I am trying to set up a VPN tunnel between 2 sites, like this:
remoteA – vpnA — Internet — vpnB — remoteB
vpnA and vpnB have a public IP
vpnA and remoteA have a private IP (1 subnet)
Actually, I was able to get the tunnel up:
net-net1[1]: ESTABLISHED 22 minutes ago, [xxx]…[yyy]
net-net1[1]: IKE SPIs: e94a8711bfc6cfe0_i* 4f199ccf7cffb49b_r, pre-shared key reauthentication in 32 minutes
net-net1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
net-net1{1}: INSTALLED, TUNNEL, ESP SPIs: ca7f5d3d_i 27d80a67_o
net-net1{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 31 minutes
BUT, when I try to ping remoteB from remoteA/vpnA,
it FAILS, and based on my check using tcpdump at vpnA,
the packet is not going through the tunnel, maybe using the default gateway instead
(correct me if I am wrong, but I can't see any encryption notation, only ICMP messages).
Unfortunately, I can't perform any test from the other side
(vpnB and remoteB are handled by another party; they insist remoteB can be reached from vpnB).
Anyway, I had checked everything related at site A:
ipsec statusall
ipsec listall
auth.log
daemon.log
ip -s xfrm policy
ip -s xfrm state
ip route list table 220
iptables -L
So far, all are consistent with the sample shown in https://www.strongswan.org/testing/testresults/ikev2/net2net-psk/
and even the routing in 'ip route list table 220' does provide the route to remoteB, even though it is not defined in a static route.
What I did at vpnA:
I did not define a default gateway (hence no route for 0.0.0.0),
only a static route to the vpnB public IP via the vpnA internet gateway IP
(in the hope that routing to remoteB does not use the default gateway).
Once the tunnel is up, the route for remoteB is added automatically, as in 'ip route list table 220':
via dev eth0 proto static src
However, I cannot ping remoteB successfully, and
- vpnB said no packet is seen in the log
- even the log/messages at vpnA show nothing related to charon or pluto activity
Hence, I am kind of confused.
Does the ping packet go through the tunnel or not?
I tried to google around and read all related FAQs, but can't find any concrete answer.
Hence, I am seeking the wisdom of this forum.
Anyway, here is what I used at vpnA (in summary, to keep it short):
SUSE Linux Enterprise Server 11 (x86_64)
SuSEfirewall2 version 3.6 - set the private IP interface as DMZ, the public IP interface as External, masquerade enabled
strongSwan U4.4.0 - used the example at https://www.strongswan.org/testing/testresults/ikev2/net2net-psk/
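The quoted `ipsec statusall` output already answers the question in the post: the CHILD_SA is INSTALLED but shows `0 bytes_i, 0 bytes_o`, so no local packet has ever matched the IPsec policy and been encrypted, which is consistent with tcpdump on vpnA showing plain ICMP. The following is an added example (not code from the post or from strongSwan) that parses that status output and turns the byte counters into a verdict. The connection `net-net2` in the embedded sample is invented to show the healthy case; the `net-net1` lines are the ones quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "net-net1" lines quoted in the post (peer IDs redacted
# as [xxx]/[yyy] by the poster) plus an invented "net-net2" that carries traffic.
SAMPLE_STATUS = """\
net-net1[1]: ESTABLISHED 22 minutes ago, [xxx]...[yyy]
net-net1[1]: IKE SPIs: e94a8711bfc6cfe0_i* 4f199ccf7cffb49b_r, pre-shared key reauthentication in 32 minutes
net-net1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
net-net1{1}: INSTALLED, TUNNEL, ESP SPIs: ca7f5d3d_i 27d80a67_o
net-net1{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 31 minutes
net-net2[2]: ESTABLISHED 5 minutes ago, [10.0.0.1]...[10.0.0.2]
net-net2{2}: INSTALLED, TUNNEL, ESP SPIs: 0a0b0c0d_i 01020304_o
net-net2{2}: AES_CBC_256/HMAC_SHA2_256_128, 8400 bytes_i, 9120 bytes_o, rekeying in 40 minutes
"""

# "name[ikeid]: ..." lines describe the IKE_SA, "name{childid}: ..." the CHILD_SA.
PREFIX_RE = re.compile(r"^(?P<name>[^\s\[{]+)(?P<kind>[\[{])\d+[\]}]: (?P<rest>.*)$")
SPI_RE = re.compile(r"ESP SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
BYTES_RE = re.compile(r"(?P<bin>\d+) bytes_i, (?P<bout>\d+) bytes_o")


@dataclass
class ConnStatus:
    name: str
    ike_established: bool = False
    child_installed: bool = False
    spi_in: str = ""
    spi_out: str = ""
    bytes_in: int = 0
    bytes_out: int = 0


def parse_status(text):
    """Collect per-connection IKE/CHILD state and ESP byte counters from statusall text."""
    conns = {}
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue  # header lines such as "Security Associations (1 up, 0 connecting):"
        conn = conns.setdefault(m["name"], ConnStatus(name=m["name"]))
        rest = m["rest"]
        if m["kind"] == "[":
            if rest.startswith("ESTABLISHED"):
                conn.ike_established = True
            continue
        if rest.startswith("INSTALLED"):
            conn.child_installed = True
            spi = SPI_RE.search(rest)
            if spi:
                conn.spi_in, conn.spi_out = spi["spi_in"], spi["spi_out"]
        counters = BYTES_RE.search(rest)
        if counters:
            conn.bytes_in = int(counters["bin"])
            conn.bytes_out = int(counters["bout"])
    return conns


def diagnose(conn):
    """Map the SA state and counters to the question the post asks: is traffic entering the tunnel?"""
    if not conn.ike_established:
        return "ike-down"
    if not conn.child_installed:
        return "no-child-sa"
    if conn.bytes_out == 0 and conn.bytes_in == 0:
        # SA exists but nothing local was ever encrypted: the packets never matched
        # the xfrm policy selector on this gateway, so they leave in the clear.
        return "installed-idle"
    if conn.bytes_out > 0 and conn.bytes_in == 0:
        # We encrypt and send, but the peer never answers: look at the far side.
        return "one-way"
    return "ok"


def diagnose_all(text):
    return {name: diagnose(conn) for name, conn in parse_status(text).items()}


if __name__ == "__main__":
    for name, verdict in diagnose_all(SAMPLE_STATUS).items():
        print(f"{name}: {verdict}")
```

For `net-net1` the verdict is `installed-idle`: the tunnel is up but the pings are not being matched by the outbound policy. With masquerading enabled on the public interface this is worth checking first, because Linux applies SNAT/MASQUERADE in the nat POSTROUTING chain before the xfrm policy lookup, so a packet from the remoteA subnet can be rewritten to the public IP and then no longer match the `remoteA-subnet -> remoteB-subnet` selector; the usual remedy is a POSTROUTING rule matching `-m policy --dir out --pol ipsec -j ACCEPT` ahead of the MASQUERADE rule, and `ip -s xfrm policy` will show the policy's packet counters start increasing once packets match.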