[strongSwan] Don't know where to start

Noel Kuntze noel at familie-kuntze.de
Tue Apr 25 19:14:07 CEST 2017


Hello René,

(I'm answering this from my original email account now.)

On 25.04.2017 19:05, Rene Maurer wrote:
> Routing is as follows:
> 
> # ip route show table 220
> 10.4.30.0/24 via xxx.137.25.195 dev ppp0  proto static src 10.4.48.1
> 
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
> 10.4.48.0       0.0.0.0         255.255.240.0   U     0      0        0 eth0
> 
> And as already said:
>>> # net.ipv4.ip_forward = 1
>>> # iptables -t nat -A POSTROUTING -o ppp0 -j ACCEPT
>>> # iptables -A FORWARD -i eth0 -j ACCEPT
>> Make sure you use the right IKE version.
> Ok. Switch uses "IKEv2 only mode" and I use "keyexchange=ikev2".
> 
>> Check if the packets arrive at the switch.
> My partner (at remote site) can do this tomorrow.
> 
> But when I look at the log on my site together with
> "tcpdump -i ppp0", I have the impression that ikev2_auth
> is sent (once).

This looks good. Check if that packet makes it there. Some IKE implementations
just drop all packets from other peers when authentication fails and report a local
error instead of sending a notification back.

> 
> ----------------------------------------------------------------------
> Apr 25 16:32:28 daemon.info syslog: 05[IKE] establishing CHILD_SA home{1}
> Apr 25 16:32:28 authpriv.info syslog: 05[IKE] establishing CHILD_SA home{1}
> Apr 25 16:32:28 daemon.info syslog: 05[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
> Apr 25 16:32:28 daemon.info syslog: 05[NET] sending packet: from 10.64.33.100[4500] to xxx.137.25.195[4500] (1120 bytes)
> 16:32:32.802620 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> Apr 25 16:32:32 daemon.info syslog: 03[IKE] retransmit 1 of request with message ID 1
> Apr 25 16:32:32 daemon.info syslog: 03[NET] sending packet: from 10.64.33.100[4500] to xxx.137.25.195[4500] (1120 bytes)
> 16:32:33.888422 IP xxx.137.25.195.4500 > 10.64.33.100.4500: NONESP-encap: isakmp: parent_sa inf2
> 16:32:33.898140 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap: isakmp: parent_sa inf2[IR]
> Apr 25 16:32:33 daemon.info syslog: 02[NET] received packet: from xxx.137.25.195[4500] to 10.64.33.100[4500] (80 bytes)
> Apr 25 16:32:33 daemon.info syslog: 02[ENC] parsed INFORMATIONAL request 0 [ ]
> Apr 25 16:32:33 daemon.info syslog: 02[ENC] generating INFORMATIONAL response 0 [ ]
> Apr 25 16:32:33 daemon.info syslog: 02[NET] sending packet: from 10.64.33.100[4500] to xxx.137.25.195[4500] (80 bytes)
> 16:32:38.947424 IP xxx.137.25.195.4500 > 10.64.33.100.4500: NONESP-encap: isakmp: child_sa  inf2
> 16:32:38.964954 IP 10.64.33.100.4500 > xxx.137.25.195.4500: NONESP-encap: isakmp: child_sa  inf2[IR]
> ----------------------------------------------------------------------
> 
> NB: Any idea why I have seen your answer only on the mail-archive website?
> 

My other domain is too new (probably blacklisted for a while until there's enough mail from it and it's a bit older)
and maybe the DKIM settings are too strict. I'll set up DMARC to check and see what reports I get, if any.

Kind regards,
Noel

-- 
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
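The pattern in the thread above (IKE_AUTH request sent and retransmitted, never answered, while the peer keeps sending its own empty INFORMATIONAL requests) can be picked out of a charon log mechanically. The following is an added example, not code from the original post or from strongSwan; the log lines are constructed in the same format as the ones quoted above, with a documentation address standing in for the masked peer IP.

```python
import re
from collections import defaultdict

# Constructed charon log excerpt in the same format as the thread (not the original lines).
SAMPLE_LOG = """\
Apr 25 16:32:28 daemon.info syslog: 05[ENC] generating IKE_AUTH request 1 [ IDi CERT IDr AUTH SA TSi TSr ]
Apr 25 16:32:28 daemon.info syslog: 05[NET] sending packet: from 10.64.33.100[4500] to 203.0.113.195[4500] (1120 bytes)
Apr 25 16:32:32 daemon.info syslog: 03[IKE] retransmit 1 of request with message ID 1
Apr 25 16:32:33 daemon.info syslog: 02[ENC] parsed INFORMATIONAL request 0 [ ]
Apr 25 16:32:33 daemon.info syslog: 02[ENC] generating INFORMATIONAL response 0 [ ]
Apr 25 16:32:39 daemon.info syslog: 03[IKE] retransmit 2 of request with message ID 1
"""

GEN_RE = re.compile(r"generating (\w+) request (\d+)")          # requests we initiate
RESP_RE = re.compile(r"parsed (\w+) response (\d+)")             # answers to our requests
RETRANS_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
PEER_REQ_RE = re.compile(r"parsed INFORMATIONAL request")        # peer's own DPD/keepalive

def analyse(log_text):
    """Map our unanswered IKEv2 requests and note whether the peer is still talking."""
    requests = {}               # our message ID -> exchange type
    answered = set()            # our message IDs that received a response
    retransmits = defaultdict(int)
    peer_alive = False
    for line in log_text.splitlines():
        m = GEN_RE.search(line)
        if m:
            requests[int(m.group(2))] = m.group(1)
            continue
        m = RESP_RE.search(line)
        if m:
            answered.add(int(m.group(2)))
            continue
        m = RETRANS_RE.search(line)
        if m:
            retransmits[int(m.group(2))] = int(m.group(1))
            continue
        if PEER_REQ_RE.search(line):
            peer_alive = True
    unanswered = {mid: {"exchange": ex, "retransmits": retransmits[mid]}
                  for mid, ex in requests.items() if mid not in answered}
    return {"unanswered": unanswered, "peer_alive": peer_alive}

def diagnose(log_text):
    """One-line verdict: is the peer reachable but silently ignoring our IKE_AUTH?"""
    r = analyse(log_text)
    for mid, info in r["unanswered"].items():
        if info["exchange"] == "IKE_AUTH" and r["peer_alive"]:
            return ("IKE_AUTH (msg id %d) unanswered after %d retransmits while the peer still "
                    "sends INFORMATIONAL: peer is reachable, verify the packet arrives there and "
                    "check the peer's local authentication log" % (mid, info["retransmits"]))
    return "no unanswered IKE_AUTH with a live peer found"
```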
