Issue #3150

L2TP/IPSec Host connected to Site A not able to communicate with LAN in Site B. Site A and Site B are connected via IPSec VPN

Added by Rohan Shethia about 1 month ago. Updated 29 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.6.3
Resolution:

Description

I have a setup specific question and I don’t know what I’m getting wrong here.

My setup is as follows:

L2TP/IPSec Host(172.29.1.118) (ppp IP: 192.125.126.25)———>Site A(172.29.1.104) ———IPSec———Site B (172.29.2.73)

LAN in SiteA (192.168.127.0/24) can communicate (ping) with LAN in SiteB (192.168.128.0/24).

L2TP/IPSec Host can communicate (ping) with LAN in SiteA.

But LAN in SiteB cannot communicate (ping) with L2TP/IPSec Host (the reverse does not work either). As for how far the traffic reaches, it reaches Site A, which I verified via tcpdump, after which the packet is lost.

The count for XfrmInTmplMismatch (only on SiteA) rises when I try to communicate with the L2TP/IPSec host from a host in LAN SiteB.

I’m running strongSwan v5.6.3 on Linux 3.4

Configs (swanctl.conf) for SiteA (https://pastebin.com/73rm2NXC) and SiteB (https://pastebin.com/mhGwBfWd)

Also posting the output for ip xfrm policy, ip xfrm state and /proc/net/xfrm_stat.

Site A: ip xfrm policy (https://pastebin.com/advhatLW), ip xfrm state (https://pastebin.com/waJqvaeu), /proc/net/xfrm_stat (https://pastebin.com/zWCSA4iB)

Site B: ip xfrm policy (https://pastebin.com/5seJMbUy), ip xfrm state (https://pastebin.com/Tatty1mc)

Would love to get some help on this to understand what’s going wrong.

History

#1 Updated by Noel Kuntze about 1 month ago

Which IP exactly are you trying to ping? 172.29.1.118? Which networks are reachable over the L2TP tunnel? Keep in mind that strongSwan has no idea about your intentions or L2TP. It only knows about what you configured and the IKE SAs and CHILD SAs it negotiated. They need to permit the traffic you want to tunnel.
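As an added illustration of the point above (example code, not from the issue or from strongSwan): a small checker that parses `ip xfrm policy` output and reports whether a given flow falls inside any installed selector, which is the check the kernel effectively makes before a packet may use a CHILD SA. The policy text is constructed for this example, modelled on the addresses in the description and assuming the site-to-site selectors cover only the two LANs; the real outputs are only on the linked pastebins.

```python
# Added example (not from the strongSwan issue or project): check whether a
# flow is covered by any selector in `ip xfrm policy` output.
import ipaddress
import re

# Constructed sample, modelled on Site A with LAN A <-> LAN B selectors only
# (assumption for illustration; the reporter's real policies are on pastebin).
SAMPLE_XFRM_POLICY = """\
src 192.168.128.0/24 dst 192.168.127.0/24
\tdir fwd priority 375423 ptype main
\ttmpl src 172.29.2.73 dst 172.29.1.104
\t\tproto esp reqid 1 mode tunnel
src 192.168.127.0/24 dst 192.168.128.0/24
\tdir out priority 375423 ptype main
\ttmpl src 172.29.1.104 dst 172.29.2.73
\t\tproto esp reqid 1 mode tunnel
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s*dir (\S+)")

def parse_policies(text):
    """Return a list of (src_net, dst_net, direction) from `ip xfrm policy` text."""
    policies, current = [], None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:  # a new policy block starts with its traffic selector
            current = [ipaddress.ip_network(m.group(1), strict=False),
                       ipaddress.ip_network(m.group(2), strict=False), None]
            policies.append(current)
            continue
        m = DIR_RE.match(line)
        if m and current is not None:  # direction line belongs to current block
            current[2] = m.group(1)
    return [tuple(p) for p in policies]

def covering_policies(policies, src_ip, dst_ip, direction):
    """Policies whose selectors contain src_ip -> dst_ip for the given direction."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [p for p in policies
            if p[2] == direction and src in p[0] and dst in p[1]]

if __name__ == "__main__":
    pols = parse_policies(SAMPLE_XFRM_POLICY)
    # LAN B -> LAN A is covered; LAN B -> the L2TP client's ppp address is not,
    # so with these selectors no negotiated CHILD SA permits that flow.
    for dst in ("192.168.127.10", "192.125.126.25"):
        hits = covering_policies(pols, "192.168.128.2", dst, "fwd")
        print(dst, "covered" if hits else "NOT covered by any fwd policy")
```

Run it against the real `ip xfrm policy` output (replace the sample string) with the ppp address of the L2TP client as destination to see which selector, if any, admits the flow.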

#2 Updated by Noel Kuntze about 1 month ago

  • Category set to configuration
  • Status changed from New to Feedback

#3 Updated by Rohan Shethia about 1 month ago

Specifically, I am attempting to ping from a host in LAN B (i.e. 192.168.128.2) to the L2TP/IPSec Host (i.e. 192.125.126.25) and vice-versa.

The L2TP/IPSec remote access host can access LAN A (i.e. 192.168.127.0/24) and the reverse works as well. What it cannot do is reach LAN B (192.168.128.0/24). I should mention it does reach Site B (verified via tcpdump) but then a 'XfrmInTmplMismatch' occurs.

Yes, I believe I've configured the IKE SAs accordingly as shown in the conf files for both.

#4 Updated by Rohan Shethia about 1 month ago

Attaching a better diagram. In the diagram Site B is 172.29.2.73*

#5 Updated by Rohan Shethia 29 days ago

Does the diagram help with understanding what I'm trying to do?