[strongSwan] notifying watcher failed: Broken pipe

Yeagley, Josiah jyeagley at harris.com
Sat Jan 30 21:55:45 CET 2016


So, my celebration was a bit short-lived. Alice and Bob cannot ping each other. :-\ I've been trying to solve this on my own because I do not want to continue to bother everyone on this mailing list... but I have not been able to figure out what the problem is.

Quick review of my setup. I have implemented the example located here: https://www.strongswan.org/uml/testresults/ikev2/net2net-psk/ using two Gateworks 5300s running OpenWRT Chaos Calmer (14.08). They have strongSwan U5.2.0/K3.14.16. Here is how my interfaces are configured: http://paste.ubuntu.com/14769187/

With the previous fix the net-net connection comes up and the tunnel is established, as can be seen in the output of 'ipsec statusall': http://paste.ubuntu.com/14768915/

Alice (10.1.0.10) can ping Moon (10.1.0.1) & Sun (10.2.0.1) but not Bob (10.2.0.10)
Bob (10.2.0.10) can ping Sun (10.2.0.1) & Moon (10.1.0.1) but not Alice (10.1.0.10)

Since Alice (10.1.0.10) can ping Sun (10.2.0.1) but not Bob (10.2.0.10), I am assuming what is happening is that the eth1 interface on Sun (10.2.0.1) is not forwarding the packets from Alice (10.1.0.10) on to Bob (10.2.0.10). After googling the issue a bit, I added the following lines to /etc/firewall.user: http://paste.ubuntu.com/14769548/

But this does not fix the problem. Alice cannot ping Bob. :-\ The following is the output of 'iptables -L': http://paste.ubuntu.com/14769773/ So, I believe that means the firewall settings are working. After a bit more searching I added the following lines to my firewall.user:

Moon
--------
iptables -I FORWARD -i eth0 -s 10.2.0.0/16 -d 10.1.0.0/16 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -m policy --dir out --pol ipsec -j ACCEPT

Sun
-----
iptables -I FORWARD -i eth0 -s 10.1.0.0/16 -d 10.2.0.0/16 -m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD -s 10.2.0.0/16 -d 10.1.0.0/16 -m policy --dir out --pol ipsec -j ACCEPT

But this also did not fix the problem, and Alice and Bob still cannot ping each other.

When I type 'ip route list table 220' on Moon, the output I get is "10.2.0.0/16 via 192.168.0.2 dev eth0  proto static  src 10.1.0.1", which I believe means it should route all traffic bound for 10.2.x.x through the tunnel. I believe that is happening, since Alice (10.1.0.10) can ping eth1 on Sun (10.2.0.1).

I am at a loss as to why this isn't working, so I am hoping someone on this mailing list will be able to spot what I have misconfigured or what I am missing. Any help will be much appreciated!

~Josiah S. Yeagley
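A checker for the forwarding rules quoted in this post, added here as an example; it is not part of the original message and not strongSwan's or OpenWrt's own tooling. It reads an `iptables-save` dump plus the `net.ipv4.ip_forward` value and reports whether each gateway has the IPsec-restricted FORWARD rule for both directions (the `-m policy --pol ipsec` pairs above), and warns when the chain's default policy would forward plaintext between the subnets anyway. The two dumps are constructed for the example (one with only the "in" rule, one with both); the subnet numbers are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: audit an `iptables-save` dump of a
# strongSwan net-to-net gateway for the two policy-match FORWARD rules the
# tunnel needs, plus the kernel forwarding switch. Subnets follow the post
# (10.1.0.0/16 behind moon, 10.2.0.0/16 behind sun); both dumps below are
# constructed for this example, not captured from the poster's routers.

# Constructed dump: the "in" rule is present, the "out" rule is missing, and the
# FORWARD policy is DROP, so traffic originating on the local subnet never
# reaches the tunnel (replies to inbound flows still pass via conntrack).
DUMP_BROKEN=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.2.0.0/16 -d 10.1.0.0/16 -i eth0 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
)

# Constructed dump: both directions covered, as in the rules quoted in the post.
DUMP_FIXED=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -s 10.2.0.0/16 -d 10.1.0.0/16 -i eth0 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
)

# Exit 0 when the dump holds a FORWARD ACCEPT rule for src -> dst that is
# restricted to IPsec by the policy match in the given direction (in|out).
# Fixed-string greps with a trailing space keep "10.1.0.0/16" from matching a
# longer prefix such as "10.1.0.0/160".
has_ipsec_forward_rule() {
    printf '%s\n' "$1" \
        | grep -F -- '-A FORWARD ' \
        | grep -F -- "-s $2 " \
        | grep -F -- "-d $3 " \
        | grep -F -- "--dir $4 " \
        | grep -F -- '--pol ipsec ' \
        | grep -F -- '-j ACCEPT' >/dev/null
}

# Print the default policy of the FORWARD chain (ACCEPT or DROP).
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# audit_gateway DUMP LOCAL_NET REMOTE_NET IP_FORWARD
# Prints one line per check; the exit status is the number of failed checks.
audit_gateway() {
    dump=$1; local_net=$2; remote_net=$3; ip_forward=$4; problems=0

    if [ "$ip_forward" = 1 ]; then
        echo "OK      net.ipv4.ip_forward=1"
    else
        echo "FAIL    net.ipv4.ip_forward=$ip_forward (gateway will not forward at all)"
        problems=$((problems + 1))
    fi

    if has_ipsec_forward_rule "$dump" "$remote_net" "$local_net" in; then
        echo "OK      inbound  $remote_net -> $local_net accepted only after IPsec decapsulation"
    else
        echo "FAIL    inbound  rule missing: -A FORWARD -s $remote_net -d $local_net -m policy --dir in --pol ipsec -j ACCEPT"
        problems=$((problems + 1))
    fi

    if has_ipsec_forward_rule "$dump" "$local_net" "$remote_net" out; then
        echo "OK      outbound $local_net -> $remote_net accepted only when it will be IPsec-encapsulated"
    else
        echo "FAIL    outbound rule missing: -A FORWARD -s $local_net -d $remote_net -m policy --dir out --pol ipsec -j ACCEPT"
        problems=$((problems + 1))
    fi

    # Not counted as a failure, but with an ACCEPT policy the two rules above
    # restrict nothing: plaintext between the subnets is forwarded as well.
    if [ "$(forward_policy "$dump")" = ACCEPT ]; then
        echo "WARN    FORWARD policy is ACCEPT: plaintext between the subnets is forwarded too, tunnel or not"
    fi

    return $problems
}

# Demo on the constructed dumps, from moon's point of view.
# On a live gateway the same audit runs against real state:
#   audit_gateway "$(iptables-save)" 10.1.0.0/16 10.2.0.0/16 "$(cat /proc/sys/net/ipv4/ip_forward)"
echo "== constructed broken dump =="
audit_gateway "$DUMP_BROKEN" 10.1.0.0/16 10.2.0.0/16 1 || printf '   -> %s check(s) failed\n' "$?"
echo "== constructed fixed dump =="
audit_gateway "$DUMP_FIXED" 10.1.0.0/16 10.2.0.0/16 1 || printf '   -> %s check(s) failed\n' "$?"
```

Run it on sun with the subnet arguments swapped (`10.2.0.0/16 10.1.0.0/16`). The policy match is what makes these ACCEPT rules safe: they only pass packets that were decapsulated from, or will be encapsulated into, an IPsec SA, which is why a FORWARD policy of DROP (or an explicit drop after them) matters as much as the rules themselves.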

