[strongSwan] Problem with tunnel half-working

Bertucci Roberto Roberto.Bertucci at itdsolutions.it
Wed Oct 30 23:46:04 CET 2019


Hello, I have a problem with a s2s VPN between StrongSwan and Cisco ASA.
Site A is the one with StrongSwan server and Site B is the one with ASA.
Site A is Ubuntu 19.10

Ipsec tunnel raises up and stays up nicely.

Site A internal network is 10.0.1.0/24 – external network is 10.0.0.0/24 and the gateway router NATs with the YYY.YYY.YYY.YYY address.
Site B internal network is 192.168.0.0/23

This ping works:
192.168.1.XXX ---> 10.0.1.YYYY

This ping does not work:
10.0.1.YYYY ---> 192.168.1.XXX

If I try a traceroute from 10.0.1 to 192.168.1, it seems that packets are routed through the internet connection and not through the tunnel.

These are the configuration and system status of the StrongSwan server.

==== sysctl.conf ====
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

==== strongswan.conf ====
charon {
       load_modular = yes
       #install_routes = no
       plugins {
             include strongswan.d/charon/*.conf
       }
}

==== ipsec.conf ====
config setup
        #charondebug="all 2"
        charondebug="cfg 2"
        uniqueids=yes
        strictcrlpolicy=no

conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn spc-to-varazze
       left=10.0.0.100
       #leftfirewall=yes
       leftsubnet=10.0.1.0/24
       right=XXX.XXX.XXX.XXX
       rightsubnet=192.168.0.0/23
       auto=start
       ike=aes256-sha1-modp1024
       esp=aes256-sha1-modp1024

==== xfrm status ====
root at router:/etc# ip -s xfrm state
src 10.0.0.100 dst XXX.XXX.XXX.XXX
       proto esp spi 0x6a05615e(1778737502) reqid 1(0x00000001) mode tunnel
       replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
       auth-trunc hmac(sha1) 0x687fd2cdd4dcf0bf14ef6c1655fb04af70010257 (160 bits) 96
       enc cbc(aes) 0x270e6c31e071a3771eb0508e1805fd0e (128 bits)
       encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
       anti-replay context: seq 0x0, oseq 0x529, bitmap 0x00000000
       lifetime config:
         limit: soft (INF)(bytes), hard (INF)(bytes)
         limit: soft (INF)(packets), hard (INF)(packets)
         expire add: soft 3414(sec), hard 3600(sec)
         expire use: soft 0(sec), hard 0(sec)
       lifetime current:
         79260(bytes), 1321(packets)
         add 2019-10-30 22:15:10 use 2019-10-30 22:15:15
       stats:
         replay-window 0 replay 0 failed 0
src XXX.XXX.XXX.XXX dst 10.0.0.100
       proto esp spi 0xcf6665c0(3479594432) reqid 1(0x00000001) mode tunnel
       replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
       auth-trunc hmac(sha1) 0xa9c698de75653b442199eed162b8f653bbe159ca (160 bits) 96
       enc cbc(aes) 0xfd9ef251dcaff2853e89cac211b53d19 (128 bits)
       encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
       anti-replay context: seq 0x529, oseq 0x0, bitmap 0xffffffff
       lifetime config:
         limit: soft (INF)(bytes), hard (INF)(bytes)
         limit: soft (INF)(packets), hard (INF)(packets)
         expire add: soft 3407(sec), hard 3600(sec)
         expire use: soft 0(sec), hard 0(sec)
       lifetime current:
         79260(bytes), 1321(packets)
         add 2019-10-30 22:15:10 use 2019-10-30 22:15:15
       stats:
         replay-window 0 replay 0 failed 0

==== iptables and ufw status ====
root at router:/etc# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

root at router:/etc# ufw status
Status: inactive


I've done a lot of searches but none of the answers I found was useful.

Any help/suggestion will be welcome.

RB
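A small diagnostic to go with the `ip -s xfrm state` output quoted above (added example, not code from the post or from strongSwan): it parses the per-SA packet counters and attributes them to the outbound or inbound direction of this host, so you can snapshot the counters, send a ping from 10.0.1.x, and snapshot again. If the outbound count does not grow, the packet never reached the xfrm policy on the strongSwan host, which is consistent with the traceroute going out via the internet instead of the tunnel. The sample output is constructed from the two SAs in the post, with the key lines dropped.

```python
import re

# Constructed sample: the two SAs quoted in the post, without the key lines.
SAMPLE = """\
src 10.0.0.100 dst XXX.XXX.XXX.XXX
       proto esp spi 0x6a05615e(1778737502) reqid 1(0x00000001) mode tunnel
       replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
       encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
       anti-replay context: seq 0x0, oseq 0x529, bitmap 0x00000000
       lifetime current:
         79260(bytes), 1321(packets)
src XXX.XXX.XXX.XXX dst 10.0.0.100
       proto esp spi 0xcf6665c0(3479594432) reqid 1(0x00000001) mode tunnel
       replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
       encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
       anti-replay context: seq 0x529, oseq 0x0, bitmap 0xffffffff
       lifetime current:
         79260(bytes), 1321(packets)
"""

LOCAL = "10.0.0.100"  # the strongSwan host's own address (left= in ipsec.conf)


def parse_xfrm_state(text):
    """Split `ip -s xfrm state` output into one dict per SA (src, dst, spi, counters)."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:  # a new SA block starts with its src/dst line
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"spi (0x[0-9a-f]+)", line)
        if m:
            cur["spi"] = m.group(1)
        m = re.search(r"seq (0x[0-9a-f]+), oseq (0x[0-9a-f]+)", line)
        if m:  # anti-replay context: inbound seq / outbound oseq
            cur["seq"], cur["oseq"] = int(m.group(1), 16), int(m.group(2), 16)
        m = re.search(r"(\d+)\(bytes\), (\d+)\(packets\)", line)
        if m:  # "lifetime current" counters
            cur["bytes"], cur["packets"] = int(m.group(1)), int(m.group(2))
    return sas


def direction_counters(text, local=LOCAL):
    """Sum packet counters per direction: 'out' = SAs whose src is this host."""
    totals = {"out": 0, "in": 0}
    for sa in parse_xfrm_state(text):
        totals["out" if sa["src"] == local else "in"] += sa.get("packets", 0)
    return totals
```

Feed it `ip -s xfrm state` output captured before and after a test ping from the 10.0.1.0/24 side; a static `out` counter points at routing/policy on the 10.0.1 path rather than at the tunnel itself.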
