Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 10-25-2017, 02:47 PM   #1
LQ Newbie
Registered: Sep 2010
Distribution: Ubuntu & CentOS
Posts: 15

Rep: Reputation: 0
Strongswan connectivity issue

Hi all,

I have a ubuntu server that runs strongswan in this topology:

SiteA <-> Strongswan box <-> SiteB <-> Strongswan-on-public-cloud <->

I use the strongswan public cloud as a default gateway for siteB, but siteA only encrypts traffic to siteB.

Enc domains are as follows:
SiteA <->

SiteB <-> 0/0

Traffic from SiteA to siteB works fine, but I can not connect SiteB to siteA.

jumbo@strongswan:/etc$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-97-generic, x86_64):
uptime: 12 days, since Oct 13 09:00:34 2017
malloc: sbrk 3244032, mmap 532480, used 1050336, free 2193696
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Listening IP addresses:
SiteB: strongswan-public-ip...SiteB-public-ip IKEv1
SiteB: local: [strongswan-public-ip] uses pre-shared key authentication
SiteB: remote: [SiteB-public-ip] uses pre-shared key authentication
SiteB: child: === TUNNEL
SiteA: strongswan-public-ip...%any IKEv1
SiteA: local: [strongswan-public-ip] uses pre-shared key authentication
SiteA: remote: uses pre-shared key authentication
SiteA: child: === TUNNEL
Security Associations (1 up, 0 connecting):
SiteB[663]: ESTABLISHED 34 minutes ago, strongswan-public-ip[strongswan-public-ip]...SiteB-public-ip[SiteB-public-ip]
SiteB[663]: IKEv1 SPIs: 011dca5e09a1e991_i a93dd721b5b0c3f4_r*, pre-shared key reauthentication in 20 minutes
SiteB[663]: IKE proposal: AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
SiteB{1293}: INSTALLED, TUNNEL, reqid 324, ESP SPIs: c001209d_i a04abb5a_o
SiteB{1293}: AES_CBC_256/HMAC_SHA1_96, 1495325 bytes_i (17984 pkts, 0s ago), 41766448 bytes_o (30960 pkts, 2s ago), rekeying in 9 minutes
SiteB{1293}: ===

jumbo@strongswan:/etc$ sudo ip route list table 220 via <strongswan-gateway-ip> dev ens160 proto static

So the routing table seems to confirm my problem.
This is the ipsec.conf:

conn SiteB

conn SiteA

I have public dns at siteA, hence the <any> tag on SiteA public ip. Of course, the vpn needs to be initialized from SiteA -> strongswan, I use a simple ping script for this.

The vpn from siteB to strongswan works, I can access internet via this site, but strongswan will not forward traffic into the vpn to siteA.

SiteA and siteB runs cisco ASAs.

Is it possible to fix this?
Old 10-25-2017, 02:56 PM   #2
LQ Newbie
Registered: Sep 2010
Distribution: Ubuntu & CentOS
Posts: 15

Original Poster
Rep: Reputation: 0
Huh, this actually works.
My ping script was not running


strongswan, vpn

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Strongswan IKEv2 - clients can access everything BUT strongswan machine itself - "truncated-udp length 0" psycroptic Linux - Networking 3 05-27-2017 04:41 AM
Strongswan-to-Strongswan IPsec VPN - slow with pure ESP, fast w/UDP encapsulation? psycroptic Linux - Networking 0 11-20-2014 08:44 AM
[SOLVED] strongswan eroute ipsec issue rajat.toshniwal Linux - Networking 3 10-17-2012 04:32 AM
strongswan ikev2 issue in setting up tunnels sriram_ec Linux - Networking 2 06-19-2012 05:09 AM
Connectivity Issue rajaniyer123 Solaris / OpenSolaris 4 07-04-2007 11:29 AM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 07:27 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration