Hi, First, I want to thank you Noel for your help and patience. I know some of my questions are probably dumb but though not an excuse, the sheer amount of information to process is huge and intimidating (especially when discovering graphics like this https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg) and I just cannot figure / get a high level view of how ip routes, tables, packets, etc. work together, all the more with the interactions between drivers in the network stack. I also want to apologize for providing dumps which were in contradiction with the setup I was describing -> this was the result of trying everything I could think of without fully understanding what I was doing.
However, after reading all the articles and information you provided, it looks like I managed to successfully connect to the other site but I cannot access any computer of this other site. I suspect it has to do with packet routing but I cannot find a way to correct my setup. When I ping or telnet a machine (on port 3389 where I should be able to connect via RDP), the command hangs. For the record, I am setting up a Site to Site VPN with IKEv1 and PSK. I am using a computer running Ubuntu 16.04 with IP 192.168.1.44 on a local network behind an ISP-provided router. The router has a DHCP range of address 1 to 100 and NAT forwarding has been configured for ports 500 and 4500 on this router towards my computer. Beyond the router is internet. You will find below the configuration files and the result of running a bash from a fresh boot. Thanks in advance for all the help anybody can provide, Kind regards, Charles ipsec.conf # ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup # strictcrlpolicy=yes # uniqueids = no # Add connections here. # Sample VPN connections #conn sample-self-signed # leftsubnet=10.1.0.0/16 # leftcert=selfCert.der # leftsendcert=never # right=192.168.0.2 # rightsubnet=10.2.0.0/16 # rightcert=peerCert.der # auto=start #conn sample-with-ca-cert # leftsubnet=10.1.0.0/16 # leftcert=myCert.pem # right=192.168.0.2 # rightsubnet=10.2.0.0/16 # rightid="C=CH, O=Linux strongSwan CN=peer name" # auto=start conn ciscoios keyexchange=ikev1 keyingtries=%forever leftauth=psk rightauth=psk leftsubnet=192.168.1.0/24 leftid=93.XXX.XXX.XXX auto=route rightsubnet=172.21.148.0/28 #network behind IOS right=83.XXX.XXX.XXX #IKEID sent by IOS ike=aes256-sha-modp1024 #P1: modp1024 = DH group 2 esp=aes256-sha1-modp1024 #P2 ipsec.secrets # This file holds shared secrets or RSA private keys for authentication. # RSA private key for this host, authenticating it to any other host # which knows the public part. # 93.XXX.XXX.XXX 83.XXX.XXX.XXX YYYYYYYY 83.XXX.XXX.XXX : PSK "YYYYYYYY" ipsec.sql -not found- auth.log Oct 23 10:03:40 Nachalsys charon: 12[IKE] initiating Main Mode IKE_SA ciscoios[1] to 83.XXX.XXX.XXX Oct 23 10:03:40 Nachalsys charon: 05[IKE] IKE_SA ciscoios[1] established between 192.168.1.44[93.XXX.XXX.XXX]...83.XXX.XXX.XXX[83.XXX.XXX.XXX] Oct 23 10:03:41 Nachalsys charon: 14[IKE] CHILD_SA ciscoios{1} established with SPIs c86d1e57_i 064d5231_o and TS 192.168.1.0/24 === 172.21.148.0/28 daemon.log -not found- root@Nachalsys ~ # sysctl net.ipv4.ip_forward=1 net.ipv4.ip_forward = 1 root@Nachalsys ~ # sysctl net.ipv6.conf.all.forwarding=1 net.ipv6.conf.all.forwarding = 1 root@Nachalsys ~ # iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT root@Nachalsys ~ # ipsec up ciscoios initiating Main Mode IKE_SA ciscoios[1] to 83.XXX.XXX.XXX generating ID_PROT request 0 [ SA V V V V ] sending packet: from 192.168.1.44[500] to 83.XXX.XXX.XXX[500] (216 bytes) received packet: from 83.XXX.XXX.XXX[500] to 192.168.1.44[500] (128 bytes) parsed ID_PROT response 0 [ SA V V ] received NAT-T (RFC 3947) vendor ID received FRAGMENTATION vendor ID generating ID_PROT request 0 [ KE No NAT-D NAT-D ] sending packet: from 192.168.1.44[500] to 83.XXX.XXX.XXX[500] (244 bytes) received packet: from 83.XXX.XXX.XXX[500] to 192.168.1.44[500] (304 bytes) parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ] received Cisco Unity vendor ID received XAuth vendor ID received unknown vendor ID: f6:93:91:2c:ea:0a:16:46:54:24:cd:24:86:5c:90:e8 received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00 local host is behind NAT, sending keep alives generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ] sending packet: from 192.168.1.44[4500] to 83.XXX.XXX.XXX[4500] (108 bytes) received packet: from 83.XXX.XXX.XXX[4500] to 192.168.1.44[4500] (92 bytes) parsed ID_PROT response 0 [ ID HASH V ] received DPD vendor ID IKE_SA ciscoios[1] established between 192.168.1.44[93.XXX.XXX.XXX]...83.XXX.XXX.XXX[83.XXX.XXX.XXX] scheduling reauthentication in 10082s maximum IKE_SA lifetime 10622s generating QUICK_MODE request 1172503876 [ HASH SA No KE ID ID ] sending packet: from 192.168.1.44[4500] to 83.XXX.XXX.XXX[4500] (316 bytes) received packet: from 83.XXX.XXX.XXX[4500] to 192.168.1.44[4500] (300 bytes) parsed QUICK_MODE response 1172503876 [ HASH SA No KE ID ID ] CHILD_SA ciscoios{1} established with SPIs c86d1e57_i 064d5231_o and TS 192.168.1.0/24 === 172.21.148.0/28 connection 'ciscoios' established successfully root@Nachalsys ~ # ping 172.21.148.1 PING 172.21.148.1 (172.21.148.1) 56(84) bytes of data. ^C --- 172.21.148.1 ping statistics --- 10 packets transmitted, 0 received, 100% packet loss, time 9217ms 1 root@Nachalsys ~ # telnet 172.21.148.1 3389 :( Trying 172.21.148.1... ^X^C 130 root@Nachalsys ~ # :( 130 root@Nachalsys ~ # ipsec statusall :( Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.10.0-37-generic, x86_64): uptime: 3 minutes, since Oct 23 10:01:49 2017 malloc: sbrk 2568192, mmap 0, used 361488, free 2206704 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3 loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown Listening IP addresses: 192.168.1.44 Connections: ciscoios: %any...83.XXX.XXX.XXX IKEv1 ciscoios: local: [93.XXX.XXX.XXX] uses pre-shared key authentication ciscoios: remote: [83.XXX.XXX.XXX] uses pre-shared key authentication ciscoios: child: 192.168.1.0/24 === 172.21.148.0/28 TUNNEL Security Associations (1 up, 0 connecting): ciscoios[1]: ESTABLISHED 78 seconds ago, 192.168.1.44[93.XXX.XXX.XXX]...83.XXX.XXX.XXX[83.XXX.XXX.XXX] ciscoios[1]: IKEv1 SPIs: 5701ca65606e4e4d_i* 46160bea31365403_r, pre-shared key reauthentication in 2 hours ciscoios[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 ciscoios{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c86d1e57_i 064d5231_o ciscoios{1}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 1140 bytes_o (15 pkts, 22s ago), rekeying in 47 minutes ciscoios{1}: 192.168.1.0/24 === 172.21.148.0/28 root@Nachalsys ~ # ipsec listall List of registered IKE algorithms: encryption: AES_CBC[aes] RC2_CBC[rc2] 3DES_CBC[openssl] CAMELLIA_CBC[openssl] CAST_CBC[openssl] BLOWFISH_CBC[openssl] DES_CBC[openssl] DES_ECB[openssl] NULL[openssl] integrity: HMAC_MD5_96[openssl] HMAC_MD5_128[openssl] HMAC_SHA1_96[openssl] HMAC_SHA1_128[openssl] HMAC_SHA1_160[openssl] HMAC_SHA2_256_128[openssl] HMAC_SHA2_256_256[openssl] HMAC_SHA2_384_192[openssl] HMAC_SHA2_384_384[openssl] HMAC_SHA2_512_256[openssl] HMAC_SHA2_512_512[openssl] CAMELLIA_XCBC_96[xcbc] AES_XCBC_96[xcbc] aead: AES_GCM_8[openssl] AES_GCM_12[openssl] AES_GCM_16[openssl] hasher: HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD4[md4] HASH_MD5[md5] prf: PRF_KEYED_SHA1[sha1] PRF_HMAC_MD5[openssl] PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl] PRF_HMAC_SHA2_384[openssl] PRF_HMAC_SHA2_512[openssl] PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc] PRF_CAMELLIA128_XCBC[xcbc] dh-group: MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] MODP_1536[openssl] MODP_3072[openssl] MODP_4096[openssl] MODP_6144[openssl] MODP_8192[openssl] MODP_1024[openssl] MODP_1024_160[openssl] MODP_768[openssl] MODP_CUSTOM[openssl] ECP_256[openssl] ECP_384[openssl] ECP_521[openssl] ECP_224[openssl] ECP_192[openssl] ECP_224_BP[openssl] ECP_256_BP[openssl] ECP_384_BP[openssl] ECP_512_BP[openssl] random-gen: RNG_WEAK[openssl] RNG_STRONG[random] RNG_TRUE[random] nonce-gen: [nonce] List of loaded Plugins: charon: CUSTOM:libcharon NONCE_GEN CUSTOM:libcharon-sa-managers CUSTOM:libcharon-receiver CUSTOM:kernel-ipsec CUSTOM:kernel-net CUSTOM:libcharon-receiver HASHER:HASH_SHA1 RNG:RNG_STRONG CUSTOM:socket CUSTOM:libcharon-sa-managers HASHER:HASH_SHA1 RNG:RNG_WEAK test-vectors: CUSTOM:test-vectors aes: CRYPTER:AES_CBC-16 CRYPTER:AES_CBC-24 CRYPTER:AES_CBC-32 rc2: CRYPTER:RC2_CBC-0 sha1: HASHER:HASH_SHA1 PRF:PRF_KEYED_SHA1 sha2: HASHER:HASH_SHA224 HASHER:HASH_SHA256 HASHER:HASH_SHA384 HASHER:HASH_SHA512 md4: HASHER:HASH_MD4 md5: HASHER:HASH_MD5 random: RNG:RNG_STRONG RNG:RNG_TRUE nonce: NONCE_GEN RNG:RNG_WEAK x509: CERT_ENCODE:X509 HASHER:HASH_SHA1 CERT_DECODE:X509 HASHER:HASH_SHA1 PUBKEY:ANY CERT_ENCODE:X509_AC CERT_DECODE:X509_AC CERT_ENCODE:X509_CRL CERT_DECODE:X509_CRL CERT_ENCODE:X509_OCSP_REQUEST HASHER:HASH_SHA1 RNG:RNG_WEAK CERT_DECODE:X509_OCSP_RESPONSE CERT_ENCODE:PKCS10_REQUEST CERT_DECODE:PKCS10_REQUEST revocation: CUSTOM:revocation CERT_ENCODE:X509_OCSP_REQUEST (soft) CERT_DECODE:X509_OCSP_RESPONSE (soft) CERT_DECODE:X509_CRL (soft) CERT_DECODE:X509 (soft) FETCHER:(null) (soft) constraints: CUSTOM:constraints CERT_DECODE:X509 (soft) pubkey: CERT_ENCODE:TRUSTED_PUBKEY CERT_DECODE:TRUSTED_PUBKEY PUBKEY:RSA (soft) PUBKEY:ECDSA (soft) PUBKEY:DSA (soft) pkcs1: PRIVKEY:RSA PUBKEY:ANY PUBKEY:RSA (soft) PUBKEY:ECDSA (soft) PUBKEY:DSA (soft) PUBKEY:RSA pkcs7: CONTAINER_DECODE:PKCS7 CONTAINER_ENCODE:PKCS7_DATA CONTAINER_ENCODE:PKCS7_SIGNED_DATA CONTAINER_ENCODE:PKCS7_ENVELOPED_DATA pkcs8: PRIVKEY:ANY PRIVKEY:RSA PRIVKEY:ECDSA pkcs12: CONTAINER_DECODE:PKCS12 CONTAINER_DECODE:PKCS7 CERT_DECODE:X509 (soft) PRIVKEY:ANY (soft) HASHER:HASH_SHA1 (soft) CRYPTER:3DES_CBC-24 (soft) CRYPTER:RC2_CBC-0 (soft) pgp: PRIVKEY:ANY PRIVKEY:RSA PUBKEY:ANY PUBKEY:RSA CERT_DECODE:PGP dnskey: PUBKEY:ANY PUBKEY:RSA sshkey: PUBKEY:ANY CERT_DECODE:TRUSTED_PUBKEY pem: PRIVKEY:ANY PRIVKEY:ANY HASHER:HASH_MD5 (soft) PRIVKEY:RSA PRIVKEY:RSA HASHER:HASH_MD5 (soft) PRIVKEY:ECDSA PRIVKEY:ECDSA HASHER:HASH_MD5 (soft) PRIVKEY:DSA (not loaded) PRIVKEY:DSA HASHER:HASH_MD5 (soft) PRIVKEY:BLISS (not loaded) PRIVKEY:BLISS PUBKEY:ANY PUBKEY:ANY PUBKEY:RSA PUBKEY:RSA PUBKEY:ECDSA PUBKEY:ECDSA PUBKEY:DSA (not loaded) PUBKEY:DSA PUBKEY:BLISS CERT_DECODE:ANY CERT_DECODE:X509 (soft) CERT_DECODE:PGP (soft) CERT_DECODE:X509 CERT_DECODE:X509 CERT_DECODE:X509_CRL CERT_DECODE:X509_CRL CERT_DECODE:X509_OCSP_REQUEST (not loaded) CERT_DECODE:X509_OCSP_REQUEST CERT_DECODE:X509_OCSP_RESPONSE CERT_DECODE:X509_OCSP_RESPONSE CERT_DECODE:X509_AC CERT_DECODE:X509_AC CERT_DECODE:PKCS10_REQUEST CERT_DECODE:PKCS10_REQUEST CERT_DECODE:TRUSTED_PUBKEY CERT_DECODE:TRUSTED_PUBKEY CERT_DECODE:PGP CERT_DECODE:PGP CONTAINER_DECODE:PKCS12 CONTAINER_DECODE:PKCS12 openssl: CUSTOM:openssl-threading CRYPTER:AES_CBC-16 CRYPTER:AES_CBC-24 CRYPTER:AES_CBC-32 CRYPTER:CAMELLIA_CBC-16 CRYPTER:CAMELLIA_CBC-24 CRYPTER:CAMELLIA_CBC-32 CRYPTER:CAST_CBC-0 CRYPTER:BLOWFISH_CBC-0 CRYPTER:3DES_CBC-24 CRYPTER:DES_CBC-8 CRYPTER:DES_ECB-8 CRYPTER:NULL-0 HASHER:HASH_MD4 HASHER:HASH_MD5 HASHER:HASH_SHA1 HASHER:HASH_SHA224 HASHER:HASH_SHA256 HASHER:HASH_SHA384 HASHER:HASH_SHA512 PRF:PRF_KEYED_SHA1 PRF:PRF_HMAC_MD5 PRF:PRF_HMAC_SHA1 PRF:PRF_HMAC_SHA2_256 PRF:PRF_HMAC_SHA2_384 PRF:PRF_HMAC_SHA2_512 SIGNER:HMAC_MD5_96 SIGNER:HMAC_MD5_128 SIGNER:HMAC_SHA1_96 SIGNER:HMAC_SHA1_128 SIGNER:HMAC_SHA1_160 SIGNER:HMAC_SHA2_256_128 SIGNER:HMAC_SHA2_256_256 SIGNER:HMAC_SHA2_384_192 SIGNER:HMAC_SHA2_384_384 SIGNER:HMAC_SHA2_512_256 SIGNER:HMAC_SHA2_512_512 AEAD:AES_GCM_8-16 AEAD:AES_GCM_8-24 AEAD:AES_GCM_8-32 AEAD:AES_GCM_12-16 AEAD:AES_GCM_12-24 AEAD:AES_GCM_12-32 AEAD:AES_GCM_16-16 AEAD:AES_GCM_16-24 AEAD:AES_GCM_16-32 DH:MODP_2048 DH:MODP_2048_224 DH:MODP_2048_256 DH:MODP_1536 DH:MODP_3072 DH:MODP_4096 DH:MODP_6144 DH:MODP_8192 DH:MODP_1024 DH:MODP_1024_160 DH:MODP_768 DH:MODP_CUSTOM PRIVKEY:RSA PRIVKEY:ANY PRIVKEY_GEN:RSA PUBKEY:RSA PUBKEY:ANY PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512 PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5 PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5 PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1 PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1 CERT_DECODE:X509 PUBKEY:RSA (soft) PUBKEY:ECDSA (soft) PUBKEY:DSA (soft) CERT_DECODE:X509_CRL CONTAINER_DECODE:PKCS7 CONTAINER_DECODE:PKCS12 DH:ECP_256 DH:ECP_384 DH:ECP_521 DH:ECP_224 DH:ECP_192 DH:ECP_224_BP DH:ECP_256_BP DH:ECP_384_BP DH:ECP_512_BP PRIVKEY:ECDSA PRIVKEY_GEN:ECDSA PUBKEY:ECDSA PRIVKEY_SIGN:ECDSA_WITH_NULL PUBKEY_VERIFY:ECDSA_WITH_NULL PRIVKEY_SIGN:ECDSA_WITH_SHA1_DER PUBKEY_VERIFY:ECDSA_WITH_SHA1_DER PRIVKEY_SIGN:ECDSA_WITH_SHA256_DER PUBKEY_VERIFY:ECDSA_WITH_SHA256_DER PRIVKEY_SIGN:ECDSA-256 PUBKEY_VERIFY:ECDSA-256 PRIVKEY_SIGN:ECDSA_WITH_SHA384_DER PRIVKEY_SIGN:ECDSA_WITH_SHA512_DER PUBKEY_VERIFY:ECDSA_WITH_SHA384_DER PUBKEY_VERIFY:ECDSA_WITH_SHA512_DER PRIVKEY_SIGN:ECDSA-384 PRIVKEY_SIGN:ECDSA-521 PUBKEY_VERIFY:ECDSA-384 PUBKEY_VERIFY:ECDSA-521 RNG:RNG_STRONG RNG:RNG_WEAK fips-prf: PRF:PRF_FIPS_SHA1_160 PRF:PRF_KEYED_SHA1 gmp: DH:MODP_2048 RNG:RNG_STRONG DH:MODP_2048_224 RNG:RNG_STRONG DH:MODP_2048_256 RNG:RNG_STRONG DH:MODP_1536 RNG:RNG_STRONG DH:MODP_3072 RNG:RNG_STRONG DH:MODP_4096 RNG:RNG_STRONG DH:MODP_6144 RNG:RNG_STRONG DH:MODP_8192 RNG:RNG_STRONG DH:MODP_1024 RNG:RNG_STRONG DH:MODP_1024_160 RNG:RNG_STRONG DH:MODP_768 RNG:RNG_STRONG DH:MODP_CUSTOM RNG:RNG_STRONG PRIVKEY:RSA PRIVKEY_GEN:RSA RNG:RNG_TRUE PUBKEY:RSA PRIVKEY_SIGN:RSA_EMSA_PKCS1_NULL PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA1 HASHER:HASH_SHA1 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA224 HASHER:HASH_SHA224 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA256 HASHER:HASH_SHA256 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA384 HASHER:HASH_SHA384 PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA512 HASHER:HASH_SHA512 PRIVKEY_SIGN:RSA_EMSA_PKCS1_MD5 HASHER:HASH_MD5 PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1 HASHER:HASH_SHA1 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224 HASHER:HASH_SHA224 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256 HASHER:HASH_SHA256 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384 HASHER:HASH_SHA384 PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA512 HASHER:HASH_SHA512 PUBKEY_VERIFY:RSA_EMSA_PKCS1_MD5 HASHER:HASH_MD5 PRIVKEY_DECRYPT:ENCRYPT_RSA_PKCS1 PUBKEY_ENCRYPT:ENCRYPT_RSA_PKCS1 RNG:RNG_WEAK agent: PRIVKEY:ANY PRIVKEY:RSA PRIVKEY:ECDSA xcbc: PRF:PRF_AES128_XCBC CRYPTER:AES_CBC-16 PRF:PRF_CAMELLIA128_XCBC CRYPTER:CAMELLIA_CBC-16 SIGNER:CAMELLIA_XCBC_96 CRYPTER:CAMELLIA_CBC-16 SIGNER:AES_XCBC_96 CRYPTER:AES_CBC-16 hmac: PRF:PRF_HMAC_SHA1 HASHER:HASH_SHA1 PRF:PRF_HMAC_MD5 HASHER:HASH_MD5 PRF:PRF_HMAC_SHA2_256 HASHER:HASH_SHA256 PRF:PRF_HMAC_SHA2_384 HASHER:HASH_SHA384 PRF:PRF_HMAC_SHA2_512 HASHER:HASH_SHA512 SIGNER:HMAC_SHA1_96 HASHER:HASH_SHA1 SIGNER:HMAC_SHA1_128 HASHER:HASH_SHA1 SIGNER:HMAC_SHA1_160 HASHER:HASH_SHA1 SIGNER:HMAC_MD5_96 HASHER:HASH_MD5 SIGNER:HMAC_MD5_128 HASHER:HASH_MD5 SIGNER:HMAC_SHA2_256_128 HASHER:HASH_SHA256 SIGNER:HMAC_SHA2_256_256 HASHER:HASH_SHA256 SIGNER:HMAC_SHA2_384_192 HASHER:HASH_SHA384 SIGNER:HMAC_SHA2_384_384 HASHER:HASH_SHA384 SIGNER:HMAC_SHA2_512_256 HASHER:HASH_SHA512 SIGNER:HMAC_SHA2_512_512 HASHER:HASH_SHA512 gcm: AEAD:AES_GCM_8-16 CRYPTER:AES_CBC-16 AEAD:AES_GCM_8-24 CRYPTER:AES_CBC-24 AEAD:AES_GCM_8-32 CRYPTER:AES_CBC-32 AEAD:AES_GCM_12-16 CRYPTER:AES_CBC-16 AEAD:AES_GCM_12-24 CRYPTER:AES_CBC-24 AEAD:AES_GCM_12-32 CRYPTER:AES_CBC-32 AEAD:AES_GCM_16-16 CRYPTER:AES_CBC-16 AEAD:AES_GCM_16-24 CRYPTER:AES_CBC-24 AEAD:AES_GCM_16-32 CRYPTER:AES_CBC-32 attr: CUSTOM:attr kernel-netlink: CUSTOM:kernel-ipsec CUSTOM:kernel-net resolve: CUSTOM:resolve socket-default: CUSTOM:socket CUSTOM:kernel-ipsec (soft) connmark: CUSTOM:connmark stroke: CUSTOM:stroke PRIVKEY:RSA (soft) PRIVKEY:ECDSA (soft) PRIVKEY:DSA (soft) PRIVKEY:BLISS (soft) CERT_DECODE:ANY (soft) CERT_DECODE:X509 (soft) CERT_DECODE:X509_CRL (soft) CERT_DECODE:X509_AC (soft) CERT_DECODE:TRUSTED_PUBKEY (soft) updown: CUSTOM:updown root@Nachalsys ~ # ip -s xfrm policy src 172.21.148.0/28 dst 192.168.1.0/24 uid 0 dir fwd action allow index 82 priority 2867 share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2017-10-23 10:03:41 use - tmpl src 83.XXX.XXX.XXX dst 192.168.1.44 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel level required share any enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff src 172.21.148.0/28 dst 192.168.1.0/24 uid 0 dir in action allow index 72 priority 2867 share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2017-10-23 10:03:41 use - tmpl src 83.XXX.XXX.XXX dst 192.168.1.44 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel level required share any enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff src 192.168.1.0/24 dst 172.21.148.0/28 uid 0 dir out action allow index 65 priority 2867 share any flag (0x00000000) lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2017-10-23 10:03:41 use 2017-10-23 10:04:36 tmpl src 192.168.1.44 dst 83.XXX.XXX.XXX proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel level required share any enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 socket in action allow index 59 priority 0 share any flag (0x00000000) lifetime config: limit: soft 0(bytes), hard 0(bytes) limit: soft 0(packets), hard 0(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2017-10-23 10:00:23 use 2017-10-23 10:03:41 src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 socket out action allow index 52 priority 0 share any flag (0x00000000) lifetime config: limit: soft 0(bytes), hard 0(bytes) limit: soft 0(packets), hard 0(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2017-10-23 10:00:23 use 2017-10-23 10:08:16 src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 socket in action allow index 43 priority 0 share any flag (0x00000000) lifetime config: limit: soft 0(bytes), hard 0(bytes) limit: soft 0(packets), hard 0(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2017-10-23 10:00:23 use 2017-10-23 10:03:40 src 0.0.0.0/0 dst 0.0.0.0/0 uid 0 socket out action allow index 36 priority 0 share any flag (0x00000000) lifetime config: limit: soft 0(bytes), hard 0(bytes) limit: soft 0(packets), hard 0(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2017-10-23 10:00:23 use 2017-10-23 10:03:40 src ::/0 dst ::/0 uid 0 socket in action allow index 27 priority 0 share any flag (0x00000000) lifetime config: limit: soft 0(bytes), hard 0(bytes) limit: soft 0(packets), hard 0(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2017-10-23 10:00:23 use - src ::/0 dst ::/0 uid 0 socket out action allow index 20 priority 0 share any flag (0x00000000) lifetime config: limit: soft 0(bytes), hard 0(bytes) limit: soft 0(packets), hard 0(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2017-10-23 10:00:23 use - src ::/0 dst ::/0 uid 0 socket in action allow index 11 priority 0 share any flag (0x00000000) lifetime config: limit: soft 0(bytes), hard 0(bytes) limit: soft 0(packets), hard 0(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2017-10-23 10:00:23 use - src ::/0 dst ::/0 uid 0 socket out action allow index 4 priority 0 share any flag (0x00000000) lifetime config: limit: soft 0(bytes), hard 0(bytes) limit: soft 0(packets), hard 0(packets) expire add: soft 0(sec), hard 0(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2017-10-23 10:00:23 use - root@Nachalsys ~ # ip -s xfrm state src 192.168.1.44 dst 83.XXX.XXX.XXX proto esp spi 0x064d5231(105730609) reqid 1(0x00000001) mode tunnel replay-window 32 seq 0x00000000 flag af-unspec (0x00100000) auth-trunc hmac(sha1) 0x466bf4ff8b0b84b217af306707c4132461055fe4 (160 bits) 96 enc cbc(aes) 0xe904f2a626428de9ac9c0de6a7fd5ac3573b68cb50a3559a95e2ad6ba78456be (256 bits) encap type espinudp sport 4500 dport 4500 addr 0.0.0.0 anti-replay context: seq 0x0, oseq 0xf, bitmap 0x00000000 lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 2950(sec), hard 3600(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 1140(bytes), 15(packets) add 2017-10-23 10:03:41 use 2017-10-23 10:04:02 stats: replay-window 0 replay 0 failed 0 src 83.XXX.XXX.XXX dst 192.168.1.44 proto esp spi 0xc86d1e57(3362594391) reqid 1(0x00000001) mode tunnel replay-window 32 seq 0x00000000 flag af-unspec (0x00100000) auth-trunc hmac(sha1) 0x77b5d898a1d67ae85257f02069f4d305fa79c554 (160 bits) 96 enc cbc(aes) 0x352455d84da909a0b806792889005112c77f8f4d4b344931f989c29422cbf23b (256 bits) encap type espinudp sport 4500 dport 4500 addr 0.0.0.0 anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 lifetime config: limit: soft (INF)(bytes), hard (INF)(bytes) limit: soft (INF)(packets), hard (INF)(packets) expire add: soft 2944(sec), hard 3600(sec) expire use: soft 0(sec), hard 0(sec) lifetime current: 0(bytes), 0(packets) add 2017-10-23 10:03:41 use - stats: replay-window 0 replay 0 failed 0 root@Nachalsys ~ # ip route list table 220 172.21.148.0/28 via 192.168.1.1 dev wlp61s0 proto static src 192.168.1.44 root@Nachalsys ~ # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination f2b-sshd tcp -- anywhere anywhere multiport dports ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain f2b-sshd (1 references) target prot opt source destination RETURN all -- anywhere anywhere root@Nachalsys ~ # iptables-save # Generated by iptables-save v1.6.0 on Mon Oct 23 10:09:13 2017 *nat :PREROUTING ACCEPT [13:490] :INPUT ACCEPT [6:266] :OUTPUT ACCEPT [81:5229] :POSTROUTING ACCEPT [79:5085] -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT COMMIT # Completed on Mon Oct 23 10:09:13 2017 # Generated by iptables-save v1.6.0 on Mon Oct 23 10:09:13 2017 *filter :INPUT ACCEPT [2064:691071] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [2103:365586] :f2b-sshd - [0:0] -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd -A f2b-sshd -j RETURN COMMIT # Completed on Mon Oct 23 10:09:13 2017 root@Nachalsys ~ # On Mon, Sep 4, 2017 at 9:09 PM, Noel Kuntze < noel.kuntze+strongswan-users-ml@thermi.consulting> wrote: > Hi, > > Advise for your problem and corrections for incorrect statements are found > in the text, below > the corresponding quoted section from your mail. > > On 04.09.2017 20:20, Charles-Antoine Giuliani wrote: > > I followed the configuration at > > https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/ > > (closest configuration I could find, though the examples seem to have > been designed for local networks) > Those are not examples, as the introduction page to the test results > says[1][2]. You are not supposed to use those. > There is a dedicated article[3] on the wiki about example configurations. > Read the introduction[4] and the article about forwarding[5] first, > then use the configuration for the corresponding scenario (site-to-site > scenario). The test scenarios are tests that are run in a virtualized LAN > environment > using QEMU, so this obviously does not correspond to a real life > deployment. This is also made clear in the warning[2]. > > > > > However the computer does not manage to connect > > > > thyfate@DataLearning-001:~$ sudo ipsec start > > Starting strongSwan 5.1.2 IPsec [starter]... > > charon is already running (/var/run/charon.pid exists) -- skipping > daemon start > > starter is already running (/var/run/starter.charon.pid exists) -- no > fork done > > thyfate@DataLearning-001:~$ sudo ipsec up ciscoios > > initiating Main Mode IKE_SA ciscoios[3554] to 83.XXX.XXX.XXX > > generating ID_PROT request 0 [ SA V V V V ] > > sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 > bytes) > > sending retransmit 1 of request message ID 0, seq 1 > > sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 > bytes) > > sending retransmit 2 of request message ID 0, seq 1 > > sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 > bytes) > > sending retransmit 3 of request message ID 0, seq 1 > > sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 > bytes) > > sending retransmit 4 of request message ID 0, seq 1 > > sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 > bytes) > > sending retransmit 5 of request message ID 0, seq 1 > > sending packet: from 93.XXX.XXX.XXX[500] to 83.XXX.XXX.XXX[500] (196 > bytes) > > giving up after 5 retransmits > > establishing IKE_SA failed, peer not responding > > establishing connection 'ciscoios' failed > > That obviously does not work, because you are neither supposed to, nor > allowed to send IP packets from an IP > address that is not bound to your host. You can work around that, but it > is neither the or even a solution to your problem > nor advised to try to do that. At least your home router would drop the > packets because of the bogus source. I am very certain > that charon logs a corresponding error message in syslog or the journal, > whenever you try to initiate the connection > > The "left" parameter is described as follows in the first paragraph about > it on the man page: > > left = <ip address> | <fqdn> | %any | <range> | <subnet> > > The IP address of the left participant's public-network > interface or one of several magic values. The value %any (the default) for > the local endpoint signifies an address > > to be filled in (by automatic keying) during negotiation. > If the local peer initiates the connection setup the routing table will be > queried to determine the correct local > > IP address. In case the local peer is responding to a > connection setup then any IP address that is assigned to a local interface > will be accepted. > > As you can read, that parameter is neither appropriate nor needed in your > case, because 93.XXX.XXX.XXX is not bound to any local interface. Just > don't use "left". Charon is smart > enough to determine the correct source IP by itself, as the man page > describes. > > > Below some details on the setup: > > > > I am using Ubuntu 14.04. My computer is behind an ISP-provided router > box where ports 500 and 4500 have been NAT - forwarded, both on TCP and > UDP. My computer external address is 93.XXX.XXX.XXX and the local network > the computer is on has ranges 192.168.1.XXX, the specific machine having ip > 192.168.1.104. On the other side, a Cisco ASA 5520 is used to create the > VPN on an external ip address of 83.XXX.XXX.XXX. > > > > Strongswan was installed with the following command line > > > > sudo apt-get install strongswan strongswan-plugin-af-alg > strongswan-plugin-agent strongswan-plugin-certexpire > strongswan-plugin-coupling strongswan-plugin-curl strongswan-plugin-dhcp > strongswan-plugin-duplicheck strongswan-plugin-eap-aka > strongswan-plugin-eap-aka-3gpp2 strongswan-plugin-eap-dynamic > strongswan-plugin-eap-gtc strongswan-plugin-eap-mschapv2 > strongswan-plugin-eap-peap strongswan-plugin-eap-radius > strongswan-plugin-eap-tls strongswan-plugin-eap-ttls > strongswan-plugin-error-notify strongswan-plugin-farp > strongswan-plugin-fips-prf strongswan-plugin-gcrypt strongswan-plugin-gmp > strongswan-plugin-ipseckey strongswan-plugin-kernel-libipsec > strongswan-plugin-ldap strongswan-plugin-led strongswan-plugin-load-tester > strongswan-plugin-lookip strongswan-plugin-ntru strongswan-plugin-pgp > strongswan-plugin-pkcs11 strongswan-plugin-pubkey strongswan-plugin-radattr > strongswan-plugin-sshkey strongswan-plugin-systime-fix > strongswan-plugin-whitelist strongswan-plugin-xauth-eap > > strongswan-plugin-xauth-generic strongswan-plugin-xauth-noauth > strongswan-plugin-xauth-pam > > Never do that unless you need the package and know what it does. There are > packets that cause very hard problems and obstacles when installed without > reason, e.g. "strongswan-plugin-kernel-libipsec". Remove that package. > > > > ============================================================ > > /etc/ipsec.conf > > ============================================================ > > # ipsec.conf - strongSwan IPsec configuration file > > > > # basic configuration > > > > config setup > > # strictcrlpolicy=yes > > # uniqueids = no > > > > # Add connections here. > > > > # Sample VPN connections > > > > #conn sample-self-signed > > # leftsubnet=10.1.0.0/16 <http://10.1.0.0/16> > > # leftcert=selfCert.der > > # leftsendcert=never > > # right=192.168.0.2 > > # rightsubnet=10.2.0.0/16 <http://10.2.0.0/16> > > # rightcert=peerCert.der > > # auto=start > > > > #conn sample-with-ca-cert > > # leftsubnet=10.1.0.0/16 <http://10.1.0.0/16> > > # leftcert=myCert.pem > > # right=192.168.0.2 > > # rightsubnet=10.2.0.0/16 <http://10.2.0.0/16> > > # rightid="C=CH, O=Linux strongSwan CN=peer name" > > # auto=start > > > > conn %default > > ikelifetime=1440m > > keylife=60m > > rekeymargin=3m > > keyingtries=1 > > keyexchange=ikev1 > > authby=secret > > > > conn ciscoios > > left=93.XXX.XXX.XXX #strongswan outside address > > leftsubnet=172.31.17.0/28 <http://172.31.17.0/28> > #network behind strongswan > > leftid=93.XXX.XXX.XXX #IKEID sent by strongswan > > leftfirewall=no > > right=83.XXX.XXX.XXX #IOS outside address > > rightsubnet=172.21.148.0/28 <http://172.21.148.0/28> > #network behind IOS > > rightid=83.XXX.XXX.XXX #IKEID sent by IOS > > auto=add > > ike=aes256-sha-modp1024 #P1: modp1024 = DH group 2 > > esp=aes256-sha1 #P2 > > DH group 2 is broken[6]. Avoid it. > In any case, use auto=route, don't set "left", "leftfirewall" is > superfluous, rightid does not need to be set in your case and try to use > PFS. It's basically free and it is good practice to use it. > Remove anything above the "conn ciscoios" section and move > "keyexchange=ikev1" into "conn ciscoios". Set "keyingtries=%forever", > "leftauth=psk" and "rightauth=psk". > > > thyfate@DataLearning-001:~$ sudo ipsec statusall > > [sudo] password for thyfate: > > Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.16.0-77-generic, > x86_64): > > uptime: 42 days, since Jul 24 07:41:43 2017 > > malloc: sbrk 2904064, mmap 266240, used 581776, free 2322288 > > worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, > scheduled: 1 > > loaded plugins: charon test-vectors curl unbound ldap pkcs11 aes rc2 > sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pubkey > pkcs1 pkcs7 pkcs8 pkcs12 pgp sshkey ipseckey pem openssl gcrypt af-alg > fips-prf gmp xcbc cmac hmac ctr ccm gcm ntru attr kernel-netlink resolve > socket-default farp stroke updown eap-identity eap-aka eap-aka-3gpp2 > eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap > xauth-generic xauth-eap xauth-noauth dhcp whitelist lookip error-notify > certexpire led duplicheck radattr addrblock > > Listening IP addresses: > > 192.168.1.104 > > Connections: > > ciscoios: 93.XXX.XXX.XXX...83.XXX.XXX.XXX IKEv1 > > ciscoios: local: [93.XXX.XXX.XXX] uses pre-shared key > authentication > > ciscoios: remote: [83.XXX.XXX.XXX] uses pre-shared key > authentication > > ciscoios: child: 0.0.0.0/0 <http://0.0.0.0/0> === 172.21.148.0/28 > <http://172.21.148.0/28> TUNNEL > > The local TS does not match your configuration (0.0.0.0/0 <=> > 172.31.17.0/28). Do not try to use larger traffic selectors than > requested by the administrator > of the other peer. Other IKE software does not implement IKEv1 traffic > selector narrowing, so this configuration will throw errors, because the > subnets are different from the ones configured, > if the remote peer is for example a Cisco or Juniper device. > > > Security Associations (1 up, 0 connecting): > > ciscoios[3554]: CONNECTING, 93.XXX.XXX.XXX[%any]...83.XXX. > XXX.XXX[%any] > > ciscoios[3554]: IKEv1 SPIs: 1b151f2a679038df_i* 0000000000000000_r > > ciscoios[3554]: Tasks queued: QUICK_MODE > > ciscoios[3554]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE > MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD > > > > > thyfate@DataLearning-001:~$ sudo iptables-save > > # Generated by iptables-save v1.4.21 on Mon Sep 4 08:39:12 2017 > > *nat > > :PREROUTING ACCEPT [14381:2557534] > > :INPUT ACCEPT [14224:2540988] > > :OUTPUT ACCEPT [18294:1425542] > > :POSTROUTING ACCEPT [18294:1425542] > > -A POSTROUTING -s 172.31.17.0/28 <http://172.31.17.0/28> -o eth0 -j > MASQUERADE > > That rule will cause problems. Read the article about NAT problems[7] and > then apply the rule to fix it. > > > COMMIT > > # Completed on Mon Sep 4 08:39:12 2017 > > # Generated by iptables-save v1.4.21 on Mon Sep 4 08:39:12 2017 > > *filter > > :INPUT ACCEPT [676542:524740723] > > :FORWARD ACCEPT [0:0] > > The counters are suspiciously low. Check if forwarding is enabled. Fix it > appropriately following the article about forwarding[5]. > > > :OUTPUT ACCEPT [434134:197554510] > > :fail2ban-ssh - [0:0] > > -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh > > -A fail2ban-ssh -j RETURN > > COMMIT > > # Completed on Mon Sep 4 08:39:12 2017 > > > > Kind regards > > Noel > > [1] https://wiki.strongswan.org/projects/strongswan/wiki/ > ConfigurationExamples > [2] https://wiki.strongswan.org/projects/strongswan/wiki/ > ConfigurationExamplesNotes > [3] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples > [4] https://wiki.strongswan.org/projects/strongswan/wiki/ > IntroductionTostrongSwan > [5] https://wiki.strongswan.org/projects/strongswan/wiki/ > ForwardingAndSplitTunneling > [6] > https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations#Logjam > (Read the paragraph titled "LogJam") > [7] https://wiki.strongswan.org/projects/strongswan/wiki/ > ForwardingAndSplitTunneling#General-NAT-problems > >