Issue #2071
Tunnel Up but no traffic
Description
Hi,
I'm trying to set up a site-to-site VPN; I followed this: https://www.strongswan.org/testing/testresults/ikev2/net2net-psk/index.html
Description of the problem:
The tunnel is up but there is no traffic between the two LANs.
Here is the schema of my network.
My configuration:
I have 2 Ubuntu servers where strongSwan is installed.
SrvA
With two interfaces:
ens3: 149.202.170.225
ens4: 192.168.209.2
ipsec.conf
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn net-net
    left=149.202.170.225
    leftsubnet=192.168.209.0/24
    leftid=srvA
    leftfirewall=yes
    right=149.202.189.59
    rightsubnet=192.168.210.0/24
    rightid=srvB
    auto=add
ip route list table 220
192.168.210.0/24 via 149.202.160.1 dev ens3 proto static src 192.168.209.2
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  mail.cerp.be         anywhere             tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.210.0/24     192.168.209.0/24     policy match dir in pol ipsec reqid 2 proto esp
ACCEPT     all  --  192.168.209.0/24     192.168.210.0/24     policy match dir out pol ipsec reqid 2 proto esp

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
SrvB
With two interfaces too:
ens3: 149.202.189.59
ens4: 192.168.210.2
ipsec.conf
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn net-net
    left=149.202.189.59
    leftsubnet=192.168.210.0/24
    leftid=srvB
    leftfirewall=yes
    right=149.202.170.225
    rightsubnet=192.168.209.0/24
    rightid=srvA
    auto=add
ip route list table 220
192.168.209.0/24 via 149.202.160.1 dev ens3 proto static src 192.168.210.2
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.209.0/24     192.168.210.0/24     policy match dir in pol ipsec reqid 3 proto esp
ACCEPT     all  --  192.168.210.0/24     192.168.209.0/24     policy match dir out pol ipsec reqid 3 proto esp

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ipsec statusall on SrvA
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-22-generic, x86_64):
  uptime: 20 hours, since Jul 24 14:46:22 2016
  malloc: sbrk 2744320, mmap 0, used 362928, free 2381392
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  149.202.170.225
  192.168.209.2
Connections:
     net-net:  149.202.170.225...149.202.189.59  IKEv2
     net-net:   local:  [srvA] uses pre-shared key authentication
     net-net:   remote: [srvB] uses pre-shared key authentication
     net-net:   child:  192.168.209.0/24 === 192.168.210.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[8]: ESTABLISHED 115 seconds ago, 149.202.170.225[srvA]...149.202.189.59[srvB]
     net-net[8]: IKEv2 SPIs: 57151688e443e913_i* b19e02dcba8f7a4e_r, pre-shared key reauthentication in 51 minutes
     net-net[8]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{4}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: ce7a1184_i cd627d1d_o
     net-net{4}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes
     net-net{4}:   192.168.209.0/24 === 192.168.210.0/24
ipsec up net-net
initiating IKE_SA net-net[10] to 149.202.189.59
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 149.202.170.225[500] to 149.202.189.59[500] (1124 bytes)
received packet: from 149.202.189.59[500] to 149.202.170.225[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
authentication of 'srvA' (myself) with pre-shared key
establishing CHILD_SA net-net
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 149.202.170.225[500] to 149.202.189.59[500] (380 bytes)
received packet: from 149.202.189.59[500] to 149.202.170.225[500] (220 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
authentication of 'srvB' with pre-shared key successful
IKE_SA net-net[10] established between 149.202.170.225[srvA]...149.202.189.59[srvB]
scheduling reauthentication in 3345s
maximum IKE_SA lifetime 3525s
connection 'net-net' established successfully
I should add that I enabled IPv4 forwarding on both servers (echo "1" > /proc/sys/net/ipv4/ip_forward).
Thank you for helping me :)
Related issues
History
#1 Updated by Tobias Brunner about 9 years ago
- Category set to configuration
- Status changed from New to Feedback
Do hosts in these subnets route traffic to the opposite subnet via your VPN gateways? Or do they just send it to their default gateway? See ForwardingAndSplitTunneling.
#2 Updated by Aurelien Casbarro about 9 years ago
Hi,
What do you mean by VPN gateways?
I already saw ForwardingAndSplitTunneling but I don't understand, sorry.
I'd like first, on srvA, to ping for example 192.168.210.2.
How can I do that?
Thank you
#3 Updated by Tobias Brunner about 9 years ago
> What do you mean by VPN gateways?
SrvA and SrvB.
> I'd like first, on srvA, to ping for example 192.168.210.2.
> How can I do that?
That doesn't work? Since these addresses (192.168.209.2 too) are local to each server that should work fine with the established tunnel. You should try to find out where packets are stuck (packet counters in ipsec statusall and iptables -v -L, tcpdump/Wireshark etc.).
#4 Updated by Aurelien Casbarro about 9 years ago
Hi,
No, that doesn't work and I don't understand why.
I followed the documentation for the install, and I followed these steps:
- I installed strongSwan (rpm) on each Ubuntu server
- I modified the two files /etc/ipsec.conf and /etc/ipsec.secrets
- I enabled IPv4 forwarding (echo "1" > /proc/sys/net/ipv4/ip_forward)
- And I started ipsec on SrvA or SrvB with the command ipsec up net-net
And that's all, I think I missed something.
In iptables the ports 500 and 4500 are open.
Chain INPUT (policy ACCEPT 59 packets, 5156 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  ens3   any     192.168.210.0/24     192.168.209.0/24     policy match dir in pol ipsec reqid 9 proto esp
    0     0 ACCEPT     all  --  any    ens3    192.168.209.0/24     192.168.210.0/24     policy match dir out pol ipsec reqid 9 proto esp

Chain OUTPUT (policy ACCEPT 36 packets, 4208 bytes)
 pkts bytes target     prot opt in     out     source               destination
But when I try a ping or a traceroute just between the two servers, nothing happens (tcpdump can't help me, because there are 0 bytes of traffic).
Thank you
#5 Updated by Tobias Brunner about 9 years ago
> But when I try a ping or a traceroute just between the two servers, nothing happens (tcpdump can't help me, because there are 0 bytes of traffic).
Seems strange. Counters in ipsec statusall don't increase? What if you explicitly specify the source address with ping -I 192.168.209.2 192.168.210.2 (the routes in table 220 should take care of that though)? Also check /proc/net/xfrm_stats, if it is available. And regarding traffic captures see CorrectTrafficDump and the TRACE target for iptables.
#6 Updated by Aurelien Casbarro about 9 years ago
Hi,
I tried the ping -I and tcpdump but nothing...
Isn't it a NAT rule that is missing?
ipsec statusall on SrvA before the ping
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-22-generic, x86_64):
  uptime: 42 hours, since Jul 24 14:46:22 2016
  malloc: sbrk 2523136, mmap 0, used 363408, free 2159728
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  149.202.170.225
  192.168.209.2
Connections:
     net-net:  149.202.170.225...149.202.189.59  IKEv2
     net-net:   local:  [srvA] uses pre-shared key authentication
     net-net:   remote: [srvB] uses pre-shared key authentication
     net-net:   child:  192.168.209.0/24 === 192.168.210.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[50]: ESTABLISHED 7 seconds ago, 149.202.170.225[srvA]...149.202.189.59[srvB]
     net-net[50]: IKEv2 SPIs: 77ac532627342f4d_i* 2c6c672932fa613a_r, pre-shared key reauthentication in 53 minutes
     net-net[50]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{153}:  INSTALLED, TUNNEL, reqid 46, ESP SPIs: c543b239_i c6bf6a4b_o
     net-net{153}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 14 minutes
     net-net{153}:   192.168.209.0/24 === 192.168.210.0/24
ping -I 192.168.209.2 192.168.210.2
PING 192.168.210.2 (192.168.210.2) from 192.168.209.2 : 56(84) bytes of data.
--> Nothing happens
ipsec statusall after ping -I 192.168.209.2 192.168.210.2
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-22-generic, x86_64):
  uptime: 42 hours, since Jul 24 14:46:22 2016
  malloc: sbrk 2523136, mmap 0, used 363408, free 2159728
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  149.202.170.225
  192.168.209.2
Connections:
     net-net:  149.202.170.225...149.202.189.59  IKEv2
     net-net:   local:  [srvA] uses pre-shared key authentication
     net-net:   remote: [srvB] uses pre-shared key authentication
     net-net:   child:  192.168.209.0/24 === 192.168.210.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[50]: ESTABLISHED 2 minutes ago, 149.202.170.225[srvA]...149.202.189.59[srvB]
     net-net[50]: IKEv2 SPIs: 77ac532627342f4d_i* 2c6c672932fa613a_r, pre-shared key reauthentication in 51 minutes
     net-net[50]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{153}:  INSTALLED, TUNNEL, reqid 46, ESP SPIs: c543b239_i c6bf6a4b_o
     net-net{153}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 4368 bytes_o (52 pkts, 9s ago), rekeying in 12 minutes
     net-net{153}:   192.168.209.0/24 === 192.168.210.0/24
On SrvA
ifconfig
ens3      Link encap:Ethernet  HWaddr fa:16:3e:28:fb:27
          inet addr:149.202.170.225  Bcast:149.202.170.225  Mask:255.255.255.255
          inet6 addr: fe80::f816:3eff:fe28:fb27/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:192691 errors:0 dropped:0 overruns:0 frame:0
          TX packets:170772 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:61580986 (61.5 MB)  TX bytes:24689718 (24.6 MB)

ens4      Link encap:Ethernet  HWaddr fa:16:3e:fb:3c:a7
          inet addr:192.168.209.2  Bcast:192.168.209.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fefb:3ca7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:144 errors:0 dropped:0 overruns:0 frame:0
          TX packets:85 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12096 (12.0 KB)  TX bytes:5682 (5.6 KB)
iptables -v -L
Chain INPUT (policy ACCEPT 559 packets, 43066 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  ens3   any     192.168.210.0/24     192.168.209.0/24     policy match dir in pol ipsec reqid 46 proto esp
    0     0 ACCEPT     all  --  any    ens3    192.168.209.0/24     192.168.210.0/24     policy match dir out pol ipsec reqid 46 proto esp

Chain OUTPUT (policy ACCEPT 570 packets, 73134 bytes)
 pkts bytes target     prot opt in     out     source               destination
iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 1906 packets, 67578 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1906 packets, 67578 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 35 packets, 7604 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 35 packets, 7604 bytes)
 pkts bytes target     prot opt in     out     source               destination
ip route
default via 149.202.160.1 dev ens3
149.202.160.1 dev ens3 scope link
192.168.209.0/24 dev ens4 proto kernel scope link src 192.168.209.2
ip route list table 220
192.168.210.0/24 via 149.202.160.1 dev ens3 proto static src 192.168.209.2
On SrvB
ifconfig
ens3      Link encap:Ethernet  HWaddr fa:16:3e:af:66:8a
          inet addr:149.202.189.59  Bcast:149.202.189.59  Mask:255.255.255.255
          inet6 addr: fe80::f816:3eff:feaf:668a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:88735 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72203 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:53921786 (53.9 MB)  TX bytes:5002650 (5.0 MB)

ens4      Link encap:Ethernet  HWaddr fa:16:3e:b6:83:46
          inet addr:192.168.210.2  Bcast:192.168.210.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:feb6:8346/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:826 (826.0 B)  TX bytes:1222 (1.2 KB)
iptables -v -L
Chain INPUT (policy ACCEPT 306 packets, 15996 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  ens3   any     192.168.209.0/24     192.168.210.0/24     policy match dir in pol ipsec reqid 40 proto esp
    0     0 ACCEPT     all  --  any    ens3    192.168.210.0/24     192.168.209.0/24     policy match dir out pol ipsec reqid 40 proto esp

Chain OUTPUT (policy ACCEPT 270 packets, 17143 bytes)
 pkts bytes target     prot opt in     out     source               destination
iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 1975 packets, 73047 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1975 packets, 73047 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 45 packets, 5784 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 45 packets, 5784 bytes)
 pkts bytes target     prot opt in     out     source               destination
ip route
default via 149.202.160.1 dev ens3
149.202.160.1 dev ens3 scope link
192.168.210.0/24 dev ens4 proto kernel scope link src 192.168.210.2
ip route list table 220
192.168.209.0/24 via 149.202.160.1 dev ens3 proto static src 192.168.210.2
Thank you for your help
#7 Updated by Tobias Brunner about 9 years ago
> ipsec statusall after ping -I 192.168.209.2 192.168.210.2
This shows 52 outbound packets, but none inbound. So the question is what happens on the other end (SrvB). Do you see the counter for inbound traffic increase in ipsec statusall there? What about traffic in tcpdump on SrvB?
#8 Updated by Aurelien Casbarro about 9 years ago
No packets inbound on SrvB. Here's the result of ipsec statusall on both servers:
On SrvA
ping 192.168.210.2
ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-22-generic, x86_64):
  uptime: 43 hours, since Jul 24 14:46:22 2016
  malloc: sbrk 2523136, mmap 0, used 362704, free 2160432
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  149.202.170.225
  192.168.209.2
Connections:
     net-net:  149.202.170.225...149.202.189.59  IKEv2
     net-net:   local:  [srvA] uses pre-shared key authentication
     net-net:   remote: [srvB] uses pre-shared key authentication
     net-net:   child:  192.168.209.0/24 === 192.168.210.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[52]: ESTABLISHED 4 minutes ago, 149.202.170.225[srvA]...149.202.189.59[srvB]
     net-net[52]: IKEv2 SPIs: afed062090dd2b71_i* 04ce84ee4e02c332_r, pre-shared key reauthentication in 49 minutes
     net-net[52]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{160}:  INSTALLED, TUNNEL, reqid 48, ESP SPIs: c31754b9_i c2bdc41d_o
     net-net{160}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 3276 bytes_o (39 pkts, 10s ago), rekeying in 9 minutes
     net-net{160}:   192.168.209.0/24 === 192.168.210.0/24
On SrvB (after ping on SrvA)
ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-22-generic, x86_64):
  uptime: 43 hours, since Jul 24 14:46:28 2016
  malloc: sbrk 2433024, mmap 0, used 366656, free 2066368
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
  10.3.0.5: 1/0/0
  10.3.0.6: 1/0/0
Listening IP addresses:
  149.202.189.59
  192.168.210.2
Connections:
     net-net:  149.202.189.59...149.202.170.225  IKEv2
     net-net:   local:  [srvB] uses pre-shared key authentication
     net-net:   remote: [srvA] uses pre-shared key authentication
     net-net:   child:  192.168.210.0/24 === 192.168.209.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[46]: ESTABLISHED 7 minutes ago, 149.202.189.59[srvB]...149.202.170.225[srvA]
     net-net[46]: IKEv2 SPIs: afed062090dd2b71_i 04ce84ee4e02c332_r*, pre-shared key reauthentication in 48 minutes
     net-net[46]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{149}:  INSTALLED, TUNNEL, reqid 42, ESP SPIs: c2bdc41d_i c31754b9_o
     net-net{149}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 8 minutes
     net-net{149}:   192.168.210.0/24 === 192.168.209.0/24
When SrvA is pinging SrvB (ping 192.168.210.2)
On SrvB
tcpdump src 149.202.170.225
--> Nothing
tcpdump src 192.168.209.2
--> Nothing
When I start the tunnel on SrvA and run a tcpdump on SrvB, there is something:
On SrvA: ipsec up net-net
On SrvB: tcpdump -v src 149.202.170.225
root@srvB:~# tcpdump -v src 149.202.170.225
tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:11.545160 IP (tos 0x0, ttl 57, id 33109, offset 0, flags [DF], proto UDP (17), length 1152) 149.202.170.225.isakmp > 149.202.189.59.isakmp: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]: (sa: len=720 (p: #1 protoid=isakmp transform=4 len=44 (t: #1 type=encr id=aes (type=keylen value=0080)) (t: #2 type=integ id=hmac-sha ) (t: #3 type=prf id=hmac-sha ) (t: #4 type=dh id=modp2048 )) (p: #2 protoid=isakmp transform=4 len=40 (t: #1 type=encr id=3des ) (t: #2 type=integ id=hmac-sha ) (t: #3 type=prf id=hmac-sha ) (t: #4 type=dh id=modp1536 )) (p: #3 protoid=isakmp transform=37 len=328 (t: #1 type=encr id=aes (type=keylen value=0080)) (t: #2 type=encr id=aes (type=keylen value=00c0)) (t: #3 type=encr id=aes (type=keylen value=0100)) (t: #4 type=encr id=3des ) (t: #5 type=encr id=#23 (type=keylen value=0080)) (t: #6 type=encr id=#23 (type=keylen value=00c0)) (t: #7 type=encr id=#23 (type=keylen value=0100)) (t: #8 type=integ id=hmac-md5 ) (t: #9 type=integ id=hmac-sha ) (t: #10 type=integ id=#12 ) (t: #11 type=integ id=#13 ) (t: #12 type=integ id=#14 ) (t: #13 type=integ id=aes-xcbc ) (t: #14 type=prf id=hmac-md5 ) (t: #15 type=prf id=hmac-sha ) (t: #16 type=prf id=#5 ) (t: #17 type=prf id=#6 ) (t: #18 type=prf id=#7 ) (t: #19 type=prf id=aes128_xcbc ) (t: #20 type=dh id=modp2048 ) (t: #21 type=dh id=#23 ) (t: #22 type=dh id=#24 ) (t: #23 type=dh id=modp1536 ) (t: #24 type=dh id=modp3072 ) (t: #25 type=dh id=modp4096 ) (t: #26 type=dh id=modp8192 ) (t: #27 type=dh id=modp1024 ) (t: #28 type=dh id=#22 ) (t: #29 type=dh id=#19 ) (t: #30 type=dh id=#20 ) (t: #31 type=dh id=#21 ) (t: #32 type=dh id=#26 ) (t: #33 type=dh id=#25 ) (t: #34 type=dh id=#27 ) (t: #35 type=dh id=#28 ) (t: #36 type=dh id=#29 ) (t: #37 type=dh id=#30 )) (p: #4 protoid=isakmp transform=33 len=308 (t: #1 type=encr id=#18 (type=keylen value=0080)) (t: #2 type=encr id=#18 (type=keylen value=00c0)) (t: #3 type=encr id=#18 (type=keylen value=0100)) (t: #4 type=encr id=#19 (type=keylen value=0080)) (t: #5 type=encr id=#19 (type=keylen value=00c0)) (t: #6 type=encr id=#19 (type=keylen value=0100)) (t: #7 type=encr id=#20 (type=keylen value=0080)) (t: #8 type=encr id=#20 (type=keylen value=00c0)) (t: #9 type=encr id=#20 (type=keylen value=0100)) (t: #10 type=prf id=hmac-md5 ) (t: #11 type=prf id=hmac-sha ) (t: #12 type=prf id=#5 ) (t: #13 type=prf id=#6 ) (t: #14 type=prf id=#7 ) (t: #15 type=prf id=aes128_xcbc ) (t: #16 type=dh id=modp2048 ) (t: #17 type=dh id=#23 ) (t: #18 type=dh id=#24 ) (t: #19 type=dh id=modp1536 ) (t: #20 type=dh id=modp3072 ) (t: #21 type=dh id=modp4096 ) (t: #22 type=dh id=modp8192 ) (t: #23 type=dh id=modp1024 ) (t: #24 type=dh id=#22 ) (t: #25 type=dh id=#19 ) (t: #26 type=dh id=#20 ) (t: #27 type=dh id=#21 ) (t: #28 type=dh id=#26 ) (t: #29 type=dh id=#25 ) (t: #30 type=dh id=#27 ) (t: #31 type=dh id=#28 ) (t: #32 type=dh id=#29 ) (t: #33 type=dh id=#30 ))) (v2ke: len=256 group=modp2048) (nonce: len=32 data=(6081068215fa73776fb5...07d7273d000000100000402f0001000200030004)) (n: prot_id=#0 type=16388(nat_detection_source_ip)) (n: prot_id=#0 type=16389(nat_detection_destination_ip)) (n: prot_id=#0 type=16431(status))
10:42:11.580291 IP (tos 0x0, ttl 57, id 33118, offset 0, flags [DF], proto UDP (17), length 428) 149.202.170.225.ipsec-nat-t > 149.202.189.59.ipsec-nat-t: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa ikev2_auth[I]: (v2e: len=364)
But when I ping, nothing.
#9 Updated by Tobias Brunner about 9 years ago
Sounds like ESP (IP protocol 50) might be blocked on a firewall between the two servers. If you can't change that you could try forcing UDP encapsulation by setting forceencaps=yes.
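The diagnosis in this thread comes from comparing the CHILD_SA byte counters on both gateways (outbound bytes rising on SrvA while SrvB never decrypts anything). The script below, added here as an example and not part of the issue or of strongSwan, parses those counter lines from `ipsec statusall` output and classifies where traffic stops; the status excerpts are constructed after the counters quoted above.

```python
import re

# Constructed excerpts of `ipsec statusall` CHILD_SA lines, modelled on the
# counters quoted in this thread (not the poster's real output).
SRVA_STATUS = """\
net-net{153}: INSTALLED, TUNNEL, reqid 46, ESP SPIs: c543b239_i c6bf6a4b_o
net-net{153}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 4368 bytes_o (52 pkts, 9s ago), rekeying in 12 minutes
net-net{153}: 192.168.209.0/24 === 192.168.210.0/24
"""
SRVB_STATUS = """\
net-net{149}: INSTALLED, TUNNEL, reqid 42, ESP SPIs: c6bf6a4b_i c543b239_o
net-net{149}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 8 minutes
net-net{149}: 192.168.210.0/24 === 192.168.209.0/24
"""

# Matches the traffic line of a CHILD_SA: "<conn>{<id>}: <algs>, N bytes_i, M bytes_o"
COUNTER_RE = re.compile(
    r"^(?P<conn>[^{\s]+)\{(?P<cid>\d+)\}: .*?(?P<bi>\d+) bytes_i, (?P<bo>\d+) bytes_o")


def parse_child_counters(status_text):
    """Return {child_id: (bytes_in, bytes_out)} for every CHILD_SA in the output."""
    counters = {}
    for line in status_text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[int(m.group("cid"))] = (int(m.group("bi")), int(m.group("bo")))
    return counters


def totals(status_text):
    """Sum inbound/outbound bytes over all CHILD_SAs of one gateway."""
    pairs = list(parse_child_counters(status_text).values())
    return sum(bi for bi, _ in pairs), sum(bo for _, bo in pairs)


def diagnose(initiator_status, responder_status):
    """Classify where traffic stops, from the counters of both gateways.

    The pinging side is the initiator; the pinged side is the responder.
    """
    a_in, a_out = totals(initiator_status)
    b_in, b_out = totals(responder_status)
    if a_out == 0:
        # Nothing was ever encrypted: packets do not match the IPsec policy
        # (routing, source address, or the traffic selectors).
        return "no_traffic_enters_tunnel"
    if b_in == 0:
        # A sent ESP but B never decrypted any: ESP (IP proto 50) is lost in
        # transit, the thread's case; open proto 50 or set forceencaps=yes.
        return "esp_lost_initiator_to_responder"
    if b_out == 0:
        # B decrypted the pings but sent no replies through the tunnel:
        # forwarding or return routing on B (or its LAN hosts) is the issue.
        return "no_reply_from_responder"
    if a_in == 0:
        return "esp_lost_responder_to_initiator"
    return "traffic_flowing"


if __name__ == "__main__":
    print(parse_child_counters(SRVA_STATUS))
    print(diagnose(SRVA_STATUS, SRVB_STATUS))
```

Run it on the real output of `ipsec statusall` from both gateways, captured right after the ping, so the counters are for the same CHILD_SA pair.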
#10 Updated by Aurelien Casbarro about 9 years ago
It works!
It was indeed the firewall!
For other people who have the problem:
The machines are hosted by OVH in Public Cloud (France),
and it is possible to configure the firewall on the OpenStack Horizon via the OVH Manager.
In the security group -> make sure everything is opened, because that was my problem.
So I really thank you, Mr Brunner!
Have a nice day
#11 Updated by Tobias Brunner about 9 years ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required
You're welcome.
#12 Updated by Tobias Brunner about 9 years ago
- Related to Issue #2073: Traffic behind gateway added