[strongSwan] Request for help with failed GRE-over-IPSec config

Athmane Bouazzouni athmane2.dz at gmail.com
Fri Aug 14 20:37:19 CEST 2020


Hi,

Did you try adding:

        installpolicy=yes
        leftfirewall=yes

Regards.

On Fri, Aug 14, 2020 at 2:18 PM Philip Prindeville <
philipp_subx at redfish-solutions.com> wrote:

> Hi.
>
> I’m using 64-bit CentOS 8 Stream on a pair of Raspberry Pi4’s as hotspots.
>
> I’m using a self-signed Cert and derived public certs per this article:
>
>
> https://www.howtoforge.com/tutorial/strongswan-based-ipsec-vpn-using-certificates-and-pre-shared-key-on-ubuntu-16-04/
>
> There’s (hostnames) Pelican2 (gw1) and Pelican1 (gw5).  But I’ll refer to
> them by their Strongswan configuration names.
>
> The capture is from gw1, which is at XX.XX.XX.246, and has dummy0 (
> 10.5.28.1/24) as the internal test subnet.
>
> Gw5 is at XX.XX.XX.245, and has dummy0 (10.5.30.1/24) as the internal
> test subnet.
>
> If I try to ping from gw5 to 10.5.28.1 then I get Unreachables.
>
> If I ping from gw1 to gw5 on 10.5.30.1 then it sometimes works, and I can
> briefly ping back in the reverse direction (i.e. to 10.5.28.1 from gw5
> which previously didn’t work).
>
> My issues are:
>
> (1) I can’t confirm that the PING is being encapsulated in GRE, then the
> GRE goes over IPSec ESP transport mode.
>
> (2) If that is in fact working, it looks like the decapsulated PING is
> being rejected by the firewall on gw1, or else there’s a misconfiguration…
>
> Unlike a Cisco router, on which I can set an ACL and do full packet tracing,
> I’m not sure if there’s an equivalent way to do marking and logging in
> Linux + NFT in the kernel (because of the known limitations of how BPF
> interacts with the IPSec stack in Linux).  Any pointers would be
> appreciated.
>
> Do I need to set up a “policy” rule that allows incoming decapsulated PING
> (ICMP Echo Request) packets?
>
> Are there known issues or additional configuration required to
> interoperate with firewalld?
>
> Thanks,
>
> -Philip

-- 
Regards,
Athmane (Adam) Bouazzouni
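For readers of the thread, here is an added example (not the poster's actual configuration) of where the two suggested options sit in a strongSwan ipsec.conf conn that carries GRE in ESP transport mode between the two gateways. The conn name, certificate file name, identities and the use of IKEv2 are assumptions; the GRE tunnel interface itself is created outside strongSwan.

```conf
# Added example, not from the original post: ipsec.conf fragment for gw1.
config setup
        # log kernel policy/SA installation and config parsing while debugging
        charondebug="knl 2, cfg 2"

conn gre-gw1-gw5
        type=transport            # ESP transport mode around the GRE packets
        keyexchange=ikev2         # assumption; the article linked above may use IKEv1
        auto=start

        # Match only GRE (IP protocol 47) between the two public addresses,
        # so the IPsec policy does not catch unrelated traffic.
        left=XX.XX.XX.246
        leftprotoport=gre
        leftcert=gw1Cert.pem      # assumed file name under /etc/ipsec.d/certs
        leftid="CN=gw1"           # assumed certificate subject

        right=XX.XX.XX.245
        rightprotoport=gre
        rightid="CN=gw5"          # assumed certificate subject

        # Options suggested in the reply: install the kernel IPsec policies
        # (already the default) and let the _updown script add firewall
        # rules permitting the protected traffic.
        installpolicy=yes
        leftfirewall=yes
```

The stock _updown script inserts its rules with iptables, so on a firewalld host that manages nftables directly, check that the rules actually appear (or point leftupdown= at your own script) before concluding the drops come from the IPsec policy itself.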