Intro to Configuring IPsec VPN (Gateway-to-Gateway) using strongSwan

February 10, 2015

strongSwan supports gateway-to-gateway (site-to-site) and road warrior types of VPN. In the first type, network traffic is encrypted/decrypted at the gateway (entry/exit point) of an organization. In the road warrior case, traffic is encrypted from the end client (machine) all the way to the remote gateway. In this article, we explain how to create a tunnel between two sites of an organization to secure their communication. The placement of the strongSwan based VPN server/gateway is shown in the following figure. We want to secure communication between the 10.1.0.0/16 and 11.1.0.0/16 networks of the organization.

[Figure: placement of the strongSwan VPN gateways between the 10.1.0.0/16 and 11.1.0.0/16 networks]

As shown in the above figure, we want to secure the communication from A to B and vice versa. It is important to make sure that routing to the strongSwan based VPN gateways is in place in the organization's network. We assume that a machine in office A can ping a machine in the network of office B; this confirms connectivity between the devices.

In our previous article we installed strongSwan on a VM. In a production environment, however, strongSwan is installed on dedicated hardware for better performance. In this article, we use VMs to show the tunnel creation between two sites.

By default, the strongSwan configuration files are under the /usr/local/etc/ directory, as shown in the following figure.

[Figure: strongSwan configuration files under /usr/local/etc/]

Gateway-to-Gateway tunnel (Pre-shared key)

In this tunnel, we use a shared secret between the two machines. This shared secret is used for mutual authentication of the two peers, alongside the Diffie-Hellman exchange that establishes the key for the symmetric encryption algorithm.

Configuration of strongSwan on the local (left) machine (A side)

ipsec.conf is the main configuration file of strongSwan. In this file, we define the parameters of the tunnel policy, such as the encryption algorithms, the hashing algorithm, etc.

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel
    left=192.168.1.10
    leftsubnet=10.1.0.0/16
    right=192.168.1.11
    rightsubnet=11.1.0.0/16
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel

The ipsec.secrets file contains secret information such as shared keys, smart card PINs, passwords of private keys, etc. In our case, the pre-shared key between A and B is sharedsecret:

192.168.1.10 192.168.1.11 : PSK 'sharedsecret'

Configuration of strongSwan on the remote (right) machine (B side)

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default

conn tunnel
    left=192.168.1.11
    leftsubnet=11.1.0.0/16
    right=192.168.1.10
    rightsubnet=10.1.0.0/16
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    authby=secret
    auto=start
    keyexchange=ikev2
    type=tunnel

and the contents of ipsec.secrets on the remote site are:

192.168.1.11 192.168.1.10 : PSK 'sharedsecret'
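Before restarting, it pays to cross-check the two sides against each other. The following Python script is an added example (not from the article or from the strongSwan project) that parses one conn section from each gateway's ipsec.conf plus the PSK lines of ipsec.secrets and reports the mismatches that come up in the comments below; the sample configs it builds are constructed from the article's values, and the modp1024 warning is the editor's addition.

```python
"""Cross-check the 'conn' sections of two strongSwan ipsec.conf files.

Added example, not from the article. It reads one conn per gateway (article
layout) and flags the mistakes seen in the comments: left/right or subnets not
mirrored, the same subnet on both sides, differing proposals, PSK mismatch.
"""
import re

def parse_conn(text, name):
    """Return {key: value} for the 'conn <name>' section of an ipsec.conf text."""
    params, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith(("conn ", "config ")):  # a new section begins
            in_conn = line == f"conn {name}"
            continue
        if in_conn and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def parse_secrets(text):
    """Return [(set_of_ids, secret)] for every ': PSK' line of ipsec.secrets."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^\s*(.*?)\s*:\s*PSK\s+(\S+)\s*$", line)
        if m:
            out.append((set(m.group(1).split()), m.group(2).strip("'\"")))
    return out

def check_pair(conf_a, conf_b, sec_a, sec_b, name="tunnel"):
    """Return the list of problems found between sides A and B (empty = consistent)."""
    a, b = parse_conn(conf_a, name), parse_conn(conf_b, name)
    problems = []
    # A's left/leftsubnet must be B's right/rightsubnet and vice versa.
    for mine, theirs in (("left", "right"), ("leftsubnet", "rightsubnet")):
        if a.get(mine) != b.get(theirs) or a.get(theirs) != b.get(mine):
            problems.append(f"{mine}/{theirs} are not mirrored between A and B")
    if a.get("leftsubnet") == a.get("rightsubnet"):
        problems.append("leftsubnet equals rightsubnet: same network on both sides")
    for key in ("ike", "esp", "keyexchange", "authby", "type"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: A={a.get(key)!r} B={b.get(key)!r}")
    if "modp1024" in a.get("ike", ""):  # 1024-bit DH is below current recommendations
        problems.append("ike uses modp1024; prefer modp2048 or stronger")
    ids = {a.get("left"), a.get("right")}  # the PSK line must name both gateways
    psk_a = [s for i, s in parse_secrets(sec_a) if i == ids]
    psk_b = [s for i, s in parse_secrets(sec_b) if i == ids]
    if not psk_a or not psk_b:
        problems.append("no PSK line naming both gateway addresses on one side")
    elif psk_a[0] != psk_b[0]:
        problems.append("PSK differs between the two sides")
    return problems

def conn_text(left, lsub, right, rsub):
    """Constructed ipsec.conf sample in the article's layout (not a captured file)."""
    return (
        'config setup\n    charondebug="all"\nconn tunnel #\n'
        f"    left={left}\n    leftsubnet={lsub}\n"
        f"    right={right}\n    rightsubnet={rsub}\n"
        "    ike=aes256-sha2_256-modp1024!\n    esp=aes256-sha2_256!\n"
        "    authby=secret\n    keyexchange=ikev2\n    type=tunnel\n"
    )

CONF_A = conn_text("192.168.1.10", "10.1.0.0/16", "192.168.1.11", "11.1.0.0/16")
CONF_B = conn_text("192.168.1.11", "11.1.0.0/16", "192.168.1.10", "10.1.0.0/16")
SEC_A = "192.168.1.10 192.168.1.11 : PSK 'sharedsecret'\n"
SEC_B = "192.168.1.11 192.168.1.10 : PSK 'sharedsecret'\n"

if __name__ == "__main__":
    for problem in check_pair(CONF_A, CONF_B, SEC_A, SEC_B):
        print("WARN:", problem)
```

Run against the article's pair it reports only the DH-group warning; feed it the configs from Sumanth's comment (same subnet on both sides) and the subnet check fires.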

After making the changes on both sides, run the following command to create the tunnel:

# ipsec restart


To check the status of the tunnel on both machines, run the following command in the terminal. The output of the command on the local and remote machines is shown below.

# ipsec statusall


Output of ipsec statusall on VM A:

Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-24-generic, x86_64):
  uptime: 8 minutes, since Jan 03 13:44:32 2015
  malloc: sbrk 1351680, mmap 0, used 250048, free 1101632
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.1.10
Connections:
      tunnel:  192.168.1.10...192.168.1.11  IKEv2, dpddelay=30s
      tunnel:   local:  [192.168.1.10] uses pre-shared key authentication
      tunnel:   remote: [192.168.1.11] uses pre-shared key authentication
      tunnel:   child:  10.1.0.0/16 === 11.1.0.0/16 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 8 minutes ago, 192.168.1.10[192.168.1.10]...192.168.1.11[192.168.1.11]
      tunnel[1]: IKEv2 SPIs: cafdf24210e8e503_i* 7ee6557a1d297e35_r, pre-shared key reauthentication in 25 minutes
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      tunnel{1}:  INSTALLED, TUNNEL, ESP SPIs: cbd51ed8_i c7243b49_o
      tunnel{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
      tunnel{1}:   10.1.0.0/16 === 11.1.0.0/16

Output of ipsec statusall on VM B:

Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-24-generic, x86_64):
  uptime: 6 minutes, since Jan 03 13:44:21 2015
  malloc: sbrk 1351680, mmap 0, used 250944, free 1100736
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
  loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.1.11
Connections:
      tunnel:  192.168.1.11...192.168.1.10  IKEv2, dpddelay=30s
      tunnel:   local:  [192.168.1.11] uses pre-shared key authentication
      tunnel:   remote: [192.168.1.10] uses pre-shared key authentication
      tunnel:   child:  11.1.0.0/16 === 10.1.0.0/16 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
      tunnel[3]: ESTABLISHED 6 minutes ago, 192.168.1.11[192.168.1.11]...192.168.1.10[192.168.1.10]
      tunnel[3]: IKEv2 SPIs: cafdf24210e8e503_i 7ee6557a1d297e35_r*, pre-shared key reauthentication in 36 minutes
      tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      tunnel{3}:  INSTALLED, TUNNEL, ESP SPIs: c7243b49_i cbd51ed8_o
      tunnel{3}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
      tunnel{3}:   11.1.0.0/16 === 10.1.0.0/16
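Reading the two outputs side by side is where problems show up: the IKE SPIs must be the same on both ends, A's inbound ESP SPI must be B's outbound one, and a side that shows tunnel[n] ESTABLISHED but no tunnel{n} INSTALLED has an IKE_SA without a CHILD_SA and will carry no traffic. The following Python script is an added example (not from the article or from strongSwan) that parses the Security Associations lines of ipsec statusall from both gateways and checks exactly that; its sample inputs are re-typed from the outputs above, plus a constructed case in which only the IKE_SA came up.

```python
"""Cross-check 'ipsec statusall' output captured on both ends of a tunnel.

Added example, not from the article. From the Security Associations lines it
confirms that both sides show an ESTABLISHED IKE_SA with the same IKE SPIs,
that both have an INSTALLED CHILD_SA, that A's inbound ESP SPI is B's outbound
one (and vice versa), and that the traffic selectors mirror each other.
"""
import re

ESTAB_RE = re.compile(r"^\s*(\S+)\[\d+\]: ESTABLISHED")
IKE_RE = re.compile(r"^\s*(\S+)\[\d+\]: IKEv2 SPIs: ([0-9a-f]+)_i\*? ([0-9a-f]+)_r")
ESP_RE = re.compile(r"^\s*(\S+)\{\d+\}: INSTALLED, \w+, ESP SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o")
TS_RE = re.compile(r"^\s*(\S+)\{\d+\}:\s+(\S+) === (\S+)\s*$")

def parse_status(text):
    """Map each conn name to the IKE_SA / CHILD_SA facts found in the output."""
    sas = {}
    for line in text.splitlines():
        if m := ESTAB_RE.match(line):
            sas.setdefault(m.group(1), {})["established"] = True
        elif m := IKE_RE.match(line):
            sas.setdefault(m.group(1), {})["ike_spis"] = (m.group(2), m.group(3))
        elif m := ESP_RE.match(line):
            sas.setdefault(m.group(1), {}).update(esp_in=m.group(2), esp_out=m.group(3))
        elif m := TS_RE.match(line):
            sas.setdefault(m.group(1), {})["ts"] = (m.group(2), m.group(3))
    return sas

def check_tunnel(status_a, status_b, name="tunnel"):
    """Return a list of problems (empty list = tunnel consistent on both sides)."""
    a = parse_status(status_a).get(name, {})
    b = parse_status(status_b).get(name, {})
    problems = []
    for side, d in (("A", a), ("B", b)):
        if not d.get("established"):
            problems.append(f"{side}: no ESTABLISHED IKE_SA for conn {name}")
        if "esp_in" not in d:  # an IKE_SA alone carries no data; ESP needs a CHILD_SA
            problems.append(f"{side}: no INSTALLED CHILD_SA, no ESP SPIs, no traffic")
    if "ike_spis" in a and "ike_spis" in b and a["ike_spis"] != b["ike_spis"]:
        problems.append("IKE SPIs differ: the two outputs are not the same IKE_SA")
    if "esp_in" in a and "esp_in" in b and (a["esp_in"], a["esp_out"]) != (b["esp_out"], b["esp_in"]):
        problems.append("ESP SPIs are not paired across the two sides")
    if "ts" in a and "ts" in b and a["ts"] != b["ts"][::-1]:
        problems.append("traffic selectors are not mirrored")
    return problems

# Sample inputs: the SA lines the article shows for VM A and VM B (re-typed here)
STATUS_A = """\
Security Associations (1 up, 0 connecting):
     tunnel[1]: ESTABLISHED 8 minutes ago, 192.168.1.10[192.168.1.10]...192.168.1.11[192.168.1.11]
     tunnel[1]: IKEv2 SPIs: cafdf24210e8e503_i* 7ee6557a1d297e35_r, pre-shared key reauthentication in 25 minutes
     tunnel{1}: INSTALLED, TUNNEL, ESP SPIs: cbd51ed8_i c7243b49_o
     tunnel{1}:   10.1.0.0/16 === 11.1.0.0/16
"""
STATUS_B = """\
Security Associations (1 up, 0 connecting):
     tunnel[3]: ESTABLISHED 6 minutes ago, 192.168.1.11[192.168.1.11]...192.168.1.10[192.168.1.10]
     tunnel[3]: IKEv2 SPIs: cafdf24210e8e503_i 7ee6557a1d297e35_r*, pre-shared key reauthentication in 36 minutes
     tunnel{3}: INSTALLED, TUNNEL, ESP SPIs: c7243b49_i cbd51ed8_o
     tunnel{3}:   11.1.0.0/16 === 10.1.0.0/16
"""
# Constructed: a side where only the IKE_SA came up (no tunnel{n} lines at all)
STATUS_IKE_ONLY = """\
     tunnel[2]: ESTABLISHED 21 seconds ago, 172.16.75.2[172.16.75.2]...172.16.75.1[172.16.75.1]
     tunnel[2]: IKEv2 SPIs: de3400a4281e14ca_i 8391c3b42217f221_r*, pre-shared key reauthentication in 47 minutes
"""

if __name__ == "__main__":
    print(check_tunnel(STATUS_A, STATUS_B) or "tunnel consistent on both sides")
    print(check_tunnel(STATUS_IKE_ONLY, STATUS_IKE_ONLY))
```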

The ip command with the xfrm parameter can be used to see the policies and states of the IPsec tunnel on a Linux box. The output of the command ip xfrm state on both devices is shown below.


Output of the ip xfrm state command on VM A:

src 192.168.1.10 dst 192.168.1.11
    proto esp spi 0xc7243b49 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x3077c888d622b899532a5f1b8e9399efe65684ffa694bf072ea4de8a44898b2f 128
    enc cbc(aes) 0x8fafb23d824c1e898dc42f6d59b14c52e6a33b2183c0c9c762de8cacfd355a6f
src 192.168.1.11 dst 192.168.1.10
    proto esp spi 0xcbd51ed8 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x50b63121299e97339cf2a78bb86b958ae0c3e594b1c535a0a12ce0a165d4e0ef 128
    enc cbc(aes) 0x41447fea3021a3b13838f076dbe72139389be93960a641664bb7e1e6fc34b01a

Output of the ip xfrm state command on VM B:

src 192.168.1.11 dst 192.168.1.10
    proto esp spi 0xcbd51ed8 reqid 3 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x50b63121299e97339cf2a78bb86b958ae0c3e594b1c535a0a12ce0a165d4e0ef 128
    enc cbc(aes) 0x41447fea3021a3b13838f076dbe72139389be93960a641664bb7e1e6fc34b01a
src 192.168.1.10 dst 192.168.1.11
    proto esp spi 0xc7243b49 reqid 3 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x3077c888d622b899532a5f1b8e9399efe65684ffa694bf072ea4de8a44898b2f 128
    enc cbc(aes) 0x8fafb23d824c1e898dc42f6d59b14c52e6a33b2183c0c9c762de8cacfd355a6f

As the output above shows, the ip xfrm state command displays sensitive information (the ESP authentication and encryption keys). So please avoid running such commands on a production strongSwan server.


Comments (17)


  1. Sumanth says:

    Hi,

    I did the exact same steps as above on two local VMs on my laptop.
    I am very new to IPsec and strongSwan and was testing out a possible way to configure strongSwan on two local VMs on my laptop itself.
    But when I execute:
    ipsec statusall - I see no connections.
    Both the VMs are running Ubuntu 14.04 and the strongSwan version is: strongSwan U5.1.2/K3.13.0-48-generic
    One VM has the following ifconfig:
    eth0 10.0.2.15/24
    eth1 192.168.0.100/24
    The other has the following ifconfig:
    eth0 10.0.2.15/24
    eth1 192.168.0.101/24

    In ipsec.conf(say on the left machine), I have added the following:
    conn tunnel #
    left=192.168.0.100
    leftsubnet=10.0.2.15/24
    right=192.168.0.101
    rightsubnet=10.0.2.15/24

    I would be grateful if you could let me know if I am doing something wrong with the configuration or if the setup itself is wrong, as both the subnets are under 10.0.2.15 itself because both the VMs are on my local laptop machine itself. Please suggest.

    Thanks & Best Regards
    Sumanth

  2. nido says:

    Hi,

    Do the following things and get back to us.
    Please change the subnet on one VM. You have the same subnet on both sides.

    Please share complete details: ipsec.conf/ipsec.secrets files and logs as well.

    Please also share /var/log/syslog and /var/log/authlog with us.

    • Sumanth says:

      Hi Nido,

      Thanks for the reply and especially for the article.
      The IP addresses of my VM_A look like this:
      eth0:10.0.2.15
      eth1:192.168.1.130
      The IP addresses of my VM_B look like this:
      eth0:10.0.2.15
      eth1:192.168.1.131

      and the following command gives the output below:
      $ sudo ipsec statusall
      Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.13.0-48-generic, x86_64):
      uptime: 4 minutes, since May 26 08:34:35 2015
      malloc: sbrk 2412544, mmap 0, used 323616, free 2088928
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
      loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
      Listening IP addresses:
      10.0.2.15
      192.168.1.131
      Connections:
      tunnel: 192.168.1.131...192.168.1.130 IKEv2, dpddelay=30s
      tunnel: local: [192.168.1.131] uses pre-shared key authentication
      tunnel: remote: [192.168.1.130] uses pre-shared key authentication
      tunnel: child: 192.168.1.0/24 === 192.168.1.0/24 TUNNEL, dpdaction=clear
      Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 4 minutes ago, 192.168.1.131[192.168.1.131]...192.168.1.130[192.168.1.130]
      tunnel[1]: IKEv2 SPIs: 210a80be506b3db6_i* b605f71c45464001_r, pre-shared key reauthentication in 35 minutes
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

      But ip xfrm state gives nothing, as Luca mentioned below.
      I believe it is mostly because both the VMs are in the same subnet. Please let me know if my understanding is correct.
      Also I had another question. In the above log, one of the lines in the Connections part says:
      tunnel: child: 192.168.1.0/24 === 192.168.1.0/24 TUNNEL,

      So does it mean that any computer within this subnet (192.168.1.0/255) has IPsec connectivity?
      My host has the 192.168.1.2 IP address and everything is in the 192.168.1.0/255 subnet,
      with both the VMs' IP addresses being 192.168.1.130 & 192.168.1.131.
      What does the above log indicate? Please suggest.

      Thank You
      Sumanth

      • nido says:

        Hi,
        Thanks for the comments.

        1. Can you install another tool (ipsec-tools) on your VMs? You can download it from http://ipsec-tools.sourceforge.net/

        Once you have installed the tool, it will give you a set of commands, and "setkey" is one of them.

        Run "setkey -D" and share your output with me. It will show the security association between the two parties.

        2. The line child: 192.168.1.0/24 === 192.168.1.0/24 TUNNEL in your case indicates an IPsec tunnel between the 192.168.1.130 and 192.168.1.131 IP addresses. Both IPs are from the 192.168.1.0/24 network.

        You can say 192.168.1.131/130 are the gateways of your network which are used for the IPsec tunnel.

  3. Luca says:

    Thanks for the article!
    I have a problem.

    I want to create an IPsec tunnel between two VMs (Fedora) on my laptop. I can ping from A to B and from B to A.
    IP VM A=192.168.1.130
    IP VM B=192.168.1.131

    Default gateway 192.168.1.1 and subnet 192.168.1.0/24 for both.

    ipsec.conf on VM A:
    # ipsec.conf - strongSwan IPsec configuration file

    config setup

    #charondebug="all"
    #uniqueids=yes
    #strictcrlpolicy=no

    #conn %default

    #conn tunnel #

    #left=192.168.1.130
    #leftsubnet=192.168.1.0/24
    #right=192.168.1.131
    #rightsubnet=192.168.1.0/24
    #ike=aes256-sha2_256-modp1024!
    #esp=aes256-sha2_256!
    #keyingtries=0
    #ikelifetime=1h
    #lifetime=8h
    #dpddelay=30
    #dpdtimeout=120
    #dpdaction=clear
    #authby=secret
    #auto=start
    #keyexchange=ikev2
    #type=tunnel

    ipsec.conf on VM B:

    # ipsec.conf - strongSwan IPsec configuration file

    config setup

    #charondebug="all"
    #uniqueids=yes
    #strictcrlpolicy=no

    #conn %default

    #conn tunnel #

    #left=192.168.1.131
    #leftsubnet=192.168.1.0/24
    #right=192.168.1.130
    #rightsubnet=192.168.1.0/24
    #ike=aes256-sha2_256-modp1024!
    #esp=aes256-sha2_256!
    #keyingtries=0
    #ikelifetime=1h
    #lifetime=8h
    #dpddelay=30
    #dpdtimeout=120
    #dpdaction=clear
    #authby=secret
    #auto=start
    #keyexchange=ikev2
    #type=tunnel

    ipsec.secrets Vm A
    192.168.1.130 192.168.1.131 : PSK 'sharedsecret'

    ipsec.secrets Vm B
    192.168.1.131 192.168.1.130 : PSK 'sharedsecret'

    This is the output of the command ipsec statusall on VM B, for example:

    [root@localhost ~]# ipsec statusall
    Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.17.4-301.fc21.x86_64, x86_64):
    uptime: 7 seconds, since May 17 11:57:35 2015
    malloc: sbrk 1470464, mmap 0, used 298288, free 1172176
    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
    loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
    Listening IP addresses:
    192.168.1.131
    Connections:
    Security Associations (0 up, 0 connecting):
    none

    Now I have many doubts:
    1)
    I have only one NIC in both VMs; for example, this is ifconfig on VM A:

    eno16777736: flags=4163 mtu 1500
    inet 192.168.1.130 netmask 255.255.255.0 broadcast 192.168.1.255
    inet6 fe80::20c:29ff:fede:b771 prefixlen 64 scopeid 0x20
    ether 00:0c:29:de:b7:71 txqueuelen 1000 (Ethernet)
    RX packets 54817 bytes 76430363 (72.8 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 29712 bytes 2506960 (2.3 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    lo: flags=73 mtu 65536
    inet 127.0.0.1 netmask 255.0.0.0
    inet6 ::1 prefixlen 128 scopeid 0x10
    loop txqueuelen 0 (Local Loopback)
    RX packets 8 bytes 800 (800.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 8 bytes 800 (800.0 B)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    Is this a problem? If yes, how do I create the second NIC?

    2) Does IP forwarding have to be active? In another tutorial I found these commands to run before launching ipsec:

    $ echo 1 > /proc/sys/net/ipv4/ip_forward
    $ echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    $ echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

    Thanks for the solution.

    • nido says:

      No issue with the NIC; why did you place # in the ipsec.conf file?
      # means comment, so you have disabled everything in the ipsec.conf file. Please remove the # and check again.

      You can check /var/log/syslog as well for further troubleshooting.

      • Luca says:

        Thanks! Now it's OK, great! This is the terminal output after the command "ipsec restart":
        Listening IP addresses:
        192.168.1.130
        Connections:
        tunnel: 192.168.1.130...192.168.1.131 IKEv2, dpddelay=30s
        tunnel: local: [192.168.1.130] uses pre-shared key authentication
        tunnel: remote: [192.168.1.131] uses pre-shared key authentication
        tunnel: child: 192.168.1.0/24 === 192.168.1.0/24 TUNNEL, dpdaction=clear
        Security Associations (1 up, 0 connecting):
        tunnel[1]: ESTABLISHED 8 seconds ago, 192.168.1.130[192.168.1.130]...192.168.1.131[192.168.1.131]
        tunnel[1]: IKEv2 SPIs: 5fbeb22285363d2a_i* eec4cf2b8fbafb96_r, pre-shared key reauthentication in 40 minutes
        tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

        Some questions:
        1) Why doesn't the log file in var/log/ exist?

        2) This is important: my target is to capture ESP packets with Wireshark. Now in this situation all the packets are not ESP but TCP, UDP, etc. Why? The tunnel between the two VMs is up...
        I remember that the default GW of the two VMs is the router, 192.168.1.1

        3) Finally I want this scenario:

        PC A ---GATEWAY A(VM A) ---tunnel--- GATEWAY B (VM B) ---- PC B

        But all are in the same subnet, and Gateway A and B are VMs with only one NIC. How do I connect PC A to PC B through the tunnel?

        Thanks a lot!!

        • nido says:

          Good to know that it is working.

          You can check the status of the tunnel using the "ip xfrm state" command.

          1. Please check your path. It is /var/log/syslog, not var/log (the slash is important).

          2. It will show ESP once you send traffic from one node to the other and sniff on the outer interface (left and right IP addresses).

          3. I will check this part myself and then I will be back with a solution.

          • Luca says:

            About point number 2.

            I have VM A (192.168.1.130) and VM B (192.168.1.131), and both VMs have the same gateway for the internet connection, my home router, 192.168.1.1.

            How do I send traffic from A to B to show ESP packets in Wireshark? I tried with ping but the protocol is ICMP. Another example? Thanks!

          • nido says:

            Please share the output of the following command. Run it on both VMs.

            # ip xfrm state

          • Luca says:

            OK, I tried ip xfrm state after creating the tunnel, but there isn't any result.

            [root@computer]# ipsec statusall
            Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.17.4-301.fc21.x86_64, x86_64):
            uptime: 8 minutes, since May 19 09:48:23 2015
            malloc: sbrk 1470464, mmap 0, used 317264, free 1153200
            worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
            loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
            Listening IP addresses:
            192.168.1.130
            Connections:
            tunnel: 192.168.1.130...192.168.1.131 IKEv2, dpddelay=30s
            tunnel: local: [192.168.1.130] uses pre-shared key authentication
            tunnel: remote: [192.168.1.131] uses pre-shared key authentication
            tunnel: child: 192.168.1.0/24 === 192.168.1.0/24 TUNNEL, dpdaction=clear
            Security Associations (1 up, 0 connecting):
            tunnel[1]: ESTABLISHED 7 minutes ago, 192.168.1.130[192.168.1.130]...192.168.1.131[192.168.1.131]
            tunnel[1]: IKEv2 SPIs: a05bdd1af769fdb7_i* 828175c706066feb_r, pre-shared key reauthentication in 30 minutes
            tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
            [root@computer]# ip xfrm state
            [root@computer]#

            I also tried ip xfrm state show but nothing..

  4. Luca says:

    I resolved all my problems!
    Last question:

    I have PC A ----GW A----tunnel---GW B------PC B

    GW A and GW B have my home router, 192.168.1.1, as gateway and have an internet connection.

    PC A has GW A as gateway, and PC B has GW B too.
    PC A can ping PC B but neither has internet access. Why?

    • nido says:

      Good to know that you have solved all the problems. Please share your solution with the community.

      Most probably your internet traffic is not going outside.

  5. Luca says:

    Sorry, but I have two other questions.

    1) Why do I have to disable firewalld with the command "systemctl stop firewalld" on my two gateways to ping from leftsubnet to rightsubnet?

    2) Why do I have to launch the "ipsec restart" command twice to open the tunnel?

    The first time:
    Security Associations (1 up, 0 connecting):
    tunnel[2]: ESTABLISHED 21 seconds ago, 172.16.75.2[172.16.75.2]...172.16.75.1[172.16.75.1]
    tunnel[2]: IKEv2 SPIs: de3400a4281e14ca_i 8391c3b42217f221_r*, pre-shared key reauthentication in 47 minutes
    tunnel[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

    The second time:
    tunnel[2]: ESTABLISHED 32 seconds ago, 172.16.75.2[172.16.75.2]...172.16.75.1[172.16.75.1]
    tunnel[2]: IKEv2 SPIs: 735da7aa6f9d93d0_i 89d9cb265fc41166_r*, pre-shared key reauthentication in 42 minutes
    tunnel[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    tunnel{2}: INSTALLED, TUNNEL, ESP SPIs: c9ccfe10_i c8df7fb5_o
    tunnel{2}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
    tunnel{2}: 192.168.1.0/24 === 192.168.0.0/24

    I hope you answer this question!

    • nido says:

      1. Actually IPsec/strongSwan uses port 4500, which is usually blocked. So that is why you need to stop the firewall, or you can insert a rule to allow IPsec traffic. You can also solve this problem by adding leftfirewall=yes on both sides in the configuration file.

      2. ipsec restart reloads the changes of the configuration files. ipsec restart basically initiates the IKE and ESP parameters with the 2nd device. To identify the problem I would recommend that you first run "ipsec stop" on both sides and then "ipsec start". It may solve the problem.

      • Kirk says:

        I tried 1 (leftfirewall=yes, allow ipsec and 4500/udp in firewalld) but still have trouble. The tunnel comes up on both sides but no traffic is ever passed. It seems like no traffic is sent through the tunnel at all as the byte count is always 0, and with auto=add on both sides the tunnel will stay down (i.e. no traffic ever detected to bring it up).

        The routes are added (table 220) and the iptables rules are added, but I think the firewalld rules must be interfering somewhere. But where? I'm just not seeing it. Any suggestions?

        • nido says:

          Thanks for the comments.

          Can you check your end-to-end ping without IPsec?
          If yes, then we will move ahead.

          What is the output of the ipsec statusall command?
