[strongSwan] strongswan tunnel up but child subnets not pinging

Noel Kuntze noel at familie-kuntze.de
Fri Feb 19 20:12:43 CET 2016


Hello,

Do not flush your routing table. If you do that, strongSwan can't even contact the peers.
What I wrote was that you should not try to insert your own routes or iptables rules
if you have no idea what you're doing.

The main routing table looks fine.

You have a lot of duplicate rules in *mangle. Clean those up.
Add a rule in front of the MASQUERADE rules that just accepts all traffic with a matching
IPsec policy:
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT

The packet counters in the FORWARD chains are zero, so forwarding doesn't seem to be enabled.

> :FORWARD ACCEPT [0:0]


> Feb 19 10:25:34 li788-94 charon: 06[ENC] generating TRANSACTION request 1166488176 [ HASH CPRQ(ADDR DNS) ]
> Feb 19 10:25:34 li788-94 charon: 06[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
> Feb 19 10:25:38 li788-94 charon: 04[IKE] sending retransmit 1 of request message ID 1166488176, seq 4
> Feb 19 10:25:38 li788-94 charon: 04[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
> Feb 19 10:25:45 li788-94 charon: 01[IKE] sending retransmit 2 of request message ID 1166488176, seq 4
> Feb 19 10:25:45 li788-94 charon: 01[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
> Feb 19 10:25:58 li788-94 charon: 13[IKE] sending retransmit 3 of request message ID 1166488176, seq 4
> Feb 19 10:25:58 li788-94 charon: 13[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
> Feb 19 10:26:21 li788-94 charon: 14[IKE] sending retransmit 4 of request message ID 1166488176, seq 4
> Feb 19 10:26:21 li788-94 charon: 14[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
> Feb 19 10:27:03 li788-94 charon: 05[IKE] sending retransmit 5 of request message ID 1166488176, seq 4
> Feb 19 10:27:03 li788-94 charon: 05[NET] sending packet: from 185.3.95.94[4500] to 41.223.117.190[4500] (76 bytes)
> Feb 19 10:28:19 li788-94 charon: 11[IKE] giving up after 5 retransmits
Look at the logs of the other side to see why it doesn't react.

Regards,
Noel
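
The two checks Noel describes above (the IPsec policy ACCEPT must come before MASQUERADE, and the duplicate rules should go) as an added example that is not part of the thread. It runs on an `iptables-save` dump as text, so it needs no root; the samples are constructed to resemble the poster's ruleset, not copied from it.

```shell
# Added example (not from the thread): check an iptables-save dump for
# MASQUERADE preceding the IPsec policy ACCEPT, count duplicate rules, and
# insert the policy rule on a live host without creating a duplicate.
# Constructed sample: policy ACCEPT behind MASQUERADE, duplicate in *mangle.
SAMPLE_BAD='*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
COMMIT'
# Same ruleset after the fix: ACCEPT first, duplicate removed.
SAMPLE_GOOD='*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Exit 0 when no MASQUERADE in nat/POSTROUTING precedes the rule accepting
# traffic with a matching outbound IPsec policy. Packets NATed before that
# ACCEPT no longer match the policy and leave the box unprotected.
ipsec_accept_precedes_masq() {
  printf '%s\n' "$1" | awk '
    /^\*/ { table = substr($0, 2) }
    table != "nat" || !/^-A POSTROUTING / { next }
    /-j MASQUERADE/ && !accept { bad = 1 }
    /-m policy/ && /--pol ipsec/ && /--dir out/ && /-j ACCEPT/ { accept = 1 }
    END { exit bad ? 1 : 0 }'
}

# Print how many rules appear more than once within the same table.
dup_rule_count() {
  printf '%s\n' "$1" | awk '
    /^\*/ { table = substr($0, 2) }
    /^-A / { if (++seen[table ":" $0] == 2) dups++ }
    END { print dups + 0 }'
}

# On a live host: add Noel's rule exactly once (iptables -C tests for it).
ensure_ipsec_accept() {
  iptables -t nat -C POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT 2>/dev/null ||
    iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
}
```

`ensure_ipsec_accept` is the only function that touches the live ruleset; the two checks only read text.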


On 19.02.2016 11:55, christopher kamutumwa wrote:
> Hello,
> I have made all changes but the problem is still there, need more help.
> Changes made below; attached ipsec.conf/message log/
> statusall/routing table/iptables.
>
> IP forwarding enabled in /etc/sysctl.conf
> net.ipv4.ip_forward = 1
>
> removed: "That line is formatted wrong. '-diffie-hellman group 2' is invalid"
>
> did this: "Don't declare options multiple times in a conn section."
> flushed routing table to default: "strongSwan does the routing for you.
> Don't install routes yourself."
>
>
> On 2/16/16, Noel Kuntze <noel at familie-kuntze.de> wrote:
>> > On 16.02.2016 18:03, christopher kamutumwa wrote:
>>> >> Hi, does this mean if I flush my iptables and routing tables strongswan
>>> >> will route and write firewall? And how can I tell that?
>> > No.
>> > strongSwan, by default, inserts routes into table 220 and uses policy based
>> > routing to route the traffic to the
>> > remote side(s) into routing table 220, where routes to the protected subnets
>> > are in.
>> >
>> > You seem to not have read the introduction[1] yet. Please read it.
> added iptables -t nat -I POSTROUTING -s 10.1.0.0/16 -o eth0 -m policy
> --dir out --pol ipsec --proto esp -j ACCEPT
> iptables -t nat -I PREROUTING -s 10.2.0.0/16 -i eth0 -m policy --dir
> in --pol ipsec --proto esp -j ACCEPT
> iptables -A input_rule -p esp -j ACCEPT
> iptables -A input_rule -p udp --dport 500 -j ACCEPT
> iptables -A input_rule -p udp --dport 4500 -j ACCEPT
>
> but still no pings to and from the other side, though the IKE_SA has always
> been up. Please help.
>
> Chris
>> >
>> > [1]
>> > https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan
>> >
>> > (Second mail, first one was sent to Christopher only)
>> >
>> > --
>> >
>> > Mit freundlichen Grüßen/Kind Regards,
>> > Noel Kuntze
>> >
>> > GPG Key ID: 0x63EC6658
>> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> >

