Strongswan and USG40 setup
Hi Guys,
I have set up an IPsec tunnel (with VTI interfaces) between a USG40 and a Linux box (using strongswan). Both phases of the tunnel complete successfully and the tunnel is fully UP. Below is a schematic of the setup:
So the problem is that when I ping the USG40's VTI interface from the remote server, the USG receives it and replies to it, but it never gets back to the server. I did a packet capture on the USG's VTI int, and below is the output:
20:00:38.855199 IP (tos 0x0, ttl 64, id 19789, offset 0, flags [DF], proto ICMP (1), length 84)
10.0.51.1 > 10.0.51.2: ICMP echo request, id 15142, seq 42, length 64
20:00:38.855708 IP (tos 0x0, ttl 64, id 51490, offset 0, flags [none], proto ICMP (1), length 84)
10.0.51.2 > 10.0.51.1: ICMP echo reply, id 15142, seq 42, length 64
The RX and TX counters on the USG interface are incrementing with each ping, and a netstat -i on the server's VTI interface shows TX hits but no RX hits.
I've made ALL secure-policy rules permissive, so the default is to allow all traffic, to ensure that no rule is blocking traffic. The logs confirm that traffic is being "forwarded" (ACCESS FORWARD).
Here is the strongswan config for anyone interested:
conn swiss1
type=tunnel
ike=3des-md5-modp2048
esp=3des-md5
keyexchange=ikev2
authby=secret
forceencaps=yes
mark=100
leftupdown="/usr/local/sbin/ipsec-int-updown.sh --sourceip 10.0.51.1/24 --mtu 1370"
leftsourceip=10.0.51.1/24
left=95.183.x.x
leftsubnet=0.0.0.0/0
right=%
rightsubnet=10.0.50.0/24,10.0.51.0/24
auto=start
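To localise this kind of one-way loss, it helps to compare captures from both ends of the tunnel rather than eyeballing one. The script below is an added example, not part of the original post: it parses `tcpdump -v` ICMP records in the format quoted above and reports echo replies that reached the USG's VTI interface but never appeared at the server's VTI interface. The USG-side records reuse the post's format and addresses; the server-side capture is constructed to show the reported symptom.

```python
"""Localise one-way loss across an IPsec/VTI tunnel from two tcpdump captures.
Constructed example, not from the original post: replies seen at the far end
(USG VTI) but never at the near end (strongSwan server VTI) are reported."""
import re

# Second line of each `tcpdump -v` record, e.g.
# "10.0.51.1 > 10.0.51.2: ICMP echo request, id 15142, seq 42, length 64"
ICMP_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_icmp(capture):
    """Map (kind, id, seq) -> (src, dst) for every ICMP echo line in a capture."""
    seen = {}
    for line in capture.splitlines():
        m = ICMP_RE.search(line)
        if m:
            seen[(m["kind"], int(m["id"]), int(m["seq"]))] = (m["src"], m["dst"])
    return seen

def missing_replies(near, far):
    """Echo replies present in the far-end capture but absent from the near end.
    near: capture on the host sending the requests (server VTI);
    far: capture on the responding end (USG VTI). Returns sorted [(id, seq)]."""
    lost = set(parse_icmp(far)) - set(parse_icmp(near))
    return sorted((i, s) for (kind, i, s) in lost if kind == "reply")

# USG records follow the post's tcpdump format; the server side is constructed.
USG_CAPTURE = """\
20:00:38.855199 IP (tos 0x0, ttl 64, id 19789, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.51.1 > 10.0.51.2: ICMP echo request, id 15142, seq 42, length 64
20:00:38.855708 IP (tos 0x0, ttl 64, id 51490, offset 0, flags [none], proto ICMP (1), length 84)
    10.0.51.2 > 10.0.51.1: ICMP echo reply, id 15142, seq 42, length 64
20:00:39.856301 IP (tos 0x0, ttl 64, id 19790, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.51.1 > 10.0.51.2: ICMP echo request, id 15142, seq 43, length 64
20:00:39.856790 IP (tos 0x0, ttl 64, id 51491, offset 0, flags [none], proto ICMP (1), length 84)
    10.0.51.2 > 10.0.51.1: ICMP echo reply, id 15142, seq 43, length 64
"""
SERVER_CAPTURE = """\
20:00:38.854900 IP (tos 0x0, ttl 64, id 19789, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.51.1 > 10.0.51.2: ICMP echo request, id 15142, seq 42, length 64
20:00:39.855980 IP (tos 0x0, ttl 64, id 19790, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.51.1 > 10.0.51.2: ICMP echo request, id 15142, seq 43, length 64
"""

if __name__ == "__main__":
    # Replies reached the USG's VTI but were lost on the way back to the server.
    print(missing_replies(SERVER_CAPTURE, USG_CAPTURE))  # → [(15142, 42), (15142, 43)]
```

An empty result with packets still missing points at the plaintext side (routing, policy or marks on the VTI); a non-empty result like this one points at the encrypted path between the peers, which is where this thread's ESP drop turned out to be.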
Comments
Hi @popa,
A quick question: is the Linux server running as a NAT router (with two NICs) to establish a site-to-site VPN, or is it just a simple host connecting to the USG to access the USG subnet?
Client to site (host to subnet) or site to site (subnet to subnet)?
Thanks for the response.
Managed to sort it out. Turned out the ISP was dropping the ESP packets. Using a different provider fixed the issue.