[strongSwan] [reposted] Fw: strongswan behind nat. vpn connected but packets not encrypted -
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Jun 23 14:39:54 CEST 2017
As I previously wrote, provide the output of `iptables-save` and run `tcpdump -n host 203.B.127.14`.
The output of `iptables -L` is pretty much useless, because it doesn't show all the tables, and
what you pasted from tcpdump is useless, too, because it doesn't show any IPs.
On 22.06.2017 18:09, Qqblog Qqblog wrote:
> [reposted due to poor formatting]
>
> I am a newbie to VPN. VPN connected but packets not encrypted.
>
> Please kindly advise.
>
> 10.A.0.4 (A server, strongswan) -> google firewall 35.A.167.172 -> 203.B.127.136 huawei vpn -> 203.B.127.14 (public IP) B server
>
> [A server]: can ping huawei vpn but not via tunnel. cannot ping B server
> [B server]: can ping google firewall via tunnel
>
> strongswan statusall
>
> Status of IKE charon daemon (strongSwan 5.4.0, Linux 2.6.32-696.3.2.el6.x86_64, x86_64):
>   uptime: 3 hours, since Jun 22 10:32:40 2017
>   malloc: sbrk 532480, mmap 0, used 395760, free 136720
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
>   loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pgp dnskey sshkey pem gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
> Listening IP addresses:
>   10.A.0.4
> Connections:
>         chhk:  %any...203.B.127.136  IKEv1/2
>         chhk:   local:  [10.A.0.4] uses pre-shared key authentication
>         chhk:   remote: [203.B.127.136] uses pre-shared key authentication
>         chhk:   child:  0.0.0.0/0 === 203.B.127.14/32 TUNNEL
> Security Associations (1 up, 0 connecting):
>         chhk[5]: ESTABLISHED 45 minutes ago, 10.A.0.4[10.A.0.4]...203.B.127.136[203.B.127.136]
>         chhk[5]: IKEv1 SPIs: 93aaf2969c35614d_i 0d81525fcb1364fd_r*, pre-shared key reauthentication in 7 hours
>         chhk[5]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
>         chhk{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c519724e_i ccffe26a_o
>         chhk{5}:  3DES_CBC/HMAC_MD5_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 17 minutes
>         chhk{5}:   35.A.167.172/32 === 203.B.127.14/32
> -------------------------------
>
> ipsec.conf
>
> config setup
>     charondebug="ike 2, knl 1, cfg 2"
>
> conn %default
>     type=tunnel
>     ike=3des-md5-modp1024
>     ikelifetime=28800s
>     esp=3des-md5-modp1024
>     keylife=3600s
>     keyexchange=ike
>     authby=secret
>
> conn chhk
>     left=%any
>     leftsubnet=0.0.0.0/0
>     right=203.B.127.136
>     rightsubnet=0.0.0.0/0
>     auto=add
>
> ------------------------------------
>
> ip xfrm policy
>
> src 203.B.127.14/32 dst 35.A.167.172/32
>         dir fwd priority 2819 ptype main
>         tmpl src 203.B.127.136 dst 10.A.0.4
>                 proto esp reqid 1 mode tunnel
> src 203.B.127.14/32 dst 35.A.167.172/32
>         dir in priority 2819 ptype main
>         tmpl src 203.B.127.136 dst 10.A.0.4
>                 proto esp reqid 1 mode tunnel
> src 35.A.167.172/32 dst 203.B.127.14/32
>         dir out priority 2819 ptype main
>         tmpl src 10.A.0.4 dst 203.B.127.136
>                 proto esp reqid 1 mode tunnel
> -------------------------------------------------
>
> ip route list table all
>
> 10.140.0.1 dev eth0 scope link
> 169.254.0.0/16 dev eth0 scope link metric 1002
> default via 10.140.0.1 dev eth0 proto static
> local 10.A.0.4 dev eth0 table local proto kernel scope host src 10.A.0.4
> broadcast 10.A.0.4 dev eth0 table local proto kernel scope link src 10.A.0.4
> broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
>
> ------------------------------------------------
> ------------------
>
> # iptables -L
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> =======================================================
>
> [server A]
>
> ping 203.B.127.136
>
> 14:10:11.675222 IP centos-6-2.c.centos-169715.internal > 203.B.127.136: ICMP echo request, id 62844, seq 7, length 64
> 14:10:11.691214 IP 203.B.127.136 > centos-6-2.c.centos-169715.internal: ICMP echo reply, id 62844, seq 7, length 64
> 14:10:11.733312 IP centos-6-2.c.centos-169715.internal.ipsec-nat-t > 203.B.127.136.ipsec-nat-t: isakmp-nat-keep-alive
>
> [server A]
>
> ping 203.B.127.14
>
> tcpdump host 203.B.127.14
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 14:11:44.079172 IP centos-6-2.c.centos-169715.internal > 203.B.127.14: ICMP echo request, id 63356, seq 39, length 64
> 14:11:45.079175 IP centos-6-2.c.centos-169715.internal > 203.B.127.14: ICMP echo request, id 63356, seq 40, length 64
>
>
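The quoted `ip xfrm policy` listing already answers the question of why the ping leaves in the clear, if it is read the way the kernel reads it: a locally generated packet is only handed to ESP when some `dir out` policy's selector matches the packet's own source and destination address. The script below is an added example for this thread, not strongSwan code or anything from the original poster. It parses text in the real `ip xfrm policy` output format and reports, for a given flow, which policy (if any) would encrypt it. The addresses are constructed stand-ins (RFC 1918 and RFC 5737 ranges) for the anonymised `10.A.0.4`, `35.A.167.172`, `203.B.127.136` and `203.B.127.14` in the post; the policy layout is copied from the listing above.

```python
"""Decide which flows an IPsec host will actually encrypt, from `ip xfrm policy`.

Added example for this thread (not strongSwan code). Addresses are constructed:
10.0.0.4 stands in for server A's own address, 198.51.100.172 for the NAT
(Google firewall) public address, 203.0.113.136 for the Huawei VPN peer and
203.0.113.14 for server B.
"""
import ipaddress
import re

# Constructed sample in the shape of the `ip xfrm policy` output quoted above.
XFRM_POLICY_OUTPUT = """\
src 203.0.113.14/32 dst 198.51.100.172/32
        dir fwd priority 2819 ptype main
        tmpl src 203.0.113.136 dst 10.0.0.4
                proto esp reqid 1 mode tunnel
src 203.0.113.14/32 dst 198.51.100.172/32
        dir in priority 2819 ptype main
        tmpl src 203.0.113.136 dst 10.0.0.4
                proto esp reqid 1 mode tunnel
src 198.51.100.172/32 dst 203.0.113.14/32
        dir out priority 2819 ptype main
        tmpl src 10.0.0.4 dst 203.0.113.136
                proto esp reqid 1 mode tunnel
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^dir (\S+) priority (\d+)")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)")
PROTO_RE = re.compile(r"^proto (\S+) reqid (\d+) mode (\S+)")


def parse_xfrm_policy(text):
    """Return a list of dicts: selector (src/dst networks), dir, priority, tmpl, mode."""
    policies = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SELECTOR_RE.match(line)
        if m:  # a new policy starts with its traffic selector
            cur = {
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "dir": None, "priority": None, "tmpl": None, "mode": None,
            }
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = TMPL_RE.match(line)
        if m:  # outer tunnel endpoints the packet will be wrapped between
            cur["tmpl"] = (m.group(1), m.group(2))
            continue
        m = PROTO_RE.match(line)
        if m:
            cur["mode"] = m.group(3)
    return policies


def matching_policy(policies, src, dst, direction="out"):
    """Best (lowest priority value) policy whose selector covers src -> dst, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and s in p["src"] and d in p["dst"]]
    return min(hits, key=lambda p: p["priority"], default=None)


def local_source_covered(policies, local_ip):
    """True if any `dir out` selector can ever match packets the host itself sends."""
    ip = ipaddress.ip_address(local_ip)
    return any(p["dir"] == "out" and ip in p["src"] for p in policies)


def verdict(policies, src, dst):
    """Human-readable outcome for a locally generated packet src -> dst."""
    p = matching_policy(policies, src, dst)
    if p is None:
        return f"{src} -> {dst}: CLEARTEXT (no 'dir out' xfrm policy matches)"
    tsrc, tdst = p["tmpl"]
    return f"{src} -> {dst}: ESP {p['mode']} via {tsrc} -> {tdst}"


if __name__ == "__main__":
    pols = parse_xfrm_policy(XFRM_POLICY_OUTPUT)
    # The ping from the post: server A's own address towards server B.
    print(verdict(pols, "10.0.0.4", "203.0.113.14"))
    # The only source address the negotiated selector would encrypt for.
    print(verdict(pols, "198.51.100.172", "203.0.113.14"))
    print("local address covered by an out policy:",
          local_source_covered(pols, "10.0.0.4"))
```

Run against the listing from the thread, the first flow comes back as cleartext and the second as ESP tunnel, and `local_source_covered` is false for the host's own address. That is the situation the second tcpdump shows: the peer narrowed `leftsubnet=0.0.0.0/0` down to `35.A.167.172/32` (the NAT address, see the child SA line in `statusall`), so the only `dir out` policy has `src 35.A.167.172/32`, while packets generated on server A carry source `10.A.0.4`, match nothing, and go out eth0 unprotected. Until the out selector covers the address the host actually sends from (or local traffic is source-NATed to the negotiated address before the xfrm lookup, which is the usual workaround for a host behind one-to-one NAT), the tunnel is up but carries nothing, exactly as the `0 bytes_o` counter indicates.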