Hi,

> 21:06:46.079466 IP (tos 0x0, ttl 64, id 9795, offset 0, flags [DF], proto
> ICMP (1), length 84)
>     80.0.0.1 > 10.1.1.1: ICMP echo request, id 1694, seq 30, length 64

The source IP is changed. Fix your damn NAT rules and follow the contents of
the HelpRequests[1] page to the letter. The ForwardingAndSplitTunneling[2]
page tells you what the problem is and how to fix it.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
[2] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#General-NAT-problems

On 04.04.19 at 22:49, Makarand Pradhan wrote:
> Hello Everyone,
>
> This is the first time I'm trying to use StrongSwan.
>
> I'm trying to use strongswan to create an IPSec tunnel. The tunnel status
> says up but I cannot ping over the tunnel. Would appreciate any pointers to
> get it working.
>
> Please find below a detailed view of the issue.
>
> Setup:
>
> (Left subnet)
> 172.16.18.88    80.0.0.1 <-Router-> 30.0.0.1    10.1.1.1
> wlan0           eth0                eth0        eth1
> Raspberry pi                        Raspberry pi
> StrongSwan running here.            StrongSwan running here.
>
> Left config:
> config setup
>         charondebug=@all@
>         cachecrls=yes
>         uniqueids=yes
>         strictcrlpolicy=no
>         # uniqueids = no
>
> conn pi_to_pi
>         type=tunnel
>         authby=secret
>         auto=start
>         keyexchange=ike
>         esp=3des-md5
>         left=%defaultroute
>         leftid=80.0.0.1
>         leftsubnet=172.16.18.88/24
>         right=30.0.0.1
>         rightsubnet=10.1.1.0/24
>
> root@raspberrypi:~# ipsec status
> Security Associations (1 up, 0 connecting):
>     pi_to_pi[1]: ESTABLISHED 10 minutes ago,
> 80.0.0.1[80.0.0.1]...30.0.0.1[30.0.0.1]
>     pi_to_pi{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb15009b_i cc28abb3_o
>     pi_to_pi{1}:   172.16.18.0/24 === 10.1.1.0/24
>
> root@raspberrypi:~# ip xfrm policy | more
> src 10.1.1.0/24 dst 172.16.18.0/24
>         dir fwd priority 187712
>         tmpl src 30.0.0.1 dst 80.0.0.1
>                 proto esp reqid 1 mode tunnel
> src 10.1.1.0/24 dst 172.16.18.0/24
>         dir in priority 187712
>         tmpl src 30.0.0.1 dst 80.0.0.1
>                 proto esp reqid 1 mode tunnel
> src 172.16.18.0/24 dst 10.1.1.0/24
>         dir out priority 187712
>         tmpl src 80.0.0.1 dst 30.0.0.1
>                 proto esp reqid 1 mode tunnel
>
> root@raspberrypi:~# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Ping fails
> root@raspberrypi:~# ping 10.1.1.1 -I 172.16.18.88
> PING 10.1.1.1 (10.1.1.1) from 172.16.18.88 : 56(84) bytes of data.
>
>
> TCP dump shows that the pkt is not going out over the tunnel but is just sent
> to the next hop:
>
> 21:06:46.079466 IP (tos 0x0, ttl 64, id 9795, offset 0, flags [DF], proto
> ICMP (1), length 84)
>     80.0.0.1 > 10.1.1.1: ICMP echo request, id 1694, seq 30, length 64
>         0x0000:  e8e8 7590 02c1 b827 eb85 9967 0800 4500  ..u....'...g..E.
>         0x0010:  0054 2643 4000 4001 b963 5000 0001 0a01  .T&C@.@..cP.....
>         0x0020:  0101 0800 844a 069e 001e d663 a65c 0436  .....J.....c.\.6
>         0x0030:  0100 0809 0a0b 0c0d 0e0f 1011 1213 1415  ................
>         0x0040:  1617 1819 1a1b 1c1d 1e1f 2021 2223 2425  ...........!"#$%
>         0x0050:  2627 2829 2a2b 2c2d 2e2f 3031 3233 3435  &'()*+,-./012345
>         0x0060:  3637                                     67
>
> Any pointers to get the tunnel working would be highly appreciated.
>
> With Rgds,
> Makarand.
>
> Makarand Pradhan
> Senior Software Engineer.
> iS5 Communications Inc.
> #1-1815 Meyerside Drive
> Mississauga, Ontario
> L5T 1G3
> Main Line: +1-844-520-0588 Ext. 129
> Direct Line: +1-289-724-2296
> Cell: +1-226-501-5666
> Fax: +1-289-401-5206
> Email: [email protected]
> Website: http://www.is5com.com/
>
>
> Confidentiality Notice:
> This message is intended only for the named recipients. This message may
> contain information that is confidential and/or exempt from disclosure under
> applicable law. Any dissemination or copying of this message by anyone other
> than a named recipient is strictly prohibited. If you are not a named
> recipient or an employee or agent responsible for delivering this message to
> a named recipient, please notify us immediately, and permanently destroy this
> message and any copies you may have. Warning: Email may not be secure unless
> properly encrypted.
>
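An added illustration of why the masqueraded packet bypasses the tunnel (example code written for this thread, not from strongSwan or either poster): it parses the `ip xfrm policy` output quoted above, embedded here as constructed sample input, and checks which source addresses still match the `dir out` selector.

```python
import ipaddress
# Constructed sample input: the `ip xfrm policy` output quoted in the thread.
XFRM_POLICY_OUTPUT = """\
src 10.1.1.0/24 dst 172.16.18.0/24
    dir fwd priority 187712
    tmpl src 30.0.0.1 dst 80.0.0.1
        proto esp reqid 1 mode tunnel
src 10.1.1.0/24 dst 172.16.18.0/24
    dir in priority 187712
    tmpl src 30.0.0.1 dst 80.0.0.1
        proto esp reqid 1 mode tunnel
src 172.16.18.0/24 dst 10.1.1.0/24
    dir out priority 187712
    tmpl src 80.0.0.1 dst 30.0.0.1
        proto esp reqid 1 mode tunnel
"""

def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into dicts: selector, direction, template."""
    policies, cur = [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "src":  # unindented selector line opens a new policy entry
            cur = {"src": ipaddress.ip_network(parts[1]),
                   "dst": ipaddress.ip_network(parts[3])}
            policies.append(cur)
        elif parts[0] == "dir":
            cur["dir"] = parts[1]
        elif parts[0] == "tmpl":  # tunnel endpoints used when the selector matches
            cur["tmpl_src"], cur["tmpl_dst"] = parts[2], parts[4]
    return policies

def outbound_policy_for(policies, src_ip, dst_ip):
    """Return the `dir out` policy whose selectors cover src_ip -> dst_ip, else None.

    The lookup sees the addresses the packet carries at that moment: after MASQUERADE
    rewrites the source to the public address, no selector matches (see the tcpdump).
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.get("dir") == "out" and s in p["src"] and d in p["dst"]:
            return p
    return None

if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY_OUTPUT)
    print(outbound_policy_for(pols, "172.16.18.88", "10.1.1.1"))  # matches: would be tunnelled
    print(outbound_policy_for(pols, "80.0.0.1", "10.1.1.1"))      # None: masqueraded source
```

The fix documented on the linked ForwardingAndSplitTunneling page is to exempt IPsec-policy traffic from NAT, for example with `iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT` inserted ahead of the MASQUERADE rule, so the policy lookup still sees the private source address.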