[strongSwan] strange issues with strongswan ipsec tunnel

lenovomi lenovomi at gmail.com
Tue Dec 31 00:57:06 CET 2019


Hi,
I am desperately seeking some advice/help/hint. I set up an IPsec
tunnel between a router (right side) with a public WAN IP and a local NAT
network 192.168.0.x. The left side is a VM box behind NAT with IP
10.0.1.156. It looks like the tunnel is active... but the issue that is
happening is that sometimes hosts from 192.168.1.x can't ping
10.0.1.156... sometimes it works... but I have no idea why.

I observed strange behavior: ping from 10.0.1.156 to any host inside
192.168.1.x works all the time. In case ping from 192.168.1.x to
10.0.1.156 doesn't work, once a ping from 10.0.1.156 to any host inside
192.168.1.0/24 is executed, then ping from any host inside
192.168.1.0/24 to 10.0.1.156 immediately works.

Do you have any idea what's going on? :(

thanks!



ipsec statusall
Security Associations (1 up, 0 connecting):
         vpn[11]: ESTABLISHED 29 minutes ago, 10.0.1.156[10.0.1.156]...78.99.148.x[78.99.148.x]
         vpn[11]: IKEv1 SPIs: 5c7f4916bdf05b17_i 4a01d1b8845538c7_r*, pre-shared key reauthentication in 2 hours
         vpn[11]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
         vpn{18}:  REKEYED, TUNNEL, reqid 1, expires in 25 minutes
         vpn{18}:   10.0.1.156/32 === 192.168.1.0/24
         vpn{19}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca827fb5_i 0ef6380d_o
         vpn{19}:  AES_CBC_256/HMAC_SHA1_96/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 18 minutes
         vpn{19}:   10.0.1.156/32 === 192.168.1.0/24

ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn vpn
    keyexchange=ike
    auto=add
    # compress=no
    type=tunnel
    # fragmentation=yes
    # forceencaps=yes
    dpdaction=none
    dpddelay=300s
    rekey=yes
    keyingtries=3
    authby=secret
    left=%any4
    leftid=10.0.1.156
    leftsubnet=10.0.1.156/32
    leftfirewall=yes
    right=%any4
    rightid=%any
    # rightsourceip=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    # rightdns=8.8.8.8,208.67.222.222
    ike=aes256-sha1-modp2048
    esp=aes256-sha1-modp2048


root at roonserver:/home/heap# iptables-save
# Generated by iptables-save v1.6.1 on Tue Dec 31 00:50:54 2019
*mangle
:PREROUTING ACCEPT [1768439:2024183480]
:INPUT ACCEPT [1598091:1809064255]
:FORWARD ACCEPT [169545:215034758]
:OUTPUT ACCEPT [1436042:1265656905]
:POSTROUTING ACCEPT [1640750:1483916434]
-A FORWARD -s 192.168.1.0/24 -o eth0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A FORWARD -d 192.168.1.0/24 -o eth0 -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Tue Dec 31 00:50:54 2019
# Generated by iptables-save v1.6.1 on Tue Dec 31 00:50:54 2019
*filter
:INPUT ACCEPT [1486611:1794766486]
:FORWARD ACCEPT [169489:215030706]
:OUTPUT ACCEPT [1421101:1263544042]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
COMMIT
# Completed on Tue Dec 31 00:50:54 2019
# Generated by iptables-save v1.6.1 on Tue Dec 31 00:50:54 2019
*nat
:PREROUTING ACCEPT [25960:13260051]
:INPUT ACCEPT [24844:13152349]
:OUTPUT ACCEPT [35486:11861269]
:POSTROUTING ACCEPT [35100:11735433]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Dec 31 00:50:54 2019



router> ipsec status
x     192.168.1.0     10.0.1.156   Up
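The first thing worth checking in the status output above is the per-direction ESP counters: the INSTALLED CHILD_SA `vpn{19}` reports `0 bytes_i, 0 bytes_o`, i.e. the kernel has not counted traffic on it in either direction, while the REKEYED `vpn{18}` is the old SA whose counters no longer matter. The following is an added example (not part of the original post or of strongSwan itself) that parses `ipsec statusall` output, rejoins nothing on its own but expects the lines unwrapped as they are printed by charon, and classifies each CHILD_SA as idle, one-way or bidirectional. The first sample is the post's own output (the masked `78.99.148.x` octet is kept as the author wrote it); the second sample is constructed to show what a one-way SA looks like, with a peer address from the documentation range. Field names such as `ChildSA.bytes_in` and the verdict strings are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample 1: the `ipsec statusall` output from the post, with mail-wrapped lines rejoined.
STATUS_FROM_POST = """\
Security Associations (1 up, 0 connecting):
         vpn[11]: ESTABLISHED 29 minutes ago, 10.0.1.156[10.0.1.156]...78.99.148.x[78.99.148.x]
         vpn[11]: IKEv1 SPIs: 5c7f4916bdf05b17_i 4a01d1b8845538c7_r*, pre-shared key reauthentication in 2 hours
         vpn[11]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
         vpn{18}:  REKEYED, TUNNEL, reqid 1, expires in 25 minutes
         vpn{18}:   10.0.1.156/32 === 192.168.1.0/24
         vpn{19}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca827fb5_i 0ef6380d_o
         vpn{19}:  AES_CBC_256/HMAC_SHA1_96/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 18 minutes
         vpn{19}:   10.0.1.156/32 === 192.168.1.0/24
"""

# Sample 2: constructed (not from the post). Same layout, but only outbound bytes
# have been counted, which is what a one-way tunnel looks like from this side.
STATUS_ONE_WAY = """\
Security Associations (1 up, 0 connecting):
         vpn[12]: ESTABLISHED 5 minutes ago, 10.0.1.156[10.0.1.156]...203.0.113.7[203.0.113.7]
         vpn{20}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0ffee01_i 0badf00d_o
         vpn{20}:  AES_CBC_256/HMAC_SHA1_96/MODP_2048, 0 bytes_i, 5040 bytes_o (60 pkts, 3s ago), rekeying in 40 minutes
         vpn{20}:   10.0.1.156/32 === 192.168.1.0/24
"""

# "conn{id}:" prefix of CHILD_SA lines; IKE_SA lines use "conn[id]:" and are skipped.
CHILD_RE = re.compile(r"^\s*(?P<name>\w+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
# Counters, with the optional "(N pkts, Ts ago)" detail newer releases print.
BYTES_RE = re.compile(
    r"(?P<bi>\d+) bytes_i(?: \((?P<pi>\d+) pkts?, (?P<ai>\d+)s ago\))?, "
    r"(?P<bo>\d+) bytes_o(?: \((?P<po>\d+) pkts?, (?P<ao>\d+)s ago\))?"
)
# Traffic selector line: "local === remote".
TS_RE = re.compile(r"^\s*(?P<local>\S+)\s+===\s+(?P<remote>\S+)")


@dataclass
class ChildSA:
    conn: str
    id: int
    state: str = ""
    bytes_in: Optional[int] = None
    bytes_out: Optional[int] = None
    local_ts: str = ""
    remote_ts: str = ""


def parse_child_sas(text: str) -> List[ChildSA]:
    """Collect the CHILD_SAs from `ipsec statusall` output, in order of appearance."""
    sas = {}
    order = []
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if not m:
            continue
        key = (m["name"], int(m["id"]))
        sa = sas.get(key)
        if sa is None:
            sa = ChildSA(conn=m["name"], id=int(m["id"]))
            sas[key] = sa
            order.append(key)
        rest = m["rest"]
        ts = TS_RE.match(rest)
        if ts:
            sa.local_ts, sa.remote_ts = ts["local"], ts["remote"]
            continue
        bm = BYTES_RE.search(rest)
        if bm:
            sa.bytes_in, sa.bytes_out = int(bm["bi"]), int(bm["bo"])
            continue
        # First comma-separated token of the remaining line is the SA state.
        state = rest.split(",", 1)[0].strip()
        if state.isupper():
            sa.state = state
    return [sas[k] for k in order]


def assess(sa: ChildSA) -> str:
    """Classify the traffic the kernel has counted on an SA."""
    if sa.state != "INSTALLED" or sa.bytes_in is None:
        return "not-active"          # REKEYED/expired SA, or no counter line seen
    if sa.bytes_in == 0 and sa.bytes_out == 0:
        return "idle"                # nothing has traversed this SA yet
    if sa.bytes_in == 0:
        return "outbound-only"       # we send, nothing comes back
    if sa.bytes_out == 0:
        return "inbound-only"        # peer sends, we never reply through the SA
    return "bidirectional"


def report(text: str) -> List[str]:
    """One summary line per CHILD_SA with its verdict."""
    return [
        f"{sa.conn}{{{sa.id}}} {sa.state:<9} {sa.local_ts} === {sa.remote_ts} "
        f"in={sa.bytes_in} out={sa.bytes_out} -> {assess(sa)}"
        for sa in parse_child_sas(text)
    ]


if __name__ == "__main__":
    for sample in (STATUS_FROM_POST, STATUS_ONE_WAY):
        print("\n".join(report(sample)))
```

The counters are per SA and start from zero after every rekey, so the verdict is only meaningful for the INSTALLED SA. If repeated runs keep showing `idle` on the VM while the router reports the tunnel up, the pings are not entering the tunnel at all (routing or policy on one side); if they show `outbound-only`, packets leave encrypted but the replies never arrive, which points at the return path (the NAT in front of the VM or the peer's policy) rather than at the IKE negotiation.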


original post> https://lists.strongswan.org/pipermail/users/2019-December/014119.html
