[strongSwan] Cannot ping machines on remote local network
Bas van Dijk
v.dijk.bas at gmail.com
Tue Sep 5 02:20:54 CEST 2017
Hi Ric,
Is IP forwarding enabled on the router?
sysctl net.ipv4.ip_forward=1
Bas
On 5 Sep 2017 12:53 AM, "Ric S" <burj-al-arab at gmx.de> wrote:
> Hi folks,
>
> I have been ripping my hair out with this issue.
>
> I'm running strongswan 5.5.3 on a router. The router's LAN subnet is
> 192.168.0.1/24.
> I can successfully connect to it with an iPad with IKEv2 and surf the
> internet, but I cannot reach any internal machines.
>
> My config is the following:
>
> ipsec.conf:
>
> config setup
>     charondebug="net 2, knl 2, cfg 2"
>
> conn ikev2
>     keyexchange=ikev2
>     ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes1
>     esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128
>     dpdaction=clear
>     dpddelay=60s
>     left=%defaultroute
>     leftfirewall=yes
>     lefthostaccess=yes
>     leftid=myname.ddns.net
>     leftsubnet=192.168.0.0/24
>     leftcert=host-vpn.der
>     leftsendcert=always
>     right=%any
>     rightauth=eap-tls
>     rightsourceip=%dhcp
>     eap_identity=%any
>     type=passthrough
>     auto=add
>
> strongswan.conf:
>
> charon {
>     interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
>     plugins {
>         dhcp {
>             force_server_address = yes
>             server = 192.168.0.1
>             identity_lease = yes
>         }
>         farp {
>             load = yes
>         }
>     }
> }
>
> threads = 8
> dns1 = 8.8.8.8
> dns1 = 8.8.8.4
>
>
>
> Status:
>
> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.80, armv7l):
>   uptime: 14 minutes, since Sep 05 00:09:53 2017
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
>   loaded plugins: charon test-vectors aes des blowfish rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac sqlite attr kernel-pfkey kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-aka eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck
> Listening IP addresses:
>   169.254.255.1
>   192.168.0.1
>   87.168.243.83
> Connections:
>        ikev2:  %any...%any  IKEv2, dpddelay=60s
>        ikev2:   local:  [myname.ddns.net] uses public key authentication
>        ikev2:    cert:  "C=DE, O=MYORG, CN=myname.ddns.net"
>        ikev2:   remote: uses EAP_TLS authentication with EAP identity '%any'
>        ikev2:   child:  192.168.0.0/24 === dynamic PASS, dpdaction=clear
> Security Associations (1 up, 0 connecting):
>        ikev2[6]: ESTABLISHED 11 seconds ago, 87.168.243.83[myname.ddns.net]...109.43.1.19[R6400]
>        ikev2[6]: IKEv2 SPIs: 243db36d71718704_i 688c466c497d2b9a_r*, public key reauthentication in 2 hours
>        ikev2[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>        ikev2{4}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c0983fe7_i 04eb0f50_o
>        ikev2{4}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
>        ikev2{4}:   192.168.0.0/24 === 192.168.0.121/32
>
> swanctl --list-sas
> ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*
>   local  'myname.ddns.net' @ 87.168.243.83[4500]
>   remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]
>   AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>   established 92s ago, reauth in 9765s
>   ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
>     installed 89s ago, rekeying in 2800s, expires in 3511s
>     in  c0983fe7,      0 bytes,     0 packets
>     out 04eb0f50,      0 bytes,     0 packets
>     local  192.168.0.0/24
>     remote 192.168.0.121/32
>
> ip route list table 220
> 192.168.0.121 via 62.155.242.107 dev ppp0 proto static src 192.168.0.1
>
> FARP seems to work, this is a ping from one of the local machines:
>
> ping R6400
> PING R6400 (192.168.0.121) 56(84) bytes of data.
> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
>
>
> Router's iptables output:
>
> iptables -vnL
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     0    --  ppp0   *       192.168.0.121        192.168.0.0/24       policy match dir in pol ipsec reqid 4 proto 50
>   161 29398 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
>     8  4544 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
>     0     0 log
> ...
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     0    --  ppp0   *       192.168.0.121        192.168.0.0/24       policy match dir in pol ipsec reqid 4 proto 50
>     0     0 ACCEPT     0    --  *      ppp0    192.168.0.0/24       192.168.0.121        policy match dir out pol ipsec reqid 4 proto 50
> ...
>
> Chain OUTPUT (policy ACCEPT 480K packets, 377M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     0    --  *      ppp0    192.168.0.0/24       192.168.0.121        policy match dir out pol ipsec reqid 4 proto 50
> ...
>
>
> iptables -vnL -t nat
> Chain PREROUTING (policy ACCEPT 38764 packets, 3219K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     2    62 DNAT       icmp --  *      *       0.0.0.0/0            87.168.243.83        to:192.168.0.1
>   444 47552 TRIGGER    0    --  *      *       0.0.0.0/0            87.168.243.83        TRIGGER type:dnat match:0 relate:0
>
> Chain INPUT (policy ACCEPT 15994 packets, 934K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 23271 packets, 1467K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 23270 packets, 1467K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 MASQUERADE 0    --  *      vlan2   0.0.0.0/0            0.0.0.0/0
>  3023  165K SNAT       0    --  *      ppp0    192.168.0.0/24       0.0.0.0/0            to:87.168.243.83
>     0     0 MASQUERADE 0    --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x80000000/0x80000000
>
>
> iptables -vnL -t mangle
> Chain PREROUTING (policy ACCEPT 1209K packets, 733M bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 1209K  733M FILTER_IN  0    --  *      *       0.0.0.0/0            0.0.0.0/0
>    88 10536 MARK       0    --  !ppp0  *       0.0.0.0/0            87.168.243.83        MARK or 0x80000000
> 1209K  733M CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save
>
> Chain INPUT (policy ACCEPT 682K packets, 386M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  289K  351M IMQ        0    --  ppp0   *       0.0.0.0/0            0.0.0.0/0            IMQ: todev 0
>
> Chain FORWARD (policy ACCEPT 522K packets, 346M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec tcp flags:0x06/0x02 tcpmss match 1361:1536 TCPMSS set 1360
>     0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec tcp flags:0x06/0x02 tcpmss match 1361:1536 TCPMSS set 1360
>  7654  415K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
>  291K  294M IMQ        0    --  ppp0   *       0.0.0.0/0            0.0.0.0/0            IMQ: todev 0
>
> Chain OUTPUT (policy ACCEPT 503K packets, 382M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 1025K packets, 728M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec tcp flags:0x06/0x02 tcpmss match 1361:1536 TCPMSS set 1360
> 1025K  728M FILTER_OUT 0    --  *      *       0.0.0.0/0            0.0.0.0/0
>  7242 1346K DSCP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            DSCP match !0x00 DSCP set 0x00
>
> Chain FILTER_IN (1 references)
>  pkts bytes target     prot opt in     out     source               destination
> 1209K  733M CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
> 1209K  733M SVQOS_SVCS 0    --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x7ffc00
> 1209K  733M CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save
> 1209K  733M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain FILTER_OUT (1 references)
>  pkts bytes target     prot opt in     out     source               destination
> 1025K  728M CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
> 1025K  728M SVQOS_SVCS 0    --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x7ffc00
> 1025K  728M CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save
> 1025K  728M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain SVQOS_SVCS (2 references)
>  pkts bytes target     prot opt in     out     source               destination
> 2234K 1461M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
>
>
> I have tried so many things, but still cannot ping from either side or
> access any local machines.
> Does anyone have a clue? Can I provide additional info?
>
>
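A small triage script for the symptom in this thread (IKE_SA ESTABLISHED, CHILD_SA INSTALLED, yet no reachability and zero packet counters). This is an added example; it is not part of the thread and not strongSwan project code. It parses constructed sample text modelled on the three output formats quoted above (`sysctl net.ipv4.ip_forward`, `swanctl --list-sas`, `iptables -vnL`) and reports the things a responder would check first: the forwarding sysctl Bas asks about, whether the CHILD_SA has moved any packets, and whether the `policy match ... pol ipsec` rules that `leftfirewall=yes` installs in FORWARD have ever matched. The function names and the finding strings are my own.

```python
import re

# Constructed sample outputs, modelled on the formats quoted in this thread
# (not captured from the poster's router): sysctl, swanctl --list-sas and
# iptables -vnL. The counters reproduce the reported symptom: tunnel up,
# nothing forwarded.
SYSCTL_OUT = "net.ipv4.ip_forward = 0\n"

SWANCTL_OUT = """\
ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*
  local  'myname.ddns.net' @ 87.168.243.83[4500]
  remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]
  established 92s ago, reauth in 9765s
  ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 89s ago, rekeying in 2800s, expires in 3511s
    in  c0983fe7,      0 bytes,     0 packets
    out 04eb0f50,      0 bytes,     0 packets
    local  192.168.0.0/24
    remote 192.168.0.121/32
"""

IPTABLES_OUT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  ppp0   *       192.168.0.121        192.168.0.0/24       policy match dir in pol ipsec reqid 4 proto 50
  161 29398 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  ppp0   *       192.168.0.121        192.168.0.0/24       policy match dir in pol ipsec reqid 4 proto 50
    0     0 ACCEPT     0    --  *      ppp0    192.168.0.0/24       192.168.0.121        policy match dir out pol ipsec reqid 4 proto 50
"""

_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_counter(token):
    """Expand an iptables -v counter such as '1209K' (iptables scales by 1000)."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError("not a counter: %r" % token)
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def ip_forward_enabled(sysctl_text):
    """True if 'net.ipv4.ip_forward = 1' appears in the sysctl output."""
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_text)
    return bool(m) and m.group(1) == "1"


def child_sa_counters(swanctl_text):
    """Packet counters of the CHILD_SA ('in'/'out' lines of swanctl --list-sas)."""
    counters = {}
    for line in swanctl_text.splitlines():
        m = re.match(r"\s*(in|out)\s+[0-9a-f]+,\s*\d+\s+bytes,\s*(\d+)\s+packets", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def ipsec_policy_rules(iptables_text, chain="FORWARD"):
    """(pkts, dir, src, dst) for every 'policy match ... pol ipsec' rule in `chain`.

    These are the rules the updown script installs when leftfirewall=yes;
    their packet counters show whether anything is crossing the tunnel.
    """
    rules, current = [], None
    for line in iptables_text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            continue
        if current != chain:
            continue
        fields = line.split(None, 9)   # pkts bytes target prot opt in out src dst rest
        if len(fields) < 10 or "pol ipsec" not in fields[9]:
            continue
        direction = re.search(r"dir (in|out)", fields[9]).group(1)
        rules.append((parse_counter(fields[0]), direction, fields[7], fields[8]))
    return rules


def diagnose(sysctl_text, swanctl_text, iptables_text):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    if not ip_forward_enabled(sysctl_text):
        findings.append("ip_forward is 0: the kernel will not forward between tunnel and LAN")
    sa = child_sa_counters(swanctl_text)
    if sa and not any(sa.values()):
        findings.append("CHILD_SA installed but 0 packets in and out: traffic never enters the tunnel")
    rules = ipsec_policy_rules(iptables_text)
    if not rules:
        findings.append("no 'pol ipsec' rules in FORWARD: leftfirewall=yes updown rules are missing")
    elif all(pkts == 0 for pkts, *_ in rules):
        findings.append("FORWARD pol ipsec rules exist but matched 0 packets: nothing forwarded through the tunnel")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SYSCTL_OUT, SWANCTL_OUT, IPTABLES_OUT):
        print("-", finding)
```

On a real router you would feed the script the live output of the three commands instead of the embedded samples; the point of separating the parsers from `diagnose()` is that each counter can be checked on its own (for example, a CHILD_SA with packets out but none in points at the return path, not at forwarding).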