Issue #1083: vpn tunnel connected but can not ping through it - strongSwan

Issue #1083

vpn tunnel connected but can not ping through it

Added by Edwin Wang about 10 years ago. Updated almost 10 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Tobias Brunner

Category:

configuration

Affected version:

4.5.2

Resolution:

No change required

Description

Hello
I'm setting up a VPN using strongSwan,like this:

192.168.1.2...(server A)172.16.65.2 ==== 172.16.65.1(server B)...192.168.55.2

The connection is established OK. I can ping from client 192.168.1.2 to 192.168.55.2, but I can't ping from 192.168.1.2 to 192.168.55.2.

the ipsec status on server A:

000 #3: "vpn" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2286s; newest IPSEC; eroute owner
000 #3: "vpn" esp.cd80c02d@172.16.65.1 (240 bytes, 90s ago) esp.cdb335cf@172.16.65.2 (240 bytes, 529s ago); tunnel
000 #1: "vpn" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 9245s; newest ISAKMP

tcpdump on server A:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:27:26.770959 IP 172.16.65.2.500 > 172.16.65.1.500: isakmp: phase 2/others ? oakley-quick[E]
20:27:26.771947 IP 172.16.65.1.500 > 172.16.65.2.500: isakmp: phase 2/others ? inf[E]
20:27:31.770493 ARP, Request who-has 172.16.65.1 tell 172.16.65.2, length 28
20:27:31.770828 ARP, Reply 172.16.65.1 is-at 00:0c:29:f7:6b:c2, length 46
20:27:36.782186 IP 172.16.65.2.500 > 172.16.65.1.500: isakmp: phase 2/others ? oakley-quick[E]
20:27:36.783019 IP 172.16.65.1.500 > 172.16.65.2.500: isakmp: phase 2/others ? inf[E]
20:27:41.782461 ARP, Request who-has 172.16.65.2 tell 172.16.65.1, length 46
20:27:41.782505 ARP, Reply 172.16.65.2 is-at 00:0c:29:09:6d:53, length 28
20:27:56.800708 IP 172.16.65.2.500 > 172.16.65.1.500: isakmp: phase 2/others ? oakley-quick[E]
20:27:56.801386 IP 172.16.65.1.500 > 172.16.65.2.500: isakmp: phase 2/others ? inf[E]

Can you help me please?
Thank you in advance for your help.

History

#1 Updated by Tobias Brunner about 10 years ago

Description updated (diff)
Status changed from New to Feedback
Affected version changed from 5.3.2 to 4.5.2

I can ping from client 192.168.1.2 to 192.168.55.2, but I can't ping from 192.168.1.2 to 192.168.55.2

That statement makes no sense.

Please post your config and the output of ipsec statusall. You might also want to consider using a more recent release. And if strongSwan is running on both hosts using IKEv2 is strongly recommended.

#2 Updated by Edwin Wang about 10 years ago

Hi,
Thanks a lot for your responses.Here is my config and the output.

192.168.1.2...(server A)172.16.65.2 ==== 172.16.65.1(server B)...192.168.55.2

ipsec.conf (server A):

conn auto_base
        rekeyfuzz="100%" 
        keyingtries="0" 
        keyexchange="ikev1" 
        leftsendcert="always" 
        forceencaps=yes
        authby=psk
        auto=start
        type=tunnel
        leftfirewall=yes
        pfs="yes" 
        rekeymargin="540" 
        esp="aes128-md5" 
        ike="aes128-md5-modp1024" 
        ikelifetime="7200" 
        keylife="3600" 
        pfsgroup="modp1024" 

conn auto_vpn
        also=auto_base
        left=172.16.65.2
        leftsubnet=192.168.1.0/24
        right=172.16.65.1
        rightsubnet=192.168.55.0/24

ipsec statusall(server A):

000 Status of IKEv1 pluto daemon (strongSwan 4.5.3):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 172.16.65.2:4500
000 interface eth0/eth0 172.16.65.2:500
000 interface eth1/eth1 192.168.1.1:4500
000 interface eth1/eth1 192.168.1.1:500
000 interface eth2/eth2 172.16.63.2:4500
000 interface eth2/eth2 172.16.63.2:500
000 %myid = '%any'
000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve 
000 debug options: controlmore
000 
000 "auto_vpn": 192.168.1.0/24===172.16.65.2[172.16.65.2]...172.16.65.1[172.16.65.1]===192.168.55.0/24; erouted; eroute owner: #3
000 "auto_vpn":   ike_life: 7200s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "auto_vpn":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; 
000 "auto_vpn":   newest ISAKMP SA: #1; newest IPsec SA: #3; 
000 "auto_vpn":   IKE proposal: AES_CBC_128/HMAC_MD5/MODP_1024
000 "auto_vpn":   ESP proposal: AES_CBC_128/HMAC_MD5/MODP_1024
000 
000 #3: "auto_vpn" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2504s; newest IPSEC; eroute owner
000 #3: "auto_vpn" esp.c5c4d262@172.16.65.1 (240 bytes, 75s ago) esp.cc296034@172.16.65.2 (240 bytes, 75s ago); tunnel
000 #1: "auto_vpn" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 6073s; newest ISAKMP
000

ipsec.conf(server B):

conn auto_base
        rekeyfuzz="100%" 
        keyingtries="0" 
        keyexchange="ikev1" 
        leftsendcert="always" 
        authby="psk" 
        auto="add" 
        type="tunnel" 
        leftfirewall="yes" 
        compress="no" 
        pfs="yes" 
        rekeymargin="540" 
        esp="aes128-md5" 
        ike="aes128-md5-modp1024" 
        ikelifetime="7200" 
        keylife="3600" 
        pfsgroup="modp1024" 

conn auto_vpn_2
        also=auto_base
        left=172.16.65.1
        leftsubnet=192.168.55.0/24
        right=172.16.65.2
        rightsubnet=192.168.1.0/24

ipsec statusall(server B):

000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.64.79.219:4500
000 interface eth0/eth0 10.64.79.219:500
000 interface eth1/eth1 172.16.65.1:4500
000 interface eth1/eth1 172.16.65.1:500
000 interface eth2/eth2 172.16.64.1:4500
000 interface eth2/eth2 172.16.64.1:500
000 interface eth3/eth3 192.168.55.1:4500
000 interface eth3/eth3 192.168.55.1:500
000 %myid = '%any'
000 loaded plugins: sqlite aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gcrypt gmp hmac xauth attr attr-sql kernel-netlink resolve 
000 debug options: controlmore
000 
000 "auto_vpn_2": 192.168.55.0/24===172.16.65.1[172.16.65.1]...172.16.65.2[172.16.65.2]===192.168.1.0/24; erouted; eroute owner: #9
000 "auto_vpn_2":   ike_life: 7200s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "auto_vpn_2":   policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth1; 
000 "auto_vpn_2":   newest ISAKMP SA: #0; newest IPsec SA: #9; 
000 "auto_vpn_2":   ESP proposal: AES_CBC_128/HMAC_MD5/MODP_1024
000 
000 #9: "auto_vpn_2" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3084s; newest IPSEC; eroute owner
000 #9: "auto_vpn_2" esp.cc296034@172.16.65.2 (240 bytes, 188s ago) esp.c5c4d262@172.16.65.1 (240 bytes, 188s ago); tunnel

pluto debug log(server B)

  loaded PSK secret for 172.16.65.2 172.16.65.1
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secrets'
connection must specify host IP address for our side
added connection description "auto_vpn" 
"auto_vpn" #1: initiating Main Mode
added connection description "redirect_auto_vpn" 
"auto_vpn" #1: received Vendor ID payload [strongSwan]
"auto_vpn" #1: received Vendor ID payload [XAUTH]
"auto_vpn" #1: received Vendor ID payload [Dead Peer Detection]
"auto_vpn" #1: received Vendor ID payload [RFC 3947]
"auto_vpn" #1: enabling possible NAT-traversal with method 3
"auto_vpn" #1: NAT-Traversal: Result using RFC 3947: no NAT detected
"auto_vpn" #1: Peer ID is ID_IPV4_ADDR: '172.16.65.1'
"auto_vpn" #1: ISAKMP SA established
"auto_vpn" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
| route_and_eroute with c: redirect_auto_vpn (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 2
| inR1_outI2: instance redirect_auto_vpn[0], setting newest_ipsec_sa to #2 (was #0) (spd.eroute=#2)
"auto_vpn" #3: sent QI2, IPsec SA established {ESP=>0xc5c4d262 <0xcc296034}

It seems every thing looks fine. Can you help me,please?
Thanks again

#3 Updated by Tobias Brunner about 10 years ago

It seems every thing looks fine. Can you help me,please?

Yes, looks fine. So what's exactly the problem? And did you already have a look at ForwardingAndSplitTunneling?

#4 Updated by Edwin Wang about 10 years ago

Now I'm using IKEv2 and it works.Thank you for your advice. Another question, can I use both ikev1 and ikev2 at the same time?Like this

charonstart="yes" 
plutostart="yes"

and I have two connections. The one is keyexchange="ikev2" and the other one is keyexchange="ikev1".
Thank you in advance for your help.

#5 Updated by Tobias Brunner about 10 years ago

Another question, can I use both ikev1 and ikev2 at the same time?Like this
[...]
and I have two connections. The one is keyexchange="ikev2" and the other one is keyexchange="ikev1".

Yes, that's possible (have a look at these old test scenarios), these two options actually default to yes. However, using a recent release avoids having to run two IKE daemons at the same time (see Bye bye pluto!).

#6 Updated by Tobias Brunner almost 10 years ago

Category set to configuration
Status changed from Feedback to Closed
Assignee set to Tobias Brunner
Resolution set to No change required

Project

General

Profile

strongSwan

Issues