[strongSwan] Host to Subnet tunnel established but no ping.
Muhammad Yousuf Khan
sirtcp at gmail.com
Wed Apr 5 08:59:39 CEST 2017
Hi,

I have configured a subnet-to-subnet tunnel successfully from AWS to Google
Cloud with strongSwan. However, there is a problem when I am creating a
tunnel from host to subnet. PLEASE NOTE that this is a test environment for
production, because one of our clients does not allow us to use a private IP
as the encryption domain, so I am creating a test scenario so that later I can
just change the settings and connect to the remote client.

Here is a diagram of the connection:
10.2.0.2/32 ------ NAT (public IP X.X.X.X) ------------------ Y.Y.Y.Y (public IP, NAT) ---------- 172.31.15.251/20
In this case public IP X.X.X.X has to create a tunnel with the 172.31.15.251/32
subnet, where strongSwan is running on 10.2.0.2/32 and on the other end it is
running on 172.31.15.251.

However, my requirement is to create a tunnel b/w X.X.X.X -------------- 172.31.15.251;
it is because the other side does not allow a private IP as the encryption
domain. Thus I have been working on this setup for quite some time; even though
the tunnel is created, communication is not established.

Here is the 10.2.0.2/32 /etc/ipsec.conf:
conn vpn1
    type=tunnel
    authby=secret
    forceencaps=yes
    auto=start
    left=10.240.0.2
    leftsourceip=10.240.0.2
    leftid=X.X.X.X
    leftsubnet=X.X.X.X
    #leftfirewall=yes
    leftauth=psk
    right=Y.Y.Y.Y
    rightid=Y.Y.Y.Y
    rightsubnet=172.31.0.0/20
    rightauth=psk
    ikelifetime=86400s
    keylife=28800s
    ike=aes256-sha1-modp1024
    esp=aes256-sha1-modp1024
    aggressive = no
    lifebytes=4608000
    #mobike=no
    keyexchange = ikev1
Here is the 172.31.15.251/32 /etc/ipsec.conf:

conn vpn1
    type=tunnel
    authby=secret
    forceencaps=yes
    auto=start
    left=172.31.15.251
    leftsourceip=172.31.15.251
    leftid=Y.Y.Y.Y
    leftsubnet=172.31.0.0/20
    #leftfirewall=yes
    leftauth=psk
    right=X.X.X.X
    rightid=X.X.X.X
    rightsubnet=X.X.X.X
    rightauth=psk
    ikelifetime=86400s
    keylife=28800s
    ike=aes256-sha1-modp1024
    esp=aes256-sha1-modp1024
    aggressive = no
    lifebytes=4608000
    #mobike=no
    keyexchange = ikev1
Here you can see the tunnel is established and packets are being sent in one
direction; however, we do not receive packets from the other direction.

Connections:
        vpn1:  172.31.15.251...X.X.X.X  IKEv1
        vpn1:   local:  [Y.Y.Y.Y] uses pre-shared key authentication
        vpn1:   remote: [X.X.X.X] uses pre-shared key authentication
        vpn1:   child:  172.31.0.0/20 === X.X.X.X/32 TUNNEL
Security Associations (1 up, 0 connecting):
        vpn1[1]: ESTABLISHED 90 seconds ago, 172.31.15.251[54.236.61.172]...X.X.X.X[X.X.X.X]
        vpn1[1]: IKEv1 SPIs: 6c3c7a44c29e0b5d_i* c6112aad11e12705_r, pre-shared key reauthentication in 23 hours
        vpn1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        vpn1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cfeeb215_i cc4ac0ab_o
        vpn1{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o (0 pkts, 11s ago), rekeying in 7 hours
        vpn1{1}:   172.31.0.0/20 === X.X.X.X
        vpn1{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce6f78f9_i c78b826e_o
        vpn1{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 3780 bytes_o (45 pkts, 11s ago), rekeying in 7 hours
        vpn1{2}:   172.31.0.0/20 === X.X.X.X
Thanks,
Yousuf
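As an added example (not part of Yousuf's post or of strongSwan's own tooling), a small Python helper that parses the child SA counters from `ipsec statusall` output like the one quoted above, flags child SAs that only carry traffic in one direction, and checks whether a conn's local traffic selector actually covers the local endpoint address. The status text is constructed from the post, with 203.0.113.10 standing in for the X.X.X.X placeholder.

```python
import re
import ipaddress

# Constructed sample: the child SA lines from the post above, line wraps joined,
# with the documentation address 203.0.113.10 in place of X.X.X.X.
STATUS = """\
vpn1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cfeeb215_i cc4ac0ab_o
vpn1{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o (0 pkts, 11s ago), rekeying in 7 hours
vpn1{1}:   172.31.0.0/20 === 203.0.113.10
vpn1{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce6f78f9_i c78b826e_o
vpn1{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 3780 bytes_o (45 pkts, 11s ago), rekeying in 7 hours
vpn1{2}:   172.31.0.0/20 === 203.0.113.10
"""

# "name{N}:  ALG, <n> bytes_i, <n> bytes_o (...)"
COUNTER_RE = re.compile(r"^\s*(?P<sa>\S+\{\d+\}):\s+\S+,\s+(?P<bi>\d+) bytes_i.*?(?P<bo>\d+) bytes_o")
# "name{N}:   <local selector> === <remote selector>"
SELECTOR_RE = re.compile(r"^\s*(?P<sa>\S+\{\d+\}):\s+(?P<local>\S+) === (?P<remote>\S+)\s*$")


def parse_child_sas(status_text):
    """Return {child_sa_name: {bytes_i, bytes_o, local_ts, remote_ts}} from statusall text."""
    sas = {}
    for line in status_text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            sas.setdefault(m["sa"], {}).update(bytes_i=int(m["bi"]), bytes_o=int(m["bo"]))
            continue
        m = SELECTOR_RE.match(line)
        if m:
            sas.setdefault(m["sa"], {}).update(local_ts=m["local"], remote_ts=m["remote"])
    return sas


def one_way_child_sas(sas):
    """Child SAs that have sent ESP traffic but received none: the peer either never
    answers or its replies do not match the IPsec policy on that side."""
    return sorted(n for n, sa in sas.items() if sa.get("bytes_o", 0) > 0 and sa.get("bytes_i", 0) == 0)


def selector_covers_local_address(local_ts, local_addr):
    """True when the local traffic selector (leftsubnet) includes the endpoint's own
    address (left). If it does not, packets the host itself originates never match
    the IPsec policy unless they are translated into the selector first."""
    return ipaddress.ip_address(local_addr) in ipaddress.ip_network(local_ts, strict=False)


if __name__ == "__main__":
    sas = parse_child_sas(STATUS)
    print("one-way child SAs:", one_way_child_sas(sas))
    print("left inside leftsubnet (Google side):", selector_covers_local_address("203.0.113.10/32", "10.240.0.2"))
    print("left inside leftsubnet (AWS side):", selector_covers_local_address("172.31.0.0/20", "172.31.15.251"))
```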