Hey Martin
Thanks for your prompt reply.
> -----Original Message-----
> You probably won't need ESP/AH forwarding rules, as in your NAT situation all
> traffic is UDP encapsulated over ports 500/4500.
You are right, there the traffic does get encapsulated.
> > and ipsec statusall is:
> > Security Associations (0 up, 0 connecting):
>
> Your "ipsec statusall" shows no active connections. No client currently
> connected?
I am appending below the "ipsec statusall" with a client connected:
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.10.17-g86ce428, armv7l):
malloc: sbrk 1216512, mmap 0, used 214312, free 1002200
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 5
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce
x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac
ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke updown
eap-identity eap-mschapv2 xauth-generic dhcp addrblock
Listening IP addresses:
192.168.7.1
Connections:
roadwarrior-eap: %any...%any IKEv2
roadwarrior-eap: local: [dnsname.com] uses public key authentication
roadwarrior-eap: cert: "C=UK, O= dnsname.com, CN= dnsname.com"
roadwarrior-eap: remote: uses EAP_MSCHAPV2 authentication with EAP identity
'%any'
roadwarrior-eap: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
roadwarrior-eap[2]: ESTABLISHED 20 seconds ago,
192.168.7.1[dnsname.com]...147.188.254.202[10.8.50.4]
roadwarrior-eap[2]: Remote EAP identity: some.identity
roadwarrior-eap[2]: IKEv2 SPIs: b42cd00ab10b4a49_i 397b754c1c6e59fb_r*, public
key reauthentication in 2 hours
roadwarrior-eap[2]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
roadwarrior-eap{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: cdc15832_i 462cf18a_o
roadwarrior-eap{2}: AES_CBC_256/HMAC_SHA1_96, 51187 bytes_i (384 pkts, 0s
ago), 14072 bytes_o (132 pkts, 1s ago), rekeying in 42 minutes
roadwarrior-eap{2}: 0.0.0.0/0 === 192.168.7.58/32
> > The problem that I have is that I am able to ping the network
> > computers (i.e. 192.168.7.5) but I am unable to ping the gateway
> > itself (192.168.7.1).
>
> If pinging the LAN hosts works, your IPsec policies get negotiated correctly.
> Likely that your routing or firewall configuration drops
> packets.
>
> If you ping your internal gateway address, do you see incoming packets when
> sniffing on your gateway? Do you see ESP packets
> leaving?
>
> > 192.168.7.0 * 255.255.255.0 U 0 0 0 br-lan
>
> strongSwan installs a route to table 220 (ip route show table 220), which
> should go over your Sky router. It overrides the LAN route to
> your DHCP-assigned road-warrior IP. Can you confirm this route gets installed
> correctly?
"ip route show table 220" returns empty. I guess the problem is here that the
route does not get installed. Do you have any suggestions about fixing this?
Thanks
Mihai
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
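The thread turns on whether the per-client route that strongSwan installs in routing table 220 is present and overrides the br-lan route for the road warrior's address. The script below is an added diagnostic, not strongSwan code and not something posted in the thread: it parses the text output of `ip rule` and `ip route show table 220` (plus the main-table LAN route) and reports what is missing. The sample outputs embedded in it are constructed; the next hop 192.168.0.1 on eth0 is a hypothetical stand-in for the Sky router, and the client address 192.168.7.58 and LAN route are taken from the thread.

```python
"""Check the policy route strongSwan installs for a road-warrior client.

Added diagnostic example (not strongSwan's own code). It parses the
output of `ip rule` and `ip route show table 220` and reports whether the
per-client /32 route exists and whether a policy rule makes table 220
consulted at all. Run the two commands on the gateway and feed their
output to diagnose(); the constants below are constructed samples.
"""
import ipaddress
import re

# Constructed sample of `ip rule` on a gateway where strongSwan added its rule.
RULE_OUTPUT = """\
0:\tfrom all lookup local
220:\tfrom all lookup 220
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
# Constructed healthy table 220 entry: 192.168.0.1/eth0 is a hypothetical
# next hop standing in for the Sky router; src is the gateway's LAN address.
TABLE220_OUTPUT = "192.168.7.58 via 192.168.0.1 dev eth0 proto static src 192.168.7.1\n"
# What the thread reports: `ip route show table 220` prints nothing.
TABLE220_EMPTY = ""
# The LAN route from the thread, as `ip route` prints it.
MAIN_OUTPUT = "192.168.7.0/24 dev br-lan proto kernel scope link src 192.168.7.1\n"

RULE_RE = re.compile(r"^(\d+):\s+(.*?)\s+lookup\s+(\S+)$")


def parse_rules(text):
    """Return (priority, selector, table) tuples from `ip rule` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules


def parse_routes(text):
    """Return (network, attributes) pairs from `ip route` output.

    The first token is the destination ("default" or a prefix); the rest of
    the line is key/value pairs such as `via X`, `dev X`, `src X`.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare address -> /32
        attrs = {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}
        routes.append((net, attrs))
    return routes


def diagnose(client_ip, rule_text, table220_text, main_text):
    """Return a list of findings; an empty list means the route setup looks right."""
    client = ipaddress.ip_address(client_ip)
    findings = []

    # Table 220 is only consulted if a policy rule points at it.
    if not any(table == "220" for _, _, table in parse_rules(rule_text)):
        findings.append("no 'lookup 220' rule in `ip rule`: table 220 is never consulted")

    # strongSwan should have installed a host route for the client in table 220.
    t220 = [r for r in parse_routes(table220_text) if client in r[0]]
    if not t220:
        findings.append(f"table 220 has no route for {client_ip}: the per-client route was not installed")

    # If the client address sits inside a directly connected LAN prefix in the
    # main table, the table-220 entry is what overrides that route for it.
    lan = [r for r in parse_routes(main_text) if client in r[0] and r[0].prefixlen < 32]
    if lan and not t220:
        net, attrs = lan[0]
        findings.append(
            f"main-table route {net} dev {attrs.get('dev', '?')} covers {client_ip} "
            "and nothing in table 220 overrides it"
        )
    return findings


if __name__ == "__main__":
    for label, t220 in (("healthy", TABLE220_OUTPUT), ("as reported", TABLE220_EMPTY)):
        result = diagnose("192.168.7.58", RULE_OUTPUT, t220, MAIN_OUTPUT)
        print(f"{label}: {result or 'OK'}")
```

On the gateway you would replace the constants with the live output, e.g. `diagnose("192.168.7.58", run("ip rule"), run("ip route show table 220"), run("ip route"))`; an empty result for the healthy sample and two findings for the empty-table case reproduce the situation described in the thread.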