[strongSwan] Ping does not come back / but it's visible in tcpdump

Valeri Geiser valeri.geiser at km-logistik-service.de
Mon Nov 25 08:15:38 CET 2019


Hi,

I solved this with mobike = no.

Best regards,
Valeri

On 25.11.19 at 07:38, Valeri Geiser wrote:
>
> Hi,
>
> I am new to strongSwan and I just had to set up a connection to a 
> Lancom router. So far, I worked through the documentation, and the 
> IKEv2 tunnel gets established and policy-based routing is installed.
>
> Now I am trying to ping the VPN gateway using the internal network 
> address. I can see the packet leaving in tcpdump, I can see in the 
> Lancom traces that it is received and a response is created (to the 
> correct virtual address using the correct tunnel), and I can also see 
> in tcpdump on the client that a packet comes back. However, ping says 
> it did not get anything. This is the same when I shut down the firewall 
> and set everything to accept, so it should not be a firewall issue.
>
> Here is my swanctl.conf
> connections {
>   home {
>       version = 2
>       local_addrs  = A.A.A.A (external IP of client, no NAT involved)
>       remote_addrs = B.B.B.B(external IP of lancom, no NAT involved)
>
>       local {
>          auth = psk
>          id = clst01 at km-logistik-service.de
>       }
>       remote {
>          auth = psk
>          id = B.B.B.B
>       }
>       children {
>          home {
>             remote_ts = 10.131.208.0/24,10.166.47.8/29
>
>             updown = /usr/lib/ipsec/_updown iptables
>          }
>       }
>
>       vips = 0.0.0.0
>    }
> }
>
> secrets {
>    ike {
>       secret = *****
>       id = B.B.B.B
>    }
> }
>
> Here is the connection start with swanctl:
> swanctl --initiate --child home
> [IKE] initiating IKE_SA home[1] to B.B.B.B
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [NET] sending packet: from A.A.A.A[500] to B.B.B.B[500] (760 bytes)
> [NET] received packet: from B.B.B.B[500] to [500] (38 bytes)
> [ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> [IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
> [IKE] initiating IKE_SA home[1] to B.B.B.B
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [NET] sending packet: from A.A.A.A[500] to B.B.B.B[500] (952 bytes)
> [NET] received packet: from B.B.B.B[500] to A.A.A.A[500] (464 bytes)
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]
> [ENC] received unknown vendor ID: 81:75:2e:b5:91:4d:73:5c:df:cd:c8:58:c3:a8:ed:7c:1c:66:d1:42
> [CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> [IKE] authentication of 'clst01 at km-logistik-service.de' (myself) with pre-shared key
> [IKE] establishing CHILD_SA home{1}
> [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> [NET] sending packet: from A.A.A.A[4500] to B.B.B.B[4500] (384 bytes)
> [NET] received packet: from B.B.B.B[4500] to A.A.A.A[4500] (256 bytes)
> [ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(DNS ADDR) TSi TSr N(INIT_CONTACT) SA ]
> [IKE] authentication of 'B.B.B.B' with pre-shared key successful
> [IKE] IKE_SA home[1] established between A.A.A.A[clst01 at km-logistik-service.de]...B.B.B.B[B.B.B.B]
> [IKE] scheduling rekeying in 14018s
> [IKE] maximum IKE_SA lifetime 15458s
> [IKE] installing DNS server 10.166.47.12 to /etc/resolv.conf
> [IKE] installing new virtual IP 172.16.103.12
> [CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
> [IKE] CHILD_SA home{1} established with SPIs ca7ea316_i efb49814_o and TS 172.16.103.12/32 === 10.166.47.8/29
> initiate completed successfully
>
> Here are the policies for routing (relevant parts):
> ip -s xfrm policy
> src 172.16.103.12/32 dst 10.166.47.8/29 uid 0
>     dir out action allow index 1217 priority 368767 ptype main share any flag  (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2019-11-23 22:15:04 use 2019-11-23 22:16:46
>     tmpl src A.A.A.A dst B.B.B.B
>         proto esp spi 0xefb49814(4021590036) reqid 1(0x00000001) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.166.47.8/29 dst 172.16.103.12/32 uid 0
>     dir fwd action allow index 1210 priority 368767 ptype main share any flag  (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2019-11-23 22:15:04 use -
>     tmpl src B.B.B.B dst A.A.A.A
>         proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.166.47.8/29 dst 172.16.103.12/32 uid 0
>     dir in action allow index 1200 priority 368767 ptype main share any flag  (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2019-11-23 22:15:04 use -
>     tmpl src B.B.B.B dst A.A.A.A
>         proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>
> Here is the tcpdump of what I think is the ping and its response 
> (pinging 10.166.47.12, which is assigned to the Lancom on ethernet port 1):
> 22:03:20.304824 IP (tos 0x0, ttl 64, id 1894, offset 0, flags [DF], proto ESP (50), length 140)
>     A.A.A.A > B.B.B.B: ESP(spi=0xbf3e0bb5,seq=0x224), length 120
> 22:03:20.320540 IP (tos 0x0, ttl 57, id 34530, offset 0, flags [none], proto UDP (17), length 148)
>     B.B.B.B.ipsec-nat-t > A.A.A.A.ipsec-nat-t: [no cksum] UDP-encap: ESP(spi=0xc9012da8,seq=0x223), length 120
>
> I am just clueless now and any help is appreciated. Let me know if any 
> further information is required.
>
> -- 
>
> If you have any questions or anything is unclear, we are happy to help.
>
> Kind regards, Valeri Geiser
>
> KM Logistik - Service GmbH
> Hauptstraße 2
> 66459 Kirkel-Limbach
>
> Phone: (+49) 68417567899
> Fax: (+49) 6841 9933441
>
> Email: valeri.geiser at km-logistik-service.de
> Web: http://km-logistik-service.de
>
> KM Logistik - Service Gesellschaft mit beschränkter Haftung
> Registered office: 66459 Kirkel | Managing director: Klaus Miosga | 
> Commercial register: Homburg HRB 17405
>
>
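An added diagnostic, not from the post or from strongSwan, for the asymmetry visible in the capture quoted above: the ping leaves as raw ESP (proto 50) while the reply comes back UDP-encapsulated on the NAT-T port. The script parses tcpdump -v output in that format and flags peer pairs whose two directions use different ESP encapsulation; the sample lines are constructed from the posted capture, with each wrapped header line re-joined.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the capture in the post (the e-mail wrapped
# each tcpdump header line; here each header is re-joined onto one line).
SAMPLE = """\
22:03:20.304824 IP (tos 0x0, ttl 64, id 1894, offset 0, flags [DF], proto ESP (50), length 140)
    A.A.A.A > B.B.B.B: ESP(spi=0xbf3e0bb5,seq=0x224), length 120
22:03:20.320540 IP (tos 0x0, ttl 57, id 34530, offset 0, flags [none], proto UDP (17), length 148)
    B.B.B.B.ipsec-nat-t > A.A.A.A.ipsec-nat-t: [no cksum] UDP-encap: ESP(spi=0xc9012da8,seq=0x223), length 120
"""

# Header line of a tcpdump -v record: only the IP protocol is needed.
HDR = re.compile(r"^\S+ IP \(.*proto (ESP|UDP) \(\d+\)")
# Indented payload line; strips the '.ipsec-nat-t' suffix tcpdump adds for UDP 4500.
BODY = re.compile(
    r"^\s+(\S+?)(?:\.ipsec-nat-t)? > (\S+?)(?:\.ipsec-nat-t)?: "
    r".*ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)"
)


def parse_esp(text):
    """Return one dict per ESP packet: src, dst, spi, seq and encap ('raw' or 'udp')."""
    pkts, proto = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            proto = m.group(1)          # remember the header until its payload line
            continue
        m = BODY.match(line)
        if m and proto:
            src, dst, spi, seq = m.groups()
            encap = "udp" if proto == "UDP" and "UDP-encap" in line else "raw"
            pkts.append({"src": src, "dst": dst, "spi": spi,
                         "seq": int(seq, 16), "encap": encap})
            proto = None
    return pkts


def encap_mismatches(pkts):
    """Peer pairs whose two traffic directions use different ESP encapsulation."""
    by_pair = defaultdict(dict)      # {a, b} -> {(src, dst): encap}
    for p in pkts:
        by_pair[frozenset((p["src"], p["dst"]))][(p["src"], p["dst"])] = p["encap"]
    return [sorted(pair) for pair, dirs in by_pair.items()
            if len(set(dirs.values())) > 1]


if __name__ == "__main__":
    packets = parse_esp(SAMPLE)
    for p in packets:
        print(f"{p['src']} -> {p['dst']} spi={p['spi']} seq={p['seq']} encap={p['encap']}")
    for a, b in encap_mismatches(packets):
        print(f"ESP encapsulation differs between {a} and {b}: compare SA encap on both ends")
```

On the posted capture it reports the A.A.A.A/B.B.B.B pair, which is the first thing to compare against `ip xfrm state` on both ends before looking at firewall rules.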

