[strongSwan] Help with setup

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Jan 31 21:32:50 CET 2022


Hello Michael,

Can you pastebin me the output of iptables-save, and the value of the forwarding related settings in sysctl?

Kind regards
Noel

On 31.01.22 at 19:03, Michael Deignan wrote:
> I am attempting to set up a strongswan connection between my home's redhat linux router and my work's redhat linux router. Both are running Redhat 8 and have the strongswan binaries installed from https://pkgs.org/download/strongswan.
> 
> The connection appears to be successful but I cannot talk to anything on either side of the connection, e.g. I cannot ping either router or any machines on either side of the connection. I have set up the iptables postrouting rules per the wiki.
> 
> Might someone give me a clue figuring out where else I should look to get it working?
> 
> Thank you.
> 
> 
> WorkRouter swanctl.conf:
> 
> connections {
>   homenet {
>    version=2
>    local_addrs=WORK.PUBLIC.IP.ADDRESS
>    proposals=aes256-sha1-modp1024
>    remote_addrs=HOME.PUBLIC.IP.ADDRESS
>    children {
>     homenet {
>      esp_proposals=aes256-sha1
>      remote_ts=192.168.127.0/24
>      local_ts=192.168.126.0/24
>     }
>    }
>   }
> }
> 
> HomeRouter swanctl.conf:
> 
> connections {
>   worknet {
>    version=2
>    local_addrs=HOME.PUBLIC.IP.ADDRESS
>    proposals=aes256-sha1-modp1024
>    remote_addrs=WORK.PUBLIC.IP.ADDRESS
>    children {
>     worknet {
>      esp_proposals=aes256-sha1
>      local_ts=192.168.127.0/24
>      remote_ts=192.168.126.0/24
>     }
>    }
>   }
> }
> 
> HomeRouter initiating connection:
> 
> swanctl --initiate --ike worknet --child worknet
> 
> [IKE] initiating IKE_SA worknet[4] to WORK.PUBLIC.IP.ADDRESS
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [NET] sending packet: from HOME.PUBLIC.IP.ADDRESS[500] to WORK.PUBLIC.IP.ADDRESS[500] (336 bytes)
> [NET] received packet: from WORK.PUBLIC.IP.ADDRESS[500] to HOME.PUBLIC.IP.ADDRESS[500] (344 bytes)
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
> [CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> [CFG] no IDi configured, fall back on IP address
> [IKE] authentication of 'HOME.PUBLIC.IP.ADDRESS' (myself) with pre-shared key
> [IKE] establishing CHILD_SA worknet{1}
> [ENC] generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> [NET] sending packet: from HOME.PUBLIC.IP.ADDRESS[4500] to WORK.PUBLIC.IP.ADDRESS[4500] (348 bytes)
> [NET] received packet: from WORK.PUBLIC.IP.ADDRESS[4500] to HOME.PUBLIC.IP.ADDRESS[4500] (236 bytes)
> [ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
> [IKE] authentication of 'WORK.PUBLIC.IP.ADDRESS' with pre-shared key successful
> [IKE] IKE_SA worknet[4] established between HOME.PUBLIC.IP.ADDRESS[HOME.PUBLIC.IP.ADDRESS]...WORK.PUBLIC.IP.ADDRESS[WORK.PUBLIC.IP.ADDRESS]
> [IKE] scheduling rekeying in 13339s
> [IKE] maximum IKE_SA lifetime 14779s
> [CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
> [IKE] CHILD_SA worknet{1} established with SPIs cfd5d0fa_i c4358b01_o and TS 192.168.127.0/24 === 192.168.126.0/24
> [IKE] peer supports MOBIKE
> initiate completed successfully
> 
> 
> HomeRouter ip xfrm state:
> 
> src HOME.PUBLIC.IP.ADDRESS dst WORK.PUBLIC.IP.ADDRESS
>          proto esp spi 0xc4358b01 reqid 1 mode tunnel
>          replay-window 0 flag af-unspec
>          auth-trunc hmac(sha1) 0x8d6abe2f321b228663e9c88799dc3d9c78e891a7 96
>          enc cbc(aes) 0xb3820a34e1bf3f4cb4cb634a4ba9aeeaca17519bd7e323f35ff4726cc09c1c54
>          anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS
>          proto esp spi 0xcfd5d0fa reqid 1 mode tunnel
>          replay-window 32 flag af-unspec
>          auth-trunc hmac(sha1) 0x844dfdb29f581e317dad43b0c4a893669b1fa38a 96
>          enc cbc(aes) 0x130f8dc4bb5b4fd7eec13a595a45883a4b3c7d38b2a2fd0a0db635e9202e8aba
>          anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
> 
> HomeRouter ip xfrm policy:
> 
> src 192.168.127.0/24 dst 192.168.126.0/24
>          dir out priority 375423 ptype main
>          tmpl src HOME.PUBLIC.IP.ADDRESS dst WORK.PUBLIC.IP.ADDRESS
>                  proto esp spi 0xc4358b01 reqid 1 mode tunnel
> src 192.168.126.0/24 dst 192.168.127.0/24
>          dir fwd priority 375423 ptype main
>          tmpl src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS
>                  proto esp reqid 1 mode tunnel
> src 192.168.126.0/24 dst 192.168.127.0/24
>          dir in priority 375423 ptype main
>          tmpl src WORK.PUBLIC.IP.ADDRESS dst HOME.PUBLIC.IP.ADDRESS
>                  proto esp reqid 1 mode tunnel
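Noel's request targets the usual cause of "IKE_SA and CHILD_SA up, xfrm policies installed, but no traffic" on a router that also masquerades: a NAT rule that rewrites the source address before the packet is matched against the IPsec policy, or IP forwarding simply being off. The helpers below are an added example, not code from the thread; they assume the exemption rule the strongSwan wiki recommends (`-m policy --dir out --pol ipsec -j ACCEPT` listed ahead of MASQUERADE) and read `iptables-save` / `sysctl` style output on stdin, with constructed samples embedded for offline use.

```shell
# check_postrouting: prints "ok" if an IPsec policy-match ACCEPT precedes any
# MASQUERADE/SNAT rule in nat/POSTROUTING, "masq-before-ipsec" if NAT comes
# first (tunnel-bound packets are rewritten and no longer match the traffic
# selector), or "no-ipsec-exemption" if the exemption rule is missing.
check_postrouting() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING/ {
            if ($0 ~ /-m policy .*--pol ipsec/ && $0 ~ /-j ACCEPT/) {
                if (nat) late = 1; else exempt = 1
            } else if ($0 ~ /-j (MASQUERADE|SNAT)/) {
                nat = 1
            }
        }
        END {
            if (exempt) print "ok"
            else if (late) print "masq-before-ipsec"
            else print "no-ipsec-exemption"
        }'
}

# check_forwarding: reads "key = value" sysctl lines, prints "ok" when
# net.ipv4.ip_forward is 1, otherwise "forwarding-disabled".
check_forwarding() {
    awk -F' *= *' '
        $1 == "net.ipv4.ip_forward" { fwd = $2 + 0 }
        END { if (fwd == 1) print "ok"; else print "forwarding-disabled" }'
}

# Constructed sample (not from the thread): masquerade listed before the exemption.
SAMPLE_BROKEN='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'
# Constructed sample: exemption first, as the wiki recommends.
SAMPLE_FIXED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0'

printf '%s\n' "$SAMPLE_BROKEN" | check_postrouting   # masq-before-ipsec
printf '%s\n' "$SAMPLE_FIXED"  | check_postrouting   # ok
printf '%s\n' "$SAMPLE_SYSCTL" | check_forwarding    # forwarding-disabled
```

On a live router, feed the real output instead: `iptables-save | check_postrouting` and `sysctl net.ipv4.ip_forward | check_forwarding`.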