(I removed the NFLOG rules) [alice] $ iptables-save -c # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:40 2017 *nat :PREROUTING ACCEPT [4:256] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [4:2672] :POSTROUTING ACCEPT [4:2672] COMMIT # Completed on Sat Sep 9 14:02:40 2017 # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:40 2017 *raw :PREROUTING ACCEPT [18:6158] :OUTPUT ACCEPT [16:8534] :nixos-fw-rpfilter - [0:0] [18:6158] -A PREROUTING -j nixos-fw-rpfilter [18:6158] -A nixos-fw-rpfilter -m rpfilter -j RETURN [0:0] -A nixos-fw-rpfilter -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A nixos-fw-rpfilter -j DROP COMMIT # Completed on Sat Sep 9 14:02:40 2017 # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:40 2017 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :nixos-fw - [0:0] :nixos-fw-accept - [0:0] :nixos-fw-log-refuse - [0:0] :nixos-fw-refuse - [0:0] [0:0] -A INPUT -s 10.0.0.0/24 -d 10.0.0.1/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT [18:6158] -A INPUT -j nixos-fw [0:0] -A FORWARD -s 10.0.0.0/24 -d 10.0.0.1/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT [0:0] -A FORWARD -s 10.0.0.1/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT [0:0] -A OUTPUT -s 10.0.0.1/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT [2:1152] -A nixos-fw -i lo -j nixos-fw-accept [10:4622] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept [0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept [6:384] -A nixos-fw -j nixos-fw-log-refuse [12:5774] -A nixos-fw-accept -j ACCEPT [0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6 [6:384] -A nixos-fw-log-refuse -m pkttype ! 
--pkt-type unicast -j nixos-fw-refuse [0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse [6:384] -A nixos-fw-refuse -j DROP COMMIT # Completed on Sat Sep 9 14:02:40 2017
[alice] $ sysctl -A | grep rp_filter net.ipv4.conf.all.arp_filter = 0 net.ipv4.conf.all.rp_filter = 0 net.ipv4.conf.default.arp_filter = 0 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.eth0.arp_filter = 0 net.ipv4.conf.eth0.rp_filter = 0 net.ipv4.conf.eth1.arp_filter = 0 net.ipv4.conf.eth1.rp_filter = 0 net.ipv4.conf.lo.arp_filter = 0 net.ipv4.conf.lo.rp_filter = 0 [carol] $ iptables-save -c # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:56 2017 *nat :PREROUTING ACCEPT [2:128] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [3:2002] :POSTROUTING ACCEPT [3:2002] COMMIT # Completed on Sat Sep 9 14:02:56 2017 # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:56 2017 *raw :PREROUTING ACCEPT [7:1983] :OUTPUT ACCEPT [5:2374] :nixos-fw-rpfilter - [0:0] [7:1983] -A PREROUTING -j nixos-fw-rpfilter [7:1983] -A nixos-fw-rpfilter -m rpfilter -j RETURN [0:0] -A nixos-fw-rpfilter -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A nixos-fw-rpfilter -j DROP COMMIT # Completed on Sat Sep 9 14:02:56 2017 # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:56 2017 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :nixos-fw - [0:0] :nixos-fw-accept - [0:0] :nixos-fw-log-refuse - [0:0] :nixos-fw-refuse - [0:0] [0:0] -A INPUT -s 10.0.0.0/24 -d 10.0.0.2/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT [7:1983] -A INPUT -j nixos-fw [0:0] -A FORWARD -s 10.0.0.0/24 -d 10.0.0.2/32 -i eth1 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT [0:0] -A FORWARD -s 10.0.0.2/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT [0:0] -A OUTPUT -s 10.0.0.2/32 -d 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT [0:0] -A nixos-fw -i lo -j nixos-fw-accept [3:1727] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept [0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept [4:256] -A nixos-fw -j 
nixos-fw-log-refuse [3:1727] -A nixos-fw-accept -j ACCEPT [0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6 [4:256] -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse [0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse [4:256] -A nixos-fw-refuse -j DROP COMMIT # Completed on Sat Sep 9 14:02:56 2017 [carol] $ sysctl -A | grep rp_filter net.ipv4.conf.all.arp_filter = 0 net.ipv4.conf.all.rp_filter = 0 net.ipv4.conf.default.arp_filter = 0 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.eth0.arp_filter = 0 net.ipv4.conf.eth0.rp_filter = 0 net.ipv4.conf.eth1.arp_filter = 0 net.ipv4.conf.eth1.rp_filter = 0 net.ipv4.conf.lo.arp_filter = 0 net.ipv4.conf.lo.rp_filter = 0 [moon] $ iptables-save -c # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:37 2017 *nat :PREROUTING ACCEPT [5:4546] :INPUT ACCEPT [5:4546] :OUTPUT ACCEPT [1:64] :POSTROUTING ACCEPT [1:64] COMMIT # Completed on Sat Sep 9 14:02:37 2017 # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:37 2017 *raw :PREROUTING ACCEPT [15:8288] :OUTPUT ACCEPT [15:6477] :nixos-fw-rpfilter - [0:0] [15:8288] -A PREROUTING -j nixos-fw-rpfilter [15:8288] -A nixos-fw-rpfilter -m rpfilter -j RETURN [0:0] -A nixos-fw-rpfilter -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j RETURN [0:0] -A nixos-fw-rpfilter -j DROP COMMIT # Completed on Sat Sep 9 14:02:37 2017 # Generated by iptables-save v1.6.1 on Sat Sep 9 14:02:37 2017 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [2:1432] :nixos-fw - [0:0] :nixos-fw-accept - [0:0] :nixos-fw-log-refuse - [0:0] :nixos-fw-refuse - [0:0] [15:8288] -A INPUT -j nixos-fw [0:0] -A FORWARD -s 10.0.0.2/32 -d 10.0.0.0/24 -i eth1 -m policy --dir in --pol ipsec --reqid 3 --proto esp -j ACCEPT [0:0] -A FORWARD -s 10.0.0.0/24 -d 10.0.0.2/32 -o eth1 -m policy --dir out --pol ipsec --reqid 3 --proto esp -j ACCEPT [0:0] -A FORWARD -s 10.0.0.1/32 -d 10.0.0.0/24 
-i eth1 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT [0:0] -A FORWARD -s 10.0.0.0/24 -d 10.0.0.1/32 -o eth1 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT [0:0] -A nixos-fw -i lo -j nixos-fw-accept [5:2328] -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept [4:3152] -A nixos-fw -p udp -m udp --dport 4500 -j nixos-fw-accept [4:2680] -A nixos-fw -p udp -m udp --dport 500 -j nixos-fw-accept [0:0] -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept [2:128] -A nixos-fw -j nixos-fw-log-refuse [13:8160] -A nixos-fw-accept -j ACCEPT [0:0] -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "rejected connection: " --log-level 6 [2:128] -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse [0:0] -A nixos-fw-log-refuse -j nixos-fw-refuse [2:128] -A nixos-fw-refuse -j DROP COMMIT # Completed on Sat Sep 9 14:02:37 2017 [moon] $ sysctl -A | grep rp_filter net.ipv4.conf.all.arp_filter = 0 net.ipv4.conf.all.rp_filter = 0 net.ipv4.conf.default.arp_filter = 0 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.eth0.arp_filter = 0 net.ipv4.conf.eth0.rp_filter = 0 net.ipv4.conf.eth1.arp_filter = 0 net.ipv4.conf.eth1.rp_filter = 0 net.ipv4.conf.lo.arp_filter = 0 net.ipv4.conf.lo.rp_filter = 0 BTW note that if I execute the following on all hosts: $ iptables --insert INPUT --protocol ESP --jump ACCEPT pinging from alice to carol will actually give a "Destination Net Unreachable" error instead of not giving any output: [alice] $ ping -c 1 10.0.0.2 PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data. From 192.168.1.3 icmp_seq=1 Destination Net Unreachable --- 10.0.0.2 ping statistics --- 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms On 9 September 2017 at 15:57, Noel Kuntze < [email protected]> wrote: > Hi Bas, > > Please provide the outputs of `iptables-save -c` on all hosts > and the output of `sysctl -A | grep rp_filter`. 
`iptables -S` is not > useful. > > Kind regards > > Noel > > On 09.09.2017 15:50, Bas van Dijk wrote: > > Hi Noel, > > > > These are the firewall rules of all hosts after establishing the tunnels > (all the NFLOG rules will be removed eventually, they're currently used for > debugging): > > > > [alice] $ iptables -S > > -P INPUT ACCEPT > > -P FORWARD ACCEPT > > -P OUTPUT ACCEPT > > -N nixos-fw > > -N nixos-fw-accept > > -N nixos-fw-log-refuse > > -N nixos-fw-refuse > > -A INPUT -s 10.0.0.0/24 <http://10.0.0.0/24> -d 10.0.0.1/32 < > http://10.0.0.1/32> -i eth1 -m policy --dir in --pol ipsec --reqid 1 > --proto esp -j ACCEPT > > -A INPUT -m addrtype ! --dst-type LOCAL -m policy --dir in --pol ipsec > -j NFLOG --nflog-group 5 > > -A INPUT -m addrtype --dst-type LOCAL -m policy --dir in --pol ipsec -j > NFLOG --nflog-group 5 > > -A INPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5 > > -A INPUT -p ah -j NFLOG --nflog-group 5 > > -A INPUT -p esp -j NFLOG --nflog-group 5 > > -A INPUT -j nixos-fw > > -A FORWARD -s 10.0.0.0/24 <http://10.0.0.0/24> -d 10.0.0.1/32 < > http://10.0.0.1/32> -i eth1 -m policy --dir in --pol ipsec --reqid 1 > --proto esp -j ACCEPT > > -A FORWARD -s 10.0.0.1/32 <http://10.0.0.1/32> -d 10.0.0.0/24 < > http://10.0.0.0/24> -o eth1 -m policy --dir out --pol ipsec --reqid 1 > --proto esp -j ACCEPT > > -A OUTPUT -s 10.0.0.1/32 <http://10.0.0.1/32> -d 10.0.0.0/24 < > http://10.0.0.0/24> -o eth1 -m policy --dir out --pol ipsec --reqid 1 > --proto esp -j ACCEPT > > -A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 5 > > -A OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5 > > -A OUTPUT -p ah -j NFLOG --nflog-group 5 > > -A OUTPUT -p esp -j NFLOG --nflog-group 5 > > -A nixos-fw -i lo -j nixos-fw-accept > > -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept > > -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept > > -A nixos-fw -j nixos-fw-log-refuse > > -A nixos-fw-accept 
-j ACCEPT > > -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j > LOG --log-prefix "rejected connection: " --log-level 6 > > -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse > > -A nixos-fw-log-refuse -j nixos-fw-refuse > > -A nixos-fw-refuse -j DROP > > > > [carol] $ iptables -S > > -P INPUT ACCEPT > > -P FORWARD ACCEPT > > -P OUTPUT ACCEPT > > -N nixos-fw > > -N nixos-fw-accept > > -N nixos-fw-log-refuse > > -N nixos-fw-refuse > > -A INPUT -s 10.0.0.0/24 <http://10.0.0.0/24> -d 10.0.0.2/32 < > http://10.0.0.2/32> -i eth1 -m policy --dir in --pol ipsec --reqid 1 > --proto esp -j ACCEPT > > -A INPUT -m addrtype ! --dst-type LOCAL -m policy --dir in --pol ipsec > -j NFLOG --nflog-group 5 > > -A INPUT -m addrtype --dst-type LOCAL -m policy --dir in --pol ipsec -j > NFLOG --nflog-group 5 > > -A INPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5 > > -A INPUT -p ah -j NFLOG --nflog-group 5 > > -A INPUT -p esp -j NFLOG --nflog-group 5 > > -A INPUT -j nixos-fw > > -A FORWARD -s 10.0.0.0/24 <http://10.0.0.0/24> -d 10.0.0.2/32 < > http://10.0.0.2/32> -i eth1 -m policy --dir in --pol ipsec --reqid 1 > --proto esp -j ACCEPT > > -A FORWARD -s 10.0.0.2/32 <http://10.0.0.2/32> -d 10.0.0.0/24 < > http://10.0.0.0/24> -o eth1 -m policy --dir out --pol ipsec --reqid 1 > --proto esp -j ACCEPT > > -A OUTPUT -s 10.0.0.2/32 <http://10.0.0.2/32> -d 10.0.0.0/24 < > http://10.0.0.0/24> -o eth1 -m policy --dir out --pol ipsec --reqid 1 > --proto esp -j ACCEPT > > -A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 5 > > -A OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5 > > -A OUTPUT -p ah -j NFLOG --nflog-group 5 > > -A OUTPUT -p esp -j NFLOG --nflog-group 5 > > -A nixos-fw -i lo -j nixos-fw-accept > > -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept > > -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept > > -A nixos-fw -j nixos-fw-log-refuse > > -A 
nixos-fw-accept -j ACCEPT > > -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j > LOG --log-prefix "rejected connection: " --log-level 6 > > -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse > > -A nixos-fw-log-refuse -j nixos-fw-refuse > > -A nixos-fw-refuse -j DROP > > > > [moon] $ iptables -S > > -P INPUT ACCEPT > > -P FORWARD ACCEPT > > -P OUTPUT ACCEPT > > -N nixos-fw > > -N nixos-fw-accept > > -N nixos-fw-log-refuse > > -N nixos-fw-refuse > > -A INPUT -m addrtype ! --dst-type LOCAL -m policy --dir in --pol ipsec > -j NFLOG --nflog-group 5 > > -A INPUT -m addrtype --dst-type LOCAL -m policy --dir in --pol ipsec -j > NFLOG --nflog-group 5 > > -A INPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5 > > -A INPUT -p ah -j NFLOG --nflog-group 5 > > -A INPUT -p esp -j NFLOG --nflog-group 5 > > -A INPUT -j nixos-fw > > -A FORWARD -s 10.0.0.2/32 <http://10.0.0.2/32> -d 10.0.0.0/24 < > http://10.0.0.0/24> -i eth1 -m policy --dir in --pol ipsec --reqid 2 > --proto esp -j ACCEPT > > -A FORWARD -s 10.0.0.0/24 <http://10.0.0.0/24> -d 10.0.0.2/32 < > http://10.0.0.2/32> -o eth1 -m policy --dir out --pol ipsec --reqid 2 > --proto esp -j ACCEPT > > -A FORWARD -s 10.0.0.1/32 <http://10.0.0.1/32> -d 10.0.0.0/24 < > http://10.0.0.0/24> -i eth1 -m policy --dir in --pol ipsec --reqid 1 > --proto esp -j ACCEPT > > -A FORWARD -s 10.0.0.0/24 <http://10.0.0.0/24> -d 10.0.0.1/32 < > http://10.0.0.1/32> -o eth1 -m policy --dir out --pol ipsec --reqid 1 > --proto esp -j ACCEPT > > -A OUTPUT -m policy --dir out --pol ipsec -j NFLOG --nflog-group 5 > > -A OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5 > > -A OUTPUT -p ah -j NFLOG --nflog-group 5 > > -A OUTPUT -p esp -j NFLOG --nflog-group 5 > > -A nixos-fw -i lo -j nixos-fw-accept > > -A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept > > -A nixos-fw -p udp -m udp --dport 4500 -j nixos-fw-accept > > -A nixos-fw -p udp -m udp --dport 
500 -j nixos-fw-accept > > -A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept > > -A nixos-fw -j nixos-fw-log-refuse > > -A nixos-fw-accept -j ACCEPT > > -A nixos-fw-log-refuse -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j > LOG --log-prefix "rejected connection: " --log-level 6 > > -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse > > -A nixos-fw-log-refuse -j nixos-fw-refuse > > -A nixos-fw-refuse -j DROP > > > > > > On 9 September 2017 at 15:34, Noel Kuntze <noel.kuntze+strongswan-users- > [email protected] <mailto:noel.kuntze+strongswan-users-ml@thermi. > consulting>> wrote: > > > > Hi, > > > > Check your iptables rules. > > > > Kind regards > > > > Noel > > > > On 09.09.2017 14 <tel:09.09.2017%2014>:06, Bas van Dijk wrote: > > > Dear list, > > > > > > (I accidentally sent a previous message < > https://groups.google.com/forum/#%21topic/strongswan-users/2ytikPcg7jA < > https://groups.google.com/forum/#%21topic/strongswan-users/2ytikPcg7jA>> > to the read-only [email protected] <mailto: > [email protected]> <mailto:strongswan-users@ > googlegroups.com <mailto:[email protected]>>. So let's > try the real list.) > > > > > > I'm working on another NixOS strongswan test. This time I have two > roadwarriors alice and carol that set up a connection to gateway moon. They > request a virtual IP. The gateway moon assigns virtual IP addresses from a > pool per roadwarrior containing a single IP address. Authentication is > based on X.509 certificates. In order to test the tunnel alice and carol > ping each other. The test configuration can be found in: > > > > > > https://github.com/LumiGuide/nixpkgs/blob/strongswan- > swanctl-pubkey-test/nixos/tests/strongswan-swanctl-pubkey.nix < > https://github.com/LumiGuide/nixpkgs/blob/strongswan- > swanctl-pubkey-test/nixos/tests/strongswan-swanctl-pubkey.nix> > > > > > > The roadwarriors alice and carol can successfully establish a > CHILD_SA with the gateway moon. 
The problem is that the roadwarriors can't > ping each other. > > > > > > This is a tcpdump on alice while initiating the CHILD_SA and > trying to ping carol: > > > > > > [alice] $ tcpdump -s 0 -n -i nflog:5 > > > tcpdump: verbose output suppressed, use -v or -vv for full > protocol decode > > > listening on nflog:5, link-type NFLOG (Linux netfilter log > messages), capture size 262144 bytes > > > # swanctl -i --child alice > > > 11:05:07.318185 IP 192.168.1.1.500 > 192.168.1.3.500: isakmp: > parent_sa ikev2_init[I] > > > 11:05:07.318291 IP 192.168.1.3.500 > 192.168.1.1.500: isakmp: > parent_sa ikev2_init[R] > > > 11:05:07.318296 IP 192.168.1.1.4500 > 192.168.1.3.4500: > NONESP-encap: isakmp: child_sa ikev2_auth[I] > > > 11:05:07.318308 IP 192.168.1.1.4500 > 192.168.1.3.4500: > NONESP-encap: isakmp: child_sa ikev2_auth[I] > > > 11:05:08.346181 IP 192.168.1.3.4500 > 192.168.1.1.4500: > NONESP-encap: isakmp: child_sa ikev2_auth[R] > > > 11:05:08.346196 IP 192.168.1.3.4500 > 192.168.1.1.4500: > NONESP-encap: isakmp: child_sa ikev2_auth[R] > > > # ping -c 1 10.0.0.2 > > > 11:05:15.898172 IP 192.168.1.1 > 10.0.0.2 <http://10.0.0.2>: ICMP > echo request, id 1120, seq 1, length 64 > > > 11:05:15.898200 IP 192.168.1.1 > 10.0.0.2 <http://10.0.0.2>: ICMP > echo request, id 1120, seq 1, length 64 > > > 11:05:15.898205 IP 192.168.1.1 > 192.168.1.3 <http://192.168.1.3>: > ESP(spi=0xc6877d56,seq=0x1), length 136 > > > > > > So it looks like the ping packet gets encapsulated and sent to > moon. 
This is the dump on moon: > > > > > > [moon] $ tcpdump -s 0 -n -i nflog:5 > > > tcpdump: verbose output suppressed, use -v or -vv for full > protocol decode > > > listening on nflog:5, link-type NFLOG (Linux netfilter log > messages), capture size 262144 bytes > > > 11:05:07.170190 IP 192.168.1.1.500 > 192.168.1.3.500: isakmp: > parent_sa ikev2_init[I] > > > 11:05:07.170218 IP 192.168.1.3.500 > 192.168.1.1.500: isakmp: > parent_sa ikev2_init[R] > > > 11:05:07.170221 IP 192.168.1.1.4500 > 192.168.1.3.4500: > NONESP-encap: isakmp: child_sa ikev2_auth[I] > > > 11:05:07.170227 IP 192.168.1.1.4500 > 192.168.1.3.4500: > NONESP-encap: isakmp: child_sa ikev2_auth[I] > > > 11:05:08.225827 IP 192.168.1.3.4500 > 192.168.1.1.4500: > NONESP-encap: isakmp: child_sa ikev2_auth[R] > > > 11:05:08.225843 IP 192.168.1.3.4500 > 192.168.1.1.4500: > NONESP-encap: isakmp: child_sa ikev2_auth[R] > > > > > > 11:05:15.777787 IP 192.168.1.1 > 192.168.1.3 <http://192.168.1.3>: > ESP(spi=0xc6877d56,seq=0x1), length 136 > > > > > > So moon receives the encapsulated ping message from alice but it > never reroutes it to carol. Is this caused by a bad routing configuration? 
> These are the routes on alice and her auto-generated swanctl configuration: > > > > > > [alice] $ ip route list table 220 > > > 10.0.0.0/24 <http://10.0.0.0/24> <http://10.0.0.0/24> via > 192.168.1.3 dev eth1 proto static src 192.168.1.1 > > > > > > [alice] $ cat /etc/swanctl/swanctl.conf > > > connections { > > > alice { > > > children { > > > alice { > > > remote_ts = 10.0.0.0/24 <http://10.0.0.0/24> < > http://10.0.0.0/24> > > > start_action = trap > > > updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w > 9g-strongswan-5.6.0/libexec/ipsec/_updown iptables > > > } > > > } > > > local-main { > > > auth = pubkey > > > certs = aliceCert.der > > > id = alice > > > } > > > remote-main { > > > auth = pubkey > > > id = moon > > > } > > > remote_addrs = moon > > > version = 2 > > > vips = 0.0.0.0 > > > } > > > } > > > > > > Routing table 220 is empty on moon. Is that how it's supposed to > be? This is its auto-generated swanctl configuration: > > > > > > [moon] $ cat /etc/swanctl/swanctl.conf > > > connections { > > > alice { > > > children { > > > alice { > > > local_ts = 10.0.0.0/24 <http://10.0.0.0/24> < > http://10.0.0.0/24> > > > updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w > 9g-strongswan-5.6.0/libexec/ipsec/_updown iptables > > > } > > > } > > > local-main { > > > auth = pubkey > > > certs = moonCert.der > > > id = moon > > > } > > > pools = alice > > > remote-main { > > > auth = pubkey > > > id = alice > > > } > > > version = 2 > > > } > > > carol { > > > children { > > > carol { > > > local_ts = 10.0.0.0/24 <http://10.0.0.0/24> < > http://10.0.0.0/24> > > > updown = /nix/store/jdcviy5z25xamq35g8k9qbdpskkx3w > 9g-strongswan-5.6.0/libexec/ipsec/_updown iptables > > > } > > > } > > > local-main { > > > auth = pubkey > > > certs = moonCert.der > > > id = moon > > > } > > > pools = carol > > > remote-main { > > > auth = pubkey > > > id = carol > > > } > > > version = 2 > > > } > > > } > > > pools { > > > alice { > > > addrs = 10.0.0.1 > > > } > > > carol { > 
> > addrs = 10.0.0.2 > > > } > > > } > > > > > > I'm sure I'm not configuring something correctly. Can somebody > point me in the right direction to get this test to succeed? > > > > > > Regards, > > > > > > Bas > > > > > > > > > > > > > > > > >
