Hello Tobias,
I'm very sorry for the previous wrong output. It was caused by the fact that I had
the wrong config loaded (where I was trying various things in order to fix my
problem). Now I restarted ipsec on both VPN boxes and I have:
# ip route list table 220
192.168.1.0/24 via 1.2.3.1 dev eth0.2 proto static src 192.168.2.1
But when I ping a host that is obviously running and has a firewall
with an any/any allow rule:
# ping 192.168.1.54
PING 192.168.1.54 (192.168.1.54): 56 data bytes
^C
--- 192.168.1.54 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
#
When I run tcpdump on the same system I can see:
# tcpdump -i any -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
12:47:09.671920 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 0, length 64
12:47:10.672438 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 1, length 64
12:47:11.672876 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 2, length 64
12:47:12.673316 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 3, length 64
12:47:13.673749 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 4, length 64
12:47:14.674188 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 5, length 64
12:47:15.674639 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 6, length 64
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel
#
If I understand it correctly, I should see "192.168.2.1 > 192.168.1.54" there
instead of "1.2.3.4 > 192.168.1.54".
Also, if I run tcpdump on the other VPN server, I get no ping at all.
Here is the log with knl set to 2. This is what I got when the connection was
established:
13[KNL] got SPI c9cc5971
13[KNL] adding SAD entry with SPI c9cc5971 and reqid {1} (mark 0/0x00000000)
13[KNL] using encryption algorithm AES_CBC with key size 128
13[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
13[KNL] using replay window of 32 packets
13[KNL] adding SAD entry with SPI cec8aa6b and reqid {1} (mark 0/0x00000000)
13[KNL] using encryption algorithm AES_CBC with key size 128
13[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
13[KNL] using replay window of 32 packets
13[KNL] adding policy 192.168.2.0/24 === 192.168.1.0/24 out (mark 0/0x00000000)
13[KNL] adding policy 192.168.1.0/24 === 192.168.2.0/24 in (mark 0/0x00000000)
13[KNL] adding policy 192.168.1.0/24 === 192.168.2.0/24 fwd (mark 0/0x00000000)
13[KNL] getting a local address in traffic selector 192.168.2.0/24
13[KNL] using host 192.168.2.1
13[KNL] using 1.2.3.1 as nexthop to reach 4.3.2.1/32
13[KNL] 1.2.3.4 is on interface eth0.2
13[KNL] installing route: 192.168.1.0/24 via 1.2.3.1 src 192.168.2.1 dev eth0.2
13[KNL] getting iface index for eth0.2
13[KNL] policy 192.168.2.0/24 === 192.168.1.0/24 out (mark 0/0x00000000) already exists, increasing refcount
13[KNL] updating policy 192.168.2.0/24 === 192.168.1.0/24 out (mark 0/0x00000000)
13[KNL] policy 192.168.1.0/24 === 192.168.2.0/24 in (mark 0/0x00000000) already exists, increasing refcount
13[KNL] updating policy 192.168.1.0/24 === 192.168.2.0/24 in (mark 0/0x00000000)
13[KNL] policy 192.168.1.0/24 === 192.168.2.0/24 fwd (mark 0/0x00000000) already exists, increasing refcount
13[KNL] updating policy 192.168.1.0/24 === 192.168.2.0/24 fwd (mark 0/0x00000000)
13[KNL] getting a local address in traffic selector 192.168.2.0/24
13[KNL] using host 192.168.2.1
13[KNL] using 1.2.3.1 as nexthop to reach 4.3.2.1/32
13[KNL] 1.2.3.4 is on interface eth0.2
13[IKE] CHILD_SA tva-to-vino{1} established with SPIs c9cc5971_i cec8aa6b_o and TS 192.168.2.0/24 === 192.168.1.0/24
13[KNL] 1.2.3.4 is on interface eth0.2
13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
On 5/2/2016 11:20, Tobias Brunner wrote:
Hi Lukas,
# ip route list table 220
192.168.1.0/24 via 1.2.3.1 dev eth0.2 proto static src 1.2.3.4
#
where 1.2.3.4 is a locally attached, publicly reachable IP address and
1.2.3.1 is the default gw for this public IP address.
Looks strange. The source address should be part of the local traffic
selector (192.168.2.0/24), which 1.2.3.4 is probably not. Please
increase the log level for the knl subsystem to see what's going on
during the route/policy installation [1].
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
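Added example, not code from this thread or from strongSwan: a small Python 3 script that cross-checks the three outputs quoted above, the `ip route list table 220` line, the `out` policy from the knl log and the tcpdump lines, against the point Tobias makes, that the source address must lie inside the local traffic selector (192.168.2.0/24). The sample inputs are copied from the thread; the function names (`check_route_sources`, `check_capture`, `matching_out_policy`) and the "before"/"now" labels are my own.

```python
"""Cross-check a strongSwan table-220 route, the installed XFRM out policy and
a tcpdump capture: does the source address fall inside the local traffic
selector, so that the out policy matches and the packet gets encrypted?"""
import ipaddress
import re

# Constructed sample inputs, copied from the outputs posted in this thread.
ROUTE_TABLE_220_NOW = (
    "192.168.1.0/24 via 1.2.3.1 dev eth0.2 proto static src 192.168.2.1\n"
)
ROUTE_TABLE_220_BEFORE = (
    "192.168.1.0/24 via 1.2.3.1 dev eth0.2 proto static src 1.2.3.4\n"
)
KNL_LOG = """\
13[KNL] adding policy 192.168.2.0/24 === 192.168.1.0/24 out (mark 0/0x00000000)
13[KNL] adding policy 192.168.1.0/24 === 192.168.2.0/24 in (mark 0/0x00000000)
13[KNL] adding policy 192.168.1.0/24 === 192.168.2.0/24 fwd (mark 0/0x00000000)
"""
TCPDUMP = """\
12:47:09.671920 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 0, length 64
12:47:10.672438 IP 1.2.3.4 > 192.168.1.54: ICMP echo request, id 8565, seq 1, length 64
"""

ROUTE_RE = re.compile(
    r"^(?P<dst>\S+) via (?P<gw>\S+) dev (?P<dev>\S+).*\bsrc (?P<src>\S+)"
)
POLICY_RE = re.compile(
    r"\[KNL\] adding policy (?P<local>\S+) === (?P<remote>\S+) (?P<dir>out|in|fwd)"
)
PACKET_RE = re.compile(r"IP (?P<src>[0-9.]+) > (?P<dst>[0-9.]+):")


def parse_routes(text):
    """Parse `ip route list table 220` lines into (dst network, src address, dev)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(
                (ipaddress.ip_network(m["dst"]), ipaddress.ip_address(m["src"]), m["dev"])
            )
    return routes


def parse_out_policies(log):
    """Extract the 'out' policies as (local TS, remote TS) from a knl-level-2 log."""
    policies = []
    for line in log.splitlines():
        m = POLICY_RE.search(line)
        if m and m["dir"] == "out":
            policies.append(
                (ipaddress.ip_network(m["local"]), ipaddress.ip_network(m["remote"]))
            )
    return policies


def matching_out_policy(policies, src, dst):
    """Return the first out policy whose selectors cover (src, dst), or None.

    This mirrors the kernel SPD lookup: a packet that matches no out policy is
    simply routed in the clear, it is not encrypted."""
    for local_ts, remote_ts in policies:
        if src in local_ts and dst in remote_ts:
            return local_ts, remote_ts
    return None


def check_route_sources(routes, policies):
    """For each table-220 route, report whether its src hint sits inside the
    local TS of an out policy whose remote TS overlaps the route destination."""
    report = []
    for dst, src, dev in routes:
        ok = any(
            dst.overlaps(remote_ts) and src in local_ts
            for local_ts, remote_ts in policies
        )
        report.append({"dst": str(dst), "src": str(src), "dev": dev, "src_in_local_ts": ok})
    return report


def check_capture(capture, policies):
    """Classify each captured packet as 'protected' (an out policy matches) or
    'cleartext' (no out policy matches, so it left the box unencrypted)."""
    report = []
    for line in capture.splitlines():
        m = PACKET_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        hit = matching_out_policy(policies, src, dst)
        report.append({"src": str(src), "dst": str(dst),
                       "status": "protected" if hit else "cleartext"})
    return report


if __name__ == "__main__":
    pols = parse_out_policies(KNL_LOG)
    for label, text in (("before", ROUTE_TABLE_220_BEFORE), ("now", ROUTE_TABLE_220_NOW)):
        print(label, check_route_sources(parse_routes(text), pols))
    print("capture", check_capture(TCPDUMP, pols))
```

Run as-is it reports the earlier route (src 1.2.3.4) as outside the local TS and the current one (src 192.168.2.1) as inside it, and classifies the captured echo requests as cleartext: their source 1.2.3.4 is not in 192.168.2.0/24, so the `out` policy does not apply and they leave eth0.2 unprotected, which fits the peer seeing nothing on its capture. The route's `src` hint only takes effect if the lookup actually reaches table 220, so on the real box the next thing to confirm is the `ip rule` entry for table 220 that strongSwan installs, and a `ping -I 192.168.2.1 192.168.1.54` to see whether forcing the source makes the packets match the policy.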