[strongSwan] strange issues with strongswan ipsec tunnel
lenovomi
lenovomi at gmail.com
Tue Dec 31 00:57:06 CET 2019
Hi,
I am so desperate seeking for some advice/help/hint. I set up an ipsec
tunel between router (right side) with public wan IP, and local nat
network 192.168.0.x. Left side is VM box behind nat with ip
10.0.1.156. It looks like tunnel is active... but the issue which is
happening is that sometimes hosts from 192.168.1.x cant ping
10.0.1.156... sometimes it works ... but have no idea why.
I observed strange behavior, ping from 10.0.1.156 to any host inside
192.168.1.x works all the time. In case ping from 192.168.1x to
10.0.1.156 doesnt work once ping from 10.0.1.156 to any host instide
192.168.1.0/24 is executed then immediately ping from any host inside
192.168.1.0/24 to 10.0.1.156 works immediately.
Do you have any idea whats going on? :(
thanks!
ipsec statusall
Security Associations (1 up, 0 connecting):
vpn[11]: ESTABLISHED 29 minutes ago,
10.0.1.156[10.0.1.156]...78.99.148.x[78.99.148.x]
vpn[11]: IKEv1 SPIs: 5c7f4916bdf05b17_i 4a01d1b8845538c7_r*,
pre-shared key reauthentication in 2 hours
vpn[11]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
vpn{18}: REKEYED, TUNNEL, reqid 1, expires in 25 minutes
vpn{18}: 10.0.1.156/32 === 192.168.1.0/24
vpn{19}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca827fb5_i 0ef6380d_o
vpn{19}: AES_CBC_256/HMAC_SHA1_96/MODP_2048, 0 bytes_i, 0
bytes_o, rekeying in 18 minutes
vpn{19}: 10.0.1.156/32 === 192.168.1.0/24
ipsec.conf
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn vpn
keyexchange=ike
auto=add
# compress=no
type=tunnel
# fragmentation=yes
# forceencaps=yes
dpdaction=none
dpddelay=300s
rekey=yes
keyingtries=3
authby=secret
left=%any4
leftid=10.0.1.156
leftsubnet=10.0.1.156/32
leftfirewall=yes
right=%any4
rightid=%any
# rightsourceip=192.168.1.0/24
rightsubnet=192.168.1.0/24
# rightdns=8.8.8.8,208.67.222.222
ike=aes256-sha1-modp2048
esp=aes256-sha1-modp2048
root at roonserver:/home/heap# iptables-save
# Generated by iptables-save v1.6.1 on Tue Dec 31 00:50:54 2019
*mangle
:PREROUTING ACCEPT [1768439:2024183480]
:INPUT ACCEPT [1598091:1809064255]
:FORWARD ACCEPT [169545:215034758]
:OUTPUT ACCEPT [1436042:1265656905]
:POSTROUTING ACCEPT [1640750:1483916434]
-A FORWARD -s 192.168.1.0/24 -o eth0 -p tcp -m policy --dir in --pol
ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j
TCPMSS --set-mss 1360
-A FORWARD -d 192.168.1.0/24 -o eth0 -p tcp -m policy --dir out --pol
ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j
TCPMSS --set-mss 1360
COMMIT
# Completed on Tue Dec 31 00:50:54 2019
# Generated by iptables-save v1.6.1 on Tue Dec 31 00:50:54 2019
*filter
:INPUT ACCEPT [1486611:1794766486]
:FORWARD ACCEPT [169489:215030706]
:OUTPUT ACCEPT [1421101:1263544042]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
COMMIT
# Completed on Tue Dec 31 00:50:54 2019
# Generated by iptables-save v1.6.1 on Tue Dec 31 00:50:54 2019
*nat
:PREROUTING ACCEPT [25960:13260051]
:INPUT ACCEPT [24844:13152349]
:OUTPUT ACCEPT [35486:11861269]
:POSTROUTING ACCEPT [35100:11735433]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -m policy --dir out --pol
ipsec -j ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Dec 31 00:50:54 2019
router> ipsec status
x 192.168.1.0 10.0.1.156 Up
original post> https://lists.strongswan.org/pipermail/users/2019-December/014119.html
More information about the Users
mailing list