[strongSwan] Strongswan failed to forward decrypted packet to socket
Quaker
bigboyq at gmail.com
Tue Dec 19 08:57:02 CET 2017
I am using strongSwan 5.6.1 on my OpenVZ servers.
strongSwan 5.6.1 is compiled by myself, with kernel-libipsec enabled by:

  ./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 \
    --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc \
    --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
    --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock \
    --enable-unity --enable-certexpire --enable-radattr --enable-tools \
    --enable-openssl --disable-gmp --enable-kernel-libipsec
The strongswan.conf configuration is modified as:

  charon {
      load_modular = yes
      plugins {
          include strongswan.d/charon/*.conf
          kernel-netlink {
              fwmark = !0x4
          }
          socket-default {
              fwmark = 0x4
          }
          kernel-libipsec {
              allow_peer_ts = yes
          }
      }
  }
I have created an IPsec tunnel successfully between my OpenVZ servers alpha and
beta:
But the socket connection fails.
By investigating the problem, I tried tcpdump and found that:

If I ping from alpha to beta, tcpdump could find
  esp from alpha->beta
  esp from beta->alpha
but the ping times out.

If I ping from beta to alpha, tcpdump could find
  esp from beta->alpha
and the ping times out.

If using TCP, the result is similar:

  alpha->beta
    alpha SYN_SENT
    beta  SYN_RECV
  beta->alpha
    beta  SYN_SENT
    alpha NULL
I guess there should be some problem during ESP to socket.
Could anyone tell me how to detect the problem, or what further information
I should give?
alpha and beta belong to different OpenVZ suppliers; I don't know the problem.
I have reinstalled alpha several times, but it doesn't work.
beta:  Linux beta 2.6.32-042stab125.5 #1 SMP Tue Oct 17 12:48:22 MSK 2017
       x86_64 GNU/Linux
alpha: Linux alpha 2.6.32-042stab123.3 #1 SMP Fri May 5 12:29:05 MSK 2017
       x86_64 GNU/Linux
Regards
Quaker
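The script below is an added diagnostic example from the editor; it is not code from the original post or from the strongSwan project. It checks the prerequisites kernel-libipsec needs before it can hand decrypted packets to the kernel: a usable TUN device, the ipsec0 interface that the plugin creates, the rule that keeps packets carrying the socket-default mark (0x4 in the configuration above) out of routing table 220, and a route through ipsec0 in that table. It assumes strongSwan's default table 220 and the default interface name ipsec0; the sample command output is constructed, not captured from the poster's hosts.

```shell
#!/bin/sh
# Added diagnostic helper for kernel-libipsec setups (editor's example, not
# strongSwan code). Each check takes the text of the relevant command output
# as an argument, so it can be exercised offline with constructed samples.

# tun_available: succeeds if /dev/net/tun exists as a character device.
# OpenVZ containers often lack it unless the provider enables TUN/TAP, and
# kernel-libipsec cannot create ipsec0 without it.
tun_available() {
    [ -c /dev/net/tun ]
}

# has_ipsec0_link LINKS: succeeds if "ip link show" output lists ipsec0.
has_ipsec0_link() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+: ipsec0[:@]'
}

# has_fwmark_rule RULES MARK: succeeds if "ip rule" output contains the
# inverted rule kernel-netlink installs for "fwmark = !MARK", which keeps
# the IKE/ESP socket traffic (marked MARK) away from table 220.
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Fq "not from all fwmark $2 lookup 220"
}

# has_ipsec0_route ROUTES: succeeds if "ip route show table 220" output
# contains a route through the ipsec0 interface.
has_ipsec0_route() {
    printf '%s\n' "$1" | grep -Eq ' dev ipsec0( |$)'
}

# libipsec_status LINKS RULES ROUTES MARK: prints one line per check and
# returns the number of failed checks (0 means every prerequisite is present).
libipsec_status() {
    links=$1; rules=$2; routes=$3; mark=$4; failed=0
    if has_ipsec0_link "$links"; then
        echo "ok   ipsec0 interface present"
    else
        echo "FAIL ipsec0 interface missing (TUN device not created?)"
        failed=$((failed + 1))
    fi
    if has_fwmark_rule "$rules" "$mark"; then
        echo "ok   packets marked $mark are excluded from table 220"
    else
        echo "FAIL no 'not from all fwmark $mark lookup 220' rule installed"
        failed=$((failed + 1))
    fi
    if has_ipsec0_route "$routes"; then
        echo "ok   table 220 routes tunnel traffic via ipsec0"
    else
        echo "FAIL no route via ipsec0 in table 220"
        failed=$((failed + 1))
    fi
    return $failed
}

# Constructed sample output (assumed shapes of "ip link", "ip rule" and
# "ip route show table 220" on a working host); used when not running live.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
3: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN qlen 500'
SAMPLE_RULES='0:	from all lookup local
220:	not from all fwmark 0x4 lookup 220
32766:	from all lookup main
32767:	from all lookup default'
SAMPLE_ROUTES='10.2.0.0/24 dev ipsec0 proto static src 10.1.0.1'

if [ "${LIBIPSEC_CHECK_LIVE:-0}" = 1 ]; then
    # Live mode: inspect this host.
    if tun_available; then echo "ok   /dev/net/tun present"; else echo "FAIL /dev/net/tun missing"; fi
    libipsec_status "$(ip link show 2>/dev/null)" "$(ip rule 2>/dev/null)" \
                    "$(ip route show table 220 2>/dev/null)" 0x4
else
    # Offline mode: run the checks against the constructed samples.
    libipsec_status "$SAMPLE_LINKS" "$SAMPLE_RULES" "$SAMPLE_ROUTES" 0x4
fi
```

Run it with LIBIPSEC_CHECK_LIVE=1 on each OpenVZ container while the tunnel is up; a missing /dev/net/tun or ipsec0 means charon has nowhere to write the decrypted packets, and a missing fwmark rule means the ESP-in-UDP packets themselves may be routed into table 220 and looped back into the tunnel, both of which would explain ESP being visible on the wire while the ping never answers.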