Thank you for the response, Noel. The bytes_o goes up when I ping from
either of the hosts, but the bytes_i remains at zero for both. Both
machines have an iptables firewall, and when I do iptables -L -n I see
that StrongSwan has inserted several rules (as shown below) matching
ipsec traffic. From your response it seems I should open additional
protocols, sources and destinations, but I'm not sure what I should open
to get traffic but stay secure. Any suggestions would be great.
Thank you,
Joe
Chain INPUT (policy ACCEPT)
target     prot opt source              destination
ACCEPT     all  --  10.128.0.0/16       192.168.250.0/24    policy match dir in pol ipsec reqid 1 proto 50

Chain FORWARD (policy ACCEPT)
target     prot opt source              destination
ACCEPT     all  --  10.128.0.0/16       192.168.250.0/24    policy match dir in pol ipsec reqid 1 proto 50
ACCEPT     all  --  192.168.250.0/24    10.128.0.0/16       policy match dir out pol ipsec reqid 1 proto 50

Chain OUTPUT (policy ACCEPT)
target     prot opt source              destination
ACCEPT     all  --  192.168.250.0/24    10.128.0.0/16       policy match dir out pol ipsec reqid 1 proto 50
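Added here as an example, not code from the thread or from the strongSwan project: the host-firewall rules an IKEv2 gateway needs in addition to the policy-match rules that leftfirewall=yes inserts automatically (the ones in the listing above). PEER is an assumed placeholder for the other gateway's public address; the two subnets are the ones from the thread.

```sh
#!/bin/sh
# Added example, not code from the thread or from strongSwan: host-firewall
# rules for an IKEv2 gateway, in addition to the policy-match rules that
# leftfirewall=yes inserts automatically. Assumptions: PEER is a placeholder
# for the other gateway's public address; the subnets are from the thread.

LOCAL_NET=192.168.250.0/24   # network behind the BeagleBone
REMOTE_NET=10.128.0.0/16     # DigitalOcean private network
PEER="${PEER:-203.0.113.10}" # placeholder, replace with the real peer address

# Print the rules instead of applying them so they can be reviewed first;
# apply with:  ipsec_rules "$PEER" | sh
ipsec_rules() {
    peer=$1
    # IKEv2 control channel: UDP 500, plus UDP 4500 for NAT traversal
    # (used whenever either gateway sits behind NAT)
    for port in 500 4500; do
        echo "iptables -A INPUT  -p udp -s $peer --dport $port -j ACCEPT"
        echo "iptables -A OUTPUT -p udp -d $peer --dport $port -j ACCEPT"
    done
    # ESP (IP protocol 50) carries the encrypted payload between the peers
    echo "iptables -A INPUT  -p esp -s $peer -j ACCEPT"
    echo "iptables -A OUTPUT -p esp -d $peer -j ACCEPT"
    # The decrypted traffic is already accepted by the rules strongSwan
    # inserts at the top of FORWARD ('policy match dir in pol ipsec ...').
    # Appending DROP rules behind them keeps the same subnet pair from being
    # forwarded in plaintext if the tunnel is down.
    echo "iptables -A FORWARD -s $REMOTE_NET -d $LOCAL_NET -j DROP"
    echo "iptables -A FORWARD -s $LOCAL_NET -d $REMOTE_NET -j DROP"
}

# Number of rules emitted, handy for a quick sanity check
count_rules() { ipsec_rules "$1" | wc -l | tr -d ' '; }

ipsec_rules "$PEER"
```

With the chain policies at ACCEPT as in the listing, these rules change nothing until the default policy is tightened to DROP.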
On 2014-07-29 13:27, Noel Kuntze wrote:
Hello Jose,
Is there a firewall active on either of the hosts? Do the traffic
counters, which are shown in the output of "ipsec statusall",
increment?
Regards,
Noel Kuntze
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 29.07.2014 at 22:24, Joe Ryan wrote:
Hello Everyone,
I have a DigitalOcean VPS running Ubuntu 12.04 that I want to connect
to with a BeagleBone running Debian so that I can access all of the
devices on the same subnet as the BeagleBone, and not have to worry
about an IT department opening ports. I have tried this with both
StrongSwan 4.5.2 and 5.2.0 and have the same result, so I'm sure it's
my configuration. After bringing up the connection everything
negotiates as expected, and the final line of ipsec statusall is
machinetun{1}: 10.128.0.0/16 === 192.168.250.0/24, where machinetun
is the connection, 10.128.0.0/16 is a private network on DigitalOcean
and 192.168.250.0/24 is a private network on my machine. My logs
show the CHILD_SA being established and rekeyed as expected, with keep
alive packets going out frequently, and nothing to suggest a problem.
At this point I would hope that I would be able to ping the gateway on
my machine, 192.168.250.60 from the DigitalOcean VPS private IP
address using one of the following:
#ping the BeagleBone gateway from DO
ping 192.168.250.60
#ping the BeagleBone gateway with an interface on the DO private network
ping -I 10.128.120.160 192.168.250.60
But get no results in this direction or the reverse.
I also have net.ipv4.ip_forward 1 on both machines.
My configurations are below, and I hope someone might have a good idea
what direction I can look in to figure out what I've done wrong.
# BeagleBone Conf
config setup
    strictcrlpolicy=no
    charondebug=1

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev2
    left=%any
    leftcert=beagleCert.der
    [email protected]
    lefthostaccess=yes
    leftfirewall=yes

conn machinetun
    leftsourceip=%config
    leftsubnet=192.168.250.0/24
    right=hostname.com
    [email protected]
    rightsubnet=10.128.0.0/16
    auto=start

# DigitalOcean Conf
config setup
    strictcrlpolicy=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    left=%any
    leftcert=svCert.der
    [email protected]
    lefthostaccess=yes
    leftfirewall=yes

conn machinetun
    leftsubnet=10.128.0.0/16
    right=%any
    rightsubnet=192.168.250.0/24
    [email protected]
    rightsourceip=10.128.0.50
    auto=add
Thank you,
Joe
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
--
Joe Ryan
aphyt - open source tools for industrial automation
[email protected]