[strongSwan] Cannot ping machines on remote local network

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Sep 5 11:28:59 CEST 2017


Hi,

> ifconfig

Please don't use the net-tools. Use iproute2. The net-tools are woefully inadequate for this day and age. They
are deprecated since the early 2000s.

Please provide the output of `ip address`, `ip route show table all`, `ip rule` and `sysctl -A | grep rp_filter`.

I suspect that at least the rp_filter needs to be set to 2.

> 
> Just a dynamic ip, who cares.
> 

Enough people that it's RFC'd[1].

Kind regards

Noel

[1] https://tools.ietf.org/html/rfc1918#section-3

On 05.09.2017 11:06, Ric S wrote:
> Current configs now:
> 
> strongswan.conf:
> 
> charon {
> plugins {
>         dhcp {
>         force_server_address = yes
>         server = 192.168.0.1
>         identity_lease = yes
>         }
>         farp {
>         load = yes
>         }
> }}
> 
> dns1 = 8.8.8.8
> dns1 = 8.8.8.4
> 
> ipsec.conf:
> 
> config setup
>  charondebug="net 2, knl 2, cfg 2"
> 
> 
> conn ikev2
>  keyexchange=ikev2
>  ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes2
>  esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm
>  dpdaction=clear
>  dpddelay=60s
>  leftfirewall=yes
>  lefthostaccess=yes
>  leftid=carone.ddns.net
>  leftsubnet=192.168.0.0/24
>  leftcert=host-vpn.der
>  leftsendcert=always
>  right=%any
>  rightauth=eap-tls
>  rightsourceip=%dhcp
>  eap_identity=%any
>  auto=add
> 
> 
> On Tuesday, 5 September 2017 04:54:31 CEST you wrote:
>> Hi,
>>
>>> type=passthrough
> 
> Removed it, also did not use it previous attempts.
>>
>> You're sabotaging yourself. There is no IPsec processing happening with
>> type=passthrough
>>> threads = 8
> 
> Removed.
>>
>> You're doing it again. That can lock up the daemon later. Don't do that.
>> Luckily, the setting is outside the valid configuration block, so it's
>> invalid and ignored.
>>> interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
> 
> I removed it. Just for the record these are my interfaces:
> 
> ifconfig
> br0       Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16  
>           inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
>           inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:5108 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:4497 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000 
>           RX bytes:585507 (571.7 KiB)  TX bytes:3738948 (3.5 MiB)
> 
> br0:0     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16  
>           inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> 
> eth0      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:14  
>           inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:12075 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:12590 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000 
>           RX bytes:1941972 (1.8 MiB)  TX bytes:9910375 (9.4 MiB)
>           Interrupt:179 Base address:0x4000 
> 
> eth1      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16  
>           inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:7541
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000 
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>           Interrupt:163 
> 
> eth2      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:17  
>           inet6 addr: fe80::a263:91ff:feea:2e17/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000 
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>           Interrupt:169 
> 
> lo        Link encap:Local Loopback  
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING MULTICAST  MTU:65536  Metric:1
>           RX packets:425 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:425 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1 
>           RX bytes:53057 (51.8 KiB)  TX bytes:53057 (51.8 KiB)
> 
> ppp0      Link encap:Point-to-Point Protocol  
>           inet addr:87.168.251.19  P-t-P:62.155.242.107  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING MULTICAST  MTU:1492  Metric:1
>           RX packets:1010 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1092 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:3 
>           RX bytes:470447 (459.4 KiB)  TX bytes:160357 (156.5 KiB)
> 
> vlan1     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:14  
>           inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:9247 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:9767 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0 
>           RX bytes:759337 (741.5 KiB)  TX bytes:9462367 (9.0 MiB)
> 
> vlan2     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:15  
>           inet6 addr: fe80::a263:91ff:feea:2e15/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:2828 errors:0 dropped:3 overruns:0 frame:0
>           TX packets:2815 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0 
>           RX bytes:916985 (895.4 KiB)  TX bytes:397032 (387.7 KiB)
> 
> vlan2:0   Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:15  
>           inet addr:192.168.5.254  Bcast:192.168.5.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> 
> wl0.1     Link encap:Ethernet  HWaddr A2:XX:XX:XX:XX:17  
>           inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
>           inet6 addr: fe80::a063:91ff:feea:2e17/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:3615 errors:0 dropped:5 overruns:0 frame:7541
>           TX packets:3989 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000 
>           RX bytes:538878 (526.2 KiB)  TX bytes:998737 (975.3 KiB)
> 
> wl1.1     Link encap:Ethernet  HWaddr A2:XX:XX:XX:XX:18  
>           inet addr:192.168.9.1  Bcast:192.168.9.255  Mask:255.255.255.0
>           inet6 addr: fe80::a063:91ff:feea:2e18/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000 
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> 
>>
>> Unnecessary.
>>
>>> left=%defaultroute
> 
> Removed.
> 
>>
>> Unnecessary.
>>
>>> kernel-pfkey
>>
>> Plugin for the legacy IPsec API. Don't use it.
>>
>>> ping R6400
>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
>>> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
>>> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
> 
> Just a dynamic ip, who cares.
> 
>>
>> Your next hop is sending that error. You're leaking private address into the
>> WAN. That is forbidden. Don't do that.
>>> Routers iptable output:
>>>
>>> iptables -vnL
>>
>> The output is unusable. Provide the output of `iptables-save`.
> 
> I disabled a few features, e.g. QOS in order to reduce the output
> 
> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
> *raw
> :PREROUTING ACCEPT [12217:1705679]
> :OUTPUT ACCEPT [9354:9118762]
> COMMIT
> # Completed on Tue Sep  5 10:42:27 2017
> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
> *nat
> :PREROUTING ACCEPT [285:28593]
> :INPUT ACCEPT [604:43260]
> :OUTPUT ACCEPT [47:3676]
> :POSTROUTING ACCEPT [47:3676]
> -A PREROUTING -d 87.168.251.19 -p icmp -j DNAT --to-destination 192.168.0.1 
> -A PREROUTING -d 87.168.251.19 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0 
> -A POSTROUTING -o vlan2 -j MASQUERADE 
> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19 
> -A POSTROUTING -m mark  --mark0x80000000/0x80000000 -j MASQUERADE 
> -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19 
> -A POSTROUTING -s 192.168.9.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19 
> COMMIT
> # Completed on Tue Sep  5 10:42:27 2017
> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
> *mangle
> :PREROUTING ACCEPT [3009:537902]
> :INPUT ACCEPT [8937:741571]
> :FORWARD ACCEPT [2521:798226]
> :OUTPUT ACCEPT [2190:2277003]
> :POSTROUTING ACCEPT [11882:9919352]
> -A PREROUTING -d 87.168.251.19 -i ! ppp0 -j MARK  --set-xmark 0x80000000/0x80000000
> -A PREROUTING -j CONNMARK --save-mark 
> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
> COMMIT
> # Completed on Tue Sep  5 10:42:27 2017
> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [111:17285]
> :advgrp_1 - [0:0]
> :advgrp_10 - [0:0]
> :advgrp_2 - [0:0]
> :advgrp_3 - [0:0]
> :advgrp_4 - [0:0]
> :advgrp_5 - [0:0]
> :advgrp_6 - [0:0]
> :advgrp_7 - [0:0]
> :advgrp_8 - [0:0]
> :advgrp_9 - [0:0]
> :grp_1 - [0:0]
> :grp_10 - [0:0]
> :grp_2 - [0:0]
> :grp_3 - [0:0]
> :grp_4 - [0:0]
> :grp_5 - [0:0]
> :grp_6 - [0:0]
> :grp_7 - [0:0]
> :grp_8 - [0:0]
> :grp_9 - [0:0]
> :lan2wan - [0:0]
> :logaccept - [0:0]
> :logdrop - [0:0]
> :logreject - [0:0]
> :trigger_out - [0:0]
> -A INPUT -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT 
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT 
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT 
> -A INPUT -s 66.220.2.74 -p icmp -j ACCEPT 
> -A INPUT -m state --state RELATED,ESTABLISHED -j logaccept 
> -A INPUT -i ppp0 -p udp -m udp --dport 520 -j logdrop 
> -A INPUT -i br0 -p udp -m udp --dport 520 -j logdrop 
> -A INPUT -p udp -m udp --dport 520 -j logaccept 
> -A INPUT -i br0 -j logaccept 
> -A INPUT -i ppp0 -p icmp -j logdrop 
> -A INPUT -p igmp -j logdrop 
> -A INPUT -i lo -m state --state NEW -j ACCEPT 
> -A INPUT -i br0 -m state --state NEW -j logaccept 
> -A INPUT -i wl0.1 -p udp -m udp --dport 67 -j logaccept 
> -A INPUT -i wl0.1 -p udp -m udp --dport 53 -j logaccept 
> -A INPUT -i wl0.1 -p tcp -m tcp --dport 53 -j logaccept 
> -A INPUT -i wl0.1 -m state --state NEW -j logdrop 
> -A INPUT -i wl0.1 -j logaccept 
> -A INPUT -i wl1.1 -p udp -m udp --dport 67 -j logaccept 
> -A INPUT -i wl1.1 -p udp -m udp --dport 53 -j logaccept 
> -A INPUT -i wl1.1 -p tcp -m tcp --dport 53 -j logaccept 
> -A INPUT -i wl1.1 -m state --state NEW -j logdrop 
> -A INPUT -i wl1.1 -j logaccept 
> -A INPUT -j logdrop 
> -A FORWARD -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT 
> -A FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT 
> -A FORWARD -s 192.168.0.10 -d 194.25.134.46 -j ACCEPT 
> -A FORWARD -s 192.168.0.10 -d 194.25.134.110 -j ACCEPT 
> -A FORWARD -s 192.168.0.10 -j LOG 
> -A FORWARD -s 192.168.0.10 -j DROP 
> -A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept 
> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl1.1 -m state --state NEW -j logdrop 
> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl0.1 -m state --state NEW -j logdrop 
> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p gre -j logaccept 
> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p tcp -m tcp --dport 1723 -j logaccept 
> -A FORWARD -i wl0.1 -j logaccept 
> -A FORWARD -i wl1.1 -j logaccept 
> -A FORWARD -j lan2wan 
> -A FORWARD -i br0 -o br0 -j logaccept 
> -A FORWARD -i br0 -o ppp0 -j logaccept 
> -A FORWARD -i ppp0 -o br0 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0 
> -A FORWARD -i br0 -j trigger_out 
> -A FORWARD -i br0 -o wl0.1 -m state --state NEW -j logdrop 
> -A FORWARD -i br0 -o wl1.1 -m state --state NEW -j logdrop 
> -A FORWARD -i br0 -m state --state NEW -j logaccept 
> -A FORWARD -j logdrop 
> -A OUTPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT 
> -A OUTPUT -o br0 -j logaccept 
> -A logaccept -j ACCEPT 
> -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options 
> -A logdrop -m state --state INVALID -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options 
> -A logdrop -j DROP 
> -A logreject -j LOG --log-prefix "WEBDROP " --log-tcp-sequence --log-tcp-options --log-ip-options 
> -A logreject -p tcp -j REJECT --reject-with tcp-reset 
> COMMIT
> # Completed on Tue Sep  5 10:42:27 2017
> 
>>
>>> I have tried so many things, but still cannot ping from either side or
>>> access any local machines.
>>> Does anyone have a clue? Can I provide additional info?
>>
>> You're having no success because you're trying random shit from the
>> Internet. About 99,999% of the strongSwan related information on third
>> party sites is either wrong or of questionable quality. Don't get your
>> information from any place but the project's website.
> 
> Well that's what I did in the first place and it also lacks info, e.g. it did not list all of the required kernel modules. It took me a bit to
> find out which modules it needs, as it did not complain at startup but requested features at runtime which were not there, e.g. a STD RNG.
> 
> 
> Thanks for any hints, hope the above info helps.
> 
> Cheers Richard
>>
>> Kind regards
>>
>> Noel
>>
>> On 5 September 2017 00:53:20 CEST, Ric S <burj-al-arab at gmx.de> wrote:
>>> Hi folks,
>>>
>>> I have been ripping my hair out with this issue.
>>>
>>> I'm running strongswan 5.5.3 on a router. The routers lan subnet is
>>> 192.168.0.1/24.
>>> I can successfully connect to it with an Ipad with ikev2 and surf the
>>> internet, but I cannot reach any internal machines.
>>>
>>> My config is the following:
>>>
>>> ipsec.conf:
>>>
>>> config setup
>>>
>>> charondebug="net 2, knl 2, cfg 2"
>>>
>>> conn ikev2
>>>
>>> keyexchange=ikev2
>>>
>>> ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-
>>> sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes1
>>> esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128
>>> - sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128
>>>
>>> dpdaction=clear
>>> dpddelay=60s
>>> left=%defaultroute
>>> leftfirewall=yes
>>> lefthostaccess=yes
>>> leftid=myname.ddns.net
>>> leftsubnet=192.168.0.0/24
>>> leftcert=host-vpn.der
>>> leftsendcert=always
>>> right=%any
>>> rightauth=eap-tls
>>> rightsourceip=%dhcp
>>> eap_identity=%any
>>> type=passthrough
>>> auto=add
>>>
>>> strongswan.conf:
>>>
>>> charon {
>>> interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
>>> plugins {
>>>
>>>        dhcp {
>>>        force_server_address = yes
>>>        server = 192.168.0.1
>>>        identity_lease = yes
>>>        }
>>>        farp {
>>>        load = yes
>>>        }
>>>
>>> }}
>>>
>>> threads = 8
>>> dns1 = 8.8.8.8
>>> dns1 = 8.8.8.4
>>>
>>>
>>>
>>> Status:
>>>
>>> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.80, armv7l):
>>>   uptime: 14 minutes, since Sep 05 00:09:53 2017
>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
>>>   loaded plugins: charon test-vectors aes des blowfish rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac sqlite attr kernel-pfkey kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-aka eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck
>>> Listening IP addresses:
>>>   169.254.255.1
>>>   192.168.0.1
>>>   87.168.243.83
>>> Connections:
>>>        ikev2:  %any...%any  IKEv2, dpddelay=60s
>>>        ikev2:   local:  [myname.ddns.net] uses public key authentication
>>>        ikev2:    cert:  "C=DE, O=MYORG, CN=myname.ddns.net"
>>>        ikev2:   remote: uses EAP_TLS authentication with EAP identity '%any'
>>>        ikev2:   child:  192.168.0.0/24 === dynamic PASS, dpdaction=clear
>>> Security Associations (1 up, 0 connecting):
>>>        ikev2[6]: ESTABLISHED 11 seconds ago, 87.168.243.83[myname.ddns.net]...109.43.1.19[R6400]
>>>        ikev2[6]: IKEv2 SPIs: 243db36d71718704_i 688c466c497d2b9a_r*, public key reauthentication in 2 hours
>>>        ikev2[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>        ikev2{4}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c0983fe7_i 04eb0f50_o
>>>        ikev2{4}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
>>>        ikev2{4}:   192.168.0.0/24 === 192.168.0.121/32
>>>
>>> swanctl --list-sas
>>> ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*
>>>   local  'myname.ddns.net' @ 87.168.243.83[4500]
>>>   remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]
>>>   AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>>>   established 92s ago, reauth in 9765s
>>>   ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
>>>     installed 89s ago, rekeying in 2800s, expires in 3511s
>>>     in  c0983fe7,      0 bytes,     0 packets
>>>     out 04eb0f50,      0 bytes,     0 packets
>>>     local  192.168.0.0/24
>>>     remote 192.168.0.121/32
>>>
>>> ip route list table 220
>>> 192.168.0.121 via 62.155.242.107 dev ppp0  proto static  src 192.168.0.1
>>>
>>> FARP seems to work, this is a ping from one of the local machines:
>>>
>>> ping R6400
>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
>>> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
>>> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
> 
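Noel's reply above asks for `sysctl -A | grep rp_filter` output and suspects rp_filter must be set to 2. The script below is an added example, not code from this thread or from the strongSwan project: it reads sysctl lines in that format and reports the rp_filter mode the kernel actually applies per interface, which is the maximum of the "all" value and the per-interface value, so an interface left at 0 is still strict while "all" is 1. The sample sysctl lines are constructed, not the poster's system.

```shell
#!/bin/sh
# Added example (not from the list thread): per-interface rp_filter check.
# Linux applies max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<if>.rp_filter).
# Strict mode (1) drops decapsulated packets from a road-warrior virtual IP
# that lies inside the LAN range (192.168.0.121 routed via ppp0 in table 220),
# so loose mode (2) is the usual fix. The lines below are constructed input.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.br0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.ppp0.rp_filter = 1
net.ipv4.conf.vlan2.rp_filter = 2'

# effective_rp_filter IFACE  (sysctl lines on stdin)
# Prints the mode actually applied to IFACE: max of "all" and the interface value.
effective_rp_filter() {
    awk -v ifc="$1" '
        BEGIN { all = 0; own = 0 }
        $1 == "net.ipv4.conf.all.rp_filter"        { all = $3 + 0 }
        $1 == ("net.ipv4.conf." ifc ".rp_filter")  { own = $3 + 0 }
        END { m = all; if (own > m) m = own; print m }'
}

# strict_rp_filter_ifaces  (sysctl lines on stdin)
# Lists, sorted and one per line, every interface whose effective mode is 1.
strict_rp_filter_ifaces() {
    awk '
        function max(a, b) { return a > b ? a : b }
        /^net\.ipv4\.conf\.[^.]+\.rp_filter = / {
            split($1, p, ".")        # p[4] is the interface name
            v[p[4]] = $3 + 0
        }
        END {
            for (i in v)
                if (i != "all" && i != "default" && max(v["all"] + 0, v[i]) == 1)
                    print i
        }' | sort
}

# rp_filter_fix_commands  (sysctl lines on stdin)
# Emits the sysctl commands that move every strict interface, and "all", to loose mode.
rp_filter_fix_commands() {
    strict_rp_filter_ifaces | sed 's/.*/sysctl -w net.ipv4.conf.&.rp_filter=2/'
    echo 'sysctl -w net.ipv4.conf.all.rp_filter=2'
}

printf '%s\n' "$SAMPLE_SYSCTL" | strict_rp_filter_ifaces
printf '%s\n' "$SAMPLE_SYSCTL" | rp_filter_fix_commands
```

Run it against real output with `sysctl -A | grep rp_filter | strict_rp_filter_ifaces` after sourcing the functions; the emitted sysctl lines are a proposal to review, not something the script applies itself.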
