
Issue #2071

Tunnel Up but no traffic

Added by Aurelien Casbarro about 9 years ago. Updated about 9 years ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.5.0
Resolution:
No change required

Description

Hi,

I'm trying to set up a site-to-site VPN; I followed this: https://www.strongswan.org/testing/testresults/ikev2/net2net-psk/index.html

Description of the problem:

The tunnel is up but there is no traffic between the two LANs.

Here is the schema of my network.

My configuration:

I have 2 Ubuntu servers with strongSwan installed.

SrvA

With two interfaces:

ens3 : 149.202.170.225
ens4 : 192.168.209.2

ipsec.conf

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

conn net-net
        left=149.202.170.225
        leftsubnet=192.168.209.0/24
        leftid=srvA
        leftfirewall=yes
        right=149.202.189.59
        rightsubnet=192.168.210.0/24
        rightid=srvB
        auto=add

ip route list table 220

192.168.210.0/24 via 149.202.160.1 dev ens3  proto static  src 192.168.209.2

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  mail.cerp.be         anywhere             tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.210.0/24     192.168.209.0/24     policy match dir in pol ipsec reqid 2 proto esp
ACCEPT     all  --  192.168.209.0/24     192.168.210.0/24     policy match dir out pol ipsec reqid 2 proto esp

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

SrvB

With two interfaces too:

ens3 : 149.202.189.59
ens4 : 192.168.210.2

ipsec.conf

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

conn net-net
        left=149.202.189.59
        leftsubnet=192.168.210.0/24
        leftid=srvB
        leftfirewall=yes
        right=149.202.170.225
        rightsubnet=192.168.209.0/24
        rightid=srvA
        auto=add

ip route list table 220

192.168.209.0/24 via 149.202.160.1 dev ens3  proto static  src 192.168.210.2

iptables -L


Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.209.0/24     192.168.210.0/24     policy match dir in pol ipsec reqid 3 proto esp
ACCEPT     all  --  192.168.210.0/24     192.168.209.0/24     policy match dir out pol ipsec reqid 3 proto esp

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

ipsec statusall on SrvA

Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-22-generic, x86_64):
  uptime: 20 hours, since Jul 24 14:46:22 2016
  malloc: sbrk 2744320, mmap 0, used 362928, free 2381392
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  149.202.170.225
  192.168.209.2
Connections:
     net-net:  149.202.170.225...149.202.189.59  IKEv2
     net-net:   local:  [srvA] uses pre-shared key authentication
     net-net:   remote: [srvB] uses pre-shared key authentication
     net-net:   child:  192.168.209.0/24 === 192.168.210.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[8]: ESTABLISHED 115 seconds ago, 149.202.170.225[srvA]...149.202.189.59[srvB]
     net-net[8]: IKEv2 SPIs: 57151688e443e913_i* b19e02dcba8f7a4e_r, pre-shared key reauthentication in 51 minutes
     net-net[8]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{4}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: ce7a1184_i cd627d1d_o
     net-net{4}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 13 minutes
     net-net{4}:   192.168.209.0/24 === 192.168.210.0/24

ipsec up net-net

initiating IKE_SA net-net[10] to 149.202.189.59
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 149.202.170.225[500] to 149.202.189.59[500] (1124 bytes)
received packet: from 149.202.189.59[500] to 149.202.170.225[500] (456 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
authentication of 'srvA' (myself) with pre-shared key
establishing CHILD_SA net-net
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 149.202.170.225[500] to 149.202.189.59[500] (380 bytes)
received packet: from 149.202.189.59[500] to 149.202.170.225[500] (220 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
authentication of 'srvB' with pre-shared key successful
IKE_SA net-net[10] established between 149.202.170.225[srvA]...149.202.189.59[srvB]
scheduling reauthentication in 3345s
maximum IKE_SA lifetime 3525s
connection 'net-net' established successfully

I should add that I enabled IPv4 forwarding on both servers (echo "1"> /proc/sys/net/ipv4/ip_forward).

Thank you for helping me :)


Related issues

Related to Issue #2073: Traffic behind gateway (Closed, 27.07.2016)

History

#1 Updated by Tobias Brunner about 9 years ago

  • Category set to configuration
  • Status changed from New to Feedback

Do hosts in these subnets route traffic to the opposite subnet via your VPN gateways? Or do they just send it to their default gateway? See ForwardingAndSplitTunneling.

#2 Updated by Aurelien Casbarro about 9 years ago

Hi,

What do you mean by VPN gateways?
I already saw ForwardingAndSplitTunneling but I don't understand, sorry.

I'd like first, on SrvA, to ping for example 192.168.210.2.

How can I do that?

Thank you

#3 Updated by Tobias Brunner about 9 years ago

What do you mean by VPN gateways?

SrvA and SrvB.

I'd like first, on SrvA, to ping for example 192.168.210.2.

How can I do that?

That doesn't work? Since these addresses (192.168.209.2 too) are local to each server that should work fine with the established tunnel. You should try to find out where packets are stuck (packet counters in ipsec statusall and iptables -v -L, tcpdump/Wireshark etc.).

#4 Updated by Aurelien Casbarro about 9 years ago

Hi,

No, that doesn't work and I don't understand why.

I followed the installation documentation, and I followed these steps:

  • I installed strongSwan (rpm) on each Ubuntu server
  • I modified the two files, /etc/ipsec.conf and /etc/ipsec.secrets
  • I enabled IPv4 forwarding (echo "1"> /proc/sys/net/ipv4/ip_forward)
  • And I start ipsec on SrvA or SrvB with the command ipsec up net-net

And that's all; I think I missed something.

In iptables, ports 500 and 4500 are open.

Chain INPUT (policy ACCEPT 59 packets, 5156 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  ens3   any     192.168.210.0/24     192.168.209.0/24     policy match dir in pol ipsec reqid 9 proto esp
    0     0 ACCEPT     all  --  any    ens3    192.168.209.0/24     192.168.210.0/24     policy match dir out pol ipsec reqid 9 proto esp

Chain OUTPUT (policy ACCEPT 36 packets, 4208 bytes)
 pkts bytes target     prot opt in     out     source               destination

But when I try a ping or a traceroute just between the two servers, nothing happens (tcpdump can't help me, because there are 0 bytes of traffic).

Thank you

#5 Updated by Tobias Brunner about 9 years ago

But when I try a ping or a traceroute just between the two servers, nothing happens (tcpdump can't help me, because there are 0 bytes of traffic).

Seems strange. Counters in ipsec statusall don't increase? What if you explicitly specify the source address with ping -I 192.168.209.2 192.168.210.2 (the routes in table 220 should take care of that though)? Also check /proc/net/xfrm_stats, if it is available. And regarding traffic captures see CorrectTrafficDump and the TRACE target for iptables.

#6 Updated by Aurelien Casbarro about 9 years ago

Hi,

I tried ping -I and tcpdump but nothing...

Isn't it a NAT rule that is missing?

ipsec statusall on SrvA before the ping

Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-22-generic, x86_64):
  uptime: 42 hours, since Jul 24 14:46:22 2016
  malloc: sbrk 2523136, mmap 0, used 363408, free 2159728
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  149.202.170.225
  192.168.209.2
Connections:
     net-net:  149.202.170.225...149.202.189.59  IKEv2
     net-net:   local:  [srvA] uses pre-shared key authentication
     net-net:   remote: [srvB] uses pre-shared key authentication
     net-net:   child:  192.168.209.0/24 === 192.168.210.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[50]: ESTABLISHED 7 seconds ago, 149.202.170.225[srvA]...149.202.189.59[srvB]
     net-net[50]: IKEv2 SPIs: 77ac532627342f4d_i* 2c6c672932fa613a_r, pre-shared key reauthentication in 53 minutes
     net-net[50]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{153}:  INSTALLED, TUNNEL, reqid 46, ESP SPIs: c543b239_i c6bf6a4b_o
     net-net{153}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 14 minutes
     net-net{153}:   192.168.209.0/24 === 192.168.210.0/24

ping -I 192.168.209.2 192.168.210.2

PING 192.168.210.2 (192.168.210.2) from 192.168.209.2 : 56(84) bytes of data.

--> Nothing happens

ipsec status after ping -I 192.168.209.2 192.168.210.2

Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-22-generic, x86_64):
  uptime: 42 hours, since Jul 24 14:46:22 2016
  malloc: sbrk 2523136, mmap 0, used 363408, free 2159728
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 9
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  149.202.170.225
  192.168.209.2
Connections:
     net-net:  149.202.170.225...149.202.189.59  IKEv2
     net-net:   local:  [srvA] uses pre-shared key authentication
     net-net:   remote: [srvB] uses pre-shared key authentication
     net-net:   child:  192.168.209.0/24 === 192.168.210.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[50]: ESTABLISHED 2 minutes ago, 149.202.170.225[srvA]...149.202.189.59[srvB]
     net-net[50]: IKEv2 SPIs: 77ac532627342f4d_i* 2c6c672932fa613a_r, pre-shared key reauthentication in 51 minutes
     net-net[50]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{153}:  INSTALLED, TUNNEL, reqid 46, ESP SPIs: c543b239_i c6bf6a4b_o
     net-net{153}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 4368 bytes_o (52 pkts, 9s ago), rekeying in 12 minutes
     net-net{153}:   192.168.209.0/24 === 192.168.210.0/24

On SrvA

ifconfig

ens3      Link encap:Ethernet  HWaddr fa:16:3e:28:fb:27
          inet addr:149.202.170.225  Bcast:149.202.170.225  Mask:255.255.255.255
          inet6 addr: fe80::f816:3eff:fe28:fb27/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:192691 errors:0 dropped:0 overruns:0 frame:0
          TX packets:170772 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:61580986 (61.5 MB)  TX bytes:24689718 (24.6 MB)

ens4      Link encap:Ethernet  HWaddr fa:16:3e:fb:3c:a7
          inet addr:192.168.209.2  Bcast:192.168.209.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fefb:3ca7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:144 errors:0 dropped:0 overruns:0 frame:0
          TX packets:85 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12096 (12.0 KB)  TX bytes:5682 (5.6 KB)

iptables -v -L

Chain INPUT (policy ACCEPT 559 packets, 43066 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  ens3   any     192.168.210.0/24     192.168.209.0/24     policy match dir in pol ipsec reqid 46 proto esp
    0     0 ACCEPT     all  --  any    ens3    192.168.209.0/24     192.168.210.0/24     policy match dir out pol ipsec reqid 46 proto esp

Chain OUTPUT (policy ACCEPT 570 packets, 73134 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables -t nat -v -L

Chain PREROUTING (policy ACCEPT 1906 packets, 67578 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1906 packets, 67578 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 35 packets, 7604 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 35 packets, 7604 bytes)
 pkts bytes target     prot opt in     out     source               destination

ip route

default via 149.202.160.1 dev ens3
149.202.160.1 dev ens3  scope link
192.168.209.0/24 dev ens4  proto kernel  scope link  src 192.168.209.2

ip route list table 220

192.168.210.0/24 via 149.202.160.1 dev ens3  proto static  src 192.168.209.2

On SrvB

ifconfig

ens3      Link encap:Ethernet  HWaddr fa:16:3e:af:66:8a
          inet addr:149.202.189.59  Bcast:149.202.189.59  Mask:255.255.255.255
          inet6 addr: fe80::f816:3eff:feaf:668a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:88735 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72203 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:53921786 (53.9 MB)  TX bytes:5002650 (5.0 MB)

ens4      Link encap:Ethernet  HWaddr fa:16:3e:b6:83:46
          inet addr:192.168.210.2  Bcast:192.168.210.255  Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:feb6:8346/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:826 (826.0 B)  TX bytes:1222 (1.2 KB)

iptables -v -L

Chain INPUT (policy ACCEPT 306 packets, 15996 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  ens3   any     192.168.209.0/24     192.168.210.0/24     policy match dir in pol ipsec reqid 40 proto esp
    0     0 ACCEPT     all  --  any    ens3    192.168.210.0/24     192.168.209.0/24     policy match dir out pol ipsec reqid 40 proto esp

Chain OUTPUT (policy ACCEPT 270 packets, 17143 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables -t nat -v -L

Chain PREROUTING (policy ACCEPT 1975 packets, 73047 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1975 packets, 73047 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 45 packets, 5784 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 45 packets, 5784 bytes)
 pkts bytes target     prot opt in     out     source               destination

ip route

default via 149.202.160.1 dev ens3
149.202.160.1 dev ens3  scope link
192.168.210.0/24 dev ens4  proto kernel  scope link  src 192.168.210.2

ip route list table 220

192.168.209.0/24 via 149.202.160.1 dev ens3  proto static  src 192.168.210.2

Thank you for your help

#7 Updated by Tobias Brunner about 9 years ago

ipsec status after ping -I 192.168.209.2 192.168.210.2

This shows 52 outbound packets, but none inbound. So the question is what happens on the other end (SrvB). Do you see the counter for inbound traffic increase in ipsec statusall there? What about traffic in tcpdump on SrvB?

#8 Updated by Aurelien Casbarro about 9 years ago

No inbound packets on SrvB; here's the result of ipsec statusall on both servers:

On SrvA

ping 192.168.210.2

ipsec statusall


Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-22-generic, x86_64):
  uptime: 43 hours, since Jul 24 14:46:22 2016
  malloc: sbrk 2523136, mmap 0, used 362704, free 2160432
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  149.202.170.225
  192.168.209.2
Connections:
     net-net:  149.202.170.225...149.202.189.59  IKEv2
     net-net:   local:  [srvA] uses pre-shared key authentication
     net-net:   remote: [srvB] uses pre-shared key authentication
     net-net:   child:  192.168.209.0/24 === 192.168.210.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[52]: ESTABLISHED 4 minutes ago, 149.202.170.225[srvA]...149.202.189.59[srvB]
     net-net[52]: IKEv2 SPIs: afed062090dd2b71_i* 04ce84ee4e02c332_r, pre-shared key reauthentication in 49 minutes
     net-net[52]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{160}:  INSTALLED, TUNNEL, reqid 48, ESP SPIs: c31754b9_i c2bdc41d_o
     net-net{160}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 3276 bytes_o (39 pkts, 10s ago), rekeying in 9 minutes
     net-net{160}:   192.168.209.0/24 === 192.168.210.0/24

On SrvB (after ping on SrvA)

ipsec statusall


Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-22-generic, x86_64):
  uptime: 43 hours, since Jul 24 14:46:28 2016
  malloc: sbrk 2433024, mmap 0, used 366656, free 2066368
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
  10.3.0.5: 1/0/0
  10.3.0.6: 1/0/0
Listening IP addresses:
  149.202.189.59
  192.168.210.2
Connections:
     net-net:  149.202.189.59...149.202.170.225  IKEv2
     net-net:   local:  [srvB] uses pre-shared key authentication
     net-net:   remote: [srvA] uses pre-shared key authentication
     net-net:   child:  192.168.210.0/24 === 192.168.209.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[46]: ESTABLISHED 7 minutes ago, 149.202.189.59[srvB]...149.202.170.225[srvA]
     net-net[46]: IKEv2 SPIs: afed062090dd2b71_i 04ce84ee4e02c332_r*, pre-shared key reauthentication in 48 minutes
     net-net[46]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{149}:  INSTALLED, TUNNEL, reqid 42, ESP SPIs: c2bdc41d_i c31754b9_o
     net-net{149}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 8 minutes
     net-net{149}:   192.168.210.0/24 === 192.168.209.0/24

When SrvA is pinging SrvB (ping 192.168.210.2)

On SrvB

tcpdump src 149.202.170.225

--> Nothing

tcpdump src 192.168.209.2

--> Nothing

When I start the tunnel on SrvA and run a tcpdump on SrvB, there is something:

On SrvA: ipsec up net-net

On SrvB: tcpdump -v src 149.202.170.225

root@srvB:~# tcpdump -v src 149.202.170.225
tcpdump: listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:11.545160 IP (tos 0x0, ttl 57, id 33109, offset 0, flags [DF], proto UDP (17), length 1152)
    149.202.170.225.isakmp > 149.202.189.59.isakmp: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
    (sa: len=720
        (p: #1 protoid=isakmp transform=4 len=44
            (t: #1 type=encr id=aes (type=keylen value=0080))
            (t: #2 type=integ id=hmac-sha )
            (t: #3 type=prf id=hmac-sha )
            (t: #4 type=dh id=modp2048 ))
        (p: #2 protoid=isakmp transform=4 len=40
            (t: #1 type=encr id=3des )
            (t: #2 type=integ id=hmac-sha )
            (t: #3 type=prf id=hmac-sha )
            (t: #4 type=dh id=modp1536 ))
        (p: #3 protoid=isakmp transform=37 len=328
            (t: #1 type=encr id=aes (type=keylen value=0080))
            (t: #2 type=encr id=aes (type=keylen value=00c0))
            (t: #3 type=encr id=aes (type=keylen value=0100))
            (t: #4 type=encr id=3des )
            (t: #5 type=encr id=#23 (type=keylen value=0080))
            (t: #6 type=encr id=#23 (type=keylen value=00c0))
            (t: #7 type=encr id=#23 (type=keylen value=0100))
            (t: #8 type=integ id=hmac-md5 )
            (t: #9 type=integ id=hmac-sha )
            (t: #10 type=integ id=#12 )
            (t: #11 type=integ id=#13 )
            (t: #12 type=integ id=#14 )
            (t: #13 type=integ id=aes-xcbc )
            (t: #14 type=prf id=hmac-md5 )
            (t: #15 type=prf id=hmac-sha )
            (t: #16 type=prf id=#5 )
            (t: #17 type=prf id=#6 )
            (t: #18 type=prf id=#7 )
            (t: #19 type=prf id=aes128_xcbc )
            (t: #20 type=dh id=modp2048 )
            (t: #21 type=dh id=#23 )
            (t: #22 type=dh id=#24 )
            (t: #23 type=dh id=modp1536 )
            (t: #24 type=dh id=modp3072 )
            (t: #25 type=dh id=modp4096 )
            (t: #26 type=dh id=modp8192 )
            (t: #27 type=dh id=modp1024 )
            (t: #28 type=dh id=#22 )
            (t: #29 type=dh id=#19 )
            (t: #30 type=dh id=#20 )
            (t: #31 type=dh id=#21 )
            (t: #32 type=dh id=#26 )
            (t: #33 type=dh id=#25 )
            (t: #34 type=dh id=#27 )
            (t: #35 type=dh id=#28 )
            (t: #36 type=dh id=#29 )
            (t: #37 type=dh id=#30 ))
        (p: #4 protoid=isakmp transform=33 len=308
            (t: #1 type=encr id=#18 (type=keylen value=0080))
            (t: #2 type=encr id=#18 (type=keylen value=00c0))
            (t: #3 type=encr id=#18 (type=keylen value=0100))
            (t: #4 type=encr id=#19 (type=keylen value=0080))
            (t: #5 type=encr id=#19 (type=keylen value=00c0))
            (t: #6 type=encr id=#19 (type=keylen value=0100))
            (t: #7 type=encr id=#20 (type=keylen value=0080))
            (t: #8 type=encr id=#20 (type=keylen value=00c0))
            (t: #9 type=encr id=#20 (type=keylen value=0100))
            (t: #10 type=prf id=hmac-md5 )
            (t: #11 type=prf id=hmac-sha )
            (t: #12 type=prf id=#5 )
            (t: #13 type=prf id=#6 )
            (t: #14 type=prf id=#7 )
            (t: #15 type=prf id=aes128_xcbc )
            (t: #16 type=dh id=modp2048 )
            (t: #17 type=dh id=#23 )
            (t: #18 type=dh id=#24 )
            (t: #19 type=dh id=modp1536 )
            (t: #20 type=dh id=modp3072 )
            (t: #21 type=dh id=modp4096 )
            (t: #22 type=dh id=modp8192 )
            (t: #23 type=dh id=modp1024 )
            (t: #24 type=dh id=#22 )
            (t: #25 type=dh id=#19 )
            (t: #26 type=dh id=#20 )
            (t: #27 type=dh id=#21 )
            (t: #28 type=dh id=#26 )
            (t: #29 type=dh id=#25 )
            (t: #30 type=dh id=#27 )
            (t: #31 type=dh id=#28 )
            (t: #32 type=dh id=#29 )
            (t: #33 type=dh id=#30 )))
    (v2ke: len=256 group=modp2048)
    (nonce: len=32 data=(6081068215fa73776fb5...07d7273d000000100000402f0001000200030004))
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
    (n: prot_id=#0 type=16431(status))
10:42:11.580291 IP (tos 0x0, ttl 57, id 33118, offset 0, flags [DF], proto UDP (17), length 428)
    149.202.170.225.ipsec-nat-t > 149.202.189.59.ipsec-nat-t: NONESP-encap: isakmp 2.0 msgid 00000001: child_sa  ikev2_auth[I]:
    (v2e: len=364)

But when I ping, nothing.

#9 Updated by Tobias Brunner about 9 years ago

Sounds like ESP (IP protocol 50) might be blocked on a firewall between the two servers. If you can't change that you could try forcing UDP encapsulation by setting forceencaps=yes.
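The counter comparison from #7 and the conclusion reached in #9, as an added example that is not part of this thread or of strongSwan: it parses the CHILD_SA lines of ipsec statusall taken on both gateways, checks that the two snapshots describe the same SA (the ESP SPIs must be mirrored), and reports the first hop at which the counters stop moving. The sample outputs are trimmed from the excerpts posted in #8; the verdict names and the REMEDY table are my own, not strongSwan output.

```python
"""Locate where a strongSwan net-to-net tunnel loses traffic by comparing the
CHILD_SA counters that `ipsec statusall` prints on both gateways.

Added example for this thread; not strongSwan code. The sample outputs are
cut down from the statusall excerpts posted in comment #8."""
import re

# "net-net{160}:  INSTALLED, TUNNEL, reqid 48, ESP SPIs: c31754b9_i c2bdc41d_o"
SPI_RE = re.compile(r"ESP SPIs: (?P<spi_i>[0-9a-f]+)_i (?P<spi_o>[0-9a-f]+)_o")

# "net-net{160}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 3276 bytes_o (39 pkts, 10s ago), ..."
# The "(N pkts, ...)" part is only printed once a direction has seen traffic.
COUNTER_RE = re.compile(
    r"(?P<bytes_i>\d+) bytes_i(?: \((?P<pkts_i>\d+) pkts[^)]*\))?, "
    r"(?P<bytes_o>\d+) bytes_o(?: \((?P<pkts_o>\d+) pkts[^)]*\))?"
)

# Verdict names and advice are the editor's own wording (hypothetical, not strongSwan's).
REMEDY = {
    "no-child-sa": "bring the CHILD_SA up on both sides (ipsec up <conn>) before measuring",
    "spi-mismatch": "take both statusall snapshots at the same time; they show different SAs",
    "no-outbound": "check the table 220 route, the ping source address (-I) and the FORWARD rules",
    "esp-lost-in-transit": "allow IP protocol 50 (ESP) between the gateways, e.g. in the cloud "
                           "security group, or set forceencaps=yes to carry ESP inside UDP/4500",
    "no-reply": "check ip_forward, routing and FORWARD rules on the remote gateway",
    "esp-lost-in-transit-reverse": "allow ESP in the reverse direction as well",
    "ok": "counters move both ways; look above the tunnel (LAN hosts' routes, MTU)",
}


def parse_child_sa(statusall: str) -> dict:
    """Return SPIs and byte/packet counters of the first installed CHILD_SA, or {} if none."""
    spi = SPI_RE.search(statusall)
    cnt = COUNTER_RE.search(statusall)
    if not spi or not cnt:
        return {}
    return {
        "spi_i": spi["spi_i"], "spi_o": spi["spi_o"],
        "bytes_i": int(cnt["bytes_i"]), "bytes_o": int(cnt["bytes_o"]),
        "pkts_i": int(cnt["pkts_i"] or 0), "pkts_o": int(cnt["pkts_o"] or 0),
    }


def diagnose(local: dict, remote: dict) -> str:
    """Classify the tunnel from the pinging side's (local) and the peer's (remote) view.

    Checks are ordered along the packet's path, so the first broken hop is reported."""
    if not local or not remote:
        return "no-child-sa"                  # tunnel not installed on one side
    if local["spi_o"] != remote["spi_i"] or local["spi_i"] != remote["spi_o"]:
        return "spi-mismatch"                 # snapshots are of different SAs
    if local["bytes_o"] == 0:
        return "no-outbound"                  # plaintext never matched the local IPsec policy
    if remote["bytes_i"] == 0:
        return "esp-lost-in-transit"          # IKE over UDP works, ESP (proto 50) never arrives
    if remote["bytes_o"] == 0:
        return "no-reply"                     # remote decrypts but never answers
    if local["bytes_i"] == 0:
        return "esp-lost-in-transit-reverse"  # replies leave remote but never reach local
    return "ok"


# Constructed from comment #8: SrvA has sent 39 ESP packets, SrvB has received none.
STATUSALL_SRVA = """\
Security Associations (1 up, 0 connecting):
     net-net[52]: ESTABLISHED 4 minutes ago, 149.202.170.225[srvA]...149.202.189.59[srvB]
     net-net{160}:  INSTALLED, TUNNEL, reqid 48, ESP SPIs: c31754b9_i c2bdc41d_o
     net-net{160}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 3276 bytes_o (39 pkts, 10s ago), rekeying in 9 minutes
     net-net{160}:   192.168.209.0/24 === 192.168.210.0/24
"""
STATUSALL_SRVB = """\
Security Associations (1 up, 0 connecting):
     net-net[46]: ESTABLISHED 7 minutes ago, 149.202.189.59[srvB]...149.202.170.225[srvA]
     net-net{149}:  INSTALLED, TUNNEL, reqid 42, ESP SPIs: c2bdc41d_i c31754b9_o
     net-net{149}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 8 minutes
     net-net{149}:   192.168.210.0/24 === 192.168.209.0/24
"""

if __name__ == "__main__":
    a, b = parse_child_sa(STATUSALL_SRVA), parse_child_sa(STATUSALL_SRVB)
    verdict = diagnose(a, b)
    print(f"SrvA out {a['pkts_o']} pkts / SrvB in {b['pkts_i']} pkts -> {verdict}")
    print("action:", REMEDY[verdict])
```

Run it with the two snapshots taken as close together as possible, pasting the SrvA output where the ping originates and the SrvB output for the peer; the SPI check is there because a rekey between the two captures (visible above as the CHILD_SA numbers jumping from {4} to {153} to {160}) would otherwise make zero counters on one side look like a drop.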

#10 Updated by Aurelien Casbarro about 9 years ago

It works!

It was indeed the firewall!

For other people who have this problem:

The machines are hosted by OVH in Public Cloud (France).

And it is possible to configure the firewall in OpenStack Horizon via the OVH Manager.

In security groups, make sure everything is opened, because that was where my problem was.

So I really thank you, Mr Brunner!

Have a nice day.

#11 Updated by Tobias Brunner about 9 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required

You're welcome.

#12 Updated by Tobias Brunner about 9 years ago