Ok that makes sense. But replies to pings don't reach the source,
either. So it seems that something is wrong with "routing"?
I really don't have a clue what to debug to find out what's going wrong.
Greets
Sascha
Quoting Andreas Steffen <[email protected]>:
Hi Sascha,
due to the Linux netfilter architecture tcpdump running on an IPsec
endpoint shows you only the inbound decrypted plaintext but never the
outbound plaintext IP packets. Does tcpdump show outbound encrypted
ESP packets?
Regards
Andreas
On 01/22/2015 12:30 PM, [email protected] wrote:
Hi,
I've built a connection between a FRITZ!Box and a strongSwan server. On
the virtual server where strongSwan is located I've added a virtual
interface and configured the IP 192.168.0.10/24 on it.
Now I'm trying to ping each side of the VPN with no luck.
On the server side (strongSwan) I can see the incoming ICMP requests, but
cannot see an answer:
tcpdump -i eth0 dst host 192.168.0.10 or src host 192.168.0.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:25:44.421577 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3537, length 64
12:25:45.421483 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3538, length 64
12:25:46.425221 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3539, length 64
My ipsec.conf:
conn fritzbox
        aggressive=no
        keyingtries=0
        type=tunnel
        left=<strongSwan public ip>
        leftsubnet=192.168.0.0/24
        leftfirewall=yes
        lefthostaccess=yes
        leftnexthop=%defaultroute
        #
        ike=aes256-sha-modp1024
        esp=aes256-sha1-modp1024
        #
        right=<hostname of fritzbox>
        rightid=@<hostname of fritzbox>
        rightsubnet=192.168.2.0/24
        leftnexthop=%defaultroute
        #
        ikelifetime=4h
        keylife=1h
        #
        authby=secret
        auto=add
Starting strongSwan gives me the following last line:
Jan 22 12:27:44 linux vpn: + <hostname of fritzbox> 192.168.2.0/24 == <fritzbox public ip> -- <strongSwan public ip> == 192.168.0.0/24
"route" shows me:
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
Any hints what I did wrong or where I have to tweak the settings?
Greets
Sascha
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen [email protected]
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
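
Andreas's question about outbound ESP packets, turned into a check over a saved text capture; this is an added example, not part of the original thread and not strongSwan code. The function names, verdict strings and the sample addresses 203.0.113.10 (gateway) and 198.51.100.20 (peer) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a text capture taken on the IPsec gateway with e.g.
#   tcpdump -n -i eth0 'ip proto esp or udp port 4500 or host 192.168.0.10'
# (the filter must include ESP, otherwise outbound tunnel packets cannot show up).
# Usage: classify_capture <gateway_public_ip> <peer_public_ip> < capture.txt
# Verdicts: outbound-esp-seen | no-outbound-esp | no-tunnel-traffic
classify_capture() {
    awk -v gw="$1" -v peer="$2" '
        # tcpdump -n line: "HH:MM:SS.us IP src > dst: payload..."
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            natt = ($6 == "UDP-encap:" && $7 ~ /^ESP\(/)   # ESP in UDP/4500 (NAT-T)
            if (natt) {                                    # strip ".port" suffix
                sub(/\.[0-9]+$/, "", src); sub(/\.[0-9]+$/, "", dst)
            }
            if (natt || $6 ~ /^ESP\(/) {
                if (src == gw && dst == peer) esp_out++
            } else if ($0 ~ /ICMP echo request/) {
                req++      # plaintext request, visible only after inbound decryption
            }
        }
        END {
            if (esp_out > 0)  print "outbound-esp-seen"
            else if (req > 0) print "no-outbound-esp"
            else              print "no-tunnel-traffic"
        }'
}

# Constructed sample (documentation addresses, not from the thread):
# inbound ESP is decrypted to an echo request, but nothing encrypted leaves.
sample_capture() {
    cat <<'EOF'
12:25:44.421500 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0xc0ffee01,seq=0x1a), length 132
12:25:44.421577 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3537, length 64
12:25:45.421400 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0xc0ffee01,seq=0x1b), length 132
12:25:45.421483 IP 192.168.2.4 > 192.168.0.10: ICMP echo request, id 10277, seq 3538, length 64
EOF
}

sample_capture | classify_capture 203.0.113.10 198.51.100.20   # no-outbound-esp
```

A verdict of no-outbound-esp means the echo requests arrived decrypted but no encrypted packet left the gateway toward the peer during the capture.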