Issue #2486

Updated by Tobias Brunner almost 8 years ago

Dears, I have a problem with traffic going through my VPN tunnel. As per the ISP, the traffic is reaching them and it's going back to my site, but I can't access through their open port.
The tunnel is up.
Here is the configuration:
<pre>
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.1, Linux 4.4.0-042stab120.16, x86_64):
uptime: 19 hours, since Dec 04 12:10:04 2017
malloc: sbrk 2555904, mmap 0, used 392144, free 2163760
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
104.238.102.71
132.148.15.163
132.148.11.102
Connections:
mtnvpn: 104.238.102.71...196.29.171.33 IKEv1 Aggressive
mtnvpn: local: [104.238.102.71] uses pre-shared key authentication
mtnvpn: remote: [196.29.171.33] uses pre-shared key authentication
mtnvpn: child: 104.238.102.71/32 === 196.29.171.7/32 TUNNEL
Routed Connections:
mtnvpn{1}: ROUTED, TUNNEL, reqid 1
mtnvpn{1}: 104.238.102.71/32 === 196.29.171.7/32
Security Associations (1 up, 0 connecting):
mtnvpn[1]: ESTABLISHED 19 hours ago, 104.238.102.71[104.238.102.71]...196.29.171.33[196.29.171.33]
mtnvpn[1]: IKEv1 SPIs: 7243fb059461ff0f_i* 0475d4607eb6474f_r, pre-shared key reauthentication in 4 hours
mtnvpn[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
</pre>
<pre>
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
</pre>



ipsec.conf
<pre>
# ipsec.conf - strongSwan IPsec configuration file

##### Added due MTN VPN ###

config setup
    strictcrlpolicy=no
    #charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2" #useful debugs
    #plutodebug=all
    #plutostderrlog=/var/log/openswan.log
    charondebug="ike 2, knl 3, cfg 0"

conn %default
    ikelifetime=1440m
    #keylife=60m
    #rekeymargin=3m
    keyingtries=2
    keyexchange=ikev1
    authby=psk
    type=tunnel

conn mtnvpn
    #reauth=no
    #rekey=no
    aggressive=yes
    ike=3des-sha1-modp1024! #Phase1 parameters
    esp=3des-sha1 #Phase2 parameters
    left=104.238.102.71 #local IP used to connect to MTN
    leftsubnet=104.238.102.71/32
    leftid=104.238.102.71
    #leftfirewall=NO
    #leftsourceip=%config #apply received IP
    right=196.29.171.33 #gateway (MTN) IP
    rightsubnet=196.29.171.7/32
    rightid=196.29.171.33
    #auto=start
    auto=route

######End MTN VPN#####
</pre>

<pre>
#ip route show table 220
196.29.171.7 via 104.238.102.254 dev eth0 proto static src 104.238.102.71
</pre>



Your support is requested about this issue.