[strongSwan] Tunnel established but cannot ping. Request help.

Makarand Pradhan MakarandPradhan at is5com.com
Thu Apr 4 22:49:24 CEST 2019


Hello Everyone,

This is the first time I'm trying to use StrongSwan.

I'm trying to use strongswan to create an IPSec tunnel. The tunnel status says up but I cannot ping over the tunnel. Would appreciate any pointers to get it working.

Please find below a detailed view of the issue.

Setup:

(Left subnet)
172.16.18.88 80.0.0.1 <-Router-> 30.0.0.1 10.1.1.1
wlan0        eth0                                eth0     eth1   
Raspberry pi                                   Raspberry pi
StrongSwan running here.         StrongSwan running here.

Left config:
config setup
               charondebug=@all@
               cachecrls=yes
               uniqueids=yes
               strictcrlpolicy=no
               # uniqueids = no

conn pi_to_pi
               type=tunnel
               authby=secret
               auto=start
               keyexchange=ike
               esp=3des-md5
               left=%defaultroute
               leftid=80.0.0.1
               leftsubnet=172.16.18.88/24
               right=30.0.0.1
               rightsubnet=10.1.1.0/24

root@raspberrypi:~# ipsec status
Security Associations (1 up, 0 connecting):
    pi_to_pi[1]: ESTABLISHED 10 minutes ago, 80.0.0.1[80.0.0.1]...30.0.0.1[30.0.0.1]
    pi_to_pi{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb15009b_i cc28abb3_o
    pi_to_pi{1}:   172.16.18.0/24 === 10.1.1.0/24

root@raspberrypi:~# ip xfrm policy | more
src 10.1.1.0/24 dst 172.16.18.0/24 
               dir fwd priority 187712 
               tmpl src 30.0.0.1 dst 80.0.0.1
                              proto esp reqid 1 mode tunnel
src 10.1.1.0/24 dst 172.16.18.0/24 
               dir in priority 187712 
               tmpl src 30.0.0.1 dst 80.0.0.1
                              proto esp reqid 1 mode tunnel
src 172.16.18.0/24 dst 10.1.1.0/24 
               dir out priority 187712 
               tmpl src 80.0.0.1 dst 30.0.0.1
                              proto esp reqid 1 mode tunnel

root@raspberrypi:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Ping fails
root@raspberrypi:~# ping 10.1.1.1 -I 172.16.18.88
PING 10.1.1.1 (10.1.1.1) from 172.16.18.88 : 56(84) bytes of data.


TCP dump shows that the packet is not going out over the tunnel but is just sent to the next hop:

21:06:46.079466 IP (tos 0x0, ttl 64, id 9795, offset 0, flags [DF], proto ICMP (1), length 84)
    80.0.0.1 > 10.1.1.1: ICMP echo request, id 1694, seq 30, length 64
               0x0000:  e8e8 7590 02c1 b827 eb85 9967 0800 4500  ..u....'...g..E.
               0x0010:  0054 2643 4000 4001 b963 5000 0001 0a01  .T&C@.@..cP.....
               0x0020:  0101 0800 844a 069e 001e d663 a65c 0436  .....J.....c.\.6
               0x0030:  0100 0809 0a0b 0c0d 0e0f 1011 1213 1415  ................
               0x0040:  1617 1819 1a1b 1c1d 1e1f 2021 2223 2425  ...........!"#$%
               0x0050:  2627 2829 2a2b 2c2d 2e2f 3031 3233 3435  &'()*+,-./012345
               0x0060:  3637                                     67

Any pointers to get the tunnel working would be highly appreciated.

With Rgds,
Makarand.

Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
#1-1815 Meyerside Drive
Mississauga, Ontario
L5T 1G3
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: http://www.is5com.com/
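A small diagnostic, added here and not part of the original post or of strongSwan, that parses the `ip xfrm policy` output quoted above and reports which outbound selector (if any) covers a given source/destination pair. The echo request tcpdump captured left with source 80.0.0.1, which no `dir out` policy covers, so the kernel had no reason to encrypt it; a packet sourced from 172.16.18.88 does fall inside the 172.16.18.0/24 === 10.1.1.0/24 selector. The sample text is copied from the post, and the function names are mine.

```python
import ipaddress
import re

# `ip xfrm policy` output as quoted in the post (sample embedded for an offline run).
XFRM_POLICY = """\
src 10.1.1.0/24 dst 172.16.18.0/24
        dir fwd priority 187712
        tmpl src 30.0.0.1 dst 80.0.0.1
                proto esp reqid 1 mode tunnel
src 10.1.1.0/24 dst 172.16.18.0/24
        dir in priority 187712
        tmpl src 30.0.0.1 dst 80.0.0.1
                proto esp reqid 1 mode tunnel
src 172.16.18.0/24 dst 10.1.1.0/24
        dir out priority 187712
        tmpl src 80.0.0.1 dst 30.0.0.1
                proto esp reqid 1 mode tunnel
"""

# Selector lines start at column 0; the indented "tmpl src ..." lines do not match.
SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s*dir (\w+)")


def parse_xfrm_policies(text):
    """Return a list of (direction, src_network, dst_network) tuples."""
    policies, selector = [], None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            selector = (ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)))
            continue
        m = DIR_RE.match(line)
        if m and selector is not None:
            policies.append((m.group(1), selector[0], selector[1]))
            selector = None
    return policies


def matching_policy(policies, direction, src, dst):
    """Return the first policy whose selector covers src -> dst in `direction`, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for d, src_net, dst_net in policies:
        if d == direction and src in src_net and dst in dst_net:
            return (d, str(src_net), str(dst_net))
    return None


if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY)
    # Source 80.0.0.1 (what tcpdump showed) matches no out policy: sent in the clear.
    print(matching_policy(pols, "out", "80.0.0.1", "10.1.1.1"))
    # Source 172.16.18.88 (the wlan0 address) is inside the tunnel selector.
    print(matching_policy(pols, "out", "172.16.18.88", "10.1.1.1"))
```

Running the same check against live `ip xfrm policy` output (for example by piping it into `parse_xfrm_policies`) is a quick way to confirm whether the address a packet actually leaves with is inside the negotiated traffic selector before looking further at routing or firewall rules.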



