[strongSwan] net2net can not work well on ubuntu14.04

Noel Kuntze noel at familie-kuntze.de
Sat May 9 01:22:12 CEST 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Zhuyj,

Please check the routing in your network. The answer packets from the host you are
trying to ping need to reach back the client. See [1] for information

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Hosts-on-the-LAN

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 08.05.2015 um 12:18 schrieb zhuyj:
> On moon:
>
> I found the icmp does not pass vpn tunnel instead these icmp packets pass eth1 directly.
> I created a vpn tunnel through eth1.
>
> tcpdump -ni eth1 icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 18:13:50.095301 IP 10.1.0.10 > 10.2.0.1: ICMP echo request, id 1757, seq 37, length 64
> 18:13:50.095465 IP 10.2.0.1 > 10.1.0.10: ICMP echo reply, id 1757, seq 37, length 64
> 18:13:51.103324 IP 10.1.0.10 > 10.2.0.1: ICMP echo request, id 1757, seq 38, length 64
> 18:13:51.103478 IP 10.2.0.1 > 10.1.0.10: ICMP echo reply, id 1757, seq 38, length 64
>
> Does anyone has idea?
>
> Any reply is appreciated.
>
> Zhu Yanjun
>
> On 05/08/2015 06:14 PM, yzhu1 wrote:
>> On moon:
>> Iptables rules:
>>
>> # Generated by iptables-save v1.4.21 on Fri May  8 18:10:58 2015
>> *filter
>> :INPUT ACCEPT [4274:596163]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [190:20743]
>> -A INPUT -s 10.2.0.0/16 -d 10.4.0.1/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>> -A FORWARD -s 10.2.0.0/16 -d 10.4.0.1/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
>> -A FORWARD -s 10.4.0.1/32 -d 10.2.0.0/16 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>> -A OUTPUT -s 10.4.0.1/32 -d 10.2.0.0/16 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
>> COMMIT
>> # Completed on Fri May  8 18:10:58 2015
>>
>>  ip -4 r s table all
>> 10.2.0.0/16 via 192.168.0.2 dev eth1  table 220  proto static  src 10.4.0.1
>> default via 128.224.162.1 dev eth0  proto static
>> 10.1.0.0/16 dev eth2  proto kernel  scope link  src 10.1.0.1
>> 128.224.162.0/23 dev eth0  proto kernel  scope link  src 128.224.163.143  metric 1
>> 192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
>> broadcast 10.1.0.0 dev eth2  table local  proto kernel  scope link  src 10.1.0.1
>> local 10.1.0.1 dev eth2  table local  proto kernel  scope host src 10.1.0.1
>> broadcast 10.1.255.255 dev eth2  table local  proto kernel  scope link  src 10.1.0.1
>> local 10.4.0.1 dev eth1  table local  proto kernel  scope host src 10.4.0.1
>> broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link src 127.0.0.1
>> local 127.0.0.0/8 dev lo  table local  proto kernel  scope host src 127.0.0.1
>> local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
>> broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
>> broadcast 128.224.162.0 dev eth0  table local  proto kernel  scope link  src 128.224.163.143
>> local 128.224.163.143 dev eth0  table local  proto kernel  scope host  src 128.224.163.143
>> broadcast 128.224.163.255 dev eth0  table local  proto kernel scope link  src 128.224.163.143
>> broadcast 192.168.0.0 dev eth1  table local  proto kernel  scope link  src 192.168.0.1
>> local 192.168.0.1 dev eth1  table local  proto kernel  scope host src 192.168.0.1
>> broadcast 192.168.0.255 dev eth1  table local  proto kernel  scope link  src 192.168.0.1
>>
>> cat /proc/sys/net/ipv4/ip_forward
>> 1
>>
>>
>> On 05/08/2015 06:01 PM, zhuyj wrote:
>>> Hi, all
>>>
>>> I configured 4 vmare hosts. The hosts are ubuntu14.04. The gateway moon does not forward icmp packets.
>>>
>>> The network topology is as below.
>>>
>>> 10.1.0.10 <---->10.1.0.1 (moon) 192.168.0.1<----->192.168.0.2 (sun) 10.2.0.1<---->10.2.0.10
>>>
>>> strongswan is 5.3.0.
>>>
>>> On moon
>>> /usr/local/etc/ipsec.conf is as below:
>>>
>>> config setup
>>>
>>> conn %default
>>>     ikelifetime=60m
>>>     keylife=20m
>>>     rekeymargin=3m
>>>     keyingtries=1
>>>     authby=secret
>>>     keyexchange=ikev2
>>>     mobike=no
>>>
>>> conn net-net
>>>     left=%defaultroute
>>>     leftsourceip=%config
>>>     leftfirewall=yes
>>>     leftid=@moon.strongswan.org
>>>     right=192.168.0.2
>>>     rightsubnet=10.2.0.0/16
>>>     rightid=@sun.strongswan.org
>>>     auto=add
>>> /usr/local/etc/ipsec.secrets is as below:
>>>
>>> : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
>>>
>>> On Sun
>>> /usr/local/etc/ipsec.conf is as below:
>>> config setup
>>>
>>> conn %default
>>>     ikelifetime=60m
>>>     keylife=20m
>>>     rekeymargin=3m
>>>     keyingtries=1
>>>     authby=secret
>>>     keyexchange=ikev2
>>>     mobike=no
>>>
>>> conn net-net
>>>     left=192.168.0.2
>>>     leftsubnet=10.2.0.0/16
>>>     leftid=@sun.strongswan.org
>>>     leftfirewall=yes
>>>     right=192.168.0.1
>>>     rightid=@moon.strongswan.org
>>>     auto=add
>>>     rightsourceip=10.4.0.0/24
>>>
>>> /usr/local/etc/ipsec.secrets is as below:
>>>
>>> : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
>>>
>>> Others remain unchanged.
>>>
>>> I ran "ping 10.2.0.10" on clinet 10.1.0.10. But I can not get any reply from 10.2.0.10.
>>>
>>> I can find the icmp packets into moon. But moon will not forward these icmp packets.
>>>
>>> After an iptables rule (iptables -t nat -A POSTROUTING -s 10.4.0.0/16 -j MASQUERADE) is run in
>>> sun, I can ping 10.2.0.10 on moon.
>>>
>>> But I can not ping 10.2.0.1 on client 10.1.0.10.
>>>
>>> That is, moon can reach client 10.2.0.10.But client 10.10.10 can not reach sun.
>>>
>>> 10.1.0.10 <---->10.1.0.1 (moon) 192.168.0.1<----->192.168.0.2 (sun) 10.2.0.1<---->10.2.0.10
>>> icmp------------------------------------------------------------------>here
>>> icmp----------->
>>>
>>> In a word, moon can not forward icmp packets.
>>>
>>> Does any one have the similar experience?
>>>
>>> Any reply is appreciated.
>>>
>>> Thanks a lot.
>>> Zhu Yanjun
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVTUUkAAoJEDg5KY9j7GZYKrkQAKABtzux3tJnOjGqAYq5ybkU
Mk+55ys+JtHwnkXowXGQY+Iv7Dy1w9zccZ5N11hRo1pnFDfhh4qHlTKmbTBKNBYu
dIHg61NLm7ocbbpya/VIgMmvxzydFXJkd1hWUoc3H01nxs60yozGLMeLId8hZFpT
ZjyoH16+QMWO0y6ORb8PGn8vj4+gra1mxn2q+bdEKzAiiKIYrgK8zOrNH33epXTi
MBK9U8BsWIsEkHgHEuzKIBuGVbqOiHTaxvFuZwk8gHo/jUBZpRV+nAnZMDBCF7Xf
bm5B7WOUnX72y+kO4FV5ZCdYlyPsS+LD+2I0uvZCsIgpB7Y6fUDhkE+lS0vvl4xX
hv1RFeXrpGAAVP9Pk6Qi/iV38enF+kQX2ORvaeMXoARaaTheFVsJdpGkU8IVx1Ej
/FwVYiKX9A//HiKYFhhJjIQsXVDygdDJajk16KM51sqqzGOqPzkGfbYvMDsCs+sK
M6RZSlrMHhCqVsbGhGpp3QMY9secQeYv/9VvJZS6MWKu/cqBGE3OzzPvqmbdVbua
Wmf6RwtInQGU6L8ud7yPs2/JbAy+aebQuftFtIrNG1R7AL+uDjQa/0qDD8On48gr
BiEa9jLkXZfuO50fmNrwWarGBmLPav1Srvp5awWfumXmHSehR3vKz6KFpGQF/swL
G3rKH0I1YPw3S53nlAuC
=9PWR
-----END PGP SIGNATURE-----

More information about the Users mailing list