Sorry, bad filter of tcpdump, it works fine:

# tcpdump -i eth0 | grep ESP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:10:00.159139 IP 192.168.1.93 > 192.168.1.118: ESP(spi=0xc2f23b3e,seq=0x1f), length 132
12:10:00.159184 IP 192.168.1.118 > 192.168.1.93: ESP(spi=0xc4ceb00e,seq=0x1f), length 132
12:10:01.159058 IP 192.168.1.93 > 192.168.1.118: ESP(spi=0xc2f23b3e,seq=0x20), length 132
12:10:01.159095 IP 192.168.1.118 > 192.168.1.93: ESP(spi=0xc4ceb00e,seq=0x20), length 132

Thanks again!

regards,

igorlor

2012/7/6 Igor Lopez Orbe <[email protected]>:
> Hello Martin,
>
> Thank you so much for your help!
>
> ipsec statusall
> Status of IKEv2 charon daemon (strongSwan 4.5.2):
> uptime: 96 seconds, since Jul 06 11:54:20 2012
> malloc: sbrk 270336, mmap 0, used 250208, free 20128
> worker threads: 7 idle of 16, job queue load: 0, scheduled events: 2
> loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
> x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp
> agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve
> socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc
> eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
> Listening IP addresses:
> 192.168.1.93
> 10.1.0.1
> 192.168.1.22
> 192.168.122.1
> 192.168.100.1
> 10.8.0.2
> Connections:
> net-net: 192.168.1.93...192.168.1.118
> net-net: local: [moon.strongswan.org] uses pre-shared key
> authentication
> net-net: remote: [sun.strongswan.org] uses any authentication
> net-net: child: 10.1.0.0/16 === 10.2.0.0/16
> Security Associations:
> net-net[1]: ESTABLISHED 75 seconds ago,
> 192.168.1.93[moon.strongswan.org]...192.168.1.118[sun.strongswan.org]
> net-net[1]: IKE SPIs: eb0ceaa5e18cc3d3_i a1a71423b04cec60_r*,
> pre-shared key reauthentication in 54 minutes
> net-net[1]: IKE proposal:
> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> net-net{1}: INSTALLED, TUNNEL, ESP SPIs: c91ae2c0_i c755d56e_o
> net-net{1}: AES_CBC_128/HMAC_SHA1_96, 1260 bytes_i (24s ago),
> 1260 bytes_o (24s ago), rekeying in 14 minutes
> net-net{1}: 10.1.0.0/16 === 10.2.0.0/16
>
> What I don't know is why when I do ping from one side to the other
> one in the tcpdump doesn't appear anything about encryption
>
> 11:58:11.032033 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
> seq 4, length 64
> 11:58:12.032493 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
> seq 5, length 64
> 11:58:13.031936 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
> seq 6, length 64
> 11:58:14.031969 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
> seq 7, length 64
> 11:58:15.032215 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
> seq 8, length 64
> 11:58:16.031937 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
> seq 9, length 64
> 11:58:17.031921 IP 10.1.0.1 > 10.2.0.1: ICMP echo request, id 30305,
> seq 10, length 64
>
>
> Should I add something more for that?
>
> regards,
>
> igorlor
>
> 2012/7/6 Martin Willi <[email protected]>:
>> Hello Igor,
>>
>>> received TS_UNACCEPTABLE notify, no CHILD_SA built
>>
>>> leftsubnet=10.2.0.0/16
>>> [email protected]
>>> rightsubnet=10.1.0.0/16
>>> [email protected]
>>
>>> leftsubnet=10.2.0.0/16
>>> [email protected]
>>> rightsubnet=10.1.0.0/16
>>> [email protected]
>>
>> Your left/rightsubnet definitions do not match, both peers claim that
>> the 10.2.0.0/16 subnet is theirs. Who should have the 10.2.0.0/16
>> subnet, sun or moon?
>>
>> Regards
>> Martin
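
Added example, not part of the original thread and not strongSwan code: a simplified model of the IKEv2 traffic selector check behind the TS_UNACCEPTABLE notify quoted above. It assumes left is the local side on each peer and one subnet per side; the dictionary layout and the function names are illustrative.

```python
import ipaddress


def narrow(proposed, configured):
    """Intersect two CIDR blocks; return None when they are disjoint."""
    a = ipaddress.ip_network(proposed)
    b = ipaddress.ip_network(configured)
    if not a.overlaps(b):
        return None
    # Overlapping CIDR blocks are nested, so the longer prefix is the intersection.
    return a if a.prefixlen >= b.prefixlen else b


def negotiate(initiator, responder):
    """Model the responder matching the initiator's selectors against its own config.

    The initiator's local subnet (TSi) must intersect what the responder
    expects as remote, and the initiator's remote subnet (TSr) must
    intersect what the responder holds as local.
    """
    tsi = narrow(initiator["local"], responder["remote"])
    tsr = narrow(initiator["remote"], responder["local"])
    if tsi is None or tsr is None:
        return "TS_UNACCEPTABLE"
    return f"{tsi} === {tsr}"


# Values from the thread: both peers carry the same leftsubnet/rightsubnet,
# so each one claims 10.2.0.0/16 as its own (left taken as local, an assumption).
peer_a = {"local": "10.2.0.0/16", "remote": "10.1.0.0/16"}
peer_b = {"local": "10.2.0.0/16", "remote": "10.1.0.0/16"}

# Mirrored definitions, matching the "10.1.0.0/16 === 10.2.0.0/16" child
# shown in the later statusall output.
moon = {"local": "10.1.0.0/16", "remote": "10.2.0.0/16"}
sun = {"local": "10.2.0.0/16", "remote": "10.1.0.0/16"}

# Constructed case: the responder only accepts a /24 of the initiator's
# subnet, so the selector is narrowed instead of rejected.
sun_narrow = {"local": "10.2.0.0/16", "remote": "10.1.5.0/24"}

if __name__ == "__main__":
    print("as posted :", negotiate(peer_a, peer_b))
    print("mirrored  :", negotiate(moon, sun))
    print("narrowed  :", negotiate(moon, sun_narrow))
```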
