Discussion:
[strongSwan] Problem with ikev1 net2net-psk, both VPN servers are behind NAT
Walid Aweiwi
2009-01-02 00:30:28 UTC
Permalink
Hi All,

I configured strongswan-4.2.10 on 2 VPN servers, "RED" and "BLUE". Both servers are behind
NAT, with IKEv1 and PSK, dynamic DNS, and forwarding of the needed traffic on the
ADSL routers, as follows:

------------------
-192.168.100.0/24-
------------------
.
.
.
.
192.168.100.100
-------------------------
- VPN Server strongswan -
- with iptables & NAT -
- RED -
-------------------------
192.168.2.254
.
.
.
192.168.2.1
-------------------------
- ADSL Router with NAT -
- Dynamic IP from ISP -
- with Dynamic DNS to -
- the dynamic IP -
- Forwarding all traffic -
- to the 192.168.2.1 -
-------------------------
Public IP Dynamic
.
.
.
.
-------------------------
- Internet Cloud -
-------------------------
.
.
.
.
Public IP Dynamic
-------------------------
- ADSL Router with NAT -
- Dynamic IP from ISP -
- with Dynamic DNS to -
- the dynamic IP -
- Forwarding all traffic -
- to the 192.168.14.254 -
-------------------------
192.168.14.254
.
.
.
.
192.168.14.1
-------------------------
- VPN Server strongswan -
- with iptables & NAT -
- BLUE -
-------------------------
192.168.25.25
.
.
.
.
.
------------------
-192.168.25.0/24-
------------------

BLUE configuration:
ipsec.conf
config setup
    plutodebug=control
    charonstart=no
    nat_traversal=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret

conn net-net
    left=192.168.14.1
    leftsubnet=192.168.25.0/24
    leftid=@sun.strongswan.org
    leftfirewall=yes
    right=x.dyndns.org
    rightsubnet=192.168.100.0/24
    rightid=@moon.strongswan.org
    auto=start

ipsec.secrets
@moon.strongswan.org @sun.strongswan.org : PSK xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

RED configuration:
ipsec.conf
config setup
    plutodebug=control
    charonstart=no
    nat_traversal=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret

conn net-net
    left=192.168.2.254
    leftsubnet=192.168.100.0/24
    leftid=@moon.strongswan.org
    leftfirewall=yes
    right=y.dyndns.org
    rightsubnet=192.168.25.0/24
    rightid=@sun.strongswan.org
    auto=start

ipsec.secrets
@moon.strongswan.org @sun.strongswan.org : PSK xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

ipsec status
000 "net-net":
192.168.100.0/24===192.168.2.254:4500[@moon.strongswan.org]...xxxx.xx.xx.xxx:4500[@sun.strongswan.org]===192.168.25.0/24;
erouted; eroute owner: #7
000 "net-net": newest ISAKMP SA: #6; newest IPsec SA: #7;
000
000 #7: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in
292s; newest IPSEC; eroute owner
000 #7: "net-net" esp.2dff52df-Lwi65K7TOc+***@public.gmane.org (0 bytes) esp.8b0fa9d1-Q0ErXNX1RuYLg+***@public.gmane.org; tunnel
000 #6: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2067s;
newest ISAKMP

but my problem is no route nor ping from RED server to BLUE.

Any advice!!!

--
Best Regards
Walid Aweiwi
Systems Engineer
Network Department
Bisan Systems Ltd.
Tel +97222985941 ext 202
Fax +97222985942
Mobile +972599673507
http://www.bisan.com
http://www.bisan.ps
Daniel Mentz
2009-01-02 09:26:08 UTC
Permalink
Post by Walid Aweiwi
but my problem is no route nor ping from RED server to BLUE.
Hi Walid,

could you please provide us with the output of the command

ip route list

It should contain something like

192.168.25.0/24 dev ppp0 scope link src 192.168.100.100

The output will look different on your machine because you're
probably using an ethernet link instead of PPP.

The output of "ipsec status" looks very promising.
What's the exact output of the ping command? Does it say "no route to
host" or is it just not getting any reply (100% packet loss) ?

Please run tcpdump on the external interfaces of RED and BLUE in order
to see if those boxes transmit ESP packets or just unencrypted ICMP packets.

For the sake of completeness you could also include the output of the
two following commands:

ip xfrm state
ip xfrm policy

Regards,
Daniel
Walid Aweiwi
2009-01-02 11:18:30 UTC
Permalink
Hi Daniel,

RED output logs:
ip route list
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.100
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.254
169.254.0.0/16 dev eth0 scope link
default via 192.168.2.1 dev eth0

ipsec status
000 "net-net":
192.168.100.0/24===192.168.2.254:4500[@moon.strongswan.org]...213.6.10.244:4500[@sun.strongswan.org]===192.168.25.0/24;
erouted; eroute owner: #4
000 "net-net": newest ISAKMP SA: #3; newest IPsec SA: #4;
000
000 #2: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 722s
000 #2: "net-net" esp.a1da8e02-hI0Zi+***@public.gmane.org (0 bytes) esp.700349d6-Q0ErXNX1RuYLg+***@public.gmane.org (0
bytes); tunnel
000 #1: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3136s
000 #4: "net-net" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 871s;
newest IPSEC; eroute owner
000 #4: "net-net" esp.c13228b8-hI0Zi+***@public.gmane.org (0 bytes) esp.c5b532b7-Q0ErXNX1RuYLg+***@public.gmane.org; tunnel
000 #3: "net-net" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in
3271s; newest ISAKMP
000

ip xfrm policy
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0

ip xfrm state
src 213.6.10.244 dst 192.168.2.254
proto esp spi 0xc5b532b7 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x5c0a3d0f315b36ad2210bbabfe90202ea27a9012
enc aes 0xaee1287ed6439f8f7f06e9608a3bc044
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 213.6.10.244 dst 192.168.2.254
proto esp spi 0x700349d6 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x127407c58db393cffcbfdea180fa8d5018bac1d4
enc aes 0xa477d0b7b8393a8ccd643f43a4f379d6
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.2.254 dst 213.6.10.244
proto esp spi 0xc13228b8 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x9ca5f62b66e851411b0e7304533f510d2ed81f55
enc aes 0xfe00b0f04372a74c1f8a0fd5e732e8ce
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.2.254 dst 213.6.10.244
proto esp spi 0xa1da8e02 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x8fee90346508a1cf1e4a3fc7f194ec1563223eb6
enc aes 0x99188eda96220f3faad60b9bd6bbf717
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0




BLUE output logs:

ip route list
192.168.14.0/24 dev eth0 proto kernel scope link src 192.168.14.1
192.168.25.0/24 dev eth0 proto kernel scope link src 192.168.25.25
169.254.0.0/16 dev eth0 scope link
default via 192.168.14.254 dev eth0

ipsec status
000 "net-net":
192.168.25.0/24===192.168.14.1:4500[@sun.strongswan.org]...82.102.240.47:10171[@moon.strongswan.org]===192.168.100.0/24;
erouted; eroute owner: #4
000 "net-net": newest ISAKMP SA: #1; newest IPsec SA: #4;
000
000 #4: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in
488s; newest IPSEC; eroute owner
000 #4: "net-net" esp.c5b532b7-***@public.gmane.org (0 bytes) esp.c13228b8-***@public.gmane.org (0
bytes); tunnel
000 #1: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3011s;
newest ISAKMP
000 #3: "net-net" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 727s
000 #3: "net-net" esp.700349d6-***@public.gmane.org (0 bytes) esp.a1da8e02-***@public.gmane.org (0
bytes); tunnel
000 #2: "net-net" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3126s
000

src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0

src 192.168.14.1 dst 82.102.240.47
proto esp spi 0xc5b532b7 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x5c0a3d0f315b36ad2210bbabfe90202ea27a9012
enc aes 0xaee1287ed6439f8f7f06e9608a3bc044
encap type espinudp sport 4500 dport 10171 addr 0.0.0.0
src 192.168.14.1 dst 82.102.240.47
proto esp spi 0x700349d6 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x127407c58db393cffcbfdea180fa8d5018bac1d4
enc aes 0xa477d0b7b8393a8ccd643f43a4f379d6
encap type espinudp sport 4500 dport 10171 addr 0.0.0.0
src 82.102.240.47 dst 192.168.14.1
proto esp spi 0xc13228b8 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x9ca5f62b66e851411b0e7304533f510d2ed81f55
enc aes 0xfe00b0f04372a74c1f8a0fd5e732e8ce
encap type espinudp sport 10171 dport 4500 addr 0.0.0.0
src 82.102.240.47 dst 192.168.14.1
proto esp spi 0xa1da8e02 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x8fee90346508a1cf1e4a3fc7f194ec1563223eb6
enc aes 0x99188eda96220f3faad60b9bd6bbf717
encap type espinudp sport 10171 dport 4500 addr 0.0.0.0




the tcpdump logs on RED.

tcpdump -i eth0 not port ssh and not port domain and not arp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:15:32.213144 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:32.815520 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from
00:13:ce:e1:90:39 (oui Unknown), length: 300
13:15:32.822317 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from
00:13:ce:e1:90:39 (oui Unknown), length: 326
13:15:33.214593 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:35.696800 IP 192.168.2.100 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s)
13:15:35.733188 IP 192.168.2.100.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
13:15:41.256312 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:41.256475 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.005718 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.005887 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.756095 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.756299 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:43.505142 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:44.255700 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:45.005950 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:45.575554 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
isakmp-nat-keep-alive
13:15:46.607604 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
isakmp-nat-keep-alive
13:15:52.214772 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:53.216956 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:00.755893 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:00.756295 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:01.505012 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:01.505198 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:02.255106 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:02.255466 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:03.004167 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:03.753917 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:04.505081 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:05.263502 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:05.592182 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
isakmp-nat-keep-alive
13:16:06.012609 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:06.747796 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
isakmp-nat-keep-alive
13:16:06.761678 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:12.218682 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:12.971620 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 1,
length 64
13:16:13.220735 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:13.971711 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 2,
length 64
13:16:14.972435 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id

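The `ip xfrm policy` and `ip xfrm state` output Daniel asked for is the place to look when `ipsec status` reports an established SA but the ping still leaves the box unencrypted. What follows is an added Python example, not code from this thread or from strongSwan, that parses both outputs and reports the conditions under which a probe bypasses the tunnel: no outbound policy with a `tmpl` for the two subnets, a policy whose reqid has no SA behind it, or a probe sourced from an address outside leftsubnet. The RED samples are constructed from the output posted above (selectors, addresses, SPIs and reqid copied from it, keys left out); the "good" policy set is an assumption showing the entries a working net-to-net connection installs, in iproute2's print format. Run against RED's output with the ping sourced from 192.168.2.254, as in the capture above, it reports both the absent tunnel policy and the out-of-subnet source.

```python
"""Check whether an IPsec tunnel actually selects traffic, from the output
of `ip xfrm policy` and `ip xfrm state`.

Added example for this thread; not strongSwan code and nothing the posters
ran. RED samples are constructed from the posted output (keys omitted);
the "good" policy set is assumed and shows a working net-to-net policy.
"""
import ipaddress
import re

# Constructed from the thread: RED's `ip xfrm policy` held only catch-all
# entries with no `tmpl`, i.e. no policy that sends anything into ESP.
XFRM_POLICY_RED = """\
src ::/0 dst ::/0
\tdir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir in priority 0
src ::/0 dst ::/0
\tdir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir out priority 0
"""

# Constructed from the thread: RED's `ip xfrm state`, keys omitted.
XFRM_STATE_RED = """\
src 213.6.10.244 dst 192.168.2.254
\tproto esp spi 0xc5b532b7 reqid 16385 mode tunnel
src 192.168.2.254 dst 213.6.10.244
\tproto esp spi 0xc13228b8 reqid 16385 mode tunnel
"""

# Assumed, not from the thread: the policies a working net-net conn adds.
XFRM_POLICY_GOOD = XFRM_POLICY_RED + """\
src 192.168.100.0/24 dst 192.168.25.0/24
\tdir out priority 2344
\ttmpl src 192.168.2.254 dst 213.6.10.244
\t\tproto esp reqid 16385 mode tunnel
src 192.168.25.0/24 dst 192.168.100.0/24
\tdir in priority 2344
\ttmpl src 213.6.10.244 dst 192.168.2.254
\t\tproto esp reqid 16385 mode tunnel
src 192.168.25.0/24 dst 192.168.100.0/24
\tdir fwd priority 2344
\ttmpl src 213.6.10.244 dst 192.168.2.254
\t\tproto esp reqid 16385 mode tunnel
"""


def parse_policies(text):
    """Parse `ip xfrm policy` output: a record starts at an unindented
    `src ... dst ...` selector line; indented lines give direction and,
    for IPsec policies, the `tmpl` naming the SA (by reqid) to use."""
    policies = []
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if not line[0].isspace():
            m = re.match(r"src (\S+) dst (\S+)", s)
            policies.append({"src": m.group(1), "dst": m.group(2),
                             "dir": None, "tmpl": []})
        elif s.startswith("dir "):
            policies[-1]["dir"] = s.split()[1]
        elif s.startswith("tmpl "):
            m = re.match(r"tmpl src (\S+) dst (\S+)", s)
            policies[-1]["tmpl"].append({"src": m.group(1), "dst": m.group(2)})
        elif s.startswith("proto ") and policies[-1]["tmpl"]:
            m = re.match(r"proto (\w+) reqid (\d+) mode (\w+)", s)
            policies[-1]["tmpl"][-1].update(
                proto=m.group(1), reqid=int(m.group(2)), mode=m.group(3))
    return policies


def state_reqids(text):
    """reqids for which the kernel currently holds SAs."""
    return {int(r) for r in re.findall(r"proto \w+ spi \S+ reqid (\d+)", text)}


def covers(selector, net):
    """True if a policy selector (CIDR string) contains `net`."""
    sel = ipaddress.ip_network(selector)
    return sel.version == net.version and sel.supernet_of(net)


def diagnose(policy_text, state_text, local_net, remote_net, probe_src):
    """Return findings explaining why a probe from probe_src to remote_net
    is not encrypted; an empty list means policy, SA and source all line up."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    findings = []
    outbound = [p for p in parse_policies(policy_text)
                if p["dir"] == "out" and p["tmpl"]
                and covers(p["src"], local) and covers(p["dst"], remote)]
    if not outbound:
        findings.append(f"no outbound IPsec policy selects {local} -> {remote}: "
                        f"matching packets are routed in the clear")
    else:
        wanted = {t["reqid"] for p in outbound for t in p["tmpl"]}
        missing = wanted - state_reqids(state_text)
        if missing:
            findings.append(f"policy needs reqid(s) {sorted(missing)} but the "
                            f"kernel holds no SA for them")
    if ipaddress.ip_address(probe_src) not in local:
        findings.append(f"probe source {probe_src} is outside {local}, so the "
                        f"tunnel policy can never match it; source the ping "
                        f"from an address inside {local} (ping -I <addr>)")
    return findings


if __name__ == "__main__":
    for f in diagnose(XFRM_POLICY_RED, XFRM_STATE_RED,
                      "192.168.100.0/24", "192.168.25.0/24", "192.168.2.254"):
        print("-", f)
```

The script does not read ipsec.conf; leftsubnet and rightsubnet are passed in by hand so that a mismatch between what the config says and what the kernel actually holds is visible rather than hidden.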
Walid Aweiwi
2009-01-02 11:42:55 UTC
Permalink
RED tcpdump output:

cat /tmp/tcpdump.log | grep ESP
13:20:37.795130 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
13:20:37.944141 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
13:20:38.091078 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
13:20:51.544420 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others ? inf[E]
13:20:51.631910 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others ? inf[E]
13:20:51.684359 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others ? inf[E]
13:20:51.712082 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others ? inf[E]
13:20:51.729090 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others ? inf[E]
13:20:51.767064 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others ? inf[E]
13:20:51.772018 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others ? inf[E]
13:20:51.897217 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others ? inf[E]
13:20:52.002662 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others ? inf[E]
13:21:01.532021 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident
13:21:11.709750 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident
13:21:31.859271 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident
13:23:21.963069 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident[E]
13:23:22.046752 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 R ident[E]
13:23:22.168218 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:23:22.440587 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
13:23:22.622770 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:23:32.857717 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident
13:23:32.910278 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 R ident
13:23:33.107328 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident
13:23:33.149968 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 R ident
13:23:33.272857 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident[E]
13:23:33.273139 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 R ident[E]
13:23:33.506959 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:23:33.645808 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
13:23:33.798234 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:24:58.169342 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others R inf[E]
13:24:58.170001 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others R inf[E]
13:24:58.180619 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others R inf[E]
13:24:58.290224 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others R inf[E]
13:24:58.337283 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I inf[E]
13:24:58.360755 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I inf[E]
13:24:58.495345 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others R inf[E]
13:25:08.614580 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident
13:25:18.755690 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident
13:25:38.774390 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident
13:27:53.928110 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident[E]
13:27:54.010098 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 R ident[E]
13:27:54.132972 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:27:54.402197 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
13:27:54.576001 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:29:23.648294 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others R inf[E]
13:29:23.720663 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others R inf[E]
13:29:23.747362 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I inf[E]
13:29:33.755075 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident
13:29:43.940855 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident
13:30:03.955384 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident
13:33:32.549351 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident[E]
13:33:32.646332 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 R ident[E]
13:33:32.770124 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:33:33.020016 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
13:33:33.216916 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:33:50.342322 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I inf[E]
13:33:50.402856 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I inf[E]
13:33:50.449530 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others R inf[E]
13:33:50.649064 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others R inf[E]
13:34:01.699136 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident
13:34:01.755442 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 R ident
13:34:02.056607 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident
13:34:02.099292 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 R ident
13:34:12.098243 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 R ident
13:34:12.115971 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident
13:34:12.208864 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 I ident[E]
13:34:12.221128 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 1 R ident[E]
13:34:12.454657 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
13:34:12.590779 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
13:34:12.849814 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t:
NONESP-encap: isakmp: phase 2/others I oakley-quick[E]


---------- Original Message -----------
From: "Walid Aweiwi" <walid-5LNP/***@public.gmane.org>
To: Daniel Mentz <danielml+mailinglists.strongswan-***@public.gmane.org>
Cc: users-3+4lAyCyj6DkhV4RL1hkzWD2FQJk+8+***@public.gmane.org
Sent: Fri, 2 Jan 2009 13:18:30 +0200
Subject: Re: [strongSwan] Problem with ikev1 net2net-psk, both VPN servers are behind NAT
Post by Walid Aweiwi
Hi Daniel,
ip route list
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.100
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.254
169.254.0.0/16 dev eth0 scope link
default via 192.168.2.1 dev eth0
ipsec status
erouted; eroute owner: #4
000 "net-net": newest ISAKMP SA: #3; newest IPsec SA: #4;
000
000 #2: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established);
(ISAKMP SA established); EVENT_SA_REPLACE in 3136s 000 #4: "net-net"
STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 871s; newest IPSEC;
ISAKMP SA established); EVENT_SA_REPLACE in 3271s; newest ISAKMP 000
ip xfrm policy
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
ip xfrm state
src 213.6.10.244 dst 192.168.2.254
proto esp spi 0xc5b532b7 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x5c0a3d0f315b36ad2210bbabfe90202ea27a9012
enc aes 0xaee1287ed6439f8f7f06e9608a3bc044
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 213.6.10.244 dst 192.168.2.254
proto esp spi 0x700349d6 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x127407c58db393cffcbfdea180fa8d5018bac1d4
enc aes 0xa477d0b7b8393a8ccd643f43a4f379d6
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.2.254 dst 213.6.10.244
proto esp spi 0xc13228b8 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x9ca5f62b66e851411b0e7304533f510d2ed81f55
enc aes 0xfe00b0f04372a74c1f8a0fd5e732e8ce
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.2.254 dst 213.6.10.244
proto esp spi 0xa1da8e02 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x8fee90346508a1cf1e4a3fc7f194ec1563223eb6
enc aes 0x99188eda96220f3faad60b9bd6bbf717
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
ip route list
192.168.14.0/24 dev eth0 proto kernel scope link src 192.168.14.1
192.168.25.0/24 dev eth0 proto kernel scope link src 192.168.25.25
169.254.0.0/16 dev eth0 scope link
default via 192.168.14.254 dev eth0
ipsec status
erouted; eroute owner: #4
000 "net-net": newest ISAKMP SA: #1; newest IPsec SA: #4;
000
000 #4: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 488s; newest IPSEC; eroute owner 000 #4: "net-net"
tunnel 000 #1: "net-net" STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 3011s; newest ISAKMP 000 #3: "net-net" STATE_QUICK_R2
(IPsec SA established); EVENT_SA_REPLACE in 727s 000 #3: "net-net"
tunnel 000 #2: "net-net" STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 3126s 000
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 192.168.14.1 dst 82.102.240.47
proto esp spi 0xc5b532b7 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x5c0a3d0f315b36ad2210bbabfe90202ea27a9012
enc aes 0xaee1287ed6439f8f7f06e9608a3bc044
encap type espinudp sport 4500 dport 10171 addr 0.0.0.0
src 192.168.14.1 dst 82.102.240.47
proto esp spi 0x700349d6 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x127407c58db393cffcbfdea180fa8d5018bac1d4
enc aes 0xa477d0b7b8393a8ccd643f43a4f379d6
encap type espinudp sport 4500 dport 10171 addr 0.0.0.0
src 82.102.240.47 dst 192.168.14.1
proto esp spi 0xc13228b8 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x9ca5f62b66e851411b0e7304533f510d2ed81f55
enc aes 0xfe00b0f04372a74c1f8a0fd5e732e8ce
encap type espinudp sport 10171 dport 4500 addr 0.0.0.0
src 82.102.240.47 dst 192.168.14.1
proto esp spi 0xa1da8e02 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x8fee90346508a1cf1e4a3fc7f194ec1563223eb6
enc aes 0x99188eda96220f3faad60b9bd6bbf717
encap type espinudp sport 10171 dport 4500 addr 0.0.0.0
The tcpdump log on RED:
tcpdump -i eth0 not port ssh and not port domain and not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:15:32.213144 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:32.815520 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:13:ce:e1:90:39 (oui Unknown), length: 300
13:15:32.822317 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:13:ce:e1:90:39 (oui Unknown), length: 326
13:15:33.214593 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:35.696800 IP 192.168.2.100 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s)
13:15:35.733188 IP 192.168.2.100.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
13:15:41.256312 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:15:41.256475 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.005718 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.005887 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.756095 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.756299 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:15:43.505142 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:15:44.255700 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:15:45.005950 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:15:45.575554 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t: isakmp-nat-keep-alive
13:15:46.607604 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t: isakmp-nat-keep-alive
13:15:52.214772 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:53.216956 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:00.755893 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:16:00.756295 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:16:01.505012 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:16:01.505198 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:16:02.255106 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:16:02.255466 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:16:03.004167 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:16:03.753917 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:16:04.505081 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:16:05.263502 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:16:05.592182 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t: isakmp-nat-keep-alive
13:16:06.012609 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:16:06.747796 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t: isakmp-nat-keep-alive
13:16:06.761678 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
13:16:12.218682 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:12.971620 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 1, length 64
13:16:13.220735 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:13.971711 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 2, length 64
13:16:14.972435 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id
--
Best Regards
Walid Aweiwi
Systems Engineer
Network Department
Bisan Systems Ltd.
Tel +97222985941 ext 202
Fax +97222985942
Mobile +972599673507
http://www.bisan.com
http://www.bisan.ps
---------- Original Message -----------
Sent: Fri, 02 Jan 2009 10:26:08 +0100
Subject: Re: [strongSwan] Problem with ikev1 net2net-psk, both VPN servers are behind NAT
Post by Daniel Mentz
Post by Walid Aweiwi
but my problem is no route nor ping from RED server to BLUE.
Hi Walid,
could you please provide us with the output of the command
ip route list
It should contain something like
192.168.25.0/24 dev ppp0 scope link src 192.168.100.100
The outlook will look differently on your machine because you're
probably using an ethernet link instead of PPP.
The output of "ipsec status" looks very promising.
What's the exact output of the ping command? Does it say "no route to
host" or is it just not getting any reply (100% packet loss) ?
Please run tcpdump on the external interfaces of RED and BLUE in order
to see if those boxes transmit ESP packets or just unencrypted ICMP packets.
For the sake of completeness you could also include the output of the
ip xfrm state
ip xfrm policy
Regards,
Daniel
*************
This message has been scanned for viruses and dangerous content by Bisan
Systems Ltd MailScanner, and is believed to be clean.Bisan Systems Ltd does
not represent that any attachment is free from computer viruses or
defects and the user assumes all responsibility for any loss, damage or
consequence resulting directly or indirectly from the use of any
attachment. The information contained in any email does not necessarily
reflect the views of Bisan systems or any other related entities or persons.
------- End of Original Message -------
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
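The tcpdump test Daniel asked for, applied to the RED capture above as an added example (not part of the thread): the script classifies the packets that should have been inside the tunnel. With the Linux xfrm stack a capture on the external interface sees packets after ESP encapsulation, so addresses from the protected subnets must never show up on the wire in the clear. One caveat the capture itself shows: the echo requests leave with source 192.168.2.254, RED's eth0 address, which is not inside leftsubnet 192.168.100.0/24, so they fall outside the negotiated selector and would travel unencrypted even with a correct SPD. The first five sample lines are taken from the posted capture; the last two (a ping sourced from 192.168.100.100 and an ESP-in-UDP packet) are constructed, and all function and constant names are my own.

```python
"""Added example, not code from the thread: classify site-to-site packets
seen on RED's external interface.  After xfrm processing only ESP (here
UDP-encapsulated on port 4500) toward the peer should be visible."""
import ipaddress
import re

# Selector negotiated for "net-net" as seen from RED.
LOCAL_NET = ipaddress.ip_network("192.168.100.0/24")    # RED's leftsubnet
REMOTE_NET = ipaddress.ip_network("192.168.25.0/24")    # BLUE's subnet

# tcpdump default line: "HH:MM:SS.uuuuuu IP src[.port] > dst[.port]: payload"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+?) > (?P<dst>\S+?): (?P<rest>.*)$")

# Lines 1-5: excerpt of the capture posted above.  Lines 6-7: constructed,
# a ping sourced from inside leftsubnet and a correctly encapsulated packet
# (outer addresses only, UDP-encap ESP toward the NAT-T peer).
SAMPLE_CAPTURE = """\
13:15:32.213144 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:35.733188 IP 192.168.2.100.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP PACKET(137): REGISTRATION; REQUEST; BROADCAST
13:15:45.575554 IP a10-244.adsl.paltel.net.ipsec-nat-t > 192.168.2.254.ipsec-nat-t: isakmp-nat-keep-alive
13:16:12.971620 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 1, length 64
13:16:13.971711 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 2, length 64
13:16:20.000000 IP 192.168.100.100 > 192.168.25.25: ICMP echo request, id 1, seq 1, length 64
13:16:21.000000 IP 192.168.2.254.ipsec-nat-t > a10-244.adsl.paltel.net.ipsec-nat-t: UDP-encap: ESP(spi=0xc13228b8,seq=0x1), length 132
"""


def wire_address(field):
    """tcpdump prints 'addr.port', the port often as a service name; return the
    IPv4 address, or None when the field is a hostname (NAT-T peer, multicast)."""
    parts = field.split(".")
    for candidate in (field, ".".join(parts[:4])):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def classify_capture(capture, local_net=LOCAL_NET, remote_net=REMOTE_NET):
    """Sort packets that involve the remote subnet into
      'unprotected'      - inner addresses on the wire although they match the
                           selector: the SPD has no policy steering them into ESP;
      'outside_selector' - to/from the remote subnet, but the other end is not
                           in local_net, so no tunnel policy could match (e.g. a
                           ping sourced from the gateway's own 192.168.2.254).
    LAN chatter, IKE/NAT-T keepalives and ESP itself are ignored."""
    result = {"unprotected": [], "outside_selector": []}
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, dst = wire_address(m["src"]), wire_address(m["dst"])
        if src is None or dst is None:
            continue
        to_remote, from_remote = dst in remote_net, src in remote_net
        if not (to_remote or from_remote):
            continue
        in_selector = (src in local_net and to_remote) or (from_remote and dst in local_net)
        result["unprotected" if in_selector else "outside_selector"].append(
            (m["ts"], str(src), str(dst), m["rest"]))
    return result


if __name__ == "__main__":
    for kind, packets in classify_capture(SAMPLE_CAPTURE).items():
        for ts, src, dst, rest in packets:
            print(f"{kind:16} {ts} {src} > {dst}: {rest}")
```

Run as-is to print the classification of the sample. To probe the tunnel from the gateway itself, source the test packet from an address inside the selector, e.g. `ping -I 192.168.100.100 192.168.25.25`; a working tunnel then shows no 192.168.25.x address in the capture at all, only UDP-encapsulated ESP toward the peer.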
Daniel Mentz
2009-01-02 12:14:12 UTC
Permalink
Hi Walid,

thanks for the debug output.
The command "ip xfrm policy" printed the contents of the so called
Security Policy Database or SPD. To me it seems that the correct entries
are missing in this database. It's over my head why those entries are
missing. Also, the routing table misses necessary entries as well.

From the tcpdump output you provided I can see that the packets are not
encrypted which is a consequence of the fact that those SPD entries are
missing.

I would like to ask you again to provide additional data: You enabled

plutodebug=control

which is a good thing. Could you please provide us with the data from
the syslog output. This is in /var/log/auth.log on my debian system but
it might be located in a different file depending on your distribution.
I'm interested in the lines containing "pluto[xxxx]".

Thanks
Daniel
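Daniel's SPD check, written out as an added example (not code from the thread or from strongSwan): it parses the `ip xfrm policy` and `ip xfrm state` text quoted in this thread, reports which of the out/in/fwd tunnel policies for 192.168.100.0/24 and 192.168.25.0/24 are absent, and lists SAs whose reqid no policy template references. Assumptions: the Linux netkey backend installs out, in and fwd policies for a tunnel-mode connection (the `dirs` parameter covers stacks that do not); `HEALTHY_POLICY_DUMP` is constructed to show what a working SPD looks like; and the auth/enc key lines of the posted state dump are deliberately left out, since `ip xfrm state` prints live key material that is worth redacting before it goes to a mailing list.

```python
"""Added example, not code from the thread or from strongSwan: check the
SPD that `ip xfrm policy` prints for the policies a net-net tunnel needs and
cross-check `ip xfrm state` for SAs that no policy references."""
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.100.0/24")   # RED's leftsubnet
REMOTE_NET = ipaddress.ip_network("192.168.25.0/24")   # BLUE's subnet


def parse_xfrm_policy(text):
    """A record starts at a 'src ... dst ...' line; 'dir' gives the direction,
    'tmpl' opens a template and the next 'proto ...' line fills it.  The
    0.0.0.0/0 bypass entries in the posted dump carry no template at all."""
    policies = []
    for raw in text.splitlines():
        tok = raw.split()
        if tok and tok[0] == "src" and len(tok) >= 4:
            policies.append({"src": ipaddress.ip_network(tok[1], strict=False),
                             "dst": ipaddress.ip_network(tok[3], strict=False),
                             "dir": None, "tmpl": []})
        elif not tok or not policies:
            continue
        elif tok[0] == "dir":
            policies[-1]["dir"] = tok[1]
        elif tok[0] == "tmpl":
            policies[-1]["tmpl"].append({"proto": None, "mode": None, "reqid": None})
        elif tok[0] == "proto" and policies[-1]["tmpl"]:
            kv = dict(zip(tok[::2], tok[1::2]))
            policies[-1]["tmpl"][-1].update(proto=kv.get("proto"),
                                            mode=kv.get("mode"), reqid=kv.get("reqid"))
    return policies


def parse_xfrm_state(text):
    """One SA per 'src ... dst ...' line; its 'proto ...' line carries spi,
    reqid and mode.  Key lines (auth/enc) are never looked at."""
    sas = []
    for raw in text.splitlines():
        tok = raw.split()
        if tok and tok[0] == "src" and len(tok) >= 4:
            sas.append({"src": tok[1], "dst": tok[3]})
        elif tok and tok[0] == "proto" and sas:
            kv = dict(zip(tok[::2], tok[1::2]))
            sas[-1].update(proto=kv.get("proto"), spi=kv.get("spi"),
                           reqid=kv.get("reqid"), mode=kv.get("mode"))
    return sas


def missing_tunnel_policies(policies, local_net, remote_net, dirs=("out", "in", "fwd")):
    """Directions that lack a policy with the net-net selector and an ESP
    tunnel-mode template.  Linux netkey installs out, in and fwd policies for
    a tunnel (assumption); pass dirs=("out", "in") for a stack without fwd."""
    want = {"out": (local_net, remote_net), "in": (remote_net, local_net),
            "fwd": (remote_net, local_net)}
    found = {p["dir"] for p in policies
             if p["dir"] in want and (p["src"], p["dst"]) == want[p["dir"]]
             and any(t["proto"] == "esp" and t["mode"] == "tunnel" for t in p["tmpl"])}
    return set(dirs) - found


def orphaned_sas(sas, policies):
    """SAs whose reqid no policy template references: keys were negotiated,
    but nothing in the SPD will ever steer traffic into them."""
    referenced = {t["reqid"] for p in policies for t in p["tmpl"] if t["reqid"]}
    return [sa for sa in sas if sa.get("reqid") not in referenced]


# Excerpt of RED's dumps as posted (the full policy dump repeats the
# 0.0.0.0/0 entries; none has a tmpl line).  Key lines omitted.
RED_POLICY_DUMP = """\
src ::/0 dst ::/0
    dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 0
"""
RED_STATE_DUMP = """\
src 213.6.10.244 dst 192.168.2.254
    proto esp spi 0xc5b532b7 reqid 16385 mode tunnel
src 192.168.2.254 dst 213.6.10.244
    proto esp spi 0xc13228b8 reqid 16385 mode tunnel
"""
# Constructed: what the SPD should hold for "net-net" once the tunnel is up.
HEALTHY_POLICY_DUMP = """\
src 192.168.100.0/24 dst 192.168.25.0/24
    dir out priority 0
    tmpl src 192.168.2.254 dst 213.6.10.244
        proto esp reqid 16385 mode tunnel
src 192.168.25.0/24 dst 192.168.100.0/24
    dir in priority 0
    tmpl src 213.6.10.244 dst 192.168.2.254
        proto esp reqid 16385 mode tunnel
src 192.168.25.0/24 dst 192.168.100.0/24
    dir fwd priority 0
    tmpl src 213.6.10.244 dst 192.168.2.254
        proto esp reqid 16385 mode tunnel
"""

if __name__ == "__main__":
    pol = parse_xfrm_policy(RED_POLICY_DUMP)
    print("missing:", sorted(missing_tunnel_policies(pol, LOCAL_NET, REMOTE_NET)))
    print("orphaned SAs:", [sa["spi"] for sa in orphaned_sas(parse_xfrm_state(RED_STATE_DUMP), pol)])
```

On the posted dump all three directions come back missing and both SAs come back orphaned: the keys were negotiated, but nothing in the SPD steers 192.168.100.0/24 traffic into them, which is exactly why the ICMP leaves in the clear. On a host, feed the live output in with `subprocess.run(["ip", "xfrm", "policy"], capture_output=True, text=True).stdout` instead of the pasted strings.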
Walid Aweiwi
2009-01-02 12:25:34 UTC
Permalink
On RED:
tail -f /var/log/secure

Jan 2 14:23:18 sarisiR pluto[8015]: |
Jan 2 14:23:18 sarisiR pluto[8015]: | *received whack message
Jan 2 14:23:18 sarisiR pluto[8015]: | creating state object #3 at 0x8920ca8
Jan 2 14:23:18 sarisiR pluto[8015]: | ICOOKIE: 17 72 af 70 b1 c9 3f ca
Jan 2 14:23:18 sarisiR pluto[8015]: | RCOOKIE: 00 00 00 00 00 00 00 00
Jan 2 14:23:18 sarisiR pluto[8015]: | peer: d5 06 0a f4
Jan 2 14:23:18 sarisiR pluto[8015]: | state hash entry 12
Jan 2 14:23:18 sarisiR pluto[8015]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #3
Jan 2 14:23:18 sarisiR pluto[8015]: | Queuing pending Quick Mode with 213.6.10.244 "net-net"
Jan 2 14:23:18 sarisiR pluto[8015]: "net-net" #3: initiating Main Mode
Jan 2 14:23:18 sarisiR pluto[8015]: | 7_128-2-14,
Jan 2 14:23:18 sarisiR pluto[8015]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #3
Jan 2 14:23:18 sarisiR pluto[8015]: | next event EVENT_RETRANSMIT in 10 seconds for #3
Jan 2 14:23:18 sarisiR pluto[8015]: |
Jan 2 14:23:18 sarisiR pluto[8015]: | *received 156 bytes from 213.6.10.244:4500 on eth0
Jan 2 14:23:18 sarisiR pluto[8015]: | ICOOKIE: 17 72 af 70 b1 c9 3f ca
Jan 2 14:23:18 sarisiR pluto[8015]: | RCOOKIE: f3 a5 f6 d3 6b 87 de b7
Jan 2 14:23:18 sarisiR pluto[8015]: | peer: d5 06 0a f4
Jan 2 14:23:18 sarisiR pluto[8015]: | state hash entry 0
Jan 2 14:23:18 sarisiR pluto[8015]: | state object not found
Jan 2 14:23:18 sarisiR pluto[8015]: | ICOOKIE: 17 72 af 70 b1 c9 3f ca
Jan 2 14:23:18 sarisiR pluto[8015]: | RCOOKIE: 00 00 00 00 00 00 00 00
Jan 2 14:23:18 sarisiR pluto[8015]: | peer: d5 06 0a f4
Jan 2 14:23:18 sarisiR pluto[8015]: | state hash entry 12
Jan 2 14:23:18 sarisiR pluto[8015]: | state object #3 found, in STATE_MAIN_I1
Jan 2 14:23:18 sarisiR pluto[8015]: "net-net" #3: ignoring Vendor ID payload [strongSwan 4.2.10]
Jan 2 14:23:18 sarisiR pluto[8015]: "net-net" #3: received Vendor ID payload [XAUTH]
Jan 2 14:23:18 sarisiR pluto[8015]: "net-net" #3: received Vendor ID payload [Dead Peer Detection]
Jan 2 14:23:18 sarisiR pluto[8015]: "net-net" #3: received Vendor ID payload [RFC 3947]
Jan 2 14:23:18 sarisiR pluto[8015]: "net-net" #3: enabling possible NAT-traversal with method 3
Jan 2 14:23:18 sarisiR pluto[8015]: | ICOOKIE: 17 72 af 70 b1 c9 3f ca
Jan 2 14:23:18 sarisiR pluto[8015]: | RCOOKIE: 00 00 00 00 00 00 00 00
Jan 2 14:23:18 sarisiR pluto[8015]: | peer: d5 06 0a f4
Jan 2 14:23:18 sarisiR pluto[8015]: | state hash entry 12
Jan 2 14:23:18 sarisiR pluto[8015]: | ICOOKIE: 17 72 af 70 b1 c9 3f ca
Jan 2 14:23:18 sarisiR pluto[8015]: | RCOOKIE: f3 a5 f6 d3 6b 87 de b7
Jan 2 14:23:18 sarisiR pluto[8015]: | peer: d5 06 0a f4
Jan 2 14:23:18 sarisiR pluto[8015]: | state hash entry 0
Jan 2 14:23:18 sarisiR pluto[8015]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #3
Jan 2 14:23:18 sarisiR pluto[8015]: | next event EVENT_RETRANSMIT in 10 seconds for #3
Jan 2 14:23:18 sarisiR pluto[8015]: |
Jan 2 14:23:18 sarisiR pluto[8015]: | *received 356 bytes from 213.6.10.244:4500 on eth0
Jan 2 14:23:18 sarisiR pluto[8015]: | ICOOKIE: 17 72 af 70 b1 c9 3f ca
Jan 2 14:23:18 sarisiR pluto[8015]: | RCOOKIE: f3 a5 f6 d3 6b 87 de b7
Jan 2 14:23:18 sarisiR pluto[8015]: | peer: d5 06 0a f4
Jan 2 14:23:18 sarisiR pluto[8015]: | state hash entry 0
Jan 2 14:23:18 sarisiR pluto[8015]: | state object #3 found, in STATE_MAIN_I2
Jan 2 14:23:18 sarisiR pluto[8015]: "net-net" #3: NAT-Traversal: Result using RFC 3947: both are NATed
Jan 2 14:23:18 sarisiR pluto[8015]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
Jan 2 14:23:18 sarisiR pluto[8015]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #3
Jan 2 14:23:18 sarisiR pluto[8015]: | next event EVENT_RETRANSMIT in 10 seconds for #3
Jan 2 14:23:18 sarisiR pluto[8015]: |
Jan 2 14:23:18 sarisiR pluto[8015]: | *received 92 bytes from 213.6.10.244:4500 on eth0
Jan 2 14:23:18 sarisiR pluto[8015]: | ICOOKIE: 17 72 af 70 b1 c9 3f ca
Jan 2 14:23:18 sarisiR pluto[8015]: | RCOOKIE: f3 a5 f6 d3 6b 87 de b7
Jan 2 14:23:18 sarisiR pluto[8015]: | peer: d5 06 0a f4
Jan 2 14:23:18 sarisiR pluto[8015]: | state hash entry 0
Jan 2 14:23:18 sarisiR pluto[8015]: | state object #3 found, in STATE_MAIN_I3
Jan 2 14:23:18 sarisiR pluto[8015]: "net-net" #3: Peer ID is ID_FQDN: '@sun.strongswan.org'
Jan 2 14:23:18 sarisiR pluto[8015]: | peer CA: '%none'
Jan 2 14:23:18 sarisiR pluto[8015]: | required CA: '%none'
Jan 2 14:23:18 sarisiR pluto[8015]: | inserting event EVENT_SA_REPLACE, timeout in 3292 seconds for #3
Jan 2 14:23:18 sarisiR pluto[8015]: "net-net" #3: ISAKMP SA established
Jan 2 14:23:18 sarisiR pluto[8015]: | unqueuing pending Quick Mode with 213.6.10.244 "net-net"
Jan 2 14:23:18 sarisiR pluto[8015]: | duplicating state object #3
Jan 2 14:23:18 sarisiR pluto[8015]: | creating state object #4 at 0x8922e90
Jan 2 14:23:18 sarisiR pluto[8015]: | ICOOKIE: 17 72 af 70 b1 c9 3f ca
Jan 2 14:23:18 sarisiR pluto[8015]: | RCOOKIE: f3 a5 f6 d3 6b 87 de b7
Jan 2 14:23:18 sarisiR pluto[8015]: | peer: d5 06 0a f4
Jan 2 14:23:18 sarisiR pluto[8015]: | state hash entry 0
Jan 2 14:23:18 sarisiR pluto[8015]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #4
Jan 2 14:23:18 sarisiR pluto[8015]: "net-net" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3}
Jan 2 14:23:18 sarisiR pluto[8015]: | 12_128-2, 3_000-1,
Jan 2 14:23:18 sarisiR pluto[8015]: | kernel_alg_db_prop_new() will return p_new->protoid=3, p_new->trans_cnt=2
Jan 2 14:23:18 sarisiR pluto[8015]: | kernel_alg_db_prop_new() trans[0]: transid=12, attr_cnt=2, attrs[0].type=5, attrs[0].val=2
Jan 2 14:23:18 sarisiR pluto[8015]: | kernel_alg_db_prop_new() trans[1]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=1
Jan 2 14:23:19 sarisiR pluto[8015]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #4
Jan 2 14:23:19 sarisiR pluto[8015]: | next event EVENT_RETRANSMIT in 10 seconds for #4
Jan 2 14:23:19 sarisiR pluto[8015]: |
Jan 2 14:23:19 sarisiR pluto[8015]: | *received 428 bytes from 213.6.10.244:4500 on eth0
Jan 2 14:23:19 sarisiR pluto[8015]: | ICOOKIE: 17 72 af 70 b1 c9 3f ca
Jan 2 14:23:19 sarisiR pluto[8015]: | RCOOKIE: f3 a5 f6 d3 6b 87 de b7
Jan 2 14:23:19 sarisiR pluto[8015]: | peer: d5 06 0a f4
Jan 2 14:23:19 sarisiR pluto[8015]: | state hash entry 0
Jan 2 14:23:19 sarisiR pluto[8015]: | state object #4 found, in STATE_QUICK_I1
Jan 2 14:23:19 sarisiR pluto[8015]: | our client is subnet 192.168.100.0/24
Jan 2 14:23:19 sarisiR pluto[8015]: | our client protocol/port is 0/0
Jan 2 14:23:19 sarisiR pluto[8015]: | peer client is subnet 192.168.25.0/24
Jan 2 14:23:19 sarisiR pluto[8015]: | peer client protocol/port is 0/0
Jan 2 14:23:19 sarisiR pluto[8015]: | kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20
Jan 2 14:23:19 sarisiR pluto[8015]: | install_ipsec_sa() for #4: inbound and outbound
Jan 2 14:23:19 sarisiR pluto[8015]: | route owner of "net-net" prospective erouted: self; eroute owner: self
Jan 2 14:23:19 sarisiR pluto[8015]: | add inbound eroute 192.168.25.0/24:0 -> 192.168.100.0/24:0 => tun.10000-Q0ErXNX1RuYLg+***@public.gmane.org:0
Jan 2 14:23:19 sarisiR pluto[8015]: | sr for #4: prospective erouted
Jan 2 14:23:19 sarisiR pluto[8015]: | route owner of "net-net" prospective erouted: self; eroute owner: self
Jan 2 14:23:19 sarisiR pluto[8015]: | eroute_connection replace eroute 192.168.100.0/24:0 -> 192.168.25.0/24:0 => tun.0-hI0Zi+***@public.gmane.org:0
Jan 2 14:23:19 sarisiR pluto[8015]: | executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='net-net' PLUTO_NEXT_HOP='213.6.10.244' PLUTO_INTERFACE='eth0' PLUTO_REQID='16385' PLUTO_ME='192.168.2.254' PLUTO_MY_ID='@moon.strongswan.org' PLUTO_MY_CLIENT='192.168.100.0/24' PLUTO_MY_CLIENT_NET='192.168.100.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='213.6.10.244' PLUTO_PEER_ID='@sun.strongswan.org' PLUTO_PEER_CLIENT='192.168.25.0/24' PLUTO_PEER_CLIENT_NET='192.168.25.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' ipsec _updown iptables
Jan 2 14:23:19 sarisiR pluto[8015]: | route_and_eroute: firewall_notified: true
Jan 2 14:23:19 sarisiR pluto[8015]: | route_and_eroute: instance "net-net", setting eroute_owner {spd=0x892023c,sr=0x892023c} to #4 (was #0) (newest_ipsec_sa=#0)
Jan 2 14:23:19 sarisiR pluto[8015]: | inserting event EVENT_SA_REPLACE, timeout in 842 seconds for #4
Jan 2 14:23:19 sarisiR pluto[8015]: "net-net" #4: sent QI2, IPsec SA established {ESP=>0x5a63835f <0xa7248a86 NATOA=0.0.0.0}
Jan 2 14:23:19 sarisiR pluto[8015]: | next event EVENT_NAT_T_KEEPALIVE in 19 seconds
Jan 2 14:23:38 sarisiR pluto[8015]: |
Jan 2 14:23:38 sarisiR pluto[8015]: | *time to handle event
Jan 2 14:23:38 sarisiR pluto[8015]: | event after this is EVENT_SA_REPLACE in 823 seconds
Jan 2 14:23:38 sarisiR pluto[8015]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
Jan 2 14:23:38 sarisiR pluto[8015]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds
Jan 2 14:23:58 sarisiR pluto[8015]: |
Jan 2 14:23:58 sarisiR pluto[8015]: | *time to handle event
Jan 2 14:23:58 sarisiR pluto[8015]: | event after this is EVENT_SA_REPLACE in 803 seconds
Jan 2 14:23:58 sarisiR pluto[8015]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
Jan 2 14:23:58 sarisiR pluto[8015]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds


PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.005887 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.756095 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.756299 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:43.505142 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:44.255700 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:45.005950 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
isakmp-nat-keep-alive
isakmp-nat-keep-alive
13:15:52.214772 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:53.216956 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:00.755893 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:00.756295 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:01.505012 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:01.505198 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:02.255106 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:02.255466 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:03.004167 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:03.753917 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:04.505081 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:05.263502 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
isakmp-nat-keep-alive
13:16:06.012609 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
isakmp-nat-keep-alive
13:16:06.761678 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:12.218682 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:12.971620 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 1,
length 64
13:16:13.220735 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:13.971711 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 2,
length 64
13:16:14.972435 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id
--
Best Regards
Walid Aweiwi
Systems Engineer
Network Department
Bisan Systems Ltd.
Tel +97222985941 ext 202
Fax +97222985942
Mobile +972599673507
http://www.bisan.com
http://www.bisan.ps
---------- Original Message -----------
Sent: Fri, 02 Jan 2009 10:26:08 +0100
Subject: Re: [strongSwan] Problem with ikev1 net2net-psk, both VPN servers are behind NAT
Post by Daniel Mentz
Post by Walid Aweiwi
but my problem is no route nor ping from RED server to BLUE.
Hi Walid,
could you please provide us with the output of the command
ip route list
It should contain something like
192.168.25.0/24 dev ppp0 scope link src 192.168.100.100
The output will look different on your machine because you're
probably using an ethernet link instead of PPP.
The output of "ipsec status" looks very promising.
What's the exact output of the ping command? Does it say "no route to
host" or is it just not getting any reply (100% packet loss) ?
Please run tcpdump on the external interfaces of RED and BLUE in order
to see if those boxes transmit ESP packets or just unencrypted ICMP packets.
For the sake of completeness you could also include the output of the
ip xfrm state
ip xfrm policy
Regards,
Daniel
*************
This message has been scanned for viruses and dangerous content by Bisan
Systems Ltd MailScanner, and is believed to be clean.Bisan Systems Ltd does
not represent that any attachment is free from computer viruses or
defects and the user assumes all responsibility for any loss, damage or
consequence resulting directly or indirectly from the use of any
attachment. The information contained in any email does not necessarily
reflect the views of Bisan systems or any other related entities or persons.
------- End of Original Message -------
Walid Aweiwi
2009-01-02 12:35:50 UTC
Permalink
Hi Daniel,

I forgot to mention that I'm using a virtual interface (eth0, eth0:1), not two NICs: eth0
is the WAN "external" NIC and eth0:1 is the LAN "internal" NIC.

--
Best Regards
Walid Aweiwi
Systems Engineer
Network Department
Bisan Systems Ltd.
Tel +97222985941 ext 202
Fax +97222985942
Mobile +972599673507
http://www.bisan.com
http://www.bisan.ps

---------- Original Message -----------
From: Daniel Mentz <danielml+mailinglists.strongswan-***@public.gmane.org>
To: Walid Aweiwi <walid-5LNP/***@public.gmane.org>
Cc: users-3+4lAyCyj6DkhV4RL1hkzWD2FQJk+8+***@public.gmane.org
Sent: Fri, 02 Jan 2009 13:14:12 +0100
Subject: Re: [strongSwan] Problem with ikev1 net2net-psk, both VPN servers are behind NAT
Post by Daniel Mentz
Hi Walid,
thanks for the debug output.
The command "ip xfrm policy" printed the contents of the so-called
Security Policy Database, or SPD. To me it seems that the correct entries
are missing in this database. It's over my head why those entries are
missing. Also, the routing table is missing necessary entries as well.
From the tcpdump output you provided I can see that the packets are not
encrypted, which is a consequence of the fact that those SPD entries are
missing.
I would like to ask you again to provide additional data: you enabled
plutodebug=control
which is a good thing. Could you please provide us with the data from
the syslog output? This is in /var/log/auth.log on my Debian system, but
it might be located in a different file depending on your distribution.
I'm interested in the lines containing "pluto[xxxx]".
Thanks
Daniel
Post by Walid Aweiwi
Hi Daniel,
ip route list
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.100
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.254
169.254.0.0/16 dev eth0 scope link
default via 192.168.2.1 dev eth0
ipsec status
erouted; eroute owner: #4
000 "net-net": newest ISAKMP SA: #3; newest IPsec SA: #4;
000
000 #2: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 722s
bytes); tunnel
000 #1: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3136s
000 #4: "net-net" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 871s;
newest IPSEC; eroute owner
000 #3: "net-net" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in
3271s; newest ISAKMP
000
ip xfrm policy
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
ip xfrm state
src 213.6.10.244 dst 192.168.2.254
proto esp spi 0xc5b532b7 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x5c0a3d0f315b36ad2210bbabfe90202ea27a9012
enc aes 0xaee1287ed6439f8f7f06e9608a3bc044
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 213.6.10.244 dst 192.168.2.254
proto esp spi 0x700349d6 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x127407c58db393cffcbfdea180fa8d5018bac1d4
enc aes 0xa477d0b7b8393a8ccd643f43a4f379d6
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.2.254 dst 213.6.10.244
proto esp spi 0xc13228b8 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x9ca5f62b66e851411b0e7304533f510d2ed81f55
enc aes 0xfe00b0f04372a74c1f8a0fd5e732e8ce
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.2.254 dst 213.6.10.244
proto esp spi 0xa1da8e02 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x8fee90346508a1cf1e4a3fc7f194ec1563223eb6
enc aes 0x99188eda96220f3faad60b9bd6bbf717
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
Daniel Mentz
2009-01-02 15:18:10 UTC
Permalink
Hi Walid,

I must admit that I still have no idea what the reason for this problem is.

But I found a message on this mailing list in which a very similar
problem is described:

https://lists.strongswan.org/pipermail/users/2008-February/002258.html

The author was using a CentOS5/RHEL5 machine. Are you using the same
distribution?

He says that the command "ipsec status" deletes entries in the SPD.
Could you please run "ip xfrm policy" before executing "ipsec status"?
Also please run "ip xfrm monitor" while you're running strongSwan. "ip
xfrm monitor" is like "tail -f". It prints all the changes that were
made to the SPD. So you need to run this on a separate tty while you're
starting strongSwan.

Please send us the output of "ip xfrm monitor".

Daniel
Post by Walid Aweiwi
Hi Daniel,
I forgot to mentioned that I'm using virtual interface (eth0, eth0:1) not two NICs, eth0
is the WAN "external" NIC and the eth0:1 is the LAN "internal" NIC.
--
Best Regards
Walid Aweiwi
Systems Engineer
Network Department
Bisan Systems Ltd.
Tel +97222985941 ext 202
Fax +97222985942
Mobile +972599673507
http://www.bisan.com
http://www.bisan.ps
---------- Original Message -----------
Sent: Fri, 02 Jan 2009 13:14:12 +0100
Subject: Re: [strongSwan] Problem with ikev1 net2net-psk, both VPN servers are behind NAT
Post by Daniel Mentz
Hi Walid,
thanks for the debug output.
The command "ip xfrm policy" printed the contents of the so called
Security Policy Database or SPD. To me it seems that the correct entries
are missing in this database. It's over my head why those entries are
missing. Also, the routing table misses necessary entries as well.
From the tcpdump output you provided I can see that the packets are not
encrypted which is a consequence of the fact that those SPD entries are
missing.
I would like to ask you again to provide additional data: You enabled
plutodebug=control
which is a good thing. Could you please provide us with the data from
the syslog output. This is in /var/log/auth.log on my debian system but
it might be located in a different file depending on your distribution.
I'm interested in the lines containing "pluto[xxxx]".
Thanks
Daniel
Post by Walid Aweiwi
Hi Daniel,
ip route list
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.100
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.254
169.254.0.0/16 dev eth0 scope link
default via 192.168.2.1 dev eth0
ipsec status
erouted; eroute owner: #4
000 "net-net": newest ISAKMP SA: #3; newest IPsec SA: #4;
000
000 #2: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE
in 722s
Post by Daniel Mentz
Post by Walid Aweiwi
bytes); tunnel
000 #1: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3136s
000 #4: "net-net" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 871s;
newest IPSEC; eroute owner
000 #3: "net-net" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in
3271s; newest ISAKMP
000
ip xfrm policy
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
ip xfrm state
src 213.6.10.244 dst 192.168.2.254
proto esp spi 0xc5b532b7 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x5c0a3d0f315b36ad2210bbabfe90202ea27a9012
enc aes 0xaee1287ed6439f8f7f06e9608a3bc044
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 213.6.10.244 dst 192.168.2.254
proto esp spi 0x700349d6 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x127407c58db393cffcbfdea180fa8d5018bac1d4
enc aes 0xa477d0b7b8393a8ccd643f43a4f379d6
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.2.254 dst 213.6.10.244
proto esp spi 0xc13228b8 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x9ca5f62b66e851411b0e7304533f510d2ed81f55
enc aes 0xfe00b0f04372a74c1f8a0fd5e732e8ce
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.2.254 dst 213.6.10.244
proto esp spi 0xa1da8e02 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x8fee90346508a1cf1e4a3fc7f194ec1563223eb6
enc aes 0x99188eda96220f3faad60b9bd6bbf717
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
ip route list
192.168.14.0/24 dev eth0 proto kernel scope link src 192.168.14.1
192.168.25.0/24 dev eth0 proto kernel scope link src 192.168.25.25
169.254.0.0/16 dev eth0 scope link
default via 192.168.14.254 dev eth0
ipsec status
erouted; eroute owner: #4
000 "net-net": newest ISAKMP SA: #1; newest IPsec SA: #4;
000
000 #4: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in
488s; newest IPSEC; eroute owner
bytes); tunnel
000 #1: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3011s;
newest ISAKMP
000 #3: "net-net" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 727s
bytes); tunnel
000 #2: "net-net" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE
in 3126s
Post by Daniel Mentz
Post by Walid Aweiwi
000
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 192.168.14.1 dst 82.102.240.47
proto esp spi 0xc5b532b7 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x5c0a3d0f315b36ad2210bbabfe90202ea27a9012
enc aes 0xaee1287ed6439f8f7f06e9608a3bc044
encap type espinudp sport 4500 dport 10171 addr 0.0.0.0
src 192.168.14.1 dst 82.102.240.47
proto esp spi 0x700349d6 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x127407c58db393cffcbfdea180fa8d5018bac1d4
enc aes 0xa477d0b7b8393a8ccd643f43a4f379d6
encap type espinudp sport 4500 dport 10171 addr 0.0.0.0
src 82.102.240.47 dst 192.168.14.1
proto esp spi 0xc13228b8 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x9ca5f62b66e851411b0e7304533f510d2ed81f55
enc aes 0xfe00b0f04372a74c1f8a0fd5e732e8ce
encap type espinudp sport 10171 dport 4500 addr 0.0.0.0
src 82.102.240.47 dst 192.168.14.1
proto esp spi 0xa1da8e02 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x8fee90346508a1cf1e4a3fc7f194ec1563223eb6
enc aes 0x99188eda96220f3faad60b9bd6bbf717
encap type espinudp sport 10171 dport 4500 addr 0.0.0.0
the tcpdump logs on RED.
tcpdump -i eth0 not port ssh and not port domain and not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:15:32.213144 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:32.815520 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from
00:13:ce:e1:90:39 (oui Unknown), length: 300
13:15:32.822317 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from
00:13:ce:e1:90:39 (oui Unknown), length: 326
13:15:33.214593 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:35.696800 IP 192.168.2.100 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s)
13:15:35.733188 IP 192.168.2.100.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
13:15:41.256312 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:41.256475 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.005718 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.005887 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.756095 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.756299 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:43.505142 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:44.255700 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:45.005950 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
isakmp-nat-keep-alive
isakmp-nat-keep-alive
13:15:52.214772 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:53.216956 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:00.755893 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:00.756295 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:01.505012 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:01.505198 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:02.255106 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:02.255466 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:03.004167 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:03.753917 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:04.505081 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:05.263502 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
isakmp-nat-keep-alive
13:16:06.012609 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
isakmp-nat-keep-alive
13:16:06.761678 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:12.218682 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:12.971620 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 1,
length 64
13:16:13.220735 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:13.971711 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 2,
length 64
13:16:14.972435 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id
--
Best Regards
Walid Aweiwi
Systems Engineer
Network Department
Bisan Systems Ltd.
Tel +97222985941 ext 202
Fax +97222985942
Mobile +972599673507
http://www.bisan.com
http://www.bisan.ps
---------- Original Message -----------
Sent: Fri, 02 Jan 2009 10:26:08 +0100
Subject: Re: [strongSwan] Problem with ikev1 net2net-psk, both VPN servers are
behind NAT
Post by Daniel Mentz
Post by Walid Aweiwi
Post by Daniel Mentz
Post by Walid Aweiwi
but my problem is no route nor ping from RED server to BLUE.
Hi Walid,
could you please provide us with the output of the command
ip route list
It should contain something like
192.168.25.0/24 dev ppp0 scope link src 192.168.100.100
The output will look different on your machine because you're
probably using an Ethernet link instead of PPP.
The output of "ipsec status" looks very promising.
What's the exact output of the ping command? Does it say "no route to
host" or is it just not getting any reply (100% packet loss) ?
Please run tcpdump on the external interfaces of RED and BLUE in order
to see if those boxes transmit ESP packets or just unencrypted ICMP packets.
For the sake of completeness you could also include the output of the
ip xfrm state
ip xfrm policy
Regards,
Daniel
*************
This message has been scanned for viruses and dangerous content by Bisan
Systems Ltd MailScanner, and is believed to be clean.Bisan Systems Ltd does
not represent that any attachment is free from computer viruses or
defects and the user assumes all responsibility for any loss, damage or
consequence resulting directly or indirectly from the use of any
attachment. The information contained in any email does not necessarily
reflect the views of Bisan systems or any other related entities or persons.
------- End of Original Message -------
------- End of Original Message -------
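Daniel's request in the quoted reply above, to capture on the external interface and see whether the box emits ESP or unencrypted ICMP, can be checked mechanically over a saved tcpdump text capture. The following is an added example and not code from the thread or from strongSwan; the sample capture is constructed from the RED lines posted above plus two invented UDP-encapsulated ESP records in the format tcpdump prints with -n, and the remote subnet 192.168.25.0/24 comes from the thread's configuration.

```python
"""Classify a tcpdump text capture from a VPN gateway's external interface.
Added example, not from the thread or from strongSwan. It answers Daniel's question
mechanically: does traffic bound for the remote protected subnet leave as ESP (plain
or UDP-encapsulated on port 4500), or as plaintext? The sample capture is constructed
from lines Walid posted for RED plus two made-up UDP-encapsulated ESP lines in the
format tcpdump prints with -n."""
import ipaddress
import re
from collections import Counter

REMOTE_SUBNET = ipaddress.ip_network("192.168.25.0/24")  # BLUE's subnet, per the thread's config

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Matches the first line of a tcpdump IP record; port/service suffixes are optional
# because ICMP lines carry none and captures without -n show names such as "iax".
LINE_RE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>{IPV4})(?:\.(?P<sport>[\w-]+))? > "
    rf"(?P<dst>{IPV4})(?:\.(?P<dport>[\w-]+))?: (?P<rest>.*)$"
)


def classify(line, remote_subnet=REMOTE_SUBNET):
    """Return 'esp', 'plaintext-to-remote', 'other', or None for lines that are not IPv4
    records (wrapped continuation lines, bare 'isakmp-nat-keep-alive' fragments, named hosts)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("ESP(") or rest.startswith("UDP-encap: ESP("):
        return "esp"  # payload is protected; the inner destination is not visible here
    if ipaddress.ip_address(m["dst"]) in remote_subnet:
        return "plaintext-to-remote"  # the symptom: traffic for the far subnet in the clear
    return "other"


def audit(lines, remote_subnet=REMOTE_SUBNET):
    """Count each class and collect the plaintext records destined for the remote subnet."""
    counts, leaks = Counter(), []
    for line in lines:
        kind = classify(line, remote_subnet)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "plaintext-to-remote":
            m = LINE_RE.match(line.strip())
            leaks.append((m["ts"], m["src"], m["dst"], m["rest"]))
    return counts, leaks


def verdict(counts):
    if counts["plaintext-to-remote"]:
        return "LEAK: packets for the remote subnet left the external interface unencrypted"
    return "OK: no plaintext for the remote subnet, ESP present" if counts["esp"] else "NO TUNNEL TRAFFIC"


# Constructed sample: the thread's RED lines (ICMP to 192.168.25.25 in the clear, IAX to a
# BLUE-side host, a keepalive fragment) plus two invented UDP-encapsulated ESP records.
SAMPLE_CAPTURE = """\
13:16:12.218682 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:12.971620 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 1, length 64
13:16:13.220735 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:13.971711 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 2, length 64
isakmp-nat-keep-alive
13:16:14.972435 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 3, length 64
13:16:20.000000 IP 192.168.2.254.4500 > 213.6.10.244.4500: UDP-encap: ESP(spi=0xc13228b8,seq=0x1), length 132
13:16:20.010000 IP 213.6.10.244.4500 > 192.168.2.254.4500: UDP-encap: ESP(spi=0xc5b532b7,seq=0x1), length 132
"""

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_CAPTURE.splitlines())
    print(dict(counts), verdict(counts))
    for ts, src, dst, rest in leaks:
        print(f"  {ts} {src} -> {dst}: {rest}")
```

On a working tunnel the ICMP lines would not appear on the external interface at all; only the ESP records towards the peer would, which is why the count of plaintext records for the remote subnet is the one number to watch.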
Walid Aweiwi
2009-01-02 16:01:07 UTC
Permalink
Hi Daniel,

Exactly, I have a CentOS5/RHEL5 machine; actually it is a trixbox 2.6.13. Is this my problem?

ip xfrm monitor



Deleted src 192.168.14.1 dst 82.102.240.47
proto esp spi 0x6909a1ff reqid 16385 mode tunnel
replay-window 32
auth sha1 0xfea69a74cab82ffbd8d34456f8e7c80ee2a40873
enc aes 0xbe25c4cfb9248829fec842d816684234
encap type espinudp sport 4500 dport 10559 addr 0.0.0.0
Deleted src 82.102.240.47 dst 192.168.14.1
proto esp spi 0xf40155fb reqid 16385 mode tunnel
replay-window 32
auth sha1 0x444138c885b07307d384a66367566db0e61f3c42
enc aes 0x15cfdeaff19184eb252aff99ce34e115
encap type espinudp sport 10559 dport 4500 addr 0.0.0.0


--
Best Regards
Walid Aweiwi
Systems Engineer
Network Department
Bisan Systems Ltd.
Tel +97222985941 ext 202
Fax +97222985942
Mobile +972599673507
http://www.bisan.com
http://www.bisan.ps

---------- Original Message -----------
From: Daniel Mentz <danielml+mailinglists.strongswan-***@public.gmane.org>
To: Walid Aweiwi <walid-5LNP/***@public.gmane.org>
Cc: users-3+4lAyCyj6DkhV4RL1hkzWD2FQJk+8+***@public.gmane.org
Sent: Fri, 02 Jan 2009 16:18:10 +0100
Subject: Re: [strongSwan] Problem with ikev1 net2net-psk, both VPN servers are behind NAT
Post by Daniel Mentz
Hi Walid,
I must admit that I still have no idea what the reason for this problem is.
But I found a message on this mailing list in which a very similar
https://lists.strongswan.org/pipermail/users/2008-February/002258.html
The author was using a CentOS5/RHEL5 machine. Are you using the same
distribution?
He says that the command "ipsec status" deletes entries in the SPD.
Could you please run "ip xfrm policy" before executing "ipsec status"?
Also please run "ip xfrm monitor" while you're running strongSwan. "ip
xfrm monitor" is like "tail -f". It prints all the changes that were
made to the SPD. So you need to run this on a separate tty while you're
starting strongSwan.
Please send us the output of "ip xfrm monitor".
Daniel
Post by Walid Aweiwi
Hi Daniel,
I forgot to mention that I'm using a virtual interface (eth0, eth0:1), not two NICs: eth0
is the WAN "external" NIC and eth0:1 is the LAN "internal" NIC.
--
Best Regards
Walid Aweiwi
Systems Engineer
Network Department
Bisan Systems Ltd.
Tel +97222985941 ext 202
Fax +97222985942
Mobile +972599673507
http://www.bisan.com
http://www.bisan.ps
---------- Original Message -----------
Sent: Fri, 02 Jan 2009 13:14:12 +0100
Subject: Re: [strongSwan] Problem with ikev1 net2net-psk, both VPN servers are behind NAT
Post by Daniel Mentz
Hi Walid,
thanks for the debug output.
The command "ip xfrm policy" printed the contents of the so-called
Security Policy Database or SPD. To me it seems that the correct entries
are missing in this database. It's over my head why those entries are
missing. Also, the routing table is missing the necessary entries as well.
From the tcpdump output you provided I can see that the packets are not
encrypted which is a consequence of the fact that those SPD entries are
missing.
I would like to ask you again to provide additional data: You enabled
plutodebug=control
which is a good thing. Could you please provide us with the data from
the syslog output? This is in /var/log/auth.log on my Debian system, but
it might be located in a different file depending on your distribution.
I'm interested in the lines containing "pluto[xxxx]".
Thanks
Daniel
Post by Walid Aweiwi
Hi Daniel,
ip route list
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.100
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.254
169.254.0.0/16 dev eth0 scope link
default via 192.168.2.1 dev eth0
ipsec status
erouted; eroute owner: #4
000 "net-net": newest ISAKMP SA: #3; newest IPsec SA: #4;
000
000 #2: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE
in 722s
bytes); tunnel
000 #1: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3136s
000 #4: "net-net" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 871s;
newest IPSEC; eroute owner
tunnel
000 #3: "net-net" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in
3271s; newest ISAKMP
000
ip xfrm policy
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
ip xfrm state
src 213.6.10.244 dst 192.168.2.254
proto esp spi 0xc5b532b7 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x5c0a3d0f315b36ad2210bbabfe90202ea27a9012
enc aes 0xaee1287ed6439f8f7f06e9608a3bc044
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 213.6.10.244 dst 192.168.2.254
proto esp spi 0x700349d6 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x127407c58db393cffcbfdea180fa8d5018bac1d4
enc aes 0xa477d0b7b8393a8ccd643f43a4f379d6
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.2.254 dst 213.6.10.244
proto esp spi 0xc13228b8 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x9ca5f62b66e851411b0e7304533f510d2ed81f55
enc aes 0xfe00b0f04372a74c1f8a0fd5e732e8ce
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.2.254 dst 213.6.10.244
proto esp spi 0xa1da8e02 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x8fee90346508a1cf1e4a3fc7f194ec1563223eb6
enc aes 0x99188eda96220f3faad60b9bd6bbf717
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
ip route list
192.168.14.0/24 dev eth0 proto kernel scope link src 192.168.14.1
192.168.25.0/24 dev eth0 proto kernel scope link src 192.168.25.25
169.254.0.0/16 dev eth0 scope link
default via 192.168.14.254 dev eth0
ipsec status
erouted; eroute owner: #4
000 "net-net": newest ISAKMP SA: #1; newest IPsec SA: #4;
000
000 #4: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in
488s; newest IPSEC; eroute owner
bytes); tunnel
000 #1: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3011s;
newest ISAKMP
000 #3: "net-net" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 727s
bytes); tunnel
000 #2: "net-net" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE
in 3126s
000
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 192.168.14.1 dst 82.102.240.47
proto esp spi 0xc5b532b7 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x5c0a3d0f315b36ad2210bbabfe90202ea27a9012
enc aes 0xaee1287ed6439f8f7f06e9608a3bc044
encap type espinudp sport 4500 dport 10171 addr 0.0.0.0
src 192.168.14.1 dst 82.102.240.47
proto esp spi 0x700349d6 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x127407c58db393cffcbfdea180fa8d5018bac1d4
enc aes 0xa477d0b7b8393a8ccd643f43a4f379d6
encap type espinudp sport 4500 dport 10171 addr 0.0.0.0
src 82.102.240.47 dst 192.168.14.1
proto esp spi 0xc13228b8 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x9ca5f62b66e851411b0e7304533f510d2ed81f55
enc aes 0xfe00b0f04372a74c1f8a0fd5e732e8ce
encap type espinudp sport 10171 dport 4500 addr 0.0.0.0
src 82.102.240.47 dst 192.168.14.1
proto esp spi 0xa1da8e02 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x8fee90346508a1cf1e4a3fc7f194ec1563223eb6
enc aes 0x99188eda96220f3faad60b9bd6bbf717
encap type espinudp sport 10171 dport 4500 addr 0.0.0.0
the tcpdump logs on RED.
tcpdump -i eth0 not port ssh and not port domain and not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:15:32.213144 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:32.815520 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from
00:13:ce:e1:90:39 (oui Unknown), length: 300
13:15:32.822317 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from
00:13:ce:e1:90:39 (oui Unknown), length: 326
13:15:33.214593 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:35.696800 IP 192.168.2.100 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s)
13:15:35.733188 IP 192.168.2.100.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
13:15:41.256312 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:41.256475 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.005718 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.005887 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.756095 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.756299 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:43.505142 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:44.255700 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:45.005950 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
isakmp-nat-keep-alive
isakmp-nat-keep-alive
13:15:52.214772 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:53.216956 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:00.755893 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:00.756295 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:01.505012 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:01.505198 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:02.255106 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:02.255466 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:03.004167 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:03.753917 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:04.505081 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:05.263502 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
isakmp-nat-keep-alive
13:16:06.012609 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
isakmp-nat-keep-alive
13:16:06.761678 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:12.218682 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:12.971620 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 1,
length 64
13:16:13.220735 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:13.971711 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 2,
length 64
13:16:14.972435 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id
------- End of Original Message -------
------- End of Original Message -------
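Daniel's reading of the ip xfrm policy output quoted above (SAs established on both sides, but an SPD holding only wildcard entries, so packets for the far subnet leave unencrypted) can be turned into a check that cross-references ip xfrm policy against ip xfrm state. This is an added example, not code from the thread or from strongSwan; the sample outputs are constructed (the broken one follows the shape of RED's output above with key material omitted, the healthy one is what a working net-to-net tunnel installs), and RED's subnets and gateway addresses are taken from the thread.

```python
"""Cross-check the kernel SPD (ip xfrm policy) against the SAD (ip xfrm state).
Added example, not from the thread or from strongSwan. It automates Daniel's diagnosis:
RED holds established ESP SAs, but its SPD has only wildcard entries, so nothing steers
traffic for the remote subnet into those SAs and it leaves in plaintext. The sample
outputs are constructed; the broken one mirrors RED's output in the thread, keys omitted."""
import re

# Tunnel parameters for RED, taken from the thread's configuration.
LOCAL_SUBNET, REMOTE_SUBNET = "192.168.100.0/24", "192.168.25.0/24"
LOCAL_GW, REMOTE_GW = "192.168.2.254", "213.6.10.244"
SRC_DST = re.compile(r"^src (\S+) dst (\S+)")

def _blocks(text):
    """Split ip xfrm output into entries starting at 'src X dst Y'; indentation is ignored."""
    blocks = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if SRC_DST.match(line):
            blocks.append([line])
        elif blocks:
            blocks[-1].append(line)
    return blocks

def parse_policies(text):
    """`ip xfrm policy` -> list of dicts with src, dst, dir, tmpl, proto, mode."""
    policies = []
    for block in _blocks(text):
        pol = dict(zip(("src", "dst"), SRC_DST.match(block[0]).groups()),
                   dir=None, tmpl=None, proto=None, mode=None)
        for line in block[1:]:
            if m := re.match(r"dir (\w+)", line):
                pol["dir"] = m[1]
            elif m := re.match(r"tmpl src (\S+) dst (\S+)", line):
                pol["tmpl"] = {"src": m[1], "dst": m[2]}
            elif m := re.match(r"proto (\w+).*\bmode (\w+)", line):
                pol["proto"], pol["mode"] = m[1], m[2]
        policies.append(pol)
    return policies

def parse_states(text):
    """`ip xfrm state` -> list of dicts with src, dst, proto, spi, reqid, mode."""
    states = []
    for block in _blocks(text):
        sa = dict(zip(("src", "dst"), SRC_DST.match(block[0]).groups()), proto=None, mode=None)
        for line in block[1:]:
            if m := re.match(r"proto (\w+) spi (0x[0-9a-f]+) reqid (\d+) mode (\w+)", line):
                sa.update(proto=m[1], spi=m[2], reqid=int(m[3]), mode=m[4])
        states.append(sa)
    return states

def check_tunnel(policies, states, local_subnet=LOCAL_SUBNET, remote_subnet=REMOTE_SUBNET,
                 local_gw=LOCAL_GW, remote_gw=REMOTE_GW):
    """Which of the three SPD entries a tunnel needs are absent, and how many ESP SAs exist."""
    expected = {  # dir -> (selector src, selector dst, tmpl src, tmpl dst)
        "out": (local_subnet, remote_subnet, local_gw, remote_gw),
        "in": (remote_subnet, local_subnet, remote_gw, local_gw),
        "fwd": (remote_subnet, local_subnet, remote_gw, local_gw),
    }

    def matches(pol, d):  # wildcard 0.0.0.0/0 or ::/0 entries never satisfy a tunnel selector
        sel_src, sel_dst, t_src, t_dst = expected[d]
        return (pol["dir"] == d and pol["src"] == sel_src and pol["dst"] == sel_dst
                and pol["proto"] == "esp" and pol["mode"] == "tunnel"
                and pol["tmpl"] == {"src": t_src, "dst": t_dst})

    missing = [d for d in expected if not any(matches(p, d) for p in policies)]
    sas = [s for s in states if s["proto"] == "esp" and s["mode"] == "tunnel"
           and {s["src"], s["dst"]} == {local_gw, remote_gw}]
    verdict = ("ok: SPD and SAD agree" if not missing else
               "SAs exist but SPD entries missing: traffic for the remote subnet leaves in plaintext"
               if sas else "no SAs and no policies: tunnel not established")
    return {"missing_policies": missing, "esp_sa_count": len(sas), "verdict": verdict}

def diagnose(policy_text, state_text):
    return check_tunnel(parse_policies(policy_text), parse_states(state_text))

RED_BROKEN_POLICY = """\
src ::/0 dst ::/0
    dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 0
"""
RED_STATE = """\
src 213.6.10.244 dst 192.168.2.254
    proto esp spi 0xc5b532b7 reqid 16385 mode tunnel
src 192.168.2.254 dst 213.6.10.244
    proto esp spi 0xc13228b8 reqid 16385 mode tunnel
"""
RED_HEALTHY_POLICY = """\
src 192.168.100.0/24 dst 192.168.25.0/24
    dir out priority 2344
    tmpl src 192.168.2.254 dst 213.6.10.244
        proto esp reqid 16385 mode tunnel
src 192.168.25.0/24 dst 192.168.100.0/24
    dir fwd priority 2344
    tmpl src 213.6.10.244 dst 192.168.2.254
        proto esp reqid 16385 mode tunnel
src 192.168.25.0/24 dst 192.168.100.0/24
    dir in priority 2344
    tmpl src 213.6.10.244 dst 192.168.2.254
        proto esp reqid 16385 mode tunnel
"""
```

Against live output, feed diagnose() the text of ip xfrm policy and ip xfrm state captured at the same moment. Daniel's other remark, that on that kernel ipsec status appeared to delete SPD entries, is the kind of change this check catches when run once before and once after the command: the SA count stays the same while the missing-policies list goes from empty to all three directions.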
Daniel Mentz
2009-01-02 17:47:27 UTC
Permalink
Hi Walid,

to me it seems that your problem is related to the one described in

https://lists.strongswan.org/pipermail/users/2008-September/002705.html

The only thing I can suggest is to upgrade your kernel or to apply the
patch that was posted in the e-mail mentioned above. But be aware that
this patch might break other features of strongSwan.

I would go for the first option if possible: Upgrade the kernel.

Regards,
Daniel
Post by Walid Aweiwi
Hi Daniel,
Exactly, I have a CentOS5/RHEL5 machine; actually it is a trixbox 2.6.13. Is this my problem?
ip xfrm monitor
Deleted src 192.168.14.1 dst 82.102.240.47
proto esp spi 0x6909a1ff reqid 16385 mode tunnel
replay-window 32
auth sha1 0xfea69a74cab82ffbd8d34456f8e7c80ee2a40873
enc aes 0xbe25c4cfb9248829fec842d816684234
encap type espinudp sport 4500 dport 10559 addr 0.0.0.0
Deleted src 82.102.240.47 dst 192.168.14.1
proto esp spi 0xf40155fb reqid 16385 mode tunnel
replay-window 32
auth sha1 0x444138c885b07307d384a66367566db0e61f3c42
enc aes 0x15cfdeaff19184eb252aff99ce34e115
encap type espinudp sport 10559 dport 4500 addr 0.0.0.0
--
Best Regards
Walid Aweiwi
Systems Engineer
Network Department
Bisan Systems Ltd.
Tel +97222985941 ext 202
Fax +97222985942
Mobile +972599673507
http://www.bisan.com
http://www.bisan.ps
---------- Original Message -----------
Sent: Fri, 02 Jan 2009 16:18:10 +0100
Subject: Re: [strongSwan] Problem with ikev1 net2net-psk, both VPN servers are behind NAT
Post by Daniel Mentz
Hi Walid,
I must admit that I still have no idea what the reason for this problem is.
But I found a message on this mailing list in which a very similar
https://lists.strongswan.org/pipermail/users/2008-February/002258.html
The author was using a CentOS5/RHEL5 machine. Are you using the same
distribution?
He says that the command "ipsec status" deletes entries in the SPD.
Could you please run "ip xfrm policy" before executing "ipsec status"?
Also please run "ip xfrm monitor" while you're running strongSwan. "ip
xfrm monitor" is like "tail -f". It prints all the changes that were
made to the SPD. So you need to run this on a separate tty while you're
starting strongSwan.
Please send us the output of "ip xfrm monitor".
Daniel
Post by Walid Aweiwi
Hi Daniel,
I forgot to mentioned that I'm using virtual interface (eth0, eth0:1) not two NICs, eth0
is the WAN "external" NIC and the eth0:1 is the LAN "internal" NIC.
--
Best Regards
Walid Aweiwi
Systems Engineer
Network Department
Bisan Systems Ltd.
Tel +97222985941 ext 202
Fax +97222985942
Mobile +972599673507
http://www.bisan.com
http://www.bisan.ps
---------- Original Message -----------
Sent: Fri, 02 Jan 2009 13:14:12 +0100
Subject: Re: [strongSwan] Problem with ikev1 net2net-psk, both VPN servers are
behind NAT
Post by Daniel Mentz
Post by Walid Aweiwi
Post by Daniel Mentz
Hi Walid,
thanks for the debug output.
The command "ip xfrm policy" printed the contents of the so called
Security Policy Database or SPD. To me it seems that the correct entries
are missing in this database. It's over my head why those entries are
missing. Also, the routing table misses necessary entries as well.
From the tcpdump output you provided I can see that the packets are not
encrypted which is a consequence of the fact that those SPD entries are
missing.
I would like to ask you again to provide additional data: You enabled
plutodebug=control
which is a good thing. Could you please provide us with the data from
the syslog output. This is in /var/log/auth.log on my debian system but
it might be located in a different file depending on your distribution.
I'm interested in the lines containing "pluto[xxxx]".
Thanks
Daniel
Post by Walid Aweiwi
Hi Daniel,
ip route list
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.100
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.254
169.254.0.0/16 dev eth0 scope link
default via 192.168.2.1 dev eth0
ipsec status
erouted; eroute owner: #4
000 "net-net": newest ISAKMP SA: #3; newest IPsec SA: #4;
000
000 #2: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE
in 722s
Post by Daniel Mentz
Post by Walid Aweiwi
bytes); tunnel
000 #1: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3136s
000 #4: "net-net" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 871s;
newest IPSEC; eroute owner
tunnel
Post by Daniel Mentz
Post by Walid Aweiwi
Post by Daniel Mentz
Post by Walid Aweiwi
000 #3: "net-net" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in
3271s; newest ISAKMP
000
ip xfrm policy
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
ip xfrm state
src 213.6.10.244 dst 192.168.2.254
proto esp spi 0xc5b532b7 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x5c0a3d0f315b36ad2210bbabfe90202ea27a9012
enc aes 0xaee1287ed6439f8f7f06e9608a3bc044
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 213.6.10.244 dst 192.168.2.254
proto esp spi 0x700349d6 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x127407c58db393cffcbfdea180fa8d5018bac1d4
enc aes 0xa477d0b7b8393a8ccd643f43a4f379d6
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.2.254 dst 213.6.10.244
proto esp spi 0xc13228b8 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x9ca5f62b66e851411b0e7304533f510d2ed81f55
enc aes 0xfe00b0f04372a74c1f8a0fd5e732e8ce
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.2.254 dst 213.6.10.244
proto esp spi 0xa1da8e02 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x8fee90346508a1cf1e4a3fc7f194ec1563223eb6
enc aes 0x99188eda96220f3faad60b9bd6bbf717
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
ip route list
192.168.14.0/24 dev eth0 proto kernel scope link src 192.168.14.1
192.168.25.0/24 dev eth0 proto kernel scope link src 192.168.25.25
169.254.0.0/16 dev eth0 scope link
default via 192.168.14.254 dev eth0
ipsec status
erouted; eroute owner: #4
000 "net-net": newest ISAKMP SA: #1; newest IPsec SA: #4;
000
000 #4: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in
488s; newest IPSEC; eroute owner
bytes); tunnel
000 #1: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3011s;
newest ISAKMP
000 #3: "net-net" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 727s
bytes); tunnel
000 #2: "net-net" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE
in 3126s
Post by Daniel Mentz
Post by Walid Aweiwi
000
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 192.168.14.1 dst 82.102.240.47
proto esp spi 0xc5b532b7 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x5c0a3d0f315b36ad2210bbabfe90202ea27a9012
enc aes 0xaee1287ed6439f8f7f06e9608a3bc044
encap type espinudp sport 4500 dport 10171 addr 0.0.0.0
src 192.168.14.1 dst 82.102.240.47
proto esp spi 0x700349d6 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x127407c58db393cffcbfdea180fa8d5018bac1d4
enc aes 0xa477d0b7b8393a8ccd643f43a4f379d6
encap type espinudp sport 4500 dport 10171 addr 0.0.0.0
src 82.102.240.47 dst 192.168.14.1
proto esp spi 0xc13228b8 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x9ca5f62b66e851411b0e7304533f510d2ed81f55
enc aes 0xfe00b0f04372a74c1f8a0fd5e732e8ce
encap type espinudp sport 10171 dport 4500 addr 0.0.0.0
src 82.102.240.47 dst 192.168.14.1
proto esp spi 0xa1da8e02 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x8fee90346508a1cf1e4a3fc7f194ec1563223eb6
enc aes 0x99188eda96220f3faad60b9bd6bbf717
encap type espinudp sport 10171 dport 4500 addr 0.0.0.0
the tcpdump logs on RED.
tcpdump -i eth0 not port ssh and not port domain and not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:15:32.213144 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:32.815520 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from
00:13:ce:e1:90:39 (oui Unknown), length: 300
13:15:32.822317 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from
00:13:ce:e1:90:39 (oui Unknown), length: 326
13:15:33.214593 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:35.696800 IP 192.168.2.100 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s)
13:15:35.733188 IP 192.168.2.100.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
13:15:41.256312 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:41.256475 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.005718 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.005887 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.756095 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.756299 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:43.505142 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:44.255700 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:45.005950 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
isakmp-nat-keep-alive
isakmp-nat-keep-alive
13:15:52.214772 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:53.216956 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:00.755893 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:00.756295 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:01.505012 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:01.505198 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:02.255106 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:02.255466 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:03.004167 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:03.753917 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:04.505081 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:05.263502 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
isakmp-nat-keep-alive
13:16:06.012609 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
isakmp-nat-keep-alive
13:16:06.761678 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:12.218682 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:12.971620 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 1,
length 64
13:16:13.220735 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:13.971711 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 2,
length 64
13:16:14.972435 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id
--
Best Regards
Walid Aweiwi
Systems Engineer
Network Department
Bisan Systems Ltd.
Tel +97222985941 ext 202
Fax +97222985942
Mobile +972599673507
http://www.bisan.com
http://www.bisan.ps
---------- Original Message -----------
Sent: Fri, 02 Jan 2009 10:26:08 +0100
Subject: Re: [strongSwan] Problem with ikev1 net2net-psk, both VPN servers are
behind NAT
Post by Daniel Mentz
Post by Walid Aweiwi
Post by Daniel Mentz
Post by Walid Aweiwi
but my problem is no route nor ping from RED server to BLUE.
Hi Walid,
could you please provide us with the output of the command
ip route list
It should contain something like
192.168.25.0/24 dev ppp0 scope link src 192.168.100.100
The outlook will look differently on your machine because you're
probably using an ethernet link instead of PPP.
The output of "ipsec status" looks very promising.
What's the exact output of the ping command? Does it say "no route to
host" or is it just not getting any reply (100% packet loss) ?
Please run tcpdump on the external interfaces of RED and BLUE in order
to see if those boxes transmit ESP packets or just unencrypted ICMP packets.
For the sake of completeness you could also include the output of the
ip xfrm state
ip xfrm policy
Regards,
Daniel
*************
This message has been scanned for viruses and dangerous content by Bisan
Systems Ltd MailScanner, and is believed to be clean.Bisan Systems Ltd does
not represent that any attachment is free from computer viruses or
defects and the user assumes all responsibility for any loss, damage or
consequence resulting directly or indirectly from the use of any
attachment. The information contained in any email does not necessarily
reflect the views of Bisan systems or any other related entities or persons.
------- End of Original Message -------
------- End of Original Message -------
------- End of Original Message -------
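Daniel's tcpdump check in the reply quoted above (does the external interface carry ESP towards the peer gateway, or bare ICMP addressed straight to the remote subnet?) can be turned into a small script. The following is an added example, not code from this thread or from strongSwan. The capture text is constructed after the lines Walid posted from RED; the peer gateway 203.0.113.10, the NAT-T ESP line and its SPI are placeholders, and the remote subnet 192.168.25.0/24 is taken from the configuration in the thread.

```python
import ipaddress
import re

# Constructed sample modelled on the capture posted from RED's external interface
# (not the original packets): IAX keepalives, a DHCP request, ICMP echo requests
# leaving in the clear towards the remote subnet, and one constructed NAT-T ESP
# packet towards a placeholder peer gateway (203.0.113.10; the SPI is made up).
SAMPLE_CAPTURE = """\
13:15:32.213144 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:32.815520 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from
00:13:ce:e1:90:39 (oui Unknown), length: 300
13:15:35.696800 IP 192.168.2.100 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s)
isakmp-nat-keep-alive
13:16:12.971620 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 1,
length 64
13:16:13.971711 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 2,
length 64
13:16:14.972435 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id
13:16:20.100000 IP 192.168.2.254.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x12345678,seq=0x1), length 132
"""

# One tcpdump packet line: timestamp, 'IP'/'IP6', src > dst: protocol text.
# Continuation lines and bare markers such as 'isakmp-nat-keep-alive' do not match.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP6? (\S+) > (\S+): (.*)$")


def split_endpoint(token):
    """Split '192.168.2.254.iax' or '192.168.25.25' into (IPv4Address, port-or-service).
    Returns (None, None) for resolved host names such as IGMP.MCAST.NET."""
    parts = token.split(".")
    if len(parts) == 5:
        host, port = ".".join(parts[:4]), parts[4]
    elif len(parts) == 4:
        host, port = token, None
    else:
        return None, None
    try:
        return ipaddress.ip_address(host), port
    except ValueError:
        return None, None


def classify(body):
    """Coarse protocol class from the text after 'src > dst:'."""
    if body.startswith("ESP(") or "UDP-encap: ESP" in body:
        return "esp"
    if body.startswith("ICMP"):
        return "icmp"
    if body.startswith("UDP"):
        return "udp"
    if "Flags [" in body:
        return "tcp"
    return "other"


def parse_capture(text):
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src_tok, dst_tok, body = m.groups()
        src, sport = split_endpoint(src_tok)
        dst, dport = split_endpoint(dst_tok)
        if src is None or dst is None:
            continue
        packets.append({"time": ts, "src": src, "dst": dst,
                        "sport": sport, "dport": dport, "proto": classify(body)})
    return packets


def find_plaintext_leaks(text, remote_subnet):
    """Packets on the external interface addressed directly to the remote protected
    subnet. With a working SPD these never appear: the kernel would have wrapped them
    in ESP towards the peer gateway, so each hit is traffic leaving in the clear."""
    net = ipaddress.ip_network(remote_subnet)
    return [p for p in parse_capture(text) if p["dst"] in net and p["proto"] != "esp"]


def summarize(text, remote_subnet):
    net = ipaddress.ip_network(remote_subnet)
    counts = {"esp": 0, "plaintext_to_remote": 0, "other": 0}
    for p in parse_capture(text):
        if p["proto"] == "esp":
            counts["esp"] += 1
        elif p["dst"] in net:
            counts["plaintext_to_remote"] += 1
        else:
            counts["other"] += 1
    return counts


if __name__ == "__main__":
    for p in find_plaintext_leaks(SAMPLE_CAPTURE, "192.168.25.0/24"):
        print(f"{p['time']} {p['src']} -> {p['dst']} sent as {p['proto']} (unencrypted)")
    print(summarize(SAMPLE_CAPTURE, "192.168.25.0/24"))
```

Run it against a real file with `python3 leakcheck.py < capture.txt` after replacing `SAMPLE_CAPTURE` with `sys.stdin.read()`; on the sample it reports the three ICMP echo requests as plaintext and counts the single NAT-T packet as ESP, which is exactly the split Daniel asked Walid to look for.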
Walid Aweiwi
2009-01-03 07:41:36 UTC
Hi Daniel,

Thank you very much. I'm going to use the VPN on a different box, because I have an IP-PBX
installed on this box and a kernel upgrade may affect the voice functionality, and patching
strongSwan is not trusted.

Finally, it was nice to deal with you, Daniel, and your help is really appreciated.

--
Best Regards
Walid Aweiwi
Systems Engineer
Network Department
Bisan Systems Ltd.
Tel +97222985941 ext 202
Fax +97222985942
Mobile +972599673507
http://www.bisan.com
http://www.bisan.ps

---------- Original Message -----------
From: Daniel Mentz <danielml+mailinglists.strongswan-***@public.gmane.org>
To: Walid Aweiwi <walid-5LNP/***@public.gmane.org>
Cc: users-3+4lAyCyj6DkhV4RL1hkzWD2FQJk+8+***@public.gmane.org
Sent: Fri, 02 Jan 2009 18:47:27 +0100
Subject: Re: [strongSwan] Problem with ikev1 net2net-psk, both VPN servers are behind NAT
Post by Daniel Mentz
Hi Walid,
to me it seems that your problem is related to the one described in
https://lists.strongswan.org/pipermail/users/2008-September/002705.html
The only thing I can suggest is to upgrade your kernel or to apply the
patch that was posted in the e-mail mentioned above. But be aware that
this patch might break other features of strongSwan.
I would go for the first option if possible: Upgrade the kernel.
Regards,
Daniel
Post by Walid Aweiwi
Hi Daniel,
Exactly, I have a CentOS5/RHEL5 machine; actually it is a trixbox 2.6.13. Is this my problem?
ip xfrm monitor
Deleted src 192.168.14.1 dst 82.102.240.47
proto esp spi 0x6909a1ff reqid 16385 mode tunnel
replay-window 32
auth sha1 0xfea69a74cab82ffbd8d34456f8e7c80ee2a40873
enc aes 0xbe25c4cfb9248829fec842d816684234
encap type espinudp sport 4500 dport 10559 addr 0.0.0.0
Deleted src 82.102.240.47 dst 192.168.14.1
proto esp spi 0xf40155fb reqid 16385 mode tunnel
replay-window 32
auth sha1 0x444138c885b07307d384a66367566db0e61f3c42
enc aes 0x15cfdeaff19184eb252aff99ce34e115
encap type espinudp sport 10559 dport 4500 addr 0.0.0.0
--
Best Regards
Walid Aweiwi
Systems Engineer
Network Department
Bisan Systems Ltd.
Tel +97222985941 ext 202
Fax +97222985942
Mobile +972599673507
http://www.bisan.com
http://www.bisan.ps
---------- Original Message -----------
Sent: Fri, 02 Jan 2009 16:18:10 +0100
Subject: Re: [strongSwan] Problem with ikev1 net2net-psk, both VPN servers are behind NAT
Post by Daniel Mentz
Hi Walid,
I must admit that I still have no idea what the reason for this problem is.
But I found a message on this mailing list in which a very similar
https://lists.strongswan.org/pipermail/users/2008-February/002258.html
The author was using a CentOS5/RHEL5 machine. Are you using the same
distribution?
He says that the command "ipsec status" deletes entries in the SPD.
Could you please run "ip xfrm policy" before executing "ipsec status"?
Also please run "ip xfrm monitor" while you're running strongSwan. "ip
xfrm monitor" is like "tail -f". It prints all the changes that were
made to the SPD. So you need to run this on a separate tty while you're
starting strongSwan.
Please send us the output of "ip xfrm monitor".
Daniel
Post by Walid Aweiwi
Hi Daniel,
I forgot to mention that I'm using a virtual interface (eth0, eth0:1), not two NICs: eth0
is the WAN "external" NIC and eth0:1 is the LAN "internal" NIC.
--
Best Regards
Walid Aweiwi
Systems Engineer
Network Department
Bisan Systems Ltd.
Tel +97222985941 ext 202
Fax +97222985942
Mobile +972599673507
http://www.bisan.com
http://www.bisan.ps
---------- Original Message -----------
Sent: Fri, 02 Jan 2009 13:14:12 +0100
Subject: Re: [strongSwan] Problem with ikev1 net2net-psk, both VPN servers are
behind NAT
Post by Daniel Mentz
Post by Walid Aweiwi
Post by Daniel Mentz
Hi Walid,
thanks for the debug output.
The command "ip xfrm policy" printed the contents of the so-called
Security Policy Database or SPD. To me it seems that the correct entries
are missing in this database. It's over my head why those entries are
missing. Also, the routing table misses necessary entries as well.
From the tcpdump output you provided I can see that the packets are not
encrypted which is a consequence of the fact that those SPD entries are
missing.
I would like to ask you again to provide additional data: You enabled
plutodebug=control
which is a good thing. Could you please provide us with the data from
the syslog output? This is in /var/log/auth.log on my Debian system but
it might be located in a different file depending on your distribution.
I'm interested in the lines containing "pluto[xxxx]".
Thanks
Daniel
Post by Walid Aweiwi
Hi Daniel,
ip route list
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.100
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.254
169.254.0.0/16 dev eth0 scope link
default via 192.168.2.1 dev eth0
ipsec status
erouted; eroute owner: #4
000 "net-net": newest ISAKMP SA: #3; newest IPsec SA: #4;
000
000 #2: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE
in 722s
Post by Daniel Mentz
Post by Walid Aweiwi
bytes); tunnel
000 #1: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3136s
000 #4: "net-net" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 871s;
newest IPSEC; eroute owner
tunnel
Post by Daniel Mentz
Post by Walid Aweiwi
Post by Daniel Mentz
Post by Walid Aweiwi
000 #3: "net-net" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in
3271s; newest ISAKMP
000
ip xfrm policy
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
ip xfrm state
src 213.6.10.244 dst 192.168.2.254
proto esp spi 0xc5b532b7 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x5c0a3d0f315b36ad2210bbabfe90202ea27a9012
enc aes 0xaee1287ed6439f8f7f06e9608a3bc044
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 213.6.10.244 dst 192.168.2.254
proto esp spi 0x700349d6 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x127407c58db393cffcbfdea180fa8d5018bac1d4
enc aes 0xa477d0b7b8393a8ccd643f43a4f379d6
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.2.254 dst 213.6.10.244
proto esp spi 0xc13228b8 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x9ca5f62b66e851411b0e7304533f510d2ed81f55
enc aes 0xfe00b0f04372a74c1f8a0fd5e732e8ce
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.2.254 dst 213.6.10.244
proto esp spi 0xa1da8e02 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x8fee90346508a1cf1e4a3fc7f194ec1563223eb6
enc aes 0x99188eda96220f3faad60b9bd6bbf717
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
ip route list
192.168.14.0/24 dev eth0 proto kernel scope link src 192.168.14.1
192.168.25.0/24 dev eth0 proto kernel scope link src 192.168.25.25
169.254.0.0/16 dev eth0 scope link
default via 192.168.14.254 dev eth0
ipsec status
erouted; eroute owner: #4
000 "net-net": newest ISAKMP SA: #1; newest IPsec SA: #4;
000
000 #4: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in
488s; newest IPSEC; eroute owner
bytes); tunnel
000 #1: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 3011s;
newest ISAKMP
000 #3: "net-net" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 727s
bytes); tunnel
000 #2: "net-net" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE
in 3126s
Post by Daniel Mentz
Post by Walid Aweiwi
000
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
src 192.168.14.1 dst 82.102.240.47
proto esp spi 0xc5b532b7 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x5c0a3d0f315b36ad2210bbabfe90202ea27a9012
enc aes 0xaee1287ed6439f8f7f06e9608a3bc044
encap type espinudp sport 4500 dport 10171 addr 0.0.0.0
src 192.168.14.1 dst 82.102.240.47
proto esp spi 0x700349d6 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x127407c58db393cffcbfdea180fa8d5018bac1d4
enc aes 0xa477d0b7b8393a8ccd643f43a4f379d6
encap type espinudp sport 4500 dport 10171 addr 0.0.0.0
src 82.102.240.47 dst 192.168.14.1
proto esp spi 0xc13228b8 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x9ca5f62b66e851411b0e7304533f510d2ed81f55
enc aes 0xfe00b0f04372a74c1f8a0fd5e732e8ce
encap type espinudp sport 10171 dport 4500 addr 0.0.0.0
src 82.102.240.47 dst 192.168.14.1
proto esp spi 0xa1da8e02 reqid 16385 mode tunnel
replay-window 32
auth sha1 0x8fee90346508a1cf1e4a3fc7f194ec1563223eb6
enc aes 0x99188eda96220f3faad60b9bd6bbf717
encap type espinudp sport 10171 dport 4500 addr 0.0.0.0
The tcpdump logs on RED:
tcpdump -i eth0 not port ssh and not port domain and not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:15:32.213144 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:32.815520 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from
00:13:ce:e1:90:39 (oui Unknown), length: 300
13:15:32.822317 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from
00:13:ce:e1:90:39 (oui Unknown), length: 326
13:15:33.214593 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:35.696800 IP 192.168.2.100 > IGMP.MCAST.NET: igmp v3 report, 1 group record(s)
13:15:35.733188 IP 192.168.2.100.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): REGISTRATION; REQUEST; BROADCAST
13:15:41.256312 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:41.256475 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.005718 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.005887 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.756095 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:42.756299 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:43.505142 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:44.255700 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:15:45.005950 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
isakmp-nat-keep-alive
isakmp-nat-keep-alive
13:15:52.214772 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:15:53.216956 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:00.755893 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:00.756295 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:01.505012 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:01.505198 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:02.255106 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:02.255466 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:03.004167 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:03.753917 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:04.505081 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:05.263502 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
isakmp-nat-keep-alive
13:16:06.012609 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
isakmp-nat-keep-alive
13:16:06.761678 IP 192.168.2.101.netbios-ns > 192.168.2.255.netbios-ns: NBT UDP
PACKET(137): QUERY; REQUEST; BROADCAST
13:16:12.218682 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:12.971620 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 1,
length 64
13:16:13.220735 IP 192.168.2.254.iax > 192.168.14.14.iax: UDP, length 12
13:16:13.971711 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id 36124, seq 2,
length 64
13:16:14.972435 IP 192.168.2.254 > 192.168.25.25: ICMP echo request, id
--
Best Regards
Walid Aweiwi
Systems Engineer
Network Department
Bisan Systems Ltd.
Tel +97222985941 ext 202
Fax +97222985942
Mobile +972599673507
http://www.bisan.com
http://www.bisan.ps
---------- Original Message -----------
Sent: Fri, 02 Jan 2009 10:26:08 +0100
Subject: Re: [strongSwan] Problem with ikev1 net2net-psk, both VPN servers are
behind NAT
Post by Daniel Mentz
Post by Walid Aweiwi
Post by Daniel Mentz
Post by Walid Aweiwi
but my problem is no route nor ping from RED server to BLUE.
Hi Walid,
could you please provide us with the output of the command
ip route list
It should contain something like
192.168.25.0/24 dev ppp0 scope link src 192.168.100.100
The output will look different on your machine because you're
probably using an ethernet link instead of PPP.
The output of "ipsec status" looks very promising.
What's the exact output of the ping command? Does it say "no route to
host" or is it just not getting any reply (100% packet loss)?
Please run tcpdump on the external interfaces of RED and BLUE in order
to see if those boxes transmit ESP packets or just unencrypted ICMP packets.
For the sake of completeness you could also include the output of the
ip xfrm state
ip xfrm policy
Regards,
Daniel
------- End of Original Message -------
------- End of Original Message -------
------- End of Original Message -------
------- End of Original Message -------
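Daniel's diagnosis in the quoted thread is that "ip xfrm state" shows fully negotiated ESP SAs while "ip xfrm policy" shows only wildcard entries with no tunnel template, so nothing steers the subnet traffic into the tunnel and it leaves in the clear. The script below checks that SPD/SAD consistency mechanically. It is an added example, not code from the thread or from strongSwan; the dumps are constructed after the ones Walid posted (key material replaced by 0xREDACTED, peer gateway 203.0.113.10 and the SPIs are placeholders), the subnets 192.168.100.0/24 and 192.168.25.0/24 come from the thread's configuration, and the "ptype main" token in the healthy sample is what newer iproute2 prints (the parser accepts output with or without it).

```python
import ipaddress

# Constructed sample mirroring what RED showed in the thread (not the original
# dump): only wildcard entries, no template, so no packet enters the tunnel.
POLICY_BROKEN = """\
src ::/0 dst ::/0
dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir in priority 0
src ::/0 dst ::/0
dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
dir out priority 0
"""

# Constructed sample of a working net-to-net SPD: an out and an in entry for the
# two subnets, each with an ESP tunnel template bound to the SAs' reqid.
POLICY_HEALTHY = """\
src 192.168.100.0/24 dst 192.168.25.0/24
dir out priority 2344 ptype main
tmpl src 192.168.2.254 dst 203.0.113.10
proto esp reqid 16385 mode tunnel
src 192.168.25.0/24 dst 192.168.100.0/24
dir in priority 2344 ptype main
tmpl src 203.0.113.10 dst 192.168.2.254
proto esp reqid 16385 mode tunnel
"""

# Constructed SAD, the same in both cases: IKE succeeded and SAs are installed
# (203.0.113.10, SPIs and 0xREDACTED keys are placeholders).
STATE_SAMPLE = """\
src 203.0.113.10 dst 192.168.2.254
proto esp spi 0x00000101 reqid 16385 mode tunnel
replay-window 32
auth sha1 0xREDACTED
enc aes 0xREDACTED
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.2.254 dst 203.0.113.10
proto esp spi 0x00000102 reqid 16385 mode tunnel
replay-window 32
auth sha1 0xREDACTED
enc aes 0xREDACTED
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""


def _records(text):
    """Group 'ip xfrm' output into records; each starts at a line beginning 'src '."""
    recs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            recs.append([line])
        elif line and recs:
            recs[-1].append(line)
    return recs


def _kv(line):
    """Turn 'key value key value ...' into a dict (an odd trailing token is dropped)."""
    toks = line.split()
    return dict(zip(toks[0::2], toks[1::2]))


def parse_policies(text):
    pols = []
    for rec in _records(text):
        pol = {"src": None, "dst": None, "dir": None, "tmpl": None}
        for line in rec:
            if line.startswith("src "):
                kv = _kv(line)
                pol["src"], pol["dst"] = kv["src"], kv["dst"]
            elif line.startswith("dir "):
                pol["dir"] = _kv(line)["dir"]
            elif line.startswith("tmpl "):
                kv = _kv(line[len("tmpl "):])
                pol["tmpl"] = {"src": kv["src"], "dst": kv["dst"], "reqid": None}
            elif line.startswith("proto ") and pol["tmpl"] is not None:
                pol["tmpl"]["reqid"] = int(_kv(line)["reqid"])
        pols.append(pol)
    return pols


def parse_states(text):
    states = []
    for rec in _records(text):
        st = {}
        for line in rec:
            if line.startswith("src "):
                kv = _kv(line)
                st["src"], st["dst"] = kv["src"], kv["dst"]
            elif line.startswith("proto "):
                kv = _kv(line)
                st.update(spi=kv["spi"], reqid=int(kv["reqid"]), mode=kv["mode"])
        states.append(st)
    return states


def _same_net(a, b):
    return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)


def check_tunnel(policy_text, state_text, local_subnet, remote_subnet):
    """Return findings (empty list means consistent). A net-to-net tunnel needs an
    'out' policy local->remote and an 'in' policy remote->local, each carrying an
    ESP tunnel template whose reqid matches an installed SA."""
    findings = []
    sa_reqids = {s["reqid"] for s in parse_states(state_text) if s.get("mode") == "tunnel"}
    if not sa_reqids:
        findings.append("no ESP tunnel SAs installed (SAD is empty)")
    pols = parse_policies(policy_text)
    for d, src, dst in (("out", local_subnet, remote_subnet), ("in", remote_subnet, local_subnet)):
        hits = [p for p in pols if p["dir"] == d and p["src"]
                and _same_net(p["src"], src) and _same_net(p["dst"], dst)]
        if not hits:
            findings.append(f"no '{d}' SPD entry for {src} -> {dst}: traffic in this direction leaves in the clear")
        elif hits[0]["tmpl"] is None:
            findings.append(f"'{d}' SPD entry {src} -> {dst} carries no ESP template")
        elif hits[0]["tmpl"]["reqid"] not in sa_reqids:
            findings.append(f"'{d}' policy reqid {hits[0]['tmpl']['reqid']} has no matching SA")
    return findings


if __name__ == "__main__":
    for name, pol in (("broken", POLICY_BROKEN), ("healthy", POLICY_HEALTHY)):
        print(name, check_tunnel(pol, STATE_SAMPLE, "192.168.100.0/24", "192.168.25.0/24") or "OK")
```

On the broken sample it reports missing out and in SPD entries while the SAs are fine, which is the combination that explains Daniel's observation of established SAs plus unencrypted ICMP; on the healthy sample it reports nothing. To use it on a live box, feed it the text of `ip xfrm policy` and `ip xfrm state` captured before running `ipsec status`, as Daniel suggested, and compare with a second capture taken afterwards.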