[strongSwan] Cannot ping machines on remote local network
Ric S
burj-al-arab at gmx.de
Tue Sep 5 00:53:20 CEST 2017
Hi folks,

I have been ripping my hair out over this issue.

I'm running strongSwan 5.5.3 on a router. The router's LAN subnet is 192.168.0.1/24.

I can successfully connect to it from an iPad with IKEv2 and surf the internet, but I cannot reach any internal machines.

My config is the following:
ipsec.conf:

    config setup
        charondebug="net 2, knl 2, cfg 2"

    conn ikev2
        keyexchange=ikev2
        ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes1
        esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128
        dpdaction=clear
        dpddelay=60s
        left=%defaultroute
        leftfirewall=yes
        lefthostaccess=yes
        leftid=myname.ddns.net
        leftsubnet=192.168.0.0/24
        leftcert=host-vpn.der
        leftsendcert=always
        right=%any
        rightauth=eap-tls
        rightsourceip=%dhcp
        eap_identity=%any
        type=passthrough
        auto=add
strongswan.conf:

    charon {
        interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
        plugins {
            dhcp {
                force_server_address = yes
                server = 192.168.0.1
                identity_lease = yes
            }
            farp {
                load = yes
            }
        }
    }
    threads = 8
    dns1 = 8.8.8.8
    dns1 = 8.8.8.4
Status:

    Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.80, armv7l):
      uptime: 14 minutes, since Sep 05 00:09:53 2017
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
      loaded plugins: charon test-vectors aes des blowfish rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac sqlite attr kernel-pfkey kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-aka eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck
    Listening IP addresses:
      169.254.255.1
      192.168.0.1
      87.168.243.83
    Connections:
           ikev2:  %any...%any  IKEv2, dpddelay=60s
           ikev2:   local:  [myname.ddns.net] uses public key authentication
           ikev2:    cert:  "C=DE, O=MYORG, CN=myname.ddns.net"
           ikev2:   remote: uses EAP_TLS authentication with EAP identity '%any'
           ikev2:   child:  192.168.0.0/24 === dynamic PASS, dpdaction=clear
    Security Associations (1 up, 0 connecting):
           ikev2[6]: ESTABLISHED 11 seconds ago, 87.168.243.83[myname.ddns.net]...109.43.1.19[R6400]
           ikev2[6]: IKEv2 SPIs: 243db36d71718704_i 688c466c497d2b9a_r*, public key reauthentication in 2 hours
           ikev2[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
           ikev2{4}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c0983fe7_i 04eb0f50_o
           ikev2{4}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
           ikev2{4}:   192.168.0.0/24 === 192.168.0.121/32

swanctl --list-sas

    ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*
      local  'myname.ddns.net' @ 87.168.243.83[4500]
      remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]
      AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
      established 92s ago, reauth in 9765s
      ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
        installed 89s ago, rekeying in 2800s, expires in 3511s
        in  c0983fe7,      0 bytes,     0 packets
        out 04eb0f50,      0 bytes,     0 packets
        local  192.168.0.0/24
        remote 192.168.0.121/32

ip route list table 220

    192.168.0.121 via 62.155.242.107 dev ppp0 proto static src 192.168.0.1
FARP seems to work; this is a ping from one of the local machines:

    ping R6400
    PING R6400 (192.168.0.121) 56(84) bytes of data.
    From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
    From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable

Router's iptables output:
    iptables -vnL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target  prot opt in    out   source           destination
        0     0 ACCEPT  0    --  ppp0  *     192.168.0.121    192.168.0.0/24   policy match dir in pol ipsec reqid 4 proto 50
      161 29398 ACCEPT  udp  --  *     *     0.0.0.0/0        0.0.0.0/0        udp dpt:4500
        8  4544 ACCEPT  udp  --  *     *     0.0.0.0/0        0.0.0.0/0        udp dpt:500
        0     0 log
    ...

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target  prot opt in    out   source           destination
        0     0 ACCEPT  0    --  ppp0  *     192.168.0.121    192.168.0.0/24   policy match dir in pol ipsec reqid 4 proto 50
        0     0 ACCEPT  0    --  *     ppp0  192.168.0.0/24   192.168.0.121    policy match dir out pol ipsec reqid 4 proto 50
    ...

    Chain OUTPUT (policy ACCEPT 480K packets, 377M bytes)
     pkts bytes target  prot opt in    out   source           destination
        0     0 ACCEPT  0    --  *     ppp0  192.168.0.0/24   192.168.0.121    policy match dir out pol ipsec reqid 4 proto 50
    ...

    iptables -vnL -t nat
    Chain PREROUTING (policy ACCEPT 38764 packets, 3219K bytes)
     pkts bytes target      prot opt in    out   source           destination
        2    62 DNAT        icmp --  *     *     0.0.0.0/0        87.168.243.83    to:192.168.0.1
      444 47552 TRIGGER     0    --  *     *     0.0.0.0/0        87.168.243.83    TRIGGER type:dnat match:0 relate:0

    Chain INPUT (policy ACCEPT 15994 packets, 934K bytes)
     pkts bytes target      prot opt in    out   source           destination

    Chain OUTPUT (policy ACCEPT 23271 packets, 1467K bytes)
     pkts bytes target      prot opt in    out   source           destination

    Chain POSTROUTING (policy ACCEPT 23270 packets, 1467K bytes)
     pkts bytes target      prot opt in    out   source           destination
        0     0 MASQUERADE  0    --  *     vlan2 0.0.0.0/0        0.0.0.0/0
     3023  165K SNAT        0    --  *     ppp0  192.168.0.0/24   0.0.0.0/0        to:87.168.243.83
        0     0 MASQUERADE  0    --  *     *     0.0.0.0/0        0.0.0.0/0        mark match 0x80000000/0x80000000

    iptables -vnL -t mangle
    Chain PREROUTING (policy ACCEPT 1209K packets, 733M bytes)
     pkts bytes target      prot opt in    out   source           destination
    1209K  733M FILTER_IN   0    --  *     *     0.0.0.0/0        0.0.0.0/0
       88 10536 MARK        0    --  !ppp0 *     0.0.0.0/0        87.168.243.83    MARK or 0x80000000
    1209K  733M CONNMARK    0    --  *     *     0.0.0.0/0        0.0.0.0/0        CONNMARK save

    Chain INPUT (policy ACCEPT 682K packets, 386M bytes)
     pkts bytes target      prot opt in    out   source           destination
     289K  351M IMQ         0    --  ppp0  *     0.0.0.0/0        0.0.0.0/0        IMQ: todev 0

    Chain FORWARD (policy ACCEPT 522K packets, 346M bytes)
     pkts bytes target      prot opt in    out   source           destination
        0     0 TCPMSS      tcp  --  *     *     0.0.0.0/0        0.0.0.0/0        policy match dir out pol ipsec tcp flags:0x06/0x02 tcpmss match 1361:1536 TCPMSS set 1360
        0     0 TCPMSS      tcp  --  *     *     0.0.0.0/0        0.0.0.0/0        policy match dir in pol ipsec tcp flags:0x06/0x02 tcpmss match 1361:1536 TCPMSS set 1360
     7654  415K TCPMSS      tcp  --  *     *     0.0.0.0/0        0.0.0.0/0        tcp flags:0x06/0x02 TCPMSS clamp to PMTU
     291K  294M IMQ         0    --  ppp0  *     0.0.0.0/0        0.0.0.0/0        IMQ: todev 0

    Chain OUTPUT (policy ACCEPT 503K packets, 382M bytes)
     pkts bytes target      prot opt in    out   source           destination

    Chain POSTROUTING (policy ACCEPT 1025K packets, 728M bytes)
     pkts bytes target      prot opt in    out   source           destination
        0     0 TCPMSS      tcp  --  *     *     0.0.0.0/0        0.0.0.0/0        policy match dir out pol ipsec tcp flags:0x06/0x02 tcpmss match 1361:1536 TCPMSS set 1360
    1025K  728M FILTER_OUT  0    --  *     *     0.0.0.0/0        0.0.0.0/0
     7242 1346K DSCP        0    --  *     *     0.0.0.0/0        0.0.0.0/0        DSCP match !0x00 DSCP set 0x00

    Chain FILTER_IN (1 references)
     pkts bytes target      prot opt in    out   source           destination
    1209K  733M CONNMARK    0    --  *     *     0.0.0.0/0        0.0.0.0/0        CONNMARK restore
    1209K  733M SVQOS_SVCS  0    --  *     *     0.0.0.0/0        0.0.0.0/0        mark match 0x0/0x7ffc00
    1209K  733M CONNMARK    0    --  *     *     0.0.0.0/0        0.0.0.0/0        CONNMARK save
    1209K  733M RETURN      0    --  *     *     0.0.0.0/0        0.0.0.0/0

    Chain FILTER_OUT (1 references)
     pkts bytes target      prot opt in    out   source           destination
    1025K  728M CONNMARK    0    --  *     *     0.0.0.0/0        0.0.0.0/0        CONNMARK restore
    1025K  728M SVQOS_SVCS  0    --  *     *     0.0.0.0/0        0.0.0.0/0        mark match 0x0/0x7ffc00
    1025K  728M CONNMARK    0    --  *     *     0.0.0.0/0        0.0.0.0/0        CONNMARK save
    1025K  728M RETURN      0    --  *     *     0.0.0.0/0        0.0.0.0/0

    Chain SVQOS_SVCS (2 references)
     pkts bytes target      prot opt in    out   source           destination
    2234K 1461M RETURN      0    --  *     *     0.0.0.0/0        0.0.0.0/0
I have tried so many things, but I still cannot ping from either side or access any local machines.

Does anyone have a clue? Can I provide additional info?
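Every `pol ipsec` rule in the filter-table output above stands at zero packets while the ping from the LAN is answered with "Destination Host Unreachable" by 62.155.242.107, the ppp0 peer; the first thing a reader triaging this would do is pull exactly those counters out of the dump. As an added example (not from the post, strongSwan or the router firmware), a small Python helper that parses `iptables -vnL` output and lists the IPsec policy-match rules that have never matched, fed the posted FORWARD chain as constructed sample input:

```python
import re
from collections import namedtuple

# Constructed sample, not live output: the filter-table FORWARD chain from the
# post above, with the wrapped rule lines rejoined the way iptables prints them.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source          destination
    0     0 ACCEPT 0    --  ppp0 *    192.168.0.121   192.168.0.0/24  policy match dir in pol ipsec reqid 4 proto 50
    0     0 ACCEPT 0    --  *    ppp0 192.168.0.0/24  192.168.0.121   policy match dir out pol ipsec reqid 4 proto 50
 7654  415K TCPMSS tcp  --  *    *    0.0.0.0/0       0.0.0.0/0       tcp flags:0x06/0x02 TCPMSS clamp to PMTU
"""

# Columns: pkts bytes target prot opt in out source destination [rule options]
RULE_RE = re.compile(r"^\s*" + r"(\S+)\s+" * 8 + r"(\S+)(?:\s+(.*))?$")
SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
Rule = namedtuple("Rule", "chain pkts target in_if out_if src dst extra")

def counter(text):
    """Without -x, iptables abbreviates counters as K/M/G (multiples of 1000)."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad counter: {text!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]

def parse_rules(output):
    """Turn `iptables -vnL` text into Rule tuples, tagging each with its chain."""
    rules, chain = [], None
    for line in output.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if not m or m.group(1) == "pkts":  # blank line or column header
            continue
        pkts, _bytes, target, _prot, _opt, inf, outf, src, dst, extra = m.groups()
        rules.append(Rule(chain, counter(pkts), target, inf, outf, src, dst, extra or ""))
    return rules

def idle_ipsec_rules(rules):
    """'pol ipsec' rules only see traffic that passed an IPsec policy, so a zero
    counter means the peer's packets never entered (or left through) the tunnel."""
    return [r for r in rules if "pol ipsec" in r.extra and r.pkts == 0]

for r in idle_ipsec_rules(parse_rules(SAMPLE)):
    print(f"{r.chain}: 0 pkts for {r.src} -> {r.dst} ({r.extra})")
```

Run against a live dump, `ip xfrm policy` and `ip xfrm state` counters are the next things to compare with the same zeros.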