[strongSwan] [reposted] Fw: strongswan behind nat. vpn connected but packets not encrypted -
Qqblog Qqblog
qqblog at ymail.com
Thu Jun 22 18:09:21 CEST 2017
[reposted due to poor formatting]
I am a newbie to VPN. The VPN is connected but packets are not encrypted.
Please kindly advise.
10.A.0.4 (A server, strongswan) -> google firewall 35.A.167.172 -> 203.B.127.136 huawei vpn -> 203.B.127.14(public IP) B server
[A server]: can ping the Huawei VPN, but not via the tunnel; cannot ping B server
[B server]: can ping the Google firewall via the tunnel
strongswan statusall
Status of IKE charon daemon (strongSwan 5.4.0, Linux 2.6.32-696.3.2.el6.x86_64, x86_64):
  uptime: 3 hours, since Jun 22 10:32:40 2017
  malloc: sbrk 532480, mmap 0, used 395760, free 136720
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pgp dnskey sshkey pem gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
Listening IP addresses:
  10.A.0.4
Connections:
        chhk:  %any...203.B.127.136  IKEv1/2
        chhk:   local:  [10.A.0.4] uses pre-shared key authentication
        chhk:   remote: [203.B.127.136] uses pre-shared key authentication
        chhk:   child:  0.0.0.0/0 === 203.B.127.14/32 TUNNEL
Security Associations (1 up, 0 connecting):
        chhk[5]: ESTABLISHED 45 minutes ago, 10.A.0.4[10.A.0.4]...203.B.127.136[203.B.127.136]
        chhk[5]: IKEv1 SPIs: 93aaf2969c35614d_i 0d81525fcb1364fd_r*, pre-shared key reauthentication in 7 hours
        chhk[5]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
        chhk{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c519724e_i ccffe26a_o
        chhk{5}:  3DES_CBC/HMAC_MD5_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 17 minutes
        chhk{5}:   35.A.167.172/32 === 203.B.127.14/32
-------------------------------
ipsec.conf
config setup
    charondebug="ike 2, knl 1, cfg 2"

conn %default
    type=tunnel
    ike=3des-md5-modp1024
    ikelifetime=28800s
    esp=3des-md5-modp1024
    keylife=3600s
    keyexchange=ike
    authby=secret

conn chhk
    left=%any
    leftsubnet=0.0.0.0/0
    right=203.B.127.136
    rightsubnet=0.0.0.0/0
    auto=add
------------------------------------
ip xfrm policy
src 203.B.127.14/32 dst 35.A.167.172/32
        dir fwd priority 2819 ptype main
        tmpl src 203.B.127.136 dst 10.A.0.4
                proto esp reqid 1 mode tunnel
src 203.B.127.14/32 dst 35.A.167.172/32
        dir in priority 2819 ptype main
        tmpl src 203.B.127.136 dst 10.A.0.4
                proto esp reqid 1 mode tunnel
src 35.A.167.172/32 dst 203.B.127.14/32
        dir out priority 2819 ptype main
        tmpl src 10.A.0.4 dst 203.B.127.136
                proto esp reqid 1 mode tunnel
-------------------------------------------------
ip route list table all
10.140.0.1 dev eth0 scope link
169.254.0.0/16 dev eth0 scope link metric 1002
default via 10.140.0.1 dev eth0 proto static
local 10.A.0.4 dev eth0 table local proto kernel scope host src 10.A.0.4
broadcast 10.A.0.4 dev eth0 table local proto kernel scope link src 10.A.0.4
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
------------------------------------------------------------------
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
=======================================================
[server A]
ping 203.B.127.136
14:10:11.675222 IP centos-6-2.c.centos-169715.internal > 203.B.127.136: ICMP echo request, id 62844, seq 7, length 64
14:10:11.691214 IP 203.B.127.136 > centos-6-2.c.centos-169715.internal: ICMP echo reply, id 62844, seq 7, length 64
14:10:11.733312 IP centos-6-2.c.centos-169715.internal.ipsec-nat-t > 203.B.127.136.ipsec-nat-t: isakmp-nat-keep-alive
[server A]
ping 203.B.127.14
tcpdump host 203.B.127.14
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:11:44.079172 IP centos-6-2.c.centos-169715.internal > 203.B.127.14: ICMP echo request, id 63356, seq 39, length 64
14:11:45.079175 IP centos-6-2.c.centos-169715.internal > 203.B.127.14: ICMP echo request, id 63356, seq 40, length 64
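The tcpdump at the end of the post shows the echo requests to 203.B.127.14 leaving eth0 in the clear with the host's own address as source, while the installed out-direction xfrm policy selects on src 35.A.167.172/32 (the NAT's public address). A quick way to confirm that kind of mismatch is to test the packet's src/dst pair against the kernel policy table. The script below is an added example, not code from the post or from strongSwan: it parses `ip xfrm policy` output (the post's output, with its anonymized octets replaced by the constructed placeholders A=1 and B=2 so the addresses parse) and reports which policy, if any, an outbound packet hits. For the pair seen in the capture no out policy matches, which is why the kernel sends it unprotected.

```python
import ipaddress
import re

# Constructed sample: the `ip xfrm policy` output quoted in the post, with its
# line breaks restored and the anonymized octets replaced (A -> 1, B -> 2) so
# the addresses parse. Placeholder values, not the poster's real addresses.
XFRM_POLICY = """\
src 203.2.127.14/32 dst 35.1.167.172/32
        dir fwd priority 2819 ptype main
        tmpl src 203.2.127.136 dst 10.1.0.4
                proto esp reqid 1 mode tunnel
src 203.2.127.14/32 dst 35.1.167.172/32
        dir in priority 2819 ptype main
        tmpl src 203.2.127.136 dst 10.1.0.4
                proto esp reqid 1 mode tunnel
src 35.1.167.172/32 dst 203.2.127.14/32
        dir out priority 2819 ptype main
        tmpl src 10.1.0.4 dst 203.2.127.136
                proto esp reqid 1 mode tunnel
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)$")
DIR_RE = re.compile(r"^dir (\w+) priority (\d+)")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)")


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output into a list of policy dicts."""
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SELECTOR_RE.match(line)
        if m:
            # A new policy starts with its traffic selector (inner src/dst).
            current = {
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "dir": None,
                "priority": None,
                "tmpl": None,
            }
            policies.append(current)
            continue
        if current is None:
            continue
        m = DIR_RE.match(line)
        if m:
            current["dir"] = m.group(1)
            current["priority"] = int(m.group(2))
            continue
        m = TMPL_RE.match(line)
        if m:
            # The template gives the outer (tunnel) endpoints.
            current["tmpl"] = (m.group(1), m.group(2))
    return policies


def matching_policy(policies, direction, src_ip, dst_ip):
    """Return the policy a packet hits (lowest priority value wins), or None."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for p in policies:
        if p["dir"] != direction or src not in p["src"] or dst not in p["dst"]:
            continue
        if best is None or p["priority"] < best["priority"]:
            best = p
    return best


def explain_outbound(policies, src_ip, dst_ip):
    """Describe what the kernel does with an outbound packet."""
    p = matching_policy(policies, "out", src_ip, dst_ip)
    if p is None:
        return (f"{src_ip} -> {dst_ip}: no 'out' xfrm policy matches; "
                "the packet leaves in the clear")
    outer_src, outer_dst = p["tmpl"]
    return (f"{src_ip} -> {dst_ip}: matches {p['src']} -> {p['dst']}; "
            f"encapsulated in ESP tunnel {outer_src} -> {outer_dst}")


POLICIES = parse_xfrm_policy(XFRM_POLICY)

if __name__ == "__main__":
    # The pair from the post's tcpdump: ICMP from the host's own 10.x address.
    print(explain_outbound(POLICIES, "10.1.0.4", "203.2.127.14"))
    # The pair the installed policy actually covers.
    print(explain_outbound(POLICIES, "35.1.167.172", "203.2.127.14"))
```

The check to take away: the local traffic selector of the CHILD_SA (here 35.A.167.172/32, negotiated down from the leftsubnet=0.0.0.0/0 in ipsec.conf) has to cover the source address the host really sends from (10.A.0.4), otherwise the out policy never matches and nothing is encrypted, exactly the "0 bytes_o" shown in statusall.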