[strongSwan] Host to Subnet tunnel established but no ping.

Noel Kuntze noel at familie-kuntze.de
Wed Apr 5 20:11:25 CEST 2017


On 05.04.2017 08:59, Muhammad Yousuf Khan wrote:
> conn vpn1
> [...]
>  auto=start
>  leftsourceip=10.240.0.2

> conn vpn1
>  auto=start
>  leftsourceip=172.31.15.251

What version of strongSwan is this? With modern strongSwan, that's an invalid combination of settings.
leftsourceip is used to request or assign virtual IPs and this doesn't happen 

Don't use auto=start. Use auto=route.
Using authby=secrets when setting leftauth and rightauth is pointless. Don't set authby when you already set leftauth and/or rightauth.

> Here you can see the tunnel is established and packets are being sent in one direction; however, we do not receive packets from the other direction.

So figure out what's wrong on the other side.

> Security Associations (1 up, 0 connecting):
>         vpn1[1]: ESTABLISHED 90 seconds ago, 172.31.15.251[54.236.61.172]...X.X.X.X[X.X.X.X]
>         vpn1[1]: IKEv1 SPIs: 6c3c7a44c29e0b5d_i* c6112aad11e12705_r, pre-shared key reauthentication in 23 hours
>         vpn1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>         vpn1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cfeeb215_i cc4ac0ab_o
>         vpn1{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o (0 pkts, 11s ago), rekeying in 7 hours
>         vpn1{1}:   172.31.0.0/20 === X.X.X.X
>         vpn1{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce6f78f9_i c78b826e_o
>         vpn1{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 3780 bytes_o (45 pkts, 11s ago), rekeying in 7 hours
>         vpn1{2}:   172.31.0.0/20 === X.X.X.X
> 

There shouldn't be two CHILD_SAs. Did you initiate the tunnel from both sides in parallel?

Provide the information outlined at the wiki[1] in the next email.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
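
Added example, not part of the message above and not strongSwan code: a Python check over CHILD_SA status lines that flags the two symptoms raised in the reply, an SA with outbound but no inbound bytes and more than one CHILD_SA for the same traffic selectors. The function names are hypothetical, and the parsing assumes the line layout of the status output quoted in the message.

```python
import re
from collections import defaultdict

# Status lines copied from the output quoted in the message (quote prefix kept).
SAMPLE = """\
>         vpn1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cfeeb215_i cc4ac0ab_o
>         vpn1{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o (0 pkts, 11s ago), rekeying in 7 hours
>         vpn1{1}:   172.31.0.0/20 === X.X.X.X
>         vpn1{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ce6f78f9_i c78b826e_o
>         vpn1{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 3780 bytes_o (45 pkts, 11s ago), rekeying in 7 hours
>         vpn1{2}:   172.31.0.0/20 === X.X.X.X
"""

# CHILD_SA lines look like "name{id}: ..."; IKE_SA lines use "name[id]:" and are skipped.
CHILD = re.compile(r"^[>\s]*(\S+)\{(\d+)\}:\s+(.*)$")
BYTES = re.compile(r"(\d+) bytes_i.*?(\d+) bytes_o")

def parse_child_sas(text):
    """Return {(conn, id): {"in": bytes_i, "out": bytes_o, "ts": selectors}}."""
    sas = defaultdict(lambda: {"in": 0, "out": 0, "ts": None})
    for line in text.splitlines():
        m = CHILD.match(line)
        if not m:
            continue
        key, rest = (m.group(1), int(m.group(2))), m.group(3)
        b = BYTES.search(rest)
        if b:
            sas[key]["in"], sas[key]["out"] = int(b.group(1)), int(b.group(2))
        elif "===" in rest:
            sas[key]["ts"] = " ".join(rest.split())
    return dict(sas)

def findings(sas):
    """Flag one-way SAs and duplicate CHILD_SAs sharing the same selectors."""
    out, by_ts = [], defaultdict(list)
    for (conn, uid), sa in sorted(sas.items()):
        by_ts[(conn, sa["ts"])].append(uid)
        if sa["out"] > 0 and sa["in"] == 0:
            out.append(("one-way", conn, uid))
    for (conn, _ts), ids in by_ts.items():
        if len(ids) > 1:
            out.append(("duplicate-ts", conn, tuple(ids)))
    return out

if __name__ == "__main__":
    print(findings(parse_child_sas(SAMPLE)))
```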

