[Swan] Cannot ping the other end

Xinwei Hong xhong at skytap.com
Thu Jan 19 22:42:21 UTC 2017


Hi,

I'm trying to set up a VPN tunnel between two networks.
"my_vpn": 10.0.1.0/24===10.2.128.171<10.2.128.171>..10.2.128.170<10.2.128.170>===10.0.2.0/24;

the ipsec.conf are as follows:
config setup
    protostack=netkey
    dumpdir=/var/run/pluto/
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn my_vpn
    left=10.2.128.171
    right=10.2.128.170
    leftsubnet=10.0.1.0/24
    rightsubnet=10.0.2.0/24
    ike=aes128-sha1;modp4096
    esp=aes128-sha1
    type=tunnel
    authby=secret
    keyexchange=ike
    keyingtries=2
    disablearrivalcheck=no
    ikev2=no
    auto=start

similar things on the other side with modified IPs.

ipsec status result:
………
000 Connection list:
000
000 "my_vpn": 10.0.1.0/24===10.2.128.171<10.2.128.171>...10.2.128.170<10.2.128.170>===10.0.2.0/24; erouted; eroute owner: #4
000 "my_vpn":     oriented; my_ip=unset; their_ip=unset
000 "my_vpn":   xauth us:none, xauth them:none,  my_username=[any];
their_username=[any]
000 "my_vpn":   modecfg info: us:none, them:none, modecfg policy:push,
dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "my_vpn":   labeled_ipsec:no;
000 "my_vpn":   policy_label:unset;
000 "my_vpn":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2;
000 "my_vpn":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "my_vpn":   sha2-truncbug:no; initial-contact:no; cisco-unity:no;
fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "my_vpn":   policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "my_vpn":   conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset;
sa_prio:auto; sa_tfc:none;
000 "my_vpn":   nflog-group: unset; mark: unset; vti-iface:unset;
vti-routing:no; vti-shared:no;
000 "my_vpn":   newest ISAKMP SA: #1; newest IPsec SA: #4;
000 "my_vpn":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP4096(16)
000 "my_vpn":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)-MODP4096(16)
000 "my_vpn":   IKE algorithm newest: AES_CBC_128-SHA1-MODP4096
000 "my_vpn":   ESP algorithms wanted: AES(12)_128-SHA1(2)
000 "my_vpn":   ESP algorithms loaded: AES(12)_128-SHA1(2)
000 "my_vpn":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1>

000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE
connections
000 IKE SAs: total(2), half-open(0), open(0), authenticated(2), anonymous(0)
000 IPsec SAs: total(2), authenticated(2), anonymous(0)
000
000 #4: "my_vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 27060s; newest IPSEC; eroute owner; isakmp#1; idle;
import:admin initiate
000 #4: "my_vpn" esp.4b1111f5 at 10.2.128.170 esp.91c9eaa8 at 10.2.128.171
tun.0 at 10.2.128.170 tun.0 at 10.2.128.171 ref=0 refhim=0 Traffic: ESPin=0B
ESPout=0B! ESPmax=4194303B
000 #1: "my_vpn":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 1619s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
idle; import:admin initiate
000 #3: "my_vpn":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 27538s; isakmp#2; idle; import:not set
000 #3: "my_vpn" esp.d171d1be at 10.2.128.170 esp.b441013 at 10.2.128.171
tun.0 at 10.2.128.170 tun.0 at 10.2.128.171 ref=0 refhim=0 Traffic: ESPin=0B
ESPout=0B! ESPmax=4194303B
000 #2: "my_vpn":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 2338s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000
000 Bare Shunt list:
000

"ipsec verify" shows some errors:
Verifying installed system and configuration files

Version check and ipsec on-path                   [OK]
Libreswan 3.18 (netkey) on 4.4.0-31-generic
Checking for IPsec support in kernel               [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects               [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or
cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects             [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on
or cause sending of bogus ICMP redirects!

         XFRM larval drop                         [OK]
Pluto ipsec.conf syntax                           [OK]
Hardware random device                             [N/A]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking rp_filter                                 [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter             [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter         [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter           [ENABLED]
 /proc/sys/net/ipv4/conf/eth1/rp_filter           [ENABLED]
 /proc/sys/net/ipv4/conf/eth2/rp_filter           [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter         [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter             [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                     [OK]
 Pluto listening for IKE on udp 500               [OK]
 Pluto listening for IKE/NAT-T on udp 4500         [OK]
 Pluto ipsec.secret syntax                         [OK]
Checking 'ip' command                             [OK]
Checking 'iptables' command                       [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options           [OK]
Opportunistic Encryption                           [DISABLED]

The networks on each side are on eth3, for which I have changed rp_filter to 0.

I have:
local host 10.0.1.2 (added route to 10.0.2.0/24 via 10.0.1.1 on this eth3)
local vpn router: has 10.0.1.1 on eth3.
            10.2.128.171 on eth1
remote vpn router: 10.0.2.1 on eth3
            10.2.128.170 on eth1
remote host: 10.0.2.2 (added route to 10.0.1.0/24 via 10.0.2.1 on eth3)

When I try to ping from the local host to 10.0.2.2, traffic only reaches the local
vpn router on eth3.

tcpdump udp port 500 or udp port 4500 on vpn router does not show any
result.

"ipsec whack --trafficstatus" got:

006 #4: "my_vpn", type=ESP, add_time=1484863659, inBytes=0, outBytes=0,
id='10.2.128.170'

006 #3: "my_vpn", type=ESP, add_time=1484863655, inBytes=0, outBytes=0,
id='10.2.128.170'
Can you please advise me if anything is wrong with my settings?

Thanks,
Xinwei
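The "ipsec verify" output above flags four kernel knobs on the VPN router (IP forwarding FAILED, rp_filter ENABLED on every interface, send_redirects and accept_redirects NOT DISABLED); an ESP tunnel that is up with ESPin=0B/ESPout=0B is exactly what a router that does not forward packets from eth3 into the tunnel looks like. The script below is an added example, not part of the post or of Libreswan, that reads those knobs from /proc/sys and reports the failing ones with the sysctl value that would fix them; the optional root-prefix argument is an assumption made so it can be run against a constructed /proc tree.

```shell
#!/bin/sh
# Check the kernel settings "ipsec verify" complains about on a Libreswan/netkey
# router: ip_forward, rp_filter, send_redirects, accept_redirects.
# $1 is an optional prefix (e.g. a temp dir holding a constructed proc tree);
# with no argument the real /proc/sys is read.
check_forwarding_and_filters() {
  root="${1:-}"
  base="$root/proc/sys/net/ipv4"
  problems=0

  # "IP forwarding [FAILED]": the router must forward packets arriving on the
  # LAN interface into the tunnel, so net.ipv4.ip_forward has to be 1.
  if [ "$(cat "$base/ip_forward" 2>/dev/null)" != "1" ]; then
    echo "ip_forward is not 1: set net.ipv4.ip_forward=1"
    problems=$((problems + 1))
  fi

  # rp_filter=1 (strict) drops decapsulated packets whose source is the far
  # subnet when the return route does not point at the same interface;
  # 0 (off) or 2 (loose) is required on every interface, not just eth3.
  for f in "$base"/conf/*/rp_filter; do
    [ -r "$f" ] || continue
    if [ "$(cat "$f")" = "1" ]; then
      iface=$(basename "$(dirname "$f")")
      echo "rp_filter strict on $iface: set net.ipv4.conf.$iface.rp_filter=0"
      problems=$((problems + 1))
    fi
  done

  # ICMP redirects: ipsec verify asks for both knobs to be 0 everywhere, since
  # netkey may otherwise emit or act on redirects for tunnelled destinations.
  for knob in send_redirects accept_redirects; do
    for f in "$base"/conf/*/"$knob"; do
      [ -r "$f" ] || continue
      if [ "$(cat "$f")" != "0" ]; then
        iface=$(basename "$(dirname "$f")")
        echo "$knob enabled on $iface: set net.ipv4.conf.$iface.$knob=0"
        problems=$((problems + 1))
      fi
    done
  done

  echo "$problems problem(s) found"
  return "$problems"   # exit status is the number of failing knobs
}
```

Run `check_forwarding_and_filters` with no argument on the router; a zero exit status means all four checks pass.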