Hello Everyone,

This is the first time I'm trying to use StrongSwan.

I'm trying to use strongSwan to create an IPsec tunnel. The tunnel status says 
up, but I cannot ping over the tunnel. Would appreciate any pointers to get it 
working.

Please find below a detailed view of the issue.

Setup:

  Left Raspberry Pi (StrongSwan running here)      Right Raspberry Pi (StrongSwan running here)
  wlan0: 172.16.18.88 (left subnet)                eth0: 30.0.0.1
  eth0:  80.0.0.1  <-Router->  30.0.0.1            eth1: 10.1.1.1

Left config:
config setup
               charondebug=@all@
               cachecrls=yes
               uniqueids=yes
               strictcrlpolicy=no
               # uniqueids = no

conn pi_to_pi
               type=tunnel
               authby=secret
               auto=start
               keyexchange=ike
               esp=3des-md5
               left=%defaultroute
               leftid=80.0.0.1
               leftsubnet=172.16.18.88/24
               right=30.0.0.1
               rightsubnet=10.1.1.0/24

root@raspberrypi:~# ipsec status
Security Associations (1 up, 0 connecting):
    pi_to_pi[1]: ESTABLISHED 10 minutes ago, 80.0.0.1[80.0.0.1]...30.0.0.1[30.0.0.1]
    pi_to_pi{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb15009b_i cc28abb3_o
    pi_to_pi{1}:   172.16.18.0/24 === 10.1.1.0/24

root@raspberrypi:~# ip xfrm policy | more
src 10.1.1.0/24 dst 172.16.18.0/24 
               dir fwd priority 187712 
               tmpl src 30.0.0.1 dst 80.0.0.1
                              proto esp reqid 1 mode tunnel
src 10.1.1.0/24 dst 172.16.18.0/24 
               dir in priority 187712 
               tmpl src 30.0.0.1 dst 80.0.0.1
                              proto esp reqid 1 mode tunnel
src 172.16.18.0/24 dst 10.1.1.0/24 
               dir out priority 187712 
               tmpl src 80.0.0.1 dst 30.0.0.1
                              proto esp reqid 1 mode tunnel

root@raspberrypi:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Ping fails
root@raspberrypi:~# ping 10.1.1.1 -I 172.16.18.88
PING 10.1.1.1 (10.1.1.1) from 172.16.18.88 : 56(84) bytes of data.


tcpdump shows that the packet is not going out over the tunnel but is just sent 
to the next hop:

21:06:46.079466 IP (tos 0x0, ttl 64, id 9795, offset 0, flags [DF], proto ICMP (1), length 84)
    80.0.0.1 > 10.1.1.1: ICMP echo request, id 1694, seq 30, length 64

Any pointers to get the tunnel working would be highly appreciated.

With Rgds,
Makarand.

Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
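The `ip xfrm policy` output above is the key piece of evidence: only traffic whose source falls inside 172.16.18.0/24 matches the `dir out` selector, so a ping sourced from 80.0.0.1 leaves the box unencrypted, exactly as the tcpdump shows. As an added example that is not part of the original post or of strongSwan, the script below parses that policy listing (sample constructed from the post, in the kernel's own tab-indented layout) and reports, for a given source/destination pair, whether an outgoing packet would be encapsulated or would go out in the clear. It assumes matching on source and destination address only; the real kernel selector also considers protocol and ports, and policies are checked in priority order.

```python
import ipaddress
import re

# Constructed sample: the `ip xfrm policy` listing from the post.
XFRM_POLICY_OUTPUT = """\
src 10.1.1.0/24 dst 172.16.18.0/24
\tdir fwd priority 187712
\ttmpl src 30.0.0.1 dst 80.0.0.1
\t\tproto esp reqid 1 mode tunnel
src 10.1.1.0/24 dst 172.16.18.0/24
\tdir in priority 187712
\ttmpl src 30.0.0.1 dst 80.0.0.1
\t\tproto esp reqid 1 mode tunnel
src 172.16.18.0/24 dst 10.1.1.0/24
\tdir out priority 187712
\ttmpl src 80.0.0.1 dst 30.0.0.1
\t\tproto esp reqid 1 mode tunnel
"""

SEL_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+dir (\w+)")
TMPL_RE = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")

def parse_xfrm_policies(text):
    """Return one dict per policy: selector networks, direction, tunnel endpoints."""
    policies = []
    for line in text.splitlines():
        m = SEL_RE.match(line)
        if m:  # a new selector line starts a new policy entry
            policies.append({"src": ipaddress.ip_network(m.group(1)),
                             "dst": ipaddress.ip_network(m.group(2))})
            continue
        if not policies:
            continue
        m = DIR_RE.match(line)
        if m:
            policies[-1]["dir"] = m.group(1)
            continue
        m = TMPL_RE.match(line)
        if m:
            policies[-1]["tmpl"] = (m.group(1), m.group(2))
    return policies

def outbound_tunnel_for(policies, src_ip, dst_ip):
    """(local, remote) tunnel endpoints an outgoing src_ip -> dst_ip packet would
    use, or None if no 'out' selector covers it (it then leaves unencrypted)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.get("dir") == "out" and src in p["src"] and dst in p["dst"]:
            return p.get("tmpl")
    return None

if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY_OUTPUT)
    for s in ("172.16.18.88", "80.0.0.1"):
        print(s, "-> 10.1.1.1:", outbound_tunnel_for(pols, s, "10.1.1.1") or "no match, sent in clear")
```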