[strongSwan] stongswan tunnel up but child subnets not pinging

Noel Kuntze noel at familie-kuntze.de
Tue Feb 16 17:01:03 CET 2016 

> hello i managed to install strongswan and managed to establish a connection to remote partner but child subnets are not pinging each other what could be the problem?

> Security Associations (1 up, 0 connecting):
>          MTN[10]: ESTABLISHED 2 minutes ago, 185.3.95.94[185.3.95.94]...41.223.117.190[41.223.117.190]
>          MTN[10]: IKEv1 SPIs: 28e33873f54aaaff_i* 6d3ab411e92b6c05_r, pre-shared key reauthentication in 7 hours
>          MTN[10]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>          MTN[10]: Tasks queued: QUICK_MODE
>          MTN[10]: Tasks active: MODE_CONFIG
The tunnel is not actually up. Only the IKE_SA is. The IKE_SA does not transport traffic, CHILD_SAs do that.

> [root at li788-94 strongswan]# iptables -nvL
Don't show `iptables -L` or something. Always show `iptables-save`. `iptables -L` only
shows the *filter table. `iptables-save` shows all tables. It's also more readable.

>
> conn %default
>         ikelifetime=28800s
>         keylife=200s
>         rekeymargin=300
>         keyingtries=1
>         keyexchange=ikev1
>         ike=aes128-sha1-modp1024-diffie-hellman group 2
>
>         esp=3des-sha1
>         ike=3des-sha1-modp1024
>         mobike=yes
>         leftikeport=4500
>         rightikeport=4500
>         authby=secret
>  conn MTN
>   type=tunnel
>     left=185.3.95.94
>     # left=%defaultroute
>     # leftcert=client.cert
>     #     authby=secret
>     leftsubnet=192.168.200.172/17
>     leftsourceip=%config
>      leftfirewall=yes
>      right=41.223.117.190
>      #rightid=41.223.117.190
>     rightsubnet=172.25.48.36/32,172.25.48.43/32
>      #      rightsubnet=172.25.48.36/16
>      #  rightsubnet=172.25.48.36
>    auto=start
>     rightsubnet=172.25.48.36/32,172.25.48.43/32
IKEv1 does not support several subnets in a single CHILD_SA. You need to specify
a CHILD_SA per subnet pair.

>         ike=aes128-sha1-modp1024-diffie-hellman group 2
That line is formatted wrong. "-diffie-hellman group 2" is invalid.
Read the man page.

> conn %default
>         ike=aes128-sha1-modp1024-diffie-hellman group 2
> [...]
>         ike=3des-sha1-modp1024
Don't declare options multiple times in a conn section.

>  conn MTN
>   type=tunnel
>     left=185.3.95.94
>     # left=%defaultroute
Indent your config correctly.

> ip route add 172.25.48.43 via 41.223.117.190 dev eth0 proto static src 192.168.200.177
> ip route add 172.25.48.36 via 41.223.117.190 dev eth0 proto static src 192.168.200.177
>
> 172.25.48.36 via 41.223.117.190 dev eth0 proto static src 192.168.200.177
>
> ip route add 41.223.117.190 dev eth0
>
> ip route add 41.223.117.190 via 185.3.95.1 dev eth0:1
>
> ip route add 41.223.117.190/32 via 185.3.95.1 dev eth0
strongSwan does the routing for you. Don't install routes yourself.

> tup: Starting Openswan IPsec U2.6.32/K4.4.0-x86_64-linode63...
> Feb 14 16:04:24 li788-94 ipsec_setup: Using NETKEY(XFRM) stack
What's up with that? strongSwan is not openswan.

> Feb 16 09:47:05 li788-94 charon: 03[IKE] IKE_SA MTN[11] established between 185.3.95.94[185.3.95.94]...41.223.117.190[41.223.117.190]
> Feb 16 09:47:05 li788-94 charon: 03[IKE] scheduling reauthentication in 28221s
> Feb 16 09:47:05 li788-94 charon: 03[IKE] maximum IKE_SA lifetime 28521s
> Feb 16 09:47:05 li788-94 charon: 03[ENC] generating TRANSACTION request 689769898 [ HASH CPRQ(ADDR DNS) ]
> Feb 16 09:47:05 li788-94 charon: 03[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
> Feb 16 09:47:09 li788-94 charon: 15[IKE] sending retransmit 1 of request message ID 689769898, seq 4
> Feb 16 09:47:09 li788-94 charon: 15[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
> Feb 16 09:47:16 li788-94 charon: 16[IKE] sending retransmit 2 of request message ID 689769898, seq 4
> Feb 16 09:47:16 li788-94 charon: 16[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
> Feb 16 09:47:29 li788-94 charon: 04[IKE] sending retransmit 3 of request message ID 689769898, seq 4
> Feb 16 09:47:29 li788-94 charon: 04[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
> Feb 16 09:47:53 li788-94 charon: 01[IKE] sending retransmit 4 of request message ID 689769898, seq 4
> Feb 16 09:47:53 li788-94 charon: 01[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
> Feb 16 09:48:35 li788-94 charon: 11[IKE] sending retransmit 5 of request message ID 689769898, seq 4
> Feb 16 09:48:35 li788-94 charon: 11[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
> Feb 16 09:49:28 li788-94 charon: 03[NET] received packet: from 41.223.117.190[4500] to 185.3.95.94[4500] (164 bytes)
> Feb 16 09:49:28 li788-94 charon: 03[ENC] parsed QUICK_MODE request 959964764 [ HASH SA No ID ID ]
> Feb 16 09:49:28 li788-94 charon: 03[IKE] received 28800s lifetime, configured 200s
> Feb 16 09:49:28 li788-94 charon: 03[IKE] received 1843200000 lifebytes, configured 0
> Feb 16 09:49:28 li788-94 charon: 03[ENC] generating QUICK_MODE response 959964764 [ HASH SA No ID ID ]
> Feb 16 09:49:28 li788-94 charon: 03[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (180 bytes)
> Feb 16 09:49:28 li788-94 charon: 02[NET] received packet: from 41.223.117.190[4500] to 185.3.95.94[4500] (52 bytes)
> Feb 16 09:49:28 li788-94 charon: 02[ENC] parsed QUICK_MODE request 959964764 [ HASH ]
> Feb 16 09:49:28 li788-94 charon: 02[IKE] CHILD_SA MTN{1} established with SPIs cead478f_i 1c001196_o and TS 192.168.200.177/32 === 172.25.48.43/32
> Feb 16 09:49:28 li788-94 vpn: + 41.223.117.190 172.25.48.43/32 == 41.223.117.190 -- 185.3.95.94 == 192.168.200.177/32
> Feb 16 09:49:50 li788-94 charon: 13[IKE] giving up after 5 retransmits
Go and find out why there are retransmits. Look at the logs of the other side.
I think it's possible that there's some issue with the other side.

> iptables -I OUTPUT -o eth0 -p all  -j ACCEPT
Filtering output is pretty useless in most cases, and so is specifying -p all.
Specifying -p all does not have any effect except makes you take more time to type the command and take up some bytes.

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160216/c887b70e/attachment.pgp>

More information about the Users mailing list