[strongSwan] Tunnel established but cannot ping. Request help.

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Apr 4 22:53:35 CEST 2019


Hi,

> 21:06:46.079466 IP (tos 0x0, ttl 64, id 9795, offset 0, flags [DF], proto ICMP (1), length 84)
>     80.0.0.1 > 10.1.1.1: ICMP echo request, id 1694, seq 30, length 64
The source IP is changed. Fix your damn NAT rules and follow the contents of the HelpRequests[1] page to the letter.
The ForwardingAndSplitTunneling[2] page tells you what the problem is and how to fix it.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
[2] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems
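A small check that applies the point of the answer above. It is an added example, not code from the thread or from strongSwan: on Linux the nat POSTROUTING chain (MASQUERADE/SNAT) runs before the xfrm policy lookup, so a blanket MASQUERADE rewrites the source address of tunnel-bound packets and they no longer match the IPsec policy. The function parses a captured `iptables -t nat -S POSTROUTING` listing (the listings below are constructed, with eth0 assumed to be the masqueraded WAN interface as in the diagram) and reports whether tunnel traffic is exempted before any masquerade rule.

```shell
#!/bin/sh
# Added example, not from the thread or from strongSwan.

# nat_exempts_tunnel RULES LEFTSUBNET RIGHTSUBNET
# RULES is the output of `iptables -t nat -S POSTROUTING`.
# Returns 0 when an ACCEPT rule for the tunnel traffic (either an IPsec
# policy match or an explicit src/dst pair) precedes the first
# MASQUERADE/SNAT rule; returns 1 otherwise (rule order matters).
nat_exempts_tunnel() {
  printf '%s\n' "$1" | awk -v L="$2" -v R="$3" '
    done { next }
    /-j (MASQUERADE|SNAT)/ { done = 1; next }
    /-j ACCEPT/ && ((index($0, "--pol ipsec") && index($0, "--dir out")) ||
                    index($0, "-s " L " -d " R)) { found = 1; done = 1 }
    END { exit !found }'
}

# fix_rule LEFTSUBNET RIGHTSUBNET
# Prints (does not run) the command that inserts the exemption at position 1
# of nat POSTROUTING, ahead of any MASQUERADE rule.
fix_rule() {
  printf 'iptables -t nat -I POSTROUTING 1 -s %s -d %s -j ACCEPT\n' "$1" "$2"
}

# Constructed sample listings: BAD_RULES is a typical masquerading router,
# GOOD_RULES has the exemption in front of the MASQUERADE rule.
BAD_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'
GOOD_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.16.18.0/24 -d 10.1.1.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

for rules in "$BAD_RULES" "$GOOD_RULES"; do
  if nat_exempts_tunnel "$rules" 172.16.18.0/24 10.1.1.0/24; then
    echo "ok: tunnel traffic is exempt from NAT"
  else
    echo "problem: tunnel traffic is masqueraded; fix with:"
    fix_rule 172.16.18.0/24 10.1.1.0/24
  fi
done
```

On a live router, feed it `"$(iptables -t nat -S POSTROUTING)"` instead of the constructed listings; the filter table shown in the original mail is empty, so the nat table is where the rewrite has to come from.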

On 04.04.19 at 22:49, Makarand Pradhan wrote:
> Hello Everyone,
>
> This is the first time I'm trying to use StrongSwan.
>
> I'm trying to use strongswan to create an IPSec tunnel. The tunnel status says up but I cannot ping over the tunnel. Would appreciate any pointers to get it working.
>
> Please find below a detailed view of the issue.
>
> Setup:
>
> (Left subnet)
> 172.16.18.88 80.0.0.1 <-Router-> 30.0.0.1 10.1.1.1
> wlan0        eth0                                eth0     eth1   
> Raspberry pi                                   Raspberry pi
> StrongSwan running here.         StrongSwan running here.
>
> Left config:
> config setup
>                charondebug=@all@
>                cachecrls=yes
>                uniqueids=yes
>                strictcrlpolicy=no
>                # uniqueids = no
>
> conn pi_to_pi
>                type=tunnel
>                authby=secret
>                auto=start
>                keyexchange=ike
>                esp=3des-md5
>                left=%defaultroute
>                leftid=80.0.0.1
>                leftsubnet=172.16.18.88/24
>                right=30.0.0.1
>                rightsubnet=10.1.1.0/24
>
> root at raspberrypi:~# ipsec status
> Security Associations (1 up, 0 connecting):
>     pi_to_pi[1]: ESTABLISHED 10 minutes ago, 80.0.0.1[80.0.0.1]...30.0.0.1[30.0.0.1]
>     pi_to_pi{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb15009b_i cc28abb3_o
>     pi_to_pi{1}:   172.16.18.0/24 === 10.1.1.0/24
>
> root at raspberrypi:~# ip xfrm policy | more
> src 10.1.1.0/24 dst 172.16.18.0/24 
>                dir fwd priority 187712 
>                tmpl src 30.0.0.1 dst 80.0.0.1
>                               proto esp reqid 1 mode tunnel
> src 10.1.1.0/24 dst 172.16.18.0/24 
>                dir in priority 187712 
>                tmpl src 30.0.0.1 dst 80.0.0.1
>                               proto esp reqid 1 mode tunnel
> src 172.16.18.0/24 dst 10.1.1.0/24 
>                dir out priority 187712 
>                tmpl src 80.0.0.1 dst 30.0.0.1
>                               proto esp reqid 1 mode tunnel
>
> root at raspberrypi:~# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination         
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination         
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination         
>
> Ping fails
> root at raspberrypi:~# ping 10.1.1.1 -I 172.16.18.88
> PING 10.1.1.1 (10.1.1.1) from 172.16.18.88 : 56(84) bytes of data.
>
>
> TCP dump shows that the pkt is not going out over the tunnel but is just sent to the next hop:
>
> 21:06:46.079466 IP (tos 0x0, ttl 64, id 9795, offset 0, flags [DF], proto ICMP (1), length 84)
>     80.0.0.1 > 10.1.1.1: ICMP echo request, id 1694, seq 30, length 64
>                0x0000:  e8e8 7590 02c1 b827 eb85 9967 0800 4500  ..u....'...g..E.
>                0x0010:  0054 2643 4000 4001 b963 5000 0001 0a01  .T&C@.@..cP.....
>                0x0020:  0101 0800 844a 069e 001e d663 a65c 0436  .....J.....c.\.6
>                0x0030:  0100 0809 0a0b 0c0d 0e0f 1011 1213 1415  ................
>                0x0040:  1617 1819 1a1b 1c1d 1e1f 2021 2223 2425  ...........!"#$%
>                0x0050:  2627 2829 2a2b 2c2d 2e2f 3031 3233 3435  &'()*+,-./012345
>                0x0060:  3637                                     67
>
> Any pointers to get the tunnel working would be highly appreciated.
>
> With Rgds,
> Makarand.
>
> Makarand Pradhan
> Senior Software Engineer.
> iS5 Communications Inc.
> #1-1815 Meyerside Drive
> Mississauga, Ontario
> L5T 1G3
> Main Line: +1-844-520-0588 Ext. 129
> Direct Line: +1-289-724-2296
> Cell: +1-226-501-5666
> Fax:+1-289-401-5206
> Email: makarandpradhan at is5com.com
> Website: http://www.is5com.com/
>
>