[strongSwan] VPN connection to Remote Fortigate Client
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Apr 11 18:36:29 CEST 2019
Hi,
Provide your nat rules in iptables/nftables (whatever you're using) or provide the complete rule set, as shown with `iptables-save`.
On 11.04.19 at 09:04, MOSES KARIUKI wrote:
> Hello Noel, Team,
>
> Any kind souls out there?
> Please assist with the below question.
>
>
> On Mon, Apr 8, 2019 at 3:22 PM MOSES KARIUKI <kariukims at gmail.com> wrote:
>
> Thanks a lot Noel. The connection is up and stable. Very helpful.
> One more thing, the remote client is able to ping my private IP, but I am unable to ping his private IP address. I have checked and my routes seem OK. What do you suggest?
>
> Below is my status:
>
> `sudo ipsec statusall`
> Status of IKE charon daemon (strongSwan 5.6.3, Linux 4.18.0-1008-gcp, x86_64):
> uptime: 28 seconds, since Apr 08 12:14:39 2019
> malloc: sbrk 1622016, mmap 0, used 629024, free 992992
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
> loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
> Listening IP addresses:
> 10.138.0.4
> Connections:
> televida: 10.138.0.4...200.**.***.*** IKEv2, dpddelay=30s
> televida: local: [35.1**.2**.***] uses pre-shared key authentication
> televida: remote: [200.**.***.***] uses pre-shared key authentication
> televida: child: 10.138.0.0/20 === 10.28.2.0/24 TUNNEL, dpdaction=clear
>
> Security Associations (1 up, 0 connecting):
> televida[1]: ESTABLISHED 23 seconds ago, 10.138.0.4[35.1**.2**.***]...200.**.***.***[200.**.***.***]
> televida[1]: IKEv2 SPIs: 055627d3eb22222f_i 081a1b696be14ad2_r*, pre-shared key reauthentication in 23 hours
> televida[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
> televida{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c5fb101f_i 82900426_o
> televida{2}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
> televida{2}: 10.138.0.4/32 === 10.28.2.0/24
> kariukims at klick-001:~$ ping 10.28.2.9
> PING 10.28.2.9 (10.28.2.9) 56(84) bytes of data.
> ^C
> --- 10.28.2.9 ping statistics ---
> 3 packets transmitted, 0 received, 100% packet loss, time 56ms
>
>
> Kind regards,
> Moses K
>
> On Mon, Apr 8, 2019 at 3:09 PM MOSES KARIUKI <kariukims at gmail.com> wrote:
>
> Thanks a lot Noel. The connection is up and stable. Very helpful.
> One more thing, the remote client is able to ping my private IP, but I am unable to ping his private IP address. I have checked and my routes seem OK. What do you suggest?
>
> Kind regards,
> Moses K
>
>
> On Thu, Apr 4, 2019 at 9:50 PM Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>
> Hi,
>
> You configured "rightsourceip=10.10.10.0/24" but that's supposed to be a site-to-site connection. Use rightsubnet instead.
> rightsourceip is for assigning and requesting virtual IPs. The best way for you would be to migrate to swanctl instead.
> Its configuration format is a lot clearer.
>
> Kind regards
>
> Noel
>
> On 02.04.19 at 11:27, MOSES KARIUKI wrote:
> > Dear Tobias,
> >
> > :) :)
> > I read the message. But I can't really interpret what setting is needed to make it work. I have listed my current configuration. I am still finding my way with Linux networking and strongSwan.
> >
> > Please assist. I will really appreciate it and also offer to assist others.
> >
> > regards,
> > Moses
> >
> >
> >
> > On Tue, Apr 2, 2019 at 11:23 AM Tobias Brunner <tobias at strongswan.org> wrote:
> >
> > Hi Moses,
> >
> > > Apr 1 20:57:58 klick-001 charon: 11[IKE] expected a virtual IP
> > > request, sending FAILED_CP_REQUIRED
> >
> > I guess reading is hard. Or is that message (that you explicitly marked
> > in your email) really that unclear?
> >
> > Regards,
> > Tobias
> >
>
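An added illustration of why Noel asks for the NAT rule set (example code written for this archive page; it is not from the thread and not part of strongSwan). On Linux, SNAT/MASQUERADE in the nat POSTROUTING chain is applied before the packet is matched against the installed IPsec policies, so a blanket masquerade on the uplink interface rewrites the source of packets destined for the peer's subnet to the host's public address; they no longer match the configured traffic selector and leave the host in cleartext, and a ping that works in one direction only is a common symptom of exactly that. The strongSwan documentation's remedy is an `-m policy --dir out --pol ipsec -j ACCEPT` rule ahead of the masquerade (or excluding the peer subnet from it). The script below parses an `iptables-save` dump and reports the first NAT rule that would rewrite traffic between the two selectors; the rule sets and the interface name `ens4` are constructed samples, not the poster's configuration.

```python
"""Find NAT rules that rewrite IPsec-bound traffic before policy matching.

Hypothetical helper written for this thread; it is not part of strongSwan.
The rule sets at the bottom are constructed samples, not the poster's.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NatRule:
    raw: str
    target: str = ""
    src: Optional[ipaddress.IPv4Network] = None
    src_negated: bool = False
    dst: Optional[ipaddress.IPv4Network] = None
    dst_negated: bool = False
    pol: str = ""        # value of --pol from "-m policy", if present
    direction: str = ""  # value of --dir from "-m policy", if present


def parse_postrouting(dump: str) -> List[NatRule]:
    """Return the POSTROUTING rules of the *nat table in iptables-save order."""
    rules: List[NatRule] = []
    in_nat = False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):              # table header such as "*nat"
            in_nat = line == "*nat"
            continue
        if line == "COMMIT":
            in_nat = False
            continue
        if not in_nat or not line.startswith("-A POSTROUTING"):
            continue
        rule = NatRule(raw=line)
        toks = shlex.split(line)[2:]          # drop "-A POSTROUTING"
        negate = False
        i = 0
        while i < len(toks):
            tok = toks[i]
            if tok == "!":                    # negates only the next match
                negate = True
                i += 1
                continue
            if tok in ("-s", "--source"):
                rule.src = ipaddress.ip_network(toks[i + 1], strict=False)
                rule.src_negated = negate
            elif tok in ("-d", "--destination"):
                rule.dst = ipaddress.ip_network(toks[i + 1], strict=False)
                rule.dst_negated = negate
            elif tok in ("-j", "--jump"):
                rule.target = toks[i + 1]
            elif tok == "--pol":
                rule.pol = toks[i + 1]
            elif tok == "--dir":
                rule.direction = toks[i + 1]
            else:                             # -o ens4, -m policy, ...: skip
                negate = False
                i += 1
                continue
            negate = False
            i += 2
        rules.append(rule)
    return rules


def _selects(net, negated: bool, traffic) -> bool:
    """Does a (possibly negated) -s/-d match hit any of the given traffic?"""
    if net is None:
        return True
    if negated:                               # "! -d X": misses only if X covers all of it
        return not traffic.subnet_of(net)
    return net.overlaps(traffic)


def first_nat_leak(dump: str, local_ts: str, remote_ts: str) -> Optional[str]:
    """Walk POSTROUTING in order; return the first SNAT/MASQUERADE rule that
    would rewrite local_ts -> remote_ts packets, or None if an ACCEPT rule
    (e.g. the "-m policy --dir out --pol ipsec" exemption) comes first."""
    local = ipaddress.ip_network(local_ts, strict=False)
    remote = ipaddress.ip_network(remote_ts, strict=False)
    for rule in parse_postrouting(dump):
        if rule.pol == "none":                # matches only un-tunnelled packets
            continue
        if not (_selects(rule.src, rule.src_negated, local)
                and _selects(rule.dst, rule.dst_negated, remote)):
            continue
        if rule.target == "ACCEPT":           # ACCEPT in nat ends NAT processing
            return None
        if rule.target in ("MASQUERADE", "SNAT"):
            return rule.raw
    return None


# Constructed sample: a typical cloud-host masquerade, no IPsec exemption.
LEAKY_RULESET = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ens4 -j MASQUERADE
COMMIT
"""
# Constructed sample: the exemption the strongSwan docs recommend, inserted first.
FIXED_RULESET = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o ens4 -j MASQUERADE
COMMIT
"""
# Constructed sample: the same effect by excluding the peer subnet explicitly.
EXCLUDED_RULESET = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.138.0.0/20 ! -d 10.28.2.0/24 -o ens4 -j MASQUERADE
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("leaky", LEAKY_RULESET), ("fixed", FIXED_RULESET),
                       ("excluded", EXCLUDED_RULESET)):
        print(name, "->", first_nat_leak(dump, "10.138.0.0/20", "10.28.2.0/24"))
```

Run it against the real output of `iptables-save` and the two selectors from `ipsec statusall`; a reported rule means packets for the peer subnet are being rewritten before the IPsec policy sees them, and the exemption rule has to be inserted ahead of it, not appended after it.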