Hi All,

I have the following setup:

Server (x.x.x.x) ------INTERNET------- DSL Router (y.y.y.y) -------- Client (192.168.1.246)

I would like to create a PSK IPsec tunnel between the server and the client.

On the server, ipsec.conf:

config setup
 plutodebug="all"
 protostack=netkey
 oe=off
 nat_traversal=yes

conn roadwarrior
 authby=secret
 pfs=no
 auto=add
 rekey=yes
 type=tunnel
 left=x.x.x.x
 leftnexthop=x.x.x.1
 leftid=x.x.x.x
 right=%any

Client ipsec.conf:

config setup
 plutodebug="all"
 protostack=netkey
 oe=off
 nat_traversal=yes

conn roadwarrior
 authby=secret
 pfs=no
 auto=add
 rekey=yes
 type=tunnel
 left=x.x.x.x
 leftnexthop=x.x.x.1
 leftid=x.x.x.x
 right=%defaultroute
 rightnexthop=%defaultroute

It looks like the tunnel is working fine:

Client: # ipsec auto --up roadwarrior
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
003 "roadwarrior" #1: ignoring unknown Vendor ID payload [4f4568794c64414365636661]
003 "roadwarrior" #1: received Vendor ID payload [Dead Peer Detection]
003 "roadwarrior" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "roadwarrior" #1: received Vendor ID payload [CAN-IKEv2]
004 "roadwarrior" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
117 "roadwarrior" #2: STATE_QUICK_I1: initiate
004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x20e3b86f <0xac7dbe45 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

But when I try to ping the server from the client, I see the ESP packets on the server but it doesn't send any reply.

tcpdump on the server's public interface during the ping:

16:19:44.572732 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x20e3b86f,seq=0x2), length 148
16:19:44.680605 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x20e3b86f,seq=0x3), length 196
16:19:44.738490 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x20e3b86f,seq=0x4), length 148

I have disabled every iptables rule on my server. Any idea where my replies are?

Thanks and regards,
B
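An added diagnostic, not part of the post above: it correlates the two SPIs from the client's "IPsec SA established" line with the server-side tcpdump to show that only the client-to-server SPI ever appears on the wire, then checks whether the ping's inner source (192.168.1.246, behind the DSL NAT) fits the selector the server would install for this conn. The assumption it encodes: with right=%any and no rightsubnet the server's policy is host-to-host with the client's NATed address y.y.y.y, so a decrypted packet sourced from 192.168.1.246 matches no policy and is dropped before any reply is built; the rightsubnets argument models a rightsubnet that covers the client's private range.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed from the post: the client's established-SA line and the server's tcpdump.
SA_LINE = ('004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established '
           'tunnel mode {ESP=>0x20e3b86f <0xac7dbe45 xfrm=AES_128-HMAC_SHA1 '
           'NATOA=none NATD=none DPD=none}')
TCPDUMP = """\
16:19:44.572732 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x20e3b86f,seq=0x2), length 148
16:19:44.680605 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x20e3b86f,seq=0x3), length 196
16:19:44.738490 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x20e3b86f,seq=0x4), length 148
"""
ESP_RE = re.compile(r"IP (\S+)\.4500 > (\S+)\.4500: UDP-encap: ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")

def parse_sa(line):
    """SPIs as pluto prints them on the initiator: '=>' is outbound, '<' is inbound."""
    m = re.search(r"ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)", line)
    if not m:
        raise ValueError("no ESP SPI pair in line")
    return {"client_out": m.group(1), "client_in": m.group(2)}

def parse_esp(dump):
    """Return (src, dst, spi, seq) for each UDP-encapsulated ESP record."""
    return [m.groups() for m in (ESP_RE.search(l) for l in dump.splitlines()) if m]

def directions_seen(records, spis):
    """Which direction of the SA actually carried traffic on the wire."""
    on_wire = {spi for _, _, spi, _ in records}
    return {"client_to_server": spis["client_out"] in on_wire,
            "server_to_client": spis["client_in"] in on_wire}

def selector_allows(inner_src, peer_outer, rightsubnets=()):
    """Assumption: with right=%any and no rightsubnet the server's policy is
    host-to-host, so the decrypted packet's source must equal the peer's outer
    (NATed) address; a rightsubnet widens that to the listed networks."""
    if inner_src == peer_outer:
        return True
    return any(ip_address(inner_src) in ip_network(n) for n in rightsubnets)

def diagnose():
    spis = parse_sa(SA_LINE)
    recs = parse_esp(TCPDUMP)
    seen = directions_seen(recs, spis)
    policy_ok = selector_allows("192.168.1.246", "y.y.y.y")
    return {"records": len(recs), **seen, "inner_src_matches_policy": policy_ok}

if __name__ == "__main__":
    print(diagnose())
```

On a live box the same two facts are checked with `ip xfrm policy` (is there a selector covering 192.168.1.246?) and `ip -s xfrm state` (does the inbound SA's counter rise while the outbound SA's stays at zero?).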