[strongSwan] Cannot ping in tunnel
Hoggins!
hoggins at radiom.fr
Wed Dec 7 14:16:32 CET 2016
Just compiled and installed Strongswan 5.5.1 ("Linux strongSwan
U5.5.1/K4.4.8"), still no luck.
On 07/12/2016 at 11:45, Hoggins! wrote:
> Hello list,
>
> This is my first post here, I'm hoping I'm not asking something too stupid.
>
> I have a tunnel definition towards a provider (OVH, French ISP), and
> it's working well on my Ubuntu 16.04 (ipsec version shows: "Linux
> strongSwan U5.3.5/K4.4.0-51-generic") with the following ipsec.conf file:
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     authby=secret
>     keyexchange=ikev2
>     mobike=no
>     reauth=no
>
> conn vrack3576_psk
>     auto=add
>     type=tunnel
>     dpdaction=restart
>     dpddelay=30s
>     dpdtimeout=120s
>     right=92.222.188.77
>     rightsubnet=192.168.55.0/24
>     leftsourceip=%config
>
>
> ... fairly simple actually.
>
> It connects without problem and I can ping the other party.
>
> ... now I'm trying the same config on another server. Its distribution
> is fairly old (Fedora 18, can't upgrade for the moment), and it's using
> "Linux strongSwan U5.0.0/K4.4.8".
> When issuing "strongswan up vrack3576_psk", everything looks fine:
>
> strongswan up vrack3576_psk
> initiating IKE_SA vrack3576_psk[5] to 92.222.188.77
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.1.72[500] to 92.222.188.77[500]
> received packet: from 92.222.188.77[500] to 192.168.1.72[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> local host is behind NAT, sending keep alives
> received 1 cert requests for an unknown ca
> no IDi configured, fall back on IP address
> authentication of '192.168.1.72' (myself) with pre-shared key
> establishing CHILD_SA vrack3576_psk
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CP(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 192.168.1.72[4500] to 92.222.188.77[4500]
> received packet: from 92.222.188.77[4500] to 192.168.1.72[4500]
> parsed IKE_AUTH response 1 [ IDr AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) ]
> authentication of '92.222.188.77' with pre-shared key successful
> IKE_SA vrack3576_psk[5] established between 192.168.1.72[192.168.1.72]...92.222.188.77[92.222.188.77]
> scheduling rekeying in 3322s
> maximum IKE_SA lifetime 3502s
> installing new virtual IP 192.168.100.10
> CHILD_SA vrack3576_psk{5} established with SPIs c17a934e_i c57dfbbe_o and TS 192.168.100.10/32 === 192.168.55.0/24
>
>
> ... and strongswan statusall shows:
>
> Status of IKE charon daemon (strongSwan 5.0.0, Linux 4.4.8, x86_64):
> uptime: 24 minutes, since Dec 07 11:19:09 2016
> malloc: sbrk 270336, mmap 0, used 197104, free 73232
> worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 17
> loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
> Listening IP addresses:
> 192.168.34.10
> 10.2.1.2
> 10.5.1.2
> 10.3.1.2
> 192.168.35.10
> 192.168.36.10
> 192.168.37.10
> 192.168.38.10
> 192.168.39.10
> 192.168.100.10
> 192.168.1.72
> Connections:
> vrack3576_psk: %any...92.222.188.77 IKEv2, dpddelay=30s
> vrack3576_psk: local: [%any] uses pre-shared key authentication
> vrack3576_psk: remote: [92.222.188.77] uses pre-shared key authentication
> vrack3576_psk: child: dynamic === 192.168.55.0/24 TUNNEL, dpdaction=restart
> Security Associations (1 up, 0 connecting):
> vrack3576_psk[5]: ESTABLISHED 11 minutes ago, 192.168.1.72[192.168.1.72]...92.222.188.77[92.222.188.77]
> vrack3576_psk[5]: IKEv2 SPIs: 8e08ef882cbc4b61_i* 0455f833b266865e_r, rekeying in 44 minutes, pre-shared key reauthentication in 39 minutes
> vrack3576_psk[5]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> vrack3576_psk{5}: INSTALLED, TUNNEL, ESP in UDP SPIs: c17a934e_i c57dfbbe_o
> vrack3576_psk{5}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 4 minutes
> vrack3576_psk{5}: 192.168.100.10/32 === 192.168.55.0/24
>
>
> But I can't ping any address in 192.168.55.0/24.
>
> Can you help me on what additional info I need to provide to help
> debugging?
>
> Thanks!
>
> Hoggins!
>
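Added example, not part of this thread and not strongSwan's own code: a small Python script that parses the CHILD_SA section of `strongswan statusall` and states what the quoted counters and traffic selectors imply. The sample text is constructed from the output quoted above (wrapped lines rejoined); the function names `parse_child_sas`, `source_in_local_ts` and `diagnose` are my own.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the "Security Associations" part of the statusall output
# quoted in the post, with the lines the mailer wrapped joined back together.
SAMPLE_STATUSALL = """\
Security Associations (1 up, 0 connecting):
vrack3576_psk[5]: ESTABLISHED 11 minutes ago, 192.168.1.72[192.168.1.72]...92.222.188.77[92.222.188.77]
vrack3576_psk[5]: IKEv2 SPIs: 8e08ef882cbc4b61_i* 0455f833b266865e_r, rekeying in 44 minutes, pre-shared key reauthentication in 39 minutes
vrack3576_psk[5]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
vrack3576_psk{5}: INSTALLED, TUNNEL, ESP in UDP SPIs: c17a934e_i c57dfbbe_o
vrack3576_psk{5}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 4 minutes
vrack3576_psk{5}: 192.168.100.10/32 === 192.168.55.0/24
"""


@dataclass
class ChildSA:
    name: str
    sa_id: int
    spi_in: str = ""
    spi_out: str = ""
    bytes_in: int = 0
    bytes_out: int = 0
    local_ts: list = field(default_factory=list)   # ip_network objects
    remote_ts: list = field(default_factory=list)


# Hypothetical parser: the three "name{id}: ..." line shapes charon prints for a
# CHILD_SA. The counter pattern tolerates the "(N pkts, Ms ago)" annotation that
# newer releases add after each byte count.
_HDR = re.compile(r"^(?P<name>\S+)\{(?P<id>\d+)\}: INSTALLED, \w+, ESP(?: in UDP)? SPIs: "
                  r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
_CNT = re.compile(r"^(?P<name>\S+)\{(?P<id>\d+)\}: \S+, (?P<bi>\d+) bytes_i(?: \([^)]*\))?, "
                  r"(?P<bo>\d+) bytes_o")
_TS = re.compile(r"^(?P<name>\S+)\{(?P<id>\d+)\}: (?P<local>.+?) === (?P<remote>.+)$")


def parse_child_sas(text: str) -> dict[tuple[str, int], ChildSA]:
    """Collect every installed CHILD_SA keyed by (connection name, SA id)."""
    sas: dict[tuple[str, int], ChildSA] = {}
    for line in text.splitlines():
        line = line.strip()
        if (m := _HDR.match(line)):
            key = (m["name"], int(m["id"]))
            sas[key] = ChildSA(*key, spi_in=m["spi_in"], spi_out=m["spi_out"])
        elif (m := _CNT.match(line)) and (key := (m["name"], int(m["id"]))) in sas:
            sas[key].bytes_in, sas[key].bytes_out = int(m["bi"]), int(m["bo"])
        elif (m := _TS.match(line)) and (key := (m["name"], int(m["id"]))) in sas:
            sas[key].local_ts = [ipaddress.ip_network(t, strict=False) for t in m["local"].split()]
            sas[key].remote_ts = [ipaddress.ip_network(t, strict=False) for t in m["remote"].split()]
    return sas


def source_in_local_ts(sa: ChildSA, addr: str) -> bool:
    """True if packets sourced from `addr` fall inside the SA's local traffic selector."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in sa.local_ts)


def diagnose(sa: ChildSA, ping_source: str | None = None) -> list[str]:
    """Explain, from counters and selectors alone, why a ping may not traverse the SA."""
    findings = []
    if sa.bytes_out == 0:
        findings.append("bytes_o is 0: nothing this host sent has matched the outbound IPsec "
                        "policy, so the problem lies before encryption (source address, route "
                        "or local filtering)")
    if sa.bytes_in == 0:
        findings.append("bytes_i is 0: no ESP from the peer has been decrypted on this SA")
    if ping_source and not source_in_local_ts(sa, ping_source):
        findings.append(f"{ping_source} is outside the local selector "
                        f"{' '.join(map(str, sa.local_ts))}: packets from it bypass the "
                        f"tunnel and are routed normally")
    return findings


if __name__ == "__main__":
    for (name, sa_id), sa in parse_child_sas(SAMPLE_STATUSALL).items():
        print(f"{name}{{{sa_id}}} SPIs {sa.spi_in}_i/{sa.spi_out}_o, "
              f"{sa.bytes_in}/{sa.bytes_out} bytes in/out")
        for finding in diagnose(sa, ping_source="192.168.1.72"):
            print("  -", finding)
```

Run stand-alone it reports three findings for the quoted SA: both counters are zero, and a ping sourced from the host's own address 192.168.1.72 falls outside the local selector 192.168.100.10/32, so it would never be handed to the SA. The practical check that follows is whether a ping sourced from the virtual IP (`ping -I 192.168.100.10 <host in 192.168.55.0/24>`) makes bytes_o move; if it does not, the outbound policy or route is the place to look, before suspecting the peer.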