Hello,

Currently, I have a VTI interface on CentOS 7 going to a Juniper SRX. The tunnel shows up with both IKE and IPsec SAs established and the IPsec SPIs matching on both sides.

The CentOS box has iptables wide open currently and SELinux has been disabled temporarily to ensure they aren't impacting anything. The CentOS box sits behind NAT:

    SRX (104.167.4.2) to 34.204.126.142 <NAT> to (172.31.140.0) CentOS

The VTI interface and the st interface on the SRX are set to IPs on the 192.168.10.0/24 network. I have users sitting on 10.8.0.0/24, connected off of the CentOS box, that I am trying to have use this tunnel.

The issue: I see no bytes traversing the VTI interface. When I ping from the SRX to the VTI interface I see the RX error counter incrementing, but I get no response from the IP associated with the VTI interface. When I attempt to send pings to the SRX interface, I get TX errors on the VTI interface. ip xfrm doesn't show an ESP SPI value but does show a reqid, which is below; I am not sure if the value should show there or not as well. I also can't ping from a 10.8.x.x address across the VTI either.

I am new to Libreswan and would appreciate any help getting this issue resolved. I am sure it's probably something I haven't configured correctly or overlooked, but I am not knowledgeable enough to see what it is. Below is some information from my CentOS box.

Paul

ipsec whack --trafficstatus
006 #41: "SRX", type=ESP, add_time=0, inBytes=0, outBytes=0, id='104.167.4.2'

============
ipsec status
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #41: "SRX":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2129s; newest IPSEC; eroute owner; isakmp#40; idle; import:admin initiate
000 #41: "SRX" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 #40: "SRX":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 155s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

===============
ifconfig
vti201: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 8981
        inet 192.168.10.2  netmask 255.255.255.0  destination 192.168.10.1
        tunnel   txqueuelen 1  (IPIP Tunnel)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions

================
IPSEC.CONF config
conn SRX
    authby=secret
    #aggressive=no
    #type=tunnel
    left=172.31.140.0
    leftid=34.204.126.142
    right=102.167.4.2
    auto=start
    mark=5/0xfffffff
    keyingtries=%forever
    rightsubnet=0.0.0.0/24
    leftsubnet=10.8.0.0/24
    ike=aes-sha1;modp1536
    phase2=esp
    phase2alg=aes256-sha1;modp1536
    vti-interface=vti201
    vti-routing=yes
    leftvti=192.168.10.2/24

================
ip -s xfrm policy
src 10.8.0.0/24 dst 0.0.0.0/24 uid 0
        dir out action allow index 625 priority 2344 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-10-31 12:22:43 use -
        mark 5/0xfffffff
        tmpl src 172.31.140.0 dst 102.167.4.2
                proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/24 dst 10.8.0.0/24 uid 0
        dir fwd action allow index 642 priority 2344 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2017-10-30 20:39:08 use -
        mark 5/0xfffffff
        tmpl src 102.167.4.2 dst 172.31.140.0
                proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
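The post above describes the classic "SAs up, zero bytes on the VTI" picture. Two things have to line up for the kernel to steer ESP through vtiN: the device's ikey/okey must equal the fwmark on the xfrm policies (libreswan sets that mark from mark=), and there must be ESP states for the policies' reqid. A policy template always prints "spi 0x00000000"; the negotiated SPIs only appear in `ip xfrm state`, so that part of the output is expected, not a fault. The script below is an added diagnostic, not part of Paul's post and not Libreswan's own tooling, that cross-checks exactly those two points. The device name vti201, the mark 5/0xfffffff and the reqid 16389 are taken from the post; the command output embedded in the script is constructed so it runs offline, and the assumption that iproute2 prints vti keys as dotted-quad (older releases) or plain integers is handled by the converter accepting both.

```sh
#!/bin/sh
# Added example (not from the original post or from libreswan): cross-check
# the VTI device keys against the xfrm policy marks, and count ESP states
# for the policies' reqid. Device name, mark and reqid come from the post;
# the sample outputs below are CONSTRUCTED stand-ins for `ip -d link show`,
# `ip xfrm policy` and `ip xfrm state` so the script runs offline.

# Constructed: `ip -d link show dev vti201` on an iproute2 that prints vti
# keys dotted-quad (assumed format; newer releases print plain integers).
SAMPLE_LINK='5: vti201@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8981 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/ipip 172.31.140.0 peer 102.167.4.2
    vti remote 102.167.4.2 local 172.31.140.0 ikey 0.0.0.5 okey 0.0.0.5'

# Constructed from the policy lines in the post (lifetime lines dropped).
SAMPLE_POLICY='src 10.8.0.0/24 dst 0.0.0.0/24 uid 0
    dir out action allow index 625 priority 2344 ptype main share any flag  (0x00000000)
    mark 5/0xfffffff
    tmpl src 172.31.140.0 dst 102.167.4.2
        proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel
src 0.0.0.0/24 dst 10.8.0.0/24 uid 0
    dir fwd action allow index 642 priority 2344 ptype main share any flag  (0x00000000)
    mark 5/0xfffffff
    tmpl src 102.167.4.2 dst 172.31.140.0
        proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel'

# Constructed: two ESP SAs as `ip xfrm state` would list them. SPIs and
# key material are made up; the post shows none.
SAMPLE_STATE='src 172.31.140.0 dst 102.167.4.2
    proto esp spi 0x0a1b2c3d reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    mark 5/0xfffffff
    auth-trunc hmac(sha1) 0xredacted 96
    enc cbc(aes) 0xredacted
src 102.167.4.2 dst 172.31.140.0
    proto esp spi 0x4e5f6071 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    mark 5/0xfffffff
    auth-trunc hmac(sha1) 0xredacted 96
    enc cbc(aes) 0xredacted'

# Normalise a vti key or xfrm mark to decimal: dotted-quad (0.0.0.5),
# hex (0x5) or plain decimal (5) all become 5.
key_to_int() {
    case "$1" in
    *.*.*.*) set -- $(printf '%s' "$1" | tr '.' ' ')
             echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) ;;
    *)       echo $(( $1 )) ;;
    esac
}

# Print "ikey okey" (decimal) from `ip -d link show dev vtiN` output.
# Note ifconfig never shows the keys; only `ip -d link` does.
vti_keys() {
    ikey=$(printf '%s\n' "$1" | sed -n 's/.*ikey \([^ ]*\).*/\1/p')
    okey=$(printf '%s\n' "$1" | sed -n 's/.*okey \([^ ]*\).*/\1/p')
    [ -n "$ikey" ] && [ -n "$okey" ] || return 1
    echo "$(key_to_int "$ikey") $(key_to_int "$okey")"
}

# Print the decimal value of every "mark V/M" line, one per line.
xfrm_marks() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*mark \([^/ ]*\).*/\1/p' |
        while read -r m; do key_to_int "$m"; done
}

# Verdict: 0 when ikey, okey and every policy mark agree, 1 otherwise.
# A mismatch here means ESP is never bound to the VTI, which is exactly
# "tunnel up, RX/TX 0 on vtiN".
check_vti_mark() {
    keys=$(vti_keys "$1") || { echo "no ikey/okey on device"; return 1; }
    ikey=${keys% *}; okey=${keys#* }
    rc=0
    for m in $(xfrm_marks "$2"); do
        if [ "$m" -ne "$ikey" ] || [ "$m" -ne "$okey" ]; then
            echo "MISMATCH: policy mark $m vs vti ikey $ikey okey $okey"
            rc=1
        fi
    done
    [ $rc -eq 0 ] && echo "OK: ikey=$ikey okey=$okey match policy mark(s)"
    return $rc
}

# Count ESP states carrying the given reqid. Expect one per direction.
state_count() {
    n=$(printf '%s\n' "$2" | grep -c "spi 0x[0-9a-f]* reqid $1 ") || true
    echo "$n"
}

main() {
    echo "== vti key vs policy mark"
    check_vti_mark "$SAMPLE_LINK" "$SAMPLE_POLICY"
    echo "== ESP states for reqid 16389: $(state_count 16389 "$SAMPLE_STATE")"
}

# Runs against the constructed samples. On the CentOS box use live output:
#   check_vti_mark "$(ip -d link show dev vti201)" "$(ip xfrm policy)"
#   state_count 16389 "$(ip xfrm state)"
main
```

If the mark check passes and the state count is 2 but the VTI counters still stay at zero, the next things to compare are the policy selectors (src/dst subnets) against the addresses actually being sent, and the routes that point at vti201, since a packet that matches no policy is sent in the clear or dropped rather than through the tunnel.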
