[strongSwan] Cannot ping in tunnel

Hoggins! hoggins at radiom.fr
Wed Dec 7 11:45:07 CET 2016


Hello list,

This is my first post here, I'm hoping I'm not asking something too stupid.

I have a tunnel definition towards a provider (OVH, French ISP), and
it's working well on my Ubuntu 16.04 (ipsec version shows: "Linux
strongSwan U5.3.5/K4.4.0-51-generic") with the following ipsec.conf file:

    conn %default
      ikelifetime=60m
      keylife=20m
      rekeymargin=3m
      keyingtries=1
      authby=secret
      keyexchange=ikev2
      mobike=no
      reauth=no

    conn vrack3576_psk
      auto=add
      type=tunnel
      dpdaction=restart
      dpddelay=30s
      dpdtimeout=120s
      right=92.222.188.77
      rightsubnet=192.168.55.0/24
      leftsourceip=%config


... fairly simple actually.

It connects without problem and I can ping the other party.

... now I'm trying the same config on another server. Its distribution
is fairly old (Fedora 18, can't upgrade for the moment), and it's using
"Linux strongSwan U5.0.0/K4.4.8".
When issuing "strongswan up vrack3576_psk", everything looks fine:

    strongswan up vrack3576_psk
    initiating IKE_SA vrack3576_psk[5] to 92.222.188.77
    generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    sending packet: from 192.168.1.72[500] to 92.222.188.77[500]
    received packet: from 92.222.188.77[500] to 192.168.1.72[500]
    parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    local host is behind NAT, sending keep alives
    received 1 cert requests for an unknown ca
    no IDi configured, fall back on IP address
    authentication of '192.168.1.72' (myself) with pre-shared key
    establishing CHILD_SA vrack3576_psk
    generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CP(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    sending packet: from 192.168.1.72[4500] to 92.222.188.77[4500]
    received packet: from 92.222.188.77[4500] to 192.168.1.72[4500]
    parsed IKE_AUTH response 1 [ IDr AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) ]
    authentication of '92.222.188.77' with pre-shared key successful
    IKE_SA vrack3576_psk[5] established between 192.168.1.72[192.168.1.72]...92.222.188.77[92.222.188.77]
    scheduling rekeying in 3322s
    maximum IKE_SA lifetime 3502s
    installing new virtual IP 192.168.100.10
    CHILD_SA vrack3576_psk{5} established with SPIs c17a934e_i c57dfbbe_o and TS 192.168.100.10/32 === 192.168.55.0/24


... and strongswan statusall shows:

    Status of IKE charon daemon (strongSwan 5.0.0, Linux 4.4.8, x86_64):
      uptime: 24 minutes, since Dec 07 11:19:09 2016
      malloc: sbrk 270336, mmap 0, used 197104, free 73232
      worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 17
      loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
    Listening IP addresses:
      192.168.34.10
      10.2.1.2
      10.5.1.2
      10.3.1.2
      192.168.35.10
      192.168.36.10
      192.168.37.10
      192.168.38.10
      192.168.39.10
      192.168.100.10
      192.168.1.72
    Connections:
    vrack3576_psk:  %any...92.222.188.77  IKEv2, dpddelay=30s
    vrack3576_psk:   local:  [%any] uses pre-shared key authentication
    vrack3576_psk:   remote: [92.222.188.77] uses pre-shared key authentication
    vrack3576_psk:   child:  dynamic === 192.168.55.0/24 TUNNEL, dpdaction=restart
    Security Associations (1 up, 0 connecting):
    vrack3576_psk[5]: ESTABLISHED 11 minutes ago, 192.168.1.72[192.168.1.72]...92.222.188.77[92.222.188.77]
    vrack3576_psk[5]: IKEv2 SPIs: 8e08ef882cbc4b61_i* 0455f833b266865e_r, rekeying in 44 minutes, pre-shared key reauthentication in 39 minutes
    vrack3576_psk[5]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    vrack3576_psk{5}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c17a934e_i c57dfbbe_o
    vrack3576_psk{5}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 4 minutes
    vrack3576_psk{5}:   192.168.100.10/32 === 192.168.55.0/24


But I can't ping any address in 192.168.55.0/24.

Can you help me on what additional info I need to provide to help
debugging?

Thanks!

    Hoggins!
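
The statusall output above already narrows the problem down: the CHILD_SA is INSTALLED with ESP in UDP, the traffic selectors are 192.168.100.10/32 === 192.168.55.0/24, and both counters are still 0 bytes_i, 0 bytes_o. The following is an added example (not code from the original post nor from the strongSwan project) that parses that output and turns the counters and traffic selectors into a first triage decision: whether the ping source even falls inside the local TS, whether packets are entering the tunnel at all (bytes_o), or whether they leave but nothing returns (bytes_i). The sample input is the mail's own statusall lines with the mail-client line wrapping undone; the triage codes, the advice strings and the function names are this example's own, not strongSwan output.

```python
"""Triage a strongSwan CHILD_SA from `ipsec statusall` / `strongswan statusall` output.

Added example, not code from the original post or from the strongSwan project.
It reads the Security Associations block, extracts the ESP byte counters and
traffic selectors, and says which side of the tunnel to look at first.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the statusall lines quoted in the mail, wrapping undone.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
vrack3576_psk[5]: ESTABLISHED 11 minutes ago, 192.168.1.72[192.168.1.72]...92.222.188.77[92.222.188.77]
vrack3576_psk[5]: IKEv2 SPIs: 8e08ef882cbc4b61_i* 0455f833b266865e_r, rekeying in 44 minutes, pre-shared key reauthentication in 39 minutes
vrack3576_psk[5]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
vrack3576_psk{5}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c17a934e_i c57dfbbe_o
vrack3576_psk{5}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 4 minutes
vrack3576_psk{5}:   192.168.100.10/32 === 192.168.55.0/24
"""

# CHILD_SA lines are keyed "name{id}:"; IKE_SA lines use "name[id]:" and are skipped.
CHILD_HDR = re.compile(r"^(?P<key>\S+\{\d+\}):\s+(?P<state>[A-Z]+), (?P<mode>TUNNEL|TRANSPORT), ESP(?P<udp> in UDP)? SPIs:")
CHILD_CTR = re.compile(r"^(?P<key>\S+\{\d+\}):\s+.*?, (?P<bi>\d+) bytes_i.*?, (?P<bo>\d+) bytes_o")
CHILD_TS = re.compile(r"^(?P<key>\S+\{\d+\}):\s+(?P<lts>[^=]+?) === (?P<rts>.+)$")


@dataclass
class ChildSA:
    key: str
    state: str = "UNKNOWN"
    mode: str = ""
    udp_encap: bool = False          # "ESP in UDP" = NAT-T, UDP/4500 must pass both ways
    bytes_in: int = 0                # decrypted bytes received on this SA
    bytes_out: int = 0               # bytes this host encrypted and sent
    local_ts: List[ipaddress.IPv4Network] = field(default_factory=list)
    remote_ts: List[ipaddress.IPv4Network] = field(default_factory=list)


def parse_statusall(text: str) -> Dict[str, ChildSA]:
    """Collect one ChildSA per 'name{id}' key from statusall output."""
    sas: Dict[str, ChildSA] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = CHILD_HDR.match(line)
        if m:
            sa = sas.setdefault(m["key"], ChildSA(m["key"]))
            sa.state, sa.mode, sa.udp_encap = m["state"], m["mode"], bool(m["udp"])
            continue
        m = CHILD_CTR.match(line)
        if m:
            sa = sas.setdefault(m["key"], ChildSA(m["key"]))
            sa.bytes_in, sa.bytes_out = int(m["bi"]), int(m["bo"])
            continue
        m = CHILD_TS.match(line)
        if m:
            sa = sas.setdefault(m["key"], ChildSA(m["key"]))
            sa.local_ts = [ipaddress.ip_network(n, strict=False) for n in m["lts"].split()]
            sa.remote_ts = [ipaddress.ip_network(n, strict=False) for n in m["rts"].split()]
    return sas


# Triage codes and the check to run next; wording is this example's own.
ADVICE = {
    "child-sa-not-installed": "IKE_SA may be up, but no ESP SA exists: look at the CHILD_SA negotiation in the charon log.",
    "source-outside-local-ts": "The ping source is not inside the local TS, so no IPsec policy matches; ping with -I <virtual IP> or adjust leftsubnet/leftsourceip.",
    "dest-outside-remote-ts": "The destination is not inside the remote TS; nothing will be tunnelled to it.",
    "no-outbound": "bytes_o stays 0: packets never enter the tunnel on this host. Check `ip xfrm policy` for the out policy, `ip rule` for the lookup of table 220 and `ip route show table 220` for the route with the virtual IP as src.",
    "no-inbound": "Packets leave (bytes_o > 0) but nothing returns: check the far side's route back to the virtual IP, its firewall, and that UDP/4500 replies pass the NAT.",
    "traffic-flowing": "ESP traffic flows both ways; look at ICMP filtering on the destination host instead.",
}


def triage(sa: ChildSA, src: str, dst: str) -> str:
    """Return the triage code for a ping from src to dst over this CHILD_SA."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if sa.state != "INSTALLED":
        return "child-sa-not-installed"
    if not any(s in n for n in sa.local_ts):
        return "source-outside-local-ts"
    if not any(d in n for n in sa.remote_ts):
        return "dest-outside-remote-ts"
    if sa.bytes_out == 0:
        return "no-outbound"
    if sa.bytes_in == 0:
        return "no-inbound"
    return "traffic-flowing"


if __name__ == "__main__":
    # Hypothetical ping target 192.168.55.1 inside the remote subnet from the mail.
    for key, sa in parse_statusall(SAMPLE_STATUS).items():
        code = triage(sa, "192.168.100.10", "192.168.55.1")
        print(f"{key}: {code}: {ADVICE[code]}")
```

Run against the posted output, a ping from the virtual IP 192.168.100.10 yields "no-outbound", so the first thing to compare between the two hosts is the local policy and routing (xfrm policy, rule for table 220, route with the virtual IP as source), not the remote side. A ping sourced from 192.168.1.72, the host's own address, yields "source-outside-local-ts": such packets are not covered by the 192.168.100.10/32 selector and are sent in the clear, which is a common reason a freshly established tunnel shows zero bytes.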
