
List:       strongswan-users
Subject:    Re: [strongSwan] Tunnel established but cannot ping. Request help.
From:       Makarand Pradhan <MakarandPradhan () is5com ! com>
Date:       2019-04-05 14:00:40
Message-ID: YQBPR0101MB15212C4F4265122BA0F4A56384510 () YQBPR0101MB1521 ! CANPRD01 ! PROD ! OUTLOOK ! COM

Super thanks, Noel,

"iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT" resolved the NAT issue. I can now see the ESP pkt going out and coming in:

14:11:08.573237 IP (tos 0x0, ttl 64, id 15744, offset 0, flags [DF], proto ESP (50), length 136)
    80.0.0.1 > 30.0.0.1: ESP(spi=0xc0343e08,seq=0x3fd), length 116
        0x0000:  e8e8 7590 02c1 b827 eb85 9967 0800 4500  ..u....'...g..E.
        0x0010:  0088 3d80 4000 4032 8ec2 5000 0001 1e00  ..=.@.@2..P.....
...
14:11:08.574088 IP (tos 0x0, ttl 63, id 8591, offset 0, flags [none], proto ESP (50), length 136)
    30.0.0.1 > 80.0.0.1: ESP(spi=0xc49184df,seq=0x3fd), length 116
        0x0000:  b827 eb85 9967 e8e8 7590 02c1 0800 4500  .'...g..u.....E.
        0x0010:  0088 218f 0000 3f32 ebb3 1e00 0001 5000  ..!...?2......P.
...
14:11:08.574088 IP (tos 0x0, ttl 64, id 20675, offset 0, flags [none], proto ICMP (1), length 84)
    10.1.1.1 > 172.16.18.88: ICMP echo reply, id 3301, seq 1021, length 64
        0x0000:  b827 eb85 9967 e8e8 7590 02c1 0800 4500  .'...g..u.....E.
        0x0010:  0054 50c3 0000 4001 607c 0a01 0101 ac10  .TP...@.`|......

Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
#1-1815 Meyerside Drive
Mississauga, Ontario
L5T 1G3
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan@is5com.com
Website: www.iS5Com.com

 
Confidentiality Notice: 
This message is intended only for the named recipients. This message may contain \
information that is confidential and/or exempt from disclosure under applicable law. \
Any dissemination or copying of this message by anyone other than a named recipient \
is strictly prohibited. If you are not a named recipient or an employee or agent \
responsible for delivering this message to a named recipient, please notify us \
immediately, and permanently destroy this message and any copies you may have. \
Warning: Email may not be secure unless properly encrypted.
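
The following is an added example, not code from the strongSwan project or from either poster. It models the failure seen in this thread: the kernel's SPD entries are present, but a MASQUERADE rule in nat POSTROUTING rewrites 172.16.18.88 to 80.0.0.1 before the out policy is consulted, so the packet no longer matches the 172.16.18.0/24 === 10.1.1.0/24 selector and leaves as plain ICMP. Inserting the `-m policy --pol ipsec --dir out -j ACCEPT` rule ahead of MASQUERADE keeps the source intact. The `ip xfrm policy` dump is reconstructed from the output quoted further down; the two iptables-save excerpts are constructed; all helper names are hypothetical, and the model ignores the `-o eth0` interface match and the fwd/in directions.

```python
"""Tunnel up, SAs installed, but ping leaves in the clear: a small model of
source NAT vs. the xfrm out-policy lookup. Added example, not project code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed: the three SPD entries from the OP's `ip xfrm policy` output.
XFRM_POLICY_DUMP = """\
src 10.1.1.0/24 dst 172.16.18.0/24
        dir fwd priority 187712
        tmpl src 30.0.0.1 dst 80.0.0.1
                proto esp reqid 1 mode tunnel
src 10.1.1.0/24 dst 172.16.18.0/24
        dir in priority 187712
        tmpl src 30.0.0.1 dst 80.0.0.1
                proto esp reqid 1 mode tunnel
src 172.16.18.0/24 dst 10.1.1.0/24
        dir out priority 187712
        tmpl src 80.0.0.1 dst 30.0.0.1
                proto esp reqid 1 mode tunnel
"""

# Constructed iptables-save excerpts: a masquerading gateway before and after
# the policy-match exemption is inserted ahead of MASQUERADE.
NAT_MASQ_ONLY = """\
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""
NAT_WITH_EXEMPTION = """\
*nat
-A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str
    tmpl_src: str
    tmpl_dst: str


def parse_xfrm_policy(dump: str) -> list:
    """Turn the text form of `ip xfrm policy` into selector records."""
    policies, current = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if m := re.match(r"src (\S+) dst (\S+)$", line):
            current = {"src": m.group(1), "dst": m.group(2)}
        elif (m := re.match(r"dir (\S+) priority", line)) and current:
            current["dir"] = m.group(1)
        elif (m := re.match(r"tmpl src (\S+) dst (\S+)", line)) and current:
            policies.append(XfrmPolicy(ipaddress.ip_network(current["src"]),
                                       ipaddress.ip_network(current["dst"]),
                                       current["dir"], m.group(1), m.group(2)))
            current = None
    return policies


def find_out_policy(policies, src_ip: str, dst_ip: str) -> Optional[XfrmPolicy]:
    """First 'out' policy whose selector covers src -> dst, else None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.direction == "out" and src in p.src and dst in p.dst:
            return p
    return None


def postrouting_rules(nat_table: str) -> list:
    return [r for r in nat_table.splitlines() if r.startswith("-A POSTROUTING")]


def has_source_nat(nat_table: str) -> bool:
    return any("-j MASQUERADE" in r or "-j SNAT" in r for r in postrouting_rules(nat_table))


def nat_exempts_ipsec(nat_table: str) -> bool:
    """True if POSTROUTING ACCEPTs policy-matched traffic before any
    MASQUERADE/SNAT rule can rewrite its source (or has no source NAT)."""
    for rule in postrouting_rules(nat_table):
        if "--pol ipsec" in rule and "--dir out" in rule and "-j ACCEPT" in rule:
            return True
        if "-j MASQUERADE" in rule or "-j SNAT" in rule:
            return False
    return True


def simulate_egress(nat_table: str, policies, src_ip: str, dst_ip: str,
                    egress_ip: str):
    """Source NAT runs first; the out policy is then matched against the
    rewritten packet. Returns (source seen on the wire, ESP-encapsulated?)."""
    covered_before_nat = find_out_policy(policies, src_ip, dst_ip) is not None
    exempt = covered_before_nat and nat_exempts_ipsec(nat_table)
    wire_src = egress_ip if (has_source_nat(nat_table) and not exempt) else src_ip
    encapsulated = find_out_policy(policies, wire_src, dst_ip) is not None
    return wire_src, encapsulated


if __name__ == "__main__":
    pols = parse_xfrm_policy(XFRM_POLICY_DUMP)
    for name, table in (("masquerade only", NAT_MASQ_ONLY),
                        ("with exemption", NAT_WITH_EXEMPTION)):
        src, esp = simulate_egress(table, pols, "172.16.18.88", "10.1.1.1", "80.0.0.1")
        print(f"{name:16}: {src} -> 10.1.1.1 on the wire, "
              f"{'ESP to 30.0.0.1' if esp else 'plain ICMP to the next hop'}")
```

Running it reproduces both captures in the thread: with MASQUERADE alone the echo request is seen as 80.0.0.1 > 10.1.1.1 in the clear, exactly as in the original tcpdump, and with the exemption in place it keeps its 172.16.18.88 source and is carried in ESP to 30.0.0.1.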

-----Original Message-----
From: Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> 
Sent: April 4, 2019 4:54 PM
To: Makarand Pradhan <MakarandPradhan@is5com.com>; users@lists.strongswan.org
Subject: Re: [strongSwan] Tunnel established but cannot ping. Request help.

Hi,

> 21:06:46.079466 IP (tos 0x0, ttl 64, id 9795, offset 0, flags [DF], proto ICMP (1), length 84)
>     80.0.0.1 > 10.1.1.1: ICMP echo request, id 1694, seq 30, length 64
The source IP is changed. Fix your damn NAT rules and follow the contents of the HelpRequests[1] page to the letter. The ForwardingAndSplitTunneling[2] tells you what the problem is and how to fix it.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
[2] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems


On 04.04.19 at 22:49, Makarand Pradhan wrote:
> Hello Everyone,
> 
> This is the first time I'm trying to use StrongSwan.
> 
> I'm trying to use strongswan to create an IPSec tunnel. The tunnel status says up but I cannot ping over the tunnel. Would appreciate any pointers to get it working. Please find below a detailed view of the issue.
> 
> Setup:
> 
> (Left subnet)
> 172.16.18.88   80.0.0.1   <-Router->   30.0.0.1   10.1.1.1
> wlan0          eth0                    eth0       eth1
> Raspberry Pi, StrongSwan               Raspberry Pi, StrongSwan
> running here.                          running here.
> 
> Left config:
> config setup
> charondebug=@all@
> cachecrls=yes
> uniqueids=yes
> strictcrlpolicy=no
> # uniqueids = no
> 
> conn pi_to_pi
> type=tunnel
> authby=secret
> auto=start
> keyexchange=ike
> esp=3des-md5
> left=%defaultroute
> leftid=80.0.0.1
> leftsubnet=172.16.18.88/24
> right=30.0.0.1
> rightsubnet=10.1.1.0/24
> 
> root@raspberrypi:~# ipsec status
> Security Associations (1 up, 0 connecting):
> pi_to_pi[1]: ESTABLISHED 10 minutes ago, 80.0.0.1[80.0.0.1]...30.0.0.1[30.0.0.1]
> pi_to_pi{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb15009b_i cc28abb3_o
> pi_to_pi{1}:   172.16.18.0/24 === 10.1.1.0/24
> 
> root@raspberrypi:~# ip xfrm policy | more
> src 10.1.1.0/24 dst 172.16.18.0/24
>         dir fwd priority 187712
>         tmpl src 30.0.0.1 dst 80.0.0.1
>                 proto esp reqid 1 mode tunnel
> src 10.1.1.0/24 dst 172.16.18.0/24
>         dir in priority 187712
>         tmpl src 30.0.0.1 dst 80.0.0.1
>                 proto esp reqid 1 mode tunnel
> src 172.16.18.0/24 dst 10.1.1.0/24
>         dir out priority 187712
>         tmpl src 80.0.0.1 dst 30.0.0.1
>                 proto esp reqid 1 mode tunnel
> 
> root@raspberrypi:~# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Ping fails
> root@raspberrypi:~# ping 10.1.1.1 -I 172.16.18.88
> PING 10.1.1.1 (10.1.1.1) from 172.16.18.88 : 56(84) bytes of data.
> 
> 
> TCP dump shows that the pkt is not going out over the tunnel but is just sent to the next hop:
> 21:06:46.079466 IP (tos 0x0, ttl 64, id 9795, offset 0, flags [DF], proto ICMP (1), length 84)
>     80.0.0.1 > 10.1.1.1: ICMP echo request, id 1694, seq 30, length 64
>         0x0000:  e8e8 7590 02c1 b827 eb85 9967 0800 4500  ..u....'...g..E.
>         0x0010:  0054 2643 4000 4001 b963 5000 0001 0a01  .T&C@.@..cP.....
>         0x0020:  0101 0800 844a 069e 001e d663 a65c 0436  .....J.....c.\.6
>         0x0030:  0100 0809 0a0b 0c0d 0e0f 1011 1213 1415  ................
>         0x0040:  1617 1819 1a1b 1c1d 1e1f 2021 2223 2425  ...........!"#$%
>         0x0050:  2627 2829 2a2b 2c2d 2e2f 3031 3233 3435  &'()*+,-./012345
>         0x0060:  3637                                     67
> 
> Any pointers to get the tunnel working would be highly appreciated.
> 
> With Rgds,
> Makarand.
> 

