Hi,

I'm using strongswan-4.6.4-1.el6.i686 on CentOS 6.3. The system has been working as a dedicated VPN gateway for an IKEv2 tunnel for some time. Now I would like to migrate some IKEv1 tunnels from another gateway to this one. I got two IKEv1 tunnels up on this gateway, but I can't get any traffic through one of them. This is the status of the tunnel with the problem:

strongswan whack --status
000 Status of IKEv1 pluto daemon (strongSwan 4.6.4):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth1/eth1 XXX.XXX.94.199:500
000 interface eth0/eth0 192.168.16.45:500
000 %myid = '%any'
000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pkcs8 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
000 debug options: raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+natt+oppo+controlmore
000 "system_bb_test": 192.168.170.0/24===XXX.XXX.94.199[XXX.XXX.94.199]---XXX.XXX.94.193...XXX.XXX.151.193---XXX.XXX.151.196[XXX.XXX.151.196]===XX.XX.20.0/24; erouted; eroute owner: #4
000 "system_bb_test": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "system_bb_test": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth1;
000 "system_bb_test": newest ISAKMP SA: #2; newest IPsec SA: #4;
000 "system_bb_test": IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
000 "system_bb_test": ESP proposal: 3DES_CBC/HMAC_SHA1/<N/A>
000 #4: "system_bb_test" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2632s; newest IPSEC; eroute owner
000 #4: "system_bb_test" [email protected] (0 bytes) [email protected] (0 bytes); tunnel
000 #2: "system_bb_test" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27790s; newest ISAKMP
000 #3: "system_by_test2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27845s; newest IPSEC; eroute owner
000 #3: "system_by_test2" [email protected] (180 bytes, 21s ago) [email protected] (124 bytes, 21s ago); tunnel
000 #1: "system_by_test2" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 28112s; newest ISAKMP
000

This is the config of the tunnel:

conn system_bb_test
    left=XXX.XXX.94.199
    leftsubnet=192.168.170.0/24
    leftnexthop=XXX.XXX.94.193
    leftid=XXX.XXX.94.199
    #leftauth=psk
    right=XXX.XXX.151.196
    rightsubnet=XXX.XXX.20.0/24
    rightnexthop=XXX.XXX.151.193
    rightid=XXX.XXX.151.196
    #rightauth=psk
    authby=psk
    auto=start
    keyexchange=ikev1
    ikelifetime=28800s
    keylife=3600s
    ike=3des-sha1-modp1024
    esp=3des-sha1
    pfs=no
    #dpdaction=restart
    #dpddelay=5
    #dpdtimeout=100

I can see (via tcpdump) that the packets are arriving on the right interface, but there is no ESP packet leaving the external interface. I'm a little bit lost with this problem, so any suggestions are welcome.

Kind regards
fatcharly
