[strongSwan] Problem with tunnel half-working

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Oct 31 13:34:50 CET 2019


Hello Roberto,

Please provide the output of `iptables-save`.

Kind regards

Noel

On 30.10.19 at 23:46, Bertucci Roberto wrote:
> Hello, I have a problem with a s2s VPN between StrongSwan and Cisco ASA.
> 
> Site A is the one with StrongSwan server and Site B is the one with ASA.
> 
> Site A is Ubuntu 19.10
> 
> IPsec tunnel comes up and stays up nicely.
> 
> Site A internal network is 10.0.1.0/24 – external network is 10.0.0.0/24 and the gateway router nats with YYY.YYY.YYY.YYY address.
> 
> Site B internal network is 192.168.0.0/23
> 
> This ping works:
> 
> 192.168.1.XXX -> 10.0.1.YYYY
> 
> This ping does not work:
> 
> 10.0.1.YYYY -> 192.168.1.XXX
> 
> If I try a traceroute from 10.0.1 to 192.168.1, it seems that packets are routed through the internet connection and not through the tunnel.
> 
> These are the configuration and system status of the StrongSwan server.
> 
> 
> ==== sysctl.conf ====
> 
> net.ipv4.ip_forward=1
> net.ipv4.conf.all.accept_redirects =0
> net.ipv4.conf.all.send_redirects =0
> 
> ==== strongswan.conf ====
> 
> charon {
>        load_modular = yes
>        #install_routes = no
>        plugins {
>              include strongswan.d/charon/*.conf
>        }
> }
> 
> 
> ==== ipsec.conf ====
> 
> config setup
>         #charondebug="all 2"
>         charondebug="cfg 2"
>         uniqueids=yes
>         strictcrlpolicy=no
> 
> conn %default
>         ikelifetime=1440m
>         keylife=60m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
>         authby=secret
> 
> conn spc-to-varazze
>        left=10.0.0.100
>        #leftfirewall=yes
>        leftsubnet=10.0.1.0/24
>        right=XXX.XXX.XXX.XXX
>        rightsubnet=192.168.0.0/23
>        auto=start
>        ike=aes256-sha1-modp1024
>        esp=aes256-sha1-modp1024
> 
> 
> ==== xfrm status ====
> 
> root at router:/etc# ip -s xfrm state
> src 10.0.0.100 dst XXX.XXX.XXX.XXX
>        proto esp spi 0x6a05615e(1778737502) reqid 1(0x00000001) mode tunnel
>        replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
>        auth-trunc hmac(sha1) 0x687fd2cdd4dcf0bf14ef6c1655fb04af70010257 (160 bits) 96
>        enc cbc(aes) 0x270e6c31e071a3771eb0508e1805fd0e (128 bits)
>        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>        anti-replay context: seq 0x0, oseq 0x529, bitmap 0x00000000
>        lifetime config:
>          limit: soft (INF)(bytes), hard (INF)(bytes)
>          limit: soft (INF)(packets), hard (INF)(packets)
>          expire add: soft 3414(sec), hard 3600(sec)
>          expire use: soft 0(sec), hard 0(sec)
>        lifetime current:
>          79260(bytes), 1321(packets)
>          add 2019-10-30 22:15:10 use 2019-10-30 22:15:15
>        stats:
>          replay-window 0 replay 0 failed 0
> src XXX.XXX.XXX.XXX dst 10.0.0.100
>        proto esp spi 0xcf6665c0(3479594432) reqid 1(0x00000001) mode tunnel
>        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
>        auth-trunc hmac(sha1) 0xa9c698de75653b442199eed162b8f653bbe159ca (160 bits) 96
>        enc cbc(aes) 0xfd9ef251dcaff2853e89cac211b53d19 (128 bits)
>        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>        anti-replay context: seq 0x529, oseq 0x0, bitmap 0xffffffff
>        lifetime config:
>          limit: soft (INF)(bytes), hard (INF)(bytes)
>          limit: soft (INF)(packets), hard (INF)(packets)
>          expire add: soft 3407(sec), hard 3600(sec)
>          expire use: soft 0(sec), hard 0(sec)
>        lifetime current:
>          79260(bytes), 1321(packets)
>          add 2019-10-30 22:15:10 use 2019-10-30 22:15:15
>        stats:
>          replay-window 0 replay 0 failed 0
> 
> 
> ==== iptables and ufw status ====
> 
> root at router:/etc# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> root at router:/etc# ufw status
> Status: inactive
> 
> I’ve done a lot of searches but none of the answers I found was useful.
> 
> Any help/suggestion will be welcome.
> 
> RB
> 
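Editor's note, added to this archived thread and not part of either message: `iptables -L` prints only the filter table, whereas `iptables-save` (which Noel asks for) also dumps the nat table. That matters here because the Site A router is described as NATing outbound traffic. On a Linux gateway, a source-NAT rule in the nat POSTROUTING chain is applied to the first packet of a flow before the kernel's IPsec policy lookup, so a LAN packet for 192.168.0.0/23 whose source has just been rewritten to the external address no longer matches the tunnel's policy and is simply forwarded along the default route, which is exactly what a traceroute heading out to the internet would look like. Flows started from the ASA side are unaffected because their first packet arrives through the tunnel and picks up no NAT mapping in conntrack, so the replies are not rewritten. Whether this is the actual cause on Roberto's router is an assumption; the `iptables-save` output would confirm or rule it out. The script below is an added example that parses constructed `iptables-save` output (the rules are made up for the example; only the subnets come from the thread) and flags any POSTROUTING SNAT/MASQUERADE rule that is not preceded by the standard IPsec exemption (`-m policy --dir out --pol ipsec -j ACCEPT`) or by an explicit ACCEPT for the remote subnet.

```shell
#!/bin/sh
# Added example (not from the thread): detect POSTROUTING source-NAT rules in
# iptables-save output that would rewrite tunnel-bound traffic before the
# IPsec policy lookup sees it.

# Constructed iptables-save output of a masquerading gateway. The subnets are
# the ones from the thread; the rules and interface name (eth0) are assumed.
SAMPLE_BROKEN='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Same gateway with the usual fix: packets that will be IPsec-encapsulated are
# accepted out of the nat chain before the MASQUERADE rule can touch them.
SAMPLE_FIXED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Alternative fix: exempt the remote subnet explicitly.
SAMPLE_SUBNET_EXEMPT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.1.0/24 -d 192.168.0.0/23 -j ACCEPT
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT'

# check_postrouting_snat "<iptables-save text>" [remote-subnet]
# Walks the nat table's POSTROUTING chain in rule order (the order the kernel
# evaluates it). Returns 0 when every SNAT/MASQUERADE rule is preceded by an
# IPsec exemption, 1 otherwise, printing the first offending rule.
check_postrouting_snat() {
    printf '%s\n' "$1" | awk -v remote="${2:-}" '
        BEGIN { bad = 0; exempt = 0 }
        /^\*/ { table = substr($0, 2); next }   # table header: *nat, *filter, ...
        table != "nat" { next }                 # only the nat table matters here
        /^-A POSTROUTING / {
            # policy-match exemption, or an explicit ACCEPT for the remote subnet
            if ($0 ~ /-j ACCEPT/ &&
                ($0 ~ /-m policy --dir out --pol ipsec/ ||
                 (remote != "" && index($0, "-d " remote " ") > 0))) {
                exempt = 1
                next
            }
            # a source-NAT rule reached with no exemption above it
            if (!exempt && $0 ~ /-j (MASQUERADE|SNAT)/) {
                print "source NAT applied before IPsec exemption: " $0
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Demonstration on the constructed samples.
if check_postrouting_snat "$SAMPLE_BROKEN" 192.168.0.0/23; then
    echo "broken sample: no problem found (unexpected)"
else
    echo "broken sample: problem found, as expected"
fi
check_postrouting_snat "$SAMPLE_FIXED" 192.168.0.0/23 && echo "fixed sample: ok"
check_postrouting_snat "$SAMPLE_SUBNET_EXEMPT" 192.168.0.0/23 && echo "subnet-exempt sample: ok"
```

On a live router it would be run as `check_postrouting_snat "$(iptables-save)" 192.168.0.0/23`. The `-m policy` form is the more robust of the two exemptions because it follows whatever the SAD/SPD currently contains rather than a hard-coded subnet, so it keeps working when `rightsubnet` changes; the rule must sit above the MASQUERADE rule, hence `-I POSTROUTING` rather than `-A` when adding it by hand.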
