[strongSwan] site-to-site tunnel, ping doesn't work.
Carl-Clemens Ebinger
post at ebinger.cc
Mon Aug 16 16:04:35 CEST 2021
Hello list,
I've installed strongSwan on Debian 11. I've configured an
IPsec PSK site-to-site tunnel on both sides via /etc/ipsec.conf and
/etc/ipsec.secrets.
1. I'm missing a strongswan.service file now.
2. The IPsec tunnel is established, but I can't ping. (telnet also doesn't
work.)
Below are my results for several commands. I obfuscated the IP addresses of
the endpoints with *.
# ipsec status
Security Associations (1 up, 0 connecting):
platon-to-sokrates[1]: ESTABLISHED 51 seconds ago, *[*]...*[*]
platon-to-sokrates{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c7bd55b2_i
cd42d7f4_o
platon-to-sokrates{1}: 192.168.27.0/24 === 192.168.28.0/24
# ip xfrm policy
src 192.168.27.0/24 dst 192.168.28.0/24
dir out priority 375423 ptype main
tmpl src * dst *
proto esp spi 0xcd42d7f4 reqid 1 mode tunnel
src 192.168.28.0/24 dst 192.168.27.0/24
dir fwd priority 375423 ptype main
tmpl src * dst *
proto esp reqid 1 mode tunnel
src 192.168.28.0/24 dst 192.168.27.0/24
dir in priority 375423 ptype main
tmpl src * dst *
proto esp reqid 1 mode tunnel
# ip xfrm state
src * dst *
proto esp spi 0xcd42d7f4 reqid 1 mode tunnel
replay-window 0 flag af-unspec
auth-trunc hmac(sha256)
0x369406a71a215db449b2addc62c467888e43e79b22cdc833691eef77574ec432 128
enc cbc(aes)
0xb59877889ab92bf8bc3f153b230ffb334b103e6f0c3d1c16d24e1da8f3ac2b67
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src * dst *
proto esp spi 0xc7bd55b2 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha256)
0x08b7237306cef348a204d869d2494c564b6d8364163fe9d8e632e36e76a25dfd 128
enc cbc(aes)
0x41f58592f959dc49f63378dccc2d8591da4e0066a5b87a621a60b5643b011555
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
# /usr/lib/ipsec/xfrmi -l
(empty)
Do you have an idea what is missing?
Best Regards,
CCE
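An added example, not part of the post and not strongSwan's own tooling: a small Python check that parses an `ip xfrm policy` listing like the one above and reports which policy directions cover a given source/destination pair. The sample text is constructed from the post's output, and the host addresses 192.168.27.10 / 192.168.28.10 / 10.0.0.1 are hypothetical; the point it shows is that only traffic whose addresses fall inside the 192.168.27.0/24 === 192.168.28.0/24 selectors is ever sent through the tunnel.

```python
import ipaddress
import re

# Constructed sample reproducing the `ip xfrm policy` listing from the post
# (tunnel endpoint addresses obfuscated with '*' as in the original).
SAMPLE_POLICY = """\
src 192.168.27.0/24 dst 192.168.28.0/24
    dir out priority 375423 ptype main
    tmpl src * dst *
        proto esp spi 0xcd42d7f4 reqid 1 mode tunnel
src 192.168.28.0/24 dst 192.168.27.0/24
    dir fwd priority 375423 ptype main
    tmpl src * dst *
        proto esp reqid 1 mode tunnel
src 192.168.28.0/24 dst 192.168.27.0/24
    dir in priority 375423 ptype main
    tmpl src * dst *
        proto esp reqid 1 mode tunnel
"""


def parse_policies(text):
    """Return a list of (src_net, dst_net, direction) tuples from `ip xfrm policy` output."""
    policies = []
    current = None
    for line in text.splitlines():
        # Selector lines start with "src ... dst ..."; "tmpl src * dst *" lines do not match
        # this anchored pattern because "tmpl" precedes "src".
        m = re.match(r"\s*src (\S+) dst (\S+)$", line)
        if m:
            current = [ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)), None]
            policies.append(current)
            continue
        m = re.match(r"\s*dir (\w+)", line)
        if m and current is not None:
            current[2] = m.group(1)
    return [tuple(p) for p in policies]


def matching_directions(text, src, dst):
    """Sorted list of directions ('out', 'fwd', 'in') whose selectors cover src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return sorted(dirn for sn, dn, dirn in parse_policies(text) if s in sn and d in dn)


if __name__ == "__main__":
    # Hypothetical LAN host behind one gateway pinging a LAN host behind the other.
    print(matching_directions(SAMPLE_POLICY, "192.168.27.10", "192.168.28.10"))  # ['out']
    # A packet sourced from an address outside the selectors matches no policy and
    # leaves the gateway unencrypted, so it never reaches the far LAN via the tunnel.
    print(matching_directions(SAMPLE_POLICY, "10.0.0.1", "192.168.28.10"))  # []
```

Running the check against the live output of `ip xfrm policy` with the actual ping source address is a quick way to tell "not routed into the tunnel" apart from "dropped on the far side".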