Hello all: My IPsec tunnel can't be established by traffic. I configured an IKEv2, net-to-net, PSK connection. I can use the "ipsec up" command to establish the tunnel, but it can't be established by incoming traffic; of course, the traffic matches the rule.
The network:
--------------------------
pc ------------------ client ------------------ server ------------------ pc2
192.168.4.2     192.168.4.1   10.0.0.1       10.0.0.2   192.168.10.1     192.168.10.2

[client:ipsec.conf]
---------------------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

conn %default
    reauth=yes
    ikelifetime=60m
    keylife=20m
    rekeymargin=5m
    keyingtries=1
    dpdaction=clear
    dpddelay=10s
    #dpdtimeout=20s
    keyexchange=ikev2
    authby=psk
    type=tunnel
    installpolicy=yes

conn nat-t
    left=10.0.0.1
    leftsubnet=192.168.4.0/24
    leftfirewall=yes
    right=10.0.0.2
    rightsubnet=192.168.10.0/24
    auto=route

[server:ipsec.conf]
---------------------------
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

conn %default
    reauth=yes
    ikelifetime=60m
    keylife=20m
    rekeymargin=5m
    keyingtries=1
    keyexchange=ikev2
    authby=psk
    dpdaction=clear
    dpddelay=10s
    type=tunnel

conn nat-t
    left=10.0.0.2
    leftsubnet=192.168.10.0/24
    leftfirewall=yes
    right=%any
    rightsubnet=192.168.4.0/24
    auto=route

[client and server: strongswan.conf]
-----------------------
# /etc/strongswan.conf - strongSwan configuration file

charon {
    # two defined file loggers
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            ike_name = yes
            append = no
            default = 2
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
            chd = 2
            esp = 2
            job = 2
            lib = 2
            mgr = 2
            net = 2
        }
    }
    # and two loggers using syslog
    syslog {
        identifier = charon-custom
        daemon {
        }
        auth {
            default = -1
            ike = 0
        }
    }
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    port = 0
    port_nat_t = 0
    install_routes = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    dns1 = 114.114.114.114
    nbns1 = 114.114.114.114
}

include strongswan.d/*.conf

command:
--------------------
ipsec start
ipsec statusall
-------------------
[root@epcaas-client ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 3.10.0-693.11.1.el7.x86_64, x86_64):
  uptime: 57 seconds, since May 25 11:46:38 2018
  malloc: sbrk 1351680, mmap 0, used 281552, free 1070128
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf curve25519 xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke vici updown xauth-generic radattr counters
Listening IP addresses:
  10.0.0.1
  192.168.4.1
Connections:
       nat-t:  10.0.0.1...10.0.0.2  IKEv2, dpddelay=10s
       nat-t:   local:  [10.0.0.1] uses pre-shared key authentication
       nat-t:   remote: [10.0.0.2] uses pre-shared key authentication
       nat-t:   child:  192.168.4.0/24 === 192.168.10.0/24 TUNNEL, dpdaction=clear
Routed Connections:
       nat-t{1}:  ROUTED, TUNNEL, reqid 1
       nat-t{1}:   192.168.4.0/24 === 192.168.10.0/24
Security Associations (0 up, 0 connecting):
  none

at pc command
------------------------------------
ping 192.168.10.2 from 192.168.4.2:

[client:/var/log/charon.log]
-----------------------
May 25 11:46:38 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 3.10.0-693.11.1.el7.x86_64, x86_64)
May 25 11:46:38 00[LIB] plugin 'aes': loaded successfully
May 25 11:46:38 00[LIB] plugin 'des': loaded successfully
May 25 11:46:38 00[LIB] plugin 'rc2': loaded successfully
May 25 11:46:38 00[LIB] plugin 'sha2': loaded successfully
May 25 11:46:38 00[LIB] plugin 'sha1': loaded successfully
May 25 11:46:38 00[LIB] plugin 'md5': loaded successfully
May 25 11:46:38 00[LIB] plugin 'random': loaded successfully
May 25 11:46:38 00[LIB] plugin 'nonce': loaded successfully
May 25 11:46:38 00[LIB] plugin 'x509': loaded successfully
May 25 11:46:38 00[LIB] plugin 'revocation': loaded successfully
May 25 11:46:38 00[LIB] plugin 'constraints': loaded successfully
May 25 11:46:38 00[LIB] plugin 'pubkey': loaded successfully
May 25 11:46:38 00[LIB] plugin 'pkcs1': loaded successfully
May 25 11:46:38 00[LIB] plugin 'pkcs7': loaded successfully
May 25 11:46:38 00[LIB] plugin 'pkcs8': loaded successfully
May 25 11:46:38 00[LIB] plugin 'pkcs12': loaded successfully
May 25 11:46:38 00[LIB] plugin 'pgp': loaded successfully
May 25 11:46:38 00[LIB] plugin 'dnskey': loaded successfully
May 25 11:46:38 00[LIB] plugin 'sshkey': loaded successfully
May 25 11:46:38 00[LIB] plugin 'pem': loaded successfully
May 25 11:46:38 00[LIB] plugin 'fips-prf': loaded successfully
May 25 11:46:38 00[LIB] plugin 'curve25519': loaded successfully
May 25 11:46:38 00[LIB] plugin 'xcbc': loaded successfully
May 25 11:46:38 00[LIB] plugin 'cmac': loaded successfully
May 25 11:46:38 00[LIB] plugin 'hmac': loaded successfully
May 25 11:46:38 00[CFG] loaded legacy entry attribute INTERNAL_IP4_DNS: 72:72:72:72
May 25 11:46:38 00[CFG] loaded legacy entry attribute INTERNAL_IP4_NBNS: 72:72:72:72
May 25 11:46:38 00[LIB] plugin 'attr': loaded successfully
May 25 11:46:38 00[LIB] created TUN device: ipsec0
May 25 11:46:38 00[LIB] plugin 'kernel-libipsec': loaded successfully
May 25 11:46:38 00[LIB] plugin 'kernel-pfkey': loaded successfully
May 25 11:46:38 00[LIB] plugin 'kernel-netlink': loaded successfully
May 25 11:46:38 00[LIB] plugin 'resolve': loaded successfully
May 25 11:46:38 00[LIB] plugin 'socket-default': loaded successfully
May 25 11:46:38 00[LIB] plugin 'stroke': loaded successfully
May 25 11:46:38 00[LIB] plugin 'vici': loaded successfully
May 25 11:46:38 00[LIB] plugin 'updown': loaded successfully
May 25 11:46:38 00[LIB] plugin 'xauth-generic': loaded successfully
May 25 11:46:38 00[LIB] plugin 'radattr': loaded successfully
May 25 11:46:38 00[LIB] plugin 'counters': loaded successfully
May 25 11:46:38 00[LIB] feature CUSTOM:kernel-ipsec in plugin 'kernel-pfkey' failed to load
May 25 11:46:38 00[LIB] feature CUSTOM:kernel-ipsec in plugin 'kernel-netlink' failed to load
May 25 11:46:38 00[KNL] known interfaces and IP addresses:
May 25 11:46:38 00[KNL] lo
May 25 11:46:38 00[KNL] 127.0.0.1
May 25 11:46:38 00[KNL] ::1
May 25 11:46:38 00[KNL] eth0
May 25 11:46:38 00[KNL] 10.0.0.1
May 25 11:46:38 00[KNL] fe80::f816:3eff:fe32:c093
May 25 11:46:38 00[KNL] eth1
May 25 11:46:38 00[KNL] 192.168.4.1
May 25 11:46:38 00[KNL] fe80::f816:3eff:fed6:573a
May 25 11:46:38 00[KNL] eth2
May 25 11:46:38 00[KNL] 192.168.6.61
May 25 11:46:38 00[KNL] fe80::f816:3eff:fe77:5cc6
May 25 11:46:38 00[KNL] ipsec0
May 25 11:46:38 00[KNL] fe80::dda:9afd:25a6:e916
May 25 11:46:38 00[LIB] feature PUBKEY:ECDSA in plugin 'pem' has unmet dependency: PUBKEY:ECDSA
May 25 11:46:38 00[LIB] feature PUBKEY:BLISS in plugin 'pem' has unmet dependency: PUBKEY:BLISS
May 25 11:46:38 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
May 25 11:46:38 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has unmet dependency: PRIVKEY:DSA
May 25 11:46:38 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has unmet dependency: PRIVKEY:BLISS
May 25 11:46:38 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin 'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
May 25 11:46:38 00[LIB] feature PRF:PRF_CAMELLIA128_XCBC in plugin 'xcbc' has unmet dependency: CRYPTER:CAMELLIA_CBC-16
May 25 11:46:38 00[LIB] feature SIGNER:CAMELLIA_XCBC_96 in plugin 'xcbc' has unmet dependency: CRYPTER:CAMELLIA_CBC-16
May 25 11:46:38 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 25 11:46:38 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 25 11:46:38 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 25 11:46:38 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 25 11:46:38 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 25 11:46:38 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 25 11:46:38 00[CFG] loaded IKE secret for 10.0.0.1
May 25 11:46:38 00[CFG] expanding file expression '/etc/ipsec.*.secrets' failed
May 25 11:46:38 00[LIB] unloading plugin 'kernel-pfkey' without loaded features
May 25 11:46:38 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf curve25519 xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke vici updown xauth-generic radattr counters
May 25 11:46:38 00[LIB] unable to load 10 plugin features (8 due to unmet dependencies)
May 25 11:46:38 00[JOB] spawning 16 worker threads
May 25 11:46:38 01[LIB] created thread 01 [2687]
May 25 11:46:38 01[JOB] started worker thread 01
May 25 11:46:38 01[JOB] no events, waiting
May 25 11:46:38 02[LIB] created thread 02 [2689]
May 25 11:46:38 02[JOB] started worker thread 02
May 25 11:46:38 02[NET] waiting for data on sockets
May 25 11:46:38 03[LIB] created thread 03 [2690]
May 25 11:46:38 03[JOB] started worker thread 03
May 25 11:46:38 04[LIB] created thread 04 [2688]
May 25 11:46:38 04[JOB] started worker thread 04
May 25 11:46:38 04[JOB] watcher going to poll() 4 fds
May 25 11:46:38 04[JOB] watcher got notification, rebuilding
May 25 11:46:38 04[JOB] watcher going to poll() 4 fds
May 25 11:46:38 04[JOB] watched FD 16 ready to read
May 25 11:46:38 04[JOB] watcher going to poll() 3 fds
May 25 11:46:38 05[LIB] created thread 05 [2684]
May 25 11:46:38 05[JOB] started worker thread 05
May 25 11:46:38 06[LIB] created thread 06 [2680]
May 25 11:46:38 06[JOB] started worker thread 06
May 25 11:46:38 07[LIB] created thread 07 [2676]
May 25 11:46:38 07[JOB] started worker thread 07
May 25 11:46:38 08[LIB] created thread 08 [2677]
May 25 11:46:38 08[JOB] started worker thread 08
May 25 11:46:38 09[LIB] created thread 09 [2678]
May 25 11:46:38 09[JOB] started worker thread 09
May 25 11:46:38 10[LIB] created thread 10 [2681]
May 25 11:46:38 10[JOB] started worker thread 10
May 25 11:46:38 11[LIB] created thread 11 [2682]
May 25 11:46:38 11[JOB] started worker thread 11
May 25 11:46:38 12[LIB] created thread 12 [2683]
May 25 11:46:38 12[JOB] started worker thread 12
May 25 11:46:38 13[LIB] created thread 13 [2686]
May 25 11:46:38 13[JOB] started worker thread 13
May 25 11:46:38 14[LIB] created thread 14 [2691]
May 25 11:46:38 14[JOB] started worker thread 14
May 25 11:46:38 15[LIB] created thread 15 [2679]
May 25 11:46:38 15[JOB] started worker thread 15
May 25 11:46:38 16[LIB] created thread 16 [2685]
May 25 11:46:38 16[JOB] started worker thread 16
May 25 11:46:38 07[ESP] no matching outbound IPsec policy for fe80::dda:9afd:25a6:e916 == ff02::2 [58]
May 25 11:46:38 04[JOB] watcher got notification, rebuilding
May 25 11:46:38 04[JOB] watcher going to poll() 4 fds
May 25 11:46:38 04[JOB] watched FD 16 ready to read
May 25 11:46:38 04[JOB] watcher going to poll() 3 fds
May 25 11:46:38 04[JOB] watcher got notification, rebuilding
May 25 11:46:38 04[JOB] watcher going to poll() 4 fds
May 25 11:46:38 04[JOB] watched FD 19 ready to read
May 25 11:46:38 04[JOB] watcher going to poll() 3 fds
May 25 11:46:38 10[CFG] received stroke: add connection 'nat-t'
May 25 11:46:38 10[CFG] conn nat-t
May 25 11:46:38 10[CFG] left=10.0.0.1
May 25 11:46:38 10[CFG] leftsubnet=192.168.4.0/24
May 25 11:46:38 10[CFG] leftauth=psk
May 25 11:46:38 10[CFG] leftupdown=ipsec _updown iptables
May 25 11:46:38 10[CFG] right=10.0.0.2
May 25 11:46:38 10[CFG] rightsubnet=192.168.10.0/24
May 25 11:46:38 10[CFG] rightauth=psk
May 25 11:46:38 10[CFG] dpddelay=10
May 25 11:46:38 10[CFG] dpdtimeout=150
May 25 11:46:38 10[CFG] dpdaction=1
May 25 11:46:38 10[CFG] sha256_96=no
May 25 11:46:38 10[CFG] mediation=no
May 25 11:46:38 10[CFG] keyexchange=ikev2
May 25 11:46:38 10[KNL] 10.0.0.2 is not a local address or the interface is down
May 25 11:46:38 10[CFG] added configuration 'nat-t'
May 25 11:46:38 04[JOB] watcher got notification, rebuilding
May 25 11:46:38 04[JOB] watcher going to poll() 4 fds
May 25 11:46:38 04[JOB] watched FD 19 ready to read
May 25 11:46:38 04[JOB] watcher going to poll() 3 fds
May 25 11:46:38 12[CFG] received stroke: route 'nat-t'
May 25 11:46:38 12[CFG] proposing traffic selectors for us:
May 25 11:46:38 12[CFG] 192.168.4.0/24
May 25 11:46:38 12[CFG] proposing traffic selectors for other:
May 25 11:46:38 12[CFG] 192.168.10.0/24
May 25 11:46:38 12[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
May 25 11:46:38 12[ESP] adding policy 192.168.10.0/24 === 192.168.4.0/24 in
May 25 11:46:39 12[ESP] adding policy 192.168.4.0/24 === 192.168.10.0/24 out
May 25 11:46:39 12[KNL] getting a local address in traffic selector 192.168.4.0/24
May 25 11:46:39 12[KNL] using host 192.168.4.1
May 25 11:46:39 12[KNL] installing route: 192.168.10.0/24 src 192.168.4.1 dev ipsec0
May 25 11:46:39 12[KNL] getting iface index for ipsec0
May 25 11:46:39 12[CHD] CHILD_SA nat-t{1} state change: CREATED => ROUTED
May 25 11:46:39 04[JOB] watcher got notification, rebuilding
May 25 11:46:39 04[JOB] watcher going to poll() 4 fds
May 25 11:46:39 04[JOB] watched FD 16 ready to read
May 25 11:46:39 04[JOB] watcher going to poll() 3 fds
May 25 11:46:39 04[JOB] watcher got notification, rebuilding
May 25 11:46:39 04[JOB] watcher going to poll() 4 fds
May 25 11:46:42 07[ESP] no matching outbound IPsec policy for fe80::dda:9afd:25a6:e916 == ff02::2 [58]
May 25 11:46:46 07[ESP] no matching outbound IPsec policy for fe80::dda:9afd:25a6:e916 == ff02::2 [58]
May 25 11:46:50 04[JOB] watched FD 19 ready to read
May 25 11:46:50 04[JOB] watcher going to poll() 3 fds
May 25 11:46:50 15[CFG] proposing traffic selectors for us:
May 25 11:46:50 15[CFG] 192.168.4.0/24
May 25 11:46:50 15[CFG] proposing traffic selectors for other:
May 25 11:46:50 15[CFG] 192.168.10.0/24
May 25 11:46:50 04[JOB] watcher got notification, rebuilding
May 25 11:46:50 04[JOB] watcher going to poll() 4 fds
May 25 11:47:35 04[JOB] watched FD 19 ready to read
May 25 11:47:35 04[JOB] watcher going to poll() 3 fds
May 25 11:47:35 09[CFG] proposing traffic selectors for us:
May 25 11:47:35 09[CFG] 192.168.4.0/24
May 25 11:47:35 09[CFG] proposing traffic selectors for other:
May 25 11:47:35 09[CFG] 192.168.10.0/24
May 25 11:47:35 04[JOB] watcher got notification, rebuilding
May 25 11:47:35 04[JOB] watcher going to poll() 4 fds
May 25 11:53:10 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
May 25 11:53:15 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
May 25 11:53:20 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
May 25 11:53:25 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet

The log shows me "could not find an outbound IPsec SA for reqid {1}, dropping packet", but not "creating acquire job". Thanks.
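As an added triage example (not code from the post or from strongSwan), a small Python parser for the charon filelog format used above (time_format = %b %e %T) that pulls out the facts a reader would check in this log before answering: which plugins reported the kernel-ipsec feature as failed to load while a TUN device was created (so kernel-libipsec, not kernel-netlink, is handling policies), that the CHILD_SA reached ROUTED, and that packets for the routed reqid were dropped with no "creating acquire job" line anywhere. The embedded lines are copied from the client log in the post; the function and field names are the example's own.

```python
import re
from collections import Counter

# Log lines copied from the client's charon.log quoted in the post above (not constructed)
SAMPLE_LOG = """\
May 25 11:46:38 00[LIB] created TUN device: ipsec0
May 25 11:46:38 00[LIB] plugin 'kernel-libipsec': loaded successfully
May 25 11:46:38 00[LIB] plugin 'kernel-netlink': loaded successfully
May 25 11:46:38 00[LIB] feature CUSTOM:kernel-ipsec in plugin 'kernel-pfkey' failed to load
May 25 11:46:38 00[LIB] feature CUSTOM:kernel-ipsec in plugin 'kernel-netlink' failed to load
May 25 11:46:38 12[ESP] adding policy 192.168.10.0/24 === 192.168.4.0/24 in
May 25 11:46:39 12[ESP] adding policy 192.168.4.0/24 === 192.168.10.0/24 out
May 25 11:46:39 12[KNL] installing route: 192.168.10.0/24 src 192.168.4.1 dev ipsec0
May 25 11:46:39 12[CHD] CHILD_SA nat-t{1} state change: CREATED => ROUTED
May 25 11:53:10 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
May 25 11:53:15 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
"""

# charon filelog line with time_format = %b %e %T: "<ts> <thread>[<subsystem>] <message>"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\d\d)\[([A-Z]+)\] (.*)$")

def parse(text):
    """Return (timestamp, thread, subsystem, message) tuples; non-matching lines are skipped."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(text):
    """Pull out the events that explain why an auto=route tunnel is never triggered."""
    f = {"ipsec_backend_lost": [], "tun_device": None, "routed": [],
         "policies": [], "drops_per_reqid": Counter(), "acquires": 0}
    for _, _, sub, msg in parse(text):
        # this plugin did not get to provide kernel-ipsec (another backend registered first)
        if m := re.match(r"feature CUSTOM:kernel-ipsec in plugin '([\w-]+)' failed to load", msg):
            f["ipsec_backend_lost"].append(m[1])
        elif m := re.match(r"created TUN device: (\S+)", msg):
            f["tun_device"] = m[1]
        elif sub == "ESP" and msg.startswith("adding policy "):
            f["policies"].append(msg[len("adding policy "):])   # logged by libipsec's [ESP] subsystem
        elif m := re.match(r"CHILD_SA (\S+)\{(\d+)\} state change: \w+ => ROUTED", msg):
            f["routed"].append((m[1], int(m[2])))
        elif m := re.match(r"could not find an outbound IPsec SA for reqid \{(\d+)\}, dropping packet", msg):
            f["drops_per_reqid"][int(m[1])] += 1
        elif "creating acquire job" in msg:
            f["acquires"] += 1
    # Trap policy matched traffic (drops for a routed reqid) but no acquire was ever logged
    f["dropped_without_acquire"] = bool(f["drops_per_reqid"]) and f["acquires"] == 0
    return f

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```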