Hello Everyone,

I have a DigitalOcean VPS running Ubuntu 12.04 that I want to connect to with a BeagleBone running Debian so that I can access all of the devices on the same subnet as the BeagleBone, and not have to worry about an IT department opening ports. I have tried this with both StrongSwan 4.5.2 and 5.2.0 and have the same result, so I'm sure it's my configuration. After bringing up the connection everything negotiates as expected, and the final line of ipsec statusall is machinetun{1}: 10.128.0.0/16 === 192.168.250.0/24, where machinetun is the connection, 10.128.0.0/16 is a private network on DigitalOcean and 192.168.250.0/24 is a private network on my machine. My logs show the CHILD_SA being established and rekeyed as expected, with keep-alive packets going out frequently, and nothing to suggest a problem.

At this point I would hope that I would be able to ping the gateway on my machine, 192.168.250.60, from the DigitalOcean VPS private IP address using one of the following:

#ping the BeagleBone gateway from DO
ping 192.168.250.60
#ping the BeagleBone gateway with an interface on the DO private network
ping -I 10.128.120.160 192.168.250.60

But I get no results in this direction or the reverse.

I also have net.ipv4.ip_forward set to 1 on both machines.

My configurations are below, and I hope someone might have a good idea what direction I can look in to figure out what I've done wrong.

# BeagleBone Conf
config setup
        strictcrlpolicy=no
        charondebug=1
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2
        left=%any
        leftcert=beagleCert.der
        [email protected]
        lefthostaccess=yes
        leftfirewall=yes

conn machinetun
        leftsourceip=%config
        leftsubnet=192.168.250.0/24
        right=hostname.com
        [email protected]
        rightsubnet=10.128.0.0/16
        auto=start

# DigitalOcean Conf
config setup
        strictcrlpolicy=no
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        left=%any
        leftcert=svCert.der
        [email protected]
        lefthostaccess=yes
        leftfirewall=yes

conn machinetun
        leftsubnet=10.128.0.0/16
        right=%any
        rightsubnet=192.168.250.0/24
        [email protected]
        rightsourceip=10.128.0.50
        auto=add

Thank you,
Joe
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
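
An added example, not part of the original post or of strongSwan: a small Python check that reads both posted conn sections, confirms the tunnelled subnets mirror each other, and reports whether the virtual IP handed out by rightsourceip falls inside the subnet the responder tunnels. The names parse_conn and check_pair are hypothetical, and the embedded configs are cut down from the post with the redacted id lines left out.

```python
import ipaddress

# Cut down from the two configs posted above; the redacted id lines and the
# options that do not affect traffic selectors are left out.
BEAGLE = """
conn %default
        left=%any
conn machinetun
        leftsourceip=%config
        leftsubnet=192.168.250.0/24
        right=hostname.com
        rightsubnet=10.128.0.0/16
"""
DROPLET = """
conn %default
        left=%any
conn machinetun
        leftsubnet=10.128.0.0/16
        right=%any
        rightsubnet=192.168.250.0/24
        rightsourceip=10.128.0.50
"""

def parse_conn(text, name):
    """Return the options of conn `name`, layered over conn %default."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(("conn ", "config ")):
            current = sections.setdefault(tuple(line.split()[:2]), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return {**sections.get(("conn", "%default"), {}), **sections[("conn", name)]}

def check_pair(initiator, responder):
    """List findings about the traffic selectors of the two ends."""
    net = lambda conn, key: ipaddress.ip_network(conn[key])
    findings = []
    for mine, theirs in (("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")):
        if net(initiator, mine) != net(responder, theirs):
            findings.append("initiator %s != responder %s" % (mine, theirs))
    # Handles an address or CIDR pool only, not named pools such as %dhcp.
    vip = responder.get("rightsourceip", "")
    if vip and ipaddress.ip_network(vip).overlaps(net(responder, "leftsubnet")):
        findings.append("virtual IP %s is inside responder leftsubnet" % vip)
    return findings

if __name__ == "__main__":
    print(check_pair(parse_conn(BEAGLE, "machinetun"), parse_conn(DROPLET, "machinetun")))
```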