[strongSwan] Cannot ping machines on remote local network
Ric S
burj-al-arab at gmx.de
Wed Sep 6 15:55:48 CEST 2017
Update, I compiled kernel wih xfrm stats and noticed, the error
XfrmInStateProtoError, increases by one for each ping, so the issue must be in
this area, what could be the cause for this:
cat /proc/net/xfrm_stat
XfrmInError 0
XfrmInBufferError 0
XfrmInHdrError 0
XfrmInNoStates 0
XfrmInStateProtoError 13
XfrmInStateModeError 0
XfrmInStateSeqError 0
XfrmInStateExpired 0
XfrmInStateMismatch 0
XfrmInStateInvalid 0
XfrmInTmplMismatch 0
XfrmInNoPols 0
XfrmInPolBlock 0
XfrmInPolError 0
XfrmOutError 0
XfrmOutBundleGenError 0
XfrmOutBundleCheckError 0
XfrmOutNoStates 0
XfrmOutStateProtoError 0
XfrmOutStateModeError 0
XfrmOutStateSeqError 0
XfrmOutStateExpired 0
XfrmOutPolBlock 0
XfrmOutPolDead 0
XfrmOutPolError 0
XfrmFwdHdrError 0
XfrmOutStateInvalid 0
XfrmAcquireError 0
swanctl --list-sas
ikev2: #2, ESTABLISHED, IKEv2, ff455cdb92936f01_i b37e2279167e23ed_r*
local 'myname.ddns.net' @ 87.168.XXX.XXX[4500]
remote 'R6400' @ XX.XX.1.5[50455] [192.168.0.121]
AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
established 41s ago, reauth in 9733s
ikev2: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/
HMAC_SHA2_256_128
installed 37s ago, rekeying in 2798s, expires in 3563s
in cc231009, 0 bytes, 0 packets
out 05998a07, 0 bytes, 0 packets
local 192.168.0.0/24
remote 192.168.0.121/32
Also I gave wrong info before neither Win7 or iOS can surf the internet
through the tunnel. iOS obviously bypasses the vpn, as I see no outgoing
connections on the routers wan to a specific adress I contact from iOS.
So basically the only thing going through is the tunnel connection esp traffic
On Mittwoch, 6. September 2017 00:05:23 CEST Ric S wrote:
> On Dienstag, 5. September 2017 16:36:30 CEST Noel Kuntze wrote:
> > Hi,
> >
> > See the article about forwarding[1] that I linked previously.
>
> I have done some more experimenting. It is really strange, right after the
> connection established I get a few pings through, but they stop after 3 or 4
> pings, then maybe one in a few minutes goes through.
>
> Very strange. I also notice, that after a while I cannot esatblish a
> connection to the router, until I request a new IP. Just like traffic is
> intercepted by the ISP.
>
> But since the Test is done with a LTE modem, thus want to see next week, if
> I get the same results on a regular line.
>
> > Kind regards
> >
> > Noel
> >
> > [1]
> > https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTun
> > n
> > eling#MTUMSS-issues
> >
> > On 05.09.2017 16:33, Ric S wrote:
> > > On Dienstag, 5. September 2017 12:36:47 CEST Noel Kuntze wrote:
> > >> Hi,
> > >>
> > >> I just noticed that your NAT rules cause problems if you try to
> > >> initiate
> > >> connections to the RW, too. Read and apply the advice from the article
> > >> about NAT problems[1].
> > >
> > > I added :
> > >
> > > iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
> > >
> > > I noticed when I ping the iPad from lan I now see that packages are
> > > matching and ping changes
> > >
> > > Chain POSTROUTING (policy ACCEPT 1320 packets, 89681 bytes)
> > >
> > > pkts bytes target prot opt in out source
> > > destination>
> > >
> > > 1 84 ACCEPT 0 -- * * 0.0.0.0/0
> > > 0.0.0.0/0 policy match dir out pol ipsec>
> > >
> > > before adding the rule:
> > >
> > > ping R6400
> > > PING R6400 (192.168.0.121) 56(84) bytes of data.
> > > From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host
> > > Unreachable From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination
> > > Host Unreachable From 62.155.242.107 (62.155.242.107) icmp_seq=3
> > > Destination Host Unreachable
> > >
> > >
> > > after adding the rule:
> > >
> > > ping R6400
> > > PING R6400 (192.168.0.121) 56(84) bytes of data.
> > > hangs here
> > >
> > > Thus this rule most likely is one part of the solution.
> > >
> > > Now I setup a second client, Win7, unlike iOS surfing the net does not
> > > work, and with wireshark I see incoming TCP Retransmissions messages,
> > > looks like there is an issue with mtu/mss? I also managed to get one
> > > ping
> > > through the tunnel to the a lan machine.
> > >
> > > What is the best way to specify mtu sizes etc in strongswan?
> > >
> > >> Kind regards
> > >>
> > >> Noel
> > >>
> > >> [1]
> > >> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplit
> > >> Tu
> > >> nn
> > >> eling#General-NAT-problems
> > >>
> > >> On 05.09.2017 12:32, Ric S wrote:
> > >>> On Dienstag, 5. September 2017 11:28:59 CEST Noel Kuntze wrote:
> > >>>> Hi,
> > >>>>
> > >>>>> ifconfig
> > >>>>
> > >>>> Please don't use the net-tools. Use iproute2. The net-tools are
> > >>>> woefully
> > >>>> inadequate for this day and age. They are deprecated since the early
> > >>>> 2000s.
> > >>>>
> > >>>> Please provide the output of `ip address`, `ip route show table all`,
> > >>>> `ip
> > >>>> rule` and `sysctl -A | grep rp_filter`.
> > >>>>
> > >>>> I suspect that at least the rp_filter needs to be set to 2.
> > >>>
> > >>> I just set all interfaces to 2, still no go.
> > >>>
> > >>>
> > >>>
> > >>> root at titan:~# ip address
> > >>> 1: lo: <LOOPBACK,MULTICAST,UP,10000> mtu 65536 qdisc noqueue qlen 1
> > >>>
> > >>> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > >>> inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> inet6 ::1/128 scope host
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> 2: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
> > >>>
> > >>> link/void
> > >>>
> > >>> 3: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen
> > >>> 1000
> > >>>
> > >>> link/ether a0:63:91:ea:2e:14 brd ff:ff:ff:ff:ff:ff
> > >>> inet6 fe80::a263:91ff:feea:2e14/64 scope link
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> 4: vlan1 at eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
> > >>> master br0>
> > >>>
> > >>> link/ether a0:63:91:ea:2e:14 brd ff:ff:ff:ff:ff:ff
> > >>> inet6 fe80::a263:91ff:feea:2e14/64 scope link
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> 5: vlan2 at eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue
> > >>>
> > >>> link/ether a0:63:91:ea:2e:15 brd ff:ff:ff:ff:ff:ff
> > >>> inet 192.168.5.254/24 brd 192.168.5.255 scope global vlan2:0
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> inet6 fe80::a263:91ff:feea:2e15/64 scope link
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> 6: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel master
> > >>> br0
> > >>> qlen 1000>
> > >>>
> > >>> link/ether a0:63:91:ea:2e:16 brd ff:ff:ff:ff:ff:ff
> > >>> inet6 fe80::a263:91ff:feea:2e16/64 scope link
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> 7: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel master
> > >>> br0
> > >>> qlen 1000>
> > >>>
> > >>> link/ether a0:63:91:ea:2e:17 brd ff:ff:ff:ff:ff:ff
> > >>> inet6 fe80::a263:91ff:feea:2e17/64 scope link
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> 9: wl0.1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen
> > >>> 1000
> > >>>
> > >>> link/ether a2:63:91:ea:2e:17 brd ff:ff:ff:ff:ff:ff
> > >>> inet 192.168.10.1/24 brd 192.168.10.255 scope global wl0.1
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> inet6 fe80::a063:91ff:feea:2e17/64 scope link
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> 10: wl1.1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc fq_codel qlen
> > >>> 1000
> > >>>
> > >>> link/ether a2:63:91:ea:2e:18 brd ff:ff:ff:ff:ff:ff
> > >>> inet 192.168.9.1/24 brd 192.168.9.255 scope global wl1.1
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> inet6 fe80::a063:91ff:feea:2e18/64 scope link
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> 12: br0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue qlen
> > >>> 1000
> > >>>
> > >>> link/ether a0:63:91:ea:2e:16 brd ff:ff:ff:ff:ff:ff
> > >>> inet 169.254.255.1/16 brd 169.254.255.255 scope global br0:0
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> inet 192.168.0.1/24 brd 192.168.0.255 scope global br0
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> inet6 fe80::a263:91ff:feea:2e16/64 scope link
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> 13: ppp0: <POINTOPOINT,MULTICAST,UP,10000> mtu 1492 qdisc fq_codel
> > >>> qlen
> > >>> 3
> > >>>
> > >>> link/ppp
> > >>> inet 87.168.251.19 peer 62.155.242.107/32 brd 87.168.251.19 scope
> > >>> global ppp0>
> > >>>
> > >>> valid_lft forever preferred_lft forever
> > >>>
> > >>> root at titan:~# ip route show table all
> > >>> 192.168.0.121 via 62.155.242.107 dev ppp0 table 220 proto static
> > >>> src
> > >>> 192.168.0.1 default via 62.155.242.107 dev ppp0
> > >>> 62.155.242.107 dev ppp0 proto kernel scope link src 87.168.251.19
> > >>> 127.0.0.0/8 dev lo scope link
> > >>> 169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
> > >>> 192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.1
> > >>> 192.168.5.0/24 dev vlan2 proto kernel scope link src 192.168.5.254
> > >>> 192.168.9.0/24 dev wl1.1 proto kernel scope link src 192.168.9.1
> > >>> 192.168.10.0/24 dev wl0.1 proto kernel scope link src 192.168.10.1
> > >>> local 87.168.251.19 dev ppp0 table local proto kernel scope host
> > >>> src
> > >>> 87.168.251.19 broadcast 87.168.251.19 dev ppp0 table local proto
> > >>> kernel
> > >>>
> > >>> scope link src 87.168.251.19 broadcast 127.0.0.0 dev lo table local
> > >>>
> > >>> proto kernel scope link src 127.0.0.1 local 127.0.0.0/8 dev lo
> > >>> table
> > >>> local proto kernel scope host src 127.0.0.1 local 127.0.0.1 dev lo
> > >>> table local proto kernel scope host src 127.0.0.1 broadcast
> > >>> 127.255.255.255 dev lo table local proto kernel scope link src
> > >>> 127.0.0.1 broadcast 169.254.0.0 dev br0 table local proto kernel
> > >>> scope
> > >>> link src 169.254.255.1 local 169.254.255.1 dev br0 table local
> > >>> proto
> > >>> kernel scope host src 169.254.255.1 broadcast 169.254.255.255 dev
> > >>> br0
> > >>> table local proto kernel scope link src 169.254.255.1 broadcast
> > >>> 192.168.0.0 dev br0 table local proto kernel scope link src
> > >>> 192.168.0.1 local 192.168.0.1 dev br0 table local proto kernel
> > >>> scope
> > >>> host src 192.168.0.1 broadcast 192.168.0.255 dev br0 table local
> > >>> proto
> > >>> kernel scope link src 192.168.0.1 broadcast 192.168.5.0 dev vlan2
> > >>> table local proto kernel scope link src 192.168.5.254 local
> > >>> 192.168.5.254 dev vlan2 table local proto kernel scope host src
> > >>> 192.168.5.254 broadcast 192.168.5.255 dev vlan2 table local proto
> > >>> kernel scope link src 192.168.5.254 broadcast 192.168.9.0 dev wl1.1
> > >>> table local proto kernel scope link src 192.168.9.1 local
> > >>> 192.168.9.1
> > >>> dev wl1.1 table local proto kernel scope host src 192.168.9.1
> > >>> broadcast 192.168.9.255 dev wl1.1 table local proto kernel scope
> > >>> link
> > >>> src 192.168.9.1 broadcast 192.168.10.0 dev wl0.1 table local proto
> > >>> kernel scope link src 192.168.10.1 local 192.168.10.1 dev wl0.1
> > >>> table
> > >>> local proto kernel scope host src 192.168.10.1 broadcast
> > >>> 192.168.10.255 dev wl0.1 table local proto kernel scope link src
> > >>> 192.168.10.1 unreachable default dev lo table unspec proto kernel
> > >>> metric -1 error -101 fe80::/64 dev eth0 proto kernel metric 256
> > >>> fe80::/64 dev vlan1 proto kernel metric 256
> > >>> fe80::/64 dev br0 proto kernel metric 256
> > >>> fe80::/64 dev eth1 proto kernel metric 256
> > >>> fe80::/64 dev wl0.1 proto kernel metric 256
> > >>> fe80::/64 dev eth2 proto kernel metric 256
> > >>> fe80::/64 dev wl1.1 proto kernel metric 256
> > >>> fe80::/64 dev vlan2 proto kernel metric 256
> > >>> unreachable default dev lo table unspec proto kernel metric -1
> > >>> error
> > >>> -101 local ::1 dev lo table local proto none metric 0
> > >>> local fe80::a063:91ff:feea:2e17 dev lo table local proto none
> > >>> metric
> > >>> 0
> > >>> local fe80::a063:91ff:feea:2e18 dev lo table local proto none
> > >>> metric
> > >>> 0
> > >>> local fe80::a263:91ff:feea:2e14 dev lo table local proto none
> > >>> metric
> > >>> 0
> > >>> local fe80::a263:91ff:feea:2e14 dev lo table local proto none
> > >>> metric
> > >>> 0
> > >>> local fe80::a263:91ff:feea:2e15 dev lo table local proto none
> > >>> metric
> > >>> 0
> > >>> local fe80::a263:91ff:feea:2e16 dev lo table local proto none
> > >>> metric
> > >>> 0
> > >>> local fe80::a263:91ff:feea:2e16 dev lo table local proto none
> > >>> metric
> > >>> 0
> > >>> local fe80::a263:91ff:feea:2e17 dev lo table local proto none
> > >>> metric
> > >>> 0
> > >>> ff00::/8 dev eth0 table local metric 256
> > >>> ff00::/8 dev vlan1 table local metric 256
> > >>> ff00::/8 dev br0 table local metric 256
> > >>> ff00::/8 dev eth1 table local metric 256
> > >>> ff00::/8 dev wl0.1 table local metric 256
> > >>> ff00::/8 dev eth2 table local metric 256
> > >>> ff00::/8 dev wl1.1 table local metric 256
> > >>> ff00::/8 dev vlan2 table local metric 256
> > >>> unreachable default dev lo table unspec proto kernel metric -1
> > >>> error
> > >>> -101 root at titan:~# ip rule
> > >>> 0: from all lookup local
> > >>> 220: from all lookup 220
> > >>> 32766: from all lookup main
> > >>> 32767: from all lookup default
> > >>> root at titan:~# sysctl -A | grep rp_filter
> > >>> net.ipv4.conf.all.arp_filter = 0
> > >>> net.ipv4.conf.all.rp_filter = 2
> > >>> net.ipv4.conf.br0.arp_filter = 0
> > >>> net.ipv4.conf.br0.rp_filter = 2
> > >>> net.ipv4.conf.default.arp_filter = 0
> > >>> net.ipv4.conf.default.rp_filter = 2
> > >>> net.ipv4.conf.eth0.arp_filter = 0
> > >>> net.ipv4.conf.eth0.rp_filter = 2
> > >>> net.ipv4.conf.eth1.arp_filter = 0
> > >>> net.ipv4.conf.eth1.rp_filter = 2
> > >>> net.ipv4.conf.eth2.arp_filter = 0
> > >>> net.ipv4.conf.eth2.rp_filter = 2
> > >>> net.ipv4.conf.lo.arp_filter = 0
> > >>> net.ipv4.conf.lo.rp_filter = 2
> > >>> net.ipv4.conf.ppp0.arp_filter = 0
> > >>> net.ipv4.conf.ppp0.rp_filter = 2
> > >>> net.ipv4.conf.teql0.arp_filter = 0
> > >>> net.ipv4.conf.teql0.rp_filter = 2
> > >>> net.ipv4.conf.vlan1.arp_filter = 0
> > >>> net.ipv4.conf.vlan1.rp_filter = 2
> > >>> net.ipv4.conf.vlan2.arp_filter = 0
> > >>> net.ipv4.conf.vlan2.rp_filter = 2
> > >>> net.ipv4.conf.wl0.1.arp_filter = 0
> > >>> net.ipv4.conf.wl0.1.rp_filter = 2
> > >>> net.ipv4.conf.wl1.1.arp_filter = 0
> > >>> net.ipv4.conf.wl1.1.rp_filter = 2
> > >>>
> > >>>>> Just a dynamic ip, who cares.
> > >>>>
> > >>>> Enough people that it's RFC'd[1].
> > >>>
> > >>> Sure but it doesn't hurt and makes sure you got the right info.
> > >>>
> > >>>> Kind regards
> > >>>>
> > >>>> Noel
> > >>>>
> > >>>> [1] https://tools.ietf.org/html/rfc1918#section-3
> > >>>>
> > >>>> On 05.09.2017 11:06, Ric S wrote:
> > >>>>> Current configs now:
> > >>>>>
> > >>>>> strongswan.conf:
> > >>>>>
> > >>>>> charon {
> > >>>>> plugins {
> > >>>>>
> > >>>>> dhcp {
> > >>>>> force_server_address = yes
> > >>>>> server = 192.168.0.1
> > >>>>> identity_lease = yes
> > >>>>> }
> > >>>>> farp {
> > >>>>> load = yes
> > >>>>> }
> > >>>>>
> > >>>>> }}
> > >>>>>
> > >>>>> dns1 = 8.8.8.8
> > >>>>> dns1 = 8.8.8.4
> > >>>>>
> > >>>>> ipsec.conf:
> > >>>>>
> > >>>>> config setup
> > >>>>>
> > >>>>> charondebug="net 2, knl 2, cfg 2"
> > >>>>>
> > >>>>> conn ikev2
> > >>>>>
> > >>>>> keyexchange=ikev2
> > >>>>> ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,
> > >>>>> ae
> > >>>>> s1
> > >>>>> 28
> > >>>>> -sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128
> > >>>>> -s
> > >>>>> ha
> > >>>>> 25
> > >>>>> 6-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes
> > >>>>> 25
> > >>>>> 6-
> > >>>>> sh
> > >>>>> a1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes2
> > >>>>> esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha
> > >>>>> 1,
> > >>>>> ae
> > >>>>> s
> > >>>>> 128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-
> > >>>>> sh
> > >>>>> a2
> > >>>>> 56
> > >>>>> ,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536
> > >>>>> ,a
> > >>>>> es
> > >>>>> 12
> > >>>>> 8-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm
> > >>>>> dpdaction=clear
> > >>>>> dpddelay=60s
> > >>>>> leftfirewall=yes
> > >>>>> lefthostaccess=yes
> > >>>>> leftid=carone.ddns.net
> > >>>>> leftsubnet=192.168.0.0/24
> > >>>>> leftcert=host-vpn.der
> > >>>>> leftsendcert=always
> > >>>>> right=%any
> > >>>>> rightauth=eap-tls
> > >>>>> rightsourceip=%dhcp
> > >>>>> eap_identity=%any
> > >>>>> auto=add
> > >>>>>
> > >>>>> On Dienstag, 5. September 2017 04:54:31 CEST you wrote:
> > >>>>>> Hi,
> > >>>>>>
> > >>>>>>> type=passthrough
> > >>>>>
> > >>>>> Removed it, also did not use it previous attempts.
> > >>>>>
> > >>>>>> You're sabotaging yourself. There is no IPsec processing happening
> > >>>>>> with
> > >>>>>> type=passthrough
> > >>>>>>
> > >>>>>>> threads = 8
> > >>>>>
> > >>>>> Removed.
> > >>>>>
> > >>>>>> You're doing it again. That can lock up the daemon later. Don't do
> > >>>>>> that.
> > >>>>>> Luckily, the setting is outside the valid configuration block, so
> > >>>>>> it's
> > >>>>>> invalid and ignored.
> > >>>>>>
> > >>>>>>> interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
> > >>>>>
> > >>>>> I removed it. Just for the record these are my interfaces:
> > >>>>>
> > >>>>> ifconfig
> > >>>>> br0 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:16
> > >>>>>
> > >>>>> inet addr:192.168.0.1 Bcast:192.168.0.255
> > >>>>> Mask:255.255.255.0
> > >>>>> inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
> > >>>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > >>>>> RX packets:5108 errors:0 dropped:0 overruns:0 frame:0
> > >>>>> TX packets:4497 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>> collisions:0 txqueuelen:1000
> > >>>>> RX bytes:585507 (571.7 KiB) TX bytes:3738948 (3.5 MiB)
> > >>>>>
> > >>>>> br0:0 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:16
> > >>>>>
> > >>>>> inet addr:169.254.255.1 Bcast:169.254.255.255
> > >>>>> Mask:255.255.0.0
> > >>>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > >>>>>
> > >>>>> eth0 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:14
> > >>>>>
> > >>>>> inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
> > >>>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > >>>>> RX packets:12075 errors:0 dropped:0 overruns:0 frame:0
> > >>>>> TX packets:12590 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>> collisions:0 txqueuelen:1000
> > >>>>> RX bytes:1941972 (1.8 MiB) TX bytes:9910375 (9.4 MiB)
> > >>>>> Interrupt:179 Base address:0x4000
> > >>>>>
> > >>>>> eth1 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:16
> > >>>>>
> > >>>>> inet6 addr: fe80::a263:91ff:feea:2e16/64 Scope:Link
> > >>>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > >>>>> RX packets:0 errors:0 dropped:0 overruns:0 frame:7541
> > >>>>> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>> collisions:0 txqueuelen:1000
> > >>>>> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> > >>>>> Interrupt:163
> > >>>>>
> > >>>>> eth2 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:17
> > >>>>>
> > >>>>> inet6 addr: fe80::a263:91ff:feea:2e17/64 Scope:Link
> > >>>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > >>>>> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > >>>>> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>> collisions:0 txqueuelen:1000
> > >>>>> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> > >>>>> Interrupt:169
> > >>>>>
> > >>>>> lo Link encap:Local Loopback
> > >>>>>
> > >>>>> inet addr:127.0.0.1 Mask:255.0.0.0
> > >>>>> inet6 addr: ::1/128 Scope:Host
> > >>>>> UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
> > >>>>> RX packets:425 errors:0 dropped:0 overruns:0 frame:0
> > >>>>> TX packets:425 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>> collisions:0 txqueuelen:1
> > >>>>> RX bytes:53057 (51.8 KiB) TX bytes:53057 (51.8 KiB)
> > >>>>>
> > >>>>> ppp0 Link encap:Point-to-Point Protocol
> > >>>>>
> > >>>>> inet addr:87.168.251.19 P-t-P:62.155.242.107
> > >>>>> Mask:255.255.255.255
> > >>>>> UP POINTOPOINT RUNNING MULTICAST MTU:1492 Metric:1
> > >>>>> RX packets:1010 errors:0 dropped:0 overruns:0 frame:0
> > >>>>> TX packets:1092 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>> collisions:0 txqueuelen:3
> > >>>>> RX bytes:470447 (459.4 KiB) TX bytes:160357 (156.5 KiB)
> > >>>>>
> > >>>>> vlan1 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:14
> > >>>>>
> > >>>>> inet6 addr: fe80::a263:91ff:feea:2e14/64 Scope:Link
> > >>>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > >>>>> RX packets:9247 errors:0 dropped:0 overruns:0 frame:0
> > >>>>> TX packets:9767 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>> collisions:0 txqueuelen:0
> > >>>>> RX bytes:759337 (741.5 KiB) TX bytes:9462367 (9.0 MiB)
> > >>>>>
> > >>>>> vlan2 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:15
> > >>>>>
> > >>>>> inet6 addr: fe80::a263:91ff:feea:2e15/64 Scope:Link
> > >>>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > >>>>> RX packets:2828 errors:0 dropped:3 overruns:0 frame:0
> > >>>>> TX packets:2815 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>> collisions:0 txqueuelen:0
> > >>>>> RX bytes:916985 (895.4 KiB) TX bytes:397032 (387.7 KiB)
> > >>>>>
> > >>>>> vlan2:0 Link encap:Ethernet HWaddr A0:XX:XX:XX:XX:15
> > >>>>>
> > >>>>> inet addr:192.168.5.254 Bcast:192.168.5.255
> > >>>>> Mask:255.255.255.0
> > >>>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > >>>>>
> > >>>>> wl0.1 Link encap:Ethernet HWaddr A2:XX:XX:XX:XX:17
> > >>>>>
> > >>>>> inet addr:192.168.10.1 Bcast:192.168.10.255
> > >>>>> Mask:255.255.255.0
> > >>>>> inet6 addr: fe80::a063:91ff:feea:2e17/64 Scope:Link
> > >>>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > >>>>> RX packets:3615 errors:0 dropped:5 overruns:0 frame:7541
> > >>>>> TX packets:3989 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>> collisions:0 txqueuelen:1000
> > >>>>> RX bytes:538878 (526.2 KiB) TX bytes:998737 (975.3 KiB)
> > >>>>>
> > >>>>> wl1.1 Link encap:Ethernet HWaddr A2:XX:XX:XX:XX:18
> > >>>>>
> > >>>>> inet addr:192.168.9.1 Bcast:192.168.9.255
> > >>>>> Mask:255.255.255.0
> > >>>>> inet6 addr: fe80::a063:91ff:feea:2e18/64 Scope:Link
> > >>>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> > >>>>> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > >>>>> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > >>>>> collisions:0 txqueuelen:1000
> > >>>>> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> > >>>>>>
> > >>>>>> Unnecessary.
> > >>>>>>
> > >>>>>>> left=%defaultroute
> > >>>>>
> > >>>>> Removed.
> > >>>>>
> > >>>>>> Unnecessary.
> > >>>>>>
> > >>>>>>> kernel-pfkey
> > >>>>>>
> > >>>>>> Plugin for the legacy IPsec API. Don't use it.
> > >>>>>>
> > >>>>>>> ping R6400
> > >>>>>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
> > >>>>>>>
> > >>>>>> >From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host
> > >>>>>> >
> > >>>>>>> Unreachable
> > >>>>>>>
> > >>>>>> >From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host
> > >>>>>> >
> > >>>>>>> Unreachable
> > >>>>>
> > >>>>> Just a dynamic ip, who cares.
> > >>>>>
> > >>>>>> Your next hop is sending that error. You're leaking private address
> > >>>>>> into
> > >>>>>> the WAN. That is forbidden. Don't do that.
> > >>>>>>
> > >>>>>>> Routers iptable output:
> > >>>>>>>
> > >>>>>>> iptables -vnL
> > >>>>>>
> > >>>>>> The output is unusable. Provide the output of `iptables-save`.
> > >>>>>
> > >>>>> I disabled a few features, e.g. QOS in order to reduce the output
> > >>>>>
> > >>>>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> > >>>>> *raw
> > >>>>>
> > >>>>> :PREROUTING ACCEPT [12217:1705679]
> > >>>>> :OUTPUT ACCEPT [9354:9118762]
> > >>>>>
> > >>>>> COMMIT
> > >>>>> # Completed on Tue Sep 5 10:42:27 2017
> > >>>>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> > >>>>> *nat
> > >>>>>
> > >>>>> :PREROUTING ACCEPT [285:28593]
> > >>>>> :INPUT ACCEPT [604:43260]
> > >>>>> :OUTPUT ACCEPT [47:3676]
> > >>>>> :POSTROUTING ACCEPT [47:3676]
> > >>>>>
> > >>>>> -A PREROUTING -d 87.168.251.19 -p icmp -j DNAT --to-destination
> > >>>>> 192.168.0.1
> > >>>>> -A PREROUTING -d 87.168.251.19 -j TRIGGER --trigger-proto
> > >>>>> --trigger-match
> > >>>>> 0-0 --trigger-relate 0-0 -A POSTROUTING -o vlan2 -j MASQUERADE
> > >>>>> -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j SNAT
> > >>>>> --to-source
> > >>>>> 87.168.251.19 -A POSTROUTING -m mark --mark0x80000000/0x80000000 -j
> > >>>>> MASQUERADE
> > >>>>> -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o ppp0 -j SNAT
> > >>>>> --to-source
> > >>>>> 87.168.251.19 -A POSTROUTING -s 192.168.9.0/255.255.255.0 -o ppp0 -j
> > >>>>> SNAT
> > >>>>> --to-source 87.168.251.19 COMMIT
> > >>>>> # Completed on Tue Sep 5 10:42:27 2017
> > >>>>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> > >>>>> *mangle
> > >>>>>
> > >>>>> :PREROUTING ACCEPT [3009:537902]
> > >>>>> :INPUT ACCEPT [8937:741571]
> > >>>>> :FORWARD ACCEPT [2521:798226]
> > >>>>> :OUTPUT ACCEPT [2190:2277003]
> > >>>>> :POSTROUTING ACCEPT [11882:9919352]
> > >>>>>
> > >>>>> -A PREROUTING -d 87.168.251.19 -i ! ppp0 -j MARK --set-xmark
> > >>>>> 0x80000000/0x80000000 -A PREROUTING -j CONNMARK --save-mark
> > >>>>> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS
> > >>>>> --clamp-mss-to-pmtu COMMIT
> > >>>>> # Completed on Tue Sep 5 10:42:27 2017
> > >>>>> # Generated by iptables-save v1.3.7 on Tue Sep 5 10:42:27 2017
> > >>>>> *filter
> > >>>>>
> > >>>>> :INPUT ACCEPT [0:0]
> > >>>>> :FORWARD ACCEPT [0:0]
> > >>>>> :OUTPUT ACCEPT [111:17285]
> > >>>>> :advgrp_1 - [0:0]
> > >>>>> :advgrp_10 - [0:0]
> > >>>>> :advgrp_2 - [0:0]
> > >>>>> :advgrp_3 - [0:0]
> > >>>>> :advgrp_4 - [0:0]
> > >>>>> :advgrp_5 - [0:0]
> > >>>>> :advgrp_6 - [0:0]
> > >>>>> :advgrp_7 - [0:0]
> > >>>>> :advgrp_8 - [0:0]
> > >>>>> :advgrp_9 - [0:0]
> > >>>>> :grp_1 - [0:0]
> > >>>>> :grp_10 - [0:0]
> > >>>>> :grp_2 - [0:0]
> > >>>>> :grp_3 - [0:0]
> > >>>>> :grp_4 - [0:0]
> > >>>>> :grp_5 - [0:0]
> > >>>>> :grp_6 - [0:0]
> > >>>>> :grp_7 - [0:0]
> > >>>>> :grp_8 - [0:0]
> > >>>>> :grp_9 - [0:0]
> > >>>>> :lan2wan - [0:0]
> > >>>>> :logaccept - [0:0]
> > >>>>> :logdrop - [0:0]
> > >>>>> :logreject - [0:0]
> > >>>>> :trigger_out - [0:0]
> > >>>>>
> > >>>>> -A INPUT -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m
> > >>>>> policy
> > >>>>> --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT -A INPUT -p udp
> > >>>>> -m
> > >>>>> udp --dport 4500 -j ACCEPT
> > >>>>> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> > >>>>> -A INPUT -s 66.220.2.74 -p icmp -j ACCEPT
> > >>>>> -A INPUT -m state --state RELATED,ESTABLISHED -j logaccept
> > >>>>> -A INPUT -i ppp0 -p udp -m udp --dport 520 -j logdrop
> > >>>>> -A INPUT -i br0 -p udp -m udp --dport 520 -j logdrop
> > >>>>> -A INPUT -p udp -m udp --dport 520 -j logaccept
> > >>>>> -A INPUT -i br0 -j logaccept
> > >>>>> -A INPUT -i ppp0 -p icmp -j logdrop
> > >>>>> -A INPUT -p igmp -j logdrop
> > >>>>> -A INPUT -i lo -m state --state NEW -j ACCEPT
> > >>>>> -A INPUT -i br0 -m state --state NEW -j logaccept
> > >>>>> -A INPUT -i wl0.1 -p udp -m udp --dport 67 -j logaccept
> > >>>>> -A INPUT -i wl0.1 -p udp -m udp --dport 53 -j logaccept
> > >>>>> -A INPUT -i wl0.1 -p tcp -m tcp --dport 53 -j logaccept
> > >>>>> -A INPUT -i wl0.1 -m state --state NEW -j logdrop
> > >>>>> -A INPUT -i wl0.1 -j logaccept
> > >>>>> -A INPUT -i wl1.1 -p udp -m udp --dport 67 -j logaccept
> > >>>>> -A INPUT -i wl1.1 -p udp -m udp --dport 53 -j logaccept
> > >>>>> -A INPUT -i wl1.1 -p tcp -m tcp --dport 53 -j logaccept
> > >>>>> -A INPUT -i wl1.1 -m state --state NEW -j logdrop
> > >>>>> -A INPUT -i wl1.1 -j logaccept
> > >>>>> -A INPUT -j logdrop
> > >>>>> -A FORWARD -s 192.168.0.121 -d 192.168.0.0/255.255.255.0 -i ppp0 -m
> > >>>>> policy
> > >>>>> --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT -A FORWARD -s
> > >>>>> 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m policy --dir
> > >>>>> out
> > >>>>> --pol ipsec --reqid 1 --proto esp -j ACCEPT -A FORWARD -s
> > >>>>> 192.168.0.10
> > >>>>> -d
> > >>>>> 194.25.134.46 -j ACCEPT
> > >>>>> -A FORWARD -s 192.168.0.10 -d 194.25.134.110 -j ACCEPT
> > >>>>> -A FORWARD -s 192.168.0.10 -j LOG
> > >>>>> -A FORWARD -s 192.168.0.10 -j DROP
> > >>>>> -A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
> > >>>>> -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl1.1 -m state --state
> > >>>>> NEW
> > >>>>> -j
> > >>>>> logdrop -A FORWARD -d 192.168.0.0/255.255.255.0 -i wl0.1 -m state
> > >>>>> --state
> > >>>>> NEW -j logdrop -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p
> > >>>>> gre
> > >>>>> -j
> > >>>>> logaccept -A FORWARD -s 192.168.0.0/255.255.255.0 -o ppp0 -p tcp -m
> > >>>>> tcp
> > >>>>> --dport 1723 -j logaccept -A FORWARD -i wl0.1 -j logaccept
> > >>>>> -A FORWARD -i wl1.1 -j logaccept
> > >>>>> -A FORWARD -j lan2wan
> > >>>>> -A FORWARD -i br0 -o br0 -j logaccept
> > >>>>> -A FORWARD -i br0 -o ppp0 -j logaccept
> > >>>>> -A FORWARD -i ppp0 -o br0 -j TRIGGER --trigger-proto --trigger-match
> > >>>>> 0-0
> > >>>>> --trigger-relate 0-0 -A FORWARD -i br0 -j trigger_out
> > >>>>> -A FORWARD -i br0 -o wl0.1 -m state --state NEW -j logdrop
> > >>>>> -A FORWARD -i br0 -o wl1.1 -m state --state NEW -j logdrop
> > >>>>> -A FORWARD -i br0 -m state --state NEW -j logaccept
> > >>>>> -A FORWARD -j logdrop
> > >>>>> -A OUTPUT -s 192.168.0.0/255.255.255.0 -d 192.168.0.121 -o ppp0 -m
> > >>>>> policy
> > >>>>> --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT -A OUTPUT -o
> > >>>>> br0
> > >>>>> -j
> > >>>>> logaccept
> > >>>>> -A logaccept -j ACCEPT
> > >>>>> -A logdrop -m state --state NEW -j LOG --log-prefix "DROP "
> > >>>>> --log-tcp-sequence --log-tcp-options --log-ip-options -A logdrop -m
> > >>>>> state
> > >>>>> --state INVALID -j LOG --log-prefix "DROP " --log-tcp-sequence
> > >>>>> --log-tcp-options --log-ip-options -A logdrop -j DROP
> > >>>>> -A logreject -j LOG --log-prefix "WEBDROP " --log-tcp-sequence
> > >>>>> --log-tcp-options --log-ip-options -A logreject -p tcp -j REJECT
> > >>>>> --reject-with tcp-reset
> > >>>>> COMMIT
> > >>>>> # Completed on Tue Sep 5 10:42:27 2017
> > >>>>>
> > >>>>>>> I have tried so many thinsg, but still cannot ping from either
> > >>>>>>> side
> > >>>>>>> or
> > >>>>>>> access
> > >>>>>>> any local machines.
> > >>>>>>> Does anyone have a clue? Can I provide additional info?
> > >>>>>>
> > >>>>>> You're having no success because you're trying ramdom shit from the
> > >>>>>> Internet. About 99,999% of the strongSwan related information on
> > >>>>>> third
> > >>>>>> party sites is wither well ng or of questinable quality. Don't get
> > >>>>>> your
> > >>>>>> information from any place but the project's website.
> > >>>>>
> > >>>>> Well that's what I did in the first place and it also lacks info,
> > >>>>> e.g.
> > >>>>> it
> > >>>>> did not list all of the required kernel modules, took my a bit to
> > >>>>> find
> > >>>>> out which modules it needs as it did not complain at startup, but
> > >>>>> requested features at runtime which were not there, e.g. a STD RNG.
> > >>>>>
> > >>>>>
> > >>>>> Thanks for any hints, hope the above info helps.
> > >>>>>
> > >>>>> Cheers Richard
> > >>>>>
> > >>>>>> Kind regards
> > >>>>>>
> > >>>>>> Noel
> > >>>>>>
> > >>>>>> Am 5. September 2017 00:53:20 MESZ schrieb Ric S <burj-al-
>
> arab at gmx.de>:
> > >>>>>>> Hi folks,
> > >>>>>>>
> > >>>>>>> I have been ripping my hair out with this issue.
> > >>>>>>>
> > >>>>>>> I'm running strongswan 5.5.3 on a router. The routers lan subnet
> > >>>>>>> is
> > >>>>>>> 192.168.0.1/24.
> > >>>>>>> I can successfully connect to it with an Ipad with ikev2 and surf
> > >>>>>>> the
> > >>>>>>> internet, but I cannot reach any internal machines.
> > >>>>>>>
> > >>>>>>> My config is the following:
> > >>>>>>>
> > >>>>>>> ipsec.conf:
> > >>>>>>>
> > >>>>>>> config setup
> > >>>>>>>
> > >>>>>>> charondebug="net 2, knl 2, cfg 2"
> > >>>>>>>
> > >>>>>>> conn ikev2
> > >>>>>>>
> > >>>>>>> keyexchange=ikev2
> > >>>>>>>
> > >>>>>>> ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048
> > >>>>>>> ,a
> > >>>>>>> es
> > >>>>>>> 12
> > >>>>>>> 8-
> > >>>>>>> sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes1
> > >>>>>>> esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sh
> > >>>>>>> a1
> > >>>>>>> ,a
> > >>>>>>> es
> > >>>>>>> 128
> > >>>>>>> - sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128
> > >>>>>>>
> > >>>>>>> dpdaction=clear
> > >>>>>>> dpddelay=60s
> > >>>>>>> left=%defaultroute
> > >>>>>>> leftfirewall=yes
> > >>>>>>> lefthostaccess=yes
> > >>>>>>> leftid=myname.ddns.net
> > >>>>>>> leftsubnet=192.168.0.0/24
> > >>>>>>> leftcert=host-vpn.der
> > >>>>>>> leftsendcert=always
> > >>>>>>> right=%any
> > >>>>>>> rightauth=eap-tls
> > >>>>>>> rightsourceip=%dhcp
> > >>>>>>> eap_identity=%any
> > >>>>>>> type=passthrough
> > >>>>>>> auto=add
> > >>>>>>>
> > >>>>>>> strongswanf.conf:
> > >>>>>>>
> > >>>>>>> charon {
> > >>>>>>> interfaces_ignore = vlan2, eth0, eth1, eth2, wl0.1, wl1.1
> > >>>>>>> plugins {
> > >>>>>>>
> > >>>>>>> dhcp {
> > >>>>>>> force_server_address = yes
> > >>>>>>> server = 192.168.0.1
> > >>>>>>> identity_lease = yes
> > >>>>>>> }
> > >>>>>>> farp {
> > >>>>>>> load = yes
> > >>>>>>> }
> > >>>>>>>
> > >>>>>>> }}
> > >>>>>>>
> > >>>>>>> threads = 8
> > >>>>>>> dns1 = 8.8.8.8
> > >>>>>>> dns1 = 8.8.8.4
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> Status:
> > >>>>>>>
> > >>>>>>> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.4.80,
>
> armv7l):
> > >>>>>>> uptime: 14 minutes, since Sep 05 00:09:53 2017
> > >>>>>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
> > >>>>>>> 0/0/0/0,
> > >>>>>>>
> > >>>>>>> scheduled: 8
> > >>>>>>> loaded plugins: charon test-vectors aes des blowfish rc2 sha2 sha1
> > >>>>>>> md5
> > >>>>>>> random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
> > >>>>>>> pkcs12 pgp
> > >>>>>>> dnskey sshkey pem openssl fips-prf gmp curve25519 agent xcbc cmac
> > >>>>>>> hmac
> > >>>>>>> sqlite
> > >>>>>>> attr kernel-pfkey kernel-netlink resolve socket-default farp
> > >>>>>>> stroke
> > >>>>>>> vici
> > >>>>>>> updown eap-identity eap-aka eap-md5 eap-mschapv2 eap-radius
> > >>>>>>> eap-tls
> > >>>>>>> xauth-
> > >>>>>>> generic xauth-eap dhcp whitelist led duplicheck
> > >>>>>>>
> > >>>>>>> Listening IP addresses:
> > >>>>>>> 169.254.255.1
> > >>>>>>> 192.168.0.1
> > >>>>>>> 87.168.243.83
> > >>>>>>>
> > >>>>>>> Connections:
> > >>>>>>> ikev2: %any...%any IKEv2, dpddelay=60s
> > >>>>>>>
> > >>>>>>> ikev2: local: [myname.ddns.net] uses public key
> > >>>>>>> authentication
> > >>>>>>>
> > >>>>>>> ikev2: cert: "C=DE, O=MYORG, CN=myname.ddns.net"
> > >>>>>>>
> > >>>>>>> ikev2: remote: uses EAP_TLS authentication with EAP identity
> > >>>>>>> '%any'
> > >>>>>>>
> > >>>>>>> ikev2: child: 192.168.0.0/24 === dynamic PASS,
> > >>>>>>> dpdaction=clear
> > >>>>>>>
> > >>>>>>> Security Associations (1 up, 0 connecting):
> > >>>>>>> ikev2[6]: ESTABLISHED 11 seconds ago,
> > >>>>>>> 87.168.243.83[myname.ddns.net]...
> > >>>>>>> 109.43.1.19[R6400]
> > >>>>>>>
> > >>>>>>> ikev2[6]: IKEv2 SPIs: 243db36d71718704_i 688c466c497d2b9a_r*,
> > >>>>>>> public
> > >>>>>>>
> > >>>>>>> key reauthentication in 2 hours
> > >>>>>>>
> > >>>>>>> ikev2[6]: IKE proposal:
> > >>>>>>> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/
> > >>>>>>>
> > >>>>>>> MODP_1024
> > >>>>>>>
> > >>>>>>> ikev2{4}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs:
> > >>>>>>> c0983fe7_i
> > >>>>>>>
> > >>>>>>> 04eb0f50_o
> > >>>>>>>
> > >>>>>>> ikev2{4}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0
> > >>>>>>> bytes_o,
> > >>>>>>>
> > >>>>>>> rekeying in 48 minutes
> > >>>>>>>
> > >>>>>>> ikev2{4}: 192.168.0.0/24 === 192.168.0.121/32
> > >>>>>>>
> > >>>>>>> swanctl --list-sas
> > >>>>>>> ikev2: #6, ESTABLISHED, IKEv2, 243db36d71718704_i
> > >>>>>>> 688c466c497d2b9a_r*
> > >>>>>>>
> > >>>>>>> local 'myname.ddns.net' @ 87.168.243.83[4500]
> > >>>>>>> remote 'R6400' @ 109.43.1.19[39898] [192.168.0.121]
> > >>>>>>> AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> > >>>>>>> established 92s ago, reauth in 9765s
> > >>>>>>> ikev2: #4, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/
> > >>>>>>>
> > >>>>>>> HMAC_SHA2_256_128
> > >>>>>>>
> > >>>>>>> installed 89s ago, rekeying in 2800s, expires in 3511s
> > >>>>>>> in c0983fe7, 0 bytes, 0 packets
> > >>>>>>> out 04eb0f50, 0 bytes, 0 packets
> > >>>>>>> local 192.168.0.0/24
> > >>>>>>> remote 192.168.0.121/32
> > >>>>>>>
> > >>>>>>> ip route list table 220
> > >>>>>>> 192.168.0.121 via 62.155.242.107 dev ppp0 proto static src
> > >>>>>>> 192.168.0.1
> > >>>>>>>
> > >>>>>>> FARP seems to work, this is a ping from one of the local machines:
> > >>>>>>>
> > >>>>>>> ping R6400
> > >>>>>>> PING R6400 (192.168.0.121) 56(84) bytes of data.
> > >>>>>>>
> > >>>>>> >From 62.155.242.107 (62.155.242.107) icmp_seq=1 Destination Host
> > >>>>>> >
> > >>>>>>> Unreachable
> > >>>>>>>
> > >>>>>> >From 62.155.242.107 (62.155.242.107) icmp_seq=2 Destination Host
> > >>>>>> >
> > >>>>>>> Unreachable
More information about the Users
mailing list