  proto kernel  scope link  
src 192.168.0.2

Hope the above can help us all.

Best Regards!
Zhu Yanjun
On 05/04/2015 05:19 PM, zhuyj wrote:
> On sun, I run "iptables-save"
>
> root at strongswan2:~# iptables-save
> # Generated by iptables-save v1.4.21 on Mon May  4 17:15:11 2015
> *filter
> :INPUT ACCEPT [226:21465]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [78:9832]
> -A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -i eth1 -m policy --dir in 
> --pol ipsec --reqid 1 --proto esp -j ACCEPT
> -A FORWARD -s 10.2.0.0/16 -d 10.1.0.0/16 -o eth1 -m policy --dir out 
> --pol ipsec --reqid 1 --proto esp -j ACCEPT
> COMMIT
> # Completed on Mon May  4 17:15:11 2015
>
> I expect that it can help us all.
>
> Zhu Yanjun
>
> On 05/04/2015 04:43 PM, zhuyj wrote:
>> Hi, all
>>
>> On moon, I run "ping 10.2.0.1"
>>
>> root at strongswan1:~# ping 10.2.0.1 -c 3
>> PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
>> 64 bytes from 10.2.0.1: icmp_seq=1 ttl=64 time=0.310 ms
>> 64 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=0.256 ms
>> 64 bytes from 10.2.0.1: icmp_seq=3 ttl=64 time=0.310 ms
>>
>> --- 10.2.0.1 ping statistics ---
>> 3 packets transmitted, 3 received, 0% packet loss, time 1998ms
>> rtt min/avg/max/mdev = 0.256/0.292/0.310/0.025 ms
>>
>> On sun:
>> I ran "tcpudmp -ni any esp"
>>
>> root at strongswan2:~# tcpdump -ni any esp
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol 
>> decode
>> listening on any, link-type LINUX_SLL (Linux cooked), capture size 
>> 262144 bytes
>> 16:26:02.556831 IP 192.168.0.1 > 192.168.0.2: 
>> ESP(spi=0xc01ee203,seq=0x2df), length 132
>> 16:26:02.556933 IP 192.168.0.2 > 192.168.0.1: 
>> ESP(spi=0xc795a4e6,seq=0xf), length 132
>> 16:26:03.555752 IP 192.168.0.1 > 192.168.0.2: 
>> ESP(spi=0xc01ee203,seq=0x2e0), length 132
>> 16:26:03.555830 IP 192.168.0.2 > 192.168.0.1: 
>> ESP(spi=0xc795a4e6,seq=0x10), length 132
>> 16:26:04.554739 IP 192.168.0.1 > 192.168.0.2: 
>> ESP(spi=0xc01ee203,seq=0x2e1), length 132
>> 16:26:04.554828 IP 192.168.0.2 > 192.168.0.1: 
>> ESP(spi=0xc795a4e6,seq=0x11), length 132
>> ^C
>> 6 packets captured
>> 7 packets received by filter
>> 0 packets dropped by kernel
>>
>> That means moon can reach sun.
>>
>> But I ran "10.2.0.10" on moon,
>>
>> root at strongswan1:~# ping 10.2.0.10 -c 3
>> PING 10.2.0.10 (10.2.0.10) 56(84) bytes of data.
>>
>> --- 10.2.0.10 ping statistics ---
>> 3 packets transmitted, 0 received, 100% packet loss, time 1999ms
>>
>> On sun, I ran "tcpdump -ni any esp"
>> root at strongswan2:~# tcpdump -ni any esp
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol 
>> decode
>> listening on any, link-type LINUX_SLL (Linux cooked), capture size 
>> 262144 bytes
>> 16:28:49.681340 IP 192.168.0.1 > 192.168.0.2: 
>> ESP(spi=0xcfab21ac,seq=0x1), length 132
>> 16:28:50.680976 IP 192.168.0.1 > 192.168.0.2: 
>> ESP(spi=0xcfab21ac,seq=0x2), length 132
>> 16:28:51.681102 IP 192.168.0.1 > 192.168.0.2: 
>> ESP(spi=0xcfab21ac,seq=0x3), length 132
>>
>> On 10.2.0.10, I run "tcpdump -ni any icmp"
>> root at localhost:/root> tcpdump -ni any icmp
>> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol 
>> decode
>> listening on any, link-type LINUX_SLL (Linux cooked), capture size 
>> 65535 bytes
>> 08:21:17.292698 IP 10.1.0.1 > 10.2.0.10: ICMP echo request, id 2620, 
>> seq 1, length 64
>> 08:21:17.293311 IP 10.2.0.10 > 10.1.0.1: ICMP echo reply, id 2620, 
>> seq 1, length 64
>> 08:21:18.292629 IP 10.1.0.1 > 10.2.0.10: ICMP echo request, id 2620, 
>> seq 2, length 64
>> 08:21:18.292648 IP 10.2.0.10 > 10.1.0.1: ICMP echo reply, id 2620, 
>> seq 2, length 64
>> 08:21:19.292806 IP 10.1.0.1 > 10.2.0.10: ICMP echo request, id 2620, 
>> seq 3, length 64
>> 08:21:19.292829 IP 10.2.0.10 > 10.1.0.1: ICMP echo reply, id 2620, 
>> seq 3, length 64
>>
>> That means icmp packets can pass the vpn tunnel, but these packets 
>> can reach 10.2.0.10, and 10.2.0.10 replies these packets.
>> But these replied packets can not pass vun tunnel.
>>
>> This network topology can show the above test.
>>
>> 10.1.0.10 <---->10.1.0.1 (moon) 192.168.0.1<----->192.168.0.2 (sun) 
>> 10.2.0.1<---->10.2.0.10
>>                           icmp request packets 
>> ----------------------------------------------------------->10.2.0.10
>> reach here<----icmp reply
>>
>> The icmp request can reach 10.2.0.10, but the icmp reply packets can 
>> only reach 10.2.0.1, can
>> not pass vpn tunnel.
>>
>> What should I do to make these icmp reply packets reach 10.1.0.1?
>>
>> Any reply is appreciated.
>>
>> Best Regards!
>> Zhu Yanjun
>>
>> On 05/04/2015 04:17 PM, zhuyj wrote:
>>> Hi, all
>>>
>>> I followed this link: 
>>> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/
>>>
>>> I configured 4 vmare hosts. The hosts are ubuntu14.04.
>>>
>>> The network topology is as below.
>>>
>>> 10.1.0.10 <---->10.1.0.1 (moon) 192.168.0.1<----->192.168.0.2 (sun) 
>>> 10.2.0.1<---->10.2.0.10
>>>
>>> strongswan is 5.1.2.
>>>
>>> From this link: 
>>> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/, after 
>>> a vpn tunnel is created,
>>> I ran "ping 10.2.0.10" on clinet 10.1.0.10. But I can not get any 
>>> reply from 10.2.0.10.
>>>
>>> I can find the icmp packets into moon. But moon will not forward 
>>> these icmp packets.
>>>
>>> I exactly followed this link 
>>> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk/, but I 
>>> can not get
>>> the same test result with this link.
>>>
>>> Does any one have the similar experience?
>>>
>>> Any reply is appreciated.
>>>
>>> Thanks a lot.
>>> Zhu Yanjun
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>

More information about the Users mailing list