[strongSwan] strongswan <> openbsd isakmpd: tunnel up but no traffic
fRANz
andrea.francesconi at gmail.com
Wed Sep 9 17:49:32 CEST 2015
Hello guys,
I need your help to identify a problem in this host-to-site scenario:
Left: Debian 7.8 with strongswan 5.2.1-6+deb8u1~b and Public IP
Right: OpenBSD 5.7 behind NAT (192.168.200.0/24 subnet)
The tunnel comes up, but no traffic passes.
The firewall on the VPN nodes is not enabled on either side at the moment.
Configurations are:
Debian side
# cat /etc/ipsec.conf
...
conn xxx
keyexchange=ikev1
ike=aes-md5-modp2048!
esp=aes-md5-modp2048!
ikelifetime=3600s
lifetime=3600s
left=x.234.225.230
rightid=192.168.200.253
rightsubnet=192.168.200.0/24
authby=secret
auto=start
# cat /etc/ipsec.secrets
...
192.168.200.253 : PSK "xxx"
OpenBSD side
# cat /etc/ipsec.conf
...
ike active esp \
from 192.168.200.0/24 to x.234.225.230 \
main auth hmac-md5 enc aes group modp2048 lifetime 3600 \
quick auth hmac-md5 enc aes group modp2048 lifetime 3600 \
psk "xxx"
Tunnel is up:
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.2.0-4-amd64, x86_64):
uptime: 12 minutes, since Sep 09 17:25:00 2015
malloc: sbrk 380928, mmap 0, used 314576, free 66352
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 4
loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
x.234.225.230
y:dcc0:dead:b9ff:fede:feed:52cb:c18f
y:dcc0:dead:b9ff:fede:feed:32ea:2182
Connections:
xxx: x.234.225.230...%any IKEv1
xxx: local: [x.234.225.230] uses pre-shared key authentication
xxx: remote: [192.168.200.253] uses pre-shared key authentication
xxx: child: x.234.225.230/32 === 192.168.200.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
xxx[3]: ESTABLISHED 12 minutes ago,
x.234.225.230[x.234.225.230]...x.234.166.185[192.168.200.253]
xxx[3]: IKEv1 SPIs: 9657ae7f533495ad_i e0bae10a418368ad_r*,
pre-shared key reauthentication in 31 minutes
xxx[3]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048
xxx{2}: INSTALLED, TUNNEL, ESP SPIs: c3410589_i 3711f492_o
xxx{2}: AES_CBC_128/HMAC_MD5_96, 0 bytes_i, 0 bytes_o,
rekeying in 33 minutes
xxx{2}: x.234.225.230/32 === 192.168.200.0/24
# ip xfrm policy
src 192.168.200.0/24 dst x.234.225.230/32
dir fwd priority 2851 ptype main
tmpl src x.234.166.185 dst x.234.225.230
proto esp reqid 2 mode tunnel
src 192.168.200.0/24 dst x.234.225.230/32
dir in priority 2851 ptype main
tmpl src x.234.166.185 dst x.234.225.230
proto esp reqid 2 mode tunnel
src x.234.225.230/32 dst 192.168.200.0/24
dir out priority 2851 ptype main
tmpl src x.234.225.230 dst x.234.166.185
proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
but no traffic goes through the tunnel (the goal is to reach the local
subnet 192.168.200.0/24 from the Debian host).
Any ideas?
Thanks for any help.
Regards,
-f
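An added example, not part of the original post and not strongSwan's own code: a small Python helper that reads the text of `ip xfrm policy` and the child-SA lines of `ipsec statusall`, then reports whether a packet from a given source to a given destination would be steered into the tunnel on the Debian side and whether any bytes have crossed it. The sample input is constructed from the output above, with the documentation addresses 203.0.113.230 and 203.0.113.185 standing in for the anonymised public address of the Debian host and the NAT gateway in front of the OpenBSD box. It makes one point the status output only implies: with `leftsubnet` unset, the child selector is the host's public /32, so only packets sourced from that address match the `out` policy; anything sourced from another local address bypasses the tunnel.

```python
"""Check whether an intended flow enters the IPsec tunnel and whether
anything has crossed it, from `ip xfrm policy` / `ipsec statusall` text."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the post's output (fwd policy omitted).
# 203.0.113.230 = Debian host public address, 203.0.113.185 = remote NAT gateway.
XFRM_POLICY = """\
src 192.168.200.0/24 dst 203.0.113.230/32
        dir in priority 2851 ptype main
        tmpl src 203.0.113.185 dst 203.0.113.230
                proto esp reqid 2 mode tunnel
src 203.0.113.230/32 dst 192.168.200.0/24
        dir out priority 2851 ptype main
        tmpl src 203.0.113.230 dst 203.0.113.185
                proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
"""
# Child-SA lines as `ipsec statusall` prints them (constructed, same counters as the post).
STATUSALL_CHILD = """\
xxx{2}:  INSTALLED, TUNNEL, ESP SPIs: c3410589_i 3711f492_o
xxx{2}:   AES_CBC_128/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying in 33 minutes
xxx{2}:   203.0.113.230/32 === 192.168.200.0/24
"""

@dataclass
class Policy:
    src: object                      # ip_network selector
    dst: object
    kind: str = ""                   # "dir" = real policy, "socket" = per-socket policy
    direction: str = ""              # in / out / fwd
    priority: int = 0
    tmpl_src: Optional[str] = None   # outer tunnel endpoints from the tmpl line
    tmpl_dst: Optional[str] = None

def parse_xfrm_policy(text: str) -> list:
    """Turn `ip xfrm policy` output into Policy records, one per selector."""
    policies, cur = [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "src" and len(tok) >= 4 and tok[2] == "dst":
            cur = Policy(ipaddress.ip_network(tok[1], strict=False),
                         ipaddress.ip_network(tok[3], strict=False))
            policies.append(cur)
        elif tok[0] in ("dir", "socket") and cur is not None:
            cur.kind, cur.direction = tok[0], tok[1]
            m = re.search(r"priority (\d+)", raw)
            cur.priority = int(m.group(1)) if m else 0
        elif tok[0] == "tmpl" and cur is not None and len(tok) >= 5:
            cur.tmpl_src, cur.tmpl_dst = tok[2], tok[4]
    return policies

def find_policy(policies, direction: str, src_ip: str, dst_ip: str):
    """Best matching real (non-socket) policy for a packet; the kernel
    takes the lowest priority value first, so pick the minimum."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    cands = [p for p in policies
             if p.kind == "dir" and p.direction == direction
             and src in p.src and dst in p.dst]
    return min(cands, key=lambda p: p.priority, default=None)

def parse_child_counters(text: str) -> dict:
    """Byte counters from the child-SA line of `ipsec statusall`."""
    m = re.search(r"(\d+) bytes_i, (\d+) bytes_o", text)
    if not m:
        return {"bytes_in": 0, "bytes_out": 0}
    return {"bytes_in": int(m.group(1)), "bytes_out": int(m.group(2))}

def diagnose(xfrm_text: str, status_text: str, src_ip: str, dst_ip: str) -> dict:
    """Classify why a src->dst flow shows no traffic in the tunnel."""
    out_pol = find_policy(parse_xfrm_policy(xfrm_text), "out", src_ip, dst_ip)
    counters = parse_child_counters(status_text)
    if out_pol is None:
        verdict = "no_out_policy"            # packet never enters IPsec
    elif counters["bytes_out"] == 0:
        verdict = "policy_but_nothing_sent"  # selector fits, nothing encapsulated yet
    elif counters["bytes_in"] == 0:
        verdict = "one_way"                  # we send, the peer never answers
    else:
        verdict = "ok"
    return {"out_policy": out_pol, "verdict": verdict, **counters}

if __name__ == "__main__":
    # The public /32 matches the out policy; another local source address does not.
    for src in ("203.0.113.230", "10.0.0.5"):
        print(src, "->", diagnose(XFRM_POLICY, STATUSALL_CHILD, src, "192.168.200.10")["verdict"])
```

Run it with the real output of the two commands pasted into the constants and the source address a test ping actually uses (`ip route get 192.168.200.1` shows it); `no_out_policy` means the packet bypasses the tunnel entirely, while `policy_but_nothing_sent` with a matching policy points at the kernel not seeing any packet for that selector yet.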