[strongSwan] Problem with tunnel half-working
Bertucci Roberto
Roberto.Bertucci at itdsolutions.it
Thu Oct 31 14:06:28 CET 2019
Thank you for your answer, here it is requested output.
# Generated by iptables-save v1.8.3 on Thu Oct 31 13:05:37 2019
*nat
:PREROUTING ACCEPT [4751:549595]
:INPUT ACCEPT [2337:146691]
:OUTPUT ACCEPT [156:11302]
:POSTROUTING ACCEPT [29:2308]
-A POSTROUTING -o ens3 -j MASQUERADE
COMMIT
# Completed on Thu Oct 31 13:05:37 2019
# Generated by iptables-save v1.8.3 on Thu Oct 31 13:05:37 2019
*filter
:INPUT ACCEPT [2260:129224]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [111797:10736526]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ens4 -j ACCEPT
-A INPUT -i ens3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ens4 -o ens3 -j ACCEPT
-A FORWARD -i ens3 -o ens4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Oct 31 13:05:37 2019
Il giorno 31/10/19, 13:35 "Noel Kuntze" <noel.kuntze+strongswan-users-ml at thermi.consulting> ha scritto:
Hello Roberto,
Please provide the output of `iptables-save`.
Kind regards
Noel
Am 30.10.19 um 23:46 schrieb Bertucci Roberto:
> Hello, i have a problem with a s2s VPN between StrongSwan and Cisco ASA.
>
> Site A is the one with StrongSwan server and Site B is the one with ASA.
>
> Site A is Ubuntu 19.10
>
>
>
> Ipsec tunnel raises up and stays up nicely.
>
>
>
> Site A internal network is 10.0.1.0/24 – external network is 10.0.0.0/24 adn the gateway router nats with YYY.YYY.YYY.YYY address.
>
> Site B internal network is 192.168.0.0/23
>
>
>
> This ping works:
>
> 192.168.1.XXX -à10.0.1.YYYY
>
>
>
> This ping does not work:
>
> 10.0.1.YYYY -à192.168.1.XXX
>
>
>
> If i try a traceroute from 10.0.1 to 192.168.1, it seems that packets are routed through internet connection and not through tunnel.
>
>
>
> These are configuration and system status of StrongSwan server.
>
>
>
> ==== sysctl.conf ====
>
> net.ipv4.ip_forward=1
>
> net.ipv4.conf.all.accept_redirects =0
>
> net.ipv4.conf.all.send_redirects =0
>
>
>
> ==== strongswan.conf ====
>
> charon {
>
> load_modular = yes
>
> #install_routes = no
>
> plugins {
>
> include strongswan.d/charon/*.conf
>
> }
>
> }
>
>
>
> ==== ipsec.conf ====
>
> config setup
>
> #charondebug="all 2"
>
> charondebug="cfg 2"
>
> uniqueids=yes
>
> strictcrlpolicy=no
>
>
>
> conn %default
>
> ikelifetime=1440m
>
> keylife=60m
>
> rekeymargin=3m
>
> keyingtries=1
>
> keyexchange=ikev1
>
> authby=secret
>
>
>
> conn spc-to-varazze
>
> left=10.0.0.100
>
> #leftfirewall=yes
>
> leftsubnet=10.0.1.0/24
>
> right=XXX.XXX.XXX.XXX
>
> rightsubnet=192.168.0.0/23
>
> auto=start
>
> ike=aes256-sha1-modp1024
>
> esp=aes256-sha1-modp1024
>
>
>
> ==== xfrm status ====
>
> root at router:/etc# ip -s xfrm state
>
> src 10.0.0.100 dst XXX.XXX.XXX.XXX
>
> proto esp spi 0x6a05615e(1778737502) reqid 1(0x00000001) mode tunnel
>
> replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
>
> auth-trunc hmac(sha1) 0x687fd2cdd4dcf0bf14ef6c1655fb04af70010257 (160 bits) 96
>
> enc cbc(aes) 0x270e6c31e071a3771eb0508e1805fd0e (128 bits)
>
> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>
> anti-replay context: seq 0x0, oseq 0x529, bitmap 0x00000000
>
> lifetime config:
>
> limit: soft (INF)(bytes), hard (INF)(bytes)
>
> limit: soft (INF)(packets), hard (INF)(packets)
>
> expire add: soft 3414(sec), hard 3600(sec)
>
> expire use: soft 0(sec), hard 0(sec)
>
> lifetime current:
>
> 79260(bytes), 1321(packets)
>
> add 2019-10-30 22:15:10 use 2019-10-30 22:15:15
>
> stats:
>
> replay-window 0 replay 0 failed 0
>
> src XXX.XXX.XXX.XXX dst 10.0.0.100
>
> proto esp spi 0xcf6665c0(3479594432) reqid 1(0x00000001) mode tunnel
>
> replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
>
> auth-trunc hmac(sha1) 0xa9c698de75653b442199eed162b8f653bbe159ca (160 bits) 96
>
> enc cbc(aes) 0xfd9ef251dcaff2853e89cac211b53d19 (128 bits)
>
> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>
> anti-replay context: seq 0x529, oseq 0x0, bitmap 0xffffffff
>
> lifetime config:
>
> limit: soft (INF)(bytes), hard (INF)(bytes)
>
> limit: soft (INF)(packets), hard (INF)(packets)
>
> expire add: soft 3407(sec), hard 3600(sec)
>
> expire use: soft 0(sec), hard 0(sec)
>
> lifetime current:
>
> 79260(bytes), 1321(packets)
>
> add 2019-10-30 22:15:10 use 2019-10-30 22:15:15
>
> stats:
>
> replay-window 0 replay 0 failed 0
>
>
>
> ==== iptables and ufw status ====
>
> root at router:/etc# iptables -L
>
> Chain INPUT (policy ACCEPT)
>
> target prot opt source destination
>
> ACCEPT all -- anywhere anywhere
>
> ACCEPT all -- anywhere anywhere
>
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
>
>
>
> Chain FORWARD (policy ACCEPT)
>
> target prot opt source destination
>
> ACCEPT all -- anywhere anywhere
>
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
>
>
>
> Chain OUTPUT (policy ACCEPT)
>
> target prot opt source destination
>
> root at router:/etc# ufw status
>
> Status: inactive
>
> r
>
>
>
> I’ve done a lot of searches but no one of the aswers i found was useful.
>
>
>
> Any help/suggestion will be welcome.
>
>
>
> RB
>
>
>
More information about the Users
mailing list