Hello,
I'm running strongswan 4.2.4-5+lenny1 on Debian 5.0.3 (2.6.26-2-686 kernel).
My configuration files are:
-
IPTables rules for IPsec:
/sbin/iptables -A INPUT -i $PUB_IFACE -s $DTI -p 50 -j ACCEPT
/sbin/iptables -A INPUT -i $PUB_IFACE -s $DTI -p 51 -j ACCEPT
/sbin/iptables -A INPUT -i $PUB_IFACE -p udp --destination-port 500 -j ACCEPT
/sbin/iptables -A INPUT -i $PUB_IFACE -p udp --destination-port 4500 -j ACCEPT
I've added this line because my Debian box does MASQUERADE for my private
network clients to access the Internet.
/sbin/iptables -t nat -I POSTROUTING 1 -s $LEFT_LAN -o eth2 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
/etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces=%defaultroute
    klipsdebug=all
    plutodebug=control
    charonstart=no
    nat_traversal=yes
conn dti-ext
    left=pub_ip_1
    leftnexthop=%defaultroute
    leftsubnet=private_net_1 (rfc 1918)
    leftfirewall=yes
    right=pub_ip_2
    rightsubnet=private_net_2 (not an rfc 1918 network)
    authby=psk
    ike=3des-sha1
    ikelifetime=28800
    esp=3des-sha1
    keylife=3600
    keyexchange=ike
    pfs=yes
    auth=esp
    auto=start
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
I've read http://www.strongswan.org/uml/testresults43/ikev1/net2net-psk/.
Everything seems to be OK.
When I launch the ipsec connection, I establish the connection and the ISAKMP SA:
ipsec statusall
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 private_ip:500
000 interface eth1/eth1 dmz_ip:500
000 interface eth2/eth2 public_ip:500
000 %myid = (none)
000 debug control
000
000 dti-ext: private_net_1===pub_ip_1---router...pub_ip_2===private_net_2; erouted; eroute owner: #2
000 dti-ext: ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 dti-ext: policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 22,27; interface: eth2;
000 dti-ext: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 dti-ext: IKE algorithms wanted: 5_000-2-5, 5_000-2-2,
000 dti-ext: IKE algorithms found: 5_192-2_160-5, 5_192-2_160-2,
000 dti-ext: IKE algorithm newest: 3DES_CBC_192-SHA-MODP1024
000 dti-ext: ESP algorithms wanted: 3_000-2,
000 dti-ext: ESP algorithms loaded: 3_192-2_160,
000 dti-ext: ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=Phase1
000
000 #2: dti-ext STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 151s; newest IPSEC; eroute owner
000 #2: dti-ext esp.37848...@pub_ip_2 (60 bytes, 2495s ago) esp.abd0b...@pub_ip_1 (0 bytes); tunnel
000 #1: dti-ext STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 25293s; newest ISAKMP
On my client on private_net_1 (Windows XP), I've added a route to
private_net_2 via private_ip (the LAN IP address of my Debian box).
When I try to ping a host on private_net_2 there is no reply.
A tcpdump on the LAN interface of the Debian box shows the ICMP request packets.
A tcpdump on the public interface of the Debian box shows no ICMP request packet.
When I do a tracert to private_net_2 (from Windows XP) I can see, with a
tcpdump on the public interface, the ICMP requests going to the Internet...
Can someone help me? I don't know what to do...
Regards,
JPaul
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
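The nat POSTROUTING ordering the mail relies on (the IPsec-exempt ACCEPT inserted ahead of MASQUERADE) can be verified offline from an iptables-save dump. The checker below is an added example, not code from the mail or from the strongSwan project; the subnet 192.168.1.0/24 is an assumed stand-in for $LEFT_LAN, and both dumps are constructed to mirror the rules above.

```python
import shlex

# Constructed iptables-save output (not from the mail): the post's two nat rules in
# the order `-I POSTROUTING 1` yields; 192.168.1.0/24 is an assumed stand-in for $LEFT_LAN.
DUMP_OK = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth2 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o eth2 -j MASQUERADE
COMMIT
"""

# Same rules with the exemption appended after MASQUERADE (what `-A` instead of `-I ... 1`
# gives): tunnel-bound packets are source-NATed first, no longer match leftsubnet, and leave in the clear.
DUMP_BAD = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth2 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
"""

def nat_postrouting_rules(dump):
    """Yield (out_iface, target, is_ipsec_exempt) per nat POSTROUTING rule, in order."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):  # table header such as "*nat"
            table = line[1:]
        elif table == "nat" and line.startswith("-A POSTROUTING "):
            tok = shlex.split(line)
            out_iface = tok[tok.index("-o") + 1] if "-o" in tok else "*"
            target = tok[tok.index("-j") + 1] if "-j" in tok else None
            # The exemption is an ACCEPT matching outbound packets that have an IPsec policy.
            exempt = (target == "ACCEPT" and "policy" in tok
                      and "--dir" in tok and tok[tok.index("--dir") + 1] == "out"
                      and "--pol" in tok and tok[tok.index("--pol") + 1] == "ipsec")
            yield out_iface, target, exempt

def masquerade_shadows_ipsec(dump):
    """Return out-interfaces whose MASQUERADE rule is reached by tunnel traffic."""
    masq_seen, exempt_ok, broken = set(), set(), set()
    for iface, target, exempt in nat_postrouting_rules(dump):
        if target == "MASQUERADE":
            masq_seen.add(iface)
        elif exempt and (iface in masq_seen or "*" in masq_seen):
            broken.add(iface)  # exemption comes too late: MASQUERADE already matched
        elif exempt:
            exempt_ok.add(iface)
    # A masqueraded interface with no exemption at all is broken too ("*" = any interface).
    broken |= {i for i in masq_seen if i not in exempt_ok and not (i == "*" and exempt_ok)}
    return sorted(broken)
```

Feed it the real `iptables-save -t nat` output to confirm the exemption still sits first after any later `-A` rules or firewall-script reloads.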