Hi Sascha,

due to the Linux netfilter architecture, tcpdump running on an IPsec
endpoint shows you only the inbound decrypted plaintext but never
the outbound plaintext IP packets. Does tcpdump show outbound encrypted
ESP packets?

Regards

Andreas

On 01/22/2015 12:30 PM, [email protected] wrote:
> Hi,
>
> I've built a connection between a FRITZ!Box and a strongSwan server. On
> the virtual server where strongSwan is located I've added a virtual
> interface and configured the ip 192.168.0.10/24 on it.
>
> Now I'm trying to ping each side of the vpn with no luck.
>
> On the server side (strongSwan) I can see the incoming icmp requests, but
> cannot see an answer:
>
> tcpdump -i eth0 dst host 192.168.0.10 or src host 192.168.0.10
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 12:25:44.421577 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3537, length 64
> 12:25:45.421483 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3538, length 64
> 12:25:46.425221 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3539, length 64
>
> My ipsec.conf:
>
> conn fritzbox
>         aggressive=no
>         keyingtries=0
>         type=tunnel
>         left=<strongSwan public ip>
>         leftsubnet=192.168.0.0/24
>         leftfirewall=yes
>         lefthostaccess=yes
>         leftnexthop=%defaultroute
>         #
>         ike=aes256-sha-modp1024
>         esp=aes256-sha1-modp1024
>         #
>         right=<hostname of fritzbox>
>         rightid=@<hostname of fritzbox>
>         rightsubnet=192.168.2.0/24
>         leftnexthop=%defaultroute
>         #
>         ikelifetime=4h
>         keylife=1h
>         #
>         authby=secret
>         auto=add
>
> Starting strongSwan gives me the following last line:
> Jan 22 12:27:44 linux vpn: + <hostname of fritzbox> 192.168.2.0/24 == <fritzbox public ip> -- <strongSwan public ip> == 192.168.0.0/24
>
> "route" shows me:
> 192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
>
> Any hints what I did wrong or where I have to tweak the settings?
>
> Greets
> Sascha
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users

-- 
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
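The check Andreas asks for, as an added example that is not part of the original thread: a small classifier for `tcpdump -n` text output that counts ESP and plaintext packets per direction and reports whether replies leave the endpoint encrypted. The public addresses 203.0.113.10 (strongSwan) and 198.51.100.20 (FRITZ!Box), the SPI values and the sample lines are constructed, and the capture is assumed to have been taken with a filter that also matches ESP, such as `esp or udp port 4500 or host 192.168.0.10`, since the filter in the question matches only the inner address.

```python
import re

# Matches tcpdump -n text output: "<time> IP <src> > <dst>: <payload summary>"
LINE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>[^:\s]+): (?P<rest>.*)$")

def host(addr):
    """Drop the '.port' suffix tcpdump appends for UDP (NAT-T uses port 4500)."""
    return ".".join(addr.split(".")[:4])

def classify(lines, local_public, local_inner):
    """Count ESP and plaintext packets per direction, seen from the local endpoint."""
    counts = {"esp_in": 0, "esp_out": 0, "plain_in": 0, "plain_out": 0}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # banner lines such as "listening on eth0, ..."
        src, dst, rest = host(m["src"]), host(m["dst"]), m["rest"]
        if "ESP(" in rest:  # also matches "UDP-encap: ESP(...)"
            if dst == local_public:
                counts["esp_in"] += 1
            elif src == local_public:
                counts["esp_out"] += 1
        elif dst == local_inner:
            counts["plain_in"] += 1   # decrypted inbound packet
        elif src == local_inner:
            counts["plain_out"] += 1  # not expected on an IPsec endpoint
    return counts

def diagnose(c):
    if c["esp_out"]:
        return "replies leave encrypted: look at the path or the peer"
    if c["plain_in"]:
        return "requests decrypted, no outbound ESP: reply not generated or not sent through the tunnel"
    return "no tunnel traffic captured"

# Constructed sample capture (addresses and SPI are placeholders).
SAMPLE = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:25:44.421000 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0xc0ffee01,seq=0x21), length 132
12:25:44.421577 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3537, length 64
12:25:45.421000 IP 198.51.100.20.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0xc0ffee01,seq=0x22), length 132
12:25:45.421483 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3538, length 64
""".splitlines()

if __name__ == "__main__":
    result = classify(SAMPLE, "203.0.113.10", "192.168.0.10")
    print(result, "->", diagnose(result))
```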
