<div dir="ltr"><div>Hi,</div><div><br></div><div>I'm trying to set up a VPN tunnel between two networks.</div><div>"my_vpn": <a href="http://10.0.1.0/24===10.2.128.171">10.0.1.0/24===10.2.128.171</a><10.2.128.171>..10.2.128.170<10.2.128.170>===<a href="http://10.0.2.0/24">10.0.2.0/24</a>;</div><div><br></div><div>the ipsec.conf are as follows:</div><div>config setup</div><div> protostack=netkey</div><div> dumpdir=/var/run/pluto/ virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10</a></div><div><br></div><div>conn my_vpn</div><div> left=10.2.128.171</div><div> right=10.2.128.170</div><div> leftsubnet=<a href="http://10.0.1.0/24">10.0.1.0/24</a></div><div> rightsubnet=<a href="http://10.0.2.0/24">10.0.2.0/24</a></div><div> ike=aes128-sha1;modp4096</div><div> esp=aes128-sha1</div><div> type=tunnel</div><div> authby=secret</div><div> keyexchange=ike</div><div> keyingtries=2</div><div> disablearrivalcheck=no</div><div> ikev2=no</div><div> auto=start</div><div><br></div><div>similar things on the other side with modified IPs.</div><div><br></div><div>ipsec status result:</div><div>………</div><div>000 Connection list:</div><div>000 </div><div>000 "my_vpn": <a href="http://10.0.1.0/24===10.2.128.171">10.0.1.0/24===10.2.128.171</a><10.2.128.171>...10.2.128.170<10.2.128.170>===<a href="http://10.0.2.0/24">10.0.2.0/24</a>; erouted; eroute owner: #4</div><div>000 "my_vpn": oriented; my_ip=unset; their_ip=unset</div><div>000 "my_vpn": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]</div><div>000 "my_vpn": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;</div><div>000 "my_vpn": labeled_ipsec:no;</div><div>000 "my_vpn": policy_label:unset;</div><div>000 "my_vpn": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2;</div><div>000 "my_vpn": retransmit-interval: 500ms; retransmit-timeout: 60s;</div><div>000 "my_vpn": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;</div><div>000 "my_vpn": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;</div><div>000 "my_vpn": conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;</div><div>000 "my_vpn": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;</div><div>000 "my_vpn": newest ISAKMP SA: #1; newest IPsec SA: #4;</div><div>000 "my_vpn": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP4096(16)</div><div>000 "my_vpn": IKE algorithms found: AES_CBC(7)_128-SHA1(2)-MODP4096(16)</div><div>000 "my_vpn": IKE algorithm newest: AES_CBC_128-SHA1-MODP4096</div><div>000 "my_vpn": ESP algorithms wanted: AES(12)_128-SHA1(2)</div><div>000 "my_vpn": ESP algorithms loaded: AES(12)_128-SHA1(2)</div><div>000 "my_vpn": ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1></div><div> </div><div>000 Total IPsec connections: loaded 1, active 1</div><div>000 </div><div>000 State Information: DDoS cookies not required, Accepting new IKE connections</div><div>000 IKE SAs: total(2), half-open(0), open(0), authenticated(2), anonymous(0)</div><div>000 IPsec SAs: total(2), authenticated(2), anonymous(0)</div><div>000 </div><div>000 #4: "my_vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27060s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate</div><div>000 #4: "my_vpn" <a href="mailto:esp.4b1111f5@10.2.128.170">esp.4b1111f5@10.2.128.170</a> <a href="mailto:esp.91c9eaa8@10.2.128.171">esp.91c9eaa8@10.2.128.171</a> <a href="mailto:tun.0@10.2.128.170">tun.0@10.2.128.170</a> <a href="mailto:tun.0@10.2.128.171">tun.0@10.2.128.171</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B </div><div>000 #1: "my_vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1619s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate</div><div>000 #3: "my_vpn":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27538s; isakmp#2; idle; import:not set</div><div>000 #3: "my_vpn" <a href="mailto:esp.d171d1be@10.2.128.170">esp.d171d1be@10.2.128.170</a> <a href="mailto:esp.b441013@10.2.128.171">esp.b441013@10.2.128.171</a> <a href="mailto:tun.0@10.2.128.170">tun.0@10.2.128.170</a> <a href="mailto:tun.0@10.2.128.171">tun.0@10.2.128.171</a> ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B </div><div>000 #2: "my_vpn":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2338s; lastdpd=-1s(seq in:0 out:0); idle; import:not set</div><div>000 </div><div>000 Bare Shunt list:</div><div>000 </div><div><br></div><div>“ipsec verify” shows some error:</div><div>Verifying installed system and configuration files</div><div><br></div><div>Version check and ipsec on-path <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[OK]</div><div>Libreswan 3.18 (netkey) on 4.4.0-31-generic</div><div>Checking for IPsec support in kernel <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[OK]</div><div> NETKEY: Testing XFRM related proc values</div><div> ICMP default/send_redirects <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[NOT DISABLED]</div><div><br></div><div> Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!</div><div><br></div><div> ICMP default/accept_redirects <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[NOT DISABLED]</div><div><br></div><div> Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!</div><div><br></div><div> XFRM larval drop <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[OK]</div><div>Pluto ipsec.conf syntax <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[OK]</div><div>Hardware random device <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[N/A]</div><div>Two or more interfaces found, checking IP forwarding<span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[FAILED]</div><div>Checking rp_filter <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[ENABLED]</div><div> /proc/sys/net/ipv4/conf/all/rp_filter <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[ENABLED]</div><div> /proc/sys/net/ipv4/conf/default/rp_filter <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[ENABLED]</div><div> /proc/sys/net/ipv4/conf/eth0/rp_filter <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[ENABLED]</div><div> /proc/sys/net/ipv4/conf/eth1/rp_filter <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[ENABLED]</div><div> /proc/sys/net/ipv4/conf/eth2/rp_filter <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[ENABLED]</div><div> /proc/sys/net/ipv4/conf/ip_vti0/rp_filter <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[ENABLED]</div><div> /proc/sys/net/ipv4/conf/lo/rp_filter <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[ENABLED]</div><div> rp_filter is not fully aware of IPsec and should be disabled</div><div>Checking that pluto is running <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[OK]</div><div> Pluto listening for IKE on udp 500 <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[OK]</div><div> Pluto listening for IKE/NAT-T on udp 4500 <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[OK]</div><div> Pluto ipsec.secret syntax <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[OK]</div><div>Checking 'ip' command <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[OK]</div><div>Checking 'iptables' command <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[OK]</div><div>Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[OK]</div><div>Opportunistic Encryption <span class="gmail-Apple-tab-span" style="white-space:pre"> </span>[DISABLED]</div><div><br></div><div>the networks on each side is on eth3, for which I have changed rp_filter to 0.</div><div><br></div><div>I have:</div><div>local host 10.0.1.2 (added route to <a href="http://10.0.2.0/24">10.0.2.0/24</a> via 10.0.1.1 on this eth3)</div><div>local vpn router: has 10.0.1.1 on eth3.</div><div> 10.2.128.171 on eth1</div><div>remote vpn router: 10.0.2.1 on eth3</div><div> 10.2.128.170 on eth1</div><div>remote host: 10.0.2.2 (added route to <a href="http://10.0.1.0/24">10.0.1.0/24</a> via 10.0.2.1 on eth3)</div><div><br></div><div>when I try to ping from local host to 10.0.2.2, traffic only reach local vpn router on eth3.</div><div><br></div><div>tcpdump udp port 500 or udp port 4500 on vpn router does not show any result.</div><div><br></div><div>"ipsec whack --trafficstatus" got:<br></div><div>
<p class="gmail-p1">006 #4: "my_vpn", type=ESP, add_time=1484863659, inBytes=0, outBytes=0, id='10.2.128.170'<br></p>
<p class="gmail-p1"><span class="gmail-s1">006 #3: "my_vpn", type=ESP, add_time=1484863655, inBytes=0, outBytes=0, id='10.2.128.170'</span></p></div><div>Can you please advice me anything wrong with my settings?</div><div><br></div><div>Thanks,</div><div>Xinwei</div><div><br></div><div>
</div></div>