Hi,

I don't see the virtual IP address 10.2.1.211/32 installed on your
physical USB interface with IP address 10.39.63.211. Does the command

  ip route list table 220

show any source route entries?

Regards

Andreas

On 12.03.2018 11:45, Shuchen He wrote:
> Hi,
>
> I have set up a VPN between ASA and strongswan using IKEv1. The strongswan
> works as a remote VPN using PSK XAuth.
>
> The VPN tunnel is up but I cannot ping the remote site. Below is the
> configuration and some output.
>
> My observation at the moment is that the Linux kernel has set up
> everything but the TS traffic just does not leave the Linux box. When I
> ping the remote site, I can see "ip xfrm state" actually shows a flow for my
> traffic... but the flow is somehow dropped by either the kernel or
> strongswan.
>
> Can you please let me know what else I should do to further
> troubleshoot the issue?
>
> *Configuration*
>
> connections {
>     home {
>         aggressive = yes
>         dpd_delay = 30
>         dpd_timeout = 90
>         version = 1
>         remote_addrs = 126.2.1.4
>         # uncomment if the responder only supports crappy crypto. But seriously,
>         # every single one of those algorithms is broken. Better spend some $$$
>         # on a better solution.
>         proposals = aes256-sha1-modp1024
>         vips = 0.0.0.0,::
>         local-1 {
>             auth = psk
>             id = acompanyTest
>         }
>         local-2 {
>             auth = xauth-generic
>             xauth_id = acompanyTest
>         }
>         remote-1 {
>             auth = psk
>             # You might have to set this to the correct value, if the
>             # responder isn't configured correctly.
>             #id = 126.2.1.4
>         }
>         children {
>             home {
>                 remote_ts = 10.2.1.0/24
>                 #local_ts=192.168.199.0/24,0.0.0.0
>                 # uncomment if the responder only supports crappy crypto. But seriously,
>                 # every single one of those algorithms is broken. Better spend some $$$
>                 # on a better solution.
>                 # esp_proposals = 3des-md5!
>                 # Use this, if you want PFS with DH group 2.
>                 # esp_proposals = 3des-md5-modp1024!
>                 esp_proposals = aes128-sha1-modp768
>             }
>         }
>     }
> }
> secrets {
>     ike-home {
>         id = 126.2.1.4
>         secret = "acompany123"
>     }
>     eap-home {
>         id = acompanyTest
>         secret = "acompany123"
>     }
> }
>
> # ipsec statusall
> Status of IKE charon daemon (strongSwan 5.6.2, Linux 3.0.35-2666-gbdde708-g889281e-dirty, armv7l):
>   uptime: 18 minutes, since Mar 12 18:15:45 2018
>   malloc: sbrk 253952, mmap 0, used 158560, free 95392
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
>   loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
> Listening IP addresses:
>   192.168.199.100
>   192.168.199.254
>   192.168.199.141
>   192.168.126.1
>   10.39.63.211
> Connections:
>         site:  %any...126.2.1.4  IKEv1
>         site:   local:  [mylocalsite] uses pre-shared key authentication
>         site:   remote: uses pre-shared key authentication
>         site:   child:  192.168.199.0/24 === 10.2.1.0/24 TUNNEL
>         home:  %any...126.2.1.4  IKEv1 Aggressive, dpddelay=30s
>         home:   local:  [acompanyTest] uses pre-shared key authentication
>         home:   local:  uses XAuth authentication: generic with XAuth identity 'acompanyTest'
>         home:   remote: uses pre-shared key authentication
>         home:   child:  dynamic === 10.2.1.0/24 TUNNEL, dpdaction=clear
> Routed Connections:
>         site{1}:  ROUTED, TUNNEL, reqid 1
>         site{1}:   192.168.199.0/24 === 10.2.1.0/24
> Security Associations (1 up, 0 connecting):
>         home[1]: ESTABLISHED 17 minutes ago, 10.39.63.211[acompanyTest]...126.2.1.4[126.2.1.4]
>         home[1]: IKEv1 SPIs: 504550d01ee905e2_i* 2311e0ae0c6c454f_r, rekeying in 3 hours
>         home[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>         home{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cc621d5e_i 3545bd6a_o
>         home{2}:  AES_CBC_128/HMAC_SHA1_96/MODP_768, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
>         home{2}:   10.2.1.211/32 === 10.2.1.0/24
>
> root@wheezy-armel:~ 18:33:49
> # ifconfig
> eth0      Link encap:Ethernet  HWaddr 50:ff:99:30:13:10
>           inet addr:192.168.199.100  Bcast:192.168.199.255  Mask:255.255.255.0
>           inet6 addr: fe80::52ff:99ff:fe30:1310/64 Scope:Link
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:3585 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1318 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:422967 (413.0 KiB)  TX bytes:177070 (172.9 KiB)
>
> eth1      Link encap:Ethernet  HWaddr 50:ff:99:30:13:11
>           inet addr:192.168.199.141  Bcast:192.168.199.255  Mask:255.255.255.0
>           inet6 addr: fe80::52ff:99ff:fe30:1311/64 Scope:Link
>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:11288 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:2799722 (2.6 MiB)  TX bytes:3078 (3.0 KiB)
>           Interrupt:155 Base address:0x8000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:1334 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1334 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:465386 (454.4 KiB)  TX bytes:465386 (454.4 KiB)
>
> usb0      Link encap:Ethernet  HWaddr 02:1e:10:1f:00:00
>           inet addr:10.39.63.211  Bcast:10.39.63.215  Mask:255.255.255.248
>           inet6 addr: fe80::1e:10ff:fe1f:0/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:1049 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:973 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:67244 (65.6 KiB)  TX bytes:153707 (150.1 KiB)
>
> wlan0     Link encap:Ethernet  HWaddr 08:ea:40:72:28:b7
>           inet addr:192.168.126.1  Bcast:192.168.126.255  Mask:255.255.255.0
>           inet6 addr: fe80::aea:40ff:fe72:28b7/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:3229 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 B)  TX bytes:112 (112.0 B)
>
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         10.39.63.209    0.0.0.0         UG    0      0        0 usb0
> 10.39.63.208    0.0.0.0         255.255.255.248 U     0      0        0 usb0
> 192.168.126.0   0.0.0.0         255.255.255.0   U     0      0        0 wlan0
> 192.168.199.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.199.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
>
> # ip route show table 220
> 10.2.1.0/24 via 10.39.63.209 dev usb0  proto static  src 192.168.199.100
>
> # ip -s xfrm state
> src 10.39.63.211 dst 126.2.1.4
>         proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
>         replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
>         auth-trunc hmac(sha1) 0xaeb85f4b30fec0ccc1240cf9f6204a74e1785df5 (160 bits) 96
>         enc cbc(aes) 0xa0711780a30caaad143960ede951ef46 (128 bits)
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 3501(sec), hard 3960(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:52 use -
>         stats:
>           replay-window 0 replay 0 failed 0
> src 126.2.1.4 dst 10.39.63.211
>         proto esp spi 0xcc621d5e(3428982110) reqid 2(0x00000002) mode tunnel
>         replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
>         auth-trunc hmac(sha1) 0xbe6d3dc8b3c032f0059ece1a0234cbd87858d25e (160 bits) 96
>         enc cbc(aes) 0x7d99b233194ab31328cec11ea2ce7aa1 (128 bits)
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 3596(sec), hard 3960(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:52 use -
>         stats:
>           replay-window 0 replay 0 failed 0
>
> root@wheezy-armel:~ 18:34:25
> # ping -i 192.168.199.100 10.2.1.60
> PING 10.2.1.60 (10.2.1.60) 56(84) bytes of data.
> ^C
> --- 10.2.1.60 ping statistics ---
> 1 packets transmitted, 0 received, 100% packet loss, time 0ms
>
> # ip -s xfrm state
> src 10.39.63.211 dst 126.2.1.4
>         proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>         replay-window 0 seq 0x00000003 flag (0x00000000)
>         sel src 192.168.199.100/32 dst 10.2.1.60/32 proto udp sport 48645 dport 1025 uid 0
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 165(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:34:35 use -
>         stats:
>           replay-window 0 replay 0 failed 0
> src 10.39.63.211 dst 126.2.1.4
>         proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
>         replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
>         auth-trunc hmac(sha1) 0xaeb85f4b30fec0ccc1240cf9f6204a74e1785df5 (160 bits) 96
>         enc cbc(aes) 0xa0711780a30caaad143960ede951ef46 (128 bits)
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 3501(sec), hard 3960(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:52 use -
>         stats:
>           replay-window 0 replay 0 failed 0
> src 126.2.1.4 dst 10.39.63.211
>         proto esp spi 0xcc621d5e(3428982110) reqid 2(0x00000002) mode tunnel
>         replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
>         auth-trunc hmac(sha1) 0xbe6d3dc8b3c032f0059ece1a0234cbd87858d25e (160 bits) 96
>         enc cbc(aes) 0x7d99b233194ab31328cec11ea2ce7aa1 (128 bits)
>         encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 3596(sec), hard 3960(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:52 use -
>         stats:
>           replay-window 0 replay 0 failed 0
>
> root@wheezy-armel:~ 18:34:37
> # ip -s xfrm policy
> src 10.2.1.211/32 dst 10.2.1.0/24 uid 0
>         dir out action allow index 105 priority 371327 share any flag (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:52 use -
>         tmpl src 10.39.63.211 dst 126.2.1.4
>                 proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.2.1.0/24 dst 10.2.1.211/32 uid 0
>         dir fwd action allow index 98 priority 371327 share any flag (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:52 use -
>         tmpl src 126.2.1.4 dst 10.39.63.211
>                 proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.2.1.0/24 dst 10.2.1.211/32 uid 0
>         dir in action allow index 88 priority 371327 share any flag (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:52 use -
>         tmpl src 126.2.1.4 dst 10.39.63.211
>                 proto esp spi 0x00000000(0) reqid 2(0x00000002) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 192.168.199.0/24 dst 10.2.1.0/24 uid 0
>         dir out action allow index 81 priority 375424 share any flag (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:48 use -
>         tmpl src 10.39.63.211 dst 126.2.1.4
>                 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.2.1.0/24 dst 192.168.199.0/24 uid 0
>         dir fwd action allow index 74 priority 375424 share any flag (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:48 use -
>         tmpl src 126.2.1.4 dst 10.39.63.211
>                 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.2.1.0/24 dst 192.168.199.0/24 uid 0
>         dir in action allow index 64 priority 375424 share any flag (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:48 use -
>         tmpl src 126.2.1.4 dst 10.39.63.211
>                 proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         socket in action allow index 59 priority 0 share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:44 use 2018-03-12 18:34:33
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         socket out action allow index 52 priority 0 share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:44 use 2018-03-12 18:34:28
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         socket in action allow index 43 priority 0 share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:44 use 2018-03-12 18:34:39
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>         socket out action allow index 36 priority 0 share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:44 use 2018-03-12 18:34:39
> src ::/0 dst ::/0 uid 0
>         socket in action allow index 27 priority 0 share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:44 use -
> src ::/0 dst ::/0 uid 0
>         socket out action allow index 20 priority 0 share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:44 use -
> src ::/0 dst ::/0 uid 0
>         socket in action allow index 11 priority 0 share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:44 use -
> src ::/0 dst ::/0 uid 0
>         socket out action allow index 4 priority 0 share any flag (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2018-03-12 18:15:44 use -
>
>
> Thanks
>
> George

-- 
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
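Added example, not code from the thread or from strongSwan: a small Python checker that parses `ip route show table 220`, `ip xfrm policy` and `ip xfrm state` output and reports whether the source address the kernel picks for a destination falls inside an outbound policy that is backed by an installed SA. The embedded input is an abbreviated copy of the output quoted above; on it the checker reports that a packet sourced from 192.168.199.100 hits the routed `site` policy (reqid 1), which has only a pending acquire and no SA, while the `home` selector would require source 10.2.1.211. It assumes Python 3.8 or newer.

```python
import ipaddress
import re
# Sample input constructed (abbreviated) from the ip route / ip xfrm output quoted in the thread.
ROUTE_220 = "10.2.1.0/24 via 10.39.63.209 dev usb0 proto static src 192.168.199.100"
XFRM_POLICY = """\
src 10.2.1.211/32 dst 10.2.1.0/24 uid 0
        dir out action allow index 105 priority 371327 share any flag (0x00000000)
                proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
src 192.168.199.0/24 dst 10.2.1.0/24 uid 0
        dir out action allow index 81 priority 375424 share any flag (0x00000000)
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
"""
XFRM_STATE = """\
src 10.39.63.211 dst 126.2.1.4
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
src 10.39.63.211 dst 126.2.1.4
        proto esp spi 0x3545bd6a(893762922) reqid 2(0x00000002) mode tunnel
"""

def parse_out_policies(text):
    """Outbound policies as (priority, src_net, dst_net, reqid); lowest priority value wins."""
    pols, sel, prio = [], None, None
    for line in text.splitlines():
        if hdr := re.match(r"src (\S+) dst (\S+) uid", line):        # selector line starts a policy
            sel, prio = (ipaddress.ip_network(hdr[1]), ipaddress.ip_network(hdr[2])), None
        elif d := re.match(r"\s*dir out .*priority (\d+)", line):     # ignore in/fwd/socket policies
            prio = int(d[1])
        elif (rq := re.search(r"reqid (\d+)\(", line)) and prio is not None:
            pols.append((prio, *sel, int(rq[1])))
            prio = None
    return sorted(pols)

def established_reqids(text):
    """reqids backed by a real SA; spi 0 marks a pending kernel acquire, not an SA."""
    pairs = re.findall(r"spi 0x([0-9a-f]+)\(\d+\) reqid (\d+)\(", text)
    return {int(r) for spi, r in pairs if int(spi, 16) != 0}

def diagnose(route_line, dst, policies, established):
    """Describe what the kernel does with a packet to dst sent from route_line's src address."""
    src, dst = ipaddress.ip_address(re.search(r"\bsrc (\S+)", route_line)[1]), ipaddress.ip_address(dst)
    for _, src_net, dst_net, reqid in policies:
        if src in src_net and dst in dst_net:
            if reqid in established:
                return f"ok: {src}->{dst} matches {src_net}=={dst_net}, SA reqid {reqid} installed"
            return f"drop: {src}->{dst} hits trap policy {src_net}=={dst_net}, reqid {reqid} has no SA"
    return f"plaintext: no xfrm policy matches {src}->{dst}"

if __name__ == "__main__":
    pols, sas = parse_out_policies(XFRM_POLICY), established_reqids(XFRM_STATE)
    for s in ("192.168.199.100", "10.2.1.211"):   # posted route src, then the expected virtual IP
        print(diagnose(ROUTE_220.replace("192.168.199.100", s), "10.2.1.60", pols, sas))
```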