Hi Ashwin, you have to NAT the source address of the packets tunneled from the iPhones to the IP address of the physical VPN gateway interface because the private 10.2.0.0/16 address range of the assigned virtual IPs will not be routed over the Internet:
iptables -t nat -A POSTROUTING -s 10.2.0.0/16 -o eth1 -j MASQUERADE

Regards

Andreas

On 07/03/2012 06:05 AM, Ashwin Rao wrote:
> Hi,
>
> I would like my mobile clients to connect to the Internet via my VPN
> server. My clients (an ipod touch and an android phone running android
> 4.0) are able to create a VPN tunnel between my server running
> strongswan 5.0.0 on ubuntu 12.04 (kernel 3.2.0-23-generic). I have
> disabled all the firewalls and flushed out all the rules in iptables
> on my server. I am not able to figure out why my clients are not able
> to connect to the Internet. Are there any specific rules that I must
> add in the routing tables to enable forwarding? I have enabled
> forwarding and the output of cat /proc/sys/net/ipv4/ip_forward is 1.
> My clients show that the VPN tunnel is established, however I am not
> able to access web pages from my mobile devices after the tunnel has
> been established. I am able to access webpages when I disable VPN.
>
> My ipsec.conf is as follows
> # ipsec.conf - strongSwan IPsec configuration file
> config setup
> # Add connections here.
> conn mobile
>     type=tunnel
>     auto=add
>     keyexchange=ikev1
>     authby=xauthrsasig
>     xauth=server
>     left=%defaultroute
>     [email protected]
>     leftsourceip=%config
>     leftsubnet=0.0.0.0/0
>     leftcert=serverCert.pem
>     leftrsasigkey=%cert
>     right=%any
>     leftfirewall=yes
>     rightsourceip=10.2.0.1/16
>
> My strongswan.conf is as follows
> # strongswan.conf - strongSwan configuration file
>
> charon {
>     plugins {
>         attr {
>             dns = <dns1>, <dns2>
>         }
>     }
>     filelog {
>         /var/log/charon.log {
>             time_format = %b %e %T
>             append = no
>             default = 1
>             flush_line = yes
>         }
>         stderr {
>             ike = 2
>             knl = 3
>             ike_name = yes
>         }
>     }
>     syslog {
>         identifier = charon-custom
>         daemon {
>         }
>         auth {
>             default = -1
>             ike = 0
>         }
>     }
> }
>
>
> The output of /home/arao/usr/sbin/ipsec start --nofork --debug-all is
> as follows. This is followed by the output of ip route list table 0
> and ipsec status all
>
> Starting strongSwan 5.0.0 IPsec [starter]...
> Loading config setup
> Loading conn 'mobile'
> type=tunnel
> auto=add
> keyexchange=ikev1
> authby=xauthrsasig
> xauth=server
> left=%defaultroute
> [email protected]
> leftsourceip=%config
> leftsubnet=0.0.0.0/0
> leftcert=serverCert.pem
> leftrsasigkey=%cert
> right=%any
> leftfirewall=yes
> rightsourceip=10.2.0.1/16
> found netkey IPsec stack
> plugin 'kernel-netlink': loaded successfully
> listening on interfaces:
> eth1
> ppp.ppp.4.186
> abcd::221:9abc:fecd:abcd
> Attempting to start charon...
> 00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux
> 3.2.0-23-generic, x86_64)
> 00[KNL] listening on interfaces:
> 00[KNL] eth1
> 00[KNL] ppp.ppp.4.186
> 00[KNL] feaa::aaa:aaa:aaaa:aaaa
> 00[CFG] loaded 0 RADIUS server configurations
> 00[CFG] loading ca certificates from '/home/arao/etc/ipsec.d/cacerts'
> 00[CFG] loaded ca certificate "C=US, O=snowmane, CN=snowmane CA"
> from '/home/arao/etc/ipsec.d/cacerts/caCert.pem'
> 00[CFG] loading aa certificates from '/home/arao/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from
> '/home/arao/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/home/arao/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/home/arao/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/home/arao/etc/ipsec.secrets'
> 00[CFG] loaded RSA private key from
> '/home/arao/etc/ipsec.d/private/serverKey.pem'
> 00[CFG] loaded EAP secret for test
> 00[DMN] loaded plugins: charon aes des sha1 sha2 md4 md5 random nonce
> x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl
> gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve
> socket-default socket-raw socket-dynamic stroke updown eap-identity
> eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-radius
> xauth-generic
> 00[JOB] spawning 16 worker threads
> charon (2065) started after 40 ms
> 10[CFG] received stroke: add connection 'mobile'
> 10[KNL] getting interface name for %any
> 10[KNL] %any is not a local address
> 10[KNL] getting interface name for %any
> 10[KNL] %any is not a local address
> 10[CFG] left nor right host is our side, assuming left=local
> 10[CFG] loaded certificate "C=US, O=snowmane,
> CN=snowmane.mydomain.edu" from 'serverCert.pem'
> 10[CFG] added configuration 'mobile'
> 10[CFG] adding virtual IP address pool 'mobile': 10.2.0.1/16
> 11[NET] <1> received packet: from sss.sss.202.73[500] to ppp.ppp.4.186[500]
> 11[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V ]
> 11[IKE] <1> received NAT-T (RFC 3947) vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-08 vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-06 vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-05 vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-04 vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> 11[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> 11[IKE] <1> received XAuth vendor ID
> 11[IKE] <1> received Cisco Unity vendor ID
> 11[IKE] <1> received DPD vendor ID
> 11[IKE] <1> sss.sss.202.73 is initiating a Main Mode IKE_SA
> 11[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
> 11[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
> 11[NET] <1> sending packet: from ppp.ppp.4.186[500] to sss.sss.202.73[500]
> 12[NET] <1> received packet: from sss.sss.202.73[500] to ppp.ppp.4.186[500]
> 12[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> 12[IKE] <1> sending cert request for "C=US, O=snowmane, CN=snowmane CA"
> 12[ENC] <1> generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
> 12[NET] <1> sending packet: from ppp.ppp.4.186[500] to sss.sss.202.73[500]
> 13[NET] <1> received packet: from sss.sss.202.73[500] to ppp.ppp.4.186[500]
> 13[ENC] <1> parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT)
> ]
> 13[IKE] <1> ignoring certificate request without data
> 13[IKE] <1> received end entity cert "C=US, O=snowmane, CN=client"
> 13[CFG] <1> looking for XAuthInitRSA peer configs matching
> ppp.ppp.4.186...sss.sss.202.73[C=US, O=snowmane, CN=client]
> 13[CFG] <1> selected peer config "mobile"
> 13[CFG] <mobile|1> using certificate "C=US, O=snowmane, CN=client"
> 13[CFG] <mobile|1> using trusted ca certificate "C=US, O=snowmane,
> CN=snowmane CA"
> 13[CFG] <mobile|1> checking certificate status of "C=US, O=snowmane,
> CN=client"
> 13[CFG] <mobile|1> certificate status is not available
> 13[CFG] <mobile|1> reached self-signed root ca with a path length of 0
> 13[IKE] <mobile|1> authentication of 'C=US, O=snowmane, CN=client'
> with RSA successful
> 13[IKE] <mobile|1> authentication of 'snowmane.mydomain.edu' (myself)
> successful
> 13[IKE] <mobile|1> queueing XAUTH task
> 13[IKE] <mobile|1> sending end entity cert "C=US, O=snowmane,
> CN=snowmane.mydomain.edu"
> 13[ENC] <mobile|1> generating ID_PROT response 0 [ ID CERT SIG ]
> 13[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 13[IKE] <mobile|1> activating new tasks
> 13[IKE] <mobile|1> activating XAUTH task
> 13[ENC] <mobile|1> generating TRANSACTION request 697392116 [ HASH CP ]
> 13[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 14[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 14[ENC] <mobile|1> parsed TRANSACTION response 697392116 [ HASH CP ]
> 14[IKE] <mobile|1> XAuth authentication of 'test' successful
> 14[IKE] <mobile|1> reinitiating already active tasks
> 14[IKE] <mobile|1> XAUTH task
> 14[ENC] <mobile|1> generating TRANSACTION request 1383976983 [ HASH CP ]
> 14[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 15[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 15[ENC] <mobile|1> parsed TRANSACTION response 1383976983 [ HASH CP ]
> 15[IKE] <mobile|1> IKE_SA mobile[1] established between
> ppp.ppp.4.186[snowmane.mydomain.edu]...sss.sss.202.73[C=US,
> O=snowmane, CN=client]
> 15[IKE] <mobile|1> IKE_SA mobile[1] state change: CONNECTING => ESTABLISHED
> 15[IKE] <mobile|1> scheduling reauthentication in 10185s
> 15[IKE] <mobile|1> maximum IKE_SA lifetime 10725s
> 15[IKE] <mobile|1> activating new tasks
> 15[IKE] <mobile|1> nothing to initiate
> 08[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 08[ENC] <mobile|1> unknown attribute type (28683)
> 08[ENC] <mobile|1> parsed TRANSACTION request 3638562725 [ HASH CP ]
> 08[IKE] <mobile|1> processing INTERNAL_IP4_ADDRESS attribute
> 08[IKE] <mobile|1> processing INTERNAL_IP4_NETMASK attribute
> 08[IKE] <mobile|1> processing INTERNAL_IP4_DNS attribute
> 08[IKE] <mobile|1> processing INTERNAL_IP4_NBNS attribute
> 08[IKE] <mobile|1> processing INTERNAL_ADDRESS_EXPIRY attribute
> 08[IKE] <mobile|1> processing APPLICATION_VERSION attribute
> 08[IKE] <mobile|1> processing UNITY_BANNER attribute
> 08[IKE] <mobile|1> processing UNITY_DEF_DOMAIN attribute
> 08[IKE] <mobile|1> processing UNITY_SPLITDNS_NAME attribute
> 08[IKE] <mobile|1> processing UNITY_SPLIT_INCLUDE attribute
> 08[IKE] <mobile|1> processing UNITY_LOCAL_LAN attribute
> 08[IKE] <mobile|1> processing UNITY_PFS attribute
> 08[IKE] <mobile|1> processing UNITY_SAVE_PASSWD attribute
> 08[IKE] <mobile|1> processing UNITY_FW_TYPE attribute
> 08[IKE] <mobile|1> processing UNITY_BACKUP_SERVERS attribute
> 08[IKE] <mobile|1> processing (28683) attribute
> 08[IKE] <mobile|1> peer requested virtual IP %any
> 08[CFG] <mobile|1> assigning new lease to 'test'
> 08[IKE] <mobile|1> assigning virtual IP 10.2.0.2 to peer 'test'
> 08[IKE] <mobile|1> building INTERNAL_IP4_DNS attribute
> 08[IKE] <mobile|1> building INTERNAL_IP4_DNS attribute
> 08[ENC] <mobile|1> generating TRANSACTION response 3638562725 [ HASH CP ]
> 08[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 09[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 09[ENC] <mobile|1> parsed QUICK_MODE request 3999904694 [ HASH SA No ID ID ]
> 09[KNL] <mobile|1> getting SPI for reqid {1}
> 09[KNL] <mobile|1> sending XFRM_MSG_ALLOCSPI: => 248 bytes @ 0x7ffd837ef760
> 09[KNL] <mobile|1> 0: F8 00 00 00 16 00 01 00 C9 00 00 00 11 08 00
> 00 ................
> ..................................
> 09[KNL] <mobile|1> 240: 00 00 00 C0 FF FF FF CF
> ........
> 09[KNL] <mobile|1> got SPI c41566b6 for reqid {1}
> 09[ENC] <mobile|1> generating QUICK_MODE response 3999904694 [ HASH SA
> No ID ID ]
> 09[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 10[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 10[ENC] <mobile|1> parsed QUICK_MODE request 3999904694 [ HASH ]
> 10[KNL] <mobile|1> adding SAD entry with SPI c41566b6 and reqid {1}
> (mark 0/0x 0)
> 10[KNL] <mobile|1> using encryption algorithm AES_CBC with key size 256
> 10[KNL] <mobile|1> using integrity algorithm HMAC_SHA1_96 with key size 160
> 10[KNL] <mobile|1> sending XFRM_MSG_UPDSA: => 436 bytes @ 0x7ffd82fee570
> 10[KNL] <mobile|1> 0: B4 01 00 00 1A 00 05 00 CA 00 00 00 11 08 00
> 00 ................
> .................
> 10[KNL] <mobile|1> 432: DC D7 7C 4E ..|N
> 10[KNL] <mobile|1> adding SAD entry with SPI 0de9adeb and reqid {1}
> (mark 0/0x 0)
> 10[KNL] <mobile|1> using encryption algorithm AES_CBC with key size 256
> 10[KNL] <mobile|1> using integrity algorithm HMAC_SHA1_96 with key size 160
> 10[KNL] <mobile|1> sending XFRM_MSG_NEWSA: => 436 bytes @ 0x7ffd82fee570
> 10[KNL] <mobile|1> 0: B4 01 00 00 10 00 05 00 CB 00 00 00 11 08 00
> 00 ................
> ...................
> 10[KNL] <mobile|1> 432: EF 2E 49 65 ..Ie
> 10[KNL] <mobile|1> adding policy 0.0.0.0/0 === 10.2.0.2/32 out (mark
> 0/0x 0)
> 10[KNL] <mobile|1> sending XFRM_MSG_NEWPOLICY: => 184 bytes @ 0x7ffd82fee470
> 10[KNL] <mobile|1> 0: B8 00 00 00 13 00 05 00 CC 00 00 00 11 08 00
> 00 ................
> ........................
> 10[KNL] <mobile|1> 176: 01 01 00 00 00 00 00 00
> ........
> 10[KNL] <mobile|1> adding policy 10.2.0.2/32 === 0.0.0.0/0 in (mark
> 0/0x 0)
> 10[KNL] <mobile|1> sending XFRM_MSG_NEWPOLICY: => 184 bytes @ 0x7ffd82fee470
> 10[KNL] <mobile|1> 0: B8 00 00 00 13 00 05 00 CD 00 00 00 11 08 00
> 00 ................
> ......................
> 10[KNL] <mobile|1> 176: 00 01 00 00 00 00 00 00
> ........
> 10[KNL] <mobile|1> adding policy 10.2.0.2/32 === 0.0.0.0/0 fwd (mark
> 0/0x 0)
> 10[KNL] <mobile|1> sending XFRM_MSG_NEWPOLICY: => 184 bytes @ 0x7ffd82fee470
> 10[KNL] <mobile|1> 0: B8 00 00 00 13 00 05 00 CE 00 00 00 11 08 00
> 00 ................
> ........................
> 10[KNL] <mobile|1> 176: 02 01 00 00 00 00 00 00
> ........
> 10[KNL] <mobile|1> getting a local address in traffic selector 0.0.0.0/0
> 10[KNL] <mobile|1> using host %any
> 10[KNL] <mobile|1> getting address to reach sss.sss.202.73
> 10[KNL] <mobile|1> getting interface name for ppp.ppp.4.186
> 10[KNL] <mobile|1> ppp.ppp.4.186 is on interface eth1
> 10[KNL] <mobile|1> installing route: 10.2.0.2/32 via ppp.ppp.4.100 src
> %any dev eth1
> 10[KNL] <mobile|1> getting iface index for eth1
> 10[KNL] <mobile|1> policy 0.0.0.0/0 === 10.2.0.2/32 out (mark 0/0x
> 0) already exists, increasing refcount
> 10[KNL] <mobile|1> updating policy 0.0.0.0/0 === 10.2.0.2/32 out
> (mark 0/0x 0)
> 10[KNL] <mobile|1> sending XFRM_MSG_UPDPOLICY: => 252 bytes @ 0x7ffd82fee470
> 10[KNL] <mobile|1> 0: FC 00 00 00 19 00 05 00 CF 00 00 00 11 08 00
> 00 ................
> ............................
> 10[KNL] <mobile|1> 240: FF FF FF FF FF FF FF FF FF FF FF FF
> ............
> 10[KNL] <mobile|1> policy 10.2.0.2/32 === 0.0.0.0/0 in (mark 0/0x
> 0) already exists, increasing refcount
> 10[KNL] <mobile|1> updating policy 10.2.0.2/32 === 0.0.0.0/0 in (mark
> 0/0x 0)
> 10[KNL] <mobile|1> sending XFRM_MSG_UPDPOLICY: => 252 bytes @ 0x7ffd82fee470
> 10[KNL] <mobile|1> 0: FC 00 00 00 19 00 05 00 D0 00 00 00 11 08 00
> 00 ................
> ...........................
> 10[KNL] <mobile|1> 224: 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00
> 00 ................
> 10[KNL] <mobile|1> 240: FF FF FF FF FF FF FF FF FF FF FF FF
> ............
> 10[KNL] <mobile|1> policy 10.2.0.2/32 === 0.0.0.0/0 fwd (mark 0/0x
> 0) already exists, increasing refcount
> 10[KNL] <mobile|1> updating policy 10.2.0.2/32 === 0.0.0.0/0 fwd
> (mark 0/0x 0)
> 10[KNL] <mobile|1> sending XFRM_MSG_UPDPOLICY: => 252 bytes @ 0x7ffd82fee470
> 10[KNL] <mobile|1> 0: FC 00 00 00 19 00 05 00 D1 00 00 00 11 08 00
> 00 ................
> ..........................
> 10[KNL] <mobile|1> 224: 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00
> 00 ................
> 10[KNL] <mobile|1> 240: FF FF FF FF FF FF FF FF FF FF FF FF
> ............
> 10[KNL] <mobile|1> getting a local address in traffic selector 0.0.0.0/0
> 10[KNL] <mobile|1> using host %any
> 10[KNL] <mobile|1> getting address to reach sss.sss.202.73
> 10[KNL] <mobile|1> getting interface name for ppp.ppp.4.186
> 10[KNL] <mobile|1> ppp.ppp.4.186 is on interface eth1
> 10[IKE] <mobile|1> CHILD_SA mobile{1} established with SPIs c41566b6_i
> 0de9adeb_o and TS 0.0.0.0/0 === 10.2.0.2/32
> 10[KNL] <mobile|1> getting interface name for ppp.ppp.4.186
> 10[KNL] <mobile|1> ppp.ppp.4.186 is on interface eth1
> 14[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 14[ENC] <mobile|1> parsed INFORMATIONAL_V1 request 1460918583 [ HASH N(DPD) ]
> 14[IKE] <mobile|1> queueing ISAKMP_DPD task
> 14[IKE] <mobile|1> activating new tasks
> 14[IKE] <mobile|1> activating ISAKMP_DPD task
> 14[ENC] <mobile|1> generating INFORMATIONAL_V1 request 364710107 [
> HASH N(DPD_ACK) ]
> 14[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 14[IKE] <mobile|1> activating new tasks
> 14[IKE] <mobile|1> nothing to initiate
> 01[KNL] <mobile|1> querying SAD entry with SPI c41566b6 (mark 0/0x 0)
> 01[KNL] <mobile|1> sending XFRM_MSG_GETSA: => 40 bytes @ 0x7ffd877f7260
> 01[KNL] <mobile|1> 0: 28 00 00 00 12 00 01 00 D2 00 00 00 11 08 00
> 00 (...............
> 01[KNL] <mobile|1> 16: 80 D0 04 BA 00 00 00 00 00 00 00 00 00 00 00
> 00 ................
> 01[KNL] <mobile|1> 32: C4 15 66 B6 02 00 32 00
> ..f...2.
> 01[KNL] <mobile|1> querying policy 10.2.0.2/32 === 0.0.0.0/0 in (mark
> 0/0x 0)
> 01[KNL] <mobile|1> sending XFRM_MSG_GETPOLICY: => 80 bytes @ 0x7ffd877f7260
> 01[KNL] <mobile|1> 0: 50 00 00 00 15 00 01 00 D3 00 00 00 11 08 00
> 00 P...............
> .........................
> 01[KNL] <mobile|1> 64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 ................
> 01[KNL] <mobile|1> querying policy 10.2.0.2/32 === 0.0.0.0/0 fwd
> (mark 0/0x 0)
> 01[KNL] <mobile|1> sending XFRM_MSG_GETPOLICY: => 80 bytes @ 0x7ffd877f7260
> 01[KNL] <mobile|1> 0: 50 00 00 00 15 00 01 00 D4 00 00 00 11 08 00
> 00 P...............
> ......................
> 01[KNL] <mobile|1> 64: 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00
> 00 ................
> 01[KNL] <mobile|1> querying SAD entry with SPI 0de9adeb (mark 0/0x 0)
> 01[KNL] <mobile|1> sending XFRM_MSG_GETSA: => 40 bytes @ 0x7ffd877f7260
> 01[KNL] <mobile|1> 0: 28 00 00 00 12 00 01 00 D5 00 00 00 11 08 00
> 00 (...............
> 01[KNL] <mobile|1> 16: AD FA CA 49 00 00 00 00 00 00 00 00 00 00 00
> 00 ...I............
> 01[KNL] <mobile|1> 32: 0D E9 AD EB 02 00 32 00
> ......2.
> 09[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 09[ENC] <mobile|1> parsed INFORMATIONAL_V1 request 1526651347 [ HASH N(DPD) ]
> 09[IKE] <mobile|1> queueing ISAKMP_DPD task
> 09[IKE] <mobile|1> activating new tasks
> 09[IKE] <mobile|1> activating ISAKMP_DPD task
> 09[ENC] <mobile|1> generating INFORMATIONAL_V1 request 1249208433 [
> HASH N(DPD_ACK) ]
> 09[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 09[IKE] <mobile|1> activating new tasks
> 09[IKE] <mobile|1> nothing to initiate
> 10[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 10[ENC] <mobile|1> parsed INFORMATIONAL_V1 request 1940403548 [ HASH N(DPD) ]
> 10[IKE] <mobile|1> queueing ISAKMP_DPD task
> 10[IKE] <mobile|1> activating new tasks
> 10[IKE] <mobile|1> activating ISAKMP_DPD task
> 10[ENC] <mobile|1> generating INFORMATIONAL_V1 request 1632913071 [
> HASH N(DPD_ACK) ]
> 10[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 10[IKE] <mobile|1> activating new tasks
> 10[IKE] <mobile|1> nothing to initiate
> 11[NET] <mobile|1> received packet: from sss.sss.202.73[500] to
> ppp.ppp.4.186[500]
> 11[ENC] <mobile|1> parsed INFORMATIONAL_V1 request 1847830875 [ HASH N(DPD) ]
> 11[IKE] <mobile|1> queueing ISAKMP_DPD task
> 11[IKE] <mobile|1> activating new tasks
> 11[IKE] <mobile|1> activating ISAKMP_DPD task
> 11[ENC] <mobile|1> generating INFORMATIONAL_V1 request 3593142118 [
> HASH N(DPD_ACK) ]
> 11[NET] <mobile|1> sending packet: from ppp.ppp.4.186[500] to
> sss.sss.202.73[500]
> 11[IKE] <mobile|1> activating new tasks
> 11[IKE] <mobile|1> nothing to initiate
>
>
> The output of ip route list table 0 is as follows:
> 10.2.0.2 via ppp.ppp.4.100 dev eth1 table 220 proto static
> default via ppp.ppp.4.100 dev eth1 metric 100
> ppp.ppp.4.0/24 dev eth1 proto kernel scope link src ppp.ppp.4.186
> broadcast 127.0.0.0 dev lo table local proto kernel scope link src
> 127.0.0.1
> local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
> local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local proto kernel scope
> link src 127.0.0.1
> broadcast ppp.ppp.4.0 dev eth1 table local proto kernel scope link
> src ppp.ppp.4.186
> local ppp.ppp.4.186 dev eth1 table local proto kernel scope host
> src ppp.ppp.4.186
> broadcast ppp.ppp.4.255 dev eth1 table local proto kernel scope
> link src ppp.ppp.4.186
> unreachable default dev lo table unspec proto kernel metric -1
> error -101 hoplimit 255
> feab::/64 dev eth1 proto kernel metric 256
> unreachable default dev lo table unspec proto kernel metric -1
> error -101 hoplimit 255
> local ::1 via :: dev lo table local proto none metric 0
> local feab:: via :: dev lo table local proto none metric 0
> local feab::abc:def:fsd:dsdf via :: dev lo table local proto none metric 0
> ff00::/8 dev eth1 table local metric 256
>
> The output of ipsec statusall is as follows:
> Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.2.0-23-generic,
> x86_64):
> uptime: 51 seconds, since Jul 02 20:34:51 2012
> malloc: sbrk 401408, mmap 0, used 255600, free 145808
> worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
> scheduled: 2
> loaded plugins: charon aes des sha1 sha2 md4 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl
> gcrypt fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve
> socket-default socket-raw socket-dynamic stroke updown eap-identity
> eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-radius
> xauth-generic
> Virtual IP pools (size/online/offline):
> mobile: 65535/1/0
> Listening IP addresses:
> ppp.ppp.4.186
> Connections:
> mobile: %any...%any IKEv1
> mobile: local: [snowmane.mydomain.edu] uses public key authentication
> mobile: cert: "C=US, O=snowmane, CN=snowmane.mydomain.edu"
> mobile: remote: [%any] uses public key authentication
> mobile: remote: [%any] uses XAuth authentication: any
> mobile: child: 0.0.0.0/0 === dynamic TUNNEL
> Security Associations (1 up, 0 connecting):
> mobile[1]: ESTABLISHED 31 seconds ago,
> ppp.ppp.4.186[snowmane.mydomain.edu]...sss.sss.202.73[C=US,
> O=snowmane, CN=client]
> mobile[1]: Remote XAuth identity: test
> mobile[1]: IKEv1 SPIs: ae710ea7de69ab5e_i c1f98a8f2b5a7a44_r*,
> public key reauthentication in 2 hours
> mobile[1]: IKE proposal:
> AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
> mobile{1}: INSTALLED, TUNNEL, ESP SPIs: c41566b6_i 0de9adeb_o
> mobile{1}: AES_CBC_256/HMAC_SHA1_96, 1199 bytes_i (0s ago), 0
> bytes_o, rekeying in 44 minutes
> mobile{1}: 0.0.0.0/0 === 10.2.0.2/32
>
>
> Thanks and Regards,
> Ashwin

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
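A small checker for the three things a roadwarrior gateway like the one in this thread needs before client traffic reaches the Internet (ip_forward, a FORWARD chain that lets tunnel traffic through, and the POSTROUTING MASQUERADE rule from the reply). This is an added example, not code from the thread or from strongSwan; POOL and EGRESS are taken from the thread, and the two iptables-save dumps are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or strongSwan): verify that a gateway
# can forward VPN client traffic to the Internet. The checks parse
# iptables-save output plus the value of /proc/sys/net/ipv4/ip_forward.

POOL="10.2.0.0/16"   # network of the rightsourceip virtual IP pool
EGRESS="eth1"        # interface that carries the gateway's public address

# Constructed dump of the gateway WITHOUT the MASQUERADE rule. The FORWARD
# rules are shaped like those the updown script adds for leftfirewall=yes.
SAMPLE_BEFORE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.2.0.2/32 -i eth1 -o eth1 -m policy --dir in --pol ipsec --proto esp --reqid 1 -j ACCEPT
-A FORWARD -d 10.2.0.2/32 -i eth1 -o eth1 -m policy --dir out --pol ipsec --proto esp --reqid 1 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# The same dump after the rule from the reply has been added to the nat table.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" |
    awk -v rule="-A POSTROUTING -s $POOL -o $EGRESS -j MASQUERADE" \
        '{ print } /^:POSTROUTING/ { print rule }')

# has_masquerade DUMP POOL IFACE: succeeds if the nat table of DUMP holds a
# POSTROUTING MASQUERADE or SNAT rule for POOL leaving IFACE.
has_masquerade() {
    nat=$(printf '%s\n' "$1" | sed -n '/^\*nat/,/^COMMIT/p')
    printf '%s\n' "$nat" | grep -qF -- "-A POSTROUTING -s $2 -o $3 -j MASQUERADE" ||
        printf '%s\n' "$nat" | grep -qF -- "-A POSTROUTING -s $2 -o $3 -j SNAT"
}

# forward_allowed DUMP: succeeds if the filter FORWARD chain defaults to
# ACCEPT or carries an ipsec policy-match ACCEPT rule (leftfirewall=yes).
forward_allowed() {
    flt=$(printf '%s\n' "$1" | sed -n '/^\*filter/,/^COMMIT/p')
    printf '%s\n' "$flt" | grep -q '^:FORWARD ACCEPT' ||
        printf '%s\n' "$flt" | grep -q -- '^-A FORWARD .*-m policy --dir in --pol ipsec .*-j ACCEPT'
}

# gateway_ready DUMP IP_FORWARD POOL IFACE: prints every missing piece and
# succeeds only when forwarding, the FORWARD chain and source NAT are all set.
gateway_ready() {
    rc=0
    [ "$2" = "1" ] || { echo "ip_forward is '$2': sysctl -w net.ipv4.ip_forward=1"; rc=1; }
    forward_allowed "$1" || { echo "FORWARD chain blocks tunnel traffic"; rc=1; }
    has_masquerade "$1" "$3" "$4" ||
        { echo "missing: iptables -t nat -A POSTROUTING -s $3 -o $4 -j MASQUERADE"; rc=1; }
    return $rc
}

# check_live: the same checks against the running kernel (needs root).
check_live() {
    gateway_ready "$(iptables-save)" "$(cat /proc/sys/net/ipv4/ip_forward)" "$POOL" "$EGRESS"
}

# Demonstration on the constructed dumps.
gateway_ready "$SAMPLE_BEFORE" 1 "$POOL" "$EGRESS" || echo "before: not ready"
gateway_ready "$SAMPLE_AFTER" 1 "$POOL" "$EGRESS" && echo "after: ready"
```

The statusall output above shows 1199 bytes_i but 0 bytes_o on mobile{1}, which is consistent with client packets arriving through the tunnel and no replies coming back, exactly the symptom the missing NAT rule produces.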
