[strongSwan] net2net cannot work well on ubuntu14.04
yzhu1
Yanjun.Zhu at windriver.com
Fri May 8 12:14:42 CEST 2015
On moon:
Iptables rules:
# Generated by iptables-save v1.4.21 on Fri May 8 18:10:58 2015
*filter
:INPUT ACCEPT [4274:596163]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [190:20743]
-A INPUT -s 10.2.0.0/16 -d 10.4.0.1/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 10.2.0.0/16 -d 10.4.0.1/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 10.4.0.1/32 -d 10.2.0.0/16 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A OUTPUT -s 10.4.0.1/32 -d 10.2.0.0/16 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
# Completed on Fri May 8 18:10:58 2015
ip -4 r s table all
10.2.0.0/16 via 192.168.0.2 dev eth1 table 220 proto static src 10.4.0.1
default via 128.224.162.1 dev eth0 proto static
10.1.0.0/16 dev eth2 proto kernel scope link src 10.1.0.1
128.224.162.0/23 dev eth0 proto kernel scope link src 128.224.163.143 metric 1
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
broadcast 10.1.0.0 dev eth2 table local proto kernel scope link src 10.1.0.1
local 10.1.0.1 dev eth2 table local proto kernel scope host src 10.1.0.1
broadcast 10.1.255.255 dev eth2 table local proto kernel scope link src 10.1.0.1
local 10.4.0.1 dev eth1 table local proto kernel scope host src 10.4.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 128.224.162.0 dev eth0 table local proto kernel scope link src 128.224.163.143
local 128.224.163.143 dev eth0 table local proto kernel scope host src 128.224.163.143
broadcast 128.224.163.255 dev eth0 table local proto kernel scope link src 128.224.163.143
broadcast 192.168.0.0 dev eth1 table local proto kernel scope link src 192.168.0.1
local 192.168.0.1 dev eth1 table local proto kernel scope host src 192.168.0.1
broadcast 192.168.0.255 dev eth1 table local proto kernel scope link src 192.168.0.1
cat /proc/sys/net/ipv4/ip_forward
1
On 05/08/2015 06:01 PM, zhuyj wrote:
> Hi, all
>
> I configured 4 VMware hosts. The hosts are ubuntu14.04. The gateway
> moon does not forward icmp packets.
>
> The network topology is as below.
>
> 10.1.0.10 <---->10.1.0.1 (moon) 192.168.0.1<----->192.168.0.2 (sun) 10.2.0.1<---->10.2.0.10
>
> strongswan is 5.3.0.
>
> On moon
> /usr/local/etc/ipsec.conf is as below:
>
> config setup
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> authby=secret
> keyexchange=ikev2
> mobike=no
>
> conn net-net
> left=%defaultroute
> leftsourceip=%config
> leftfirewall=yes
> leftid=@moon.strongswan.org
> right=192.168.0.2
> rightsubnet=10.2.0.0/16
> rightid=@sun.strongswan.org
> auto=add
> /usr/local/etc/ipsec.secrets is as below:
>
> : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
>
> On Sun
> /usr/local/etc/ipsec.conf is as below:
> config setup
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> authby=secret
> keyexchange=ikev2
> mobike=no
>
> conn net-net
> left=192.168.0.2
> leftsubnet=10.2.0.0/16
> leftid=@sun.strongswan.org
> leftfirewall=yes
> right=192.168.0.1
> rightid=@moon.strongswan.org
> auto=add
> rightsourceip=10.4.0.0/24
>
> /usr/local/etc/ipsec.secrets is as below:
>
> : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
>
> Others remain unchanged.
>
> I ran "ping 10.2.0.10" on client 10.1.0.10. But I cannot get any
> reply from 10.2.0.10.
>
> I can see the icmp packets coming into moon. But moon will not forward these
> icmp packets.
>
> After an iptables rule (iptables -t nat -A POSTROUTING -s 10.4.0.0/16
> -j MASQUERADE) is run on sun, I can ping 10.2.0.10 on moon.
>
> But I cannot ping 10.2.0.1 on client 10.1.0.10.
>
> That is, moon can reach client 10.2.0.10. But client 10.10.10 cannot
> reach sun.
>
> 10.1.0.10 <---->10.1.0.1 (moon) 192.168.0.1<----->192.168.0.2 (sun) 10.2.0.1<---->10.2.0.10
> icmp------------------------------------------------------------------>here
>
> icmp----------->
>
> In a word, moon cannot forward icmp packets.
>
> Does anyone have a similar experience?
>
> Any reply is appreciated.
>
> Thanks a lot.
> Zhu Yanjun
>
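Added example, not code from this thread: a check of the reported symptom against the policy rules moon shows above. The selectors strongSwan installed on moon cover only 10.4.0.1/32 (the virtual IP moon received through leftsourceip=%config from sun's rightsourceip pool), so a packet from 10.1.0.10 to 10.2.0.10 matches no IPsec policy, while the same packet sourced from moon's own 10.4.0.1 does. The rule lines are copied from the iptables-save output above; nothing else is assumed.

```python
import ipaddress
import re
from dataclasses import dataclass

# The two FORWARD policy rules copied from moon's iptables-save output above
# (strongSwan installs them because of leftfirewall=yes).
MOON_FORWARD_RULES = """
-A FORWARD -s 10.2.0.0/16 -d 10.4.0.1/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 10.4.0.1/32 -d 10.2.0.0/16 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
"""

RULE_RE = re.compile(r"^-A (\S+) -s (\S+) -d (\S+) .*--dir (in|out) --pol ipsec")


@dataclass(frozen=True)
class PolicyRule:
    chain: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str  # "in" = decrypted ESP arriving, "out" = about to be encrypted


def parse_policy_rules(text: str) -> list:
    """Parse the '-m policy --pol ipsec' rules out of iptables-save text."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chain, src, dst, direction = m.groups()
            rules.append(PolicyRule(chain, ipaddress.ip_network(src),
                                    ipaddress.ip_network(dst), direction))
    return rules


def ipsec_policy_for(rules, src_ip: str, dst_ip: str, chain: str = "FORWARD"):
    """Return the rule whose selectors cover src->dst, or None when no IPsec
    policy covers that pair (such a packet is not carried by the tunnel)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.chain == chain and src in rule.src and dst in rule.dst:
            return rule
    return None


if __name__ == "__main__":
    rules = parse_policy_rules(MOON_FORWARD_RULES)
    for s, d in [("10.4.0.1", "10.2.0.10"), ("10.1.0.10", "10.2.0.10")]:
        r = ipsec_policy_for(rules, s, d)
        print(f"{s} -> {d}: {'policy dir ' + r.direction if r else 'no IPsec policy'}")
```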