[strongSwan] Host to Subnet tunnel established but no ping.

Muhammad Yousuf Khan sirtcp at gmail.com
Wed Apr 5 08:59:39 CEST 2017


Hi,

I have configured a subnet-to-subnet tunnel successfully from AWS to Google
Cloud with strongSwan. However, there is a problem when I am creating a
tunnel from host to subnet. PLEASE NOTE that this is a test environment for
production, because one of our clients does not allow us to use a private IP
as encryption domain, so I am creating a test scenario so that later I can just
change the settings and connect to the remote client.

Here is a diagram of the connection:


10.2.0.2/32 ------ NAT (public IP X.X.X.X) ------------------ (public IP Y.Y.Y.Y) NAT ---------- 172.31.15.251/20

In this case public IP X.X.X.X has to create a tunnel with the 172.31.15.251/32
subnet, where strongSwan is running on 10.2.0.2/32 and on the other end it is
running on 172.31.15.251.

However, my requirement is to create a tunnel between X.X.X.X and
172.31.15.251, because the other side does not allow a private IP as
encryption domain. Thus I have been working on this setup for quite some time;
the tunnel is created, though communication is not established.

Here is the 10.2.0.2/32 /etc/ipsec.conf:
conn vpn1
 type=tunnel
 authby=secret
 forceencaps=yes
 auto=start
 left=10.240.0.2
 leftsourceip=10.240.0.2
 leftid=X.X.X.X
 leftsubnet=X.X.X.X
 #leftfirewall=yes
 leftauth=psk
 right=Y.Y.Y.Y
 rightid=Y.Y.Y.Y
 rightsubnet=172.31.0.0/20
 rightauth=psk
 ikelifetime=86400s
 keylife=28800s
 ike=aes256-sha1-modp1024
 esp=aes256-sha1-modp1024
 aggressive = no
 lifebytes=4608000
 #mobike=no
 keyexchange = ikev1


Here is the 172.31.15.251/32 /etc/ipsec.conf:


conn vpn1
 type=tunnel
 authby=secret
 forceencaps=yes
 auto=start
 left=172.31.15.251
 leftsourceip=172.31.15.251
 leftid=Y.Y.Y.Y
 leftsubnet=172.31.0.0/20
 #leftfirewall=yes
 leftauth=psk
 right=X.X.X.X
 rightid=X.X.X.X
 rightsubnet=X.X.X.X
 rightauth=psk
 ikelifetime=86400s
 keylife=28800s
 ike=aes256-sha1-modp1024
 esp=aes256-sha1-modp1024
 aggressive = no
 lifebytes=4608000
 #mobike=no
 keyexchange = ikev1


Here you can see the tunnel is established and packets are being sent in one
direction; however, we do not receive packets from the other direction.

Connections:
        vpn1:  172.31.15.251...X.X.X.X  IKEv1
        vpn1:   local:  [Y.Y.Y.Y] uses pre-shared key authentication
        vpn1:   remote: [X.X.X.X] uses pre-shared key authentication
        vpn1:   child:  172.31.0.0/20 === X.X.X.X/32 TUNNEL
Security Associations (1 up, 0 connecting):
        vpn1[1]: ESTABLISHED 90 seconds ago, 172.31.15.251[54.236.61.172]...X.X.X.X[X.X.X.X]
        vpn1[1]: IKEv1 SPIs: 6c3c7a44c29e0b5d_i* c6112aad11e12705_r, pre-shared key reauthentication in 23 hours
        vpn1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        vpn1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cfeeb215_i cc4ac0ab_o
        vpn1{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o (0 pkts, 11s ago), rekeying in 7 hours
        vpn1{1}:   172.31.0.0/20 === X.X.X.X
        vpn1{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce6f78f9_i c78b826e_o
        vpn1{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 3780 bytes_o (45 pkts, 11s ago), rekeying in 7 hours
        vpn1{2}:   172.31.0.0/20 === X.X.X.X



Thanks,
Yousuf
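Added example, not part of the post above and not strongSwan's own code: a small model of how the kernel's IPsec policy (the `===` traffic selectors strongSwan prints for a CHILD_SA) decides whether a packet is encapsulated or delivered. It reproduces the symptom in the status output, where the 172.31.15.251 side sends 3780 bytes out and gets 0 bytes back: on the 10.2.0.2 host the local selector is the public address, so a reply sourced from 10.2.0.2 never matches the outbound policy, and the far end's decapsulated ping is addressed to an IP the host does not own. Assumptions: `203.0.113.10` (TEST-NET-3) stands in for the redacted X.X.X.X; the CHILD_SA status line for the 10.2.0.2 side is constructed in the shape the post shows for the other side; and the modelled remedy (SNAT traffic for 172.31.0.0/20 to the public address and assign that address to the host) is one common approach, not something the post states.

```python
# Added example (not from the post or strongSwan): models the outbound and
# inbound IPsec policy checks for a host whose leftsubnet is a public /32 it
# does not own, and what changes once the address is owned and SNAT applied.
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"    # stand-in for the post's redacted X.X.X.X (assumption)
HOST_IP = "10.2.0.2"          # the strongSwan host behind NAT, from the post
REMOTE_NET = "172.31.0.0/20"  # rightsubnet on the 10.2.0.2 side, from the post
PEER_HOST = "172.31.15.251"   # the far-end strongSwan host, from the post

# Constructed: the CHILD_SA line as `ipsec statusall` would print it on the
# 10.2.0.2 host (the post only shows the 172.31.15.251 side's output).
STATUS_LINE = f"        vpn1{{1}}:   {PUBLIC_IP}/32 === {REMOTE_NET}"


@dataclass(frozen=True)
class Policy:
    local_ts: ipaddress.IPv4Network   # left/local traffic selector
    remote_ts: ipaddress.IPv4Network  # right/remote traffic selector


def parse_child_ts(status_line: str) -> Policy:
    """Parse '<local TS> === <remote TS>' from a CHILD_SA status line.
    A bare address (as strongSwan prints for X.X.X.X) is a /32."""
    _, _, selectors = status_line.partition(":")
    local, sep, remote = selectors.partition("===")
    if not sep:
        raise ValueError(f"no traffic selectors in {status_line!r}")
    return Policy(ipaddress.ip_network(local.strip(), strict=False),
                  ipaddress.ip_network(remote.strip(), strict=False))


def outbound_selected(policy: Policy, src: str, dst: str) -> bool:
    """Outbound policy lookup: the packet is encapsulated only if its source
    lies in the local selector and its destination in the remote selector."""
    return (ipaddress.ip_address(src) in policy.local_ts
            and ipaddress.ip_address(dst) in policy.remote_ts)


def inbound_deliverable(policy: Policy, src: str, dst: str, local_addrs) -> bool:
    """After ESP decapsulation the inner packet must match the inbound policy
    AND be addressed to an IP this host owns, or it is not delivered locally."""
    owned = {ipaddress.ip_address(a) for a in local_addrs}
    return (ipaddress.ip_address(src) in policy.remote_ts
            and ipaddress.ip_address(dst) in policy.local_ts
            and ipaddress.ip_address(dst) in owned)


def apply_snat(src: str, dst: str, rules) -> str:
    """Minimal model of a POSTROUTING SNAT table:
    rules = [(destination network, new source address)], first match wins."""
    for net, new_src in rules:
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net, strict=False):
            return new_src
    return src


def diagnose() -> dict:
    """Run the four checks for the post's scenario; returns check -> bool."""
    policy = parse_child_ts(STATUS_LINE)
    # Assumed remedy, not from the post: SNAT traffic bound for the remote
    # subnet to the public address, and also assign that address to the host.
    snat_rules = [(REMOTE_NET, PUBLIC_IP)]
    return {
        # A reply from 10.2.0.2 to 172.31.15.251 exactly as the host sends it.
        "reply_as_is": outbound_selected(policy, HOST_IP, PEER_HOST),
        # The same packet after SNAT to the public address.
        "reply_after_snat": outbound_selected(
            policy, apply_snat(HOST_IP, PEER_HOST, snat_rules), PEER_HOST),
        # The far end's ping, decapsulated, with only the private IP configured.
        "inbound_as_is": inbound_deliverable(policy, PEER_HOST, PUBLIC_IP, [HOST_IP]),
        # Same, once the public address is also assigned to the host.
        "inbound_with_alias": inbound_deliverable(
            policy, PEER_HOST, PUBLIC_IP, [HOST_IP, PUBLIC_IP]),
    }


if __name__ == "__main__":
    for check, ok in diagnose().items():
        print(f"{check:20s} {'matches policy' if ok else 'bypasses tunnel / not delivered'}")
```

On a real host the same two checks are `ip xfrm policy` (to see the installed selectors) and `ip addr` (to see whether the public address is owned); the modelled remedy corresponds to `ip addr add X.X.X.X/32 dev lo` plus `iptables -t nat -A POSTROUTING -d 172.31.0.0/20 -j SNAT --to-source X.X.X.X`, applied on the 10.2.0.2 host only, which is an assumption about this deployment rather than anything the post confirms.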

