Hello Noel, Team,

Any kind souls out there? Please assist with the below question.

On Mon, Apr 8, 2019 at 3:22 PM MOSES KARIUKI <[email protected]> wrote:
> Thanks a lot Noel. The connection is up and stable. Very helpful.
> One more thing, the remote client is able to ping my private IP, but I am
> unable to ping his private IP address. I have checked and my routes seem
> OK. What do you suggest?
>
> Below is my status:
>
> *sudo ipsec statusall*
> Status of IKE charon daemon (strongSwan 5.6.3, Linux 4.18.0-1008-gcp, x86_64):
>   uptime: 28 seconds, since Apr 08 12:14:39 2019
>   malloc: sbrk 1622016, mmap 0, used 629024, free 992992
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
>   loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
> Listening IP addresses:
>   10.138.0.4
> Connections:
>     televida:  10.138.0.4...200.**.***.***  IKEv2, dpddelay=30s
>     televida:   local:  [35.1**.2**.***] uses pre-shared key authentication
>     televida:   remote: [200.**.***.***] uses pre-shared key authentication
>     televida:   child:  10.138.0.0/20 === 10.28.2.0/24 TUNNEL, dpdaction=clear
> Security Associations (1 up, 0 connecting):
>     televida[1]: ESTABLISHED 23 seconds ago, 10.138.0.4[35.1**.2**.***]...200.**.***.***[200.**.***.***]
>     televida[1]: IKEv2 SPIs: 055627d3eb22222f_i 081a1b696be14ad2_r*, pre-shared key reauthentication in 23 hours
>     televida[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
>     televida{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c5fb101f_i 82900426_o
>     televida{2}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
>     televida{2}:   10.138.0.4/32 === 10.28.2.0/24
> kariukims@klick-001:~$ ping 10.28.2.9
> PING 10.28.2.9 (10.28.2.9) 56(84) bytes of data.
> ^C
> --- 10.28.2.9 ping statistics ---
> 3 packets transmitted, 0 received, 100% packet loss, time 56ms
>
> Kind regards,
> Moses K
>
> On Mon, Apr 8, 2019 at 3:09 PM MOSES KARIUKI <[email protected]> wrote:
>> Thanks a lot Noel. The connection is up and stable. Very helpful.
>> One more thing, the remote client is able to ping my private IP, but I am
>> unable to ping his private IP address. I have checked and my routes seem
>> OK. What do you suggest?
>>
>> Kind regards,
>> Moses K
>>
>> On Thu, Apr 4, 2019 at 9:50 PM Noel Kuntze <[email protected]> wrote:
>>> Hi,
>>>
>>> You configured "rightsourceip=10.10.10.0/24" but that's supposed to be
>>> a site-to-site connection. Use rightsubnet instead.
>>> rightsourceip is for assigning and requesting virtual IPs. The best way
>>> for you would be to migrate to swanctl instead.
>>> Its configuration format is a lot clearer.
>>>
>>> Kind regards
>>>
>>> Noel
>>>
>>> Am 02.04.19 um 11:27 schrieb MOSES KARIUKI:
>>> > Dear Tobias,
>>> >
>>> > :) :)
>>> > I read the message. But I can't really interpret what setting is
>>> > needed to make it work. I have listed my current configuration. I am still
>>> > finding my way with Linux networking and Strongswan.
>>> >
>>> > Please assist. I will really appreciate it and also offer to assist others.
>>> >
>>> > regards,
>>> > Moses
>>> >
>>> > On Tue, Apr 2, 2019 at 11:23 AM Tobias Brunner <[email protected]> wrote:
>>> >
>>> >     Hi Moses,
>>> >
>>> >     > Apr 1 20:57:58 klick-001 charon: 11[IKE] expected a virtual IP
>>> >     > request, sending FAILED_CP_REQUIRED
>>> >
>>> >     I guess reading is hard. Or is that message (that you explicitly marked
>>> >     in your email) really that unclear?
>>> >
>>> >     Regards,
>>> >     Tobias
>>> >
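Noel's advice in the thread, worked into a configuration as an added illustration (not a configuration posted by anyone in the thread): the ipsec.conf `rightsourceip` line that makes charon expect a virtual-IP request (hence FAILED_CP_REQUIRED) is shown in a comment beside a swanctl.conf site-to-site definition that uses static traffic selectors. The connection name and the subnets 10.138.0.0/20 and 10.28.2.0/24 come from the statusall output above; the public addresses, IDs and secret are placeholders, since the thread masks them.

```conf
# --- ipsec.conf line that causes FAILED_CP_REQUIRED (from the thread) ---
#   rightsourceip=10.10.10.0/24   # a pool: charon waits for the peer to
#                                 # request a virtual IP; a site-to-site
#                                 # peer never does, so the child SA fails.
# --- swanctl.conf equivalent with static traffic selectors (assumed) ---
connections {
    televida {
        version = 2
        local_addrs  = 10.138.0.4
        remote_addrs = PEER_PUBLIC_IP          # placeholder (masked in thread)
        local {
            auth = psk
            id = LOCAL_PUBLIC_IP               # placeholder (masked in thread)
        }
        remote {
            auth = psk
            id = PEER_PUBLIC_IP                # placeholder
        }
        children {
            televida {
                # what "rightsubnet" means in swanctl terms: fixed selectors
                # on both sides, no virtual-IP pool involved.
                local_ts  = 10.138.0.0/20
                remote_ts = 10.28.2.0/24
                start_action = start
                dpd_action = clear
                esp_proposals = aes256-sha256  # matches AES_CBC_256/HMAC_SHA2_256_128
            }
        }
        proposals = aes256-sha256-ecp521       # matches the IKE proposal shown
        dpd_delay = 30s
    }
}

secrets {
    ike-televida {
        id = PEER_PUBLIC_IP                    # placeholder
        secret = "REPLACE_WITH_PSK"            # placeholder
    }
}
```

The statusall output shows the installed child as 10.138.0.4/32 === 10.28.2.0/24 although 10.138.0.0/20 was configured, so the selector was narrowed during negotiation; for hosts other than 10.138.0.4 to use the tunnel, both peers' selectors have to allow the full /20.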
