[strongSwan] VPN connection to Remote Fortigate Client

MOSES KARIUKI kariukims at gmail.com
Mon Apr 8 14:22:58 CEST 2019


Thanks a lot Noel. The connection is up and stable. Very helpful.
One more thing, the remote client is able to ping my private IP, but I am
unable to ping his private IP address. I have checked and my routes seem
OK. What do you suggest?

Below is my status:

sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.3, Linux 4.18.0-1008-gcp, x86_64):
  uptime: 28 seconds, since Apr 08 12:14:39 2019
  malloc: sbrk 1622016, mmap 0, used 629024, free 992992
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  10.138.0.4
Connections:
    televida:  10.138.0.4...200.**.***.***  IKEv2, dpddelay=30s
    televida:   local:  [35.1**.2**.***] uses pre-shared key authentication
    televida:   remote: [200.**.***.***] uses pre-shared key authentication
    televida:   child:  10.138.0.0/20 === 10.28.2.0/24 TUNNEL, dpdaction=clear

Security Associations (1 up, 0 connecting):
    televida[1]: ESTABLISHED 23 seconds ago, 10.138.0.4[35.1**.2**.***]...200.**.***.***[200.**.***.***]
    televida[1]: IKEv2 SPIs: 055627d3eb22222f_i 081a1b696be14ad2_r*, pre-shared key reauthentication in 23 hours
    televida[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
    televida{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c5fb101f_i 82900426_o
    televida{2}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
    televida{2}:   10.138.0.4/32 === 10.28.2.0/24

kariukims at klick-001:~$ ping 10.28.2.9
PING 10.28.2.9 (10.28.2.9) 56(84) bytes of data.
^C
--- 10.28.2.9 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 56ms


Kind regards,
Moses K

On Mon, Apr 8, 2019 at 3:09 PM MOSES KARIUKI <kariukims at gmail.com> wrote:

> Thanks a lot Noel. The connection is up and stable. Very helpful.
> One more thing, the remote client is able to ping my private IP, but I am
> unable to ping his private IP address. I have checked and my routes seem
> OK. What do you suggest?
>
> Kind regards,
> Moses K
>
>
> On Thu, Apr 4, 2019 at 9:50 PM Noel Kuntze
> <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>
>> Hi,
>>
>> You configured "rightsourceip=10.10.10.0/24" but that's supposed to be a
>> site-to-site connection. Use rightsubnet instead.
>> rightsourceip is for assigning and requesting virtual IPs. The best way
>> for you would be to migrate to swanctl instead.
>> Its configuration format is a lot clearer.
>>
>> Kind regards
>>
>> Noel
>>
>> On 02.04.19 at 11:27, MOSES KARIUKI wrote:
>> > Dear Tobias,
>> >
>> > :) :)
>> > I read the message. But I can't really interpret what setting is needed
>> > to make it work. I have listed my current configuration. I am still finding
>> > my way with Linux networking and strongSwan.
>> >
>> > Please assist. I will really appreciate it and also offer to assist others.
>> >
>> > regards,
>> > Moses
>> >
>> >
>> >
>> > On Tue, Apr 2, 2019 at 11:23 AM Tobias Brunner <tobias at strongswan.org> wrote:
>> >
>> >     Hi Moses,
>> >
>> >     > Apr  1 20:57:58 klick-001 charon: 11[IKE] expected a virtual IP
>> >     > request, sending FAILED_CP_REQUIRED
>> >
>> >     I guess reading is hard.  Or is that message (that you explicitly marked
>> >     in your email) really that unclear?
>> >
>> >     Regards,
>> >     Tobias
>> >
>>
>>
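To illustrate Noel's point, here is an added example (not a file from this thread or from the strongSwan project): the site-to-site conn with rightsubnet in place of the rightsourceip line that made charon expect a virtual-IP request, followed by the same connection written for swanctl.conf. Conn name, subnets, DPD settings and proposals are taken from the statusall output above; the public addresses and the PSK are placeholders.

```conf
# ipsec.conf, site-to-site conn (added illustration, not the poster's file).
# Wrong: rightsourceip=10.10.10.0/24 makes charon expect the peer to request a
# virtual IP, hence "expected a virtual IP request, sending FAILED_CP_REQUIRED".
# Right: declare the peer's network with rightsubnet.
conn televida
    keyexchange=ikev2
    authby=psk
    left=10.138.0.4
    leftid=35.1xx.2xx.xxx               # placeholder: this host's public IP
    leftsubnet=10.138.0.0/20
    right=200.xx.xxx.xxx                # placeholder: Fortigate public IP
    rightsubnet=10.28.2.0/24            # instead of rightsourceip=10.10.10.0/24
    ike=aes256-sha256-ecp521!
    esp=aes256-sha256!
    dpddelay=30s
    dpdaction=clear
    auto=start
# Same connection in swanctl.conf (the format Noel recommends migrating to).
connections {
    televida {
        version = 2
        local_addrs = 10.138.0.4
        remote_addrs = 200.xx.xxx.xxx   # placeholder
        proposals = aes256-sha256-ecp521
        dpd_delay = 30s
        local {
            auth = psk
            id = 35.1xx.2xx.xxx         # placeholder
        }
        remote {
            auth = psk
            id = 200.xx.xxx.xxx         # placeholder
        }
        children {
            televida {
                local_ts = 10.138.0.0/20
                remote_ts = 10.28.2.0/24
                esp_proposals = aes256-sha256
                dpd_action = clear
                start_action = start
            }
        }
    }
}
secrets {
    ike-televida {
        id = 200.xx.xxx.xxx             # placeholder
        secret = "REPLACE_WITH_PSK"     # placeholder
    }
}
```

Note that the installed child SA in the status above is 10.138.0.4/32 === 10.28.2.0/24, narrower than the configured 10.138.0.0/20: the peer narrowed the traffic selector, so only this host's traffic, not the rest of the /20, is carried by the tunnel.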