Hi all
I am desperately trying to resolve a problem with my strongSwan IPsec setup,
which nicely builds up tunnels, but then refuses to send data. I.e. a ping
results in a "sendmsg: Operation not permitted" message.
The very strange thing is that this error cannot really be reproduced.
The setup consists of 4 Bintec routers (VPN 25) and a strongSwan central
gateway. Both sides build up the tunnels without error. Some connections work,
some do not (see above). The pattern is completely random.
Other peculiarities:
- A reconnect (down followed by an up) does not help.
- A reboot of the central gateway may help (connections which did not work
before work afterwards) or make things worse (vice versa).
- Letting the ping run shows that sometimes the ping works after a few minutes.
The firewall is switched off:
iptables -t nat -S
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
Example: Right now, the connection from the central site (172.25.12.x) to peer
A (172.25.17.x) works, while the one to peer B (172.25.14.x) does not.
ip xfrm policy
src 172.25.12.0/24 dst 172.25.14.0/24
dir out priority 2344
tmpl src xxx.138.2.8 dst 81.221.137.215
proto esp reqid 16409 mode tunnel
src 172.25.14.0/24 dst 172.25.12.0/24
dir fwd priority 2344
tmpl src xxx.221.137.215 dst xxx.138.2.8
proto esp reqid 16409 mode tunnel
src 172.25.14.0/24 dst 172.25.12.0/24
dir in priority 2344
tmpl src xxx.221.137.215 dst xxx.138.2.8
proto esp reqid 16409 mode tunnel
src 172.25.12.0/24 dst 172.25.17.0/24
dir out priority 2344
tmpl src xxx.138.2.8 dst xxx.165.86.30
proto esp reqid 16405 mode tunnel
src 172.25.17.0/24 dst 172.25.12.0/24
dir fwd priority 2344
tmpl src xxx.165.86.30 dst xxx.138.2.8
proto esp reqid 16405 mode tunnel
src 172.25.17.0/24 dst 172.25.12.0/24
dir in priority 2344
tmpl src xxx.165.86.30 dst xxx.138.2.8
proto esp reqid 16405 mode tunnel
ip xfrm state
src xxx.138.2.8 dst xxx.221.137.215
proto esp spi 0x277dc464 reqid 16409 mode tunnel
replay-window 32
auth hmac(sha1) 0x1867b21b2cd0f6591d91a1ab0f922cbf37865a42
enc cbc(aes) 0xa5c02d0c447534cb2e6fd71c60493a07
sel src 0.0.0.0/0 dst 0.0.0.0/0
src xxx.221.137.215 dst xxx.138.2.8
proto esp spi 0x2dfa6a76 reqid 16409 mode tunnel
replay-window 32
auth hmac(sha1) 0x3f1ee074ea0e9c912b52402622d8f5d869eff4c7
enc cbc(aes) 0xe0ec5aad971eeb5ec2dc858c8d618b93
sel src 0.0.0.0/0 dst 0.0.0.0/0
src xxx.138.2.8 dst xxx.165.86.30
proto esp spi 0x51b0c228 reqid 16405 mode tunnel
replay-window 32
auth hmac(sha1) 0x7665aeaa34bf182f7e7b3cf8a8af1f3ccdfbac3c
enc cbc(aes) 0x848422734c6a0db8d3b2e63dd0bed03b
sel src 0.0.0.0/0 dst 0.0.0.0/0
src xxx.165.86.30 dst xxx.138.2.8
proto esp spi 0xf1a97267 reqid 16405 mode tunnel
replay-window 32
auth hmac(sha1) 0x15d3842fc5a10151bdca4c3f830ad357d614ac7c
enc cbc(aes) 0xf270f04642567f692ef5eb2a0360619d
sel src 0.0.0.0/0 dst 0.0.0.0/0
ping 172.25.17.2
PING 172.25.17.2 (172.25.17.2) 56(84) bytes of data.
64 bytes from 172.25.17.2: icmp_seq=1 ttl=62 time=55.3 ms
64 bytes from 172.25.17.2: icmp_seq=2 ttl=62 time=53.3 ms
64 bytes from 172.25.17.2: icmp_seq=3 ttl=62 time=55.0 ms
64 bytes from 172.25.17.2: icmp_seq=4 ttl=62 time=54.8 ms
64 bytes from 172.25.17.2: icmp_seq=5 ttl=62 time=54.1 ms
PING 172.25.14.2 (172.25.14.2) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
Does anybody have any idea how to track this problem down?
Thanks
Peter
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
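A mechanical cross-check of the two listings, added here as an example and not part of the original post or of strongSwan: it parses the text of `ip xfrm policy` and `ip xfrm state`, pairs each policy template with an SA that has the same outer addresses, reqid and mode, and checks that the SA selector covers the policy subnets, since a policy that no installed SA can serve is the first thing to rule out when traffic matching it is refused. On the post's own listings every template has its SA, so the sample below is constructed with RFC 5737 addresses in place of the redacted ones, one SA left out and one selector narrowed, so that both findings show.

```python
from ipaddress import ip_network

# Constructed sample modelled on the listings in the post, with RFC 5737 addresses in place of
# the redacted ones; the SA for reqid 16409 is omitted and the reqid 16405 SA has a narrowed selector.
SAMPLE_POLICY = """\
src 172.25.12.0/24 dst 172.25.14.0/24
dir out priority 2344
tmpl src 203.0.113.8 dst 198.51.100.215
proto esp reqid 16409 mode tunnel
src 172.25.12.0/24 dst 172.25.17.0/24
dir out priority 2344
tmpl src 203.0.113.8 dst 198.51.100.30
proto esp reqid 16405 mode tunnel
"""
SAMPLE_STATE = """\
src 203.0.113.8 dst 198.51.100.30
proto esp spi 0x51b0c228 reqid 16405 mode tunnel
replay-window 32
auth hmac(sha1) 0x7665aeaa34bf182f7e7b3cf8a8af1f3ccdfbac3c
sel src 10.0.0.0/8 dst 0.0.0.0/0
"""

def parse_records(text):
    """Split `ip xfrm policy` / `ip xfrm state` output into one dict per policy or SA."""
    records, cur = [], None
    for toks in (line.split() for line in text.splitlines() if line.strip()):
        if toks[0] == "src":                     # a bare "src ... dst ..." line opens a record
            records.append(cur := {})
        prefix = toks[0] + "_" if toks[0] in ("tmpl", "sel") else ""
        toks = toks[1:] if prefix else toks      # keep tmpl/sel addresses apart from outer ones
        cur.update((prefix + k, v) for k, v in zip(toks[0::2], toks[1::2]))
    return records

def find_broken_policies(policy_text, state_text):
    """Return (policy, reason) for every templated policy that no installed SA can serve."""
    states = parse_records(state_text)
    problems = []
    for pol in (p for p in parse_records(policy_text) if "tmpl_src" in p):
        desc = f"{pol['src']} -> {pol['dst']} dir {pol['dir']} reqid {pol['reqid']}"
        sas = [s for s in states if (s["src"], s["dst"], s["reqid"], s.get("mode")) ==
               (pol["tmpl_src"], pol["tmpl_dst"], pol["reqid"], pol.get("mode"))]
        if not sas:                               # policy matches traffic, but nothing can carry it
            problems.append((desc, "no SA matches the template"))
        elif not any(ip_network(pol["src"]).subnet_of(ip_network(s["sel_src"])) and
                     ip_network(pol["dst"]).subnet_of(ip_network(s["sel_dst"])) for s in sas):
            problems.append((desc, "SA selector does not cover the policy subnets"))
    return problems
```

On a live gateway, pass the two functions the real command output, e.g. `find_broken_policies(subprocess.check_output(["ip", "xfrm", "policy"], text=True), subprocess.check_output(["ip", "xfrm", "state"], text=True))`, and rerun it for a peer that works and one that does not to compare.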