The problem looks extremely strange. Could you send me the following information:
ip -s xfrm policy ip -x xfrm state so that I can check if there are any packet hits or esp errors. Andreas On 05/10/2011 01:19 PM, Pavel Arnošt wrote: > Hi, thanks, I managed to get similar system with the same software versions > but simplier setup where I can test it at will. At the beginning, I have > Openswan: > > /etc/ipsec.conf: > > version 2.0 > > config setup > plutodebug="parsing" > > conn %default > authby=secret > > conn CONN > type=tunnel > left=A.A.A.A > leftsubnet=172.24.26.64/26 > right=B.B.B.B > rightsubnet=172.27.96.15/32 > auto=start > auth=esp > keylife=3600s > ikelifetime=1440m > compress=no > ike=aes256-sha1,aes128-md5 > esp=aes256-sha1,aes128-md5 > pfs=yes > > # ping -I 172.24.26.65 172.27.96.15 > PING 172.27.96.15 (172.27.96.15) from 172.24.26.65 : 56(84) bytes of data. > 64 bytes from 172.27.96.15: icmp_seq=1 ttl=123 time=6.32 ms > 64 bytes from 172.27.96.15: icmp_seq=2 ttl=123 time=5.69 ms > 64 bytes from 172.27.96.15: icmp_seq=3 ttl=123 time=5.58 ms > > Then I uninstall Openswan and install Strongswan: > > /etc/ipsec.conf: > > version 2.0 > > config setup > plutodebug="parsing" > charonstart=no > > conn %default > keyexchange=ikev1 > authby=secret > leftfirewall=yes > lefthostaccess=yes > > conn CONN > type=tunnel > left=A.A.A.A > leftsubnet=172.24.26.64/26 > right=B.B.B.B > rightsubnet=172.27.96.15/32 > auto=start > auth=esp > keylife=3600s > ikelifetime=1440m > compress=no > ike=aes256-sha1,aes128-md5 > esp=aes256-sha1,aes128-md5 > pfs=yes > > # ping -I 172.24.26.65 172.27.96.15 > PING 172.27.96.15 (172.27.96.15) from 172.24.26.65 : 56(84) bytes of data. > ping: sendmsg: No such process > ping: sendmsg: No such process > ping: sendmsg: No such process > > SAs are established: > > 000 #2: "CONN" STATE_QUICK_I2 (sent QI2, IPsec SA established); > EVENT_SA_REPLACE in 2719s; newest IPSEC; eroute owner > 000 #2: "CONN" esp.bfbfcee8@194.228.96.46 (0 bytes) > esp.c7b835a6@213.180.34.38 (0 bytes); tunnel > 000 #1: "CONN" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in > 85277s; newest ISAKMP > > Policies are in place: > > src 172.27.96.15/32 dst 172.24.26.64/26 > dir in priority 1819 > tmpl src B.B.B.B dst A.A.A.A > proto esp reqid 16384 mode tunnel > src 172.24.26.64/26 dst 172.27.96.15/32 > dir out priority 1819 > tmpl src A.A.A.A dst B.B.B.B > proto esp reqid 16386 mode tunnel > src 172.27.96.15/32 dst 172.24.26.64/26 > dir fwd priority 1819 > tmpl src B.B.B.B dst A.A.A.A > proto esp reqid 16385 mode tunnel > > Firewall policies also in place: > > Chain INPUT (policy DROP 63626 packets, 5624K bytes) > pkts bytes target prot opt in out source > destination > 0 0 ACCEPT all -- eth1 * 172.27.96.15 > 172.24.26.64/26 policy match dir in pol ipsec reqid 16384 proto 50 > > Chain FORWARD (policy DROP 106K packets, 4269K bytes) > pkts bytes target prot opt in out source > destination > 0 0 ACCEPT all -- eth1 * 172.27.96.15 > 172.24.26.64/26 policy match dir in pol ipsec reqid 16384 proto 50 > > Chain OUTPUT (policy ACCEPT 21M packets, 21G bytes) > pkts bytes target prot opt in out source > destination > 0 0 ACCEPT all -- * eth1 172.24.26.64/26 > 172.27.96.15 policy match dir out pol ipsec reqid 16384 proto 50 > > All zeroes, I would expect something in the OUTPUT chain (from ping -I > 172.24.26.65 172.27.96.15). > > eth1 is external interface and eth0 is internal interface with IP > 172.24.26.65 assigned: > > 2: eth0:<BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen > 1000 > link/ether 00:18:fe:32:56:08 brd ff:ff:ff:ff:ff:ff > inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0 > inet 172.24.26.65/26 brd 172.24.26.127 scope global eth0:0 > > What am I missing? > > Thanks, > Regards, > Pavel Arnost > > -------------------------------------------------- > From: "Andreas Steffen"<andreas.stef...@strongswan.org> > Sent: Tuesday, May 10, 2011 12:12 PM > To: "Pavel Arnošt"<pavel.arn...@valvera.cz> > Cc:<users@lists.strongswan.org> > Subject: Re: [strongSwan] Migration from Openswan to Strongswan > >> Hello Pavel, >> >> if you have iptables in place and you ping the internal interface >> of the VPN gateway then you need an INPUT/OUTPUT iptables rule >> to access that interface. Thus you'll need >> >> leftfirewall=yes >> lefthostaccess=yes >> >> If you have a MASQUERADING rule in place which NATs all traffic >> from the internal network to the outer IP address of the gateway >> then you must exempt traffic to be tunneled from this rule by adding >> >> iptables -t nat -I POSTROUTING 1 -s 10.10.0.0/16 -o eth0 \ >> -m policy --dir out --pol ipsec --proto esp -j ACCEPT >> >> Regards >> >> Andreas >> >> On 05/10/2011 11:51 AM, Pavel Arnošt wrote: >>> Hi, >>> I tried to migrate our Openswan VPN (2.6.21) to Strongswan VPN (4.5.1) >>> on our CentOS 5 server. Openswan package is from official CentOS >>> repository (openswan-2.6.21-5.el5_6.4), Strongswan package have been >>> built from this spec file: >>> http://developer.intra2net.com/git/?p=strongswan-rpm;a=blob_plain;f=strongswan.spec;hb=e2bb0076fce6d44ee80cff4b20d90a0eee1fa689 >>> I slightly modified configuration for IKEv1 keying, ipsec.conf looks >>> like: >>> config setup >>> charonstart=no >>> plutodebug="control" >>> conn %default >>> keyexchange=ikev1 >>> authby=secret >>> conn CONN >>> type=tunnel >>> left=A.A.A.A >>> leftsubnet=192.168.52.0/24 >>> right=B.B.B.B >>> rightsubnet=10.10.0.0/16 >>> auto=start >>> auth=esp >>> ikelifetime=28800s >>> keylife=3600s >>> compress=no >>> ike=3des-sha1-modp1024 >>> esp=3des-sha1 >>> pfs=yes >>> dpddelay=30 >>> dpdtimeout=120 >>> dpdaction=restart >>> Both ISAKMP and IPsec SA were succesfully established, ip xfrm policy >>> output was the same as output from Openswan. But... >>> In tcpdump, I saw incoming ESP traffic from B.B.B.B, but no ESP traffic >>> from our address A.A.A.A. Ping to 10.10.255.1 returned no response, so I >>> think that policies were in place (with turned off VPN, ping returned >>> "host unreachable" from far away gateway). I added "iptables -I FORWARD >>> -j ACCEPT" rule to iptables to rule out problem with firewall. >>> Do you have any idea what can be wrong? >>> Thanks, >>> Regards, >>> Pavel Arnost ====================================================================== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution! www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===========================================================[ITA-HSR]== _______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
