[strongSwan] strongswan not picking up traffic

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Sep 13 21:11:10 CEST 2017


Hello,

Please provide all the information that is listed on the HelpRequests[1] page on the wiki. Use the listed commands to get that information.

Right now, you don't even have a CHILD_SA that could be used to encapsulate the traffic nor an IKE_SA to negotiate that CHILD_SA over.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 13.09.2017 19:18, Anvar Kuchkartaev wrote:
> What happened when you initiate host-host connection from any side? Can you share your ipsec.conf file contents so I could see if any mistakes over there? One more question: how are your firewall rules configured? Do they allow udp 500,4500, ah, esp protocols from both sides?
>
> Anvar Kuchkartaev 
> anvar at anvartay.com 
> *From: *Chengcheng Fu
> *Sent: *Wednesday, 13 September 2017 06:27 p.m.
> *To: *users at lists.strongswan.org
> *Subject: *[strongSwan] strongswan not picking up traffic
>
>
> Hi,
>
> I'm trying to set up a GRE over IPSec.
>
> I have the GRE working, but Strongswan wouldn't pick up the gre traffic and encrypt it.
>
> Following is my topology
>
> hub 192.168.23.193 - 192.168.23.203 spoke
>
>
> And here is my output.
> Hub side:
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
> uptime: 108 seconds, since Sep 14 00:23:00 2017
> malloc: sbrk 2027520, mmap 0, used 273392, free 1754128
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
> Listening IP addresses:
> 192.168.23.193
> 192.168.34.1
> Connections:
> host-host: 192.168.23.193...%any IKEv2
> host-host: local: [192.168.23.193] uses pre-shared key authentication
> host-host: remote: uses pre-shared key authentication
> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
> Security Associations (0 up, 0 connecting):
> none
>
>
>
> Spoke side:
> Status of IKE charon daemon (strongSwan 5.6.0, Linux 4.9.47, x86_64):
> uptime: 4 seconds, since Sep 14 00:17:44 2017
> malloc: sbrk 2289664, mmap 0, used 287184, free 2002480
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
> Listening IP addresses:
> 192.168.23.203
> 192.168.34.3
> Connections:
> host-host: 192.168.23.203...192.168.23.193 IKEv2
> host-host: local: [192.168.23.203] uses pre-shared key authentication
> host-host: remote: [192.168.23.193] uses pre-shared key authentication
> host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
> Security Associations (0 up, 0 connecting):
> none
>
>
>
> Any thoughts?
>
> Regards,
>
> Terry
>
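
Added example (not part of the original thread and not strongSwan's own code): a small Python check over `ipsec statusall` text that reports, per configured connection, whether an IKE_SA and a CHILD_SA exist, which is the condition the reply above points to. The sample is abridged from the hub output quoted in the thread; the `ESTABLISHED` and `INSTALLED` line formats are assumed from typical statusall output, and `diagnose` is a hypothetical helper name.

```python
import re

# Constructed sample: abridged from the hub-side `ipsec statusall` output in the thread.
HUB_STATUS = """\
Connections:
host-host: 192.168.23.193...%any IKEv2
host-host: local: [192.168.23.193] uses pre-shared key authentication
host-host: remote: uses pre-shared key authentication
host-host: child: dynamic[gre] === dynamic[gre] TRANSPORT
Security Associations (0 up, 0 connecting):
none
"""

# "<name>: <local>...<remote> IKEv2" lines under "Connections:"
CONN_RE = re.compile(r"^[ \t]*(\S+):[ \t]+(\S+)\.\.\.(\S+)[ \t]+IKE", re.M)
SA_RE = re.compile(r"Security Associations \((\d+) up, (\d+) connecting\)")
# Assumed formats for live SAs: "<name>[1]: ESTABLISHED ..." / "<name>{1}: INSTALLED, ..."
IKE_SA_RE = re.compile(r"^[ \t]*(\S+)\[\d+\]:[ \t]+ESTABLISHED", re.M)
CHILD_SA_RE = re.compile(r"^[ \t]*(\S+)\{\d+\}:[ \t]+INSTALLED", re.M)


def diagnose(status):
    """Return SA counters and one finding per connection that lacks an SA."""
    m = SA_RE.search(status)
    up, connecting = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    ike = set(IKE_SA_RE.findall(status))
    child = set(CHILD_SA_RE.findall(status))
    report = {"up": up, "connecting": connecting, "findings": []}
    for name, _local, remote in CONN_RE.findall(status):
        if name not in ike:
            # A peer of %any cannot be dialled, so this side can only respond.
            role = ("responder-only (peer is %any)" if remote == "%any"
                    else "can initiate to " + remote)
            report["findings"].append(f"{name}: no IKE_SA; {role}")
        elif name not in child:
            report["findings"].append(f"{name}: IKE_SA up but no CHILD_SA installed")
    return report


if __name__ == "__main__":
    result = diagnose(HUB_STATUS)
    print(f"{result['up']} up, {result['connecting']} connecting")
    for finding in result["findings"]:
        print(finding)
```
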
