[strongSwan] Cannot ping machines on remote local network
noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Sep 5 04:54:31 CEST 2017
Hi,
> type=passthrough
You're sabotaging yourself. There is no IPsec processing happening with type=passthrough.
> threads = 8
You're doing it again. That can lock up the daemon later. Don't do that. Luckily, the setting is outside the valid configuration block, so it's invalid and ignored.
>interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
Unnecessary.
> left=%defaultroute
Unnecessary.
> kernel-pfkey
Plugin for the legacy IPsec API. Don't use it.
>ping R6400
>PING R6400 (192.168.0.121) 56(84) bytes of data.
>From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
>From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
Your next hop is sending that error. You're leaking private addresses into the WAN. That is forbidden. Don't do that.
>Router's iptables output:
>
>iptables -vnL
The output is unusable. Provide the output of `iptables-save`.
>I have tried so many things, but still cannot ping from either side or access any local machines.
>Does anyone have a clue? Can I provide additional info?
You're having no success because you're trying random shit from the Internet. About 99,999% of the strongSwan related information on third party sites is either wrong or of questionable quality. Don't get your information from any place but the project's website.
Kind regards
Noel
On 5 September 2017 00:53:20 MESZ, Ric S <burj-al-arab at gmx.de> wrote:
>Hi folks,
>
>I have been ripping my hair out with this issue.
>
>I'm running strongswan 5.5.3 on a router. The router's LAN subnet is 192.168.0.1/24.
>I can successfully connect to it with an iPad with IKEv2 and surf the internet, but I cannot reach any internal machines.
>
>My config is the following:
>
>ipsec.conf:
>
>config setup
> charondebug="net 2, knl 2, cfg 2"
>
>conn ikev2
> keyexchange=ikev2
> ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes1
> esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128
> dpdaction=clear
> dpddelay=60s
> left=%defaultroute
> leftfirewall=yes
> lefthostaccess=yes
> leftid=myname.ddns.net
> leftsubnet=192.168.0.0/24
> leftcert=host-vpn.der
> leftsendcert=always
> right=%any
> rightauth=eap-tls
> rightsourceip=%dhcp
> eap_identity=%any
> type=passthrough
> auto=add
>
>strongswan.conf:
>
>charon {
>    interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
>    plugins {
>        dhcp {
>            force_server_address = yes
>            server = 192.168.0.1
>            identity_lease = yes
>        }
>        farp {
>            load = yes
>        }
>    }
>}
>
>threads = 8
>dns1 = 8.8.8.8
>dns1 = 8.8.8.4
>
>
>
>Status:
>
>Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.80, armv7l):
>  uptime: 14 minutes, since Sep 05 00:09:53 2017
>  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
>  loaded plugins: charon test-vectors aes des blowfish rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac sqlite attr kernel-pfkey kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-aka eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck
>Listening IP addresses:
>  169.254.255.1
>  192.168.0.1
>  87.168.243.83
>Connections:
>       ikev2:  %any...%any  IKEv2, dpddelay=60s
>       ikev2:   local:  [myname.ddns.net] uses public key authentication
>       ikev2:    cert:  "C=DE, O=MYORG, CN=myname.ddns.net"
>       ikev2:   remote: uses EAP_TLS authentication with EAP identity '%any'
>       ikev2:   child:  192.168.0.0/24 === dynamic PASS, dpdaction=clear
>Security Associations (1 up, 0 connecting):
>       ikev2[6]: ESTABLISHED 11 seconds ago, 87.168.243.83[myname.ddns.net]...109.43.1.19[R6400]
>       ikev2[6]: IKEv2 SPIs: 243db36d71718704_i 688c466c497d2b9a_r*, public key reauthentication in 2 hours
>       ikev2[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>       ikev2{4}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c0983fe7_i 04eb0f50_o
>       ikev2{4}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
>       ikev2{4}:   192.168.0.0/24 === 192.168.0.121/32
>
>swanctl --list-sas
>ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*
>  local  'myname.ddns.net' @ 87.168.243.83[4500]
>  remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]
>  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>  established 92s ago, reauth in 9765s
>  ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
>    installed 89s ago, rekeying in 2800s, expires in 3511s
>    in  c0983fe7, 0 bytes, 0 packets
>    out 04eb0f50, 0 bytes, 0 packets
>    local  192.168.0.0/24
>    remote 192.168.0.121/32
>
>ip route list table 220
>192.168.0.121 via 62.155.242.107 dev ppp0 proto static src 192.168.0.1
>
>FARP seems to work; this is a ping from one of the local machines:
>
>ping R6400
>PING R6400 (192.168.0.121) 56(84) bytes of data.
>From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
>From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
>
>
>Router's iptables output:
>
>iptables -vnL
>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in   out source        destination
>    0     0 ACCEPT 0    -- ppp0 *   192.168.0.121 192.168.0.0/24  policy match dir in pol ipsec reqid 4 proto 50
>  161 29398 ACCEPT udp  -- *    *   0.0.0.0/0     0.0.0.0/0       udp dpt:4500
>    8  4544 ACCEPT udp  -- *    *   0.0.0.0/0     0.0.0.0/0       udp dpt:500
>    0     0 log
>...
>
>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in   out  source         destination
>    0     0 ACCEPT 0    -- ppp0 *    192.168.0.121  192.168.0.0/24  policy match dir in pol ipsec reqid 4 proto 50
>    0     0 ACCEPT 0    -- *    ppp0 192.168.0.0/24 192.168.0.121   policy match dir out pol ipsec reqid 4 proto 50
>...
>
>Chain OUTPUT (policy ACCEPT 480K packets, 377M bytes)
> pkts bytes target prot opt in   out  source         destination
>    0     0 ACCEPT 0    -- *    ppp0 192.168.0.0/24 192.168.0.121   policy match dir out pol ipsec reqid 4 proto 50
>...
>
>
>iptables -vnL -t nat
>Chain PREROUTING (policy ACCEPT 38764 packets, 3219K bytes)
> pkts bytes target  prot opt in out source    destination
>    2    62 DNAT    icmp -- *  *   0.0.0.0/0 87.168.243.83  to:192.168.0.1
>  444 47552 TRIGGER 0    -- *  *   0.0.0.0/0 87.168.243.83  TRIGGER type:dnat match:0 relate:0
>
>Chain INPUT (policy ACCEPT 15994 packets, 934K bytes)
> pkts bytes target prot opt in out source destination
>
>Chain OUTPUT (policy ACCEPT 23271 packets, 1467K bytes)
> pkts bytes target prot opt in out source destination
>
>Chain POSTROUTING (policy ACCEPT 23270 packets, 1467K bytes)
> pkts bytes target     prot opt in out   source         destination
>    0     0 MASQUERADE 0    -- *  vlan2 0.0.0.0/0      0.0.0.0/0
> 3023  165K SNAT       0    -- *  ppp0  192.168.0.0/24 0.0.0.0/0  to:87.168.243.83
>    0     0 MASQUERADE 0    -- *  *     0.0.0.0/0      0.0.0.0/0  mark match 0x80000000/0x80000000
>
>
>iptables -vnL -t mangle
>Chain PREROUTING (policy ACCEPT 1209K packets, 733M bytes)
> pkts bytes target    prot opt in    out source    destination
>1209K  733M FILTER_IN 0    -- *     *   0.0.0.0/0 0.0.0.0/0
>   88 10536 MARK      0    -- !ppp0 *   0.0.0.0/0 87.168.243.83  MARK or 0x80000000
>1209K  733M CONNMARK  0    -- *     *   0.0.0.0/0 0.0.0.0/0      CONNMARK save
>
>Chain INPUT (policy ACCEPT 682K packets, 386M bytes)
> pkts bytes target prot opt in   out source    destination
> 289K  351M IMQ    0    -- ppp0 *   0.0.0.0/0 0.0.0.0/0  IMQ: todev 0
>
>Chain FORWARD (policy ACCEPT 522K packets, 346M bytes)
> pkts bytes target prot opt in   out source    destination
>    0     0 TCPMSS tcp  -- *    *   0.0.0.0/0 0.0.0.0/0  policy match dir out pol ipsec tcp flags:0x06/0x02 tcpmss match 1361:1536 TCPMSS set 1360
>    0     0 TCPMSS tcp  -- *    *   0.0.0.0/0 0.0.0.0/0  policy match dir in pol ipsec tcp flags:0x06/0x02 tcpmss match 1361:1536 TCPMSS set 1360
> 7654  415K TCPMSS tcp  -- *    *   0.0.0.0/0 0.0.0.0/0  tcp flags:0x06/0x02 TCPMSS clamp to PMTU
> 291K  294M IMQ    0    -- ppp0 *   0.0.0.0/0 0.0.0.0/0  IMQ: todev 0
>
>Chain OUTPUT (policy ACCEPT 503K packets, 382M bytes)
> pkts bytes target prot opt in out source destination
>
>Chain POSTROUTING (policy ACCEPT 1025K packets, 728M bytes)
> pkts bytes target     prot opt in out source    destination
>    0     0 TCPMSS     tcp  -- *  *   0.0.0.0/0 0.0.0.0/0  policy match dir out pol ipsec tcp flags:0x06/0x02 tcpmss match 1361:1536 TCPMSS set 1360
>1025K  728M FILTER_OUT 0    -- *  *   0.0.0.0/0 0.0.0.0/0
> 7242 1346K DSCP       0    -- *  *   0.0.0.0/0 0.0.0.0/0  DSCP match !0x00 DSCP set 0x00
>
>Chain FILTER_IN (1 references)
> pkts bytes target     prot opt in out source    destination
>1209K  733M CONNMARK   0    -- *  *   0.0.0.0/0 0.0.0.0/0  CONNMARK restore
>1209K  733M SVQOS_SVCS 0    -- *  *   0.0.0.0/0 0.0.0.0/0  mark match 0x0/0x7ffc00
>1209K  733M CONNMARK   0    -- *  *   0.0.0.0/0 0.0.0.0/0  CONNMARK save
>1209K  733M RETURN     0    -- *  *   0.0.0.0/0 0.0.0.0/0
>
>Chain FILTER_OUT (1 references)
> pkts bytes target     prot opt in out source    destination
>1025K  728M CONNMARK   0    -- *  *   0.0.0.0/0 0.0.0.0/0  CONNMARK restore
>1025K  728M SVQOS_SVCS 0    -- *  *   0.0.0.0/0 0.0.0.0/0  mark match 0x0/0x7ffc00
>1025K  728M CONNMARK   0    -- *  *   0.0.0.0/0 0.0.0.0/0  CONNMARK save
>1025K  728M RETURN     0    -- *  *   0.0.0.0/0 0.0.0.0/0
>
>Chain SVQOS_SVCS (2 references)
> pkts bytes target prot opt in out source    destination
>2234K 1461M RETURN 0    -- *  *   0.0.0.0/0 0.0.0.0/0
>
>
>I have tried so many things, but still cannot ping from either side or access any local machines.
>Does anyone have a clue? Can I provide additional info?
Sent from mobile
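An added example, not code from this thread or from the strongSwan project: a small POSIX shell lint that catches the three configuration mistakes called out in the reply above (type=passthrough, keys placed outside the charon { } block in strongswan.conf, and the legacy kernel-pfkey plugin showing up in the loaded plugin list), run over "bad" samples constructed from the quoted post and over corrected "good" versions. The file layout, the trimmed sample contents and the wording of the findings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical script, not strongSwan's own tooling): lint the
# three mistakes the reply points out, against constructed bad/ and good/
# sample sets. Paths, sample contents and messages are assumptions.

# lint_ipsec_conf FILE: one finding per line; exit 0 = clean, 1 = findings.
lint_ipsec_conf() {
    n=0
    # type=passthrough installs a bypass policy, so matching traffic leaves
    # in the clear; the default, type=tunnel, is what this setup wants.
    if grep -Eq '^[[:space:]]*type[[:space:]]*=[[:space:]]*passthrough' "$1"; then
        echo "$1: type=passthrough disables IPsec processing for this conn; remove it (default is tunnel)"
        n=$((n + 1))
    fi
    # left=%defaultroute adds nothing: charon picks the local address itself.
    if grep -Eq '^[[:space:]]*left[[:space:]]*=[[:space:]]*%defaultroute' "$1"; then
        echo "$1: left=%defaultroute is unnecessary; drop it"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}
# lint_strongswan_conf FILE: strongswan.conf is sectioned and charon only reads
# keys inside charon { }, so any key = value at brace depth 0 is dead weight.
lint_strongswan_conf() {
    awk -v f="$1" '
        depth == 0 && $0 ~ /^[[:space:]]*[A-Za-z0-9_-]+[[:space:]]*=/ {
            key = $1; sub(/=.*/, "", key)      # also handles "threads=8"
            printf "%s: \"%s\" is outside every section and is ignored\n", f, key
            n++
        }
        { depth += gsub(/\{/, "{"); depth -= gsub(/\}/, "}") }   # track nesting
        END { exit (n > 0) }
    ' "$1"
}
# lint_plugins FILE: reads the "loaded plugins:" block of `ipsec statusall`
# output; kernel-pfkey is the legacy PF_KEY backend, kernel-netlink the Linux one.
lint_plugins() {
    if sed -n '/^loaded plugins:/,/^Listening/p' "$1" | grep -qw 'kernel-pfkey'; then
        echo "$1: kernel-pfkey is loaded; set charon.plugins.kernel-pfkey.load = no"
        return 1
    fi
    return 0
}
# lint_tree DIR: all three checks on one config set (ipsec.conf,
# strongswan.conf and a saved `ipsec statusall` in status.txt).
lint_tree() {
    rc=0
    lint_ipsec_conf "$1/ipsec.conf" || rc=1
    lint_strongswan_conf "$1/strongswan.conf" || rc=1
    lint_plugins "$1/status.txt" || rc=1
    return $rc
}
# write_samples DIR: constructed inputs. bad/ mirrors the settings quoted in
# the post (trimmed); good/ is the corrected form.
write_samples() {
    mkdir -p "$1/bad" "$1/good"
    cat > "$1/bad/ipsec.conf" <<'EOF'
conn ikev2
    left=%defaultroute
    leftsubnet=192.168.0.0/24
    right=%any
    rightauth=eap-tls
    type=passthrough
    auto=add
EOF
    cat > "$1/bad/strongswan.conf" <<'EOF'
charon {
    interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
    plugins {
        dhcp { server = 192.168.0.1 }
    }
}
threads = 8
dns1 = 8.8.8.8
EOF
    printf 'loaded plugins: charon aes sha1 x509 attr kernel-pfkey kernel-netlink\nsocket-default farp stroke vici dhcp\nListening IP addresses:\n' > "$1/bad/status.txt"
    printf '%s\n' 'conn ikev2' '    leftsubnet=192.168.0.0/24' '    right=%any' \
        '    rightauth=eap-tls' '    auto=add' > "$1/good/ipsec.conf"
    cat > "$1/good/strongswan.conf" <<'EOF'
charon {
    dns1 = 8.8.8.8
    plugins {
        kernel-pfkey { load = no }
        dhcp { server = 192.168.0.1 }
    }
}
EOF
    printf 'loaded plugins: charon aes sha1 x509 attr kernel-netlink\nsocket-default farp stroke vici dhcp\nListening IP addresses:\n' > "$1/good/status.txt"
}
# Stand-alone run: report findings for both sample sets.
dir=$(mktemp -d); write_samples "$dir"
for t in bad good; do
    if lint_tree "$dir/$t"; then echo "$t: clean"; fi
done
rm -rf "$dir"
```

Run as `sh swanlint.sh`: the bad set trips all three checks, the good set reports clean; point `lint_tree` at a directory holding the real files to lint a router. Two checks on the router itself go with this. `ip xfrm policy` shows the 192.168.0.0/24 <-> 192.168.0.121/32 policy without any `tmpl` line while type=passthrough is in effect and with one once it is a tunnel, which is a quick way to confirm the change took. A guard such as `iptables -I FORWARD -o ppp0 -d 192.168.0.0/16 -m policy --dir out --pol none -j DROP` (interface name taken from the quoted output) stops traffic for the private range from ever leaving the WAN side unencrypted, which is the leak that the Destination Host Unreachable replies from the next hop reveal. When asking for help, `iptables-save` is the form to post, since it keeps every match and target exactly as loaded.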