L2TP/IPSec Host connected to Site A not able to communicate with LAN in Site B. Site A and Site B are connected via IPSec VPN
I have a setup specific question and I don’t know what I’m getting wrong here.
My setup is as follows:
L2TP/IPSec Host(172.29.1.118) (ppp IP: 22.214.171.124)———>Site A(172.29.1.104) ———IPSec———Site B (172.29.2.73)
LAN in SiteA (192.168.127.0/24) can communicate (ping) with LAN in SiteB (192.168.128.0/24).
L2TP/IPSec Host can communicate (ping) with LAN in SiteA.
But LAN in SiteB cannot communicate (ping) with L2TP/IPSec Host (the reverse does not work either). As for how far the traffic gets, it reaches Site A (verified via tcpdump), after which the packet is lost.
The count for XfrmInTmplMismatch (only on SiteA) rises when I try to communicate with the L2TP/IPSec host from a host in LAN SiteB.
I’m running strongSwan v5.6.3 on Linux 3.4.
Also posting the output for ip xfrm policy, ip xfrm state and /proc/net/xfrm_stat.
Would love to get some help on this to understand what’s going wrong.
#1 Updated by Noel Kuntze 7 months ago
Which IP exactly are you trying to ping? 172.29.1.118? Which networks are reachable over the L2TP tunnel? Keep in mind that strongSwan has no idea about your intentions or L2TP. It only knows about what you configured and the IKE SAs and CHILD SAs it negotiated. They need to permit the traffic you want to tunnel.
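To make the point above concrete, here is an added diagnostic helper (not code from the thread or from strongSwan): it parses an `ip xfrm policy` dump, looks up which policy, if any, covers a given inner src/dst flow in a given direction, and compares that policy's template against the SA a decapsulated packet actually arrived through, which is the comparison behind the XfrmInTmplMismatch counter. The policy dump, the counter snapshots and the L2TP address pool 10.99.0.0/24 are constructed sample data; only the gateway and LAN addresses come from the thread.

```python
"""Added example: check which flows the kernel's xfrm policies actually cover.

SAMPLE_XFRM_POLICY, STAT_BEFORE/STAT_AFTER and the 10.99.0.0/24 L2TP pool are
CONSTRUCTED for illustration (real `ip xfrm policy` output indents with tabs).
"""
import ipaddress
import re

SAMPLE_XFRM_POLICY = """\
src 192.168.127.0/24 dst 192.168.128.0/24
    dir out priority 367231 ptype main
    tmpl src 172.29.1.104 dst 172.29.2.73
        proto esp reqid 1 mode tunnel
src 192.168.128.0/24 dst 192.168.127.0/24
    dir fwd priority 367231 ptype main
    tmpl src 172.29.2.73 dst 172.29.1.104
        proto esp reqid 1 mode tunnel
src 192.168.128.0/24 dst 192.168.127.0/24
    dir in priority 367231 ptype main
    tmpl src 172.29.2.73 dst 172.29.1.104
        proto esp reqid 1 mode tunnel
src 192.168.128.0/24 dst 10.99.0.0/24
    dir fwd priority 367231 ptype main
    tmpl src 172.29.1.118 dst 172.29.1.104
        proto esp reqid 2 mode transport
"""
# Constructed /proc/net/xfrm_stat snapshots taken before and after a test ping.
STAT_BEFORE = "XfrmInError\t0\nXfrmInNoPols\t0\nXfrmInTmplMismatch\t4\nXfrmOutError\t0\n"
STAT_AFTER = "XfrmInError\t0\nXfrmInNoPols\t0\nXfrmInTmplMismatch\t7\nXfrmOutError\t0\n"

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s*dir (\w+)(?: priority (\d+))?")
TMPL_RE = re.compile(r"^\s*tmpl src (\S+) dst (\S+)")
MODE_RE = re.compile(r"^\s*proto (\w+) reqid (\d+) mode (\w+)")


def parse_xfrm_policy(text):
    """Turn `ip xfrm policy` output into a list of policy dicts."""
    policies, cur = [], None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                   "dst": ipaddress.ip_network(m.group(2), strict=False),
                   "dir": None, "priority": None, "tmpl": None, "mode": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["dir"] = m.group(1)
            cur["priority"] = int(m.group(2)) if m.group(2) else None
            continue
        m = TMPL_RE.match(line)
        if m:
            cur["tmpl"] = (m.group(1), m.group(2))
            continue
        m = MODE_RE.match(line)
        if m:
            cur["mode"] = m.group(3)
    return policies


def lookup_policy(policies, src_ip, dst_ip, direction):
    """Best-matching policy for src->dst in `direction` ('in', 'out', 'fwd'), or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    if not hits:
        return None
    # In xfrm a numerically lower priority value takes precedence.
    return min(hits, key=lambda p: (p["priority"] is None, p["priority"] or 0))


def classify_inbound(policies, src_ip, dst_ip, direction, sa_endpoints):
    """Approximate the inbound policy check for a packet decapsulated from the
    SA with outer (src, dst) = sa_endpoints:
      'no-policy'     - no policy covers the inner flow in this direction
      'ok'            - matching policy, template names the SA that was used
      'tmpl-mismatch' - matching policy, but its template names another SA
                        (this is what XfrmInTmplMismatch counts)
    """
    pol = lookup_policy(policies, src_ip, dst_ip, direction)
    if pol is None:
        return "no-policy"
    return "ok" if pol["tmpl"] == tuple(sa_endpoints) else "tmpl-mismatch"


def parse_xfrm_stat(text):
    """Parse /proc/net/xfrm_stat ('Name<tab>value' per line) into a dict."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            stats[parts[0]] = int(parts[1])
    return stats


def rising_counters(before_text, after_text):
    """Counters that grew between two snapshots, with their deltas."""
    before, after = parse_xfrm_stat(before_text), parse_xfrm_stat(after_text)
    return {k: v - before.get(k, 0) for k, v in after.items() if v > before.get(k, 0)}


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    site_b_sa = ("172.29.2.73", "172.29.1.104")   # tunnel SA from Site B into Site A
    for dst in ("192.168.127.10", "10.99.0.5", "172.29.1.118"):
        print("192.168.128.2 ->", dst, classify_inbound(pols, "192.168.128.2", dst, "fwd", site_b_sa))
    print("counters that rose:", rising_counters(STAT_BEFORE, STAT_AFTER))
```

Run it against your own dump by replacing SAMPLE_XFRM_POLICY with the output of `ip xfrm policy` on the gateway that shows the rising counter, and snapshot /proc/net/xfrm_stat before and after one ping: the flow that comes back as 'no-policy' or 'tmpl-mismatch' is the traffic selector the negotiated CHILD SAs do not permit.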
#3 Updated by Rohan Shethia 7 months ago
Specifically, I am attempting to ping from a host in LAN B (i.e. 192.168.128.2) to the L2TP/IPSec Host (i.e. 126.96.36.199) and vice-versa.
The L2TP/IPSec Remote access host can access LAN A (i.e. 192.168.127.0/24) and the reverse as well. What it cannot do is reach LAN B (192.168.128.0/24). I should mention it does reach Site B (verified via tcpdump) but then a 'XfrmInTmplMismatch' occurs.
Yes, I believe I've configured the IKE SAs accordingly as shown in the conf files for both.