-
Hi all, trying to get my IPsec env running for more than 5 days. I've read so many threads here and on Google, I'm kind of desperate. Tunnel is working with a VTI on both ends. Both IPsec nodes are behind a NAT. I guess it's not a big thing that is missing here, but for some reason I don't get it. PLEASE HELP. Thx

ping is working from: ipsecnode-net-A (10.254.0.3) to ipsecnode-net-B (10.100.0.12) (and vice versa)

10.254.0.3:/# ping 10.100.0.12

no ping: host-in-net-A (10.254.0.12) to ipsecnode-net-B (10.100.0.12)

10.254.0.12:/# ping 10.100.0.12

10.254.0.3:/# ip a

ping goes through the tunnel (same on the other side) but I get no echo on host 10.254.0.12

10.254.0.3:/# ip -s tunnel show

10.254.0.3:/# cat strongswan.conf (same on the other side)
charon {

10.254.0.3:/# ip -s xfrm state

10.254.0.3:/# iptables-save
*filter
-
Please pastebin the output of

EDIT: Also please pastebin the output of

Also make sure forwarding is locally enabled and for the interfaces involved (sysctl net.ipv4.ip_forward=1 net.ipv4.conf.vti0.forwarding=1 net.ipv4.conf.ens3.forwarding=1).
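The forwarding knobs asked for above, turned into a small POSIX shell checker; this is an added example, not code from the thread or from strongSwan. It reads the sysctl tree from SYSCTL_ROOT (default /proc/sys, overridable so it can be run against a constructed tree), fails if ip_forward or any per-interface forwarding knob is not 1, and also reports rp_filter per interface, since a strict reverse-path filter on the tunnel or LAN side is a common reason a reply seen in tcpdump never reaches the host (that last point is my addition, not something the thread established).

```shell
#!/bin/sh
# Added example: verify the sysctls Thermi asked for on an IPsec/VTI gateway.
# SYSCTL_ROOT points at the sysctl file tree; override it to test against a fake tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# read_knob <path relative to SYSCTL_ROOT>: prints the value, or "missing" if absent.
read_knob() {
    f="$SYSCTL_ROOT/$1"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'missing'
    fi
}

# check_forwarding <iface>...: prints one line per knob.
# Returns 0 only if net.ipv4.ip_forward and every <iface>.forwarding equal 1.
# rp_filter is reported for information only (2 = loose, 1 = strict, 0 = off);
# strict mode can drop asymmetrically routed replies, so it is worth seeing.
check_forwarding() {
    rc=0
    v=$(read_knob net/ipv4/ip_forward)
    printf 'net.ipv4.ip_forward = %s\n' "$v"
    [ "$v" = "1" ] || rc=1
    for ifc in "$@"; do
        v=$(read_knob "net/ipv4/conf/$ifc/forwarding")
        printf 'net.ipv4.conf.%s.forwarding = %s\n' "$ifc" "$v"
        [ "$v" = "1" ] || rc=1
        printf 'net.ipv4.conf.%s.rp_filter = %s (info)\n' "$ifc" "$(read_knob "net/ipv4/conf/$ifc/rp_filter")"
    done
    return $rc
}

# Usage on the gateway from the thread: check_forwarding vti0 ens3
```

Run it on both IPsec nodes with the tunnel and LAN interface names; a non-zero exit means at least one forwarding knob is off.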
-
Hi Thermi, many thx for looking into it!!!! All instances are located on an OpenStack at a German hosting provider. I don't understand the issue at all, and I'm not doing it for the first time. I also thought of a problem in the provider's backend. But I don't have any approach. Here you go:

10.254.0.3:/# iptables-save -c
*filter

10.100.0.12:/# iptables-save -c
*filter

10.254.0.3:/# sysctl -p

10.100.0.12:/# sysctl -p

10.254.0.3:/# ip route show table all

10.100.0.12:/# ip route show table all

10.254.0.3:/# ip rule

10.100.0.12:/# ip rule

10.254.0.3:/# cat ipsec.conf
config setup
conn xxxx-to-kunde100

10.100.0.12:/# cat ipsec.conf
conn kunde100-to-xxxx

10.254.0.3:/# ipsec statusall

10.100.0.12:/# ipsec statusall

10.254.0.3:/# swanctl -l

10.254.0.3:/# swanctl -L

These 3 packets are test pings from host 10.254.0.11 to IPsec host 10.100.0.12

10.100.0.12:/# swanctl -l

10.100.0.12:/# swanctl -L
-
Config seems to be ok? Will look into audit log with provider.
Ping goes its way but I get no echo on host 10.254.0.11.
10.254.0.11:/# ping 10.100.0.12
PING 10.100.0.12 (10.100.0.12) 56(84) bytes of data.
10.254.0.3:/# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vti0, link-type RAW (Raw IP), capture size 262144 bytes
07:10:25.406741 IP 10.254.0.11 > 10.100.0.12: ICMP echo request, id 12, seq 1, length 64
07:10:25.409683 IP 10.100.0.12 > 10.254.0.11: ICMP echo reply, id 12, seq 1, length 64