[strongSwan] Cannot ping machines on remote local network

Ric S burj-al-arab at gmx.de
Wed Sep 6 15:55:48 CEST 2017


Update: I compiled the kernel with xfrm stats and noticed that the error 
XfrmInStateProtoError increases by one for each ping, so the issue must be in 
this area. What could be the cause for this:

cat /proc/net/xfrm_stat 
XfrmInError                     0
XfrmInBufferError               0
XfrmInHdrError                  0
XfrmInNoStates                  0
XfrmInStateProtoError           13
XfrmInStateModeError            0
XfrmInStateSeqError             0
XfrmInStateExpired              0
XfrmInStateMismatch             0
XfrmInStateInvalid              0
XfrmInTmplMismatch              0
XfrmInNoPols                    0
XfrmInPolBlock                  0
XfrmInPolError                  0
XfrmOutError                    0
XfrmOutBundleGenError           0
XfrmOutBundleCheckError         0
XfrmOutNoStates                 0
XfrmOutStateProtoError          0
XfrmOutStateModeError           0
XfrmOutStateSeqError            0
XfrmOutStateExpired             0
XfrmOutPolBlock                 0
XfrmOutPolDead                  0
XfrmOutPolError                 0
XfrmFwdHdrError                 0
XfrmOutStateInvalid             0
XfrmAcquireError                0

swanctl --list-sas
ikev2: #2, ESTABLISHED, IKEv2, ff455cdb92936f01_i b37e2279167e23ed_r*
  local  'myname.ddns.net' @ 87.168.XXX.XXX[4500]
  remote 'R6400' @ XX.XX.1.5[50455] [192.168.0.121]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 41s ago, reauth in 9733s
  ikev2: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 37s ago, rekeying in 2798s, expires in 3563s
    in  cc231009,      0 bytes,     0 packets
    out 05998a07,      0 bytes,     0 packets
    local  192.168.0.0/24
    remote 192.168.0.121/32

Also, I gave wrong info before: neither Win7 nor iOS can surf the internet 
through the tunnel. iOS obviously bypasses the VPN, as I see no outgoing 
connections on the router's WAN to a specific address I contact from iOS.
So basically the only thing going through is the tunnel connection's ESP traffic.
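
An added diagnostic helper (editor's example, not code from the thread) for the counter check described above: it diffs two snapshots of /proc/net/xfrm_stat taken around a probe, so a counter that moves once per packet, such as XfrmInStateProtoError, stands out from the rest. The kernel documents that counter as a transformation-protocol-specific inbound error (e.g. a wrong SA key); the function names, the constructed sample snapshots and the use of the thread's 192.168.0.121 peer as the ping target are assumptions.

```shell
#!/bin/sh
# Editor's example, not from the thread: report which xfrm counters change
# while a probe (e.g. one ping through the tunnel) is sent.

# xfrm_delta BEFORE AFTER
# Prints "<counter> <increase>" for every counter whose value differs between
# the two snapshot files (same "Name value" format as /proc/net/xfrm_stat).
xfrm_delta() {
    awk 'NR == FNR { before[$1] = $2; next }
         ($1 in before) && $2 != before[$1] {
             printf "%s %d\n", $1, $2 - before[$1]
         }' "$1" "$2"
}

# xfrm_probe CMD [ARGS...]
# Snapshots the live counters, runs CMD, snapshots again and prints only the
# counters that moved. Run on the IPsec gateway itself, e.g.:
#   xfrm_probe ping -c 4 192.168.0.121
xfrm_probe() {
    before=$(mktemp) || return 1
    after=$(mktemp) || { rm -f "$before"; return 1; }
    cat /proc/net/xfrm_stat > "$before"
    "$@" > /dev/null 2>&1
    cat /proc/net/xfrm_stat > "$after"
    xfrm_delta "$before" "$after"
    rm -f "$before" "$after"
}

# write_samples BEFORE AFTER
# Constructed snapshots for an offline run: only XfrmInStateProtoError moves
# (13 -> 14), mirroring the one-per-ping increase reported in the thread.
write_samples() {
    printf 'XfrmInError\t0\nXfrmInNoStates\t0\nXfrmInStateProtoError\t13\nXfrmOutError\t0\n' > "$1"
    printf 'XfrmInError\t0\nXfrmInNoStates\t0\nXfrmInStateProtoError\t14\nXfrmOutError\t0\n' > "$2"
}

# Offline demo on the constructed snapshots; prints "XfrmInStateProtoError 1".
demo() {
    b=$(mktemp); a=$(mktemp)
    write_samples "$b" "$a"
    xfrm_delta "$b" "$a"
    rm -f "$b" "$a"
}

demo
```

Any counter that does not change between the snapshots is deliberately left out of the report, so on a healthy tunnel a ping should show only the packet/byte counters of the SA moving, not an In*Error line.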

On Wednesday, 6 September 2017 00:05:23 CEST Ric S wrote:
> On Tuesday, 5 September 2017 16:36:30 CEST Noel Kuntze wrote:
> > Hi,
> > 
> > See the article about forwarding[1] that I linked previously.
> 
> I have done some more experimenting. It is really strange, right after the
> connection established I get a few pings through, but they stop after 3 or 4
> pings, then maybe one in a few minutes goes through.
> 
> Very strange. I also notice that after a while I cannot establish a
> connection to the router, until I request a new IP. Just like traffic is
> intercepted by the ISP.
> 
> But since the test is done with an LTE modem, I want to see next week if
> I get the same results on a regular line.
> 
> > Kind regards
> > 
> > Noel
> > 
> > [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#MTUMSS-issues
> > 
> > On 05.09.2017 16:33, Ric S wrote:
> > > On Tuesday, 5 September 2017 12:36:47 CEST Noel Kuntze wrote:
> > >> Hi,
> > >> 
> > >> I just noticed that your NAT rules cause problems if you try to initiate
> > >> connections to the RW, too. Read and apply the advice from the article
> > >> about NAT problems[1].
> > > 
> > > I added :
> > > 
> > > iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
> > > 
> > > I noticed when I ping the iPad from lan I now see that packages are
> > > matching and ping changes:
> > > 
> > > Chain POSTROUTING (policy ACCEPT 1320 packets, 89681 bytes)
> > >  pkts bytes target     prot opt in     out     source               destination
> > >     1    84 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
> > > 
> > > before adding the rule:
> > > 
> > > ping R6400
> > > PING R6400 (192.168.0.121) 56(84) bytes of data.
> > > From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
> > > From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
> > > From 62.155.242.107 (62.155.242.107) icmp_seq=3 Destination Host Unreachable
> > > 
> > > 
> > > after adding the rule:
> > > 
> > > ping R6400
> > > PING R6400 (192.168.0.121) 56(84) bytes of data.
> > > hangs here
> > > 
> > > Thus this rule most likely is one part of the solution.
> > > 
> > > Now I set up a second client, Win7. Unlike iOS, surfing the net does not
> > > work, and with Wireshark I see incoming TCP retransmission messages;
> > > looks like there is an issue with MTU/MSS? I also managed to get one ping
> > > through the tunnel to a LAN machine.
> > > 
> > > What is the best way to specify MTU sizes etc. in strongSwan?
> > > 
> > >> Kind regards
> > >> 
> > >> Noel
> > >> 
> > >> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems
> > >> 
> > >> On 05.09.2017 12:32, Ric S wrote:
> > >>> On Tuesday, 5 September 2017 11:28:59 CEST Noel Kuntze wrote:
> > >>>> Hi,
> > >>>> 
> > >>>>> ifconfig
> > >>>> 
> > >>>> Please don't use the net-tools. Use iproute2. The net-tools are woefully
> > >>>> inadequate for this day and age. They are deprecated since the early 2000s.
> > >>>> 
> > >>>> Please provide the output of `ip address`, `ip route show table all`,
> > >>>> `ip rule` and `sysctl -A | grep rp_filter`.
> > >>>> 
> > >>>> I suspect that at least the rp_filter needs to be set to 2.
> > >>> 
> > >>> I just set all interfaces to 2, still no go.
> > >>> 
> > >>> 
> > >>> 
> > >>> root@titan:~# ip address
> > >>> 1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 65536 qdisc noqueue qlen 1
> > >>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > >>>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> > >>>        valid_lft forever preferred_lft forever
> > >>>     inet6 ::1/128 scope host
> > >>>        valid_lft forever preferred_lft forever
> > >>> 2: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
> > >>>     link/void
> > >>> 3: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
> > >>>     link/ether a0:63:91:ea:2e:14 brd ff:ff:ff:ff:ff:ff
> > >>>     inet6 fe80::a263:91ff:feea:2e14/64 scope link
> > >>>        valid_lft forever preferred_lft forever
> > >>> 4: vlan1@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue master br0
> > >>>     link/ether a0:63:91:ea:2e:14 brd ff:ff:ff:ff:ff:ff
> > >>>     inet6 fe80::a263:91ff:feea:2e14/64 scope link
> > >>>        valid_lft forever preferred_lft forever
> > >>> 5: vlan2@eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
> > >>>     link/ether a0:63:91:ea:2e:15 brd ff:ff:ff:ff:ff:ff
> > >>>     inet 192.168.5.254/24 brd 192.168.5.255 scope global vlan2:0
> > >>>        valid_lft forever preferred_lft forever
> > >>>     inet6 fe80::a263:91ff:feea:2e15/64 scope link
> > >>>        valid_lft forever preferred_lft forever
> > >>> 6: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel master br0 qlen 1000
> > >>>     link/ether a0:63:91:ea:2e:16 brd ff:ff:ff:ff:ff:ff
> > >>>     inet6 fe80::a263:91ff:feea:2e16/64 scope link
> > >>>        valid_lft forever preferred_lft forever
> > >>> 7: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel master br0 qlen 1000
> > >>>     link/ether a0:63:91:ea:2e:17 brd ff:ff:ff:ff:ff:ff
> > >>>     inet6 fe80::a263:91ff:feea:2e17/64 scope link
> > >>>        valid_lft forever preferred_lft forever
> > >>> 9: wl0.1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
> > >>>     link/ether a2:63:91:ea:2e:17 brd ff:ff:ff:ff:ff:ff
> > >>>     inet 192.168.10.1/24 brd 192.168.10.255 scope global wl0.1
> > >>>        valid_lft forever preferred_lft forever
> > >>>     inet6 fe80::a063:91ff:feea:2e17/64 scope link
> > >>>        valid_lft forever preferred_lft forever
> > >>> 10: wl1.1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen 1000
> > >>>     link/ether a2:63:91:ea:2e:18 brd ff:ff:ff:ff:ff:ff
> > >>>     inet 192.168.9.1/24 brd 192.168.9.255 scope global wl1.1
> > >>>        valid_lft forever preferred_lft forever
> > >>>     inet6 fe80::a063:91ff:feea:2e18/64 scope link
> > >>>        valid_lft forever preferred_lft forever
> > >>> 12: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue qlen 1000
> > >>>     link/ether a0:63:91:ea:2e:16 brd ff:ff:ff:ff:ff:ff
> > >>>     inet 169.254.255.1/16 brd 169.254.255.255 scope global br0:0
> > >>>        valid_lft forever preferred_lft forever
> > >>>     inet 192.168.0.1/24 brd 192.168.0.255 scope global br0
> > >>>        valid_lft forever preferred_lft forever
> > >>>     inet6 fe80::a263:91ff:feea:2e16/64 scope link
> > >>>        valid_lft forever preferred_lft forever
> > >>> 13: ppp0: <POINTOPOINT,MULTICAST,UP,10000> mtu 1492 qdisc fq_codel qlen 3
> > >>>     link/ppp
> > >>>     inet 87.168.251.19 peer 62.155.242.107/32 brd 87.168.251.19 scope global ppp0
> > >>>        valid_lft forever preferred_lft forever
> > >>> root@titan:~# ip route show table all
> > >>> 192.168.0.121 via 62.155.242.107 dev ppp0  table 220  proto static  src 192.168.0.1
> > >>> default via 62.155.242.107 dev ppp0
> > >>> 62.155.242.107 dev ppp0  proto kernel  scope link  src 87.168.251.19
> > >>> 127.0.0.0/8 dev lo  scope link
> > >>> 169.254.0.0/16 dev br0  proto kernel  scope link  src 169.254.255.1
> > >>> 192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.1
> > >>> 192.168.5.0/24 dev vlan2  proto kernel  scope link  src 192.168.5.254
> > >>> 192.168.9.0/24 dev wl1.1  proto kernel  scope link  src 192.168.9.1
> > >>> 192.168.10.0/24 dev wl0.1  proto kernel  scope link  src 192.168.10.1
> > >>> local 87.168.251.19 dev ppp0  table local  proto kernel  scope host  src 87.168.251.19
> > >>> broadcast 87.168.251.19 dev ppp0  table local  proto kernel  scope link  src 87.168.251.19
> > >>> broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1
> > >>> local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1
> > >>> local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1
> > >>> broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1
> > >>> broadcast 169.254.0.0 dev br0  table local  proto kernel  scope link  src 169.254.255.1
> > >>> local 169.254.255.1 dev br0  table local  proto kernel  scope host  src 169.254.255.1
> > >>> broadcast 169.254.255.255 dev br0  table local  proto kernel  scope link  src 169.254.255.1
> > >>> broadcast 192.168.0.0 dev br0  table local  proto kernel  scope link  src 192.168.0.1
> > >>> local 192.168.0.1 dev br0  table local  proto kernel  scope host  src 192.168.0.1
> > >>> broadcast 192.168.0.255 dev br0  table local  proto kernel  scope link  src 192.168.0.1
> > >>> broadcast 192.168.5.0 dev vlan2  table local  proto kernel  scope link  src 192.168.5.254
> > >>> local 192.168.5.254 dev vlan2  table local  proto kernel  scope host  src 192.168.5.254
> > >>> broadcast 192.168.5.255 dev vlan2  table local  proto kernel  scope link  src 192.168.5.254
> > >>> broadcast 192.168.9.0 dev wl1.1  table local  proto kernel  scope link  src 192.168.9.1
> > >>> local 192.168.9.1 dev wl1.1  table local  proto kernel  scope host  src 192.168.9.1
> > >>> broadcast 192.168.9.255 dev wl1.1  table local  proto kernel  scope link  src 192.168.9.1
> > >>> broadcast 192.168.10.0 dev wl0.1  table local  proto kernel  scope link  src 192.168.10.1
> > >>> local 192.168.10.1 dev wl0.1  table local  proto kernel  scope host  src 192.168.10.1
> > >>> broadcast 192.168.10.255 dev wl0.1  table local  proto kernel  scope link  src 192.168.10.1
> > >>> unreachable default dev lo  table unspec  proto kernel  metric -1  error -101
> > >>> fe80::/64 dev eth0  proto kernel  metric 256
> > >>> fe80::/64 dev vlan1  proto kernel  metric 256
> > >>> fe80::/64 dev br0  proto kernel  metric 256
> > >>> fe80::/64 dev eth1  proto kernel  metric 256
> > >>> fe80::/64 dev wl0.1  proto kernel  metric 256
> > >>> fe80::/64 dev eth2  proto kernel  metric 256
> > >>> fe80::/64 dev wl1.1  proto kernel  metric 256
> > >>> fe80::/64 dev vlan2  proto kernel  metric 256
> > >>> unreachable default dev lo  table unspec  proto kernel  metric -1  error -101
> > >>> local ::1 dev lo  table local  proto none  metric 0
> > >>> local fe80::a063:91ff:feea:2e17 dev lo  table local  proto none  metric 0
> > >>> local fe80::a063:91ff:feea:2e18 dev lo  table local  proto none  metric 0
> > >>> local fe80::a263:91ff:feea:2e14 dev lo  table local  proto none  metric 0
> > >>> local fe80::a263:91ff:feea:2e14 dev lo  table local  proto none  metric 0
> > >>> local fe80::a263:91ff:feea:2e15 dev lo  table local  proto none  metric 0
> > >>> local fe80::a263:91ff:feea:2e16 dev lo  table local  proto none  metric 0
> > >>> local fe80::a263:91ff:feea:2e16 dev lo  table local  proto none  metric 0
> > >>> local fe80::a263:91ff:feea:2e17 dev lo  table local  proto none  metric 0
> > >>> ff00::/8 dev eth0  table local  metric 256
> > >>> ff00::/8 dev vlan1  table local  metric 256
> > >>> ff00::/8 dev br0  table local  metric 256
> > >>> ff00::/8 dev eth1  table local  metric 256
> > >>> ff00::/8 dev wl0.1  table local  metric 256
> > >>> ff00::/8 dev eth2  table local  metric 256
> > >>> ff00::/8 dev wl1.1  table local  metric 256
> > >>> ff00::/8 dev vlan2  table local  metric 256
> > >>> unreachable default dev lo  table unspec  proto kernel  metric -1  error -101
> > >>> root@titan:~# ip rule
> > >>> 0:      from all lookup local
> > >>> 220:    from all lookup 220
> > >>> 32766:  from all lookup main
> > >>> 32767:  from all lookup default
> > >>> root@titan:~# sysctl -A | grep rp_filter
> > >>> net.ipv4.conf.all.arp_filter = 0
> > >>> net.ipv4.conf.all.rp_filter = 2
> > >>> net.ipv4.conf.br0.arp_filter = 0
> > >>> net.ipv4.conf.br0.rp_filter = 2
> > >>> net.ipv4.conf.default.arp_filter = 0
> > >>> net.ipv4.conf.default.rp_filter = 2
> > >>> net.ipv4.conf.eth0.arp_filter = 0
> > >>> net.ipv4.conf.eth0.rp_filter = 2
> > >>> net.ipv4.conf.eth1.arp_filter = 0
> > >>> net.ipv4.conf.eth1.rp_filter = 2
> > >>> net.ipv4.conf.eth2.arp_filter = 0
> > >>> net.ipv4.conf.eth2.rp_filter = 2
> > >>> net.ipv4.conf.lo.arp_filter = 0
> > >>> net.ipv4.conf.lo.rp_filter = 2
> > >>> net.ipv4.conf.ppp0.arp_filter = 0
> > >>> net.ipv4.conf.ppp0.rp_filter = 2
> > >>> net.ipv4.conf.teql0.arp_filter = 0
> > >>> net.ipv4.conf.teql0.rp_filter = 2
> > >>> net.ipv4.conf.vlan1.arp_filter = 0
> > >>> net.ipv4.conf.vlan1.rp_filter = 2
> > >>> net.ipv4.conf.vlan2.arp_filter = 0
> > >>> net.ipv4.conf.vlan2.rp_filter = 2
> > >>> net.ipv4.conf.wl0.1.arp_filter = 0
> > >>> net.ipv4.conf.wl0.1.rp_filter = 2
> > >>> net.ipv4.conf.wl1.1.arp_filter = 0
> > >>> net.ipv4.conf.wl1.1.rp_filter = 2
> > >>> 
> > >>>>> Just a dynamic ip, who cares.
> > >>>> 
> > >>>> Enough people that it's RFC'd[1].
> > >>> 
> > >>> Sure but it doesn't hurt and makes sure you got the right info.
> > >>> 
> > >>>> Kind regards
> > >>>> 
> > >>>> Noel
> > >>>> 
> > >>>> [1] https://tools.ietf.org/html/rfc1918#section-3
> > >>>> 
> > >>>> On 05.09.2017 11:06, Ric S wrote:
> > >>>>> Current configs now:
> > >>>>> 
> > >>>>> strongswan.conf:
> > >>>>> 
> > >>>>> charon {
> > >>>>>     plugins {
> > >>>>>         dhcp {
> > >>>>>             force_server_address = yes
> > >>>>>             server = 192.168.0.1
> > >>>>>             identity_lease = yes
> > >>>>>         }
> > >>>>>         farp {
> > >>>>>             load = yes
> > >>>>>         }
> > >>>>>     }
> > >>>>> }
> > >>>>> 
> > >>>>> dns1 = 8.8.8.8
> > >>>>> dns1 = 8.8.8.4
> > >>>>> 
> > >>>>> ipsec.conf:
> > >>>>> 
> > >>>>> config setup
> > >>>>>  charondebug="net 2, knl 2, cfg 2"
> > >>>>> 
> > >>>>> conn ikev2
> > >>>>>  keyexchange=ikev2
> > >>>>>  ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes2
> > >>>>>  esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm
> > >>>>>  dpdaction=clear
> > >>>>>  dpddelay=60s
> > >>>>>  leftfirewall=yes
> > >>>>>  lefthostaccess=yes
> > >>>>>  leftid=carone.ddns.net
> > >>>>>  leftsubnet=192.168.0.0/24
> > >>>>>  leftcert=host-vpn.der
> > >>>>>  leftsendcert=always
> > >>>>>  right=%any
> > >>>>>  rightauth=eap-tls
> > >>>>>  rightsourceip=%dhcp
> > >>>>>  eap_identity=%any
> > >>>>>  auto=add
> > >>>>> 
> > >>>>> On Tuesday, 5 September 2017 04:54:31 CEST you wrote:
> > >>>>>> Hi,
> > >>>>>> 
> > >>>>>>> type=passthrough
> > >>>>> 
> > >>>>> Removed it, also did not use it previous attempts.
> > >>>>> 
> > >>>>>> You're sabotaging yourself. There is no IPsec processing happening
> > >>>>>> with
> > >>>>>> type=passthrough
> > >>>>>> 
> > >>>>>>> threads = 8
> > >>>>> 
> > >>>>> Removed.
> > >>>>> 
> > >>>>>> You're doing it again. That can lock up the daemon later. Don't do
> > >>>>>> that.
> > >>>>>> Luckily, the setting is outside the valid configuration block, so
> > >>>>>> it's
> > >>>>>> invalid and ignored.
> > >>>>>> 
> > >>>>>>> interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
> > >>>>> 
> > >>>>> I removed it. Just for the record these are my interfaces:
> > >>>>> 
> > >>>>> ifconfig
> > >>>>> br0       Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
> > >>>>>           inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
> > >>>>>           inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
> > >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >>>>>           RX packets:5108 errors:0 dropped:0 overruns:0 frame:0
> > >>>>>           TX packets:4497 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>>           collisions:0 txqueuelen:1000
> > >>>>>           RX bytes:585507 (571.7 KiB)  TX bytes:3738948 (3.5 MiB)
> > >>>>> 
> > >>>>> br0:0     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
> > >>>>>           inet addr:169.254.255.1  Bcast:169.254.255.255  Mask:255.255.0.0
> > >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >>>>> 
> > >>>>> eth0      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:14
> > >>>>>           inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
> > >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >>>>>           RX packets:12075 errors:0 dropped:0 overruns:0 frame:0
> > >>>>>           TX packets:12590 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>>           collisions:0 txqueuelen:1000
> > >>>>>           RX bytes:1941972 (1.8 MiB)  TX bytes:9910375 (9.4 MiB)
> > >>>>>           Interrupt:179 Base address:0x4000
> > >>>>> 
> > >>>>> eth1      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:16
> > >>>>>           inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
> > >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >>>>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:7541
> > >>>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>>           collisions:0 txqueuelen:1000
> > >>>>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> > >>>>>           Interrupt:163
> > >>>>> 
> > >>>>> eth2      Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:17
> > >>>>>           inet6 addr: fe80::a263:91ff:feea:2e17/64 Scope:Link
> > >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >>>>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > >>>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>>           collisions:0 txqueuelen:1000
> > >>>>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> > >>>>>           Interrupt:169
> > >>>>> 
> > >>>>> lo        Link encap:Local Loopback
> > >>>>>           inet addr:127.0.0.1  Mask:255.0.0.0
> > >>>>>           inet6 addr: ::1/128 Scope:Host
> > >>>>>           UP LOOPBACK RUNNING MULTICAST  MTU:65536  Metric:1
> > >>>>>           RX packets:425 errors:0 dropped:0 overruns:0 frame:0
> > >>>>>           TX packets:425 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>>           collisions:0 txqueuelen:1
> > >>>>>           RX bytes:53057 (51.8 KiB)  TX bytes:53057 (51.8 KiB)
> > >>>>> 
> > >>>>> ppp0      Link encap:Point-to-Point Protocol
> > >>>>>           inet addr:87.168.251.19  P-t-P:62.155.242.107  Mask:255.255.255.255
> > >>>>>           UP POINTOPOINT RUNNING MULTICAST  MTU:1492  Metric:1
> > >>>>>           RX packets:1010 errors:0 dropped:0 overruns:0 frame:0
> > >>>>>           TX packets:1092 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>>           collisions:0 txqueuelen:3
> > >>>>>           RX bytes:470447 (459.4 KiB)  TX bytes:160357 (156.5 KiB)
> > >>>>> 
> > >>>>> vlan1     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:14
> > >>>>>           inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
> > >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >>>>>           RX packets:9247 errors:0 dropped:0 overruns:0 frame:0
> > >>>>>           TX packets:9767 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>>           collisions:0 txqueuelen:0
> > >>>>>           RX bytes:759337 (741.5 KiB)  TX bytes:9462367 (9.0 MiB)
> > >>>>> 
> > >>>>> vlan2     Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:15
> > >>>>>           inet6 addr: fe80::a263:91ff:feea:2e15/64 Scope:Link
> > >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >>>>>           RX packets:2828 errors:0 dropped:3 overruns:0 frame:0
> > >>>>>           TX packets:2815 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>>           collisions:0 txqueuelen:0
> > >>>>>           RX bytes:916985 (895.4 KiB)  TX bytes:397032 (387.7 KiB)
> > >>>>> 
> > >>>>> vlan2:0   Link encap:Ethernet  HWaddr A0:XX:XX:XX:XX:15
> > >>>>>           inet addr:192.168.5.254  Bcast:192.168.5.255  Mask:255.255.255.0
> > >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >>>>> 
> > >>>>> wl0.1     Link encap:Ethernet  HWaddr A2:XX:XX:XX:XX:17
> > >>>>>           inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
> > >>>>>           inet6 addr: fe80::a063:91ff:feea:2e17/64 Scope:Link
> > >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >>>>>           RX packets:3615 errors:0 dropped:5 overruns:0 frame:7541
> > >>>>>           TX packets:3989 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>>           collisions:0 txqueuelen:1000
> > >>>>>           RX bytes:538878 (526.2 KiB)  TX bytes:998737 (975.3 KiB)
> > >>>>> 
> > >>>>> wl1.1     Link encap:Ethernet  HWaddr A2:XX:XX:XX:XX:18
> > >>>>>           inet addr:192.168.9.1  Bcast:192.168.9.255  Mask:255.255.255.0
> > >>>>>           inet6 addr: fe80::a063:91ff:feea:2e18/64 Scope:Link
> > >>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >>>>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > >>>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>>           collisions:0 txqueuelen:1000
> > >>>>>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
> > >>>>>> 
> > >>>>>> Unnecessary.
> > >>>>>> 
> > >>>>>>> left=%defaultroute
> > >>>>> 
> > >>>>> Removed.
> > >>>>> 
> > >>>>>> Unnecessary.
> > >>>>>> 
> > >>>>>>> kernel-pfkey
> > >>>>>> 
> > >>>>>> Plugin for the legacy IPsec API. Don't use it.
> > >>>>>> 
> > >>>>>>> ping R6400
> > >>>>>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
> > >>>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
> > >>>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
> > >>>>> 
> > >>>>> Just a dynamic ip, who cares.
> > >>>>> 
> > >>>>>> Your next hop is sending that error. You're leaking private addresses
> > >>>>>> into the WAN. That is forbidden. Don't do that.
> > >>>>>> 
> > >>>>>>> Routers iptable output:
> > >>>>>>> 
> > >>>>>>> iptables -vnL
> > >>>>>> 
> > >>>>>> The output is unusable. Provide the output of `iptables-save`.
> > >>>>> 
> > >>>>> I disabled a few features, e.g. QOS in order to reduce the output
> > >>>>> 
> > >>>>> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
> > >>>>> *raw
> > >>>>> :PREROUTING ACCEPT [12217:1705679]
> > >>>>> :OUTPUT ACCEPT [9354:9118762]
> > >>>>> COMMIT
> > >>>>> # Completed on Tue Sep  5 10:42:27 2017
> > >>>>> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
> > >>>>> *nat
> > >>>>> :PREROUTING ACCEPT [285:28593]
> > >>>>> :INPUT ACCEPT [604:43260]
> > >>>>> :OUTPUT ACCEPT [47:3676]
> > >>>>> :POSTROUTING ACCEPT [47:3676]
> > >>>>> -A PREROUTING -d 87.168.251.19 -p icmp -j DNAT --to-destination 192.168.0.1
> > >>>>> -A PREROUTING -d 87.168.251.19 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
> > >>>>> -A POSTROUTING -o vlan2 -j MASQUERADE
> > >>>>> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
> > >>>>> -A POSTROUTING -m mark  --mark0x80000000/0x80000000 -j MASQUERADE
> > >>>>> -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
> > >>>>> -A POSTROUTING -s 192.168.9.0/255.255.255.0 -o ppp0 -j SNAT --to-source 87.168.251.19
> > >>>>> COMMIT
> > >>>>> # Completed on Tue Sep  5 10:42:27 2017
> > >>>>> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
> > >>>>> *mangle
> > >>>>> :PREROUTING ACCEPT [3009:537902]
> > >>>>> :INPUT ACCEPT [8937:741571]
> > >>>>> :FORWARD ACCEPT [2521:798226]
> > >>>>> :OUTPUT ACCEPT [2190:2277003]
> > >>>>> :POSTROUTING ACCEPT [11882:9919352]
> > >>>>> -A PREROUTING -d 87.168.251.19 -i ! ppp0 -j MARK  --set-xmark 0x80000000/0x80000000
> > >>>>> -A PREROUTING -j CONNMARK --save-mark
> > >>>>> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> > >>>>> COMMIT
> > >>>>> # Completed on Tue Sep  5 10:42:27 2017
> > >>>>> # Generated by iptables-save v1.3.7 on Tue Sep  5 10:42:27 2017
> > >>>>> *filter
> > >>>>> :INPUT ACCEPT [0:0]
> > >>>>> :FORWARD ACCEPT [0:0]
> > >>>>> :OUTPUT ACCEPT [111:17285]
> > >>>>> :advgrp_1 - [0:0]
> > >>>>> :advgrp_10 - [0:0]
> > >>>>> :advgrp_2 - [0:0]
> > >>>>> :advgrp_3 - [0:0]
> > >>>>> :advgrp_4 - [0:0]
> > >>>>> :advgrp_5 - [0:0]
> > >>>>> :advgrp_6 - [0:0]
> > >>>>> :advgrp_7 - [0:0]
> > >>>>> :advgrp_8 - [0:0]
> > >>>>> :advgrp_9 - [0:0]
> > >>>>> :grp_1 - [0:0]
> > >>>>> :grp_10 - [0:0]
> > >>>>> :grp_2 - [0:0]
> > >>>>> :grp_3 - [0:0]
> > >>>>> :grp_4 - [0:0]
> > >>>>> :grp_5 - [0:0]
> > >>>>> :grp_6 - [0:0]
> > >>>>> :grp_7 - [0:0]
> > >>>>> :grp_8 - [0:0]
> > >>>>> :grp_9 - [0:0]
> > >>>>> :lan2wan - [0:0]
> > >>>>> :logaccept - [0:0]
> > >>>>> :logdrop - [0:0]
> > >>>>> :logreject - [0:0]
> > >>>>> :trigger_out - [0:0]
> > >>>>> -A INPUT -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > >>>>> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
> > >>>>> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > >>>>> -A INPUT -s 66.220.2.74 -p icmp -j ACCEPT
> > >>>>> -A INPUT -m state --state RELATED,ESTABLISHED -j logaccept
> > >>>>> -A INPUT -i ppp0 -p udp -m udp --dport 520 -j logdrop
> > >>>>> -A INPUT -i br0 -p udp -m udp --dport 520 -j logdrop
> > >>>>> -A INPUT -p udp -m udp --dport 520 -j logaccept
> > >>>>> -A INPUT -i br0 -j logaccept
> > >>>>> -A INPUT -i ppp0 -p icmp -j logdrop
> > >>>>> -A INPUT -p igmp -j logdrop
> > >>>>> -A INPUT -i lo -m state --state NEW -j ACCEPT
> > >>>>> -A INPUT -i br0 -m state --state NEW -j logaccept
> > >>>>> -A INPUT -i wl0.1 -p udp -m udp --dport 67 -j logaccept
> > >>>>> -A INPUT -i wl0.1 -p udp -m udp --dport 53 -j logaccept
> > >>>>> -A INPUT -i wl0.1 -p tcp -m tcp --dport 53 -j logaccept
> > >>>>> -A INPUT -i wl0.1 -m state --state NEW -j logdrop
> > >>>>> -A INPUT -i wl0.1 -j logaccept
> > >>>>> -A INPUT -i wl1.1 -p udp -m udp --dport 67 -j logaccept
> > >>>>> -A INPUT -i wl1.1 -p udp -m udp --dport 53 -j logaccept
> > >>>>> -A INPUT -i wl1.1 -p tcp -m tcp --dport 53 -j logaccept
> > >>>>> -A INPUT -i wl1.1 -m state --state NEW -j logdrop
> > >>>>> -A INPUT -i wl1.1 -j logaccept
> > >>>>> -A INPUT -j logdrop
> > >>>>> -A FORWARD -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > >>>>> -A FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > >>>>> -A FORWARD -s 192.168.0.10 -d 194.25.134.46 -j ACCEPT
> > >>>>> -A FORWARD -s 192.168.0.10 -d 194.25.134.110 -j ACCEPT
> > >>>>> -A FORWARD -s 192.168.0.10 -j LOG
> > >>>>> -A FORWARD -s 192.168.0.10 -j DROP
> > >>>>> -A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
> > >>>>> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl1.1 -m state --state NEW -j logdrop
> > >>>>> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl0.1 -m state --state NEW -j logdrop
> > >>>>> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p gre -j logaccept
> > >>>>> -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p tcp -m tcp --dport 1723 -j logaccept
> > >>>>> -A FORWARD -i wl0.1 -j logaccept
> > >>>>> -A FORWARD -i wl1.1 -j logaccept
> > >>>>> -A FORWARD -j lan2wan
> > >>>>> -A FORWARD -i br0 -o br0 -j logaccept
> > >>>>> -A FORWARD -i br0 -o ppp0 -j logaccept
> > >>>>> -A FORWARD -i ppp0 -o br0 -j TRIGGER --trigger-proto --trigger-match 0-0 --trigger-relate 0-0
> > >>>>> -A FORWARD -i br0 -j trigger_out
> > >>>>> -A FORWARD -i br0 -o wl0.1 -m state --state NEW -j logdrop
> > >>>>> -A FORWARD -i br0 -o wl1.1 -m state --state NEW -j logdrop
> > >>>>> -A FORWARD -i br0 -m state --state NEW -j logaccept
> > >>>>> -A FORWARD -j logdrop
> > >>>>> -A OUTPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > >>>>> -A OUTPUT -o br0 -j logaccept
> > >>>>> -A logaccept -j ACCEPT
> > >>>>> -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
> > >>>>> -A logdrop -m state --state INVALID -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
> > >>>>> -A logdrop -j DROP
> > >>>>> -A logreject -j LOG --log-prefix "WEBDROP " --log-tcp-sequence --log-tcp-options --log-ip-options
> > >>>>> -A logreject -p tcp -j REJECT --reject-with tcp-reset
> > >>>>> COMMIT
> > >>>>> # Completed on Tue Sep  5 10:42:27 2017
> > >>>>> 
> > >>>>>>> I have tried so many things, but still cannot ping from either side or access any local machines.
> > >>>>>>> Does anyone have a clue? Can I provide additional info?
> > >>>>>> 
> > >>>>>> You're having no success because you're trying random shit from the Internet. About 99,999% of the strongSwan related information on third party sites is either wrong or of questionable quality. Don't get your information from any place but the project's website.
> > >>>>> 
> > >>>>> Well that's what I did in the first place and it also lacks info, e.g. it did not list all of the required kernel modules; it took me a bit to find out which modules it needs, as it did not complain at startup but requested features at runtime which were not there, e.g. a STD RNG.
> > >>>>> 
> > >>>>> 
> > >>>>> Thanks for any hints, hope the above info helps.
> > >>>>> 
> > >>>>> Cheers Richard
> > >>>>> 
> > >>>>>> Kind regards
> > >>>>>> 
> > >>>>>> Noel
> > >>>>>> 
> > >>>>>> On 5 September 2017 at 00:53:20 MESZ, Ric S <burj-al-arab at gmx.de> wrote:
> > >>>>>>> Hi folks,
> > >>>>>>> 
> > >>>>>>> I have been ripping my hair out with this issue.
> > >>>>>>> 
> > >>>>>>> I'm running strongswan 5.5.3 on a router. The router's LAN subnet is 192.168.0.1/24.
> > >>>>>>> I can successfully connect to it with an iPad with ikev2 and surf the internet, but I cannot reach any internal machines.
> > >>>>>>> 
> > >>>>>>> My config is the following:
> > >>>>>>> 
> > >>>>>>> ipsec.conf:
> > >>>>>>> 
> > >>>>>>> config setup
> > >>>>>>> 
> > >>>>>>> charondebug="net 2, knl 2, cfg 2"
> > >>>>>>> 
> > >>>>>>> conn ikev2
> > >>>>>>> 
> > >>>>>>> keyexchange=ikev2
> > >>>>>>> 
> > >>>>>>> ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes1
> > >>>>>>> esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128
> > >>>>>>> 
> > >>>>>>> dpdaction=clear
> > >>>>>>> dpddelay=60s
> > >>>>>>> left=%defaultroute
> > >>>>>>> leftfirewall=yes
> > >>>>>>> lefthostaccess=yes
> > >>>>>>> leftid=myname.ddns.net
> > >>>>>>> leftsubnet=192.168.0.0/24
> > >>>>>>> leftcert=host-vpn.der
> > >>>>>>> leftsendcert=always
> > >>>>>>> right=%any
> > >>>>>>> rightauth=eap-tls
> > >>>>>>> rightsourceip=%dhcp
> > >>>>>>> eap_identity=%any
> > >>>>>>> type=passthrough
> > >>>>>>> auto=add
> > >>>>>>> 
> > >>>>>>> strongswan.conf:
> > >>>>>>> 
> > >>>>>>> charon {
> > >>>>>>>     interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
> > >>>>>>>     plugins {
> > >>>>>>>         dhcp {
> > >>>>>>>             force_server_address = yes
> > >>>>>>>             server = 192.168.0.1
> > >>>>>>>             identity_lease = yes
> > >>>>>>>         }
> > >>>>>>>         farp {
> > >>>>>>>             load = yes
> > >>>>>>>         }
> > >>>>>>>     }
> > >>>>>>> }
> > >>>>>>> 
> > >>>>>>> threads = 8
> > >>>>>>> dns1 = 8.8.8.8
> > >>>>>>> dns1 = 8.8.8.4
> > >>>>>>> 
> > >>>>>>> 
> > >>>>>>> 
> > >>>>>>> Status:
> > >>>>>>> 
> > >>>>>>> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.80, armv7l):
> > >>>>>>>   uptime: 14 minutes, since Sep 05 00:09:53 2017
> > >>>>>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
> > >>>>>>>   loaded plugins: charon test-vectors aes des blowfish rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac hmac sqlite attr kernel-pfkey kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-aka eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck
> > >>>>>>> 
> > >>>>>>> Listening IP addresses:
> > >>>>>>>  169.254.255.1
> > >>>>>>>  192.168.0.1
> > >>>>>>>  87.168.243.83
> > >>>>>>> 
> > >>>>>>> Connections:
> > >>>>>>>        ikev2:  %any...%any  IKEv2, dpddelay=60s
> > >>>>>>>        ikev2:   local:  [myname.ddns.net] uses public key authentication
> > >>>>>>>        ikev2:    cert:  "C=DE, O=MYORG, CN=myname.ddns.net"
> > >>>>>>>        ikev2:   remote: uses EAP_TLS authentication with EAP identity '%any'
> > >>>>>>>        ikev2:   child:  192.168.0.0/24 === dynamic PASS, dpdaction=clear
> > >>>>>>> 
> > >>>>>>> Security Associations (1 up, 0 connecting):
> > >>>>>>>        ikev2[6]: ESTABLISHED 11 seconds ago, 87.168.243.83[myname.ddns.net]...109.43.1.19[R6400]
> > >>>>>>>        ikev2[6]: IKEv2 SPIs: 243db36d71718704_i 688c466c497d2b9a_r*, public key reauthentication in 2 hours
> > >>>>>>>        ikev2[6]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> > >>>>>>>        ikev2{4}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c0983fe7_i 04eb0f50_o
> > >>>>>>>        ikev2{4}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 48 minutes
> > >>>>>>>        ikev2{4}:   192.168.0.0/24 === 192.168.0.121/32
> > >>>>>>> 
> > >>>>>>> swanctl --list-sas
> > >>>>>>> ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*
> > >>>>>>>   local  'myname.ddns.net' @ 87.168.243.83[4500]
> > >>>>>>>   remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]
> > >>>>>>>   AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> > >>>>>>>   established 92s ago, reauth in 9765s
> > >>>>>>>   ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
> > >>>>>>>     installed 89s ago, rekeying in 2800s, expires in 3511s
> > >>>>>>>     in  c0983fe7,      0 bytes,     0 packets
> > >>>>>>>     out 04eb0f50,      0 bytes,     0 packets
> > >>>>>>>     local  192.168.0.0/24
> > >>>>>>>     remote 192.168.0.121/32
> > >>>>>>> 
> > >>>>>>> ip route list table 220
> > >>>>>>> 192.168.0.121 via 62.155.242.107 dev ppp0  proto static  src 192.168.0.1
> > >>>>>>> 
> > >>>>>>> FARP seems to work, this is a ping from one of the local machines:
> > >>>>>>> 
> > >>>>>>> ping R6400
> > >>>>>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
> > >>>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host Unreachable
> > >>>>>>> From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host Unreachable
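As an added example (not from the thread or from the strongSwan project), a small Python checker that parses the `-m policy --reqid ... -j ACCEPT` rules from the quoted iptables-save dump and the CHILD_SAs from the quoted `swanctl --list-sas` output, then flags SAs whose reqid has no matching in/out rule and installed SAs that show 0 bytes in both directions. The inputs are constructed excerpts of the output quoted above; the rule shape is the one visible in that dump.

```python
import re
# Constructed sample input: excerpts of the iptables-save output and the
# `swanctl --list-sas` output quoted in this thread (not the full dumps).
IPTABLES_SAVE = """\
-A FORWARD -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A OUTPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
"""
SWANCTL_LIST_SAS = """\
ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i 688c466c497d2b9a_r*
  ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 89s ago, rekeying in 2800s, expires in 3511s
    in  c0983fe7,      0 bytes,     0 packets
    out 04eb0f50,      0 bytes,     0 packets
"""
POLICY_RULE = re.compile(r"-m policy --dir (in|out) --pol ipsec --reqid (\d+) --proto esp -j ACCEPT")
CHILD_SA = re.compile(r"#(\d+), reqid (\d+), (\w+),")
# "installed 89s ago" must not match: the \s+ after (in|out) rejects it.
COUNTERS = re.compile(r"^\s*(in|out)\s+[0-9a-f]+,\s+(\d+) bytes,\s+(\d+) packets")

def policy_reqids(iptables_save):
    """Map each reqid to the set of directions ('in'/'out') that have an ESP policy-match ACCEPT rule."""
    rules = {}
    for direction, reqid in POLICY_RULE.findall(iptables_save):
        rules.setdefault(int(reqid), set()).add(direction)
    return rules

def child_sas(swanctl_output):
    """Collect each CHILD_SA (id, reqid, state) and its in/out byte counters from swanctl output."""
    sas = []
    for line in swanctl_output.splitlines():
        m = CHILD_SA.search(line)
        if m:
            sas.append({"id": int(m.group(1)), "reqid": int(m.group(2)),
                        "state": m.group(3), "in": None, "out": None})
            continue
        m = COUNTERS.match(line)
        if m and sas:
            sas[-1][m.group(1)] = int(m.group(2))
    return sas

def audit(iptables_save, swanctl_output):
    """Report CHILD_SAs whose reqid lacks an in or out ACCEPT rule, and installed SAs carrying no traffic."""
    rules = policy_reqids(iptables_save)
    findings = []
    for sa in child_sas(swanctl_output):
        missing = sorted({"in", "out"} - rules.get(sa["reqid"], set()))
        if missing:
            findings.append(f"CHILD_SA #{sa['id']} reqid {sa['reqid']}: no policy-match ACCEPT rule for {missing}")
        if sa["state"] == "INSTALLED" and sa["in"] == 0 and sa["out"] == 0:
            findings.append(f"CHILD_SA #{sa['id']} reqid {sa['reqid']}: installed but 0 bytes in both directions")
    return findings
```

On a live router the two inputs would come from `iptables-save` and `swanctl --list-sas`; a reqid with no rule after a rekey or reconnect is a quick thing to rule out before digging into the XFRM counters.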