Jeff Puro <[email protected]> writes:

> I have an issue with a pretty standard setup using Strongswan, wherein the
> tunnel comes up properly but the traffic to the actual server is never
> marked for ESP and thus never seems to get onto the tunnel. I've confirmed
> that I do not see any traffic for esp using tcpdump, and when I do
> a traceroute to the server on the right's VPN, it always just goes to the
> internet gateway. The setup is pretty standard, but the key difference is
> the server I am attempting to connect to is using a public IP address
> (which is maybe why it attempts to go to it using the Amazon internet
> gateway). I do not see any routes in table 220 etc. I have tried numerous
> permutations to even the ipsec-tools.conf thinking that this would mark
> traffic as secured, but that doesn't work. I've also tried numerous
> iptables settings to no avail. My primary configuration is as follows:
Can you also share the output of these commands:

1) `ip xfrm policy`
2) `ip xfrm state`

> Software versions:
>
> Ubuntu 16.04
> Strongswan: 5.3.5
>
> Configurations:
>
> ipsec.conf:
>
> config setup
>     charondebug="all"
>
> conn %default
>     ikelifetime=28800s
>     keylife=86400s
>     keyingtries=999
>     keyexchange=ikev1
>     ike=aes256-sha1-modp1536
>     type=tunnel
>
> conn vpn-conn
>     auto=start
>     type=tunnel
>     leftauth=psk
>     rightauth=psk
>     ike=aes256-sha1-modp1536!
>     esp=aes256-sha1!
>     ikelifetime=28800s
>     keylife=86400s
>     left=%defaultroute
>     leftsubnet=18.x.x.x/32
>     right=68.x.x.x
>     rightsubnet=68.x.x.x/32
>     keyingtries=999
>     keyexchange=ikev1
>     reauth=no
>     closeaction=restart
>     dpdaction=restart
>     dpddelay=60s
>     dpdtimeout=150s

-- 
Narendra Joshi
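The `ip xfrm policy` output requested above lists the kernel's IPsec policies (the SPD), and a packet is only handed to ESP if its source and destination both fall inside an `out` policy selector; otherwise it follows the ordinary routing table. As an added illustration that is not part of this thread, the script below parses a constructed `ip xfrm policy` listing and checks whether a given src/dst flow is covered by any policy. The addresses (18.0.0.10, 68.0.0.20, 172.31.5.7) are placeholders, not the hosts from the thread.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output; addresses are placeholders.
SAMPLE_XFRM_POLICY = """\
src 18.0.0.10/32 dst 68.0.0.20/32
    dir out priority 367231 ptype main
    tmpl src 18.0.0.10 dst 68.0.0.20
        proto esp reqid 1 mode tunnel
src 68.0.0.20/32 dst 18.0.0.10/32
    dir fwd priority 367231 ptype main
    tmpl src 68.0.0.20 dst 18.0.0.10
        proto esp reqid 1 mode tunnel
src 68.0.0.20/32 dst 18.0.0.10/32
    dir in priority 367231 ptype main
    tmpl src 68.0.0.20 dst 18.0.0.10
        proto esp reqid 1 mode tunnel
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")
DIRECTION_RE = re.compile(r"^\s+dir (\w+)")


def parse_policies(text):
    """Return (src_net, dst_net, direction) tuples from `ip xfrm policy` text."""
    policies, selector = [], None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:  # start of a policy entry: remember its selector
            selector = (ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)))
            continue
        m = DIRECTION_RE.match(line)
        if m and selector is not None:  # direction line completes the entry
            policies.append((selector[0], selector[1], m.group(1)))
            selector = None
    return policies


def matching_policy(policies, src, dst, direction="out"):
    """First policy whose selector covers src->dst in that direction, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, pdir in policies:
        if pdir == direction and s in src_net and d in dst_net:
            return (src_net, dst_net, pdir)
    return None  # no SPD match: packet is routed in the clear


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_XFRM_POLICY)
    for src in ("18.0.0.10", "172.31.5.7"):  # second source is outside leftsubnet
        print(src, "->", "68.0.0.20", matching_policy(pols, src, "68.0.0.20"))
```

A flow whose source address is not inside the `src` selector (for example traffic leaving from an interface address that differs from `leftsubnet`) gets no match and is never encapsulated, which shows up on the wire as plain traffic toward the default gateway.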
